EX200 Red Hat Certified System Administrator RHCSA – SELinux Part 2

3. Basics

Welcome back. Let’s go ahead and dig into that example. So if a user wants to change their password, they will run the past WD as we have done so in the past. And this particular executable has a label of past WD underline exec underline nine P type. So we can go ahead and check that out by typing in LSL and then set. By the way, this is a textbook example. They usually use this command as an example, pretty much an old literature and pretty much in the official documentation as well.

So I’m using it as well. It’s rather simple. And if you’re wondering why I’m not using something more complex, don’t worry, we will in the exercises a bit later on. But for now, let’s just stick to the very, very simple stuff. So USR and then Bin, and then past WD. And behold, it says password underline exec underline T. So this is the type by which this command has been labeled. Now, this command, what does it need to do? Which files it need to access? Do we remember? It needs to access the Etsy shadow file in order to put the hashed password there, or change the hash password that already exists, I guess, or not necessarily, but okay, so we will type in LSL capital set.

And by the way, forgive me for bitter lack of lacking some constration at present, primarily because it’s almost 03:00 in the morning here, but I don’t sleep much anyway. So LSpace, L capitalsetspace, and then we’re going to go ahead and type in Etsy shadow, press Enter and there you go. This one has a now, this one is labeled with shadow underline T. So these are two different types. And how on earth are they going to inter? How is this allowed to interact with this? Because as we know, these sort of transitions are forbidden by default by Se Linux. However, the good people who develop these things have created a set of policies to make AC Linux functional without any prior adjustment with the system, functionalities as they are.

So they’ve made some really nice policy for us. Therefore, an AC Linux policy rule exists and states that processes running in the past W d underlying T domain are allowed to read and write to files labeled with the shadow underline T type. Now, this is the official explanation from the document from Fedora documentation. You can find it in the deck if you like, but I don’t really think that this is the best way to put it because it says pass WD underline T domain. What is that? Do you see that anywhere on the screen now? No, you don’t.

That is why I am going to go ahead and install a very useful tool. Where is it? There you go. So this is what you need to install. Now just go ahead and type this type command in. Press Enter. It’s going to run for me. It’s already installed so I don’t need to do it again. And now that this is installed, I can go ahead and check the man pages for past WD for Se Linux and see a detailed description of what past WD is allowed and what it is not allowed to do. Had two hiccups there. Anyway, we’re going to type in man. Look, the format is pretty much exactly the same for the other commands. Just keep that in mind and we’re going to type in well, you can also type in Mank SELinux.

And now you’re going to see a lot of things here that are related to Se Linux and you can see man pages for all of these things. But I can’t see mine because it’s a bit different. I need to type in passwd underline Se Linux and then I’m going to let’s clear the screen Manpass WD Se Linux and there we go. If you scroll down to the bottom, I know a weird place to start. It says that this manual page was autogenerated using Selen se policy manage.

So this is not something that a human hand has typed in. Rather instead this is something that has been autogenerated by a system tool. If you compare it to some other man pages, for example Man SC Linux. If you scroll down to the bottom you will see come on, where is it? Where is it? Two reasons why I’ve opened up this page. Author okay, the manual page was written by Dan Walsh. Excellent. So this was written by a human hand while that one was actually generated. And down below you can see a fine example of what we are using at the moment, but simply for a different service. It says httpd underline Se Linux and then you type in man in front and you get a detailed description of what is going on there. Now if we’ve typed this in Mank SELinux but it doesn’t really give us everything. So don’t completely rely on this to give you whatever it is that you need.

Rather instead remember the format and rely on the format to help you out. So if you know the name of the service, you type in the name of the service underline SELinux and give it a shot and see if there is a man page for it. Here you will realize why this is very useful. Now remember I said a moment ago that a policy rule states that processes running in past WD underline T domain are allowed to read and write to files labeled with the shadow underlined T type. Well, how on earth are you going to know this? How on earth are you going to know which processes are running in the past WD underlined T domain? How will you figure out that past WD is running in that particular? In what domain is it running in the first place? How will you know that what you’re going to go on to the net every time and look for it over there.

Sure, it’s a valid option. I mean, you will definitely find the answer, but you’re kind of going to be stuck in front of a console somewhere where you won’t have GUI or a browser and you need to be able to do this purely by using the terminal. So once you do this, once you have installed these tools and once you type in demand pages for these things now you can see some useful information here. It says here security enhanced Linux policy for the past WD processes. So we have the entire policy for us explained here. You can figure out hold on processes running executing process. You can figure out which processes are running in this domain by just typing in this. Do you remember this? What we have done with the set argument? LS set?

Well, we can do the same thing with the PS. You can add your own set of arguments here and then just add set at the end and then just grab out the domain that you want and you will see all the processes that are running in that particular domain. Very simple, very nice. It gives good insight. Now it says that there was an entry point so the past WD underlined Tsilinx type can be entered via the past WD underline exec t and what was labeled with this past WD was labeled with this. So this can access this and in turn this can access shadow underline T, which is very nice. How do we know that this can access shadow underline T? Well, if we just keep on scrolling down oh, by the way, before we scroll down you have this se manage permissive a past WDT.

This can be used to make those processes, to make the processes which have that label which have their type labeled as passed w the underlying t to be permissive. So you don’t need to put your entire silinx into the permissive mode. Rather instead you can put it in permissive mode for a specific process which is very nice. So you don’t need to shut your entire internal security system down just to troubleshoot a single process, but rather instead you can just disable it for processes running under that particular label, which is very nice. Usually just one process which you want to mess around with. You’re going to catch some others, but no big deal. We’re going to deal with a lot of these things later on, setting up booleans, et cetera. Don’t worry, we’ll get to that. Don’t be too concerned that I’m going to skip it or something like that. But here, look. It says Managed files SELinux processes type pass WD underline t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Okay, so this one can be managed, this one can be managed and you can see which files correspond to this type, you can see their paths.

Okay, so these paths can change from one system to the other. I don’t know, from one version of sentos to another. It’s okay, they have a way of dealing with this. But you can see the paths and then you can see the label which this one is allowed to interact with. So you have an entire list not only of labels which are allowed which password underlined T is allowed to interact with breadwin, but as well you have a list of files which belong to those labels which are labeled So. Sorry, and past WD underline file. Okay, so anybody remember this file that we have used before? Past WD at C and Etsy group. We have definitely messed around with these files in the past. And down below, here we go. So this is the file that we need. And you see it has a label of shadow underlined T and this one has a label of Etsy shadow. Now we know that we can interact with it. We know that this is the label for our process. And we know that this label can be entered via this one here.

Sorry, not the label for the process. The process will run under this label, but that this one can interact with this one, and this one in turn can interact with well, I’ve lost it. It’s somewhere around here at the bottom. There we go. And so this one can interact with this one in turn. This file is labeled So, and therefore this file can be changed and edited via the password command. Okay, hopefully that has all settled in a way to an extent. Hopefully. I sincerely hope that it did and that it does function. Now, if all of that is going on, we can type in the command that we have seen there. Psef. Well, he just typed in EI. I like to use the EF argument. And we’re going to type in this grab, sorry, pass WD underline T. And there are no processes running other than our grep. So that’s the only thing that’s going to run here as such and nothing else. We haven’t really started the past WD process, but let’s see if we can manage to do just that and have a look. Come on.

Okay, so let’s zoom it in. And let’s zoom this one in as well. We’ll put it like this one underneath the other. Wasting a bit of time here. There isn’t really much of the example. It’s more of a theoretical application. When we start configuring Apache and SSH and all that, that’s going to be a lot different. Who cares? You can see it. Actually, you can’t. Now you can. Okay, so we’re going to say Fast WD Creator and we’re going to press Enter. And this process has started. And down below we’re going to type in PS E-E-F set. And we’re going to type in Voila. You see that there’s more than one thing here now, and this is a bit messy, let’s see if we can make it a bit smaller. So let’s just expand this one across the screen. You know that the password is running in the background, gave a bit of a smaller font, but hopefully you all can see this without bigger problems.

So let’s see, where is it? So XV and C don’t need that VNC password. There we go. So this is the one that we were looking for. I passed a really bad filter. There we go. Now we can see it. So this one is just the grip. We don’t really care about that one, but we do care about the top one. And there you can see that indeed it has a label of path WD with which the file which was hold on, let me just do this so you can see it on the screen while I’m typing in LS usrpin passwd.

There we go. And we’re going to do one more LSL set etsy shadow. So before I wrap it up one more time, very slowly, you have all three of them listed. Now, before you, this one here, this is the password executable, the program which we’re going to run. But the executable file which is to be executed is labeled as password underline exec underline D, which has an entry point here, which can interact with this one. There is a rule which states that it can interact with pass WD underline t and then a process which is labeled with pass WD underline t can in turn edit this file here. Shadow underline t can edit the shadow file with the label shadow underline and we have seen all these markations, all these labels for the past WD command by typing in man space, past WD underline se Linux, all of that is explained there. Who can interact with who, what.

4. SELinux and Apache part 1

Welcome all back to the tutorial and I’m going to go ahead and do a bit of a demonstration here with files that need to be accessed from the Apache web server. Anyway, while I was doing some prep work, I realized that my siblings were in Permissive mode, which basically made everything fly through, didn’t basically prevent anything. So that was a bit annoying to see that none of my commands actually worked or settings worked. And I was like, Why? But hey, I figured it out, it was just in Permissive mode. I forgot to reconfigure it, I forgot to reset it from the previous tutorial. Anyway, we’re just going to type in Se status just to be certain, so you don’t have to go through that. It says that the current mode is enforcing. Of course you can also use Get Enforced and realize that it’s an Enforcing Mode. Here you’re just given a bit more information, just the current mode from the config file and the Ace Linux status. Was it enabled or not at all.

So very useful. Anyway, what we are going to do is navigate over to this folder. So VAR, www, HTML, LS and some file with some name. I am seriously creative with these names. Let’s go ahead and delete this. Just create any file here with Touch. Name it any way you want, you don’t need to name it. Some file with some name that actually sounds rather confusing. I’m going to name mine. What do I have on my desk? Water water TXT let’s put it like that. So water TXT, that’s going to be my file in this folder. Now we’re going to start the Apache server or verify that it is running anyway. So we’re going to type in Systemctl Status Httpd and it seems to be running, so no worries. It says Active active running, so that’s fine if it’s not running. If you get anything else other than what I got, you can just type in here. Start. There we go. And now we’re going to clear the screen. So make sure that Se Linux is enforcing and that Apache Web server is running. Those are the first two prerequisites. Now I do believe that the Wget is installed by default. I keep getting hammered for using the tools that are perhaps not installed by the default, but there are things that people generally use in Linux. So I have shown you how to install things so you know how to install them.

But we’re just going to go ahead and type in yum, install Wget just in case it is not installed and it should go through rather fast. Something failed, no big deal. The connections break. It says that the package that we get is already installed and the latest version, so that’s perfectly fine. It’s there. The next thing that we’re going to do is type in is actually just type in LS, sorry, set and we can see how this is labeled. It says httpd underline sys underline content underlined if you’re interested to figure to see how this works in relation to the past WD, the process is pretty much the same as with past WD. I mean, not how it interacts with each other, but rather instead if you want to see all those things, all the labels and all the domains that it can transition to interact and work with, what sort of labels can there be for files, for Apache to be able to access them, et cetera. You can do exactly the same thing as we did with the past WD and simply type in man httpd underline SC Linux and then just repeat the procedure from before. Look for the things that you need to look for here. Feel free to read through the man pages. Very important, not a bad idea at all. If you want to go ahead and skip through a lot of it, I would suggest reading at the first couple of points and then you can go down, sorry, not far down actually I don’t know it is here for sure, just don’t know which line it is.

There we go. Actually I’m passing over them, it’s just that there is a lot of these things. So here you go, you have these labels as before you have a lot of them so just feel free to take a look if you wish. If not, well just follow through the tutorial and hopefully it will be clear. But I’m just trying to make a point that it is exactly the same if you want to get more information as with past WD. So there’s no need to go into great, great detail into the man file, into the man text file and basically explained every single thing, how it interconnects and interrelates. The procedure is the same for the processes generally this should work like man http the underlying sclenux or you can type in some other service here or some other executable here, as I did a moment ago with passwd. Anyway we see that it has this label and if you want to take my word that this is a proper label, feel free I would advise you not to and to check it in the http underline st Linux file and see it for yourselves the same way we conducted checks with past WD. That is all I’m saying. You will get a bit more out of it if you do it yourself. If you get stuck, there’s always the discussion section, so just ask away.

Also now we are going to use the ch con command which will relabel this file, which will relabel the water TXT and we will change the type. So you will see how we can, at a certain point of time, how we can download a file and how at a certain point of time after that we have conducted the change and after we have imposed an improper label we will no longer be able to download the file. So let’s just go ahead and begin. We can type in Chcond and we’re going to put some random label here. I think I got this particular example somewhere from the net. I’m not sure from where, but it’s completely relevant. You can put any label you want. So sumba underline share, underline D. We don’t need the full path since we’re in the directory, but I’m going to give you a full path and then HTML and what was our file? Water TXT. So if we were to enact this command, we would no longer be able to download this file. From here, chcon conducts changes with Se Linux labels which will not survive relabeling or reboot. If you want to impose permanent changes, we will do that with SC manage a bit later on during the follow up tutorials, but for the time being we’ll just learn how to impose temporary changes.

This is very nice for troubleshooting and very nice for learning as all you need to do to go back to where you started is just reboot the machine. And especially if it’s a virtual machine, no harm done, everything is fine. Actually I’m just going to go ahead and copy this so I don’t have to retype it. And we are going to clear the screen. We’re no longer going to be root. So I’m going to exit route and I’m going to do a list here with this test. I don’t need that. Let’s go into the document. The Documents folder have something here. So this is going to go and this is going to go. I’m not going to actually remove this because I don’t know what it is. Later on I’ll mess around with it. Let it just stay there for now. But look, I’m doing the LS in this folder and you can see that I have nothing in here other than this file. So definitely I don’t have water TXT right, it’s not here.

Now I’m going to go ahead and type in Wgethtpcolocalhostwater TXT, press Enter and the download is download will finish quite fast if I do LS. You can see that I have water TXT here. Indeed it is there. So you can see that I have managed to download it, but now I’m going to go ahead and remove it because I no longer want it there. I will go back to the root, to being root, because I like to be root now. It’s just joking though it actually gives me chills because I always know that I am always positively certain that I’ll mess something up for no reason or whatsoever. Okay, let’s go back to the folder. And now I’m going to go ahead and relabel this. Since I am already in the folder. I don’t need the full path, but it’s just giving you an example. Then I’m going to do a list set and you can see that I have indeed changed this field and now it is something different, something strange. It is a lot different from what it was. Let’s go ahead and repeat the procedure. I’m going to exit and I’m back in this document, in this folder and I’m going to do LS. There is nothing, the water TXT is not there and if I type in W get well, actually I can just repeat the command from before.

It should be around here somewhere. There we go. What happened? It says error 403 forbidden. So I am no longer able to download this file. What could be the problem? And you can see that it is labeled with the DAC as world readable. So what is the problem? Why can I not pull it from the server? It says error 403 forbidden. Not going to happen at all. We can go ahead and remove the file or not, doesn’t really matter. I would advise you to remove it because we’ve messed around with the AC Linux settings. So I’ll just go ahead and do that anyway. I don’t particularly care for it anyway. There’s nothing in it. Yes, no big deal. Just to be on the safe side. And the log file should have been created that we can now examine and see what has occurred. So let’s go ahead and type in clear the screen first. You can use control L to clear the screen as well. Here we go, control L and it clears. So we’re going to type in tailspace VAR logit, log. What else do I got? One? No, this one should be fine. And we have a lot of things here, like a lot. So this is not something that we can go through with our naked eye. Although it wouldn’t be that difficult because look, this is where I shoot the command and this is how long the command was. That is all that there is to it. Now we would use the label of the file that we have deleted to actually grab it out. But no big deal, really no big deal.

This is a very small file now and I don’t need to grab anything out. I can see it for myself. So you can immediately see here the first one. It says type ABC and MSG. Audit. It says denied for this process. And you have Httpd, and then you have the Path. It says Farter TXT. It says System u systemr httpd underlined TS zero unconfined. And there we go. We have some sort of a label that we have placed here from somebody that we have borrowed from somewhere else in the system. And obviously it’s not going to work if this change because no policy exists which will actually permit this to occur. So this is how this error message would actually look like. Did I grab everything? Let me just hopefully I did. There we go. That should be the first segment and then we have down below as well. That it. Was denied. The Get request is not happening at all.

This cannot happen. And you can also do this, just scan for deny things. You can try to drop out what has been denied in general, but you can just go ahead and read through the files through one section after another and you should be able to see it. However, okay, granted, this is not the best of files to read through just like this with a naked eye. And we will deal a little bit more with the audit logs and see how it actually all works out. But in general, what you would do is something like this. So just tail and then you would have F. This would be live monitoring. It was working. I just want to make it a bit clearer. So this would be live monitoring. And if we open up another terminal, I love going the long way around for no reason. Just zoom it in a little bit. One more should do it. Okay, so you will see the log file up above. Yes. Excellent. So you can see how the things are happening as I am doing certain things here as well. I can go to cdbard HTML. I’m going to do LS and I’m going to do touch. How shall I call the file? Bottle? Bottle of water bottle? TXT or no, even better. Look at me. I don’t need a TXT. And there you go. I have created a file. If I do LS set, you can see that it has a certain context. It is labeled in a certain way. But now we are going to relabel it and we’re going to do LS set. And you can see that now we have something completely else here. I’m going to go ahead and exit this user. So you see, it is recording the root access. If you attempt to switch to root. And if I do this something random, it’s going to say that it has failed. So you see, it’s going to say that it has failed.

These log files are quite important. Just want to demonstrate that. Let’s go into documents. Well, I don’t even know where I’m going here because we’re not going to download anything, but we’re going to try to download it for sure. Httpdp localhost look at me. And we’re going to go ahead and cancel this. Clear the screen, do the tail again, which didn’t really help out at all. And I really thought it would, some strange reason. Not the way it works. Let’s just go ahead and attempt to download and monitor the upper log. So this is going to change. Enter.

Oh, sorry, not there, down below. You see, it immediately has recorded. It says here that it is forbidden and it’s a bit easier to see now. It says, look at me. Okay, so this is not the best format. So let’s go ahead and do this. And it should be around here somewhere. It shouldn’t be that difficult to spot. Look at me. Should be somewhere around here. I forget about this. I think it’s the last line, but who cares? Let’s just go ahead and do this. And it’s immediately going to pull out all the lines with this particular file. Look at me. And you can see that it was denied indeed that there was an attempt of an unauthorized access. And it tells you which service from which service that it came. It tells you the PID and it tells you the path, the file where the access was actually attempted. But we will deal with this a bit more later on as well. Anyway, I bid you farewell.

• Category: Uncategorized