U of I CS 498 - Cyber Security SE Linux Exercise

Goal
Familiarize yourselves with the SE Linux tools in preparation for the upcoming SE Linux lab assignment. Exercise SELinux type enforcement and MCS policy.

Scenario
Bob Co is interested in SE Linux to provide the same kind of separation you implemented using ACLs in Windows. As a reminder, this company has three sets of employees:
• Engineers
• Financial folks
• System Administrators
Each set of folks would like a place on the file system where in general they have full control and other folks have read-only access. But each group of folks would also like to have the following subareas with different access:
• A public area that gives all users read and write access.
• A private area that blocks everyone except for folks of the same set.
Basic type enforcement policies should provide adequate separation. MCS may also work. Try both mechanisms to get a feel for their expressibility and ease of use.

Your Environment
Each machine has a Linux VM with the appropriate packages installed. Work in that VM. First explore your environment with the -Z argument of ls and ps and with the id command to identify the current security contexts.
Feel free to create and delete users as necessary. Use the “adduser” command to create new users. You may want to ssh into the VM as the new users to test access. Creating new users and getting the full permission set correct under X Windows can be difficult.

Enabling SELinux
The /selinux portion of the file system is mapped to the runtime memory of the SELinux system, much like the /proc file system maps out controls to the rest of the Linux system. The /selinux/enforce file controls whether the security server really enforces the policy or not. I have the lab systems configured to operate in permissive mode. This means the security server will be run, but the results will never really restrict access.
Instead only the error message will be logged, but the operation will be permitted.
You can directly change the value in the /selinux/enforce file to switch between permissive and enforcing mode, or you can use the getenforce and setenforce commands. If you change to enforcing mode, the system will actively use the results to restrict access. On reboot, /selinux/enforce will be reset to 0. This mode is valuable when developing policy: if you end up with a too restrictive policy, a reboot will return you to a state where you can fix things. So while you can set the system to be in a persistent enabled mode, please do not do this on the lab machines.

User Level View
As a user in an active SE Linux system, you don’t (can’t) interact with the policy. Someone else has set up the policy rules to associate types, categories, sensitivity labels, and rules with you. Also, some initial security contexts have been associated with all files and many other objects in the system.
Use the id command to determine the security context associated with the current running process.
While a user can be assigned the capability of multiple roles, and a role can have multiple domains associated with it, a given process at any point in time is associated with exactly one role and one type. The newrole command is used to transition between types, domains, and levels.
Many commands have been augmented with a -Z argument to show the new SELinux attributes. For example, ls -Z will show the security contexts associated with each file. ps -Z does the same thing with processes.
When you create a file, the type enforcement rules will use your current domain and the type of the enclosing directory to determine the type of the new file. You can change the existing label of a file (assuming you are a privileged user) using the chcon command.

Looking at audit messages
SE Linux audit messages are placed in the kernel buffer, which you can see with the dmesg command or by looking at /var/log/messages.
Look for the prefix “avc:  denied” (two spaces between the words) to find the access denied logs.

Interesting directories and files
The virtual machines have the targeted modular policy installed. We do not have access to the source for these modules. I have downloaded the refpolicy source, but this is not what is installed.
● /selinux – The root of the /proc-style file system that controls how the selinux kernel module operates.
● /etc/selinux – Root of the policy configuration area.
● /etc/selinux/config – Identifies the policy installed and the enforcing mode used at boot time.
● /etc/selinux/setrans.conf – The definition of user-friendly names for the built-in category names.
● /etc/selinux/refpolicy/src/policy/policy – The root of the reference policy module sources.
● /usr/share/selinux – Installed policy packages.
● /usr/share/doc/ – Contains one subdirectory about selinux and another subdirectory about the policy.

Interesting Commands
• GUI semanage from the “System Tools” menu. Wrapper for the command line semanage tool.
• GUI Policy Generation tool from the “System Tools” menu. Creates the start of a new policy module.
• GUI Policy Analysis tool from the “System Tools” menu. Also called apol.
• new -Z arguments – Many standard commands like id, ls, and ps now have a -Z argument that displays the security context associated with the process or file.
• semanage – Manages logins, users, ports. See the man page and the Gentoo reference below for more details.
• semodule – Compiles and loads policy modules. See the man page and the RedHat reference below for more details.
• chcat – Manage categories. See the man page and the Morris reference below for more details.
• chcon – Change the types associated with files. See the man page for details.
• newrole – Take on a new role.

Policy editing
With FC5, modular policy is supported. You can use the Policy Generation GUI to get started on creating your own module to define policy for an application, daemon, or set of users.
For each module there are potentially three files (actually four are created by the policy generation GUI).
• foo.te – This is the main and only required file. It includes the AV statements and any supporting type and role definitions.
• foo.if – The interface file. If your policy requires other modules to access what you define, you will need to create an if file. You should not need to create this file, but you will need to create an empty file to satisfy the standard policy makefile.
• foo.fc – The file context. Describes the base labels of files. You will
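As an added example (not part of the course handout), a small POSIX shell helper for the "Looking at audit messages" step above: it pulls the “avc:  denied” records out of dmesg or /var/log/messages output and rewrites each one as the allow rule it implies, so you can see which type-enforcement rules your foo.te module would need before switching the VM from permissive to enforcing mode. The sample log lines and the eng_private_t / fin_private_t type names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the course handout. Summarise SELinux AVC denials
# collected while the VM runs in permissive mode.
# Constructed sample of what dmesg / /var/log/messages might contain:
SAMPLE_AVC='audit(1150000000.123:45): avc:  denied  { write add_name } for  pid=2101 comm="touch" name="notes.txt" dev=sda1 ino=40123 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:eng_private_t:s0 tclass=dir
audit(1150000000.456:46): avc:  denied  { read } for  pid=2102 comm="cat" name="ledger.xls" dev=sda1 ino=40200 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:fin_private_t:s0 tclass=file
audit(1150000000.789:47): avc:  granted  { setenforce } for  pid=2103 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
kernel: eth0: link up'

# Read log lines on stdin; emit one record per denial as
#   scontext|tcontext|tclass|permissions
# Note the two spaces in "avc:  denied" that the handout points out.
avc_denials() {
    grep 'avc:  denied' |
    sed -n 's/.*avc:  denied  { \([^}]*\) } for .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2|\3|\4|\1/p'
}

# Turn each denial record into the allow rule that would permit it.
# The type is the third colon-separated field of a security context
# (user:role:type:level), which is all type enforcement looks at.
avc_to_allow() {
    avc_denials | awk -F'|' '{
        split($1, s, ":"); split($2, t, ":")
        printf "allow %s %s:%s { %s };\n", s[3], t[3], $3, $4
    }' | sort -u
}

# Usage on a live VM would be:  dmesg | avc_to_allow
# Here we run it over the constructed sample instead.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Treat the generated rules as a worklist to review against the intended separation, not as something to paste into foo.te wholesale: a denial of user_t on eng_private_t from an engineer's shell usually means the engineer's process is running in the wrong domain or the directory carries the wrong label, which chcon or a foo.fc entry fixes better than a broader allow rule.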