P a g e | 1
SELinux Policy
Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm
Educational Objectives
This lab shows how to use and modify the current SELinux policy, and how to create new
SELinux policy modules and install them. After completing this lab, you will know how to
Confine network ports
Check and restore default SELinux security contexts under a directory
Modify current SELinux policy
Create new SELinux policy modules and integrate them into current policy.
Lab Environment
One Fedora 18 VM is needed for this lab.
This lab assumes that the SELinux commands and libraries were installed on this machine for the
previous lab. If not, run the following command as root to install the current SELinux
packages on Fedora 18 (the glob is quoted so that the shell does not expand it before yum sees it):
yum install '*selinux*' --skip-broken
Section 1 Confining Network Ports
When a network service is confined, the port numbers it is allowed to listen on are defined in the
SELinux policy. The command below lists all port definitions in the loaded policy; part of the
list is shown in the screenshot below:
semanage port -l
In the list, the first column shows the SELinux port type, which indicates the network service. The
second column gives the protocol (tcp or udp). The last column lists the port numbers and ranges.
When SELinux is enforcing, the Apache HTTP server (httpd) runs confined, in the httpd_t domain. The
following command shows the port numbers (type http_port_t) that the current SELinux policy allows
httpd to listen on:
semanage port -l | grep -w http_port_t
If the Apache HTTP server is configured to listen on a port that is not defined for http_port_t in
the policy, SELinux denies the bind and the server fails to start.
Please perform the following practice as root to test the effect:
Stop httpd if it is running. (systemctl stop httpd.service)
Configure httpd to listen on a port that is not defined in the SELinux policy.
o vim /etc/httpd/conf/httpd.conf
o Look for the Listen directive.
o Change the port number to 90. (Assume that port 90 is not defined for
httpd by the SELinux policy. Otherwise, use another number.)
o Save the file.
Run systemctl start httpd.service to start the Apache HTTP server.
Could you start the service? The answer is no. You should see a result similar to the following:
The output of systemctl status httpd.service shows that the start failed. The messages logged in
/var/log/messages (and the AVC record in /var/log/audit/audit.log) give the detail, as shown in the
following screenshot: httpd was denied the name_bind permission on TCP port 90, a port that the
current SELinux policy does not assign to http_port_t, so the listening socket could not be bound
and httpd exited.
P a g e | 4
How do you fix this problem when you run into it? There are several approaches:
a) Disable SELinux, which you most likely do not want to do if you are relying on SELinux to
secure your web server.
b) Make httpd listen on a port that the policy already defines for httpd, which is the
recommended choice in general.
c) Tell SELinux that you want httpd to listen on a specific port (modify the port definitions
in the policy), which is useful when you have a reason to run the server on a port of your own
choosing.
The command below tells SELinux that you want httpd to listen on TCP port 12345. The option -t
gives the port type and -p specifies the protocol (tcp or udp) of the port:
semanage port -a -t http_port_t -p tcp 12345
Scenario 1
You are setting up a web page and you want httpd to listen on TCP port 999. The web server
runs Fedora 18 with the current SELinux targeted policy enforcing. You believe that SELinux
policy makes the web server more secure and you do not want to disable it.
P a g e | 5
Question 1: Please summarize what you need to do to achieve the goal specified in Scenario 1.
Attach screenshots to demonstrate your results.
Now you can switch the httpd.conf file back to its original version (Listen 80).
One question you may ask is: can I remove a port from the SELinux policy? I leave this
question for you. Please find the solution and test it.
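The port workflow from this section as one script, added here as a worked example (it is not part of the original handout). It wraps the semanage port commands in functions and includes a small parser for the output of semanage port -l, so the check can be exercised on a constructed sample without root or a Fedora machine. The sample listing, the port number 12345 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: manage and check the TCP ports SELinux lets httpd_t bind.
# Not from the lab handout. Port 12345 and the sample listing are assumptions.

# Constructed sample of `semanage port -l` output (header line included),
# used so that the parser can be exercised offline.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
smtp_port_t                    tcp      25, 465, 587'

# port_in_type TYPE PROTO PORT LISTING
# Succeeds when PORT falls in one of the numbers or ranges listed for
# TYPE/PROTO in LISTING (text in the format of `semanage port -l`).
port_in_type() {
    printf '%s\n' "$4" | awk -v t="$1" -v p="$2" -v port="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip the trailing comma
                n = split(v, r, "-")              # "lo-hi" or a single port
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Live checks: these need SELinux tools and, for changes, root.
httpd_port_status() {            # usage: httpd_port_status 12345
    port_in_type http_port_t tcp "$1" "$(semanage port -l)"
}
allow_httpd_port() {             # adds PORT to http_port_t (fails if the port
    semanage port -a -t http_port_t -p tcp "$1"   # already belongs to another
}                                # type; use -m instead to reassign it)
revoke_httpd_port() {            # removes a locally added definition only
    semanage port -d -t http_port_t -p tcp "$1"
}

case "${1:-}" in
    allow)  allow_httpd_port "$2" && semanage port -l | grep -w http_port_t ;;
    revoke) revoke_httpd_port "$2" ;;
    check)  if httpd_port_status "$2"; then echo "tcp/$2 is http_port_t"
            else echo "tcp/$2 is NOT http_port_t"; fi ;;
    *)      # offline demonstration on the constructed sample
            for port in 80 90 12345; do
                if port_in_type http_port_t tcp "$port" "$SAMPLE_PORT_LIST"
                then echo "sample: tcp/$port allowed for httpd"
                else echo "sample: tcp/$port not allowed for httpd"; fi
            done ;;
esac
```

Run it as root with `sh ports.sh allow 12345`, then `check 12345`, then `revoke 12345`, and watch the AVC log while httpd starts on each port. Two points the lab leaves as exercises: semanage port -a refuses a port that already belongs to another type (use -m to reassign it), and semanage port -d only removes definitions that were added locally; ports compiled into the base policy, such as tcp/80 for http_port_t, cannot be deleted that way.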
Section 2 Checking and Restoring the SELinux Context
In SELinux, type enforcement is all about labels. Every process, file, directory and device on a
SELinux system has a label (security context). If these labels are wrong for some reason,
SELinux will not function properly and AVC denials will occur. To cope with this, the SELinux
developers have provided several utilities that check and restore the default SELinux
contexts. One of them is the command matchpathcon.
From matchpathcon(8) man page: "matchpathcon queries the system policy and outputs the
default security context associated with the file path." It can be used to check if files and
directories have consistent SELinux contexts. Please use man page to learn how to use it.
Please perform the following to gain experience with this command.
Run touch /var/www/html/file{a,b,c}. This creates three files that inherit
the httpd_sys_content_t type from the /var/www/html directory. Please verify it using the
tool you have learned.
Run chcon -t samba_share_t /var/www/html/filea
Run chcon -t admin_home_t /var/www/html/fileb
Run ls -Z /var/www/html to view the changes.
Run /usr/sbin/matchpathcon -V /var/www/html/* and study the results.
Now you have identified inconsistent labels associated with files in /var/www/html/ directory.
You can verify that only file filec is accessible by httpd.
Again, the question is how to resolve the inconsistent labels and let the Apache HTTP
server access those files. You can relabel the files one by one. However, the following
command makes the job much easier when a great number of files have inconsistent labels:
/sbin/restorecon -v /var/www/html/*
Please run the above command and test its effects.
You may ask: why bother running matchpathcon to identify the wrong labels first, when
restorecon restores the default context anyway? Again, I leave this question for you. (It helps
to identify the problems before trying to resolve them.)
Please remove the files (filea, fileb, filec) in the /var/www/html/ folder.
Scenario 2
A web programmer has created three files (file1, file2, file3) in his home directory
(/home/student/lab10/). He wants to link them to the web page. You have done the following:
mv /home/student/lab10/file* /var/www/html/
Then you create two files (index.html, secret) in your own directory (/root/lab10). You know
that the file index.html is for the web page, but secret contains confidential data and cannot be
exposed. When the files have been created, you do the following to move those files:
mv /root/lab10/* /var/www/html/
Then you tell the web programmer to test the result.
Question 2: Perform the tasks described in Scenario 2 as the web programmer and as the root user.
What does the web programmer report when he tests the result? If the web programmer has a
problem, fix it as the system administrator so that the files are accessible by httpd. Use
screenshots to demonstrate your work and the results. Note that, for security purposes, as the
system administrator you do not want to expose any confidential data (the secret file) to anybody.
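A script for the check-then-restore procedure above and for the moves in Scenario 2, added as an example (it is not from the handout). Its parser runs over a constructed sample of matchpathcon -V output that matches the chcon steps; the live functions assume the lab's /var/www/html directory and only run when you pass check or fix on the command line. Function names are assumptions.

```shell
#!/bin/sh
# Added example: find files whose label differs from the policy default, then
# restore them. Not from the lab handout; the sample report is constructed.

# Constructed sample of `matchpathcon -V /var/www/html/*` after the chcon steps.
SAMPLE_MATCHPATHCON='/var/www/html/filea has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/fileb has context unconfined_u:object_r:admin_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/filec verified.'

# mislabeled_from_report REPORT
# Prints "path current-type expected-type" for each line that is not "verified."
mislabeled_from_report() {
    printf '%s\n' "$1" | awk '
        $2 == "has" && $3 == "context" {
            cur = $4; sub(/,$/, "", cur)        # strip the trailing comma
            split(cur, c, ":"); split($NF, e, ":")
            print $1, c[3], e[3]                # third field of a context is the type
        }'
}

mislabeled_count() {
    mislabeled_from_report "$1" | wc -l | tr -d ' '
}

# Live helpers (need the SELinux tools; fix_labels needs write access).
check_labels() {                 # usage: check_labels /var/www/html
    mislabeled_from_report "$(matchpathcon -V "$1"/*)"
}
fix_labels() {                   # usage: fix_labels /var/www/html
    restorecon -Rnv "$1"         # -n: dry run, report what would change
    restorecon -Rv "$1"          # then actually relabel
}

case "${1:-}" in
    check) check_labels "${2:-/var/www/html}" ;;
    fix)   fix_labels "${2:-/var/www/html}" ;;
    *)     echo "$(mislabeled_count "$SAMPLE_MATCHPATHCON") mislabeled file(s) in sample:"
           mislabeled_from_report "$SAMPLE_MATCHPATHCON" ;;
esac
```

Why the moves in Scenario 2 break the web page: mv within one filesystem keeps the inode and therefore the file's existing label (user_home_t from /home/student, admin_home_t from /root), while cp creates a new file that inherits the destination directory's default, so the moved files are not readable by httpd_t until they are relabeled. Note the caveat for the secret file: restorecon -R on the DocumentRoot would label it httpd_sys_content_t as well and make it servable, so move it out of /var/www/html before relabeling rather than relying on its wrong label to protect it.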
So far we have worked with the existing SELinux policy without modifying it. How can we modify it?
There are several ways, at different levels. We will look at some of the techniques that can be
used to modify the policy in the following sections.
Section 3 Booleans
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of
SELinux policy writing.
3.1 Listing Booleans
For a list of Booleans, explanations of what each one is, and whether they are on or off, run the
following command as the Linux root user.
semanage boolean -l
The following screenshot shows part of the Boolean list on my computer.
The SELinux boolean column lists Boolean names. The second column gives the default value. The
Description column tells what each Boolean does.
The getsebool -a command lists Boolean values. The getsebool boolean-name command gives
the status of the boolean-name Boolean:
getsebool samba_run_unconfined
Use a space-separated list to list multiple Booleans:
3.2 Configuring Booleans
The setsebool command sets SELinux Boolean values. It has the following format:
setsebool [-P] [-N] boolean-name x
where boolean-name is a Boolean name, and x is 1, true or on to turn the Boolean on, or 0, false or
off to turn it off. Several Booleans can be set in one call as boolean-name=x pairs. Without -P the
change lasts only until the next reboot or policy reload; use the -P option to make it persist. If
the -N option is given, the policy is not reloaded into the kernel after the change.
Some Boolean changes are straightforward. For example, to allow the Apache HTTP Server to
access Samba file systems (files labeled with the cifs_t type), you can simply run the
following:
/usr/sbin/setsebool httpd_use_cifs on
To allow Apache HTTP Server to access NFS file systems (files labeled with the nfs_t type), do
the following:
/usr/sbin/setsebool httpd_use_nfs on
Others are less obvious. In particular, it can be complex to prevent a service from accessing
files of a certain type: a thorough study is usually needed before you know what to change.
You will gain that experience in the following scenario.
Please do the following:
setsebool httpd_use_nfs=on httpd_enable_homedirs=on use_nfs_home_dirs=on
Scenario 3
You have the Apache HTTP Server (httpd) running on a Fedora 18 system with the SELinux targeted
policy enforcing. The system also serves files from an NFS mount. To secure your file
system, you do not want the server to access files labeled with the nfs_t type. In addition, you
want to test your configuration to make sure it works as expected.
Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use
screenshots to demonstrate your work and results. (Hint: study these three Booleans:
httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs)
Do you see the complexity of SELinux Booleans? Some Booleans are not orthogonal: they are
related to each other, and different combinations of settings can produce or imply unexpected
results.
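A check for Scenario 3, added as an example (it is not from the handout). The decision rule encodes the two tunable_policy blocks in the reference policy's apache module that grant httpd_t read access to nfs_t: one keyed on httpd_use_nfs alone, the other on httpd_enable_homedirs together with use_nfs_home_dirs. The getsebool -a sample is constructed; the harden and verify functions assume the setools 3 sesearch syntax that Fedora 18 ships and only run when you pass harden or verify on the command line. Function names are assumptions.

```shell
#!/bin/sh
# Added example: does the current Boolean state let httpd_t read nfs_t files?
# Not from the lab handout. Encodes the two refpolicy apache tunables:
#   httpd_use_nfs                              -> fs_read_nfs_files(httpd_t)
#   httpd_enable_homedirs && use_nfs_home_dirs -> fs_read_nfs_files(httpd_t)

# Constructed sample of `getsebool -a` output: the state the lab asks for,
# with only httpd_use_nfs switched back off.
SAMPLE_BOOLS='httpd_enable_homedirs --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
use_nfs_home_dirs --> on'

# bool_value NAME OUTPUT : prints on/off for NAME from getsebool-style text
bool_value() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }'
}

# httpd_reads_nfs_t OUTPUT : succeeds when either tunable expression is true
httpd_reads_nfs_t() {
    use_nfs=$(bool_value httpd_use_nfs "$1")
    homedirs=$(bool_value httpd_enable_homedirs "$1")
    nfs_home=$(bool_value use_nfs_home_dirs "$1")
    [ "$use_nfs" = on ] || { [ "$homedirs" = on ] && [ "$nfs_home" = on ]; }
}

report() {                       # report OUTPUT
    if httpd_reads_nfs_t "$1"; then
        echo "httpd_t CAN read nfs_t files with these Booleans"
    else
        echo "httpd_t cannot read nfs_t files with these Booleans"
    fi
}

case "${1:-}" in
    live)   report "$(getsebool -a)" ;;
    harden) # persistent: all three off, so neither tunable branch is enabled
            setsebool -P httpd_use_nfs=off httpd_enable_homedirs=off use_nfs_home_dirs=off ;;
    verify) # show the allow rules and the Boolean expression guarding each
            sesearch -C --allow -s httpd_t -t nfs_t -c file -p read ;;
    *)      report "$SAMPLE_BOOLS" ;;
esac
```

With the sample, httpd_use_nfs is off, yet the check reports that httpd_t can still read nfs_t files, because the home-directory pair is on; that is the trap in Scenario 3. After harden, confirm on the live system with the verify branch and then by actually requesting an nfs_t file through httpd and looking for the AVC denial.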
Section 4 The audit2allow command
SELinux denials will be logged. The utility audit2allow can be used to generate SELinux policy
allow rules from logs of denied operations.
4.1 Log files
SELinux denial messages are written to the /var/log/audit/audit.log file by default:
In addition, if setroubleshootd is running, denial messages from the /var/log/audit/audit.log
file are translated to an easier-to-read form and sent to the /var/log/messages file:
Denial messages are sent to different locations depending on which logging daemons are running
on your system. Table 1 gives a good approximation for Fedora Linux systems.
Table 1 Log locations
Daemon                      Log location
auditd on                   /var/log/audit/audit.log
auditd off; rsyslogd on     /var/log/messages
auditd and rsyslogd on      /var/log/audit/audit.log; easier-to-read denial messages are also
                            sent to /var/log/messages
Please view the log files on your computer and identify SELinux AVC denials. If you cannot see
any, generate some.
4.2 Allowing access
The audit2allow utility is commonly used to generate SELinux policy allow rules from logs of
denied operations. In SELinux, access is denied by default: if you want an action to be
allowed, an allow rule must exist in the SELinux policy. audit2allow makes writing such rules
less work. However, it must be used with care.
It works in two steps:
Generate allow rules for the logged denied operations.
Integrate/install the rules into the SELinux policy.
As a system administrator, the most important things are to
Understand why the operations were denied;
Decide whether you actually want to allow the denied operations.
Most likely the denials are correct, and what you want is to fix their cause (a wrong label, a
missing port definition, a Boolean) rather than to allow the access.
Please do the following to install audit2allow:
yum install /usr/bin/audit2allow
Please use the man page to learn the audit2allow utility.
The following command explains why each logged denial occurred:
audit2allow -w -a
Please run the above command and study the reasons why the denials occurred on your system.
The following command will tell what allow rules are needed to allow the denied accesses that
are logged.
audit2allow -a
Please run the above command to understand what rules are needed to allow logged denied
accesses. Please note that one allow rule may fix a great number of denials.
To use the rules displayed by audit2allow -a, run the following command to create a custom
module:
audit2allow -a -M myRule
The -M option creates a Type Enforcement (.te) file with the name given to -M in your
current working directory. audit2allow also compiles this .te file into a policy
package (.pp) file that is ready to be loaded with the semodule command, and prints what you
need to do to install these rules, as shown in the following screenshot:
Should you simply follow the instruction and install your custom SELinux module? That is how the
tool is meant to be used, but things are not so simple. Before you install the module, study
the allow rules carefully to make sure they are what you want. For example, the following
screenshot shows some of the allow rules generated on my computer.
Do I need the allow rules under the httpd_t section? Those denials were generated while
deliberately testing the confinement of the Apache HTTP Server in the earlier sections, so
installing rules that allow them makes no sense: they would undo exactly what the policy is there
to enforce. This is the homework to do before integrating generated allow rules. You do not want
to weaken your system with your own allow rules; otherwise, why bother running SELinux at all?
Please use the audit2allow man page to learn how to generate policy package and install it.
Examples are located at the bottom of the man page.
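The read-before-you-allow step in code, added as an example (it is not from the handout). It summarises an AVC record the way you should before running audit2allow -M, and suggests the label fix from Sections 1 and 2 where one applies instead of an allow rule. The two denial records are constructed to match this lab's own exercises (httpd on port 90, a file moved in from a home directory); timestamps, serial numbers and function names are assumptions.

```shell
#!/bin/sh
# Added example: summarise an AVC denial and decide whether an allow rule is
# the right fix. Not from the lab handout; the records below are constructed.

# Constructed AVC record: httpd trying to bind port 90 (Section 1 exercise).
SAMPLE_AVC='type=AVC msg=audit(1357000000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=90 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# Constructed AVC record: httpd reading a file moved in from /root (Scenario 2).
FILE_AVC='type=AVC msg=audit(1357000001.000:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="fileb" dev="dm-1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_summary RECORD : prints "source-type target-type class perms..."
avc_summary() {
    printf '%s\n' "$1" | sed -n 's/.*denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# avc_hint RECORD : the fix to try before any allow rule, based on the class
avc_hint() {
    set -- $(avc_summary "$1")           # $1 src  $2 tgt  $3 class  $4.. perms
    case "$3 $4" in
        "tcp_socket name_bind"|"udp_socket name_bind")
            echo "port label: semanage port -a -t <service>_port_t -p ${3%_socket} <port>; an allow rule on $2 would open every port of that type" ;;
        "file "*|"dir "*|"lnk_file "*)
            echo "file label: check with matchpathcon -V and fix with restorecon, or use a Boolean, before allowing $1 access to $2" ;;
        *)
            echo "review the generated .te by hand before semodule -i" ;;
    esac
}

# Live workflow (root): build from the audit log, READ the .te, then install.
build_module() {                         # usage: build_module myRule
    audit2allow -a -M "$1"               # writes $1.te and $1.pp
    cat "$1.te"                          # review every allow line here
}
install_module() { semodule -i "$1.pp"; }

case "${1:-}" in
    build)   build_module "${2:-myRule}" ;;
    install) install_module "${2:-myRule}" ;;
    *)       for rec in "$SAMPLE_AVC" "$FILE_AVC"; do
                 avc_summary "$rec"; avc_hint "$rec"
             done ;;
esac
```

For the port denial, audit2allow would emit `allow httpd_t reserved_port_t:tcp_socket name_bind;`, which lets httpd bind any port labeled reserved_port_t, not just port 90; the semanage port command from Section 1 is the right fix. For the file denial, an allow rule on admin_home_t would let httpd read anything under /root with that label; restorecon on the moved file is the right fix.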
Scenario 4
You have set up a web server that runs Fedora 18 Linux with the SELinux targeted policy enforcing.
Some users call the help desk reporting that they cannot download some of the files from
the web site.
Question 4: Please describe the major steps you would like to take to fix the problem specified
in Scenario 4. Use screenshots to demonstrate your work and results.
Before you leave this section, please refer to Dan Walsh's "Using audit2allow to build policy
modules. Revisited." blog entry for further information about using audit2allow to build policy
modules.
Note: the semodule -i command may not work on Fedora 18
Section 5 The system-config-selinux and seinfo utilities
You may wonder how to view the types, policy modules, defined network ports and so on in the
SELinux policy. To serve this purpose, several tools have been developed.
One of the utilities is seinfo, which is located in /usr/bin/ by default. It allows users to query the
components of a SELinux policy. The following command installs seinfo utility:
yum install /usr/bin/seinfo
The use of seinfo has the following general format:
seinfo [OPTIONS] [EXPRESSION] [POLICY …]
When POLICY is omitted, the default policy will be queried. For example, the following
command will display the statistics for the default policy on your system, as shown in the
following screenshot:
seinfo --stats
Please use man page to learn how to use this tool.
Another useful SELinux tool is system-config-selinux. It operates with a GUI.
Install the utility:
yum install /usr/bin/system-config-selinux
The following command will launch the GUI that is similar to the following screenshot.
system-config-selinux
It can also be accessed from the menu: Administration => SELinux Management
Please check out this tool on your computer and play with it.
Scenario 5
You want to spend time and play with the seinfo and system-config-selinux utilities to learn
what they do and how to use them.
Question 5: Summarize the part that you thought was the most interesting when you conducted
the tasks specified in Scenario 5. Use screenshots to demonstrate.
The developer of the system-config-selinux tool wrote an article several years ago. The material
is old and the current system-config-selinux looks different, but it is still worth knowing.
Interested? Check out the article at the following link:
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
The author recently updated his blog regarding the use of system-config-selinux on the current
release. You may check it out at the following link:
http://danwalsh.livejournal.com/40350.html
Section 6 Bonus (4%)
Again, what you do for the bonus is not restricted, but it has to be related to SELinux, since
that is the topic of this lab.
I hope the way the bonus is given will increase your interest in the lab topic and give you more
freedom at the same time.
Please do the following to earn the bonus for this lab. More extra points may be given if you can
convince your instructor that you have done a significant amount of work on SELinux.
Work out a mini project of your choice based on what you have learned on SELinux so
far.
Describe your mini project: motivation, design and technical contents.
Implement your mini project.
Question B1: What is your mini project about? Give a description of your project, including
motivation, design and technical details.
Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers
to questions to show your implementation.
Survey Questions
Questions in this section will not be graded, but will make your suggestions and voice heard by
your instructor.
GQ 1. What changes would you like to make to this lab?
GQ 2. How much time did you spend to finish this lab?
GQ 3. Did you learn anything new, or gain a better understanding of the class lecture, by finishing
this lab?
Well, you have completed another lab for this class. Hope you enjoyed doing this lab. Please let
your instructor know if you have any comments.
Answer Sheet
============================= Required Part ============================
Question 1: Please summarize what you need to do to achieve the goal specified in Scenario 1.
Attach screenshots to demonstrate your results.
Question 2: Perform the tasks described in Scenario 2 as the web programmer and as the root user.
What does the web programmer report when he tests the result? If the web programmer has a
problem, fix it as the system administrator so that the files are accessible by httpd. Use
screenshots to demonstrate your work and the results. Note that, for security purposes, as the
system administrator you do not want to expose any confidential data (the secret file) to anybody.
Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use
screenshots to demonstrate your work and results. (Hint: study these three Booleans:
httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs)
Question 4: Please describe the major steps you would like to take to fix the problem specified
in Scenario 4. Use screenshots to demonstrate your work and results.
Question 5: Summarize the part that you thought was the most interesting when you conducted
the tasks specified in Scenario 5. Use screenshots to demonstrate.
============================ Bonus Part (4%) ===========================
Question B1: What is your mini project about? Give a description of your project, including
motivation, design and technical details.
Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers
to questions to show your implementation.