SELinux Policy - Michigan Technological...


Page | 1

SELinux Policy

Date Assigned: mm/dd/yyyy

Time Due: mm/dd/yyyy by hh:mm

Educational Objectives

This lab is designed to teach you how to use and modify the current SELinux policy. You will also learn how to create new SELinux policy modules and install them. After completing this lab, you will know how to

Confine network ports

Check and restore default SELinux security contexts under a directory

Modify current SELinux policy

Create new SELinux policy modules and integrate them into current policy.

Lab Environment

One Fedora 18 VM is needed for this lab.

Assume that you have installed the SELinux commands and libraries on this computer to finish the previous lab. If not, run the following command as root to install the current SELinux packages on Fedora 18:

yum install *selinux* --skip-broken

Section 1 Confining Network Ports

The port numbers a network service listens on are defined in the SELinux policy if that service is confined. The command below lists all defined port numbers and the port types they carry (the original handout shows part of the list in a screenshot):

semanage port -l


In the list, the first column is the SELinux port type, which identifies the network service; the second column gives the protocol (tcp/udp); the last column lists the port numbers or port ranges.

When SELinux is enforcing the targeted policy, the Apache HTTP server (httpd) runs confined, in the httpd_t domain. The following command shows the ports the current policy labels http_port_t, the port type httpd is allowed to bind:

semanage port -l | grep -w http_port_t

If the Apache HTTP server is configured to listen on a port that does not carry a type httpd may bind, SELinux denies the bind and the server fails to start.

Perform the following practice as root to test the effect:

Stop httpd if it is running: systemctl stop httpd.service

Configure httpd to listen on a port that is not defined for httpd in the SELinux policy:

o vim /etc/httpd/conf/httpd.conf

o Look for the Listen directive.

o Change the port number to 90. (Assume that port 90 is not defined for httpd by the SELinux policy; otherwise, use another number.)

o Save the file.

Run systemctl start httpd.service to start the Apache HTTP server.

Could you start the service? The answer is no. You should see a result similar to the following (the handout shows the output of systemctl status httpd.service in a screenshot):

The status output shows that the attempt to start the Apache HTTP service failed. The /var/log/messages file (and /var/log/audit/audit.log) contains the details of the failure, as shown in the handout's next screenshot: httpd is denied the name_bind permission on a port whose type the current SELinux policy does not grant to httpd_t, so the listening TCP socket cannot be bound and httpd exits.


How can you fix this problem when you face it? There are several approaches:

a) Disable SELinux, which you most likely don't want to do if you rely on SELinux to secure your web server.

b) Make httpd listen on a port that is already defined as http_port_t in the policy, which is the recommended choice in general.

c) Tell the SELinux policy that you want httpd to listen on a specific port (modify the policy), which is useful when you want to limit access to your web server.

The command shown in the handout's screenshot (semanage port with the -a option) tells SELinux that you want httpd to listen on TCP port 12345 by adding that port to the http_port_t type. The -p option specifies the protocol (tcp/udp) of the port.

Scenario 1

You are setting up a web page and you want httpd to listen on TCP port 999. The web server runs Fedora 18 with the current SELinux targeted policy enforced. You believe that the SELinux policy makes the web server more secure and you don't want to disable it.


Question 1: Summarize what you need to do to achieve the goal specified in Scenario 1. Attach screenshots to demonstrate your results.

Now you can switch the httpd.conf file back to its original version (Listen 80).

One question you may ask is: can I remove a port from the SELinux policy again? I leave this question to you. Find the solution and test it.
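The following Python script is an added example, not part of the original handout, that models the decisions behind Scenario 1 and the removal question: it parses a constructed excerpt of semanage port -l output, resolves which port type a given port carries (the narrowest matching definition wins, an approximation of the kernel's first-match over the ordered portcon statements), checks whether httpd_t may bind it, and builds the semanage port -a / -m / -d command to use. The port listing, the set of bind-able types and the rule that semanage port -a must become -m for a port already defined for another type are assumptions made for the example; confirm them on the VM with semanage port -l and sesearch.

```python
"""Check which SELinux port type a listening port resolves to and build the
semanage port command that lets httpd bind it."""

# Constructed excerpt in the layout of `semanage port -l` output; the port
# sets are illustrative, not copied from a real system.
SEMANAGE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

hi_reserved_port_t             tcp      512-1023
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

# Port types httpd_t may name_bind in the targeted policy (assumption; confirm
# with: sesearch -A -s httpd_t -c tcp_socket -p name_bind).
HTTPD_BIND_TYPES = {"http_port_t", "http_cache_port_t"}


def parse_port_list(text):
    """Turn the listing into (type, proto, low, high) tuples.

    A single port is stored as low == high; "8080, 8118, 10001-10010" style
    lists are split into one tuple per item.
    """
    entries = []
    for line in text.splitlines()[2:]:      # skip the header and blank line
        if not line.strip():
            continue
        ptype, proto, ports = line.split(None, 2)
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((ptype, proto, int(low), int(high or low)))
    return entries


def port_type(entries, proto, port):
    """Port type a (proto, port) pair resolves to, or None if unlisted.

    The kernel uses the first matching portcon statement; policy and semanage
    place explicit definitions ahead of the catch-all ranges, so picking the
    narrowest matching range reproduces that order here (assumption).
    """
    best = None
    for ptype, p, low, high in entries:
        if p == proto and low <= port <= high:
            if best is None or high - low < best[1]:
                best = (ptype, high - low)
    return best[0] if best else None


def httpd_may_bind(entries, port, proto="tcp"):
    """True when the policy lets httpd_t listen on this port."""
    return port_type(entries, proto, port) in HTTPD_BIND_TYPES


def semanage_add_command(entries, port, proto="tcp", target="http_port_t"):
    """semanage invocation that labels `port` as `target` for httpd.

    `semanage port -a` fails with "already defined" for a port that is an
    explicit record of another type (e.g. 22 is ssh_port_t); that case needs
    `-m`. A port covered only by a catch-all range can be added with -a.
    Returns None when the port already carries the target type.
    """
    explicit = [e for e in entries if e[1] == proto and e[2] == e[3] == port]
    if any(e[0] == target for e in explicit):
        return None
    flag = "-m" if explicit else "-a"
    return f"semanage port {flag} -t {target} -p {proto} {port}"


def semanage_delete_command(port, proto="tcp", target="http_port_t"):
    """Remove a local port customization again (only locally added or
    modified records can be deleted; ports defined by the base policy cannot)."""
    return f"semanage port -d -t {target} -p {proto} {port}"


if __name__ == "__main__":
    entries = parse_port_list(SEMANAGE_PORT_LIST)
    for port in (80, 90, 999, 12345):
        print(port, port_type(entries, "tcp", port), httpd_may_bind(entries, port))
    print(semanage_add_command(entries, 999))
    print(semanage_delete_command(999))
```

Against a real system, replace SEMANAGE_PORT_LIST with the output of semanage port -l. The -a form succeeds for a port covered only by the reserved/unreserved ranges, which is the situation of port 999 in Scenario 1; semanage port -d reverses it, and a port defined by the base policy cannot be deleted that way.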

Section 2 Checking and Restoring the SELinux Context

In SELinux, type enforcement is all about labels. Every process, file, directory and device on a SELinux system has a label (security context). If these labels are wrong for some reason, SELinux will not function properly and AVC denials will occur. To cope with this, the SELinux developers have provided several utilities that check and restore the default SELinux contexts. One of them is the command matchpathcon.

From the matchpathcon(8) man page: "matchpathcon queries the system policy and outputs the default security context associated with the file path." It can be used to check whether files and directories carry the contexts the policy expects. Use the man page to learn how to use it.

Perform the following to gain experience with this command.

Run touch /var/www/html/file{a,b,c}. This creates three files that inherit the httpd_sys_content_t type from the /var/www/html directory. Verify it with the tool you have just learned (matchpathcon, or ls -Z).

Run chcon -t samba_share_t /var/www/html/filea

Run chcon -t admin_home_t /var/www/html/fileb

Run ls -Z /var/www/html to view the changes.

Run /usr/sbin/matchpathcon -V /var/www/html/* and study the results.

You have now identified inconsistently labeled files in the /var/www/html/ directory. You can verify, by requesting the three files from the web server, that only filec is accessible to httpd.

Again, the question is how to resolve the inconsistent labels and let the Apache HTTP server access those files. You can relabel the files one by one, but the following command makes the job much easier when a great number of files are mislabeled:

/sbin/restorecon -v /var/www/html/*

Run the above command and test its effect.


You may object: why bother running matchpathcon to identify the wrong labels first, when restorecon restores the default context anyway? Again, I leave this question to you. (It helps to identify the problems before trying to resolve them; restorecon -n -v, for instance, only reports what it would change without touching any file.)

Remove the files (filea, fileb, filec) from the /var/www/html/ folder.

Scenario 2

A web programmer has created three files (file1, file2, file3) in his home directory (/home/student/lab10/). He wants to link them from the web page. You have done the following:

mv /home/student/lab10/file* /var/www/html/

Then you create two files (index.html, secret) in your own directory (/root/lab10). You know that index.html is for the web page, while secret contains confidential data and must not be exposed. When the files have been created, you move them as follows:

mv /root/lab10/* /var/www/html/

Then you ask the web programmer to test the result.

Question 2: Perform the tasks described in Scenario 2 as the web programmer and as the root user. What will the web programmer report when he tests the result? If the web programmer has a problem, fix it as the system administrator so that httpd can access the files. Use screenshots to demonstrate your work and the results. Note that, for security, as the system administrator you do not want to expose any confidential data (the secret file) to anybody.
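As an added example (not the handout's own material), the Python script below models what matchpathcon and restorecon decide for the files in the practice above and in Scenario 2. It uses a constructed subset of file_contexts entries and a constructed set of current labels in which filea and fileb carry the chcon'ed types, while file1 and secret carry the user_home_t and admin_home_t labels they keep when mv moves them (mv preserves a file's SELinux context; cp creates a new file that takes the destination directory's default). The regex list, the customizable-types set and the label state are assumptions for illustration; on the VM the real data comes from /etc/selinux/targeted/contexts/files/ and ls -Z.

```python
"""Model what matchpathcon and restorecon decide for a set of paths."""
import re

# Constructed subset of the targeted policy's file_contexts entries, in file
# order (real ones: /etc/selinux/targeted/contexts/files/file_contexts*).
FILE_CONTEXTS = """\
/.*                          system_u:object_r:default_t:s0
/home/[^/]+/.*               unconfined_u:object_r:user_home_t:s0
/root(/.*)?                  system_u:object_r:admin_home_t:s0
/var/www(/.*)?               system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
"""

# Types restorecon leaves alone unless -F is given; constructed subset of
# /etc/selinux/targeted/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"public_content_t", "public_content_rw_t"}

# Constructed `ls -Z`-style state of /var/www/html after the chcon practice and
# the two mv commands of Scenario 2 (mv keeps the source file's label).
CURRENT_LABELS = {
    "/var/www/html/filea":  "unconfined_u:object_r:samba_share_t:s0",
    "/var/www/html/fileb":  "unconfined_u:object_r:admin_home_t:s0",
    "/var/www/html/filec":  "unconfined_u:object_r:httpd_sys_content_t:s0",
    "/var/www/html/file1":  "unconfined_u:object_r:user_home_t:s0",
    "/var/www/html/secret": "unconfined_u:object_r:admin_home_t:s0",
    "/var/www/html/pub":    "unconfined_u:object_r:public_content_t:s0",
}


def parse_file_contexts(text):
    """(compiled regex, context) pairs; the optional file-type field
    (--, -d, ...) of real entries is not modelled here."""
    specs = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            regex, context = line.split()
            specs.append((re.compile(regex + r"\Z"), context))
    return specs


def matchpathcon(specs, path):
    """Default context for `path`. libselinux scans the specs from the end,
    so the last matching entry wins; that is why file_contexts.local, which
    is appended after the base file, overrides it."""
    for regex, context in reversed(specs):
        if regex.match(path):
            return context
    return None


def type_of(context):
    return context.split(":")[2]


def restorecon_plan(specs, current, force=False):
    """What `restorecon -v` would change: [(path, old, new)].

    Without -F only the type field is compared and files whose current type
    is customizable are skipped; with -F the whole context is reset.
    """
    changes = []
    for path, ctx in sorted(current.items()):
        default = matchpathcon(specs, path)
        if default is None:
            continue
        if force:
            if ctx == default:
                continue
            new = default
        else:
            if type_of(ctx) in CUSTOMIZABLE_TYPES or type_of(ctx) == type_of(default):
                continue
            user, role, _, mls = ctx.split(":", 3)   # keep user/role/range
            new = ":".join((user, role, type_of(default), mls))
        changes.append((path, ctx, new))
    return changes


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for path in CURRENT_LABELS:
        print(f"{path}: default {matchpathcon(specs, path)}")
    for path, old, new in restorecon_plan(specs, CURRENT_LABELS):
        print(f"restorecon would relabel {path} from {old} to {new}")
```

Note what the plan says about secret: restorecon would relabel it httpd_sys_content_t and make it readable by httpd like everything else under /var/www/html, so the administrator has to move it out of the document root before relabeling, not after. restorecon -n -v shows the same plan on a real system without changing anything.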

So far we have worked with the existing SELinux policy without modifying it. How can we modify it? There are several ways, at different levels. The following sections look at some of the techniques that can be used to modify the policy.

Section 3 Booleans

Booleans allow parts of the SELinux policy to be changed at runtime, without writing any policy.

3.1 Listing Booleans

For a list of Booleans, an explanation of what each one does, and whether it is on or off, run the following command as the Linux root user:

semanage boolean -l


The screenshot in the handout shows part of the Boolean list on my computer.

The SELinux boolean column lists the Boolean names. The second column gives the current and default values. The Description column tells what each Boolean does.

The getsebool -a command lists the values of all Booleans. getsebool boolean-name gives the status of a single Boolean:

getsebool samba_run_unconfined

Give getsebool a space-separated list of names to query several Booleans at once.


3.2 Configuring Booleans

The setsebool command sets SELinux Boolean values. setsebool boolean-name x turns a Boolean on or off, where boolean-name is the name of the Boolean and x is 1, true or on to turn it on, or 0, false or off to turn it off. Use the -P option to make the change persist across reboots (without -P the setting is lost at the next reboot or policy reload). If the -N option is given, the policy on disk is not reloaded into the kernel.

Some Boolean changes are straightforward. For example, to allow the Apache HTTP Server to access Samba file systems (files labeled with the cifs_t type), simply run:

/usr/sbin/setsebool httpd_use_cifs on

To allow the Apache HTTP Server to access NFS file systems (files labeled with the nfs_t type), run:

/usr/sbin/setsebool httpd_use_nfs on

Others are not so apparent. In particular, it can be complex to prevent a service from accessing files of a certain type, because more than one Boolean may grant that access. A thorough study is usually needed before you actually know what to do. You will gain this experience in the following scenario.

Start with the following settings:

setsebool httpd_use_nfs=on httpd_enable_homedirs=on use_nfs_home_dirs=on

Scenario 3

You have the Apache HTTP Server (httpd) running on a Fedora 18 system with the SELinux targeted policy enforced. The system also serves files from an NFS mount. To secure your file system, you do not want the server to access files labeled with the nfs_t type. In addition, you want to test your configuration to make sure it works as expected.


Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use

screenshots to demonstrate your work and results. (Hint: study these three Booleans:

httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs)

Do you see the complexity of SELinux Booleans? Some Booleans are not orthogonal: they are related to each other, and different combinations of settings can produce or imply unexpected results.
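The script below is an added example, not from the handout, that shows why the three Booleans of Scenario 3 interact: it evaluates the conditional expressions attached to allow rules, in the shape sesearch reports them with a trailing [ expr ]:True annotation, against Boolean values parsed from getsebool -a output. The two conditional rules mirror the httpd_use_nfs and httpd_enable_homedirs && use_nfs_home_dirs tunables of the reference policy's apache module; the exact sesearch output format, the permission lists and the getsebool excerpt are constructed for the example.

```python
"""Decide whether a conditional allow rule is live under given Boolean values."""
import re

# Constructed lines in the shape of setools `sesearch -A -s httpd_t -t nfs_t
# -c file -p read` output (format is an assumption; the conditions mirror the
# httpd_use_nfs and httpd_enable_homedirs && use_nfs_home_dirs tunables).
SESEARCH_OUTPUT = """\
allow httpd_t nfs_t:file { getattr ioctl lock open read }; [ httpd_use_nfs ]:True
allow httpd_t nfs_t:file { getattr ioctl lock open read }; [ httpd_enable_homedirs && use_nfs_home_dirs ]:True
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
"""

# Constructed `getsebool -a` excerpt: httpd_use_nfs is off, the other two on.
GETSEBOOL_OUTPUT = """\
httpd_enable_homedirs --> on
httpd_use_nfs --> off
use_nfs_home_dirs --> on
"""

RULE_RE = re.compile(
    r"^allow (?P<src>\S+) (?P<tgt>\S+):(?P<cls>\S+) "
    r"(?:\{ (?P<perms>[^}]*) \}|(?P<perm>[^\s;]+));"
    r"(?: \[ (?P<cond>.*) \]:(?P<branch>True|False))?$")


def parse_getsebool(text):
    """{boolean name: True/False} from `name --> on|off` lines."""
    values = {}
    for line in text.splitlines():
        name, sep, state = line.partition(" --> ")
        if sep:
            values[name.strip()] = state.strip() == "on"
    return values


class _CondParser:
    """Recursive-descent evaluator for policy conditionals: !, &&, ||, ()."""

    def __init__(self, expr, values):
        self.toks = re.findall(r"&&|\|\||[!()]|\w+", expr)
        self.values, self.pos = values, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        value = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return value

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "||":
            self.take()
            rhs = self.and_expr()          # evaluate both sides, no short-circuit
            value = value or rhs
        return value

    def and_expr(self):
        value = self.not_expr()
        while self.peek() == "&&":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self):
        if self.peek() == "!":
            self.take()
            return not self.not_expr()
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        if tok is None or not re.fullmatch(r"\w+", tok):
            raise ValueError(f"unexpected token {tok!r}")
        return self.values[tok]          # KeyError for an unknown Boolean


def eval_cond(expr, booleans):
    return _CondParser(expr, booleans).parse()


def active_rules(sesearch_text, booleans):
    """Allow rules in effect: unconditional ones plus conditional ones whose
    branch matches the evaluated expression."""
    rules = []
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        cond, branch = m.group("cond"), m.group("branch")
        if cond is not None and eval_cond(cond, booleans) != (branch == "True"):
            continue
        perms = set((m.group("perms") or m.group("perm")).split())
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms, cond))
    return rules


def httpd_can_read_nfs(booleans):
    """Scenario 3 check: does any live rule grant httpd_t read on nfs_t files?"""
    return any(tgt == "nfs_t" and cls == "file" and "read" in perms
               for _, tgt, cls, perms, _ in active_rules(SESEARCH_OUTPUT, booleans))


if __name__ == "__main__":
    current = parse_getsebool(GETSEBOOL_OUTPUT)
    print("httpd_t may read nfs_t:", httpd_can_read_nfs(current))
```

With the constructed getsebool values, httpd_use_nfs is off yet httpd_t can still read nfs_t files, because the second rule is live. On the VM, sesearch -A -s httpd_t -t nfs_t -c file -p read (from setools) lists the real rules together with their conditions, and that is what the configuration for Scenario 3 has to be checked against.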

Section 4 The audit2allow command

SELinux denials are logged. The audit2allow utility generates SELinux policy allow rules from logs of denied operations.

4.1 Log files

SELinux denial messages are written to the /var/log/audit/audit.log file by default (the handout shows an example record in a screenshot):

In addition, if setroubleshootd is running, denial messages from /var/log/audit/audit.log are translated into an easier-to-read form and sent to /var/log/messages:

Denial messages go to different locations depending on which logging daemons are running on your system. Table 1 summarizes the usual cases on Fedora Linux systems.

Table 1 Log locations

Daemon                        Log location

auditd on                     /var/log/audit/audit.log

auditd off; rsyslogd on       /var/log/messages

auditd and rsyslogd on        /var/log/audit/audit.log; easier-to-read denial messages are also sent to /var/log/messages (by setroubleshootd)


View the log files on your computer and identify SELinux AVC denials. If you cannot see any, generate some (the practice in Sections 1 and 2 produces several).

4.2 Allowing access

The audit2allow utility is commonly used to generate SELinux policy allow rules from logs of denied operations. In SELinux, actions are denied by default; if you want an action to be allowed, an allow rule must exist in the SELinux policy. audit2allow makes writing such rules less laborious, but it must be used with care.

It works in two steps:

Generate allow rules for the logged denied operations.

Integrate (install) the rules into the SELinux policy.

As a system administrator, the most important things are to

understand why the operations were denied;

decide whether you actually want to allow them.

In most cases the denial is the intended behaviour, and the right fix is a correct label or a Boolean rather than a new allow rule.

Install audit2allow (on Fedora it is packaged in policycoreutils-python; yum resolves the file path to the package):

yum install /usr/bin/audit2allow

Use the man page to learn the audit2allow utility.

The following command tells you why each logged denial occurred (the -w option is the same as running audit2why; -a reads the audit log):

audit2allow -w -a

Run the above command and study the reasons why the denials occurred on your system.

The following command shows what allow rules would be needed to permit the denied accesses that are logged:

audit2allow -a

Run it to understand which rules would be required. Note that one allow rule may cover a great number of denials.


To turn the rules displayed by audit2allow -a into a custom module, run:

audit2allow -a -M myRule

The -M option writes a Type Enforcement file (myRule.te) with the given name in your current working directory, and also compiles it into a policy package (myRule.pp) that is ready to be loaded with semodule. The command prints the semodule -i command needed to install the package, as the handout's screenshot shows:

Should you simply follow that instruction and install your custom SELinux module? Things are not so simple. Before you install the module, study the allow rules carefully to make sure they are really what you want. For example, the handout's next screenshot shows some of the allow rules generated on my computer.


Do I need the allow rules in the httpd_t section? Those denials were generated while deliberately misconfiguring the Apache HTTP Server in the earlier sections, so installing rules for them makes no sense. This is the homework you need to do before integrating any allow rules: you do not want to weaken your system with allow rules of your own. Otherwise, why bother running SELinux at all?

Use the audit2allow man page to learn how to generate a policy package and install it. Examples are at the bottom of the man page.
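The Python script below is an added example (not the handout's, and not audit2allow's own code) that does in miniature what audit2allow -a -M does and then applies the review the text asks for: it parses constructed AVC records in audit.log format, merges the denied permissions per (source type, target type, class), renders a .te module in the layout audit2allow writes, and flags rules that should not be installed because the real fix is a relabel (httpd_t reading user_home_t, admin_home_t or samba_share_t files) or a port definition (name_bind denials). The log lines, the set of "mislabeled content" types and the verdict texts are constructed for the example.

```python
"""A miniature audit2allow: turn AVC denials into a .te module and review it."""
import re
from collections import defaultdict

# Constructed records in /var/log/audit/audit.log format (timestamps, pids and
# inode numbers are made up); they correspond to the failures provoked in
# Sections 1 and 2 of this lab.
AUDIT_LOG = """\
type=AVC msg=audit(1373000001.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="filea" dev="dm-0" ino=3101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1373000001.102:202): avc:  denied  { open } for  pid=2101 comm="httpd" path="/var/www/html/filea" dev="dm-0" ino=3101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1373000002.500:203): avc:  denied  { name_bind } for  pid=2099 comm="httpd" src=90 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1373000003.700:204): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/secret" dev="dm-0" ino=3107 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1373000003.700:204): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*) \}.*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<cls>\S+)")

# Target types that, for a confined daemon, almost always mean the files were
# mv'ed or chcon'ed into place; the fix is a relabel, not an allow rule
# (assumption based on the cases in this lab).
MISLABELED_CONTENT = {"user_home_t", "admin_home_t", "samba_share_t",
                      "default_t", "unlabeled_t"}


def type_of(context):
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source type, target type, class, permissions) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scon"]), type_of(m["tcon"]), m["cls"],
                   set(m["perms"].split()))


def build_rules(denials):
    """Merge denials per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_te(rules, name="myRule"):
    """Type Enforcement source in the layout audit2allow -M writes."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
              for (src, tgt, cls), perms in sorted(rules.items())]
    return "\n".join(lines) + "\n"


def review(rules):
    """Verdict per rule; only 'candidate' rules belong in a module at all."""
    findings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt in MISLABELED_CONTENT:
            verdict = f"fix the label instead: restorecon -v the {tgt} files"
        elif cls in ("tcp_socket", "udp_socket") and "name_bind" in perms:
            verdict = "define the port instead: semanage port -a -t <type> -p <proto> <port>"
        else:
            verdict = "candidate: justify the access before semodule -i"
        findings.append(((src, tgt, cls), verdict))
    return findings


if __name__ == "__main__":
    rules = build_rules(parse_denials(AUDIT_LOG))
    print(render_te(rules))
    for key, verdict in review(rules):
        print(key, "->", verdict)
```

Fed a real audit.log, every rule still comes out as "candidate" unless it matches one of the two patterns; the point is that the only rules worth compiling (checkmodule, semodule_package) and loading with semodule -i are the ones you can justify after audit2allow -w -a has told you why the denial happened.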

Scenario 4

You have set up a web server that runs Fedora 18 Linux with the SELinux targeted policy enforced. Some users call the help desk reporting that they cannot download some of the files from the web page.

Question 4: Please describe the major steps you would like to take to fix the problem specified

in Scenario 4. Use screenshots to demonstrate your work and results.

Before you leave this section, refer to Dan Walsh's blog entry "Using audit2allow to build policy modules. Revisited." for further information about using audit2allow to build policy modules.

Note: the semodule -i command may not work on Fedora 18.

Section 5 The system-config-selinux and seinfo utilities

You may wonder how to view the types, policy modules, defined network ports and so on in the SELinux policy. Several tools serve this purpose.

One of them is seinfo, located in /usr/bin/ by default, which lets you query the components of a SELinux policy. The following command installs it:

yum install /usr/bin/seinfo

seinfo has the following general format:

seinfo [OPTIONS] [EXPRESSION] [POLICY …]

When POLICY is omitted, the policy currently loaded on the system is queried. For example, the following command displays the statistics of that policy (the handout shows the output in a screenshot):

seinfo --stats


Use the man page to learn how to use this tool.

Another useful SELinux tool is system-config-selinux, which has a GUI.

Install the utility:

yum install /usr/bin/system-config-selinux

The following command launches the GUI, which looks like the screenshot in the handout:

system-config-selinux

It can also be started from the menu: Administration => SELinux Management

Try the tool on your computer and explore it.

Scenario 5

You want to spend some time with the seinfo and system-config-selinux utilities to learn what they do and how to use them.

Question 5: Summarize the part that you thought was the most interesting when you conducted

the tasks specified in Scenario 5. Use screenshots to demonstrate.

The developer of the system-config-selinux tool wrote an article several years ago. The material is old and the current system-config-selinux has a different look, but it is good background. Interested? Read the article at the following link:

http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

The author recently updated his blog regarding the use of system-config-selinux on the current release. You may check it out at the following link:

http://danwalsh.livejournal.com/40350.html

Section 6 Bonus (4%)

Again, what you do for the bonus is not restricted, but it has to be related to SELinux, since that is the topic of this lab.

I hope this way of awarding the bonus raises your interest in the lab topic and gives you more freedom at the same time.

Do the following to earn the bonus for this lab. More extra points may be given if you can convince your instructor that you have done a significant amount of work on SELinux.

Work out a mini project of your choice based on what you have learned about SELinux so far.

Describe your mini project: motivation, design and technical contents.

Implement your mini project.

Question B1: What is your mini project about? Give a description of your project, including

motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers

to questions to show your implementation.

Survey Questions

Questions in this section will not be graded, but they make your suggestions and voice heard by your instructor.

GQ 1. What changes would you like to make to this lab?

GQ 2. How much time did you spend to finish this lab?

GQ 3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?

Well, you have completed another lab for this class. I hope you enjoyed doing it. Let your instructor know if you have any comments.


Answer Sheet

============================= Required Part ============================

Question 1: Summarize what you need to do to achieve the goal specified in Scenario 1. Attach screenshots to demonstrate your results.

Question 2: Perform the tasks described in Scenario 2 as the web programmer and as the root user. What will the web programmer report when he tests the result? If the web programmer has a problem, fix it as the system administrator so that httpd can access the files. Use screenshots to demonstrate your work and the results. Note that, for security, as the system administrator you do not want to expose any confidential data (the secret file) to anybody.

Question 3: Summarize what you need to do to achieve the goals specified in Scenario 3. Use

screenshots to demonstrate your work and results. (Hint: study these three Booleans:

httpd_use_nfs, httpd_enable_homedirs and use_nfs_home_dirs)

Question 4: Please describe the major steps you would like to take to fix the problem specified

in Scenario 4. Use screenshots to demonstrate your work and results.

Question 5: Summarize the part that you thought was the most interesting when you conducted

the tasks specified in Scenario 5. Use screenshots to demonstrate.

============================ Bonus Part (4%) ===========================

Question B1: What is your mini project about? Give a description of your project, including

motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and/or answers

to questions to show your implementation.


================================ Survey Part ===========================

GQ1. Would you like to make any changes to this lab?

GQ2. How long did it take you to complete this lab?

GQ3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?

