EX200 Red Hat Certified System Administrator RHCSA – SELinux
1. SELinux general talk part 1
Welcome all. Today I'm going to go ahead and begin a chapter on SELinux. First of all, my sincere apologies for getting it out this late. I have been ridiculously busy and I've also been sick, so my throat is absolutely killing me. If I cough somewhere along the way, and hopefully I won't, I'll see if I can cut it out. Anyway, first we're going to have a bit of an introductory video. I will do a bit of dry talking to explain what SELinux is, what it is not and what it is used for. A lot of people confuse it with different things: they think it's a firewall, or an antivirus system, something like that. It is neither of those two things. It is something completely different, and I don't want to go through the how-to videos before I actually explain what something is. If you feel like skipping it, that's always an option, but I would recommend that you don't skip the intro. So SELinux stands for Security-Enhanced Linux. It is an implementation of a mandatory access control (MAC) mechanism in the Linux kernel, a secondary check on access in addition to DAC. DAC stands for Discretionary Access Control, and that we have already done.
Maybe we haven't used that particular term, but here I will show it to you and it will be clear: ls -l. So you have these controls; this would be DAC. Based on these you control permissions, where the file owner has all the permissions. Even though it seems like the owner of this file, root, doesn't have permission to execute it, root, being the owner, can simply change the mode bits to give itself execute permission. With SELinux, if something is forbidden by policy, only the admins, the authorized accounts, can change the policy that forbids it; it's not something that any user can just do. Because in general, with DAC, any user who is the owner of a file or folder can do with that file or folder as they choose and please. And then you have the group permissions.
And then you have the world permissions. Now keep in mind that these DAC permissions are checked first, and only then is anything SELinux dictates checked. So these are checked first, and then the SELinux rules, policies actually, are applied, but we will talk about that soon enough; let's just continue ahead with SELinux. It was first created by the NSA, the National Security Agency, and then released as open source under the GPL. These days there's a lot of negative talk about the NSA and so on and so forth. However, there are quite a few good things that they have released, and SELinux is one of them. It is completely open source. It was first adopted by Red Hat and then by other distributions, other organizations and individuals who contributed to the development of SELinux. SELinux can enforce rules on files and processes in a Linux system, and on their actions, based on defined policies.
SELinux treats all files in a Linux system as objects, and processes, whether user or system generated, as subjects. So once again: SELinux treats files as objects, while processes, either user or system generated, are referred to as subjects. You have a good number of operating systems today, and then again different distributions of Linux, but in any case most operating systems rely on DAC. What we have learned thus far for access management in Linux is DAC. It is implemented such that any owner, as I stated, has complete control and can grant or revoke access to a user or process for the files in their ownership. For example, if a user were to set a file's permissions to world readable, they would lose all control over who is able to read that specific file. Everybody would be able to do it.
That is why SELinux is there: to provide fine-grained control over such things, because fine-grained control with DAC is simply not possible. To an extent it is doable, but on a larger scale, and for anything rather specific, it is not. Especially because an individual user can change the permissions on the files that they own, which, I don't know, makes sense on a desktop computer: you have a regular user and you have a root user, and as a regular user you want to mess around with the permissions on your own files, you want to do stuff, that's all fine and dandy. But imagine you're in a production environment: you don't want Steve from accounting downstairs changing the permissions in his home directory so that something he downloaded from the net becomes executable. That would be insane, because of course that could lead to the compromise of the system.
Let's say accounting, it doesn't really matter; let's say that his name is Steve. He would go into his home directory like this, into Downloads, and let's say he has downloaded something from the net. I've actually downloaded something from Upwork, probably their time tracking application, so this is a very nice example. Let's say Steve from accounting downstairs has downloaded this file, and you see it's read, write, nothing has execute permission. And let's say that this was some sort of an executable, not an RPM but something else, a script, and he is not able to run the script that he has downloaded from the net.
So what he does is try to run somescript.sh and he gets an error, not like mine, but rather that the file is not executable. Oh, whatever shall I do? chmod +x somescript.sh. And now that particular script is executable, and Steve from downstairs is able to run it, and God knows what's in it. It doesn't need to be a bash script, it can be something else; with a bash script you would at least be able to see what's in it. But this is a simple example. You could also do this via the GUI, and if they were to run it, you could put your system in jeopardy. With SELinux this is not possible; well, "not possible" is a strong word, you can always find a way, but in general it is very difficult or impossible.
Let's put it like that. With SELinux, a regular user changing the mode bits on a file does not override the policy; only the specific set of users that is authorized to change the policy, the admins, decides what is allowed. So you cannot have a rampage of users from the offices changing permissions on files and doing whatever it is that they wish with them. That's why it is fantastic: it takes away the regular user's ability to decide, just by changing permissions, what can be done with particular files, processes, et cetera, and it gives greater control to the admins, therefore enabling them to protect the system much better. We're also going to see now that with the ls command you can take a look at the SELinux context of a file. So SELinux adds MAC, mandatory access control, to the Linux kernel; it is enabled by default in CentOS, and it helps in enforcing security policies. We're going to see a context very soon. SELinux makes decisions on who can do what: which process can access which file, and do what with it. Let's put it like that. If you have SELinux configured in a proper fashion, this ensures that the system is secure in terms of access control, and it helps prevent privilege escalation. Secure in the sense that if any of your applications, any of your servers, was compromised, the attacker would remain confined to that particular service. So if they break into your web server, that attacker will only be able to do what the web server can do. They won't be able, for example, to access the home directory of some other user, because that is prevented by the default SELinux policy, pretty much without any configuration whatsoever.
That is by default. If you want to see the SELinux context for a particular file, or just for files, use the ls command again with -l and capital Z, ls -lZ, and press Enter. This is a lot different from plain ls -l: you have this extra field here. In this particular example SELinux shows a user, unconfined_u, and you have a role right next to it, then a type, which is the third part, and then the fourth part, which is the level. We don't really need to bother with that much, as it is not terribly important for you at this stage; at some advanced stage it will be important, but for the time being, not really. This information is used in order to make access control decisions.
So this information is used to make access control decisions alongside DAC. DAC is checked first, and then the SELinux context and policy. If something is not allowed by DAC, it is not going to get to the SELinux check, and even if it did, it would be of no consequence; the DAC denial stands. But if something is allowed by DAC and then prohibited by the SELinux policy, that something will again not happen. Hopefully you understand it now. If not, there is always a discussion section where I will be more than happy to help you out, or somebody will be there to help you out.
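The four-part context shown by ls -lZ is worth parsing properly rather than by eye. The following is an added example, not code from the course: a small POSIX shell script that splits a context into user, role, type and level, and pulls the context column out of ls -lZ lines. The sample ls -lZ lines are constructed for the example, not captured from a real host. One caveat it handles: the level field can itself contain colons under MCS (for instance s0-s0:c0.c1023), so the level is everything after the third colon rather than the fourth colon-separated field.

```shell
#!/bin/sh
# Added example: split an SELinux context (user:role:type:level) into its
# fields. The first three fields never contain ':', but the level can under
# MCS (e.g. "s0-s0:c0.c1023"), so the level is "everything after the third
# colon" rather than the result of splitting on every colon.
context_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Pull the context column out of one line of `ls -lZ` output. Column
# positions differ between coreutils versions (older ones omit size and
# date), so instead of counting columns we take the first token that has
# at least three colons; a timestamp such as 12:34 has only one.
context_from_ls_line() {
    for tok in $1; do
        case $tok in
            *:*:*:*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of `ls -lZ` output (not captured from a real host):
# mode bits, owner, group, context, file name.
SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 notes.txt
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-r--------. root root system_u:object_r:shadow_t:s0 shadow
drwxr-xr-x. root root system_u:object_r:bin_t:s0 bin'

# Print "type filename" for every sample line; with the targeted policy the
# type is the field almost every access decision is made on.
list_types() {
    printf '%s\n' "$SAMPLE_LS" | while read -r line; do
        ctx=$(context_from_ls_line "$line") || continue
        printf '%s %s\n' "$(context_field "$ctx" type)" "${line##* }"
    done
}

list_types
```

On a real box you would feed it `ls -lZ /some/dir` instead of SAMPLE_LS; the point of the token search is that the script keeps working whether or not the coreutils version prints size and date columns.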
If you fail to understand anything, feel free to ask. Anyway, there are Linux users and SELinux users. Linux users are mapped to SELinux users, and SELinux users are part of the SELinux policy. So the policy is inherited, let's say: Linux users inherit the SELinux policy of the SELinux user they are mapped to. Now, the advantages of running SELinux. All processes and files are labeled with a type. You can define that type as a domain in the context of processes and as a type in the context of files. Processes are separated from each other by running in their own domains, and SELinux policy rules define how processes can interact with files, as well as how one process can interact with another. So one process is only able to interact with another, or to access a certain file, if an SELinux policy rule exists that specifically allows something of the kind.
So Apache, for example, cannot access something from SSH, or certain portions of /etc. Apache would not be able to access /etc/passwd, not passwd, sorry, shadow. So Apache would not be able to access /etc/shadow, for example. Just giving a simple example here, and with the default targeted policy it is indeed the case: the httpd domain has no rule allowing it to read the shadow_t type.
So if a user came in through Apache, they are confined to what that server can do and access, and they will not be allowed to do anything else unless SELinux specifically allows it. This allows you to confine the attacks that hammer against the server: if the server is breached somewhere, it gives a good amount of containment and prevents privilege escalation, which is very important. It gives you fine-grained access control. It makes decisions based on information provided only by the administrators: it checks whether the policy requirements for an access are met and, based on the policy, allows or denies the action. It is also very nice because it creates log files, and these log files are amazing.
We will go through them later. Why? Well, they tell you when somebody has made an unauthorized access attempt. So if you can see in the log file that somebody is, time and time again, attempting unauthorized access to something, or attempting to execute something that they are not authorized to execute, or trying to do something they're not authorized to do, you obviously can see that there is something wrong.
There's something amiss. You can see whether that is coming from outside or from within the network. If it's coming from within the network and you're physically there, you can obviously go and confront the person, or you can shut them off completely from the network, et cetera. You can read through the logs and figure out what is happening, just like you troubleshoot anything by reading the logs and error messages. Now, I'm going to pause the intro here, and we're going to continue in a follow-up tutorial, as I am running a bit short on time.
2. SELinux general talk part 2
Welcome back. Okay, so what SELinux is not: it is not antivirus software, and it is not a replacement for strong passwords. You still need to use strong passwords. Just because you have some sort of interior protection does not mean that you can use passwords on your production networks such as, I don't know, let's say door123. You cannot use such weak passwords. SELinux is not a replacement for firewalls either. Of course you still need a proper firewall configuration, or any other security system for that matter. So you're not replacing anything, you're just adding to the existing infrastructure. It is definitely not an all-in-one solution. It works in combination with your firewall, with the general configuration of your network, with your passwords and with whatever other security systems you might have on your network or servers.
Now, it's not antivirus software in the sense that it doesn't search for or detect viruses; it doesn't go about searching for code which seems suspicious or something like that. It's just an access control system, so it does not scan for malware or anything like that. The only things it does are deny unauthorized access and log unauthorized access attempts; it's not going to scan for viruses. On Linux systems you don't generally need an antivirus (there are some wonderful open source ones), but generally sane, reasonable behavior will be far better protection for you than an antivirus. Next up, you see, it is designed to enhance the existing security systems or solutions. You don't use SELinux to replace any of them, and regardless of whether you are running SELinux or not,
you are to continue sound security practices, among others keeping your software up to date always, because people always find exploits, bugs, et cetera, so you need to keep it up to date to where those holes have been patched, so to say. Anyway, moving onwards. In the previous tutorials I instructed you to shut SELinux off. Why? Well, it's a chapter in and of itself and I needed to go over it. I didn't want to show you small portions of it in the previous sections without you understanding what they actually are, and we couldn't do those with SELinux on, because it would obviously have prevented a lot of things from being doable. That is why we're going to go ahead and enable it now. Before we do: SELinux is structured in such a way that it has three modes.
So it is a security module that is built into the Linux kernel. It uses policy-defined rules, the ones shipped with the policy and the ones the administrator of the system adds. As soon as some sort of access is made, say a process attempts to open a file or something like that, that particular operation is intercepted in the kernel by SELinux, and depending on the rules defined for that particular object, the operation is either allowed to continue or blocked. However, if it is blocked, keep in mind that the denial will be logged. So unauthorized attempts are logged, and in the log files you will be able to read them and inform yourself on the matter. There is another concept, and it is a utilized one, so just have it somewhere up there in your mind; you don't need to dig deep into it. It is about the way SELinux makes decisions.
So in order to expedite the process, in order not to create a lot of overhead, to have a fast functioning system: when something is done, SELinux needs to go and check the policy and then decide whether to allow it or not. Well, those decisions are cached, and this cache is known as the Access Vector Cache, AVC, a term you should know. You don't need to go digging really deep into it at this point in time, but you should know about it. When using these cached decisions, the policy rules need to be consulted less, so less checking needs to be done and faster decisions can be made, leading to better overall performance. Regardless of a decision being cached or not, the DAC rules are always the first ones to be looked at. If there is a denial there, it's not going to work anyway.
Let's have a look at the three modes of SELinux. Just pulling up my chair. So, the three modes of SELinux: in our terminal we're going to go ahead and type in vim /etc/selinux/config. We have already seen this file, and you have enforcing, permissive and disabled. Enforcing means the given set of security policies is being enforced: if something is not allowed, it will not happen. That is enforcing mode. Then you have permissive mode, where regardless of something being allowed or not allowed, it will still be doable, it will still be possible, because the SELinux policy is not enforced at all. The only thing that will happen, and it says here "SELinux prints warnings instead of enforcing", is that in reality it writes to the log files.
So if there is an attempt at unauthorized access, it's going to allow it, but it will log the attempt anyway, like it would log it in enforcing mode; except that in enforcing mode it would also enforce the policy and would not allow the unauthorized access to occur. And then you have disabled, down below. Disabled means that SELinux is simply non-functional, it's not even loaded. However, you cannot enable or disable SELinux while the machine is running; that does not exist. You can only reboot the machine and boot it with SELinux functional or not functional at all. But what you can do, for the sake of troubleshooting, is switch between enforcing and permissive while the system is running. So even though you are not shutting SELinux off, you're just putting it in a different mode: the two modes, enforcing and permissive, are interchangeable while the system is running, while for disabled you actually need to reboot the machine.
So at this point in time, most likely for you, instead of enforcing it will say disabled. And since I'm using vim, I'm going to press i to enter insert mode; hopefully you know this by now. Let's say that it says disabled here instead of enforcing. By the way, typing these values in by hand is a really bad practice. If you have them up above in the comments, just go ahead and copy and paste them. It will save you a lot of time and nerves, because sometimes a person mistypes, misses a letter or something like that. You're only human after all. Or maybe you're not, I don't know. But I'm pretty sure that I'm only human.
So go ahead and copy this to save yourself problems. Let's delete the old value. Ctrl+Shift+V is paste and Ctrl+Shift+C is copy in the terminal. Then I'm going to save it by pressing Escape. The rest are commands issued to vim: the colon is not a command itself, it enters command mode. So Escape, colon to enter command mode, and then wq to write the changes to the file and quit out of the program.
At this point in time, what you are going to do is type in reboot and press Enter. We're just going to wait for the system to reboot so that we have SELinux up and running, because as I said, you cannot change between enforcing and disabled while the system is running. You change the config file and reboot, and then the changes actually take effect; without the reboot, forget about it, it's not going to happen at all. By the way, when SELinux is disabled only the DAC rules are applied and used, so the ones that we set with chmod; only those would be applied, nothing else, as SELinux wouldn't be functional at all. I do believe that they are relatively good for home use and can satisfy pretty much all the demands of a desktop user, or somebody in their own house, but not of a production server.
On a production server you really need tighter enforcement and more refined control. So let's go ahead and log in. You can see that my password here is really short; this is a really bad practice, but this is a VM that I use only for Udemy and for Udemy alone, nothing else. Maybe I test a thing or two from time to time, but oh well. Okay, so let's go back into the terminal; don't need this, give me the terminal, that is what I want, please. Thank you. Go ahead and expand this, and I would like slightly bigger letters, for you all to be able to see and for myself. So one of the first commands we are going to use, well, not the first one, is the setenforce utility, which changes between enforcing and permissive mode. These sorts of changes will not persist through a reboot, so keep that in mind. These are temporary changes for the current session.
Once the session has expired, in the sense that you reboot the machine or the machine turns off for whatever reason, this change will not persist. The system will use the config file, and that is how it shall be, depending on what you have defined or specified there. Now, aside from setenforce, we have getenforce, which checks, or verifies, the status of SELinux. If we just type in getenforce and press Enter, you can see that the system is in enforcing mode. Please verify this: type in getenforce after this reboot, and if it says anything other than Enforcing here, you've done something wrong. So go back and revise the steps and see where you have made an error. Please do that, because without this saying Enforcing you won't be able to follow this tutorial through. The other command I just mentioned is setenforce. setenforce has basically two ways of doing it: you can change between permissive and enforcing mode using numbers or using the words. So type in setenforce Enforcing. It says failed. I'm going to give you 2 seconds, or pause the video, and realize why it failed. So type in su, let's become root. We need to do this as root: not anybody can change SELinux modes or policies, not even for themselves. So a user cannot edit the SELinux policy for herself or himself; that does not work. You need administrative privileges to be able to do that.
So, as root, setenforce again. You can type in setenforce Enforcing or setenforce Permissive, or, so as not to mistype, you can also use numbers, as I said. There we go. And if we type in getenforce, you can see that we are now in permissive mode. But we can also use it like this, and this is a lot simpler: setenforce 1 is enforcing and setenforce 0 is permissive. There we go. So setenforce 1 to return it to enforcing, as I do not want it to remain in permissive mode. In addition to this we also have SELinux users, and you can list the mappings with semanage login -l. There we go. A lot of these things are self-explanatory. You have the Login Name column, which lists Linux users; you can see that root is there. The SELinux User column, the next one, lists which SELinux user each Linux user is mapped to. Let's put it like that.
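The distinction between the runtime mode (setenforce/getenforce) and the persistent mode (/etc/selinux/config) is the thing people trip over: a setenforce 0 left behind during troubleshooting survives until the next reboot, and a config edit does nothing until you reboot. The following is an added example, not part of the course: a POSIX shell script that reads the configured mode from a config file, normalises a setenforce-style argument, refuses "disabled" as a runtime target, and reports drift between running and configured mode. The config file it reads is constructed inline for the example; on a real system you would point it at /etc/selinux/config and pass "$(getenforce)" as the running mode.

```shell
#!/bin/sh
# Added example: read the persistent mode from a file in the format of
# /etc/selinux/config. Only an uncommented "SELINUX=" line counts; the
# comment block above it mentions all three mode names, so the grep anchors
# on the start of the line (and "^SELINUX=" does not match SELINUXTYPE=).
configured_mode() {
    cfg=$1
    mode=$(grep -E '^SELINUX=' "$cfg" 2>/dev/null | tail -n 1 | cut -d= -f2 | tr -d ' \t\r')
    case $mode in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        '')  printf 'unset\n'; return 1 ;;
        *)   printf 'invalid:%s\n' "$mode"; return 1 ;;
    esac
}

# Map an argument the way setenforce accepts it (1/0 or Enforcing/Permissive,
# any case) to a mode name. "disabled" is rejected on purpose: setenforce
# cannot turn SELinux off; that takes the config file and a reboot.
setenforce_target() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|enforcing)  printf 'enforcing\n' ;;
        0|permissive) printf 'permissive\n' ;;
        *)            printf 'invalid\n'; return 1 ;;
    esac
}

# Compare the running mode with the configured one, to catch a setenforce 0
# that was forgotten or a config edit that has not been rebooted into yet.
# The running mode is passed as $2 so this also runs on a host without
# SELinux; on a real system call: mode_drift /etc/selinux/config "$(getenforce)"
mode_drift() {
    configured=$(configured_mode "$1") || return 1
    running=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$configured" = "$running" ]; then
        printf 'in-sync:%s\n' "$configured"
    else
        printf 'drift:running=%s configured=%s\n' "$running" "$configured"
        return 2
    fi
}

# Constructed sample config (same layout as /etc/selinux/config, written
# here for the example, not copied from a host).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

configured_mode "$SAMPLE_CFG"                                   # enforcing
setenforce_target 0                                             # permissive
setenforce_target Disabled || echo 'refused: edit the config file and reboot'
mode_drift "$SAMPLE_CFG" Permissive || echo 'running mode differs from the config file'
```

The drift check is the part worth keeping around: run it from a cron job or a login script on production hosts and you will notice a box that was left permissive before anyone has to read an AVC log to find out.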
The next column, MLS/MCS Range, is not terribly important for us at the moment. That is multi-level security, MLS, and multi-category security, MCS. We're not going to go terribly into depth there. The Service column determines the SELinux context the Linux user gets when logging into the system through that service, and the asterisk is the default, which stands for any service. So root is here for any service.
You can do whatever you want as root, you can go nuts if you wish, but yeah, be careful when using root, of course. So now let's take a look at ls -lZ one more time. Just to reiterate before I go ahead and start explaining it: this is the user, this is the role, this is the type, and then you have the level again, which we're going to, I wouldn't say skip, but not pay that much attention to. I've just explained what the first portion is with the previous command: that is the SELinux user, what it is and how it is defined. Let's put it like that. But then you have the SELinux role, which is part of role-based access control, RBAC.
That is the security model. You should be familiar with that name and with that abbreviation; you will find it mentioned quite often throughout the literature. The role is basically an attribute of that model. SELinux users are authorized for certain roles, and roles themselves are authorized for domains. The role serves as an intermediary between a domain and the SELinux user: the roles a user can enter determine which domains can be entered.
So I know that this is a little bit complicated when I'm saying it like this, but let me try to put it in simpler terms. You have a role of some sort and you have a domain, and a certain role is authorized for a certain domain. The Apache web server will have its own domain, and the service will have its role, so it's only able to do certain things within that domain. It cannot do things in the domain of an FTP server or an SSH server, or something like that, unless there is a policy for it. Moving from one domain into another is called a domain transition, and transitions need to be specifically allowed by the SELinux policy. So, as I said, if somebody breaks into your FTP server, they're going to remain confined to the FTP server.
They're not going to be able to roam around the system as they choose and please. So it serves as prevention of privilege escalation. Now, an SELinux type is an attribute of type enforcement, or TE, as it is commonly referred to. The type defines a domain for a process and a type for files. SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain.
But in any case, access is only allowed if a specific SELinux policy rule exists that allows something of the kind to happen. And I'm trying to explain it all at least twice. I know that a lot of it is unclear, believe me, I do. But when we get to the clear examples and application, when we apply this in action, it will become a lot clearer, and we're going to go ahead and skip the level. I've just told you what a domain transition is; in the follow-up lecture I'm going to try to do an example of a domain transition, and hopefully that will make it a little bit clearer. Later on, we will mess around with this a bit more, but for now I have to cut the tutorial, because I am limited in terms of time.
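The semanage login -l table explained above has one rule that is easy to miss when reading it by eye: a Linux user who is not listed explicitly gets the SELinux user of the __default__ entry, and a user can be listed more than once with different Service values, in which case the exact service match wins over the "*" row. The following is an added example, not part of the course: a POSIX shell function that resolves a Linux login (and optionally a PAM service name) to its SELinux user and MLS/MCS range from a table in the format semanage login -l prints. The table is constructed for the example; the __default__, root and system_u rows match the stock targeted-policy mappings, while the two "steve" rows are hypothetical and only there to show the per-service override.

```shell
#!/bin/sh
# Added example: resolve which SELinux user a Linux login is mapped to, using
# a table in the format printed by `semanage login -l`. Logins not listed
# explicitly fall back to the __default__ entry, and a login may appear more
# than once with different Service values (a PAM service name, or "*" for any
# service), so the lookup takes a service and prefers an exact service match
# over the "*" row. The table is constructed for the example; the "steve"
# rows are hypothetical.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
steve                user_u               s0                   *
steve                staff_u              s0-s0:c0.c1023       sshd
system_u             system_u             s0-s0:c0.c1023       *'

# Print "selinux_user range" for a login/service pair; fail if neither the
# login nor a __default__ entry exists in the table.
selinux_user_for() {
    login=$1
    service=${2:-*}
    printf '%s\n' "$SAMPLE_LOGINS" | awk -v login="$login" -v svc="$service" '
        NR == 1 || NF < 4 { next }                  # skip header and blank lines
        $1 == login && $4 == svc { exact = $2 " " $3 }
        $1 == login && $4 == "*" { any = $2 " " $3 }
        $1 == "__default__"      { dflt = $2 " " $3 }
        END {
            if (exact != "") print exact
            else if (any != "") print any
            else if (dflt != "") print dflt
            else exit 1
        }'
}

selinux_user_for root            # unconfined_u s0-s0:c0.c1023
selinux_user_for steve           # user_u s0
selinux_user_for steve sshd      # staff_u s0-s0:c0.c1023
selinux_user_for alice           # unconfined_u s0-s0:c0.c1023 (falls back to __default__)
```

To use it against a live system, replace SAMPLE_LOGINS with the output of `semanage login -l`. The fallback line is the one to pay attention to when hardening: as long as __default__ maps to unconfined_u, every account you have not mapped explicitly logs in unconfined, whatever role names the rest of the table suggests.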