Unit 4 - SELinux
Last Update Unknown
SELinux Administration
Question 1: Global Settings
Use the getenforce administrative command. What is the current setting?
What is the absolute pathname to the selinux directory in /sys?
How does the information from getenforce compare to the related enforce status value stored in /sys?
How many files and directories are actually in the top level of the SELinux directory in /sys?
Question 2: Basic Labels
Locate the syslog daemon (called rsyslogd). What is the full true pathname?
What is the SELinux label of this executable rsyslogd file?
| User | Role | Type | Sensitivity |
|---|---|---|---|
| system_u | object_r | syslogd_exec_t | s0 |
The daemon rsyslogd uses /etc/rsyslog.conf as its configuration file. What is the SELinux label of the rsyslogd configuration file?
| User | Role | Type | Sensitivity |
|---|---|---|---|
| system_u | object_r | syslog_conf_t | s0 |
Given that rsyslogd is currently running, what is the label of the process? Use the list of running processes to discover this.
| User | Role | Type | Sensitivity |
|---|---|---|---|
| system_u | system_r | syslogd_t | s0 |
Question 3: Port Rules
Question 4: Process Transitions
Locate the Network Manager daemon (called NetworkManager). What is the full true pathname?
Given that NetworkManager is currently running, what is the label of the process? Use the list of running processes to discover this.
| User | Role | Type | Sensitivity |
|---|---|---|---|
| system_u | system_r | NetworkManager_t | s0 |
| User | Role | Type | Sensitivity |
|---|---|---|---|
| system_u | object_r | NetworkManager_initrc_exec_t | s0 |
SELinux Usage
Question 1: Basic Labelling
Create two directories in /root, "secure" and "protect". Set the SELinux type of secure to system_conf_t, and set the type of protect to etc_t.
Create a file called "test1" in secure, and "test2" in protect. Look at the types of these files. How do the types of these new files get decided?
Copy test1 to protect/test3. What happens to the test3 type in comparison to test1?
Rename secure/test1 to protect/test4. What happens to the test4 type in comparison to the type test1 was when it was in secure (system_conf_t)?
Use matchpathcon to find the type which would be set if you ran restorecon on protect/test2. Save the output of matchpathcon to /root/match1. What type would be set if you did run restorecon?
Use semanage to list all of the fcontext entries, grepping the list for those which start with /root. Grep through this for the restorecon type from the previous question. This should reduce the list to just one regular expression, i.e. the one which matchpathcon used to produce the answer above. What is that expression?
Add a rule to semanage fcontext so that any files in /root/ which end with .bin will be set to type bin_t. Create a file /root/test.bin and do a restorecon on that file to confirm it takes on bin_t.
Question 2: Boolean Control
In this section we will practice accessing and using an SELinux boolean.
There is a boolean called httpd_tmp_exec. Is the boolean on or off?
Change the boolean called httpd_tmp_exec to on.
Find out all allow rules which are switched on by setting this boolean to on. Save the output of sesearch to /root/boolrule. When you search, find all rules, unrestricted by source types.
Question 3: Auditing
A mislabelling error for httpd causes an event when httpd is started with systemctl.
Save the AVC event to /root/event, making sure only the AVC event is saved, and there is only 1 AVC line.
Use the inode information from the event. What is the full pathname of the directory in the event?
Use restorecon on that single directory to fix the label. Confirm that httpd now starts.
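An added helper script for this auditing exercise (not part of the original lab): it filters the AVC record out of audit output, pulls the fields needed from it, and resolves the inode to a path so restorecon can be run on the mislabelled directory. The audit text inside it is a constructed sample, and `inode_to_path` assumes the device name in the record corresponds to /dev/<name>.

```shell
#!/bin/sh
# Helpers for the auditing exercise: keep only the AVC record, extract the
# fields that identify the mislabelled object, and map the inode to a path.

# Constructed sample (not from a real host): one SYSCALL record followed by
# the AVC record, in the format ausearch and audit.log emit.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="html" dev="dm-0" ino=131078 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=0'

# avc_only: keep just the AVC records from audit output on stdin
# (what "only the AVC event is saved" asks for).
avc_only() {
    grep '^type=AVC '
}

# avc_field LINE KEY: value of KEY=... in one record, quotes removed.
# Values are split on whitespace, so a quoted name with spaces is not handled.
avc_field() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# label_part LABEL N: Nth field of user:role:type:sensitivity (1-4).
label_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# inode_to_path DEV INO: locate the object on the device named in the record.
# Only meaningful on the audited host; assumes dev="dm-0" means /dev/dm-0.
inode_to_path() {
    mnt=$(findmnt -n -o TARGET "/dev/$1" 2>/dev/null | head -n 1)
    find "${mnt:-/}" -xdev -inum "$2" -print 2>/dev/null | head -n 1
}

# Demo on the constructed sample: isolate the AVC line and show its key fields.
avc_line=$(printf '%s\n' "$SAMPLE_AUDIT" | avc_only)
printf 'AVC records: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | avc_only | wc -l)"
printf 'source type: %s\n' "$(label_part "$(avc_field "$avc_line" scontext)" 3)"
printf 'target type: %s\n' "$(label_part "$(avc_field "$avc_line" tcontext)" 3)"
printf 'dev/inode:   %s/%s\n' "$(avc_field "$avc_line" dev)" "$(avc_field "$avc_line" ino)"
# On the real host: restorecon -v "$(inode_to_path dm-0 131078)" && systemctl start httpd
```

On a live system, replace SAMPLE_AUDIT with the output of `ausearch -m AVC -ts recent` and pass the dev and ino values you extract to `inode_to_path` before running restorecon.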