EX200 Red Hat Certified System Administrator RHCSA – SELinux Part 3

5. SELinux and Apache part 2

Welcome back. Now, all that we have done so far pretty much deals with confined, with processes that run in confined domains. But what happens when you have a process that is running in an unconfined domain? Well, I don’t know. The services that are executed by in it, they end up running in unconfined underlined service underlined T domain. Some of them which are run by unconfined Linux users. They will most likely run in an unconfined underlying T domain. You have the ones that are executed that end up running in the kernel underlined T domain. Those are services executed by the kernel. Now there’s a pretty big problem here because if there is a process which is running in an unconfined domain, its primary fallback are the DAC rules.

And if such a process were to be compromised, the Se Linux will do nothing, literally nothing. This is one of the most clear cases where you realize that Selenx is really not a standalone solution, that it does heavily rely on the existing security mechanisms which are on your system, namely DAC in this matter. Next up, I’m going to go ahead and demonstrate how Apache can access data intended for use by someone else by some other process. Really. We are going to relabel the two files. One of the files will be the executable for Apache and the second one will be a file within the Apache folder that has been relabeled that I have demonstrated in the previous tutorial. I mean, you cannot access it if you give it a wrong label.

So Se Linux will definitely prevent you from doing so. But let’s see what happens when we mess around with the permissions of a web server and when we give it a label which most executables so that it can actually run most executables. Now, how shall we do this? First off, we need to go ahead and go into this directory VARs. Look at me. The file is still there.

And if I do LSpace set, you can see that the file has been relabeled. If you don’t know how to do this, go back to the previous tutorial and I will show you a command there. If you’re lazy and don’t feel like it and you have skipped something, no big deal. Let me just show you the command quickly. Anyway, just type in Chcond and then we’re going to need this. Let’s put it there. Show me. And then all we need to do is specify the file path. You don’t need to specify the full path, obviously if you’re in the folder.

But I’m going to do it anyway. Look at me. There you go. So this is all you would need to do and that would be it. There is a way of restoring this as well to its default value. So you don’t actually need to remember what was here before you changed it. Generally, if there is something custom made or something like that, you should, but you can restore it to its default value with a command restore con. We will deal with that in a moment once we’re done with this.

It’s fairly simple, no big deal. These changes will not persist through a reboot anyway, so no worries there. Second thing you need to do is check the status of your Apache server. See, I’ve actually used restorecon, so status Kslinx is denying some things or has denied it says loaded and loaded, okay, below active, inactive, dead. So it is dead. This process is dead. Let’s keep it that way. No need to change anything. But if in case it is not, you would need to type in the following command. So it says stop. There we go. So you would need to type in system CTL, space, stop, space, Httpd service, and that would effectively stop the service from running.

Now the next file which we’re going to mess around with is this is a bit dangerous to do. So please don’t do this in a production network. Don’t do this in a front facing server or anything like that. Have a virtual machine that you’re going to use, where you can feel safe, where you can do pretty much whatever you want. What I’m about to do, just don’t do it in a production network. Don’t do it on a server that has outside access to the Internet or something like that. Just don’t. If you do, I mean, seriously, why would you do that? That’s all I have to say on that matter. What I’m about to do is, in terms of SELinux, give Apache service a very broad authority across the system. It will be able to run executables on the system. It will be able to run things that executables on the system can run, which gives it a huge spectrum of possibilities. Well, not all, but it still gives it a fairly broad spectrum of possibilities. So if we use the ch con command again to relabel sorry. Bin underline D, lots of confined domains, they are allowed to execute bin underlined T files.

And most executables on the system are labeled with bin underline T. So you will be able to run a lot so the Apache web server will be able to run a lot of executables. This is pretty bad. But as I said, don’t do this somewhere where you can actually cause problems for yourself, where you can cause a headache for yourself. Just do it in a virtual machine in your own safe environment, where you feel safe, where no harm can occur, but don’t do it elsewhere anyway. So chcon space T space, bin underline T, space USR. And there we go. So just go ahead and press Enter and we have successfully changed it. Now if we want to revert it back, well, no big deal. You can type in Rest or restore con and then give it this path. I’m just going to go ahead and copy the path, so I don’t need to type it in again. Control shift. C control shift. We press Enter. And I’m going to do LS Space set. Paste the path again. And take a look at this. It’s http the underlying exec underline D. But if we do this and then list it up again, it’s been underline T, so you can use where is it? Where is it? Lschcon. There we go. So restorecon, you can use restorecon to basically return the default label. But these changes won’t persist through a reboot anyway. So if you are uncertain, if you’ve changed something or something like that, just reboot the system and you should be fine without any sort of worries or troubles. Okay, now that we have done this, do you remember from the previous tutorial how this sorry, how this file could not be pulled because we have relabeled it here. So there’s no way we could have pulled it because of this sort of relabeling. To prove it to you, let me just well, I’m going to prove it to you in a moment. But now the download will go without any problems. So let’s go ahead and clear the screen. And let’s first off, will demonstrate that we cannot download it without enacting changes. Where is it? There we go.

So I’m going to do a restore here, get any two terminals for this and there you go. I’ve already attempted down below. Excellent. So let’s go ahead and attempt this. Download failed. Connection refused. Okay, this is not a sealing exponent. Sorry. This is Apache problem system CTL start. Actually, it’s not an Apache problem. It’s my problem because I didn’t start the service. Let’s attempt to pull it says Error 434 bidden. No way. Doesn’t want to set. But if we do this, store con, look at me. And we can do a set again. If the label is proper, we can go ahead and attempt to download one more time and voila. It has actually managed to download the file without any problems whatsoever. So let me just go ahead and remove the file here. Let’s go back here and type in chcond because we want to mislabel the file again and make it impossible to download. Just demonstrate how Apache will work when it is unconfined, when it is less confined. Would be more proper to state which label did I give it underline share underline T. And we’re going to type in look at me. So now we have relabeled it down below. Is it going to do it? No, it’s going to give us forbidden. Okay, no problems. So up above, we’re going to do let’s clear the screen down below first.

Up above, we’re going to go ahead and shut the Apache down. So systemctl stop. Httpd service has been stopped. Now we need to just find the command because I really don’t feel like typing in it again. There we go. So chcon and we’re going to give it the ability to run executables files which executables can run. So chcon underlined Bin, underline T and then the paths of the executable. Now that we have done this we’re going to start the server again. So start and down below we can attempt to pull the file from the server again. Well actually a good practice would be to read the status. Status, okay. So that’s really fine that a lot of things won’t be working fine. Well, but it says active active running. Actually they are working just fine and let’s try to pull the file again. Now you know that it has been mislabeled. Yes, there we go. So you know that it’s been mislabeled and you know that Aclinux cannot will not allow this to occur. But look now Apache, apache service is running in a completely different domain and this is not good. This is not good at all. In fact, look, you can take a look at it up here. The download will of course pass through because there is nothing to prevent it due to the mislabeling. And we’re going to do the graph httpd where is it? I’ll just expand it a little bit further. Okay.

So you can see that it is running unconfined underline service underline T which is a huge problem as now it can do a lot and I mean a lot on the system. This is just a demonstration of what a misconfiguration can lead to. So if I try to download this file for a center you can see that the download has passed without any problems. It says look at me. Why has the download passed? Because Apache web service is now running apache web server is now running in an unconfined domain and it has a greater allowance and pretty much no control. But it is falling back to the DAC rules. So if we do LS shell it is falling back to these rules here which is a major problem. Now this is world readable therefore I as anyone can come have a look at it and the download has passed without any sort of problems whatsoever. Now you might wonder well you’ve given us a really simple example what does it matter if somebody downloads a file from the net? Well, you might not see the obvious problem with it but here’s one of the vulnerabilities that has been utilized actually last year or the year before that I’m not actually sure. Look at it whichever way you want utilized or discovered basically you could download a file from a router and this is common case really this happens with a lot of cheap routers which are issued by the ISP providers. You could basically download the etsy shadow file from the router remotely without any sort of authentication of whatsoever. That is what misconfiguration can lead to. So people would go, they would download an etsy shadow file and they would be able to decrypt the password later on because the passwords.

They are not too complex to begin with. So the hash can be broken. But they can pull very sensitive information from the system with this sort of download if things are not configured properly. Now please, before I wrap this tutorial up or demonstration, sure, we wish to refer to it. You can run restore con if you like. But I would ask you all at this point of time yes, sure, fine. Let’s just type in Restoreconusr. Wait, wait. This is non root user and I need to stop the service first. System CTL stop httpd service there we go. So it stopped. Now we need to type in restorcon USR. Okay, now we have done that. But I would like to ask you all politely to type in reboot and actually reboot the machine. See, I’m doing it. And I’m asking you nicely for all of you, I’m actually begging you, just go ahead and do it, just in case. So that we don’t have our Apache web service running unconfined, running a mock like this. And with that, I would like to wrap up this tutorial. We will continue onwards in the next one where we shall deal with some others things as well.

6. SELinux and Apache part 3

Welcome back. Now we’re going to go ahead now I’m going to go ahead and talk a little bit about booleans, namely Se Linux booleans. So they allow you to alter Se Linux policy at Runtime. So you don’t need a lot of knowledge about in terms of Se Linux policy creation. That is the key. Those are the two key features in regard to the Se Linux booleans. First one is that you can alter the existing policy at Runtime. Second is that you don’t need extensive knowledge in terms of Se Linux policy to do this. It is rather simple. Writing a whole new Se Linux policy is complicated to say the least. Anyway, you can go ahead and use SC manage Boolean shellcommand. So semanage l where am I typing? Well, of course not. Why would it type? Because I’m using a completely different keyboard that has been lying on my desk here. Amazing.

My apologies for this. So SC Manage Boolean L and you will get a listing of all the existing booleans if I have only managed to spell it correctly, have I? Semanage L and there we go. So what have we learned from this? If you’re typing on your keyboard and if you realize that nothing is coming out on your screen, make sure that you’re using the right keyboard. Hey, why not? You’re going to get a whole list of booleans down here and we can go ahead. Well, we don’t have that many. This is one of the simpler ones FTP Home Deer. So this is the Acylinx boolean. That’s the first colon. The second one will tell you the state of that boolean. The third one will tell you the default state of that boolean and the fourth one will tell you something about that boolean. A brief description you can infer a lot from the boolean name itself and then you can solidify that knowledge by just reading the description and it will pretty much tell you everything that you would need to understand in terms of that boolean. What does that particular boolean do? So it determines whether Ftpd can read and write files in the user home directories. You can either turn it off or on.

A boolean implies or states that it has two possible states. It can be either on or it can be off. One or zero, nothing else. So only two states. Anyway, you have another way of checking this. Basically you have a Get Se bool so clear Get Sebull space ups a this will list, this command will list booleans whether they are on or off. However, it’s not really as user friendly as the previous one as that one will give you a description, give you the default state, et cetera. But you can also use this one to go and create yourself listings. Now we can go ahead and check out a particular boolean if we wanted to. So we can go ahead and clear the screen and use the same command without the A argument and just type in the name of the boolean that we would like to check.

So we can check FTP underline home, underline Deer and there you go. Now we know that this particular boolean state, current state is off. We could have seen that from the previous command as well, but just another way of using it and of checking it out. You have the Se Bool utility. Now with it you are able to set the Se Linux Booleans to be true or false, to be enabled or disabled, to be one or zero, on and off. Whichever way you want to look at it, the concept is exactly the same.

So we are going to go ahead and mess around with the boolean that’s an Httpd Boolean that actually enables the connection to databases. So let’s first of all check it out ourselves. So this is the boolean that I would like to mess with. Httpd underline can underline network underline connect underlined DB and you can see that this is off. But if I wanted to learn more about this, I would use the other command and then I would just use the grepable output. So grep I but suppose I didn’t know much about this, I can just type in Httpd and hey, I would like to see the Httpd booleans, so let me see what I can do with that, what I can do in terms of that policy and surely enough, here you go. You can find a particular boolean here. You can see the default state, the current state and then you can see that the brief description here states that it allows Httpd scripts and modules to connect to databases over the network. Now we can temporarily enable the Http server scripts and modules, we can enable them these connections to databases by using the Set pool command. So we can just type in Set pool. No, I don’t feel like rewriting this. Let’s just go ahead and copy it a lot easier this way. There we go, simple enough. And once we have this, we can just space and on have I seriously mistyped that? Oh right, I did, I did, I did. My bad, my bad. Set Sebull. So set SELinux boolean.

My apologies. And there you go. So it immediately lists it and now we can type in get Sebull. I’m pretty sure my typing is wonderful tonight. It is on. And by the way, I’ve fixed my clock on this sentos machine, so the time is indeed correct. It’s 230 in the morning. Amazing. No worries, I don’t like to sleep much anyway. You can see that the Http network connect DB is actually set to on now and we have changed this particular boolean and we have changed immediately the manner in which the particular policy behaves and immediately we have changed what is allowed and what it is not allowed.

So for example, if you have a website that needs to and it’s not working. I can give you a specific example with Joomla because I’ve done some work with Joomla, and wherever you see a guide on how to set up Joomla on it, on Sentos or Infradora or something like that, the very first thing that they tell you is like, disable SELinux, which on a production network is I don’t know. That’s not a good idea. I don’t know what to compare it with. But you get the idea. It’s very bad. And why did they say this? Well, they don’t configure Apache to work with Slynx properly, but more importantly, they don’t actually allow database connections at all. And no one needs a database connections. So all they need to do is change a couple of booleans and set them to true so that they would allow such things to occur. But no, rather, instead, it’s a lot easier to actually disable Slmx and reboot the machine so that it would be completely disabled, not even in permissive mode, as I said, on a virtual machine somewhere in your house where you’re doing some tests. On a virtual machine in a protected, safe environment, fine, no big deal. But production network, not a good idea. Not a good idea at all. Anyway, notice we have actually configured this. Keep in mind that this change will not persist through a reboot. This is not a persistent change, this is only a current session change. If you wish to make a persistent change across reboots, you can run the P argument.

You can pass a dash P argument in this command. So let’s just make it persistent p. Not get my good man, not get set. And it’s going to happen anytime. I would like to say today, but it’s actually tonight, so yeah, I don’t know, should run, should apply it eventually. There we go. So that part is done. And that is how you can actually configure these booleans, set them on and off. I will just revert this back to off to its default state. I’ve already shown you how you can find the default states after this tutorial. I do believe that we are if I’m not mistaken, I do believe that I am going to go ahead and proceed with the certain configurations with Apache. And what can we do there? How can we set up the encryption to work as well, along with as long as it can be an additional feature that I’m going to throw in here and hopefully it will be of use to you. So until then, I bet you will. Farewell and we shall see each other in the followup story.

7. SELinux and SSH

Welcome back everybody. Today we’re going to do a very simple task. We’re just going to go ahead and reconfigure the SSH port. This is a common task performed very, very often as people generally don’t like their SSH to be on port 22 as it is standardized because SSH is usually used for private access. You just want to be the only person that’s using it and you don’t want to enable port 22 to why? Well, I don’t know. A scan can pick it up rather easily but if it’s somewhere high up the person will need to be scanning a lot more ports to figure out which one is open and which one is listening for SSH. And in such a way you’re adding an extra security layer.

As you will be most likely warned in advance of the scans, your logs will record the most likely. Anyway, what we shall do is edit the configuration file so Vimsshss and as you can see I have done this here. It says port 12,000. You don’t need to put port 12,000, I’ve placed port 12,000. Why? Generally recommended to put a higher port here but it’s not a big deal. You can put pretty much whatever is not taken or reserved already though 12,000. I’m pretty sure that nothing is going to use 412 thousand on my system. Let’s just change that file so and write and write the changes there. Hopefully you know how to edit a file with Vim by now. So I’m not going to go over that and wait, one more thing I wanted to mention here. There is a note above the option.

Now configuration files in Linux are very simple to the point of extreme, perhaps not as simple as they are clear. You can see that above the option you have an explanation of what you need to do. So if you want to change the port and SELinux system you will have to tell you will have to inform SELinux about this change. And then to make things even easier it actually gives you the command down below. Amazing, right?

So just let’s go ahead and quit now. We’re going to need to inform Se Linux of this and a good idea is to make sure that SSH is not running. Most likely it will be running because I’m assuming that you have it set up and configured from the previous tutorials. And if you go ahead and type in system CTL Status SSHD service I swear I press it. It’s probably the keyboard. I know it’s a lame excuse but I don’t think that the key is functioning properly because there’s no way I’m missing it every time.

The S key especially and active inactive debt. Okay, so that’s fine and dandy, no big deal there. Now that we have changed the port, let’s go ahead and inform the Se Linux about it with SC manage portadss port underline T sorry PTCP. And then here we’re going to say 12,000, the standard weight that we have to endure. You can literally copy paste this command from the configuration file. It’s that simple. No big deal thereof whatsoever. And there we go. The SSH has worked out and you can now do start press Enter and there you go. SSH will now be running status. There you go. It says server listening on any IP port 12,000. There you go, it’s running, it’s functional.

No problems, no big deal. It’s working out rather well. That was just something that I want to throw in here as this is one of the most common changes that people tend to make. If you want to see full range scene help, there you go. So this is a help option. You can go ahead you can go ahead and read through this and see some of the additional options here. Please do let me know if I have skipped something. If there is something that you would like to know and I didn’t explain it here, I would be more than happy to make an extra tutorial for you. No problems posted either here or new to me or if I can’t logically fit it into the course, I can put it on YouTube, no big deal to help you out along your merry way. Anyway, that would be it for this I visual farewell.

• Category: Uncategorized