subject:"SELinux MLS for Apache Process"

Re: SELinux MLS for Apache Process

2018-11-08 Thread Stephen Smalley


On 11/8/18 8:33 AM, Ishara Fernando wrote:

Dear Stephen ,

Many thanks for the detailed information , it has been very useful . 
Infact I have tested your steps in a similar environment (CentOS 6.10 , 
see versions below) as of yours in a Virtual machine based on 
Virtualbox  , I have reached to the step where the *selinux module is 
installed* on doing the range transition to enforce httpd to run on 
s4-s5:c1,c2 .


Unfortunately I still see the range transition denied errors in the 
audit logs (After installing the selinux module) and I do not see any 
errors related to *httpd trying to perform writes* on various 
directories/files that are labeled s0 as per your explanation .


Kindly see the details below

[root@msc-ishara-system1 ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount:    /selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:    mls

Process contexts:
Current context:    staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
Init context:   system_u:system_r:init_t:s0-s15:c0.c1023
/sbin/mingetty  system_u:system_r:getty_t:s0-s15:c0.c1023
/usr/sbin/sshd  system_u:system_r:sshd_t:s0-s15:c0.c1023

File contexts:
Controlling term:   staff_u:object_r:user_devpts_t:s4
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash   system_u:object_r:shell_exec_t:s0
/bin/login  system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> 
system_u:object_r:shell_exec_t:s0

/sbin/agetty    system_u:object_r:getty_exec_t:s0
/sbin/init  system_u:object_r:init_exec_t:s0
/sbin/mingetty  system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0



Dist: CentOS release 6.10 (Final)
Kernel : 2.6.32-754.6.3.el6.x86_64
SELinux MLS Policy RPM: selinux-policy-mls-3.7.19-312.el6.noarch
SELinux Policy version: 24


[root@msc-ishara-system1 ~]# id -Z
staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2


This is the problem - you switched levels before running run_init.
And run_init tries to do an explicit transition to the context 
configured in /etc/selinux/$SELINUXTYPE/contexts/initrc_context.  Just 
leave your shell in s0-s15:c0.1023, and let the range_transition rule 
handle transitioning httpd into s4-s5:c1,c2 for you automatically.





[root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd



[root@msc-ishara-system1 ~]# which run_init
/usr/sbin/run_init
[root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/run_init
-rwxr-xr-x. root root system_u:object_r:run_init_exec_t:s0 
/usr/sbin/run_init




[root@msc-ishara-system1 /]# cat httpdtrans.te
policy_module(httpdtrans, 1.0)

require {
     type initrc_t;
     type httpd_exec_t;
     type httpd_t;
}

range_transition initrc_t httpd_exec_t:process s4 - s5:c1,c2;

mls_rangetrans_source(initrc_t)
mls_rangetrans_target(httpd_t)



[root@msc-ishara-system1 /]# semodule -l | grep -i httpd
httpdtrans    1.0



[root@msc-ishara-system1 ~]# sesearch --type | grep -i initrc_t | grep 
-i httpd_exec

    type_transition initrc_t httpd_exec_t : process httpd_t;


[root@msc-ishara-system1 ~]# id -Z
staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2


[root@msc-ishara-system1 ~]# run_init /etc/init.d/httpd start
Authenticating root.
Password:
execvp: Permission denied


[root@msc-ishara-system1 ~]# ausearch -i -m AVC -ts recent

type=SYSCALL msg=audit(11/08/2018 18:32:36.457:160) : arch=x86_64 
syscall=execve success=no exit=-13(Permission denied) a0=0x7ffd2309581a 
a1=0x7ffd230949b0 a2=0x7ffd230949c8 a3=0x7ffd23094610 items=0 ppid=1802 
pid=3074 auid=root uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=run_init 
exe=/usr/sbin/run_init subj=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 
key=(null)
type=AVC msg=audit(11/08/2018 18:32:36.457:160) :*avc:  denied  { 
transition } f*or  pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd 
dev=dm-0 ino=262967 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process



[root@msc-ishara-system1 /]# cat  /var/log/audit/audit.log | grep -i 
httpd | grep -i write

[root@msc-ishara-system1 /]#

[root@msc-ishara-system1 /]# cat  /var/log/audit/audit.log | grep -i 
httpd | grep -i append

[root@msc-ishara-system1 /]#



I followed all your steps but not sure whether I have missed something 
which I still couldn't point out



Also regarding the constraint rules , now I understand how it works 
after your explanation about the httpd process running in the sshd_t 
domain :) . So therefore I have installed the SRC rpm to see the types 
for mlsfileread attribute

Re: SELinux MLS for Apache Process

2018-11-08 Thread Ishara Fernando

Dear Stephen ,

Many thanks for the detailed information , it has been very useful . Infact
I have tested your steps in a similar environment (CentOS 6.10 , see
versions below) as of yours in a Virtual machine based on Virtualbox  , I
have reached to the step where the *selinux module is installed* on doing
the range transition to enforce httpd to run on s4-s5:c1,c2 .

Unfortunately I still see the range transition denied errors in the audit
logs (After installing the selinux module) and I do not see any errors
related to *httpd trying to perform writes* on various directories/files
that are labeled s0 as per your explanation .

Kindly see the details below

[root@msc-ishara-system1 ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount:/selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:mls

Process contexts:
Current context:staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2
Init context:   system_u:system_r:init_t:s0-s15:c0.c1023
/sbin/mingetty  system_u:system_r:getty_t:s0-s15:c0.c1023
/usr/sbin/sshd  system_u:system_r:sshd_t:s0-s15:c0.c1023

File contexts:
Controlling term:   staff_u:object_r:user_devpts_t:s4
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash   system_u:object_r:shell_exec_t:s0
/bin/login  system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 ->
system_u:object_r:shell_exec_t:s0
/sbin/agettysystem_u:object_r:getty_exec_t:s0
/sbin/init  system_u:object_r:init_exec_t:s0
/sbin/mingetty  system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0



Dist: CentOS release 6.10 (Final)
Kernel : 2.6.32-754.6.3.el6.x86_64
SELinux MLS Policy RPM: selinux-policy-mls-3.7.19-312.el6.noarch
SELinux Policy version: 24


[root@msc-ishara-system1 ~]# id -Z
staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2


[root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd



[root@msc-ishara-system1 ~]# which run_init
/usr/sbin/run_init
[root@msc-ishara-system1 ~]# ls -lZ /usr/sbin/run_init
-rwxr-xr-x. root root system_u:object_r:run_init_exec_t:s0
/usr/sbin/run_init



[root@msc-ishara-system1 /]# cat httpdtrans.te
policy_module(httpdtrans, 1.0)

require {
type initrc_t;
type httpd_exec_t;
type httpd_t;
}

range_transition initrc_t httpd_exec_t:process s4 - s5:c1,c2;

mls_rangetrans_source(initrc_t)
mls_rangetrans_target(httpd_t)



[root@msc-ishara-system1 /]# semodule -l | grep -i httpd
httpdtrans1.0



[root@msc-ishara-system1 ~]# sesearch --type | grep -i initrc_t | grep -i
httpd_exec
   type_transition initrc_t httpd_exec_t : process httpd_t;


[root@msc-ishara-system1 ~]# id -Z
staff_u:sysadm_r:sysadm_t:s4-s5:c1,c2


[root@msc-ishara-system1 ~]# run_init /etc/init.d/httpd start
Authenticating root.
Password:
execvp: Permission denied


[root@msc-ishara-system1 ~]# ausearch -i -m AVC -ts recent

type=SYSCALL msg=audit(11/08/2018 18:32:36.457:160) : arch=x86_64
syscall=execve success=no exit=-13(Permission denied) a0=0x7ffd2309581a
a1=0x7ffd230949b0 a2=0x7ffd230949c8 a3=0x7ffd23094610 items=0 ppid=1802
pid=3074 auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=run_init
exe=/usr/sbin/run_init subj=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2
key=(null)
type=AVC msg=audit(11/08/2018 18:32:36.457:160) :* avc:  denied  {
transition } f*or  pid=3074 comm=run_init path=/etc/rc.d/init.d/httpd
dev=dm-0 ino=262967 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process


[root@msc-ishara-system1 /]# cat  /var/log/audit/audit.log | grep -i httpd
| grep -i write
[root@msc-ishara-system1 /]#

[root@msc-ishara-system1 /]# cat  /var/log/audit/audit.log | grep -i httpd
| grep -i append
[root@msc-ishara-system1 /]#



I followed all your steps but not sure whether I have missed something
which I still couldn't point out


Also regarding the constraint rules , now I understand how it works after
your explanation about the httpd process running in the sshd_t domain :) .
So therefore I have installed the SRC rpm to see the types for mlsfileread
attribute to understand how it works .


[root@msc-ishara-system1 serefpolicy-3.7.19]# cd
/root/rpmbuild/BUILD/serefpolicy-3.7.19

[root@msc-ishara-system1 serefpolicy-3.7.19]# grep -ir 'mlsfileread'
./tmp/all_te_files.conf  | grep -v toclr | sed -e 's/typeattribute//g' |
sed -e 's/mlsfileread//g' | sed -e 's/attribute//g' | grep -i ssh
* sshd_t ;*


So in that case If i have understood it right , I need to run the httpd
process in

Re: SELinux MLS for Apache Process

2018-11-07 Thread Stephen Smalley


On 11/7/18 2:04 AM, Ishara Fernando wrote:

Thanks Stephen , so below are the details of my SELinux setup


*Centos Version* : CentOS release 6.2 (Final)
*Kernel version* : 2.6.32-220.el6.x86_64
*RPM package* : selinux-policy-mls-3.7.19-312.el6.noarch


That's quite old.  Any particular reason you aren't at least on the 
latest CentOS 6.x release if not CentOS 7.x? 
CentOS/Fedora/RHEL-specific questions likely should go to the Fedora 
selinux list,

https://lists.fedoraproject.org/admin/lists/selinux.lists.fedoraproject.org/



*cat /etc/selinux/mls/contexts/securetty_types *
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
user_devpts_t
sshd_devpts_t

*
*
*sestatus -v *
SELinux status: enabled
SELinuxfs mount:    /selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:    mls

Process contexts:
Current context:    system_u:system_r:sshd_t:s0-s15:c0.c1023


Your shell shouldn't be running in sshd_t; sshd should have transitioned 
to a user context (like root:sysadm_r:sysadm_t:... or 
staff_u:staff_r:staff_t:... or user_u:user_r:user_t:...).  Were there 
errors from sshd in /var/log/secure or elsewhere?



Init context:   unknown (Permission denied)

File contexts:
Controlling term:   system_u:object_r:sshd_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/bin/bash   system_u:object_r:shell_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> 
system_u:object_r:shell_exec_t:s0

/usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0


*Regarding the httpd process , i started the process by switching to a 
new role as follows , so that's why it has obtained the sshd_t type on 
the 'httpd' process*


[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:*sshd_t*:s4-s5:c1,c2*
*
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start


You first need to be in a proper user context before you do anything 
else.  Otherwise any processes you start are likely to be in the wrong 
context too.


I created a CentOS 6.10 VM, installed the mls policy, changed 
/etc/selinux/config to specify permissive and mls, touched 
/.autorelabel, rebooted to relabel filesystems, then changed 
/etc/selinux/config to enforcing and rebooted again.  If I try to ssh in 
as root, I get an error ("Unable to get valid context for root") and the 
connection is closed; /var/log/secure contains some additional error 
reporting from sshd.  That seems like a bug in selinux-policy-mls.


If I run the following command:
# semanage login -m -s staff_u root # map root to staff role
then I can ssh in as root albeit with some errors about accessing /root 
files.


Then I can do the following to switch to the sysadm role:
# newrole -r sysadm_r

I can't directly run /etc/init.d/httpd at all:
# /etc/init.d/httpd start
-bash: /etc/init.d/httpd: Permission denied

Or via service:
# service httpd start
env: /etc/init.d/httpd: Permission denied

I think -mls policy required the use of run_init to run init scripts in 
the proper context, ala the original SELinux policy:

# run_init /etc/init.d/httpd start
# ps -eZ | grep httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1704 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1706 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1707 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1708 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1709 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1710 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1711 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1712 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0-s15:c0.c1023 1713 ? 00:00:00 httpd

However, if I switch levels before trying to do this, it fails:
# newrole -l s4-s5:c1,c2
# run_init /etc/init.d/httpd restart
execvp: Permission denied

And the denial is due to the change in levels:
# ausearch -i -m AVC -ts recent
type=SYSCALL msg=audit(11/07/2018 09:37:14.703:318) : arch=x86_64 
syscall=execve success=no exit=-13(Permission denied) a0=0x7fffaf68a871 
a1=0x7fffaf6893d0 a2=0x7fffaf6893e8 a3=0x7fffaf689030 items=0 ppid=1824 
pid=1838 auid=root uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=pts0 ses=7 comm=run_init 
exe=/usr/sbin/run_init subj=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 
key=(null)
type=AVC msg=audit(11/07/2018 09:37:14.703:318) : avc:  denied  { 
transition } for  pid=1838 comm=run_init path=/etc/rc.d/init.d/httpd 
dev=dm-0 ino=133288 scontext=staff_u:sysadm_r:run_init_t:s4-s5:c1,c2 
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process


run_init always tries to run the init script in the initrc_context, so 
you'd lose the

Re: SELinux MLS for Apache Process

2018-11-07 Thread Ishara Fernando

Thanks Stephen , so below are the details of my SELinux setup


*Centos Version* : CentOS release 6.2 (Final)
*Kernel version* : 2.6.32-220.el6.x86_64
*RPM package* : selinux-policy-mls-3.7.19-312.el6.noarch

*cat /etc/selinux/mls/contexts/securetty_types *
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
user_devpts_t
sshd_devpts_t


*sestatus -v *
SELinux status: enabled
SELinuxfs mount:/selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:mls

Process contexts:
Current context:system_u:system_r:sshd_t:s0-s15:c0.c1023
Init context:   unknown (Permission denied)

File contexts:
Controlling term:   system_u:object_r:sshd_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/bin/bash   system_u:object_r:shell_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 ->
system_u:object_r:shell_exec_t:s0
/usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0


*Regarding the httpd process , i started the process by switching to a new
role as follows , so that's why it has obtained the sshd_t type on the
'httpd' process*

[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:*sshd_t*:s4-s5:c1,c2

[root@msc-ishara-system1 ~]# /etc/init.d/httpd start


[root@msc-ishara-system1 ~]# ps auxZ  |  grep -i httpd
system_u:system_r:*sshd_t*:s4-s5:c1,c2 root 29220 0.0  0.4 262888  9244
?Ss   00:18   0:00 /usr/sbin/httpd
system_u:system_r:*sshd_t*:s4-s5:c1,c2 apache 29223 0.0  0.2 262888 5264
?   S00:18   0:00 /usr/sbin/httpd


*And on the mlsconstraint statements for file read , i see the following
constrain *

mlsconstrain { file } { read getattr execute  }
(  l1 l2  dom  t1 { sysadm_t aide_t system_cronjob_t ksmtuned_t sssd_t
virtd_t xserver_t } ==  h1 l2  dom  &&  ||  t1 { bootloader_t pam_console_t
logrotate_t dmidecode_t iptables_t auditadm_wm_t myuser_wm_t setfiles_mac_t
initrc_t mcelog_t secadm_t sysadm_t fsadm_t getty_t kudzu_t lvm_t mdadm_t
quota_t rpm_t xdm_t xguest_wm_t myuser2_wm_t setsebool_t newrole_t
setrans_t user_wm_t local_login_t rpm_script_t tmpreaper_t devicekit_disk_t
NetworkManager_t audisp_t auditd_t kernel_t crond_t cupsd_t hald_t init_t
kdump_t klogd_t mount_t rshd_t sshd_t udev_t fsdaemon_t
sssd_selinux_manager_t load_policy_t remote_login_t secadm_wm_t readahead_t
system_dbusd_t staff_wm_t setfiles_t semanage_t consoletype_t auditctl_t
rlogind_t vbetool_t } ==  ||  t2 { cupsd_var_run_t sssd_var_lib_t
kvm_device_t null_device_t zero_device_t system_dbusd_var_run_t devlog_t
devtty_t tmpfs_t xdm_t vhost_device_t httpd_bool_t tun_tap_device_t
faillog_t setrans_t qemu_var_run_t anon_inodefs_t setrans_var_run_t crond_t
cupsd_t ptmx_t *sshd_t* sssd_t virt_log_t system_dbusd_t proc_numa_t
security_t initctl_t sudo_db_t syslogd_t xserver_t } ==  || );


Also I would like to understand about the precedence check by the SELinux
security server , assume if a *type is allowed* to read the file by the
mlsconstrain statements as shown above , then does the security server
check and compare for the security levels as well of the source process and
the destination ? (In this case the apache process runs in *s4-s5:c1,c2 *,
the linux user running the curl is mapped on SELinux user *s4-s5:c1,c2  *and
the php file : /var/www/html/info.php is on *s0:c3  *)

So in that case , any suggestions to bypass the constrain rule ?

I tried to create a new SELinux role so that it has no types at all (This
didn't work though as it gets the selinux types for *user_u* for some
reason) . Then I was planning to add just 1 new type (eg: testuser_t) and
then map this new 'type' to the new SELinux role and then map this role to
a Linux User . So in that case the Linux User will have one single type
accessible and then I can run the 'curl' command on the apache endpoint to
see if the Bell Lapadula condition works :) .










On Wed, Nov 7, 2018 at 1:13 AM Stephen Smalley  wrote:

> On 11/6/18 9:33 AM, Ishara Fernando wrote:
> > Dear all ,
> >
> > I have been trying to test and see how SELinux MLS works with Apache ,
> > this is what I did to test
> >
> > *1) As we're aware if we start apache process as the default SELinux
> > user (i.e: Just as root user) , it will obtain a security context which
> > has all the range of sensitivities and categories (i.e : s0-s15 ,
> > C0-C1023) *
> >
> > [root@msc-ishara-system1 ~]# id -Z
> > system_u:system_r:sshd_t:*s0-s15:c0.c1023*
> >
> > [root@msc-ishara-system1 ~]# ps auxZ | grep -i http
> > system_u:system_r:sshd_t:*s0-s15:c0.c1023* root 29161 0.0  0.4 262888
> > 9248 ? Ss   00:16   0:00 /usr/sbin/httpd
> > system_u:system_r:sshd_t:*s0-s15:c0.c1023* apache 29164 0.0  0.2 262888
> > 5264 ?   S00:16

Re: SELinux MLS for Apache Process

2018-11-06 Thread Stephen Smalley


On 11/6/18 9:33 AM, Ishara Fernando wrote:

Dear all ,

I have been trying to test and see how SELinux MLS works with Apache , 
this is what I did to test


*1) As we're aware if we start apache process as the default SELinux 
user (i.e: Just as root user) , it will obtain a security context which 
has all the range of sensitivities and categories (i.e : s0-s15 , 
C0-C1023) *


[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:*s0-s15:c0.c1023*

[root@msc-ishara-system1 ~]# ps auxZ | grep -i http
system_u:system_r:sshd_t:*s0-s15:c0.c1023* root 29161 0.0  0.4 262888 
9248 ? Ss   00:16   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:*s0-s15:c0.c1023* apache 29164 0.0  0.2 262888 
5264 ?   S    00:16   0:00 /usr/sbin/httpd



*2) Then what I did was stop apache and then Switch to a new SELinux 
role (s4-s5:c1,c2) and start Apache process as follows , apache will 
also get the same security contexts as the User ( s4-s5:c1,c2 ) *


[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:*s4-s5:c1,c2
*
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start


[root@msc-ishara-system1 ~]# ps auxZ  |  grep -i httpd
system_u:system_r:sshd_t:*s4-s5:c1,c2* root 29220 0.0  0.4 262888  9244 
?    Ss   00:18   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:*s4-s5:c1,c2* apache 29223 0.0  0.2 262888 5264 
?   S    00:18   0:00 /usr/sbin/httpd


*3) And now I created a file 'info.php' under /var/www/html , and then i 
changed the security context of this file as follows

*

touch  /var/www/html/info.php
chcat s0:c3 /var/www/html/info.php

*4) Now that we know the apache process is running in s4-s5:c1,c2 
security context and the file /var/www/html/info.php has s0:c3 context , 
then apache process shouldn't be able to read the /var/www/html/info.php 
file as c3 isn't read into c1,c2 apache process according to the Bell 
Lapadula model which is the security policy in SELinux MLS , but however 
when i run a curl on the apache process , it produces an output (Which 
shows the php version and stuff)

*

*curl http://localhost/info.php*

!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"DTD/xhtml1-transitional.dtd">

SELinux MLS for Apache Process

2018-11-06 Thread Ishara Fernando

Dear all ,

I have been trying to test and see how SELinux MLS works with Apache , this
is what I did to test

*1) As we're aware if we start apache process as the default SELinux user
(i.e: Just as root user) , it will obtain a security context which has all
the range of sensitivities and categories (i.e : s0-s15 , C0-C1023) *

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:*s0-s15:c0.c1023*

[root@msc-ishara-system1 ~]# ps auxZ | grep -i http
system_u:system_r:sshd_t:*s0-s15:c0.c1023* root 29161 0.0  0.4 262888 9248
? Ss   00:16   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:*s0-s15:c0.c1023* apache 29164 0.0  0.2 262888
5264 ?   S00:16   0:00 /usr/sbin/httpd


*2) Then what I did was stop apache and then Switch to a new SELinux role
(s4-s5:c1,c2) and start Apache process as follows , apache will also get
the same security contexts as the User ( s4-s5:c1,c2 ) *

[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:
*s4-s5:c1,c2*
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start


[root@msc-ishara-system1 ~]# ps auxZ  |  grep -i httpd
system_u:system_r:sshd_t:*s4-s5:c1,c2* root 29220 0.0  0.4 262888  9244
?Ss   00:18   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:*s4-s5:c1,c2* apache 29223 0.0  0.2 262888 5264
?   S00:18   0:00 /usr/sbin/httpd


*3) And now I created a file 'info.php' under /var/www/html , and then i
changed the security context of this file as follows *

touch  /var/www/html/info.php
chcat s0:c3 /var/www/html/info.php


*4) Now that we know the apache process is running in s4-s5:c1,c2 security
context and the file /var/www/html/info.php has s0:c3 context , then apache
process shouldn't be able to read the /var/www/html/info.php file as c3
isn't read into c1,c2 apache process according to the Bell Lapadula model
which is the security policy in SELinux MLS , but however when i run a curl
on the apache process , it produces an output (Which shows the php version
and stuff) *

*curl  http://localhost/info.php *

!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">

Re: SELinux MLS for Apache Process

Re: SELinux MLS for Apache Process

Re: SELinux MLS for Apache Process

Re: SELinux MLS for Apache Process

Re: SELinux MLS for Apache Process

SELinux MLS for Apache Process

6 matches

Site Navigation

Mail list logo

Footer information