Thanks Stephen , so below are the details of my SELinux setup
Centos Version : CentOS release 6.2 (Final)
Kernel version : 2.6.32-220.el6.x86_64
RPM package : selinux-policy-mls-3.7.19-312.el6.noarch
cat /etc/selinux/mls/contexts/securetty_types
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
user_devpts_t
sshd_devpts_t
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
user_devpts_t
sshd_devpts_t
sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: mls
Process contexts:
Current context: system_u:system_r:sshd_t:s0-s15:c0.c1023
Init context: unknown (Permission denied)
File contexts:
Controlling term: system_u:object_r:sshd_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: mls
Process contexts:
Current context: system_u:system_r:sshd_t:s0-s15:c0.c1023
Init context: unknown (Permission denied)
File contexts:
Controlling term: system_u:object_r:sshd_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
Regarding the httpd process , i started the process by switching to a new role as follows , so that's why it has obtained the sshd_t type on the 'httpd' process
[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:
Password:
[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s4-s5:c1,c2
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start
system_u:system_r:sshd_t:s4-s5:c1,c2
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start
[root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 root 29220 0.0 0.4 262888 9244 ? Ss 00:18 0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 apache 29223 0.0 0.2 262888 5264 ? S 00:18 0:00 /usr/sbin/httpd
And on the mlsconstraint statements for file read , i see the following constrain
mlsconstrain { file } { read getattr execute }
( l1 l2 dom t1 { sysadm_t aide_t system_cronjob_t ksmtuned_t sssd_t virtd_t xserver_t } == h1 l2 dom && || t1 { bootloader_t pam_console_t logrotate_t dmidecode_t iptables_t auditadm_wm_t myuser_wm_t setfiles_mac_t initrc_t mcelog_t secadm_t sysadm_t fsadm_t getty_t kudzu_t lvm_t mdadm_t quota_t rpm_t xdm_t xguest_wm_t myuser2_wm_t setsebool_t newrole_t setrans_t user_wm_t local_login_t rpm_script_t tmpreaper_t devicekit_disk_t NetworkManager_t audisp_t auditd_t kernel_t crond_t cupsd_t hald_t init_t kdump_t klogd_t mount_t rshd_t sshd_t udev_t fsdaemon_t sssd_selinux_manager_t load_policy_t remote_login_t secadm_wm_t readahead_t system_dbusd_t staff_wm_t setfiles_t semanage_t consoletype_t auditctl_t rlogind_t vbetool_t } == || t2 { cupsd_var_run_t sssd_var_lib_t kvm_device_t null_device_t zero_device_t system_dbusd_var_run_t devlog_t devtty_t tmpfs_t xdm_t vhost_device_t httpd_bool_t tun_tap_device_t faillog_t setrans_t qemu_var_run_t anon_inodefs_t setrans_var_run_t crond_t cupsd_t ptmx_t sshd_t sssd_t virt_log_t system_dbusd_t proc_numa_t security_t initctl_t sudo_db_t syslogd_t xserver_t } == || );
( l1 l2 dom t1 { sysadm_t aide_t system_cronjob_t ksmtuned_t sssd_t virtd_t xserver_t } == h1 l2 dom && || t1 { bootloader_t pam_console_t logrotate_t dmidecode_t iptables_t auditadm_wm_t myuser_wm_t setfiles_mac_t initrc_t mcelog_t secadm_t sysadm_t fsadm_t getty_t kudzu_t lvm_t mdadm_t quota_t rpm_t xdm_t xguest_wm_t myuser2_wm_t setsebool_t newrole_t setrans_t user_wm_t local_login_t rpm_script_t tmpreaper_t devicekit_disk_t NetworkManager_t audisp_t auditd_t kernel_t crond_t cupsd_t hald_t init_t kdump_t klogd_t mount_t rshd_t sshd_t udev_t fsdaemon_t sssd_selinux_manager_t load_policy_t remote_login_t secadm_wm_t readahead_t system_dbusd_t staff_wm_t setfiles_t semanage_t consoletype_t auditctl_t rlogind_t vbetool_t } == || t2 { cupsd_var_run_t sssd_var_lib_t kvm_device_t null_device_t zero_device_t system_dbusd_var_run_t devlog_t devtty_t tmpfs_t xdm_t vhost_device_t httpd_bool_t tun_tap_device_t faillog_t setrans_t qemu_var_run_t anon_inodefs_t setrans_var_run_t crond_t cupsd_t ptmx_t sshd_t sssd_t virt_log_t system_dbusd_t proc_numa_t security_t initctl_t sudo_db_t syslogd_t xserver_t } == || );
Also I would like to understand about the precedence check by the SELinux security server , assume if a type is allowed to read the file by the mlsconstrain statements as shown above , then does the security server check and compare for the security levels as well of the source process and the destination ? (In this case the apache process runs in s4-s5:c1,c2 , the linux user running the curl is mapped on SELinux user s4-s5:c1,c2 and the php file : /var/www/html/info.php is on s0:c3 )
So in that case , any suggestions to bypass the constrain rule ?
I tried to create a new SELinux role so that it has no types at all (This didn't work though as it gets the selinux types for user_u for some reason) . Then I was planning to add just 1 new type (eg: testuser_t) and then map this new 'type' to the new SELinux role and then map this role to a Linux User . So in that case the Linux User will have one single type accessible and then I can run the 'curl' command on the apache endpoint to see if the Bell Lapadula condition works :) .
On Wed, Nov 7, 2018 at 1:13 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On 11/6/18 9:33 AM, Ishara Fernando wrote:
> Dear all ,
>
> I have been trying to test and see how SELinux MLS works with Apache ,
> this is what I did to test
>
> *1) As we're aware if we start apache process as the default SELinux
> user (i.e: Just as root user) , it will obtain a security context which
> has all the range of sensitivities and categories (i.e : s0-s15 ,
> C0-C1023) *
>
> [root@msc-ishara-system1 ~]# id -Z
> system_u:system_r:sshd_t:*s0-s15:c0.c1023*
>
> [root@msc-ishara-system1 ~]# ps auxZ | grep -i http
> system_u:system_r:sshd_t:*s0-s15:c0.c1023* root 29161 0.0 0.4 262888
> 9248 ? Ss 00:16 0:00 /usr/sbin/httpd
> system_u:system_r:sshd_t:*s0-s15:c0.c1023* apache 29164 0.0 0.2 262888
> 5264 ? S 00:16 0:00 /usr/sbin/httpd
>
>
> *2) Then what I did was stop apache and then Switch to a new SELinux
> role (s4-s5:c1,c2) and start Apache process as follows , apache will
> also get the same security contexts as the User ( s4-s5:c1,c2 ) *
>
> [root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
> Password:
>
> [root@msc-ishara-system1 ~]# id -Z
> system_u:system_r:sshd_t:*s4-s5:c1,c2
> *
> [root@msc-ishara-system1 ~]# /etc/init.d/httpd start
>
>
> [root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
> system_u:system_r:sshd_t:*s4-s5:c1,c2* root 29220 0.0 0.4 262888 9244
> ? Ss 00:18 0:00 /usr/sbin/httpd
> system_u:system_r:sshd_t:*s4-s5:c1,c2* apache 29223 0.0 0.2 262888 5264
> ? S 00:18 0:00 /usr/sbin/httpd
>
> *3) And now I created a file 'info.php' under /var/www/html , and then i
> changed the security context of this file as follows
> *
>
> touch /var/www/html/info.php
> chcat s0:c3 /var/www/html/info.php
>
> *4) Now that we know the apache process is running in s4-s5:c1,c2
> security context and the file /var/www/html/info.php has s0:c3 context ,
> then apache process shouldn't be able to read the /var/www/html/info.php
> file as c3 isn't read into c1,c2 apache process according to the Bell
> Lapadula model which is the security policy in SELinux MLS , but however
> when i run a curl on the apache process , it produces an output (Which
> shows the php version and stuff)
> *
>
> *curl http://localhost/info.php*
>
> !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "DTD/xhtml1-transitional.dtd">
> <html><head>
> <style type="text/css">
> body {background-color: #ffffff; color: #000000;}
> body, td, th, h1, h2 {font-family: sans-serif;}
> pre {margin: 0px; font-family: monospace;}
> a:link {color: #000099; text-decoration: none; background-color: #ffffff;}
> a:hover {text-decoration: underline;}
> table {border-collapse: collapse;}
> .center {text-align: center;}
>
> 5) What i need to understand is am I testing this wrong ? When I run
> curl command I run it as the same user in which switched roles to (i.e :
> s4-s5:c1,c2) , so still c3 isn't read into c1,c2 . But I still get an
> output for the curl .
>
> What I am trying to achieve is show that Apache process will not be able
> to read the file /var/www/html/info.php according to the Bell Lapadula
> model , have i missed any step in here ? Awaiting your kind guidance and
> inputs . Thank you
First, note that selinux@xxxxxxxxxxxxx has moved to
selinux@xxxxxxxxxxxxxxx. The old list still exists but will eventually
be shut down sometime. I have cc'd the new list above.
Second, it would help if you provided information about your
distribution, release, policy package, etc. sestatus -v output would
also be helpful.
Third, your httpd processes are running in the wrong domain (sshd_t vs
httpd_t), which indicates something else is wrong with your
configuration / set up. And sshd_t appears to be allowed mlsfileread in
the Fedora -mls policy, so it is exempted from MLS constraints on file
reading, which would explain the behavior you are seeing.
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
