P a g e | 1

Introduction to SELinux

Date Assigned: mm/dd/yyyy

Time Due: mm/dd/yyyy by hh:mm

Educational Objectives

This lab is designed to give an introduction to SELinux. After completion of this lab, you will

learn how to

Discover the current SELinux status

Use basic SELinux command

Understand targeted policy

Lab Environment

One Fedora 18 VM is needed for this lab.

All of the tasks for this lab will be performed on this Fedora 18 machine. If you conduct this lab

on a different version or different distribution of Linux system, some files may be located in

different folders.

References

Here are the references that are used to construct this lab:

SELinux documentation (NSA)

http://www.nsa.gov/research/selinux/docs.shtml

SELinux Wiki

http://www.selinuxproject.org/page/Main_Page

SELinux (Fedora Project)

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

Section 1 Environment Preparation

Please run the following command as a root to install current SELinux packages on Fedora 18:

yum install *selinux* --skip-broken

All SELinux policies are located in the following folder:

/etc/selinux/<policy_name>

P a g e | 2

Where, <policy_name> is the name of the policy. Now, the policies minimum, targeted and mls

should be installed.

Section 2 SELinux modes and global configuration files

2.1 SELinux modes

SELinux has three major operation modes:

Enforcing - SELinux is enforcing the loaded policy.

Permissive - SELinux has loaded the policy, however it is not enforcing the policy. This

is generally used for testing as the audit log will contain the AVC (access vector cache)

denied messages.

Disabled - The SELinux infrastructure (in the kernel) is not loaded.

Run the following command to learn the current SELinux operation mode on your system:

sestatus

SELinux operation mode and policy are defined in the following file:

/etc/selinux/config

The value for SELINUX determines the SELinux operation mode. It can be set to three values as

follows:

SELINUX=enforcing | permissive | disabled

In order to change the SELinux operation mode in a system, you need perform the following:

Assign the right value to SELINUX in the /etc/selinux/config file.

Reboot the system

Please perform the following:

Check the current SELinux operation mode.

If it is disabled, change it to enforcing mode. Please use targeted policy.

2.2 The sestatus.conf file

The /etc/sestatus.conf file is used by sestatus command to list files and processes

whose security context should be displayed (sestatus -v). This file has the following

parameters:

[files]

P a g e | 3

List of files to display context [process] List of processes to display context

Please perform the following tasks:

View the /etc/sestatus.conf file.

Run sestatus –v.

Compare the output of sestatus -v command with the contents of the sestatus.conf file.

Comment out some of the entries of your choice in the /etc/sestatus.conf file and repeat

steps 2 and 3.

Add more entries of your choice to the /etc/sestatus.conf file and repeat steps 2 and 3.

Question 1: How would the use of sestatus -v command benefit your everyday administration

work on SELinux? Please explain your answer.

2.3 Changing current running mode

The setenforce command allows you to modify the mode SELinux is currently running in

without confirmation and rebooting. It has the following format:

setenforce [ Enforcing | Permissive | 1 | 0 ]

Use Enforcing or 1 to put SELinux in enforcing mode. Use Permissive or 0 to put SELinux in

permissive mode. However, you cannot use this command to put SELinux in disabled mode.

Please run the following commands as a root:

setenforce 0 getenforce setenforce 1 getenforce

Question 2: How would the setenforce command be useful? Please explain your answer.

When you use the setenforce command to change the SELinux operation mode, will this

change stay when the system is rebooted? Test it to confirm your conclusion.

Section 3 SELinux security contexts and modified Linux commands

P a g e | 4

SELinux requires a security context, also known as a “security label” or just “label”, to be

associated with every process (or subject) and object that are used by the security server to

decide whether access is allowed or not as defined in the policy. Many standard Linux

commands must be modified for being used in a SELinux system. Some commonly used Linux

commands with SELinux modification are introduced in this section.

3.1 Displaying security contexts

Please use the man page for ls command to study SELinux options. (Scroll down and look for

SELinux options)

Question 3: What option would you use with the ls command if you want to display only

security context and file name?

Please use the command options you just learned to study security contexts under your current

directory and some other directories, such as /bin, /etc/selinux, /var/log, etc.

3.2 Modified Linux commands

GNU standard Linux commands need to be modified in order to work with SELinux. These

commands include cp, mv, id, ls, ps and others.

The ps command accepts a -Z flag to display the security context of each running process along

with standard Linux information.

Run ps -Z or ps -aux -Z to learn the process’s domains.

The cp command accepts a -Z flag to set a security context of a newly created file. If not

specified, the security context of the new file will default to that of the destination directory.

Create a file in your home directory, such as /root/test.txt.

Execute cp /root/test.txt /tmp/test.txt

Study the security contexts associated with /root/test.txt and /tmp/test.txt to understand

the difference.

Please use the man page for cp to learn how to copy a file from one place to another with the

same security context as the source file. Test what you learned on your computer.

The id command displays current user’s security context information along with the user and

group information. It will also accept a -Z flag to display only security context of current user.

Please perform the following to learn the effects.

id

P a g e | 5

id -Z

An important note when using the mv command is that the new file will retain its security

context when it is moved by using the mv command. For example, moving a file from a user

home directory to an http served directory will result in a file retaining its user_home_t type,

which, under normal policy, is not readable by httpd daemon. Please perform the following to

learn the effects.

Create a file in your home director, such as /root/test.html

Execute ls -Z /root/test.html Execute mv /root/test.html /tmp/test.html Execute ls -Z /tmp/test.html

Did you see any difference between the security context of the /root/test.html file and that of the

/tmp/test.html file? Now you have learned how cp and mv works in the SELinux environment.

Scenario 1

Assume that you have a directory /var/www/html that is used to hold html and related files for a

web page. The system runs SELinux enforcing mode with targeted policy. Apache HTTP service

(httpd) has read permission to those files. You have been writing a web page and testing it in

another directory, which is not accessible by httpd. This is usually how it works since you don’t

want anybody to access the page until your writing and editing are finished and the page is in a

good shape. Now the contents of the page and its appearance have been approved by your

manager and you want to move those files to the /var/www/html directory.

Question 4: Would you use the command cp or mv to achieve the goal specified in Scenario 1?

Please explain your solution.

Please test your solution on your computer to ensure that it works correctly.

There are some other commands that must be modified in order to work with SELinux. You need

to be aware of this while using them.

Section 4 Introduction to Targeted Policy and Type Enforcement

Targeted policy is the default SELinux policy used in Fedora 18. Under this policy, processes

that are targeted run in a confined domain. Processes that are not targeted run in an unconfined

domain. For example, by default, login users run in the unconfined_t domain, and system

processes started by init run in the initrc_t domain. Both of them are unconfined. In this section,

you will gain experience with confined processes and unconfined processes.

4.1 Relabeling a file system

P a g e | 6

In SELinux systems, files are labeled with security contexts corresponding to the policy. These

security contexts can be changed at run time using various commands such as chcon for testing

and debugging purposes. Then, you want to set those contexts back to what are defined in the

policy. Relabeling a file system is to set the security contexts of the files in the system back to

what are defined in the policy.

4.1.1 Relabeling a file system using init

Relabeling a file system is the process to reset the security contexts of the files in the file system.

The recommended method for relabeling a file system is to reboot the machine. This allows init

process to perform the relabeling. The following procedure will re-label a file system using init

process:

touch /.autorelabel reboot

This command is rarely used because you rarely need to re-label a whole file system.

4.1.2 Relabeling a file system using fixfiles

It is possible to re-label a file system using the fixfiles command.

fixfiles –F –f relabel

However, using this command to re-label a file system is not recommended.

4.2 Changing the type associated with a file

One way to test the effects of or modify the SELinux policy is to change the type associated with

a file. This file can represent either a subject (a process) or an object (a data file). The type can

be changed permanently or temporarily in the current running mode.

4.2.1 The chcon command

The chcon command can be used to change the SELinux security context of a file, but the

changes will not stay when the file system is relabeled, such as after reboot. Please use man page

to learn how to use this command. The format for changing type of a file is as follows:

chcon -t type_t file_name

This command will change the type of the file_name file to the type type_t. A full path for

file_name may be needed on some systems. Otherwise, the command won’t work as specified.

Please perform the following as a root user.

P a g e | 7

Create a file in your home directory, such as /root/test.txt.

Execute ls -Z /root/test.txt, watch the type associated with this file.

Execute chcon -t httpd_sys_content_t /root/test.txt Execute ls -Z /root/test.txt. Study the type associated with test.txt file.

Can you learn the effects of the chcon operation? However, this change will not stay when the

file system is relabeled.

Please remove the test.txt file when you have done the above practice.

4.2.2 The semanage command

In order to change the type permanently, you need to use the semanage command. Please use

the man page to study the semanage command. The semanage fcontext command is used for

manipulating file security contexts.

Please perform the following practices as a root user:

Create a file in /etc/ directory, such as /etc/test1

Execute ls -Z /etc/test1, watch the type of this file.

Execute /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /etc/test1 (Note that

the full path must be used. It may not work correctly if the full path is not used.)

Execute ls -Z /etc/test1, watch the type of this file.

Did you notice the type change? No, the displayed type is still the same. The effect of

/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /etc/test1 operation is simply to

“add an OBJECT record NAME”. What does it mean? An entry about the /etc/test1 file is

recorded in the following file:

/etc/selinux/targeted/contexts/files/file_contexts.local

View the above file and see what you can find. There should be an entry similar to the following:

The first part identifies the file with a full path name. The second part specifies the security

context associated with the file.

Please perform the following to actually see the effects:

/sbin/restorecon -v /etc/test1 ls -Z /etc/test1, watch the type associated with this file.

P a g e | 8

Did you notice the type change? You should be able to see the type change if the policy is not

changed. In addition, this type change will survive system reboot or file system relabeling.

Question 5: Why would you want to use the chcon command to make type changes? Why

would you want to use the semanage/restorecon commands to make type changes? Please try

to explain the real world situations where chcon and semanage/restorecon can fit in.

Please delete the /etc/test1 file when you finished the practice.

4.3 Confined processes

Almost every service that listens on a network is confined in Fedora 18 that enforces a SELinux

targeted policy. Most processes that run as the root user and perform tasks for users, such as the

passwd application, are confined under targeted policy. When a process is confined, it runs in

its own domain, such as the httpd process running in the httpd_t domain. If a confined process is

compromised by an attacker, depending on SELinux policy configuration, an attacker's access to

resources and the possible damage they can make are limited.

The following example demonstrates how SELinux prevents the Apache HTTP Server (httpd)

from reading files that are not allowed by the SELinux policy.

Please perform the following as a root user on the Fedora 18 computer:

Create a file in the /var/www/html directory, such as /var/www/html/index.html. Put the

message “This is just a test” in the file.

Execute ls -Z /var/www/html/index.html, study and understand the security context of

this file. Especially, the SELinux type of the file.

The index.html file is labeled with the SELinux unconfined_u user because a Linux user that is

mapped to the unconfined_u SELinux user created the file. Role-Based Access Control

(RBAC) is used for processes, not files. Roles do not have a meaning for data files - the object_r role is a generic role used for data files (on persistent storage and network file systems). Under

the /proc/ directory, files related to processes may use the system_r role. The

httpd_sys_content_t type allows the httpd process to access this file.

Please continue your practice by performing the following:

Stop HTTP server (httpd) if it is on (systemctl stop httpd.service)

Open file /etc/httpd/conf/httpd.conf and comment out the following line at

the bottom of the file: o Include Optional conf.d/*.conf

Start the Apache HTTP server (httpd) (systemctl start httpd.service)

Go to a directory where your Linux user has write access to.

P a g e | 9

Run wget http://localhost/index.html command

Question 6: Were you able to get the index.html file? Why or Why not?

Then, continue to conduct the following tasks:

Use chcon command to change the type of index.html to samba_share_t by running

the following command: (Note: Under the targeted policy, httpd does not have

permission to access files of samba_share_t type)

chcon -t samba_share_t /var/www/html/index.html

Run the ls -Z /var/www/html/index.html command to confirm the type change.

Run the wget http://localhost/index.html command again.

Were you able to get the file index.htmle? The access should be denied (403 Forbidden). This is

because httpd does not have permission to access files of samba_share_t type.

Please stop the Apache HTTP service:

systemctl stop httpd.service

The error of running the wget http://localhost/index.html command is logged in the log file

/var/log/messages. View this file using a text viewer of your choice. Scroll down to the bottom

of the file. You will see an entry similar to the following:

In addition, an error similar to the following is logged to /var/log/httpd/error_log:

4.4 Unconfined processes

Unconfined processes run in unconfined domains. For example, init programs run in the

unconfined initrc_t domain, unconfined kernel processes run in the kernel_t domain, and

unconfined Linux users run in the unconfined_t domain. For unconfined processes, SELinux

P a g e | 10

policy rules are applied, but policy rules allow unconfined processes access to almost everything.

Processes running in unconfined domains fall back to using DAC rules exclusively. If an

unconfined process is compromised, SELinux does not prevent an attacker from gaining access

to system resources and data, but, of course, the DAC rules are still applied. SELinux is a

security enhancement on top of DAC rules - it does not replace them.

Can we change the domain of a process to allow it access more resources or run in unconfined

domain? The answer is yes. Man-made rules can always be changed.

The following example demonstrates how the Apache HTTP Server (httpd) can access data

intended for use by Samba, while running in an unconfined domain.

Create a file in the /var/www/html directory, such as /var/www/html/index2.html.

Run the ls -Z /var/www/html/index2.html command to view and study the SELinux

security context of this file. The httpd_sys_context_t type should be associated with the

file. The type allows the Apache HTTP service (httpd) to read this file.

Use chcon command to change the type of the index2.html file to the samba_share_t type.

Run ls -Z /var/www/html/index2.html command to confirm the type change.

From what you have learned from the previous section, you know that httpd has no

access to the index2.html file after the type change. This can be changed by changing the

domain of httpd.

Stop Apache HTTP service (httpd) if it is on. (systemctl start httpd.service).

Run chcon -t unconfined_exec_t /usr/sbin/httpd to change the type of httpd to the

unconfined_exec_t type.

Run systemctl start httpd.service to start the Apache HTTP service.

Run ps -eZ | grep httpd to confirm that the httpd is in the unconfined_t domain.

Change into a directory where your Linux user has write access to, and run the following

command:

wget http://localhost/index2.html

Question 7: Were you able to get the index2.html file? Why or Why not?

How to change the httpd back into a confined process? Well you have learned how to do it.

Change its type back to a confined domain or restore the original domain for the process.

Please perform the following:

Stop httpd

Run the restorecon -v /usr/sbin/httpd command

P a g e | 11

Run the ls -Z /usr/sbin/httpd command to confirm the restoration. It is now associated

with httpd_exec_t type.

Start httpd

Run the wget http://localhost/index2.html command

Now the access to index2.html by httpd is forbidden. Please stop httpd and delete the

index2.html file from the system.

Section 5 Confined and unconfined SELinux users

Each standard Linux user is mapped to a SELinux user via SELinux policy. This mapping allows

Linux users to inherit the restrictions on SELinux users. This Linux and SELinux user mapping

can be viewed by running the following command:

semanage login -l

5.1 Unconfined SELinux users

In a Fedora 18 system, Linux users are mapped to the SELinux __default__ login by default,

which is mapped to the SELinux unconfined_u user. In other words, when you create a standard

Linux user, this user is mapped to __default__ login, which is mapped to an unconfined

SELinux user (unconfined_u).

Please perform the following to verify this:

Create a Linux user, such as joe. (useradd joe)

Set password for this user. (passwd joe)

Log in as the newly created user.

Run id -Z

You will see that joe is an unconfined user (unconfined_u); plays the unconfined role

(unconfined_r); and runs in the unconfined domain (unconfined_t).

You can remove this user from your system by running the command userdel -r joe if you don’t

want to keep the data in your system

5.2 Confined SELinux users

Depending on the SELinux policy, different confined SELinux users may be defined. Table 1

gives some of them along with restrictions and permissions for each of them.

Table 1 Common confined SELinux users and their capabilities

User Domain X Window su and sudo Execute in home networking

P a g e | 12

System directory and /tmp/

guest_u guest_t no no optional no

xguest_u xguest_t yes no optional Firefox only

user_u user_t yes no optional yes

staff_u staff_t yes sudo only optional yes

SELinux users defined in a policy can be viewed by running the following command:

semanage user -l

How can you confine a user? Well, you are getting there.

5.3 Confining users

It could be useful to confine a user and restrict its access to the system resources. This can be

done when a Linux user is created. This can also be done on existing users.

5.3.1 Confining new Linux users.

When creating Linux users with useradd, the -Z option can be used to specify which SELinux

user they are mapped to. For example, the following command will create the user tom and maps

it to the SELinux staff_u user:

useradd -Z staff_u tom

Please perform the following to understand the effects of confined users.

Create a user, such as tom and map this Linux user to the SELinux user_u user.

(useradd –Z user_u tom)

Set password for user tom.

Log on the computer as user tom.

Run the su root command.

Question 8: What happened when you tried to run the su command as user tom? Take a

screenshot of the results and attach it here. Explain the result.

P a g e | 13

5.3.2 Confining existing Linux users

In order to confine an existing Linux user, the semanage login command can be used to map

the user to a SELinux confined user. For example, the following command will map user

currentUser, which is a standard Linux user, to a SELinux user_u user, which is a SELinux

confined user.

semanage login -a -s user_u currentUser

The -a option adds a new record, and the -s option specifies the SELinux user. The last

argument, currentUser, is the normal Linux user.

Please perform the following tasks as a Linux root user to understand the effects:

Create a Linux user, such as current.

Set password for this user.

Run the su current command to be as user current.

Run id -Z, check the security context of user current. Run the su command to switch back to root.

Map user current to a SELinux staff_u user

Log out and log back in as user current.

Try to run the commands su and sudo as user current. Record what you see.

Question 9: What did you see when you tried the commands su and sudo root as user current (which is an SELinux staff_u user). Explain the results. Please pay attention to the reasons why

user current cannot run the command.

Question 10: Why would you confine Linux users in practice? Explain your answer.

You are encouraged to practice the effects of confining users with more examples. Technically,

every Linux users can be remapped. However, please be careful and understand what you are

doing and its effects before you actually do it. You don’t want to lock yourself out. It could

happen.

Section 6 Bonus (4%)

What you need to do for the bonus is not restricted, but has to be related to SELinux.

P a g e | 14

Please do the following to earn the bonus of this lab. More extra points may be given if you can

convince your instructor that you have done a significant amount of work on SELinux.

Work out a mini project of your choice based on what you have learned on SELinux

Describe your mini project: motivation, design and technical contents.

Implement your mini project.

Question B1: What is your mini project about? Give a description of your project, including

motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and answers to

questions to show your implementation.

Survey Questions

Questions in this section will not be graded, but will make your suggestions and voice heard by

your instructor.

GQ 1. What changes would you like to make to this lab?

GQ 2. How much time did you spend to finish this lab?

GQ 3. Do you learn anything new or gain a better understanding of class lecture by finishing this

lab?

Well, you have completed another lab for this class. Hope you enjoyed doing this lab. Please let

your instructor know if you have any comments.

P a g e | 15

Answer Sheet

============================ Required Questions =========================

Question 1: How would the use of sestatus -v command benefit your everyday administration

work on SELinux? Please explain your answer.

Question 2: How would the setenforce command be useful? Please explain your answer.

Question 3: What option would you use with the ls command if you want to display only

security context and file name?

Question 4: Would you use the command cp or mv to achieve the goal specified in Scenario 1?

Please explain your solution.

Question 5: Why would you want to use the chcon command to make type changes? Why

would you want to use the semanage/restorecon commands to make type changes? Please try

to explain the real world situations where chcon and semanage/restorecon can fit in.

Question 6: Were you able to get the index.html file? Why or Why not?

Question 7: Were you able to get the index2.html file? Why or Why not?

Question 8: What happened when you tried to run the su command as user tom? Take a

screenshot of the results and attach it here. Explain the result.

Question 9: What did you see when you tried the commands su and sudo root as user current (which is an SELinux staff_u user). Explain the results. Please pay attention to the reasons why

user current cannot run the command.

P a g e | 16

Question 10: Why would you confine Linux users in practice? Explain your answer.

========================== Bonus Part (4%) =============================

Question B1: What is your mini project about? Give a description of your project, including

motivation, design and technical details.

Question B2: Implement your mini project. Please use screenshots, descriptions and answers to

questions to show your implementation.

=========================== Survey Questions ============================

GQ1. Would you like to make any changes to this lab?

GQ2. How long did it take you to complete this lab?

GQ3. Do you learn anything new or gain a better understanding of class lecture by finishing this

lab?