Understanding SELinux, Part 3

In the previous article we started exploring the Red Hat Targeted Policy as shipped with Red Hat Enterprise Linux 5. In Dan Walsh’s words: “The Targeted Policy goal is to lock down all processes that listen for network connections and pretty much all processes that start at boot. Processes that are started by a logged in user were unconfined (unconfined_t). Services started by the init scripts that did not have a policy were also run in an unconfined domain (initrc_t).”

We also listed the users, roles and types that are inbuilt by default in the Red Hat Targeted Policy. Now, we shall explore some other building blocks of the Targeted Policy.

Booleans

Booleans are variables that can be set to either true or false. They enhance the effect of SELinux policies by letting the system administrator fine-tune a policy. A policy may protect a certain daemon or service by applying various access control rules, but in real-world scenarios a system administrator may not want to implement every access control specified in the policy.

This is where Booleans help. Booleans create conditional access controls based on their value. As an example, the httpd (Apache Web Server) subject has the following Booleans in the targeted policy:

allow_httpd_mod_auth_pam
allow_httpd_bugzilla_script_anon_write
httpd_enable_ftp_server
allow_httpd_squid_script_anon_write
allow_httpd_anon_write
httpd_can_network_relay
httpd_disable_trans
httpd_tty_comm
httpd_unified
httpd_rotatelogs_disable_trans
httpd_builtin_scripting
httpd_enable_cgi
allow_httpd_nagios_script_anon_write
httpd_suexec_disable_trans
httpd_enable_homedirs
httpd_ssi_exec
allow_httpd_sys_script_anon_write
httpd_can_network_connect
httpd_can_network_connect_db

One of these Booleans is httpd_enable_cgi. As any Web administrator knows, CGI scripts can be potential security leaks—depending on the manner in which they are written and the use for which they are written. We frequently create Web servers that let people use CGI scripts to monitor and maintain our clients’ mail server queues—to delete messages, hold messages, etc. A security breach can expose the entire mail queue leaving our mail server(s) vulnerable.

To prevent CGI scripts from running on a server that does not require them to be executed, simply disable the httpd_enable_cgi Boolean (set the value of this Boolean to false). SELinux Access Controls will deny execution of CGI scripts and thus secure the server.

Using the seinfo tool discussed earlier, you can list all the available Booleans by issuing the following command:

[root@vbg services]# seinfo -b

All the Booleans built into the SELinux Targeted Policy will be displayed.

The list of Booleans in the currently loaded policy can also be retrieved with the getsebool command. The -a option not only lists all Booleans, like the seinfo -b command discussed earlier, but also shows the current value of each Boolean.

[root@vbg services]# getsebool -a
NetworkManager_disable_trans --> off
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on

The above output shows various Booleans and their values. To get the value of a particular Boolean, specify it as an argument to the getsebool command. To view the current value of the httpd_enable_cgi Boolean, issue the following command:

[root@vbg services]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on

A system administrator on a system not requiring CGI script execution would want to set this Boolean to false (off). To modify the value of this Boolean we can use either the setsebool or the togglesebool commands.

To disable the httpd_enable_cgi Boolean, issue the following command:

[root@vbg services]# setsebool httpd_enable_cgi off

You can check the new value of the Boolean by again using the getsebool command described above:

[root@vbg services]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off

The above change will affect the Boolean value in the currently loaded policy but will not remain after reboot. To make Boolean values persistent across reboots, use the -P option with the setsebool command:

[root@vbg services]# setsebool -P httpd_enable_cgi off

This will ensure that the value of the httpd_enable_cgi Boolean has been set to off and will not change even after a reboot.

The togglesebool command flips the current value of a Boolean without requiring you to specify the new value. Running it on the now-disabled Boolean turns it back on:

[root@vbg services]# togglesebool httpd_enable_cgi
httpd_enable_cgi: active
[root@vbg services]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on

A note of caution though: togglesebool only changes the “in memory” value of a Boolean. Changes made using the togglesebool command are not persistent across reboots.
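As an added example (not from the article), here is a small POSIX shell audit that parses getsebool output in the format shown above and prints the persistent setsebool -P commands needed to bring a Web server to a no-CGI baseline. The sample getsebool output and the baseline itself are constructed for illustration; on a real host you would feed it the output of getsebool -a.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output in the "name --> value" format
# the article shows. On a real RHEL 5 host use: getsebool -a
SAMPLE_GETSEBOOL='NetworkManager_disable_trans --> off
allow_console_login --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_can_network_connect --> on
httpd_disable_trans --> off'

# Assumed desired baseline for a server that runs no CGI scripts and needs
# no outbound network access from httpd. Format: "boolean desired_value".
BASELINE='httpd_enable_cgi off
httpd_enable_homedirs off
httpd_can_network_connect off
httpd_disable_trans off'

# bool_value NAME OUTPUT: print the Boolean's current value ("on"/"off"),
# or "missing" if the loaded policy does not define it
bool_value() {
    printf '%s\n' "$2" | awk -v n="$1" \
        '$1 == n && $2 == "-->" { print $3; found = 1 }
         END { if (!found) print "missing" }'
}

# audit_booleans OUTPUT: print one "setsebool -P name value" line for each
# Boolean that differs from the baseline. Returns 0 when compliant, 1 on drift.
# -P is used because setsebool/togglesebool without it only change the
# in-memory value, which is lost at reboot.
audit_booleans() {
    out="$1"
    fixes=""
    set -- $BASELINE            # positional parameters are local to the function
    while [ $# -ge 2 ]; do
        name=$1; want=$2; shift 2
        have=$(bool_value "$name" "$out")
        if [ "$have" != "$want" ]; then
            fixes="${fixes}setsebool -P $name $want
"
        fi
    done
    printf '%s' "$fixes"
    [ -z "$fixes" ]
}

# Run the audit against the constructed sample.
audit_booleans "$SAMPLE_GETSEBOOL" || echo "drift found: run the commands above"
```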

As an exercise, I leave it to you to discover the Boolean that disables SELinux policy rules from applying to a particular service or daemon. In case of doubt, you can leave a comment below for an answer.

Booleans also help in understanding which daemons are protected under the SELinux Targeted Policy.
