A question about SELinux.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

A question about SELinux.

Post by hack3rcon » 2019/08/06 06:35:51

Hello,
When SELinux causes some problems with services and we use "setsebool" to change it, can it mean SELinux is not protecting that service?

Thanks.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: A question about SELinux.

Post by jlehtone » 2019/08/06 07:24:38

That is case dependent. The objective of such a change is to demote a harmless service into a mostly harmless state.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A question about SELinux.

Post by hack3rcon » 2019/08/06 08:50:05

jlehtone wrote (2019/08/06 07:24:38):
That is case dependent. The objective of such a change is to demote a harmless service into a mostly harmless state.
For example, when I ran the command below for vsftp, can it cause SELinux to never protect vsftp?


# setsebool -P ftpd_full_access 1

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: A question about SELinux.

Post by jlehtone » 2019/08/06 11:07:14

SELinux does not "protect vsftpd".
SELinux "confines vsftpd"; its ftp rules protect everybody else from vsftpd.

The effect of that specific boolean is described in:
https://access.redhat.com/documentation ... l-booleans

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A question about SELinux.

Post by hack3rcon » 2019/08/08 19:44:59

Thank you.
According to that link:
ftpd_full_access
When this Boolean is enabled, only Linux (DAC) permissions are used to control access, and authenticated users can read and write to files that are not labeled with the public_content_t or public_content_rw_t types.
Thus, does it mean that SELinux protects the service?
Can you show me a PDF file or book that explains SELinux from the basics?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: A question about SELinux.

Post by TrevorH » 2019/08/08 20:06:47

No. It means that selinux is effectively off for ftp if you enable that.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A question about SELinux.

Post by hack3rcon » 2019/08/10 05:07:03

TrevorH wrote (2019/08/08 20:06:47):
No. It means that selinux is effectively off for ftp if you enable that.
Thus, how can I use FTP with SELinux enabled?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: A question about SELinux.

Post by hunter86_bg » 2019/08/15 19:38:28

The FTP binary has a specific 'domain' which must match one or several file 'labels'.
They can all be checked with the relevant command and the switch '-Z'.
For example, 'ls -lZ' will show you the file labels, while 'ps aux -Z' will show you the selinux stuff for a process.

In your case you should label the ftp's home properly, so selinux will not cause any issues.
Also, if a compromised apache process tries to access the ftp's home, an AVC will be generated in the audit log.

You can read more about selinux at: https://books.google.bg/books/about/SEL ... edir_esc=y
In order to have the selinux related manpages you need to run:


yum whatprovides '*/sepolicy'                # find the package that ships the sepolicy tool
yum install -y selinux-policy-devel          # install the policy development files
sepolicy manpage -a -p /usr/share/man/man8   # generate a *_selinux(8) man page for every domain
mandb                                        # rebuild the man page index
man -k _selinux                              # list the generated pages

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: A question about SELinux.

Post by hack3rcon » 2019/08/17 08:43:39

Thanks, so is the command below a wrong command?


# setsebool -P ftpd_full_access 1

sawozny
Posts: 48
Joined: 2019/07/13 22:19:14

Re: A question about SELinux.

Post by sawozny » 2019/08/17 19:22:45

hack3rcon wrote (2019/08/08 19:44:59):
Thank you.
According to that link:
ftpd_full_access
When this Boolean is enabled, only Linux (DAC) permissions are used to control access, and authenticated users can read and write to files that are not labeled with the public_content_t or public_content_rw_t types.
Thus, does it mean that SELinux protects the service?
Can you show me a PDF file or book that explains SELinux from the basics?
I think it's more appropriate to say that when that boolean is enabled, SELinux will not interfere with file operations with regard to file / folder contexts. Rather, the only security will be the classic DAC security (-rw-r--r--). Alternatively, when the boolean is disabled, security is increased and a file operation must pass BOTH the classic DAC stuff AS WELL as the SELinux rules on folder labelling, so any file the FTP user wants to read must have one of the public content types specified, and if they want to write to a folder it needs that public content rw label. So SELinux is on either way, but with that boolean on, it's not being as much of a hard-ass as it normally is.

I, personally, feel the SELinux policies direct you to doing things the "right" way (as determined by SELinux, distro and application developers) but if you can't, the booleans allow you to do things that are less than ideal from a security perspective but are recognized as common decisions. In this case if the folder you want to use / the app needs to use is not the default one for this FTP server AND you can't change the label of your desired folder for whatever reason this boolean lets you turn off THAT check because you've made a conscious decision to do so without impacting security of the FTP service in other ways you didn't intend (like anonymous writes, for example, which is a DIFFERENT boolean).

Think of SELinux policies as a list of rules for how an application should behave to protect you from malware or hackers who try and abuse an application to do things it shouldn't do (sort of a "whitelisting" of system calls). Since one size doesn't fit all and app developers do all sorts of things that are not great ideas, SELinux ALSO allows you the ability to selectively loosen up and change those rules.

The "easiest" way to do this (outside of disabling SELinux entirely which is the first stop of many sysadmins but auditors and regulators have started to catch on to that trick) is to change a boolean which is written to accomplish a task of modifying security policy ONLY in the way it describes. In this case, don't make the FTP process concern itself with SELinux file and folder labels when determining whether or not a file can go to a certain place.

The next level is to start modifying object labels to tell your FTP service "Yeah, this folder is totally a cool place to read and write files so treat it like that".

After that you start getting into policy which, hopefully, you'll never need to because that stuff gets REALLY complicated and the more complicated it gets, the harder it is to get the security right.

If you're looking for a getting started SELinux resource, I found these videos useful:

https://www.youtube.com/watch?v=_WOKRaM-HI4
https://www.youtube.com/watch?v=FRdk9xA6lA0

If you find yourself needing to dig into actual policy, this video is good, but can get complicated.

https://www.youtube.com/watch?v=GWy6vXIQxkc

HTH and good luck!
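The two approaches contrasted in this thread (hunter86_bg's "label the ftp's home properly" and sawozny's "boolean vs. object labels"), as an added example that is not from any poster. It assumes the CentOS 7 targeted policy, where vsftpd runs in the ftpd_t domain and authenticated users may read public_content_t and read/write public_content_rw_t (the two types quoted from the Red Hat page); /srv/ftp is a hypothetical share path, and the ls -lZ lines are constructed.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumes the CentOS 7 targeted policy and
# a hypothetical share path; the sample 'ls -lZ' output below is constructed.
FTP_SHARE=/srv/ftp

# The thread's shortcut: vsftpd stops checking file labels at all (DAC only).
weak_fix() {
    setsebool -P ftpd_full_access 1
}

# Preferred fix: label the share so the unmodified policy already allows the access.
# semanage records the mapping persistently; restorecon applies it to the files now.
label_ftp_share() {
    semanage fcontext -a -t public_content_rw_t "${FTP_SHARE}(/.*)?"
    restorecon -Rv "$FTP_SHARE"
}

# Type field of a user:role:type:level context, as printed by 'ls -Z' / 'ps -Z'.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print what an authenticated FTP user may do with a file of the given context
# under the default policy (rw / ro / none); exit status 1 for 'none'.
ftp_type_allows() {
    case "$(context_type "$1")" in
        public_content_rw_t) echo rw ;;
        public_content_t)    echo ro ;;
        *)                   echo none; return 1 ;;
    esac
}

# Read 'ls -lZ' output on stdin and print every entry whose type is not one of the
# public content types, i.e. the files that would produce AVC denials for ftpd_t.
# The context field is found by its shape (three or more colons) rather than by
# column, because its position differs between coreutils versions.
report_unlabelled() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:/) {
               split($i, c, ":")
               if (c[3] != "public_content_t" && c[3] != "public_content_rw_t")
                   print $NF " (" c[3] ")"
               break } }'
}

# Constructed sample: one correctly labelled directory, one stray home-labelled file.
SAMPLE_LS='drwxrwxr-x. ftp ftp system_u:object_r:public_content_rw_t:s0 upload
-rw-r--r--. ftp ftp unconfined_u:object_r:user_home_t:s0 notes.txt'

demo_check() { printf '%s\n' "$SAMPLE_LS" | report_unlabelled; }
```

On a live host, run `label_ftp_share` (semanage is in policycoreutils-python) and then `ls -lZ "$FTP_SHARE" | report_unlabelled` to confirm nothing is left outside the two public content types.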
