How to debug selinux


I am creating an externally facing server and need it to be as hardened as possible, normally for internal servers I just disable selinux as there the risk of hacking is virtually non existent.

To keep the security up on a external server though selinux should stay enabled.

To use the tools you will need to install the following :-

yum install policycoreutils-python
yum install setroubleshoot-server

Installing this you now have access to /var/log/audit/audit.log

tail -n 50 /var/log/audit/audit.log

Will give you something like this

type=AVC msg=audit(1452761897.495:221): avc: denied { unlink } for pid=2013 comm=”squid” name=”squid-cf__metadata.shm” dev=tmpfs ino=32533 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfin
ed_u:object_r:tmpfs_t:s0 tclass=file

There are some tools that you can use to decipher this

mkdir ~/selinux_output
cd ~/selinux_output

You need to identify the application that you are trying to debug, in this instance it is squid as highlighted in the log above.

If you have a large audit log I would use the following commands

service auditd stop
rm -f /var/log/audit/audit.log
service auditd start

Now start the service that has failed or you are trying to debug

service squid start

Now to extract some details as create a policy file

cd ~/selinux_output
rm -f myaudit.txt
sealert -a /var/log/audit/audit.log > myaudit.txt

You can review what errors are being highlighted in the audit files. This is needed if you are constantly debugging the application

mv myapplication.te myapplication.bak

Now to create the policy file change squid for whichever application you are trying to debug

grep squid /var/log/audit/audit.log | audit2allow -m squid > myapplication.te

When the myapplication.te file has been created review it.

There will be a line at the top formatted something like this.

module squid 1.0;

Ensure that you prefix what ever the application is with my, this ensure that there will not be a conflict with pre-configured policies or future policies when they released.

module mysquid 1.0;

Now we need to create the policy and install it.

Again the first two lines are for when you are constantly updating the policy

rm -f *.mod
rm -f *.pp
checkmodule -M -m -o myapplication.mod myapplication.te
 semodule_package -o myapplication.pp -m myapplication.mod
 semodule -i myapplication.pp

You then need to test the application and keep repeating the exercise. Please note that you will need to merge the two policies together as you create them so in the example above merge the require and the policy from the .bak file with the newly created .te file. An example of a file that has been created from around three or four tries of the above process.


module mysquid 1.0;
require {
        type tmpfs_t;
        type squid_t;
        class dir { write read create add_name remove_name };
        class file { read write create add_name unlink };
}
#============= squid_t ==============
#!!!! The source type 'squid_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, pcscd_var_run_t, squid_var_run_t, squid_cache_t, squid_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t
allow squid_t tmpfs_t:dir { write read create add_name remove_name };
allow squid_t tmpfs_t:file { write read create add_name unlink };

 

Some of the references used for this post

https://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-Squid-3-5-9-is-available-td4673315.html

 

 

 

 

Advertisements


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s