* [gentoo-hardened] SELinux (strict policy) and ssh
From: luc nac @ 2010-11-14 12:40 UTC
To: gentoo-hardened
Hi everybody, I'm learning how to use SELinux and I'm experiencing
some difficulties. I write here hoping that someone can help me.
I just installed SELinux (strict policy) in a Gentoo-based
distribution (Linux kernel version 2.6.24) following the handbook's
instructions http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
Is it right that I can still login (or switch to the sysadm_r role)
via ssh to that machine even if the boolean "ssh_sysadm_login" is set
"off"?
What tests can I do to confirm that SELinux is correctly working?
lucnac@plgd:~$ ssh root@192.168.1.203
Password:
Last login: Sun Nov 14 13:54:26 2010 from unknown
Could not chdir to home directory /root: Permission denied
-bash: /root/.bash_profile: Permission denied
localhost / # id -Z
root:staff_r:staff_t
localhost / # newrole -r sysadm_r
Authenticating root.
Password:
localhost / # id -Z
root:sysadm_r:sysadm_t
This is the output of "sestatus -v":
localhost / # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: strict
Process contexts:
Current context: root:staff_r:staff_t
Init context: unknown (Permission denied)
File contexts:
Controlling term: root:object_r:staff_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/sbin/runscript.sh system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
...and this is the output of "getsebool -a" (everything is off):
localhost / # getsebool -a
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_ypbind --> off
cron_can_relabel --> off
fcron_crond --> off
global_ssp --> off
mail_read_content --> off
mozilla_read_content --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> off
read_untrusted_content --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
xdm_sysadm_login --> off
* Re: [gentoo-hardened] SELinux (strict policy) and ssh
From: klondike @ 2010-11-14 12:54 UTC
To: gentoo-hardened
Can't help you on the SELinux issue, but you should use a more recent
kernel. There have been a lot of security problems corrected since.
* Re: [gentoo-hardened] SELinux (strict policy) and ssh
From: Sven Vermeulen @ 2010-11-14 20:23 UTC
To: gentoo-hardened
On Sun, Nov 14, 2010 at 01:40:12PM +0100, luc nac wrote:
> Is it right that I can still login (or switch to the sysadm_r role)
> via ssh to that machine even if the boolean "ssh_sysadm_login" is set
> "off"?
Yes, the boolean only ensures that users cannot immediately log on (through
SSH) in the sysadm_r role. Once they are logged on, they can always use
newrole.
wkr,
Sven Vermeulen
* Re: [gentoo-hardened] SELinux (strict policy) and ssh
From: Chris Richards @ 2010-11-15 0:26 UTC
To: gentoo-hardened
On 11/14/2010 06:40 AM, luc nac wrote:
> Is it right that I can still login (or switch to the sysadm_r role)
> via ssh to that machine even if the boolean "ssh_sysadm_login" is set
> "off"?
Sven's reply is correct. ssh_sysadm_login doesn't PREVENT ssh users
from changing to the sysadm_r role once they have logged in; it simply
prevents them from logging directly in as sysadm_r. Essentially, it
enforces the requirement to 'newrole -r' before you can access the
sysadm role.
A little bit more about this can be found here:
http://www.nsa.gov/research/selinux/list-archive/0612/thread_body32.shtml
> What tests can I do to confirm that SELinux is correctly working?
>
Not sure what you're after here?
'sestatus' will give you some information regarding what mode
(permissive, enforcing), what policy (strict, targeted), etc. you are
using, and whether the system is running. 'ls -Z' will give you context
information on a particular file, and you can use 'matchpathcon' to see
what the context of a file should be. 'chcon' will allow you to force
an arbitrary file to an arbitrary context (even one it's not supposed to
have), while 'restorecon', 'setfiles', and 'rlpkg' can all be used to
restore file contexts to their defaults (the different commands have
different options and different effects). 'semodule -l' can be used to
see what modules (other than the base capabilities provided by
selinux-base-policy) are loaded.
HTH
Later,
Gizmo
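The checks Chris lists (mode from sestatus, booleans from getsebool, matchpathcon versus the label actually on disk) and Sven's point about ssh_sysadm_login, turned into small shell functions run against constructed sample output so they work on a box without SELinux; this is an added example, not code from the thread. The sample texts and function names are assumptions; on a live host pass the real command output instead, e.g. selinux_mode "$(sestatus)".

```shell
#!/bin/sh
# Added example, not from the thread. All SAMPLE_* texts are constructed to
# mirror the original post; replace them with live output on a real system.

# Constructed, trimmed 'sestatus -v' output.
SAMPLE_SESTATUS='SELinux status: enabled
Current mode: enforcing
Mode from config file: enforcing
Policy from config file: strict'

# Constructed, trimmed 'getsebool -a' output.
SAMPLE_BOOLS='allow_execmem --> off
ssh_sysadm_login --> off
xdm_sysadm_login --> off'

# Constructed 'ls -Z'-style lines (context, then path) as found on disk ...
SAMPLE_ACTUAL='system_u:object_r:sshd_exec_t /usr/sbin/sshd
root:object_r:user_home_t /usr/local/bin/helper
system_u:object_r:shell_exec_t /bin/bash'

# ... and 'matchpathcon'-style lines (path, then context) the policy expects.
SAMPLE_EXPECTED='/usr/sbin/sshd system_u:object_r:sshd_exec_t
/usr/local/bin/helper system_u:object_r:bin_t
/bin/bash system_u:object_r:shell_exec_t'

# selinux_mode SESTATUS_TEXT: print the running mode (enforcing/permissive/disabled).
selinux_mode() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "Current mode" { print $2 }'
}

# bool_value BOOLS_TEXT NAME: print on/off for one boolean, or "unset" if absent.
bool_value() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3; found = 1 }
                                         END { if (!found) print "unset" }'
}

# ssh_sysadm_policy BOOLS_TEXT: what the boolean does and does not block (Sven's reply).
ssh_sysadm_policy() {
    case "$(bool_value "$1" ssh_sysadm_login)" in
        on)  echo "direct ssh login as sysadm_r permitted" ;;
        off) echo "sysadm_r only via newrole after login" ;;
        *)   echo "boolean not present in this policy" ;;
    esac
}

# label_drift ACTUAL_TEXT EXPECTED_TEXT: print "path have -> want" for every file
# whose on-disk type differs from the policy's, i.e. candidates for restorecon.
label_drift() {
    printf '%s\n' "$1" | while read -r ctx path; do
        have=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(printf '%s\n' "$2" | awk -v p="$path" '$1 == p { split($2, c, ":"); print c[3] }')
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            printf '%s %s -> %s\n' "$path" "$have" "$want"
        fi
    done
}
```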