From Fedora Project Wiki
Today's Fedora Test Day will focus on SELinux Confined Users - Linux accounts that are mapped to an SELinux user and role, so that the SELinux policy (not just the account's file permissions) decides what the user can do and access on the system. The current confined user types and their purpose are:
* <code>guest_u</code> – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.
* <code>xguest_u</code> – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.
* <code>user_u</code> – X Windows login and terminal login, nosetuid, noexec in home directory.
* <code>staff_u</code> – X Windows login and terminal login, nosetuid except <code>sudo</code>.
* kiosk user – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and <code>/tmp</code> get destroyed on logout.
* confined administrator – Able to manage only a predefined set of services.
The purpose of the test day is to exercise these SELinux users in usual and specific use cases.
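The following script is an added example, not part of this test day page: it gives each of the confined SELinux users listed above its own Linux login with <code>useradd -Z</code>, lists the booleans that loosen or tighten those roles, and provides a small check that a context reported by <code>id -Z</code> really belongs to the role and type the SELinux user is supposed to get. The login names (<code>tguest</code>, <code>txguest</code>, <code>tuser</code>, <code>tstaff</code>) are made up for this example; the provisioning part needs root on a Fedora box running the targeted policy.

```shell
#!/bin/bash
# Added example, not part of the test day page: give each confined SELinux
# user its own Linux login, then confirm from a session of that login that
# it really landed in the expected SELinux user, role and type.
# Run the provisioning as root; the login names are made up for this example.
set -e

# Pick one field out of an SELinux context "user:role:type[:range]".
context_field() {              # $1 = context, $2 = user | role | type | range
    local ctx=$1
    case $2 in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  ctx=${ctx#*:};   printf '%s\n' "${ctx%%:*}" ;;
        type)  ctx=${ctx#*:*:}; printf '%s\n' "${ctx%%:*}" ;;
        range) printf '%s\n' "${ctx#*:*:*:}" ;;
    esac
}

# guest_u logs in as guest_r/guest_t, xguest_u as xguest_r/xguest_t, and so on.
expected_role() { printf '%s_r\n' "${1%_u}"; }
expected_type() { printf '%s_t\n' "${1%_u}"; }

# True when a context reported by `id -Z` matches the confinement the
# given SELinux user is supposed to get.
context_matches_seuser() {     # $1 = SELinux user, $2 = context from id -Z
    [ "$(context_field "$2" user)" = "$1" ] &&
    [ "$(context_field "$2" role)" = "$(expected_role "$1")" ] &&
    [ "$(context_field "$2" type)" = "$(expected_type "$1")" ]
}

# Create a Linux account mapped to a confined SELinux user and print the
# mapping that semanage recorded for it (fails if the mapping is missing).
add_confined_login() {         # $1 = SELinux user, $2 = new Linux login
    useradd -Z "$1" "$2"
    semanage login -l | grep -E "^$2[[:space:]]+$1[[:space:]]"
}

provision_all() {
    add_confined_login guest_u  tguest
    add_confined_login xguest_u txguest
    add_confined_login user_u   tuser
    add_confined_login staff_u  tstaff
    # Booleans that loosen or tighten these roles (exec in $HOME, network
    # for xguest, ...): note their values before testing and in bug reports.
    getsebool -a | grep -E '^(guest|xguest|user|staff)_'
}

# Then, from a real login session (console, gdm or ssh) of e.g. txguest:
#   context_matches_seuser xguest_u "$(id -Z)" && echo confined-ok
if [ "${1:-}" = provision ]; then provision_all; fi
```

Run it as <code>./confined-logins.sh provision</code> once as root, then log in as one of the new accounts and feed <code>id -Z</code> to <code>context_matches_seuser</code>; a mismatch there means the login mapping, not the policy, is what needs fixing before any Good/Bad test results are meaningful.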
# start from an empty audit log so only denials from this session show up
echo > /var/log/audit/audit.log
service auditd restart
service messagebus restart
service restorecond restart
# make sure the tests run in enforcing mode
setenforce 1
The main goal is to test whether the chosen confined user is able to do the things its SELinux role allows, and unable to do the things the role forbids. For example, if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal, you will not be able to run them. But if you are not able to run '''Firefox''', that is probably a bug.
If you usually use a web browser other than '''Firefox''', please continue to do so during the test day. Our intention is to test at least one program from each of the following groups:
* mail clients (<code>mutt</code>, <code>alpine</code> etc.)
* editors (<code>vim</code>, <code>emacs</code>, <code>nano</code> etc.)
* networking tools (<code>ping</code>, <code>traceroute</code> etc.)
* FTP clients
* web browsers
* audio / video players
* samba mounting / tools
* NFS mounting / tools
* Java apps
* office apps
* printing / scanning tools
* photo / camera manipulation
* CD/DVD reading / writing
* IM clients
* flash players
Issues found during the test day will help us improve the SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).
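The Good/Bad pattern described above can be driven by a small harness, shown here as an added example that is not part of the test day page. It is run in a terminal of the confined user under test (never as root); each check passes when the command's outcome matches what the role should allow, and every FAIL line is a candidate bug report. The <code>xguest_u</code> expectations encoded in it are the ones stated above (home directory writable but noexec, editors work, <code>ping</code> and <code>sudo</code> refused). The harness only sees exit status, so a missing package looks like a denial too; confirm a FAIL with <code>ausearch</code> before filing it.

```shell
#!/bin/bash
# Added example, not part of the test day page: harness for the Good/Bad
# tests, run in the confined user's own terminal (not as root).
# A check PASSes when the command's outcome matches what the role is
# supposed to allow; FAIL lines are the candidate bug reports.
set -e

RESULTS=()                     # one "PASS  desc" or "FAIL  desc" entry per check

# Run a command the role should be able to execute.
expect_allowed() {             # $1 = description, $2... = command
    local desc=$1 rc=0; shift
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then RESULTS+=("PASS  $desc")
    else RESULTS+=("FAIL  $desc (denied, exit $rc)"); fi
}

# Run a command the role must not be able to execute.
expect_denied() {              # $1 = description, $2... = command
    local desc=$1 rc=0; shift
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then RESULTS+=("FAIL  $desc (unexpectedly allowed)")
    else RESULTS+=("PASS  $desc (denied, exit $rc)"); fi
}

# Number of checks whose outcome did not match the role's policy.
failures() {
    local n=0 r
    for r in "${RESULTS[@]}"; do
        case $r in FAIL*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

report() {
    printf '%s\n' "${RESULTS[@]}"
    printf 'context: %s   failures: %s\n' "$(id -Z)" "$(failures)"
}

# Expectations for xguest_u from the description above: $HOME is writable
# but noexec, editors work, ping and sudo must be refused.
run_xguest_checks() {
    expect_allowed "write a file in \$HOME" \
        sh -c 'echo hi > "$HOME/td.txt" && rm "$HOME/td.txt"'
    expect_allowed "run an editor (vim)"            vim -es -c q
    expect_denied  "execute a binary copied into \$HOME" \
        sh -c 'cp /bin/true "$HOME/td-true" && "$HOME/td-true"; rc=$?; rm -f "$HOME/td-true"; exit $rc'
    expect_denied  "ping a host"                    ping -c 1 -W 1 127.0.0.1
    expect_denied  "get a root shell with sudo"     sudo -n sh -c true
    report
}

if [ "${1:-}" = xguest ]; then run_xguest_checks; fi
```

Add one <code>run_*_checks</code> function per role you test; the point of keeping the expectations next to the commands is that the same script documents what was tried, which is exactly what a bug report needs.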
== How to Report Problems ==
If you encounter problems (e.g. application A did not start, application B failed to do what you wanted, application C works only partially), try the following before filing a bug:
# '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it will not deny it in permissive mode; if the action still fails, the problem is not an SELinux denial. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before the next test. A root shell is needed.
# '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see whether new AVC messages appeared. A root shell is needed.
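A denied action usually produces several near-identical AVC records. The script below is an added example, not part of the test day page: it condenses the raw records printed by <code>ausearch -m avc -ts recent</code> into one line per distinct (source type, target type, class, permission) pattern with a count, which is the form worth quoting in a bug report. The audit lines in <code>sample_avcs</code> are constructed for this example; the <code>ausearch</code> invocation in <code>summarize_recent</code> assumes the default audit log location.

```shell
#!/bin/bash
# Added example, not part of the test day page: condense raw AVC records
# into one line per (source type -> target type, class { perms }) with a
# count, so a bug report quotes the denial pattern instead of the whole log.
set -e

# Read raw audit lines on stdin, print "count  src_type -> tgt_type  class { perms }",
# most frequent pattern first. Non-AVC records (SYSCALL, PATH, ...) are skipped.
summarize_avcs() {
    awk '
    /type=AVC/ && /denied/ {
        perms = $0
        sub(/.*denied  *\{ */, "", perms)   # keep what is between "{ " and " }"
        sub(/ *\}.*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # context fields are user:role:type[:range]; the type is field 3
            if ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); src = f[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); tgt = f[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " -> " tgt "  " cls " { " perms " }"]++
    }
    END { for (k in count) printf "%d  %s\n", count[k], k }
    ' | sort -rn
}

# Denials from the last 10 minutes ("recent" is an ausearch keyword); run as root.
summarize_recent() {
    ausearch -m avc -ts recent | summarize_avcs
}

# Constructed sample: two noexec-in-$HOME denials for xguest_u and one ping
# (raw socket capability) denial, plus a non-AVC record that must be ignored.
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(1270000000.101:201): avc:  denied  { execute } for  pid=2101 comm="bash" name="td-true" dev=dm-0 ino=131 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1270000000.101:201): arch=c000003e syscall=59 success=no exit=-13 a0=1a2b3c a1=1a2b4c a2=1a2b5c a3=0 items=1 ppid=2001 pid=2101 comm="bash" exe="/bin/bash" subj=xguest_u:xguest_r:xguest_t:s0 key=(null)
type=AVC msg=audit(1270000000.102:202): avc:  denied  { execute } for  pid=2102 comm="bash" name="td-true" dev=dm-0 ino=131 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1270000000.103:203): avc:  denied  { net_raw } for  pid=2110 comm="ping" capability=13 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability
EOF
}

if [ "${1:-}" = sample ]; then sample_avcs | summarize_avcs; fi
```

On the sample the output is two lines: the <code>xguest_t -> user_home_t  file { execute }</code> pattern with count 2 and the <code>capability { net_raw }</code> pattern with count 1. Both are expected denials for <code>xguest_u</code> (noexec home directory, no <code>ping</code>); a pattern that contradicts the role description above is the one to attach to the report.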
|-
! [[User:czhang]]
! G1.G3.G4.B1.B2.B3.B4.B5
! N/A
! G2<ref>I don't understand what this step means</ref>
! <references/>
|}
! [[User:czhang]]
! G1.G5.G6.G7<ref>Firefox core dumped, but desktop printing is normal</ref>.B1~B5
! G2<ref>Firefox core dumped, can't test</ref>.G3<ref>ntfs disks could be readable/writable, fat32&ext2/3/4 couldn't</ref>
! G4<ref>no device</ref>
! <references/>
|}
! Failed
! Skipped
! References
|}
! Skipped
! References
|}
! Skipped
! References
|}
=== Confined administrator ===
{{admon/note|User capabilities|Administrator that can manage '''MySQL''' and '''Apache'''}}
As root set up a client machine with network access. Build policy for <code>web_db_admin_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add a user who can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Set up a transition from <code>staff_t</code> to <code>web_db_admin_t</code> and configure <code>sudo</code> so that the transition happens automatically. Create a directory named <code>/secrets</code> and install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' is running (<code>service mysqld start</code>) and that the database is world readable, so that only SELinux, not file permissions, stands between the test user and the data. Install '''Apache''' (<code>yum install httpd</code>) and make sure the service is running (<code>service httpd start</code>).
Log in to the machine and try the following:
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Verify other network protocols work (aol, ssh, mail etc.)
*# Plug in a USB disk and make sure the confined administrator can read/write the disk.
*# Plug in a USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> a host outside the machine.
*# Copy an executable into the home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>web_db_admin_t</code> via <code>sudo</code>.
*# Execute <code>sudo sh</code> and make sure you end up as <code>web_db_admin_t</code> (check with <code>id -Z</code>).
*# Try to edit the <code>/var/www/html</code> directory and some of the '''MySQL''' directories.
*# Try to stop and start '''MySQL''' and '''Apache''' (<code>service NAME start</code> and <code>service NAME stop</code>).
* Bad Test - try to do evil
*# Try to break into the root account via <code>su</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# As <code>web_db_admin_t</code> try to add a user and to modify files in <code>/usr/share</code>.
{|
! Skipped
! References
|}
=== Guest user that can send an email ===
As root set up a server machine with network access. Build policy for <code>sendmail_user_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add a user who can log in as <code>sendmail_user_u</code> (<code>useradd -Z sendmail_user_u USERNAME</code>; the SELinux user <code>sendmail_user_u</code> has to exist before <code>useradd</code> can map a login to it).
Log in to the machine and try the following:
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Verify you can send mail as this user.
* Bad Test - try to do evil
*# Try to break into the root account via <code>sudo</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
{|
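Both of the last two scenarios, the confined administrator (<code>web_db_admin_t</code>) and the guest who can only send mail (<code>sendmail_user_t</code>), start with "build policy for" a new confined user. The script below is an added example of that setup; it is neither the test day's nor the linked article's code. It writes the two policy modules, builds them with the <code>selinux-policy-devel</code> Makefile, creates the SELinux users and mapped logins, and adds the <code>sudoers</code> rule that makes the <code>staff_t</code> to <code>web_db_admin_t</code> transition automatic. The interface names used (<code>userdom_base_user_template</code>, <code>userdom_restricted_user_template</code>, <code>apache_admin</code>, <code>mysql_admin</code>, <code>mta_role</code>) are refpolicy/Fedora interfaces as I know them from that era; verify each one exists in <code>/usr/share/selinux/devel/include</code> before building. The login names <code>webadmin</code> and <code>mailguest</code>, the role list given to <code>semanage user -m</code> (Fedora's default for <code>staff_u</code> plus the new role) and the use of <code>/etc/sudoers.d</code> are assumptions of this example. The sudo transition itself relies on the stock <code>staff_sudo_t</code> rules allowing a transition into any <code>userdomain</code>; check it with <code>sesearch --allow -s staff_sudo_t -t web_db_admin_t -c process -p transition</code> after installing.

```shell
#!/bin/bash
# Added example, not part of the test day page or the linked article:
# build and install the two custom confined-user policy modules used by the
# "Confined administrator" and "Guest user that can send an email" setups,
# then create the SELinux users, the mapped logins and the sudo rule.
# Run as root with selinux-policy-devel installed. Interface names are
# assumptions to be verified against /usr/share/selinux/devel/include.
set -euo pipefail

# Confined administrator: a base user domain that gets the apache and mysql
# admin interfaces and nothing else beyond an ordinary user.
write_web_db_admin_te() {      # $1 = directory to write into
    cat >"$1/web_db_admin.te" <<'EOF'
policy_module(web_db_admin, 1.0.0)

role web_db_admin_r;
userdom_base_user_template(web_db_admin)

# staff_r must be allowed to change into the admin role (sudo ROLE=...)
require {
    role staff_r;
}
allow staff_r web_db_admin_r;

# what an admin needs to signal/renice daemons and read their files
allow web_db_admin_t self:capability { dac_override dac_read_search kill sys_nice };

files_dontaudit_search_all_dirs(web_db_admin_t)
logging_send_syslog_msg(web_db_admin_t)
selinux_get_enforce_mode(web_db_admin_t)

# the only privileges beyond a plain user: manage httpd and mysqld
apache_admin(web_db_admin_t, web_db_admin_r)
mysql_admin(web_db_admin_t, web_db_admin_r)
EOF
}

# Guest who can send mail: the restricted (guest-like) user template plus
# the MTA client role, which allows the transition into the user mail domain.
write_sendmail_user_te() {     # $1 = directory to write into
    cat >"$1/sendmail_user.te" <<'EOF'
policy_module(sendmail_user, 1.0.0)

role sendmail_user_r;
userdom_restricted_user_template(sendmail_user)

mta_role(sendmail_user_r, sendmail_user_t)
EOF
}

# Module name as declared in a .te file (what semodule -l will list).
te_module_name() {             # $1 = path to .te
    sed -n 's/^policy_module(\([^,]*\),.*/\1/p' "$1"
}

build_and_install() {          # $1 = directory, $2 = module name
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$2.pp" )
    semodule -i "$1/$2.pp"
}

setup_all() {
    local dir
    dir=$(mktemp -d)
    write_web_db_admin_te "$dir"
    write_sendmail_user_te "$dir"
    build_and_install "$dir" "$(te_module_name "$dir/web_db_admin.te")"
    build_and_install "$dir" "$(te_module_name "$dir/sendmail_user.te")"

    # staff_u needs the new role in its role set; -R replaces the list, so
    # start from what `semanage user -l` shows (Fedora default assumed here)
    semanage user -m -R "staff_r sysadm_r system_r unconfined_r web_db_admin_r" staff_u
    # a fresh SELinux user for the mail-only guest, then the mapped logins
    semanage user -a -R sendmail_user_r sendmail_user_u
    useradd -Z staff_u webadmin
    useradd -Z sendmail_user_u mailguest

    # sudo: webadmin gets a shell as web_db_admin_r:web_db_admin_t
    # (ROLE=/TYPE= need an SELinux-aware sudo and #includedir in sudoers)
    echo 'webadmin ALL=(ALL) ROLE=web_db_admin_r TYPE=web_db_admin_t /bin/sh' \
        >/etc/sudoers.d/webadmin
    chmod 0440 /etc/sudoers.d/webadmin
}

if [ "${1:-}" = install ]; then setup_all; fi
```

After <code>./confined-policy.sh install</code>, log in as <code>webadmin</code>, run <code>sudo sh</code> and check <code>id -Z</code> shows <code>staff_u:web_db_admin_r:web_db_admin_t</code>; the Good/Bad lists above for both scenarios can then be worked through as written.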
! Skipped
! References
|}
# http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
[[Category:Test Days]]