Revision as of 13:34, 18 October 2009

Confined Users Test Day

  • Devel contact: dwalsh, mgrepl
  • QE contact: mmalik, ebenes
  • IRC channel: #fedora-test-day on irc.freenode.net

What to Test?

Today's Fedora Test Day will focus on SELinux confined users: users that are assigned to an SELinux role, so that the SELinux policy controls what the user can do and access on the system. The current confined user types and their intended use are:

  • guest_u – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.
  • xguest_u – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.
  • user_u – X Windows login and terminal login, nosetuid, noexec in home directory.
  • staff_u – X Windows login and terminal login, nosetuid except sudo.
  • kiosk user - X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and /tmp get destroyed on logout.
  • confined administrator - able to manage only a predefined set of services

The purpose of the test day is to test these SELinux users on your desktop and in specific scenarios. So, for example, as xguest_u, user_u or staff_u, try to log in to X Windows. TBD

What's Needed to Be Able to Test

You will need a fully updated Fedora 12 / Rawhide machine. Check whether any of your repository files contains the following lines, or create a new repository file in /etc/yum.repos.d/ with the following content:

[rawhide]
name=Fedora - Rawhide - Developmental packages for the next Fedora release
failovermethod=priority
#baseurl=http://download.fedoraproject.org/pub/fedora/linux/development/$basearch/os/
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test-$basearch
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch

You will need the following packages installed on the machine. Run yum install PACKAGE as root to install them and check that the installed versions match:

  • selinux-policy-targeted-3.6.32-24.fc12
  • policycoreutils-gui-2.0.74-4.fc12
  • setroubleshoot-2.2.37-1.fc12
  • audit-2.0.1-1.fc12
  • xguest-1.0.7-7.fc12

As root, run the following commands to be able to record and see possible AVCs:

service auditd start
service messagebus start
service restorecond start
setenforce 1
tail -f /var/log/audit/audit.log

How to Test

The main goal is to test whether the chosen confined user is able to do the things that are allowed for his/her SELinux role, and is not able to do the things that are not allowed for that role. For example, if you log in as xguest_u and try to run ping or sudo in your favourite terminal, you will not be able to run them. But if you cannot run Firefox, that is probably a bug.
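The "allowed things must work, disallowed things must fail" rule above can be written down once per role and then checked mechanically. The script below is an added example and is not part of the Fedora wiki page or of the xguest/selinux-policy packages: it encodes the capability list from "What to Test?" (the role names and the attribute words setuid, network, xwindows, homeexec and sudo are the page's; the helper names expected and check are assumptions) and compares the expected outcome with the exit status of a command run as the confined user. It also generalises beyond the single xguest_u/ping example in the text to every role the page lists.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki page: turn the capability list from
# "What to Test?" into an expected-outcome table and compare it with the real
# result of a command run as the confined user. The role names and attribute
# words are the page's; the helper names (expected, check) are assumed.

# expected ROLE ATTRIBUTE
# Prints "allow" or "deny" for the attributes the page lists:
#   setuid   - run setuid programs        network  - reach the network
#   xwindows - log in to X Windows        homeexec - execute files in $HOME
#   sudo     - use sudo (the one setuid program staff_u keeps)
# The kiosk user logs in as xguest_u, so it shares that row.
expected() {
    role=$1
    attr=$2
    case "$role" in
        guest_u)  denied="setuid sudo network xwindows homeexec" ;;
        xguest_u) denied="setuid sudo network homeexec" ;;
        user_u)   denied="setuid sudo homeexec" ;;
        staff_u)  denied="setuid" ;;
        *) echo "expected: no capability row for role '$role'" >&2; return 2 ;;
    esac
    case " $denied " in
        *" $attr "*) echo deny ;;
        *)           echo allow ;;
    esac
}

# check ROLE ATTRIBUTE COMMAND [ARG...]
# Runs COMMAND (as whoever is logged in, i.e. the confined user under test),
# maps its exit status to allow/deny and compares with the table.
# Returns 0 on PASS, 1 on FAIL, 2 for an unknown role. A non-zero exit status
# can have causes other than SELinux (missing binary, DNS, file permissions),
# so confirm every FAIL against the AVC records in /var/log/audit/audit.log
# before reporting it as a policy bug.
check() {
    role=$1
    attr=$2
    shift 2
    want=$(expected "$role" "$attr") || return 2
    if "$@" >/dev/null 2>&1; then got=allow; else got=deny; fi
    if [ "$want" = "$got" ]; then verdict=PASS; else verdict=FAIL; fi
    echo "$verdict $role/$attr expected=$want got=$got cmd: $*"
    [ "$verdict" = PASS ]
}

# Stand-in demonstration using true/false (constructed). Logged in as the
# confined user on a test-day machine you would pass the real command, e.g.
#   check xguest_u network ping -c 1 -W 1 192.0.2.1
#   check guest_u homeexec "$HOME/hello"
#   check staff_u sudo sudo -n true
check guest_u network false
check user_u network true
check staff_u sudo true
```

The table deliberately lists what each role is denied rather than what it is allowed, mirroring the "nosetuid, nonetwork, noexec" wording of the page; anything not listed is expected to work, which is exactly the "if Firefox does not start, that is probably a bug" half of the test.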

How to Report Problems

Use of the following means of communication is encouraged:

  • paste the AVC into the IRC channel with a short description of what you did and what happened
  • communicate with others on the IRC channel to find out whether they encountered the same problem
  • file a bug in Red Hat Bugzilla (Classification: Fedora, Product: Fedora, Version: rawhide, Component: selinux-policy)
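The AVC records that the "tail -f /var/log/audit/audit.log" command from the setup section shows are long, and the report asked for above needs only the denied part of them. The script below is an added example, not part of the Fedora wiki page or of the audit package: it filters the denials out of audit log records and reduces each to one line (SELinux user, command, permission, object class, target) so the description pasted to IRC or Bugzilla states exactly what was denied for which confined user. The record layout is the standard audit.log "type=AVC" format; the sample records are constructed for this example, not captured from a test-day machine, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki page: filter the AVC denials out of
# the audit log and reduce each one to a single line so the report pasted to IRC
# or Bugzilla states what was denied. Sample records are constructed, not captured.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1255870140.123:45): avc:  denied  { create } for  pid=2345 comm="ping" scontext=guest_u:guest_r:guest_t:s0 tcontext=guest_u:guest_r:guest_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1255870140.123:45): arch=c000003e syscall=41 success=no exit=-13 comm="ping" exe="/bin/ping" subj=guest_u:guest_r:guest_t:s0
type=AVC msg=audit(1255870141.456:46): avc:  denied  { execute } for  pid=2350 comm="bash" name="hello" dev=dm-0 ino=1234 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:xguest_home_t:s0 tclass=file
type=AVC msg=audit(1255870142.789:47): avc:  granted  { setenforce } for  pid=1 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1255870143.000:48): avc:  denied  { read open } for  pid=2360 comm="cat" name="plan.txt" dev=dm-0 ino=99 scontext=guest_u:guest_r:guest_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# avc_denials < audit.log
# One line per denial: "<seuser> <comm> <perm[,perm]> <tclass> <target>"
# Granted AVCs and SYSCALL records are dropped; only denials are reported.
avc_denials() {
    grep -E '^type=AVC .*avc: +denied' | awk '{
        user = ""; comm = ""; perm = ""; cls = ""; target = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions sit between "{" and "}", possibly several
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/) {
                comm = substr($i, 6); gsub(/"/, "", comm)
            } else if ($i ~ /^name=/) {
                target = substr($i, 6); gsub(/"/, "", target)
            } else if ($i ~ /^scontext=/) {
                # first field of the source context is the SELinux user
                split(substr($i, 10), ctx, ":"); user = ctx[1]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        print user, comm, perm, cls, target
    }'
}

# denials_by_user < audit.log
# Denial count per SELinux user, sorted by user name.
denials_by_user() {
    avc_denials | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Run on the constructed sample; on a test-day machine use
#   avc_denials < /var/log/audit/audit.log
# or follow the log live with  tail -f /var/log/audit/audit.log | avc_denials
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials
printf '%s\n' "$SAMPLE_AUDIT_LOG" | denials_by_user
```

When following the log live through a pipe, GNU grep buffers its output; add --line-buffered to the grep call in avc_denials if the summary lines appear late. Keep the raw AVC record for the bug report as well: the one-line summary says what was denied, but the full record (pid, inode, both contexts) is what the policy maintainers need to reproduce it.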

Test Cases

Here you can find a few test cases. Please run as many of them as possible. Below each test case there is a table where you should write your results: add a line with your username and the list of tests you passed, failed or skipped. The table could look this way:

User Passed Failed Skipped References
User:mmalik G.1 G.2 B.1 B.2 B.3 G.3 G.4

guest_u

Note: User capabilities: Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory

As root, set up a server-only machine with the Apache service (yum install httpd). Configure Apache so that user home directories are accessible. Make sure the Apache service is running (service httpd start). Add a user who can log in as guest_u (useradd -Z guest_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. scp files to home directory and public_html directory.
    3. Copy files to public_html directory.
    4. Verify that the content is viewable via Apache.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try any network protocol, try to get off the machine (ssh, sendmail, rsh, telnet etc.)
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References

xguest_u

Note: User capabilities: X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory

As root, set up a client machine with network access. Add a user who can log in as xguest_u (useradd -Z xguest_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify that flash works.
    3. Plug in USB disk and make sure xguest_u user can read/write the disk.
    4. Plug in USB camera and make sure it works.
    5. Plug in other USB devices.
    6. Verify Network Manager works.
    7. Verify printing from Firefox and from the desktop works.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try any network protocol, try to get off the machine (ssh, sendmail, rsh, telnet etc.)
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References

user_u

Note: User capabilities: X Windows login and terminal login, nosetuid, noexec in home directory

As root, set up a client machine with network access. Add a user who can log in as user_u (useradd -Z user_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Verify other network protocols work (aol, ssh, mail etc.)
    4. Plug in USB disk and make sure user_u user can read/write disk.
    5. Plug in USB camera and make sure it works.
    6. Plug in other USB devices.
    7. Verify Network Manager works.
    8. Verify printing from Firefox and from the desktop works.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try to break into the root account via su, sudo.
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References

staff_u

Note: User capabilities: X Windows login and terminal login, nosetuid except sudo

As root, set up a client machine with network access. Add a user who can log in as staff_u (useradd -Z staff_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Verify other network protocols work (aol, ssh, mail etc.)
    4. Plug in USB disk and make sure staff_u user can read/write disk.
    5. Plug in USB camera and make sure it works.
    6. Plug in other USB devices.
    7. Verify Network Manager works.
    8. Verify printing from Firefox and from the desktop works.
    9. Try to ping off the machine.
    10. Copy an executable into home directory and try to execute it.
    11. Set up sudo and SELinux to allow staff_t to become unconfined_t via sudo.
  • Bad Test - try to do evil
    1. Try to break into the root account via sudo.
    2. Try to read a file in the /secrets directory.
    3. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References

Kiosk user

Note: User capabilities: X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and /tmp get destroyed on logout.

As root, set up a client machine with network access. Make sure the xguest package is installed (yum install xguest).

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Plug in USB disk and make sure the kiosk user can read/write the disk.
    4. Plug in USB camera and make sure it works.
    5. Plug in other USB devices.
    6. Verify that Network Manager works.
    7. Verify printing from Firefox and from the desktop works.
    8. Logout and login to verify that home directory disappeared.
    9. Verify that password is not required.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try any network protocol, try to get off the machine (ssh, sendmail, telnet, rsh etc.)
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
    6. Verify that you can not ssh into the machine as xguest_u.
User Passed Failed Skipped References

Confined administrator

Note: User capabilities: Administrator that can manage MySQL and Apache

As root, set up a client machine with network access. Build policy for web_db_admin_t. Add a user who can log in as staff_u (useradd -Z staff_u USERNAME). Set up a transition from staff_t to web_db_admin_t, and set up sudo so that this happens automatically. Create a directory named /secrets and install MySQL (yum install mysql-server). Make sure MySQL is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Verify other network protocols work (aol, ssh, mail etc.)
    4. Plug in USB disk and make sure the confined administrator can read/write the disk.
    5. Plug in USB camera and make sure it works.
    6. Plug in other USB devices.
    7. Verify Network Manager works.
    8. Verify printing from Firefox and from the desktop works.
    9. Try to ping off the machine.
    10. Copy an executable into home directory and try to execute it.
    11. Set up sudo and SELinux to allow staff_t to become unconfined_t via sudo.
    12. Execute sudo sh and make sure you end up as web_db_admin_t.
    13. Try to edit /var/www/html directory and some of the MySQL directories.
    14. Try to start/stop MySQL and Apache.
  • Bad Test - try to do evil
    1. Try to break into the root account via su.
    2. Try to read a file in the /secrets directory.
    3. Try to read the MySQL database (mysqlshow).
    4. As web_db_admin_t try to add a user and modify files in /usr/share.
User Passed Failed Skipped References

Guest user that can send an email

As root, set up a server machine with network access. Build policy for sendmail_user_t. Add a user who can log in as sendmail_user_u (useradd -Z sendmail_user_u USERNAME).

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify you can send a mail as this user.
  • Bad Test - try to do evil
    1. Try to break into the root account via sudo.
    2. Try to read a file in the /secrets directory.
    3. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References

Links

  1. http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
  2. http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/
  3. http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
  4. http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html