Linux Notes: SELinux (into for hackers)

  1. The information presented here is intended for educational use by qualified computer technologists.
  2. The information presented here is provided free of charge, as-is, with no warranty of any kind.
Edit: 2019-07-18

Project 1 :: need one directory write-enabled for use by FTP

Introduction (how a simple project went sideways)

project #1 overview

This is how we have been doing backups in our datacenter for the past few years:

		+-------------------------+	+--------------------------+
		| server : HP rx2800-i2   |	| server : HP DL385p-gen8  |
		| OS     : OpenVMS-8.4    |	| OS     : CentOS-7        |
		| client : MariaDB-5.5-60 |	| server : MariaDB-10.3.11 |
		| net-1  : TCP/IP         +-----+ net-1  : TCP/IP          |
 private  ------+ net-2  : TCP/IP         |	+--------------------------+
 intranet	| net-3  : DECnet         +---> hub to other OpenVMS systems (HP rx2660) 
		| net-4  : TCP/IP         +---> Windows-7 PC (backup host) 

But things change:

Project-1 Details

Caveat: in the following commands you will need to do one of the following:

  1. preface each command with "sudo" (preferred)
  2. "su to root" once before the whole lot (old-school)

initial steps (CentOS-7)

Command(s) Comments
yum install vsftpd
vi /etc/vsftpd.conf
install an ftp server
configure the settings file
firewall-cmd --permanent --zone public --add-service ftp
firewall-cmd --reload
prep the firewall
systemctl stop vsftpd.service
systemctl start vsftpd.service
systemctl enable vsftpd.service
make config changes take effect
auto-start this service during reboot
yum install epel-release
yum install ntfs-3g -y
install ntfs software

commands to see connected disks

Commands Comments
fdisk -l  
fdisk -l /dev/sd*  
ls -la /dev/disk/by-label/  
ls -la /dev/disk/by-label/BKUP* see all disks with a label beginning with BKUP

Overview of SELinux

Believe it or not, SELinux was developed by America's NSA (National Security Agency) and combines two approaches to security. (read on)

Now for a little hacking

part 1: getting new manual pages

You will not learn SELinux in one day. In fact, there are large tomes available on Amazon dedicated to this single topic; but you might be able to learn just enough about this to get yourself over the hump provided you are willing to do a little hacking. So try these two commands:

Commands Comments Additional Info
man ftpd_selinux view SELinux info specific to ftpd All FTPd programs are required to follow these rules
man httpd_selinux view SELinux info specific to httpd All HTTPd programs are required to follow these rules

If neither one of these commands worked but you would like them to, then follow these steps

Commands Comments
yum install selinux-policy-devel  
sepolicy manpage -a -p /usr/local/man/man8 generate new manpages
mandb integrate the new manpages into your index

At this point commands like "man ftpd_selinux" should work properly. Be sure to read the whole thing taking special note of any predefined sebooleans (these are topic-specific boolean variables stored in SELinux)

part2: see what's already found in my SELinux implementation

Commands Comments
semanage boolean -l list all booleans
semanage boolean -l | grep ftp list booleans specific to ftp and sftp

part3: let's make a few changes (this works but is not recommended)

Commands Comments
mkdir /icsis/win
chmod 777 /icsis/win
this will be my mount point (where my USB-DISK will be connected)
note: only need to do this once
setsebool ftpd_use_fusefs 1 since my USB-DISK is being attached by fusefs (see blue text below)
this change will allow all FTPd programs to access directories attached to path /icsis/win
#	inspect a file 
#	tack on "Z" to also see SELinux data
#	note: MAC stuff in red and blue
[root@localhost ~]# ls -laZ /icsis
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0      ..
drwxrwxrwx. root root system_u:object_r:fusefs_t:s0    win

part4: an alternate approach (recommended)

Commands Comments
ls -la /dev/disk/by-label/BKUP* take notice where CentOS auto-mounted my USB-DISK
probably will be /dev/sdb1 depending upon how many other drives are present
umount /dev/sdb1 dismount my USB-DISK from where ever it is right now
mount -t /dev/sdb1 /icsis/win mount it in a place where OpenVMS expects it
semanage fcontext -a -t public_content_rw_t "/icsis/win(/.*)?" tell SELinux that this location is sanctioned for read+write
restorecon -F -R -v /icsis/win necessary voodoo (copies info from SELinux back to the file system)
setsebool -P ftpd_anon_write 1 an optional "hall pass"

At this point the attached USB-DISK can be written to via FTP

Project #2 :: need one directory write-enabled for use by Apache/HTTPd

External Links

 Back to Home
Neil Rieck
Waterloo, Ontario, Canada.