From Fedora Project Wiki

No edit summary
(Move long comments to a separate section at end of page)
 
(115 intermediate revisions by 14 users not shown)
Line 11: Line 11:
Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are:
Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are:


* <code>guest_u</code> – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.
{|
* <code>xguest_u</code> – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.
! user role            !! terminal login !! xwindows login !! network !! exec in homedir !! setuid !! notes
* <code>user_u</code> – X Windows login and terminal login, nosetuid, noexec in home directory.
|-
* <code>staff_u</code> – X Windows login and terminal login, nosetuid except <code>sudo</code>.
| '''guest_u'''        || yes            || no            || no      || no              || no    ||
* kiosk user - X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and <code>/tmp</code> get destroyed on logout.
|-                                                                                                             
* confined administrator - Able to manage only a predefined set of services.
| '''xguest_u'''        || yes            || yes            || no*    || no              || no    || * only Firefox
|-                                                                                                             
| '''user_u'''          || yes            || yes            || yes    || no              || no    ||
|-                                                                                                             
| '''staff_u'''        || yes            || yes            || yes    || yes            || no*    || * <code>sudo</code> allowed
|-                                                                                                             
| '''kiosk user'''      || yes            || yes            || no      || no              || no    || No password required. Home directory and <code>/tmp</code> get destroyed on logout.
|-                                                                                                             
| '''confined admin'''  || yes            || yes            || yes    || yes            || yes    || Able to manage only a predefined set of services.
|}


The purpose of test day is to test these SELinux users in usual/specific use cases.
The purpose of test day is to test these SELinux users in usual/specific use cases.
Line 40: Line 49:
echo > /var/log/audit/audit.log
echo > /var/log/audit/audit.log
service auditd restart
service auditd restart
service messagebus restart
service messagebus start
service restorecond restart
service restorecond restart
setenforce 1
setenforce 1
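Review bot: `service messagebus restart` becomes `service messagebus start` in the preparation commands, and `start` is a no-op when the D-Bus daemon is already running, so this step no longer resets messagebus on a machine that was already up. If the intent is to avoid killing the running session bus, say so next to the command; if a clean restart is wanted, keep `restart`.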
Line 47: Line 56:


{{admon/important|No production testing| Please do not use production machine for this testing. }}
{{admon/important|No production testing| Please do not use production machine for this testing. }}
=== '''Live Image''' ===
You may download a non-destructive rawhide live image for your architecture. Tips on using a live image are available at [[FedoraLiveCD]].
{|
! Architecture !! SHA256SUM
|-
| [http://jlaska.fedorapeople.org/live/livecd-selinux-test-day-200910191654-i386.iso i686] || <code>b4c8631aeb40bf4594bbb64c189b1c66f0c7f7cd763ae50ce8f6ce800746aee4</code>
|-
| [http://jlaska.fedorapeople.org/live/livecd-selinux-test-day-200910191709-x86_64.iso x86_64] || <code>fa4e971ed3af85b4aaf7ac5630b0efce5b51c11749dc13b42556cfc7ccf5af56</code>
|}


== How to Test ==
== How to Test ==
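Review bot: the Live Image table gives a SHA256 sum for each ISO but the section never tells the tester to check it; add a one-liner such as `sha256sum livecd-selinux-test-day-200910191654-i386.iso` and say to compare the output with the table before booting the image, otherwise the sums are decorative.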
Line 52: Line 73:
The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug.
The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug.


If you usually use another web browser than '''Firefox''', please continue to do so during the test day. Our intend is to test at least one program from each of the following groups:
If you usually use another web browser than '''Firefox''', please continue to do so during the test day. Our intent is to test at least one program from each of the following groups:
* mail clients (<code>mutt</code>, <code>alpine</code> etc.)
# mail clients (<code>mutt</code>, <code>alpine</code> etc.)
* editors (<code>vim</code>, <code>emacs</code>, <code>nano</code> etc.)
# editors (<code>vim</code>, <code>emacs</code>, <code>nano</code> etc.)
* networking tools (<code>ping</code>, <code>traceroute</code> etc.)
# networking tools (<code>ping</code>, <code>traceroute</code> etc.)
* FTP clients
# FTP clients
* web browsers
# web browsers
* audio / video players
# audio / video players
* samba mounting / tools
# samba mounting / tools
* NFS mounting / tools
# NFS mounting / tools
* Java apps
# Java apps
* office apps
# office apps
* printing / scanning tools
# printing / scanning tools
* photo / camera manipulation
# photo / camera manipulation
* CD/DVD reading / writing
# CD/DVD reading / writing
* IM clients
# IM clients
* flash players
# flash players


Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).
Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).
{{admon/tip|<code>audit.log</code> upload|Be so kind and upload your <code>/var/log/audit/audit.log</code> after you finish the testing. Please leave a reference to it in the following table. This action is optional but it will help us not to forget/miss any of possible AVC messages.}}
{|
! User
! <code>audit.log</code> references
|}
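Review bot: the `audit.log` upload tip asks testers to upload the file and "leave a reference to it" but names no destination; point to fpaste.org, which the How to Report Problems steps already use for AVC messages, and say what the reference column should hold (the paste URL). The table itself is header-only, which is fine for a template, but it should say "add a row" as the results tables do.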


== How to Report Problems ==
== How to Report Problems ==


If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before following a bug
If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before filing a bug
# '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before next testing. Root shell is needed.
# '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before next testing. Root shell is needed.
# '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see if new AVC messages appeared. Root shell is needed.
# '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see if new AVC messages appeared. Root shell is needed.
Line 133: Line 161:
! Skipped
! Skipped
! References
! References
|-
! [[User:czhang]]
! G1.G3.B1.B2.B3.B4.B5
! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1</ref>
! G2<ref>I don't understand what does this step means, scp from localhost to localhost?</ref>
! <references/>
|-
! [[User:hdong]]
! G1.G3.B1~B5
! G4<ref>don't have permission to access /~guest_u/ on server</ref>
! G2<ref>ssh Permission denied</ref>
! <references/>
|-
! [[User:Rhe]]
! G1,G2,G3,B3,B4,B5
! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1 as czhang said</ref>, B1<ref>can ping</ref>, B2<ref>can ssh</ref>
!
! <references/>
|-
! [[User:tpelka]]
! G1~3,G4<ref>Agree with czhang, but 701 is sufficient</ref>,B1~5
!
!
! <references/>
|-
! [[User:mmaslano]]
! G1,G2,G3,G4,B1,B2,B3
!
! B4,B5
! Directions are ambiguous. Howto apache was missing. <references/>
|-
! varekova
! G1~G3,B1~B5
!
! G4 <ref>problems with setting up Appache - it would be good to have describe this step more precisely </ref>
! <references/>
|-
! [[User:psss]]
! G1, G2, G3, B1, B2, B3, B4, B5
! G4<ref group="long">restorecond -u not running for guest_u (running restorecon -R public_html or adding "~/* ~/public_html/*" to /etc/selinux/restorecond.conf resolves the problem)</ref>
!
! <references/> Filed bugs [https://bugzilla.redhat.com/show_bug.cgi?id=529852 #529852] and [https://bugzilla.redhat.com/show_bug.cgi?id=529827 #529827].
|-
! [[User:mmalik]]
! G1, G2, G3, B1, B2, B3, B4, B5
! G4<ref>chmod 711 /home/USER, setsebool httpd_enable_homedirs=1, restorecon -Rv /home/USER were needed</ref>
!
! <references/>
|}
|}
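Review bot: Rhe's row lists B1 ("can ping") and B2 ("can ssh") as failures for guest_u, the one finding in this table where the role did not block what it is meant to block, yet it carries no bug reference while psss's row does; either attach the bugzilla id or note whether it was reproduced after `setenforce 1`. A smaller point: every data row uses `!` (header-cell) markup, so the results render as bold header cells; `|` is the marker for data cells.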


Line 165: Line 241:
! Skipped
! Skipped
! References
! References
|-
! [[User:czhang]]
! G1.G5.G6.G7<ref>Firefox core dumped, but desktop printing is normal</ref>.B1~B5
! G2<ref>Firefox core dumped,can't test. Maybe {{bz|512845}} describes this bug.</ref>.G3<ref>ntfs disks is readable/writable, ext2/3/4 are not permitted in enforce mode, setenforce 0 could solve this problem.</ref>
! G4<ref>no device</ref>
! <references/>
|-
! guaneryu
! G.1 G.2<ref>Start firefox with 'firefox -safe-mode'</ref> G.6 G.7 B.1~B.5
!
! G.3~G.5<ref>no device</ref>
! <references/>
|-
! [[User:jbao]]
! G.1 G.2 G.3 G.7 B.1~B.5
! G.6<ref>can't start the NetworkManager</ref>
! G.4~G.5<ref>no device</ref>
! <references/>
|-
! hdong
! G1.G2.G3.G7 B1~B5
! G6<ref>NetworkManager applet icon disappear</ref>
! G4.G5<ref>no device</ref>
! <references/>
|-
! [[User:Rhe]]
! G1.G5.B1~B5
! G2<ref>a crash in package firefox-3.5.3-1.fc12 has been detected.{{bz|530007}}</ref>.G3<ref>couldn't display </ref>.G6<ref>unrecognised service.{{bz|530013}}</ref><ref>cant run selinux management {{bz|530005}}</ref>
! G4.G7
! <references/>
|-
! varekova
! G1 G6 B1~B5
! G2<ref>firefox problem, with 'firefox -safe-mode' OK</ref>
! G3~G5<ref>virt. machines</ref>
! <references/>
|-
! [[User:mmaslano]]
! G1 G2 G3 G6 G7 B1-4
!
! G4 G5
! FF worked firefox-3.5.3-1.fc12.x86_64. I have updated rawhide.<references/>
|-
! [[User: jkoten|jkoten]]
! G1 G3 G6 B1-5
! G2<ref>cannot play streamed video using totem-mozplugin {{bz|529847}}</ref>
! G7
! <references/>
|-
! [[User:psss]]
! G1, G3, G6, B1, B2, B3, B4, B5
! G2<ref>Firefox crashes, works only in -safe-mode</ref>
! G4, G5, G7
! <references/> Filed bug [https://bugzilla.redhat.com/show_bug.cgi?id=529878 #529878] - Unable to login after logout
|-
! [[User:mmalik]]
! G1, B1, B2, B3, B4, B5
! G2<ref>Firefox crashes, must be executed with -safe-mode</ref>
! G3, G4, G5, G6, G7
! <references/>
|-
! [[User:tpelka]]
! <ref>First login as xguest_u cause gphoto2 support for gvfs crash, RHBZ [https://bugzilla.redhat.com/show_bug.cgi?id=530091 #530091]</ref>G1~4,G7,B1,B2,B3,B4,B5
!
! G5,G6<ref>no device</ref>
! <references/>
|}
|}
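Review bot: in the tpelka row the `<ref>` about the gphoto2/gvfs crash sits inside the Passed cell ahead of `G1~4`, so the footnote marker renders before the test list; move it to the References cell. The Firefox crash reported in five rows is tied to two different bug ids ({{bz|512845}} in czhang's row, {{bz|530007}} in Rhe's); mark one as the tracking bug so the duplicate reports converge.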


Line 197: Line 339:
! Failed
! Failed
! Skipped
! Skipped
! References
! References\
|-
! guaneryu
! G.1 G.2 G.3 G.7 B.1 B.2 B.4 B.5
! B.3<ref>cd;cp /bin/ls ~/;./ls;  can execute ls command at home directory</ref>
! G4~G6<ref>no device</ref>.G8
! <references/>
|-
! [[User:jbao]]
! G1.G2.G3.G4.G8 B1.B2.B4.B5
! G7<ref>can't start the NetworkManager,with the error"(nm-applet:5910): Gtk-WARNING **: cannot open display:
"</ref> B3<ref>{{bz|529830}}</ref>
! G5~G6<ref>no device</ref>
! <references/>
|-
! varekova
! G.1 G.3 G.7 B.1 B.2 B.4
! G2<ref>firefox problem</ref> B.3<ref>{{bz|529830}}</ref>
! G.4~G.6, G.8<ref>virt machine</ref>
! <references/>
|-
! [[User:mmaslano]]
! G1-5 G7 B2-4
! B1 B5
! G6
! G6 no NM applet in KDE tray<references/>
|-
! [[User:Rhe]]
! G1.G3.G4.G6.B1.B2.B4.B5
! G2<ref>firefox crash.{{bz|530007}}</ref>.G7<ref>unrecognized service.{{bz|530013}}</ref>.B3<ref>executable.{{bz|529830}}</ref>
! G5.G8
! <references/>
|-
! [[User:hdong]]
! G1.G2.G3.G4.G8.B1.B2.B4.B5
! G7<ref>Permission denied and applet icon disappear</ref>.B3<ref>executable.{{bz|529830}}</ref>
! G5.G6<ref>no device</ref>
! <references/>
|-
! [[User:tpelka]]
! G1~4,G7,G8,B1,B2,B4,B5
! B3<ref>same as guaneryu [1]</ref>
! G5,G6<ref>no device</ref>
! <references/>
|}
|}
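Review bot: the new `! References\` header line ends with a stray backslash that will render literally in the table; drop it. Also, B3 (executing a binary copied into the home directory) is recorded as failing in six of the seven rows, four of them pointing at {{bz|529830}}; the test case text could cite that bug up front instead of leaving each tester to rediscover it.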


Line 233: Line 418:
! Skipped
! Skipped
! References
! References
|-
! [[User:jbao]]
! G1.G2.G3.G4.G8.G9.G10.G11.G12.B1~B3
! G7<ref>can't start the NetworkManager</ref>
! G5~G6<ref>no device</ref>
! <references/>
|-
! guaneryu
! G.1~G.3 G.7 G.9~G.12 B.1~B.3
!
! G.4~G.6 G.8<ref>no device</ref>
! <references/>
|-
! varekova
! G.1 G.3 G.7 G.9~G.12 B.1~B.3
! G.2<ref>firefox problem</ref>
! G.4~G.6 G.8<ref>virt machine</ref>
! <references/>
|-
! [[User:Rhe]]
! G1. G3. G4. G6. G9. G10. B1~B3
! G2<ref>firefox crash.{{bz|530007}}</ref>. G7<ref>unrecognised service.{{bz|530013}}</ref>. G11<ref>/user/sbin/semanage:SElinux Policy is not managed or store cannot be accessed.</ref>
! G5. G6. G12
! <references/>
|-
! [[User:hdong]]
! G1.G2.G3.G4.G8.G9.G10.G11.G12 B1~B3
! G7<ref>Permission denied and applet icon disappear.{{bz|530013}}</ref>
! G5.G6<ref>no device</ref>
! <references/>
|-
! [[User:tpelka]]
! G1~4,G7,G8~12,B1~3
!
! G5,G6<ref>no device</ref>
! <references/>
|}
|}
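Review bot: Rhe's G11 footnote gives the path as `/user/sbin/semanage`; semanage lives under `/usr/sbin`, so this looks like a typo in the note rather than a missing binary. The quoted error ("SELinux Policy is not managed or store cannot be accessed") is what semanage prints when it cannot open the policy store, so the row should say whether G11 was run through `sudo` or directly in the `staff_u` shell.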


Line 268: Line 489:
! Skipped
! Skipped
! References
! References
|-
! [[User: jkoten|jkoten]]
! G1 G2
! G8<ref>home dir still present - even before login for the first time</ref> G9<ref>cannot login after logout {{bz|529897}}</ref>
! B1-6 <ref>cannot login again :(</ref>
! <references/>
|-
| [[User: hdong]]
! G1.G2.G3.G7
! G8<ref>home dir still present,temporary files in home dir disappear</ref>.G9<ref>cannot login again</ref>
! G4.G5<ref>no device</ref>G6 B1~B6<ref>can not login</ref>
! <references/>
|-
| [[User: tpelka]]
! G1,G2,G3,G7
! G8<ref>home dir still present</ref>,G9<ref>cannot login again</ref>
! G4,G5<ref>no device</ref>G6,B1~B6<ref>can not login</ref>
! <references/>
|}
|}
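Review bot: all three rows report G9 ("cannot login again") but only jkoten's attaches {{bz|529897}}; the hdong and tpelka rows should cite the same bug so the table shows one tracked issue rather than three unlinked reports. Also, the hdong and tpelka rows open their user cell with `|` while every other row in the results tables uses `!`; pick one marker for the column.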


=== Confined administrator ===
=== Guest user that can send an email ===


{{admon/note|User capabilities|Administrator that can manage '''MySQL''' and '''Apache'''}}
As root set up a server machine, with network access. Build policy for <code>sendmail_user_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>sendmail_user_u</code> (<code>useradd -Z sendmail_user_u USERNAME</code>).
 
As root set up a client machine, with network access. Build policy for <code>web_db_admin_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Set up a transition from <code>staff_t</code> to <code>web_db_admin_t</code>. Set up <code>sudo</code> to make this happen automatically. Create a directory named <code>/secrets</code> and install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' is running (<code>service mysqld start</code>) and the database is world readable. Install '''Apache''' (<code>yum install httpd</code>) and make sure the service is running (<code>service httpd start</code>).


Log in to the machine and try the following:
Log in to the machine and try the following:
Line 280: Line 517:
* Good Test - try to behave correctly
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Edit files in home directory.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Verify you can send a mail as this user.
*# Verify other network protocols work (aol, ssh, mail etc.)
*# Plug in USB disk and make sure the confined administrator can read/write the disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> off the machine.
*# Copy an executable into home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>unconfined_t</code> via <code>sudo</code>.
*# Execute <code>sudo sh</code> and make sure you end up as <code>web_db_adm_t</code>.
*# Try to edit <code>/var/www/html</code> directory and some of the '''MySQL''' directories.
*# Try to stop and start '''MySQL''' and '''Apache''' (<code>service NAME start</code> and <code>service NAME stop</code>).


* Bad Test - try to do evil
* Bad Test - try to do evil
*# Try to break into the root account via <code>su</code>.
*# Try to break into the root account via <code>sudo</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# As <code>web_db_adm_t</code> try to add an user, modify files in <code>/usr/share</code>.


{|
{|
Line 306: Line 530:
! Skipped
! Skipped
! References
! References
|-
| ebenes      ||  G1,G2<ref>{{bz|529916}}</ref>, B1,B2,B3        ||              ||      ||  <references/>
|-
| [[User: tpelka]]
|         
|G1,G2,B1~3<ref>RHBZ {{bz|530349}}</ref>
|<references/>     
|}
|}


=== Guest user that can send an email ===
=== Confined administrator ===
 
{{admon/note|User capabilities|Administrator that can manage '''MySQL''' and '''Apache'''}}


As root set up a server machine, with network access. Build policy for <code>sendmail_user_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>sendmail_user_u</code> (<code>useradd -Z sendmail_user_u USERNAME</code>).
As root set up a client machine, with network access. Build policy for <code>web_db_admin_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Set up a transition from <code>staff_t</code> to <code>web_db_admin_t</code>. Set up <code>sudo</code> to make this happen automatically. Create a directory named <code>/secrets</code> and install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' is running (<code>service mysqld start</code>) and the database is world readable. Install '''Apache''' (<code>yum install httpd</code>) and make sure the service is running (<code>service httpd start</code>).


Log in to the machine and try the following:
Log in to the machine and try the following:
Line 316: Line 550:
* Good Test - try to behave correctly
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Edit files in home directory.
*# Verify you can send a mail as this user.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Verify other network protocols work (aol, ssh, mail etc.)
*# Plug in USB disk and make sure the confined administrator can read/write the disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> off the machine.
*# Copy an executable into home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>web_db_adm_t</code> via <code>sudo</code>.
*# Execute <code>sudo sh</code> and make sure you end up as <code>web_db_adm_t</code>.
*# Try to edit <code>/var/www/html</code> directory and some of the '''MySQL''' directories.
*# Try to stop and start '''MySQL''' and '''Apache''' (<code>service NAME start</code> and <code>service NAME stop</code>).


* Bad Test - try to do evil
* Bad Test - try to do evil
*# Try to break into the root account via <code>sudo</code>.
*# Try to break into the root account via <code>su</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# As <code>web_db_adm_t</code> try to add an user, modify files in <code>/usr/share</code>.


{|
{|
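Review bot: the setup paragraph of this section has the tester build policy for `web_db_admin_t` and set up a transition from `staff_t` to it, but the Good Test steps that follow check for `web_db_adm_t` (`sudo sh` should "end up as web_db_adm_t"); these are two different type names, so one is a typo and a tester following the text literally would conclude the transition is broken. Use the same name in both places.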
Line 329: Line 576:
! Skipped
! Skipped
! References
! References
|-
| [[User: tpelka]]
|         
|G1~14,B1~4<ref>RHBZ {{bz|530349}}</ref>
|<references/>   
|}
|}


Line 336: Line 589:
# http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
# http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
# http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
# http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
== Long comments ==
<references group="long" />
[[Category:Fedora 12 Test Days]]

Latest revision as of 06:24, 26 December 2014

DATE              TIME     WHERE
Tue Oct 20, 2009  ALL DAY  #fedora-test-day

What to Test?

Today's Fedora Test Day will focus on SELinux Confined Users: users that are assigned an SELinux role, where the SELinux policy controls what the user can do and access on the system. The current confined user types and their intended use are:

user role        terminal login  xwindows login  network  exec in homedir  setuid  notes
guest_u          yes             no              no       no               no
xguest_u         yes             yes             no*      no               no      * only Firefox
user_u           yes             yes             yes      no               no
staff_u          yes             yes             yes      yes              no*     * sudo allowed
kiosk user       yes             yes             no       no               no      No password required. Home directory and /tmp get destroyed on logout.
confined admin   yes             yes             yes      yes              yes     Able to manage only a predefined set of services.

The purpose of the test day is to exercise these SELinux users in usual and specific use cases.

Who's available

The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion.

  • Development: dwalsh, mgrepl
  • Quality: mmalik, ebenes

What's Needed to test

  • You will need a fully updated Rawhide, Fedora 12 Beta or the Rawhide nightly Live Image
  • You will need the following packages installed on the machine. Please run yum install PACKAGE as root to install them and check that their versions match:
    • selinux-policy-targeted-3.6.32-24.fc12
    • policycoreutils-gui-2.0.74-4.fc12
    • setroubleshoot-2.2.37-1.fc12
    • audit-2.0.1-1.fc12
    • xguest-1.0.7-7.fc12
  • The content of /var/log/messages will be useful during testing and reporting issues. Connect to your test system and prepare the system for gathering output using the commands below:
echo > /var/log/audit/audit.log
service auditd restart
service messagebus start
service restorecond restart
setenforce 1
tail -f /var/log/messages
No production testing
Please do not use a production machine for this testing.

Live Image

You may download a non-destructive rawhide live image for your architecture. Tips on using a live image are available at FedoraLiveCD.

Architecture  SHA256SUM
i686          b4c8631aeb40bf4594bbb64c189b1c66f0c7f7cd763ae50ce8f6ce800746aee4
x86_64        fa4e971ed3af85b4aaf7ac5630b0efce5b51c11749dc13b42556cfc7ccf5af56

How to Test

The main goal is to test whether the chosen confined user is able to do the things its SELinux role allows, and unable to do the things the role does not allow. For example, if you log in as xguest_u and try to run ping or sudo in your favourite terminal, you will not be able to run them. But if you cannot run Firefox, that is probably a bug.

If you usually use another web browser than Firefox, please continue to do so during the test day. Our intent is to test at least one program from each of the following groups:

  1. mail clients (mutt, alpine etc.)
  2. editors (vim, emacs, nano etc.)
  3. networking tools (ping, traceroute etc.)
  4. FTP clients
  5. web browsers
  6. audio / video players
  7. samba mounting / tools
  8. NFS mounting / tools
  9. Java apps
  10. office apps
  11. printing / scanning tools
  12. photo / camera manipulation
  13. CD/DVD reading / writing
  14. IM clients
  15. flash players

Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).

audit.log upload
Please upload your /var/log/audit/audit.log after you finish the testing and leave a reference to it in the following table. This is optional, but it helps us not to miss any of the possible AVC messages.

User  audit.log references

How to Report Problems

If you encounter problems (e.g. application A did not start, application B failed to do what you wanted, application C works only partially), try the following before filing a bug:

  1. Permissive mode - switch to permissive mode (setenforce 0) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (setenforce 1) before next testing. Root shell is needed.
  2. ausearch - Run ausearch as advised below to see if new AVC messages appeared. Root shell is needed.
  3. fpaste.org - Make the AVC message public via http://fpaste.org/ . Add a short description of what you did and what happened or did not happen. Please increase the default expiry time to 1 day, because the default is 1 hour.
  4. IRC - Communicate with others on IRC channel to find out if they encountered the same problem. It's likely that someone on IRC channel knows the solution or already reported the problem.
  5. sealert - Look at the end of /var/log/messages and search for messages containing sealert. Run sealert with the parameters those messages advise. Root shell is needed.
  6. Bugzilla - Lastly, file a bug in Red Hat Bugzilla. Be sure to set the following attributes: Product: Fedora, Version: rawhide, Component: selinux-policy. Alternatively, follow this link to file a bug against selinux-policy. Do not forget to supply the description of actions you did, the AVC message and the full output of sealert.
Before filing...
Do not file a bug if the user you are testing is prevented by its SELinux role from doing certain things (e.g. guest_u is prevented from using the network, staff_u is prevented from running su). The actions you attempt as a given user must make sense for that user's SELinux role.

Here is an example of how to display the AVCs which arose since a specific time:

  1. START_DATE_TIME=$(date "+%m/%d/%Y %T")
  2. do something as confined user
  3. ausearch -m AVC -ts $START_DATE_TIME

$START_DATE_TIME is deliberately left unquoted in step 3: it expands to two words (date and time), which is what the -ts option of ausearch expects.
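The following is an added example, not part of the wiki page: it does offline what the ausearch step above does on a live system, keeping only the AVC records logged since the start time and then grouping the denials by SELinux user, role, target class and permission, so a tester can see which confined role tripped which rule before filling in the results table. The audit records, the confined-user list and the assumption that START_DATE_TIME is given in UTC are all the example's own.

```python
"""Summarise SELinux AVC denials recorded since a chosen start time."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit.log excerpt (not from a real test machine).
# Epoch 1256040000 is 2009-10-20 12:00:00 UTC, the day of this test day.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1256039990.000:199): avc:  denied  { name_connect } for  pid=2101 comm="ssh" dest=22 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1256040000.101:201): avc:  denied  { name_connect } for  pid=2211 comm="ssh" dest=22 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1256040000.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="ssh" exe="/usr/bin/ssh" subj=guest_u:guest_r:guest_t:s0 key=(null)
type=AVC msg=audit(1256040010.202:203): avc:  denied  { execute } for  pid=2230 comm="bash" name="ls" dev=dm-0 ino=131425 scontext=guest_u:guest_r:guest_t:s0 tcontext=guest_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1256040015.000:204): avc:  denied  { name_connect } for  pid=2240 comm="ssh" dest=22 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1256040020.303:205): avc:  denied  { create } for  pid=2301 comm="ping" scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=rawip_socket
"""

# One AVC record: audit(EPOCH.MS:SERIAL), the verdict, the permission set,
# and the source/target contexts plus object class.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<sec>\d+)\.\d+:(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for '
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# The SELinux users this test day puts under test (page's list); anything
# else, e.g. unconfined_u or system_u, is reported separately.
CONFINED_USERS = ("guest_u", "xguest_u", "user_u", "staff_u")


def parse_start_time(text):
    """Parse the page's START_DATE_TIME format (%m/%d/%Y %T); assumed UTC here."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    seuser, role, stype = m.group("scontext").split(":")[:3]
    return {
        "time": datetime.fromtimestamp(int(m.group("sec")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),   # "{ read write }" -> 2 entries
        "seuser": seuser, "role": role, "stype": stype,
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def avcs_since(log_text, start):
    """AVC records at or after `start` (tz-aware), like `ausearch -m AVC -ts`."""
    records = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in records if r is not None and r["time"] >= start]


def summarize_denials(avcs):
    """Count denials by (SELinux user, role, target class, permission)."""
    counts = Counter()
    for r in avcs:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["seuser"], r["role"], r["tclass"], perm)] += 1
    return counts


def split_by_confinement(avcs):
    """Separate records from the confined users under test from all others."""
    confined = [r for r in avcs if r["seuser"] in CONFINED_USERS]
    other = [r for r in avcs if r["seuser"] not in CONFINED_USERS]
    return confined, other


def report(log_text, start_text):
    """Plain-text summary suitable for the References column of a results table."""
    avcs = avcs_since(log_text, parse_start_time(start_text))
    confined, other = split_by_confinement(avcs)
    lines = [f"{len(avcs)} AVC record(s) since {start_text} UTC, "
             f"{len(confined)} from confined users, {len(other)} other"]
    for (seuser, role, tclass, perm), n in sorted(summarize_denials(confined).items()):
        lines.append(f"  {seuser}:{role}  denied {perm} on {tclass}  x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG, "10/20/2009 12:00:00"))
```

On a real machine, feed it the contents of /var/log/audit/audit.log and the START_DATE_TIME value captured before the test run.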

Test Cases

Here you can find a few test cases. Please run as many of them as possible. Below each test case there is a table where you should record your results. Please add a row with your username and the list of tests you ran/skipped. The table could look this way:

User Passed Failed Skipped References
User:mmalik G.1 G.2 B.1 B.2 B.3 G.3 G.4

guest_u

User capabilities
Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory

As root, set up a server-only machine with the Apache service (yum install httpd). Configure Apache so that user home directories are accessible. Make sure the Apache service is running (service httpd start). Add a user who can log in as guest_u (useradd -Z guest_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. scp files to home directory and public_html directory.
    3. Copy files to public_html directory.
    4. Verify that the content is viewable via Apache.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try any network protocol, try to get off the machine (ssh, mail, rsh, telnet etc.)
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
Results (User, Passed, Failed, Skipped, References):

User:czhang
  Passed:  G1.G3.B1.B2.B3.B4.B5
  Failed:  G4[1]
  Skipped: G2[2]
  1. need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1
  2. I don't understand what this step means, scp from localhost to localhost?
User:hdong
  Passed:  G1.G3.B1~B5
  Failed:  G4[1]
  Skipped: G2[2]
  1. don't have permission to access /~guest_u/ on server
  2. ssh Permission denied
User:Rhe
  Passed:  G1,G2,G3,B3,B4,B5
  Failed:  G4[1], B1[2], B2[3]
  1. need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1 as czhang said
  2. can ping
  3. can ssh
User:tpelka
  Passed:  G1~3,G4[1],B1~5
  1. Agree with czhang, but 701 is sufficient
User:mmaslano
  Passed:  G1,G2,G3,G4,B1,B2,B3
  Skipped: B4,B5
  References: Directions are ambiguous. Howto apache was missing.
varekova
  Passed:  G1~G3,B1~B5
  Skipped: G4 [1]
  1. problems with setting up Apache - it would be good to describe this step more precisely
User:psss
  Passed:  G1, G2, G3, B1, B2, B3, B4, B5
  Failed:  G4[long 1]
  References: Filed bugs #529852 and #529827.
User:mmalik
  Passed:  G1, G2, G3, B1, B2, B3, B4, B5
  Failed:  G4[1]
  1. chmod 711 /home/USER, setsebool httpd_enable_homedirs=1, restorecon -Rv /home/USER were needed

xguest_u

User capabilities
X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory

As root, set up a client machine with network access. Add a user who can log in as xguest_u (useradd -Z xguest_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify that flash works.
    3. Plug in USB disk and make sure xguest_u user can read/write the disk.
    4. Plug in USB camera and make sure it works.
    5. Plug in other USB devices.
    6. Verify Network Manager works.
    7. Verify printing from Firefox and from the desktop works.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try any network protocol, try to get off the machine (ssh, mail, rsh, telnet etc.)
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References
User:czhang G1.G5.G6.G7[1].B1~B5 G2[2].G3[3] G4[4]
  1. Firefox core dumped, but desktop printing is normal
  2. Firefox core dumped, can't test. Maybe RHBZ #512845 describes this bug.
  3. NTFS disks are readable/writable, ext2/3/4 are not permitted in enforcing mode, setenforce 0 could solve this problem.
  4. no device
guaneryu G.1 G.2[1] G.6 G.7 B.1~B.5 G.3~G.5[2]
  1. Start firefox with 'firefox -safe-mode'
  2. no device
User:jbao G.1 G.2 G.3 G.7 B.1~B.5 G.6[1] G.4~G.5[2]
  1. can't start the NetworkManager
  2. no device
hdong G1.G2.G3.G7 B1~B5 G6[1] G4.G5[2]
  1. NetworkManager applet icon disappears
  2. no device
User:Rhe G1.G5.B1~B5 G2[1].G3[2].G6[3][4] G4.G7
  1. a crash in package firefox-3.5.3-1.fc12 has been detected. RHBZ #530007
  2. couldn't display
  3. unrecognised service. RHBZ #530013
  4. can't run selinux management. RHBZ #530005
varekova G1 G6 B1~B5 G2[1] G3~G5[2]
  1. firefox problem, with 'firefox -safe-mode' OK
  2. virt. machines
User:mmaslano G1 G2 G3 G6 G7 B1-4 G4 G5 FF worked firefox-3.5.3-1.fc12.x86_64. I have updated rawhide.
jkoten G1 G3 G6 B1-5 G2[1] G7
  1. cannot play streamed video using totem-mozplugin RHBZ #529847
User:psss G1, G3, G6, B1, B2, B3, B4, B5 G2[1] G4, G5, G7
  1. Firefox crashes, works only in -safe-mode
Filed bug #529878 - Unable to login after logout
User:mmalik G1, B1, B2, B3, B4, B5 G2[1] G3, G4, G5, G6, G7
  1. Firefox crashes, must be executed with -safe-mode
User:tpelka [1]G1~4,G7,B1,B2,B3,B4,B5 G5,G6[2]
  1. First login as xguest_u causes the gphoto2 support for gvfs to crash, RHBZ #530091
  2. no device

user_u

User capabilities
X Windows login and terminal login, nosetuid, noexec in home directory

As root set up a client machine, with network access. Add a user which can log in as user_u (useradd -Z user_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Verify other network protocols work (aol, ssh, mail etc.)
    4. Plug in USB disk and make sure user_u user can read/write disk.
    5. Plug in USB camera and make sure it works.
    6. Plug in other USB devices.
    7. Verify Network Manager works.
    8. Verify printing from Firefox and from the desktop works.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try to break into the root account via su, sudo.
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References
guaneryu G.1 G.2 G.3 G.7 B.1 B.2 B.4 B.5 B.3[1] G4~G6[2].G8
  1. cd;cp /bin/ls ~/;./ls; can execute ls command at home directory
  2. no device
User:jbao G1.G2.G3.G4.G8 B1.B2.B4.B5 G7[1] B3[2] G5~G6[3]
  1. can't start the NetworkManager, with the error "(nm-applet:5910): Gtk-WARNING **: cannot open display: "
  2. RHBZ #529830
  3. no device
varekova G.1 G.3 G.7 B.1 B.2 B.4 G2[1] B.3[2] G.4~G.6, G.8[3]
  1. firefox problem
  2. RHBZ #529830
  3. virt machine
User:mmaslano G1-5 G7 B2-4 B1 B5 G6 G6 no NM applet in KDE tray
User:Rhe G1.G3.G4.G6.B1.B2.B4.B5 G2[1].G7[2].B3[3] G5.G8
  1. firefox crash. RHBZ #530007
  2. unrecognized service. RHBZ #530013
  3. executable. RHBZ #529830
User:hdong G1.G2.G3.G4.G8.B1.B2.B4.B5 G7[1].B3[2] G5.G6[3]
  1. Permission denied and applet icon disappears
  2. executable. RHBZ #529830
  3. no device
User:tpelka G1~4,G7,G8,B1,B2,B4,B5 B3[1] G5,G6[2]
  1. same as guaneryu [1]
  2. no device

staff_u

User capabilities
X Windows login and terminal login, nosetuid except sudo

As root set up a client machine, with network access. Add a user which can log in as staff_u (useradd -Z staff_u USERNAME). Create a directory named /secrets. Install MySQL (yum install mysql-server). Make sure the MySQL service is running (service mysqld start) and the database is world readable.
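A check for the "useradd -Z ROLE USERNAME" setup step used in this section and the xguest_u and user_u ones, added here as an example and not part of the test day page: it reads the output of semanage login -l and confirms that each test login is mapped to the expected SELinux user before anyone starts testing. The sample output, the login names and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: verify that test logins were created with the intended
# SELinux user (useradd -Z). Reads "semanage login -l" output on stdin.
#
# Constructed sample of "semanage login -l" output so the script runs offline;
# on a real machine pipe the real output in. Only the first two columns are
# used, so extra columns on newer releases do not matter.
SAMPLE_LOGINS='
Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
guest1               guest_u              s0
xguest1              xguest_u             s0
staff1               staff_u              s0-s0:c0.c1023
'

# selinux_user_for LOGIN < semanage-login-output
# Prints the SELinux user mapped to LOGIN; a login with no entry of its own
# gets the __default__ mapping, which is what login(1) falls back to.
selinux_user_for() {
    awk -v login="$1" '
        NF >= 2 && $1 == login         { found = $2 }
        NF >= 2 && $1 == "__default__" { dflt = $2 }
        END { print (found != "" ? found : dflt) }'
}

# check_mapping LOGIN EXPECTED_SEUSER < semanage-login-output
# Returns 0 when LOGIN maps to EXPECTED_SEUSER, 1 otherwise.
check_mapping() {
    actual=$(selinux_user_for "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok   $1 -> $actual"
        return 0
    fi
    echo "FAIL $1 -> $actual (expected $2)"
    return 1
}

# Stand-alone run against the constructed sample: "user1" was never added
# with -Z, so it silently inherits __default__ and the check reports FAIL.
for pair in guest1:guest_u xguest1:xguest_u staff1:staff_u user1:user_u; do
    printf '%s\n' "$SAMPLE_LOGINS" | check_mapping "${pair%%:*}" "${pair##*:}" || :
done
```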

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Verify other network protocols work (aol, ssh, mail etc.)
    4. Plug in USB disk and make sure staff_u user can read/write disk.
    5. Plug in USB camera and make sure it works.
    6. Plug in other USB devices.
    7. Verify Network Manager works.
    8. Verify printing from Firefox and from the desktop works.
    9. Try to ping off the machine.
    10. Copy an executable into home directory and try to execute it.
    11. Set up sudo and SELinux to allow staff_t to become unconfined_t via sudo.
      # semanage user -m -R "staff_r unconfined_r system_r" staff_u
      add a record to sudoers using visudo:
      USERNAME ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
    12. Execute sudo sh and make sure you end up as unconfined_t.
      # sudo sh
      # id -Z
  • Bad Test - try to do evil
    1. Try to break into the root account via sudo.
    2. Try to read a file in the /secrets directory.
    3. Try to read the MySQL database (mysqlshow).
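Added example (not from the test day page) for confirming the Bad Test results in the xguest_u, user_u and staff_u sections: when the policy is what stops an action, an AVC record from the confined domain appears in /var/log/audit/audit.log, which tells a policy denial apart from a plain DAC "Permission denied" or a missing device. The audit lines are constructed for this example and the function names are assumptions.

```shell
#!/bin/sh
# Added example: summarise AVC denials so each Bad Test step can be tied to
# the confined source domain that was denied. Reads audit lines on stdin.
#
# Constructed sample in the format of /var/log/audit/audit.log; real lines
# vary in their permissions and classes.
SAMPLE_AVC='
type=AVC msg=audit(1256000001.123:45): avc:  denied  { create } for  pid=2301 comm="ping" scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=rawip_socket
type=AVC msg=audit(1256000002.456:46): avc:  denied  { execute } for  pid=2310 comm="bash" name="ls" dev=dm-2 ino=1234 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1256000003.789:47): avc:  denied  { name_connect } for  pid=2322 comm="ssh" scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=USER_LOGIN msg=audit(1256000004.000:48): user pid=2200 uid=0 auid=500 msg=...
type=AVC msg=audit(1256000005.321:49): avc:  denied  { execute } for  pid=2340 comm="bash" name="ls" dev=dm-2 ino=1234 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file
'

# avc_summary < audit-lines
# Prints "DOMAIN PERMISSION CLASS COUNT" per distinct denial, sorted. Only the
# first permission inside "{ ... }" is taken; the source type is the third
# field of scontext=user:role:type:level.
avc_summary() {
    awk '
        $1 != "type=AVC" { next }
        {
            perm = ""; sdom = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                else if (index($i, "scontext=") == 1) { split($i, c, ":"); sdom = c[3] }
                else if (index($i, "tclass=") == 1) cls = substr($i, 8)
            }
            if (perm != "" && sdom != "" && cls != "") n[sdom " " perm " " cls]++
        }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# denied_by DOMAIN PERMISSION < audit-lines
# Returns 0 if DOMAIN was denied PERMISSION at least once, e.g. to confirm
# that executing a copied binary from $HOME as xguest_t was stopped by policy.
denied_by() {
    avc_summary | awk -v d="$1" -v p="$2" '$1 == d && $2 == p { hit = 1 } END { exit !hit }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```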
User Passed Failed Skipped References
User:jbao G1.G2.G3.G4.G8.G9.G10.G11.G12.B1~B3 G7[1] G5~G6[2]
  1. can't start the NetworkManager
  2. no device
guaneryu G.1~G.3 G.7 G.9~G.12 B.1~B.3 G.4~G.6 G.8[1]
  1. no device
varekova G.1 G.3 G.7 G.9~G.12 B.1~B.3 G.2[1] G.4~G.6 G.8[2]
  1. firefox problem
  2. virt machine
User:Rhe G1. G3. G4. G6. G9. G10. B1~B3 G2[1]. G7[2]. G11[3] G5. G6. G12
  1. firefox crash. RHBZ #530007
  2. unrecognised service. RHBZ #530013
  3. /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
User:hdong G1.G2.G3.G4.G8.G9.G10.G11.G12 B1~B3 G7[1] G5.G6[2]
  1. Permission denied and applet icon disappears. RHBZ #530013
  2. no device
User:tpelka G1~4,G7,G8~12,B1~3 G5,G6[1]
  1. no device

Kiosk user

User capabilities
X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and /tmp get destroyed on logout.

As root set up a client machine, with network access. Make sure xguest package is installed (yum install xguest).

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Plug in USB disk and make sure the kiosk user can read/write the disk.
    4. Plug in USB camera and make sure it works.
    5. Plug in other USB devices.
    6. Verify that Network Manager works.
    7. Verify printing from Firefox and from the desktop works.
    8. Logout and login to verify that home directory disappeared.
    9. Verify that password is not required.
  • Bad Test - try to do evil
    1. Try to ping off the machine.
    2. Try any network protocol, try to get off the machine (ssh, mail, telnet, rsh etc.)
    3. Copy an executable into home directory and try to execute it.
    4. Try to read a file in the /secrets directory.
    5. Try to read the MySQL database (mysqlshow).
    6. Verify that you cannot ssh into the machine as xguest_u.
User Passed Failed Skipped References
jkoten G1 G2 G8[1] G9[2] B1-6 [3]
  1. home dir still present - even before login for the first time
  2. cannot login after logout RHBZ #529897
  3. cannot login again :(
User:hdong G1.G2.G3.G7 G8[1].G9[2] G4.G5[3].G6 B1~B6[4]
  1. home dir still present, temporary files in home dir disappear
  2. cannot login again
  3. no device
  4. cannot log in
User:tpelka G1,G2,G3,G7 G8[1],G9[2] G4,G5[3],G6,B1~B6[4]
  1. home dir still present
  2. cannot login again
  3. no device
  4. cannot log in

Guest user that can send an email

As root set up a server machine, with network access. Build policy for sendmail_user_t (Example how to create confined SELinux user). Add a user which can log in as sendmail_user_u (useradd -Z sendmail_user_u USERNAME).

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify you can send a mail as this user.
  • Bad Test - try to do evil
    1. Try to break into the root account via sudo.
    2. Try to read a file in the /secrets directory.
    3. Try to read the MySQL database (mysqlshow).
User Passed Failed Skipped References
ebenes G1,G2[1], B1,B2,B3
  1. RHBZ #529916
User:tpelka G1,G2,B1~3[1]
  1. RHBZ #530349

Confined administrator

User capabilities
Administrator that can manage MySQL and Apache

As root set up a client machine, with network access. Build policy for web_db_admin_t (Example how to create confined SELinux user). Add a user which can log in as staff_u (useradd -Z staff_u USERNAME). Set up a transition from staff_t to web_db_admin_t. Set up sudo to make this happen automatically. Create a directory named /secrets and install MySQL (yum install mysql-server). Make sure MySQL is running (service mysqld start) and the database is world readable. Install Apache (yum install httpd) and make sure the service is running (service httpd start).

Log in to the machine and try the following:

  • Good Test - try to behave correctly
    1. Edit files in home directory.
    2. Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    3. Verify other network protocols work (aol, ssh, mail etc.)
    4. Plug in USB disk and make sure the confined administrator can read/write the disk.
    5. Plug in USB camera and make sure it works.
    6. Plug in other USB devices.
    7. Verify Network Manager works.
    8. Verify printing from Firefox and from the desktop works.
    9. Try to ping off the machine.
    10. Copy an executable into home directory and try to execute it.
    11. Set up sudo and SELinux to allow staff_t to become web_db_adm_t via sudo.
    12. Execute sudo sh and make sure you end up as web_db_adm_t.
    13. Try to edit /var/www/html directory and some of the MySQL directories.
    14. Try to stop and start MySQL and Apache (service NAME start and service NAME stop).
  • Bad Test - try to do evil
    1. Try to break into the root account via su.
    2. Try to read a file in the /secrets directory.
    3. Try to read the MySQL database (mysqlshow).
    4. As web_db_adm_t try to add a user and to modify files in /usr/share.
User Passed Failed Skipped References
User:tpelka G1~14,B1~4[1]
  1. RHBZ #530349

Links

  1. http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
  2. http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/
  3. http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
  4. http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html

Long comments

  1. restorecond -u not running for guest_u (running restorecon -R public_html or adding "~/* ~/public_html/*" to /etc/selinux/restorecond.conf resolves the problem)