From Fedora Project Wiki

No edit summary
No edit summary
Line 13: Line 13:
* <code>staff_u</code> – X Windows login and terminal login, nosetuid except sudo.
* <code>staff_u</code> – X Windows login and terminal login, nosetuid except sudo.


The purpose of test day is to test these SELinux users on your desktop and in specific cases. So for example like <code>xguest_u</code>, <code>user_u</code> or <code>staff_u</code> try to login to X Windows, try to start '''Firefox''', IM, try to run terminal, try to run <code>ping</code>, <code>sudo</code> and so on.
The purpose of test day is to test these SELinux users on your desktop and in specific cases. So for example like <code>xguest_u</code>, <code>user_u</code> or <code>staff_u</code> try to login to X Windows, try to start '''Firefox''', IM, try to run terminal, <code>ping</code>, <code>sudo</code> and so on.


== What's Needed to Be Able to Test ==
== What's Needed to Be Able to Test ==
Line 26: Line 26:
== How to Test ==
== How to Test ==


The main goal is testing of chosen users and to do usual things for you with these SELinux users.
The main goal is to test chosen users and to do things which are usual for you with these SELinux users. For example if you log as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug.
 
For example if you log as <code>xguest</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug.


== Test Cases ==
== Test Cases ==
Line 36: Line 34:
{{admon/note|User capabilities|Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory}}
{{admon/note|User capabilities|Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory}}


Set up a server only machine, with apache service. And apache sharing users home directories. Change default login to guest_u. Create a directory named /secrets, and install mysql, make sure the database is world readable.
Set up a server only machine, with '''Apache''' service. Configure '''Apache''' in such a way that user home directories are accessible. Change default login to <code>guest_u</code>. Create a directory named <code>/secrets</code>, and install '''MySQL'''. Make sure the database is world readable.


Add an user account. Ssh to the box and try the following:
Add an user account. Ssh to the box and try the following:
Line 42: Line 40:
* Good Test - Try to do expected behaviour
* Good Test - Try to do expected behaviour
** Edit files in home directory.
** Edit files in home directory.
** scp files to home directory and public_html directory.
** <code>scp</code> files to home directory and <code>public_html</code> directory.
** Copy files to public_html directory.
** Copy files to <code>public_html</code> directory.
** Verify content is viewable via apache.
** Verify that the content is viewable via '''Apache'''.


* Bad Test - Try to do evil
* Bad Test - Try to do evil
** Try to ping off the box.
** Try to <code>ping</code> off the box.
** Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
** Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
** Copy an executable into home directory and try to execute it.
** Copy an executable into home directory and try to execute it.
** Try to read a file in the /secrets directory.
** Try to read a file in the <code>/secrets</code> directory.
** Try to read the mysql database.
** Try to read the '''MySQL''' database.


=== xguest_u ===
=== xguest_u ===
Line 57: Line 55:
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory}}
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory}}


Set up a client machine, with network access. Change default login to xguest_u. Create a directory named /secrets, and install mysql, make sure the database is world readable.
Set up a client machine, with network access. Change default login to <code>xguest_u</code>. Create a directory named <code>/secrets</code>, and install '''MySQL'''. Make sure the database is world readable.


Add an user account.
Add an user account.
Line 63: Line 61:
* Good Test - Try to do expected behaviour
* Good Test - Try to do expected behaviour
** Edit files in home directory.
** Edit files in home directory.
** Verify firefox works and can access the network. Try it on several sites like www.ford.com to verify flash works.
** Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify that flash works.
** Plug in USB disk and make sure xguest_u user can read/write the disk.
** Plug in USB disk and make sure <code>xguest_u</code> user can read/write the disk.
** Plug in USB camera and make sure it works.
** Plug in USB camera and make sure it works.
** Plug in other USB devices.
** Plug in other USB devices.
** Verify [[NetworkManager|Network Manager]] works.
** Verify '''Network Manager''' works.
** Verify printing from Firefox and from the desktop works.
** Verify printing from '''Firefox''' and from the desktop works.


* Bad Test - Try to do evil
* Bad Test - Try to do evil
** Try to ping off the box.
** Try to <code>ping</code> off the box.
** Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
** Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
** Copy an executable into home directory and try to execute it.
** Copy an executable into home directory and try to execute it.
** Try to read a file in the /secrets directory.
** Try to read a file in the <code>/secrets</code> directory.
** Try to read the mysql database.
** Try to read the '''MySQL''' database.


=== user_u ===
=== user_u ===
Line 81: Line 79:
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, noexec in home directory}}
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, noexec in home directory}}


Setup a client machine, with network access. Change default login to user_u. Create a directory named /secrets, and install mysql, make sure the database is world readable.
Setup a client machine, with network access. Change default login to <code>user_u</code>. Create a directory named <code>/secrets</code>, and install '''MySQL'''. Make sure the database is world readable.


Add an user account. Login to the box.
Add an user account. Login to the box.
Line 87: Line 85:
* Good Test - Try to do expected behaviour
* Good Test - Try to do expected behaviour
** Edit files in home directory
** Edit files in home directory
** verify firefox works and access network. Try it on several sites like www.ford.com to verify flash works.
** Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
** Verify other network protocols work, aol, ssh, sendmail etc.
** Verify other network protocols work (aol, ssh, mail etc.)
** Plug in USB disk and make sure xguest_u user can read/write disk
** Plug in USB disk and make sure <code>user_u</code> user can read/write disk.
** Plugin in USB camera and make sure it works.
** Plug in USB camera and make sure it works.
** Other USB devices.
** Plug in other USB devices.
** Verify [[NetworkManager|Network Manager]] works.
** Verify '''Network Manager''' works.
** Verify Printing from Firefox and from the desktop works.
** Verify printing from '''Firefox''' and from the desktop works.


* Bad Test - Try to do evil
* Bad Test - Try to do evil
** Try to ping off the box
** Try to <code>ping</code> off the box.
** Try to breakinto the root account , su, sudo
** Try to break into the root account via <code>su</code>, <code>sudo</code>.
** Copy and executable into homedir and try to execute it.
** Copy an executable into home directory and try to execute it.
** Try to read a file in the /secrets directory
** Try to read a file in the <code>/secrets</code> directory.
** try to read the mysql database.
** Try to read the '''MySQL''' database.


=== staff_u ===
=== staff_u ===
Line 106: Line 104:
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid except sudo}}
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid except sudo}}


Setup a client machine, with network access. Change default login to user_u.  Create a directory named /secrets, and install mysql, make sure the database is world readable.
Setup a client machine, with network access. Change default login to <code>staff_u</code>.  Create a directory named <code>/secrets</code>, and install '''MySQL'''. Make sure the database is world readable.


Add an user account. Login to the box
Add an user account. Login to the box.


* Good Test - Try to do expected behaviour
* Good Test - Try to do expected behaviour
** Edit files in home directory
** Edit files in home directory.
** verify firefox works and access network. Try it on several sites like www.ford.com to verify flash works.
** Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
** Verify other network protocols work, aol, ssh, sendmail etc.
** Verify other network protocols work (aol, ssh, mail etc.)
** Plug in USB disk and make sure xguest_u user can read/write disk
** Plug in USB disk and make sure <code>staff_u</code> user can read/write disk.
** Plug in USB camera and make sure it works.
** Plug in USB camera and make sure it works.
** Other USB devices.
** Plug in other USB devices.
** Verify [[NetworkManager|Network Manager]] works.
** Verify '''Network Manager''' works.
** Verify Printing from Firefox and from the desktop works.
** Verify printing from '''Firefox''' and from the desktop works.
** Try to ping off the box
** Try to <code>ping</code> off the box.
** Copy and executable into homedir and try to execute it.
** Copy an executable into home directory and try to execute it.
** Set up sudo and selinux to allow staff_t to become unconfined_t via sudo
** Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>unconfined_t</code> via <code>sudo</code>.


* Bad Test - Try to do evil
* Bad Test - Try to do evil
** Try to breakinto the root account sudo
** Try to break into the root account via <code>sudo</code>.
** Try to read a file in the /secrets directory
** Try to read a file in the <code>/secrets</code> directory.
** Try to read the mysql database.
** Try to read the '''MySQL''' database.


=== Kiosk user ===
=== Kiosk user ===


{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and /tmp get destroyed on logout}}
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and <code>/tmp</code> get destroyed on logout}}


Set up a client machine, with network access. Install xguest package.
Set up a client machine, with network access. Install <code>xguest</code> package.


* Good Test - Try to do expected behaviour
* Good Test - Try to do expected behaviour
** Edit files in home directory.
** Edit files in home directory.
** Verify firefox works and can access the network. Try it on several sites like www.ford.com to verify flash works.
** Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
** Plug in USB disk and make sure xguest_u user can read/write the disk.
** Plug in USB disk and make sure kiosk user can read/write the disk.
** Plug in USB camera and make sure it works.
** Plug in USB camera and make sure it works.
** Plug in other USB devices.
** Plug in other USB devices.
** Verify that '''Network Manager''' works.
** Verify that '''Network Manager''' works.
** Verify printing from Firefox and from the desktop works.
** Verify printing from '''Firefox''' and from the desktop works.
** Logout and log back to verify that home directory disappeared.
** Logout and login to verify that home directory disappeared.
** Verify password is not required.
** Verify that password is not required.


* Bad Test - Try to do evil
* Bad Test - Try to do evil
** Try to ping off the box.
** Try to <code>ping</code> off the box.
** Try any network protocol, try to get off the box (ssh, sendmail, telnet, rsh etc.)
** Try any network protocol, try to get off the box (ssh, sendmail, telnet, rsh etc.)
** Copy an executable into home directory and try to execute it.
** Copy an executable into home directory and try to execute it.
** Try to read a file in the /secrets directory
** Try to read a file in the <code>/secrets</code> directory.
** Try to read the mysql database.
** Try to read the '''MySQL''' database.
** Verify that you can not ssh into the box as the xguest account.
** Verify that you can not <code>ssh</code> into the box as the xguest account.


=== Confined administrator ===
=== Confined administrator ===


Let's set up an administrator that can manage '''MySQL''' and '''Apache'''.
Set up an administrator that can manage '''MySQL''' and '''Apache'''.


Set up a client machine, with network access. Build policy for <code>web_db_admin_t</code>. Add an user which can log in as <code>staff_u</code>. Setup a transition from <code>staff_u</code> to <code>web_db_admin_t</code>. Set up <code>sudo</code> to make this happen automatically. Create a directory named <code>/secrets</code>, and install '''MySQL''', make sure the database is world readable.
Set up a client machine, with network access. Build policy for <code>web_db_admin_t</code>. Add an user which can log in as <code>staff_u</code>. Setup a transition from <code>staff_t</code> to <code>web_db_admin_t</code>. Set up <code>sudo</code> to make this happen automatically. Create a directory named <code>/secrets</code> and install '''MySQL'''. Make sure the database is world readable.


* Good Test - try to do expected behaviour
* Good Test - try to do expected behaviour
** Edit files in home directory.
** Edit files in home directory.
** Verify '''Firefox''' works and can access the network. Try it on several sites like http://www.ford.com to verify flash works.
** Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
** Verify other network protocols work (aol, ssh, mail etc.)
** Verify other network protocols work (aol, ssh, mail etc.)
** Plug in USB disk and make sure xguest_u user can read/write the disk.
** Plug in USB disk and make sure <code>xguest_u</code> user can read/write the disk.
** Plug in USB camera and make sure it works.
** Plug in USB camera and make sure it works.
** Plug in other USB devices.
** Plug in other USB devices.
** Verify [[NetworkManager|Network Manager]] works.
** Verify '''Network Manager''' works.
** Verify printing from firefox and from the desktop works.
** Verify printing from '''Firefox''' and from the desktop works.
** Try to ping off the box.
** Try to <code>ping</code> off the box.
** Copy an executable into home directory and try to execute it.
** Copy an executable into home directory and try to execute it.
** Set up sudo and SELinux to allow staff_t to become unconfined_t via sudo.
** Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>unconfined_t</code> via <code>sudo</code>.
** Execute sudo sh and make sure you end up as web_db_adm_t.
** Execute <code>sudo sh</code> and make sure you end up as <code>web_db_adm_t</code>.
** Try to edit /var/www/html directory and some of the mysql directories.
** Try to edit <code>/var/www/html</code> directory and some of the '''MySQL''' directories.
** Try to start/stop mysql and apache.
** Try to start/stop '''MySQL''' and '''Apache'''.


* Bad Test - try to do evil
* Bad Test - try to do evil
Line 187: Line 185:
* Good Test - try to do expected behaviour
* Good Test - try to do expected behaviour
** Edit files in home directory.
** Edit files in home directory.
** Verify you can send a mail from this user.
** Verify you can send a mail as this user.


* Bad Test - try to do evil
* Bad Test - try to do evil

Revision as of 08:38, 15 October 2009

Confined Users Test Day

  • Devel contact: dwalsh, mgrepl
  • QE contact: mmalik, ebenes

What to Test?

Today's Fedora Test Day will focus on Confined SELinux Users. We want to write a policy confining a user by assigning the user an SELinux role where the policy controls what the user can do/access on the system. Current confined SELinux user types with their purpose of use are:

  • guest_u – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.
  • xguest_u – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.
  • user_u – X Windows login and terminal login, nosetuid, noexec in home directory.
  • staff_u – X Windows login and terminal login, nosetuid except sudo.

The purpose of test day is to test these SELinux users on your desktop and in specific cases. So for example like xguest_u, user_u or staff_u try to login to X Windows, try to start Firefox, IM, try to run terminal, ping, sudo and so on.

What's Needed to Be Able to Test

You will need following packages on your system:

  • selinux-policy-targeted
  • policycoreutils-gui
  • setroubleshoot

Set up SELinux users ...

How to Test

The main goal is to test chosen users and to do things which are usual for you with these SELinux users. For example if you log as xguest_u and try to run ping or sudo in your favourite terminal you won't be able to run it. But if you won't be able to run Firefox then probably this is a bug.

Test Cases

guest_u

User capabilities
Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory

Set up a server only machine, with Apache service. Configure Apache in such a way that user home directories are accessible. Change default login to guest_u. Create a directory named /secrets, and install MySQL. Make sure the database is world readable.

Add an user account. Ssh to the box and try the following:

  • Good Test - Try to do expected behaviour
    • Edit files in home directory.
    • scp files to home directory and public_html directory.
    • Copy files to public_html directory.
    • Verify that the content is viewable via Apache.
  • Bad Test - Try to do evil
    • Try to ping off the box.
    • Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
    • Copy an executable into home directory and try to execute it.
    • Try to read a file in the /secrets directory.
    • Try to read the MySQL database.

xguest_u

User capabilities
X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory

Set up a client machine, with network access. Change default login to xguest_u. Create a directory named /secrets, and install MySQL. Make sure the database is world readable.

Add an user account.

  • Good Test - Try to do expected behaviour
    • Edit files in home directory.
    • Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify that flash works.
    • Plug in USB disk and make sure xguest_u user can read/write the disk.
    • Plug in USB camera and make sure it works.
    • Plug in other USB devices.
    • Verify Network Manager works.
    • Verify printing from Firefox and from the desktop works.
  • Bad Test - Try to do evil
    • Try to ping off the box.
    • Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
    • Copy an executable into home directory and try to execute it.
    • Try to read a file in the /secrets directory.
    • Try to read the MySQL database.

user_u

User capabilities
X Windows login and terminal login, nosetuid, noexec in home directory

Setup a client machine, with network access. Change default login to user_u. Create a directory named /secrets, and install MySQL. Make sure the database is world readable.

Add an user account. Login to the box.

  • Good Test - Try to do expected behaviour
    • Edit files in home directory
    • Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    • Verify other network protocols work (aol, ssh, mail etc.)
    • Plug in USB disk and make sure user_u user can read/write disk.
    • Plug in USB camera and make sure it works.
    • Plug in other USB devices.
    • Verify Network Manager works.
    • Verify printing from Firefox and from the desktop works.
  • Bad Test - Try to do evil
    • Try to ping off the box.
    • Try to break into the root account via su, sudo.
    • Copy an executable into home directory and try to execute it.
    • Try to read a file in the /secrets directory.
    • Try to read the MySQL database.

staff_u

User capabilities
X Windows login and terminal login, nosetuid except sudo

Setup a client machine, with network access. Change default login to staff_u. Create a directory named /secrets, and install MySQL. Make sure the database is world readable.

Add an user account. Login to the box.

  • Good Test - Try to do expected behaviour
    • Edit files in home directory.
    • Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    • Verify other network protocols work (aol, ssh, mail etc.)
    • Plug in USB disk and make sure staff_u user can read/write disk.
    • Plug in USB camera and make sure it works.
    • Plug in other USB devices.
    • Verify Network Manager works.
    • Verify printing from Firefox and from the desktop works.
    • Try to ping off the box.
    • Copy an executable into home directory and try to execute it.
    • Set up sudo and SELinux to allow staff_t to become unconfined_t via sudo.
  • Bad Test - Try to do evil
    • Try to break into the root account via sudo.
    • Try to read a file in the /secrets directory.
    • Try to read the MySQL database.

Kiosk user

User capabilities
X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and /tmp get destroyed on logout

Set up a client machine, with network access. Install xguest package.

  • Good Test - Try to do expected behaviour
    • Edit files in home directory.
    • Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    • Plug in USB disk and make sure kiosk user can read/write the disk.
    • Plug in USB camera and make sure it works.
    • Plug in other USB devices.
    • Verify that Network Manager works.
    • Verify printing from Firefox and from the desktop works.
    • Logout and login to verify that home directory disappeared.
    • Verify that password is not required.
  • Bad Test - Try to do evil
    • Try to ping off the box.
    • Try any network protocol, try to get off the box (ssh, sendmail, telnet, rsh etc.)
    • Copy an executable into home directory and try to execute it.
    • Try to read a file in the /secrets directory.
    • Try to read the MySQL database.
    • Verify that you can not ssh into the box as the xguest account.

Confined administrator

Set up an administrator that can manage MySQL and Apache.

Set up a client machine, with network access. Build policy for web_db_admin_t. Add an user which can log in as staff_u. Setup a transition from staff_t to web_db_admin_t. Set up sudo to make this happen automatically. Create a directory named /secrets and install MySQL. Make sure the database is world readable.

  • Good Test - try to do expected behaviour
    • Edit files in home directory.
    • Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
    • Verify other network protocols work (aol, ssh, mail etc.)
    • Plug in USB disk and make sure xguest_u user can read/write the disk.
    • Plug in USB camera and make sure it works.
    • Plug in other USB devices.
    • Verify Network Manager works.
    • Verify printing from Firefox and from the desktop works.
    • Try to ping off the box.
    • Copy an executable into home directory and try to execute it.
    • Set up sudo and SELinux to allow staff_t to become unconfined_t via sudo.
    • Execute sudo sh and make sure you end up as web_db_adm_t.
    • Try to edit /var/www/html directory and some of the MySQL directories.
    • Try to start/stop MySQL and Apache.
  • Bad Test - try to do evil
    • Try to break into the root account via su.
    • Try to read a file in the /secrets directory.
    • Try to read the MySQL database.
    • As web_db_adm_t try to add an user, modify files in /usr/share.

Guest user that can send an email

Set up a server machine, with network access. Build policy for sendmail_user_t. Add an user which can log in as sendmail_user_u.

  • Good Test - try to do expected behaviour
    • Edit files in home directory.
    • Verify you can send a mail as this user.
  • Bad Test - try to do evil
    • Try to break into the root account via sudo.
    • Try to read a file in the /secrets directory.
    • Try to read the MySQL database.

Links

  1. http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
  2. http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/
  3. http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
  4. http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
Retrieved from "https://fedoraproject.org/w/index.php?title=Test_Day:2009-10-20_SELinux_Confined_Users&oldid=130010"