From Fedora Project Wiki
Revision as of 12:33, 29 May 2023

How to debug SELinux issues

This page is currently a draft.

Install packages useful for debugging

$ sudo dnf -y install setools-console selinux-policy-devel policycoreutils-newrole strace initscripts-service bzip2

Enable full auditing

For performance reasons, full auditing is not enabled by default. Instructions for enabling it:

1. Open the /etc/audit/rules.d/audit.rules file in an editor.

2. Remove the following line if it exists:

-a task,never

3. Add the following line to the end of the file:

-w /etc/shadow -p w

4. Restart the audit daemon using the legacy service command, or reboot the system:

$ sudo service auditd restart

5. Run the scenario that results in SELinux denials.

6. Collect AVC denials:

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
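The rules edit from steps 2 and 3 and a first pass over the output of step 6, as an added example that is not part of the wiki page: the first function applies the edit idempotently to whatever rules file you pass it (a copy of /etc/audit/rules.d/audit.rules for a dry run), the second reads ausearch -i output on stdin and counts denials per source type, target type, object class and permission set. The AVC lines are constructed sample data, not from a real system.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page.

# Apply steps 2 and 3 to the audit rules file given as $1.
# Pass a copy of /etc/audit/rules.d/audit.rules to dry-run it.
enable_full_audit_rules() {
    rules="$1"
    # Step 2: drop the "-a task,never" rule if it is present.
    sed -i '/^-a task,never$/d' "$rules"
    # Step 3: append the watch only once, so re-running does not duplicate it.
    grep -qxF -- '-w /etc/shadow -p w' "$rules" ||
        printf '%s\n' '-w /etc/shadow -p w' >> "$rules"
}

# Read "ausearch -i -m avc" output on stdin and print one line per distinct
# "<source type> -> <target type> <class> { perms }" with its count, most frequent first.
summarize_avc() {
    awk '/type=AVC/ && /denied/ {
        p = $0; sub(/.*denied +[{] +/, "", p); sub(/ +[}].*/, "", p)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        n[sa[3] " -> " ta[3] " " c " { " p " }"]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of ausearch -i output (not captured from a real system).
SAMPLE_AVC='type=AVC msg=audit(05/29/2023 12:33:01.100:201) : avc:  denied  { read } for  pid=1234 comm=httpd name=index.html dev="vda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/29/2023 12:33:02.200:202) : avc:  denied  { read } for  pid=1234 comm=httpd name=style.css dev="vda1" ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/29/2023 12:33:03.300:203) : avc:  denied  { name_connect } for  pid=1234 comm=httpd dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# Summarize the sample; on a live system pipe the ausearch command from step 6 in instead.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```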

Setting up confined users

Create new users assigned to a particular SELinux user

# Run as root. Each Linux user is mapped to the SELinux user of the same name (guest_u, xguest_u, user_u, staff_u).
# The password variable must not be called PWD: the shell always sets PWD to the current directory, so the default would never apply.
PASSWORD=${PASSWORD-"my_p4ss-w0rd"}
for username in guest xguest user staff
do
  adduser -Z "${username}_u" "${username}"
  echo "${PASSWORD}" | passwd --stdin "${username}"
done

Assign a SELinux user to an existing Linux user

$ sudo semanage login -a -s staff_u existinguser
$ sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
...
existinguser         staff_u              s0-s0:c0.c1023       *

Assign a SELinux user an additional role

By default, the staff_u SELinux user is not assigned the dbadm_r role, so a staff user cannot switch to it.

$ sudo semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
...
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
$ sudo semanage user -m -R "staff_r sysadm_r system_r unconfined_r dbadm_r" staff_u
$ sudo semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
...
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r dbadm_r

Assign admin roles to Linux users when they use sudo

sudo can be configured so that, when a command is run through it, the SELinux role and the corresponding type change along with the user ID. The file is written with tee because a shell redirection such as sudo cat > file is performed by the unprivileged shell and fails on /etc/sudoers.d.

$ sudo tee /etc/sudoers.d/admin-roles > /dev/null << 'EOF'
# staff can become sysadm for all commands and shell
staff        ALL=(ALL)       ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: ALL
# staff2 can only run networking commands
#Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
#staff2        ALL=(ALL)       ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: NETWORKING
# staff3 can become dbadm for database administration
#Cmnd_Alias DATABASES = /usr/bin/mariadb-admin, /usr/bin/mysqladmin, /usr/bin/psql
#staff3        ALL=(ALL)       ROLE=dbadm_r TYPE=dbadm_t NOPASSWD: DATABASES
EOF

Switch the system to SELinux permissive mode

For testing, permissive mode is useful: SELinux logs every denial but does not enforce it, so you can gather as many denials as possible without being blocked in your actual work.

Open the /etc/selinux/config file in an editor, change the SELINUX=enforcing line to

SELINUX=permissive

and reboot the system. After tests finish, switch the system back to enforcing.

For a one-time change to permissive, execute

$ sudo setenforce 0

The setting is valid until the next reboot.

Advanced debugging

Install additional tools and debugging information for affected packages (systemd in this example).

$ sudo dnf -y install dnf-utils strace perf
$ sudo debuginfo-install "systemd*"

t.b.c.