Confined Users Test Day
- Devel contact: dwalsh, mgrepl
- QE contact: mmalik, ebenes
- IRC channel: #fedora-test-day on irc.freenode.net
What to Test?
Today's Fedora Test Day will focus on Confined SELinux Users. We want to write a policy confining a user by assigning the user an SELinux role where the policy controls what the user can do/access on the system. Current confined SELinux user types with their purpose of use are:
guest_u
– Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.xguest_u
– X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.user_u
– X Windows login and terminal login, nosetuid, noexec in home directory.staff_u
– X Windows login and terminal login, nosetuid exceptsudo
.
The purpose of test day is to test these SELinux users on your desktop and in specific cases. So for example like xguest_u
, user_u
or staff_u
try to login to X Windows, try to start Firefox, IM, try to run terminal, ping
, sudo
and so on.
What's Needed to Be Able to Test
You will need a Rawhide or Fedora 12 machine. You will need following packages on the machine:
selinux-policy-targeted
policycoreutils-gui
setroubleshoot
xguest
How to Test
The main goal is to test chosen users and to do things which are usual for you with these SELinux users. For example if you log as xguest_u
and try to run ping
or sudo
in your favourite terminal you won't be able to run it. But if you won't be able to run Firefox then probably this is a bug.
Test Cases
guest_u
As root set up a server only machine, with Apache service. Configure Apache in such a way that user home directories are accessible. Add an user which can log in as guest_u
(useradd -Z guest_u USERNAME
). Create a directory named /secrets
, and install MySQL. Make sure the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
scp
files to home directory andpublic_html
directory.- Copy files to
public_html
directory. - Verify that the content is viewable via Apache.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try any network protocol, try to get off the machine (ssh, sendmail, rsh, telnet etc.)
- Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database.
- Try to
User | PASSED | FAILED | References |
---|
xguest_u
As root set up a client machine, with network access. Add an user which can log in as xguest_u
(useradd -Z xguest_u USERNAME
). Create a directory named /secrets
, and install MySQL. Make sure the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify that flash works.
- Plug in USB disk and make sure
xguest_u
user can read/write the disk. - Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try any network protocol, try to get off the machine (ssh, sendmail, rsh, telnet etc.)
- Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database.
- Try to
user_u
As root set up a client machine, with network access. Add an user which can log in as user_u
(useradd -Z user_u USERNAME
). Create a directory named /secrets
, and install MySQL. Make sure the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Verify other network protocols work (aol, ssh, mail etc.)
- Plug in USB disk and make sure
user_u
user can read/write disk. - Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try to break into the root account via
su
,sudo
. - Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database.
- Try to
staff_u
As root set up a client machine, with network access. Add an user which can log in as staff_u
(useradd -Z staff_u USERNAME
). Create a directory named /secrets
, and install MySQL. Make sure the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Verify other network protocols work (aol, ssh, mail etc.)
- Plug in USB disk and make sure
staff_u
user can read/write disk. - Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Try to
ping
off the machine. - Copy an executable into home directory and try to execute it.
- Set up
sudo
and SELinux to allowstaff_t
to becomeunconfined_t
viasudo
.
- Bad Test - try to do evil
- Try to break into the root account via
sudo
. - Try to read a file in the
/secrets
directory. - Try to read the MySQL database.
- Try to break into the root account via
Kiosk user
As root set up a client machine, with network access. Install xguest
package.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Plug in USB disk and make sure the kiosk user can read/write the disk.
- Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify that Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Logout and login to verify that home directory disappeared.
- Verify that password is not required.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try any network protocol, try to get off the machine (ssh, sendmail, telnet, rsh etc.)
- Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database.
- Verify that you can not
ssh
into the machine asxguest_u
.
- Try to
Confined administrator
As root set up a client machine, with network access. Build policy for web_db_admin_t
. Add an user which can log in as staff_u
(useradd -Z staff_u USERNAME
). Set up a transition from staff_t
to web_db_admin_t
. Set up sudo
to make this happen automatically. Create a directory named /secrets
and install MySQL. Make sure the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Verify other network protocols work (aol, ssh, mail etc.)
- Plug in USB disk and make sure the confined administrator can read/write the disk.
- Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Try to
ping
off the machine. - Copy an executable into home directory and try to execute it.
- Set up
sudo
and SELinux to allowstaff_t
to becomeunconfined_t
viasudo
. - Execute
sudo sh
and make sure you end up asweb_db_adm_t
. - Try to edit
/var/www/html
directory and some of the MySQL directories. - Try to start/stop MySQL and Apache.
- Bad Test - try to do evil
- Try to break into the root account via
su
. - Try to read a file in the
/secrets
directory. - Try to read the MySQL database.
- As
web_db_adm_t
try to add an user, modify files in/usr/share
.
- Try to break into the root account via
Guest user that can send an email
As root set up a server machine, with network access. Build policy for sendmail_user_t
. Add an user which can log in as sendmail_user_u
(useradd -Z sendmail_user_u USERNAME
).
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify you can send a mail as this user.
- Bad Test - try to do evil
- Try to break into the root account via
sudo
. - Try to read a file in the
/secrets
directory. - Try to read the MySQL database.
- Try to break into the root account via
Links
- http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
- http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/
- http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
- http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html