DATE | TIME | WHERE |
Tue Oct 20, 2009 | ALL DAY | #fedora-test-day) |
What to Test?[edit]
Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are:
user role | terminal login | xwindows login | network | exec in homedir | setuid | notes |
---|---|---|---|---|---|---|
guest_u | yes | no | no | no | no | |
xguest_u | yes | yes | no* | no | no | * only Firefox |
user_u | yes | yes | yes | no | no | |
staff_u | yes | yes | yes | yes | no* | * sudo allowed
|
kiosk user | yes | yes | no | no | no | No password required. Home directory and /tmp get destroyed on logout.
|
confined admin | yes | yes | yes | yes | yes | Able to manage only a predefined set of services. |
The purpose of test day is to test these SELinux users in usual/specific use cases.
Who's available[edit]
The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion.
- Development: dwalsh, mgrepl
- Quality: mmalik, ebenes
What's Needed to test[edit]
- You will need a fully updated Rawhide, Fedora 12 Beta or the Rawhide nightly Live Image
- You will need following packages installed on the machine. Please run
yum install PACKAGE
as root to install them and check that their versions match:selinux-policy-targeted-3.6.32-24.fc12
policycoreutils-gui-2.0.74-4.fc12
setroubleshoot-2.2.37-1.fc12
audit-2.0.1-1.fc12
xguest-1.0.7-7.fc12
- The content of
/var/log/messages
will be useful during testing and reporting issues. Connect to your test system and prepare the system for gathering output using the commands below:
echo > /var/log/audit/audit.log service auditd restart service messagebus start service restorecond restart setenforce 1 tail -f /var/log/messages
Live Image[edit]
You may download a non-destructive rawhide live image for your architecture. Tips on using a live image are available at FedoraLiveCD.
Architecture | SHA256SUM |
---|---|
i686 | b4c8631aeb40bf4594bbb64c189b1c66f0c7f7cd763ae50ce8f6ce800746aee4
|
x86_64 | fa4e971ed3af85b4aaf7ac5630b0efce5b51c11749dc13b42556cfc7ccf5af56
|
How to Test[edit]
The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as xguest_u
and try to run ping
or sudo
in your favourite terminal you won't be able to run it. But if you won't be able to run Firefox then probably this is a bug.
If you usually use another web browser than Firefox, please continue to do so during the test day. Our intent is to test at least one program from each of the following groups:
- mail clients (
mutt
,alpine
etc.) - editors (
vim
,emacs
,nano
etc.) - networking tools (
ping
,traceroute
etc.) - FTP clients
- web browsers
- audio / video players
- samba mounting / tools
- NFS mounting / tools
- Java apps
- office apps
- printing / scanning tools
- photo / camera manipulation
- CD/DVD reading / writing
- IM clients
- flash players
Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).
User | audit.log references
|
---|
How to Report Problems[edit]
If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before filing a bug
- Permissive mode - switch to permissive mode (
setenforce 0
) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (setenforce 1
) before next testing. Root shell is needed. ausearch
- Runausearch
as advised below to see if new AVC messages appeared. Root shell is needed.- fpaste.org - Make the AVC message public via http://fpaste.org/ . Add a short description what you did and what happened or did not happen. Please increase the default expiry time to 1 day, because the default is 1 hour.
- IRC - Communicate with others on IRC channel to find out if they encountered the same problem. It's likely that someone on IRC channel knows the solution or already reported the problem.
sealert
- Look at the end of/var/log/messages
and search for messages containingsealert
. Runsealert
with parameters as advised. Root shell is needed.- Bugzilla - Lastly, file a bug in Red Hat Bugzilla. Be sure to set the following attributes: Product: Fedora, Version: rawhide, Component: selinux-policy. Alternatively, follow this link to file a bug against selinux-policy. Do not forget to supply the description of actions you did, the AVC message and the full output of
sealert
.
Here is an example how to display AVCs which arose since a specific time:
START_DATE_TIME=
date "+%m/%d/%Y %T"
- do something as confined user
ausearch -m AVC -ts $START_DATE_TIME
Test Cases[edit]
Here you can find a few test cases. Please run as many of them as possible. Below each test case you can see a table, where you should write your results. Please add a line with your username and list of tests you ran/skipped into the table. The table could look this way:
User | Passed | Failed | Skipped | References |
---|---|---|---|---|
User:mmalik | G.1 G.2 | B.1 B.2 B.3 | G.3 G.4 |
guest_u[edit]
As root set up a server only machine, with Apache service (yum install httpd
). Configure Apache in such a way that user home directories are accessible. Make sure Apache service is running (service httpd start
). Add an user which can log in as guest_u
(useradd -Z guest_u USERNAME
). Create a directory named /secrets
. Install MySQL (yum install mysql-server
). Make sure MySQL service is running (service mysqld start
) and the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
scp
files to home directory andpublic_html
directory.- Copy files to
public_html
directory. - Verify that the content is viewable via Apache.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try any network protocol, try to get off the machine (ssh, mail, rsh, telnet etc.)
- Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database (
mysqlshow
).
- Try to
User | Passed | Failed | Skipped | References |
---|---|---|---|---|
User:czhang | G1.G3.B1.B2.B3.B4.B5 | G4[1] | G2[2] | |
User:hdong | G1.G3.B1~B5 | G4[1] | G2[2] | |
User:Rhe | G1,G2,G3,B3,B4,B5 | G4[1], B1[2], B2[3] | ||
User:tpelka | G1~3,G4[1],B1~5 |
| ||
User:mmaslano | G1,G2,G3,G4,B1,B2,B3 | B4,B5 | Directions are ambiguous. Howto apache was missing. | |
varekova | G1~G3,B1~B5 | G4 [1] |
| |
User:psss | G1, G2, G3, B1, B2, B3, B4, B5 | G4[long 1] | Filed bugs #529852 and #529827. | |
User:mmalik | G1, G2, G3, B1, B2, B3, B4, B5 | G4[1] |
|
xguest_u[edit]
As root set up a client machine, with network access. Add an user which can log in as xguest_u
(useradd -Z xguest_u USERNAME
). Create a directory named /secrets
. Install MySQL (yum install mysql-server
). Make sure MySQL service is running (service mysqld start
) and the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify that flash works.
- Plug in USB disk and make sure
xguest_u
user can read/write the disk. - Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try any network protocol, try to get off the machine (ssh, mail, rsh, telnet etc.)
- Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database (
mysqlshow
).
- Try to
User | Passed | Failed | Skipped | References |
---|---|---|---|---|
User:czhang | G1.G5.G6.G7[1].B1~B5 | G2[2].G3[3] | G4[4] | |
guaneryu | G.1 G.2[1] G.6 G.7 B.1~B.5 | G.3~G.5[2] | ||
User:jbao | G.1 G.2 G.3 G.7 B.1~B.5 | G.6[1] | G.4~G.5[2] | |
hdong | G1.G2.G3.G7 B1~B5 | G6[1] | G4.G5[2] | |
User:Rhe | G1.G5.B1~B5 | G2[1].G3[2].G6[3][4] | G4.G7 | |
varekova | G1 G6 B1~B5 | G2[1] | G3~G5[2] | |
User:mmaslano | G1 G2 G3 G6 G7 B1-4 | G4 G5 | FF worked firefox-3.5.3-1.fc12.x86_64. I have updated rawhide. | |
jkoten | G1 G3 G6 B1-5 | G2[1] | G7 | |
User:psss | G1, G3, G6, B1, B2, B3, B4, B5 | G2[1] | G4, G5, G7 |
|
User:mmalik | G1, B1, B2, B3, B4, B5 | G2[1] | G3, G4, G5, G6, G7 |
|
User:tpelka | [1]G1~4,G7,B1,B2,B3,B4,B5 | G5,G6[2] |
user_u[edit]
As root set up a client machine, with network access. Add an user which can log in as user_u
(useradd -Z user_u USERNAME
). Create a directory named /secrets
. Install MySQL (yum install mysql-server
). Make sure MySQL service is running (service mysqld start
) and the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Verify other network protocols work (aol, ssh, mail etc.)
- Plug in USB disk and make sure
user_u
user can read/write disk. - Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try to break into the root account via
su
,sudo
. - Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database (
mysqlshow
).
- Try to
User | Passed | Failed | Skipped | References\ |
---|---|---|---|---|
guaneryu | G.1 G.2 G.3 G.7 B.1 B.2 B.4 B.5 | B.3[1] | G4~G6[2].G8 | |
User:jbao | G1.G2.G3.G4.G8 B1.B2.B4.B5 | G7[1] B3[2] | G5~G6[3] | |
varekova | G.1 G.3 G.7 B.1 B.2 B.4 | G2[1] B.3[2] | G.4~G.6, G.8[3] | |
User:mmaslano | G1-5 G7 B2-4 | B1 B5 | G6 | G6 no NM applet in KDE tray |
User:Rhe | G1.G3.G4.G6.B1.B2.B4.B5 | G2[1].G7[2].B3[3] | G5.G8 | |
User:hdong | G1.G2.G3.G4.G8.B1.B2.B4.B5 | G7[1].B3[2] | G5.G6[3] | |
User:tpelka | G1~4,G7,G8,B1,B2,B4,B5 | B3[1] | G5,G6[2] |
staff_u[edit]
As root set up a client machine, with network access. Add an user which can log in as staff_u
(useradd -Z staff_u USERNAME
). Create a directory named /secrets
. Install MySQL (yum install mysql-server
). Make sure MySQL service is running (service mysqld start
) and the database is world readable.
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Verify other network protocols work (aol, ssh, mail etc.)
- Plug in USB disk and make sure
staff_u
user can read/write disk. - Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Try to
ping
off the machine - Copy an executable into home directory and try to execute it.
- Set up
sudo
and SELinux to allowstaff_t
to becomeunconfined_t
viasudo
.
add a record to sudoers using visudo:
# semanage user -m -R "staff_r unconfined_r system_r" staff_uUSERNAME ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
- Execute sudo sh and make sure you end up as unconfined_t.
# sudo sh
# id -Z
- Bad Test - try to do evil
- Try to break into the root account via
sudo
. - Try to read a file in the
/secrets
directory. - Try to read the MySQL database (
mysqlshow
).
- Try to break into the root account via
User | Passed | Failed | Skipped | References |
---|---|---|---|---|
User:jbao | G1.G2.G3.G4.G8.G9.G10.G11.G12.B1~B3 | G7[1] | G5~G6[2] | |
guaneryu | G.1~G.3 G.7 G.9~G.12 B.1~B.3 | G.4~G.6 G.8[1] |
| |
varekova | G.1 G.3 G.7 G.9~G.12 B.1~B.3 | G.2[1] | G.4~G.6 G.8[2] | |
User:Rhe | G1. G3. G4. G6. G9. G10. B1~B3 | G2[1]. G7[2]. G11[3] | G5. G6. G12 | |
User:hdong | G1.G2.G3.G4.G8.G9.G10.G11.G12 B1~B3 | G7[1] | G5.G6[2] | |
User:tpelka | G1~4,G7,G8~12,B1~3 | G5,G6[1] |
|
Kiosk user[edit]
As root set up a client machine, with network access. Make sure xguest
package is installed (yum install xguest
).
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Plug in USB disk and make sure the kiosk user can read/write the disk.
- Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify that Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Logout and login to verify that home directory disappeared.
- Verify that password is not required.
- Bad Test - try to do evil
- Try to
ping
off the machine. - Try any network protocol, try to get off the machine (ssh, mail, telnet, rsh etc.)
- Copy an executable into home directory and try to execute it.
- Try to read a file in the
/secrets
directory. - Try to read the MySQL database (
mysqlshow
). - Verify that you can not
ssh
into the machine asxguest_u
.
- Try to
User | Passed | Failed | Skipped | References |
---|---|---|---|---|
jkoten | G1 G2 | G8[1] G9[2] | B1-6 [3] | |
User: hdong | G1.G2.G3.G7 | G8[1].G9[2] | G4.G5[3]G6 B1~B6[4] | |
User: tpelka | G1,G2,G3,G7 | G8[1],G9[2] | G4,G5[3]G6,B1~B6[4] |
Guest user that can send an email[edit]
As root set up a server machine, with network access. Build policy for sendmail_user_t
(Example how to create confined SELinux user). Add an user which can log in as sendmail_user_u
(useradd -Z sendmail_user_u USERNAME
).
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify you can send a mail as this user.
- Bad Test - try to do evil
- Try to break into the root account via
sudo
. - Try to read a file in the
/secrets
directory. - Try to read the MySQL database (
mysqlshow
).
- Try to break into the root account via
User | Passed | Failed | Skipped | References |
---|---|---|---|---|
ebenes | G1,G2[1], B1,B2,B3 | |||
User: tpelka | G1,G2,B1~3[1] |
Confined administrator[edit]
As root set up a client machine, with network access. Build policy for web_db_admin_t
(Example how to create confined SELinux user). Add an user which can log in as staff_u
(useradd -Z staff_u USERNAME
). Set up a transition from staff_t
to web_db_admin_t
. Set up sudo
to make this happen automatically. Create a directory named /secrets
and install MySQL (yum install mysql-server
). Make sure MySQL is running (service mysqld start
) and the database is world readable. Install Apache (yum install httpd
) and make sure the service is running (service httpd start
).
Log in to the machine and try the following:
- Good Test - try to behave correctly
- Edit files in home directory.
- Verify Firefox works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
- Verify other network protocols work (aol, ssh, mail etc.)
- Plug in USB disk and make sure the confined administrator can read/write the disk.
- Plug in USB camera and make sure it works.
- Plug in other USB devices.
- Verify Network Manager works.
- Verify printing from Firefox and from the desktop works.
- Try to
ping
off the machine. - Copy an executable into home directory and try to execute it.
- Set up
sudo
and SELinux to allowstaff_t
to becomeweb_db_adm_t
viasudo
. - Execute
sudo sh
and make sure you end up asweb_db_adm_t
. - Try to edit
/var/www/html
directory and some of the MySQL directories. - Try to stop and start MySQL and Apache (
service NAME start
andservice NAME stop
).
- Bad Test - try to do evil
- Try to break into the root account via
su
. - Try to read a file in the
/secrets
directory. - Try to read the MySQL database (
mysqlshow
). - As
web_db_adm_t
try to add an user, modify files in/usr/share
.
- Try to break into the root account via
User | Passed | Failed | Skipped | References |
---|---|---|---|---|
User: tpelka | G1~14,B1~4[1] |
Links[edit]
- http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
- http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/
- http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
- http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
Long comments[edit]
- ↑ restorecond -u not running for guest_u (running restorecon -R public_html or adding "~/* ~/public_html/*" to /etc/selinux/restorecond.conf resolves the problem)