From Fedora Project Wiki

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
{|border="1"
= Confined Users Test Day =
|-style="color: white; background-color: #3074c2; font-weight: bold"
* '''Devel contact:''' dwalsh, mgrepl
| DATE || TIME || WHERE
* '''QE contact:''' mmalik, ebenes
|-
| Tue Oct 20, 2009 || ALL DAY || [irc://irc.freenode.net/fedora-test-day #fedora-test-day])
|-
|}


== What to Test? ==
== What to Test? ==
Today's Fedora Test Day will focus on Confined SELinux Users. We want to write a policy confining a user by assigning the user an SELinux role where the policy controls what the user can do/access on the system. Current confined SELinux user types with their purpose of use are:


Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are:
* guest_u – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.
* xguest_u – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.
* user_u – X Windows login and terminal login, nosetuid, noexec in home directory.
* staff_u – X Windows login and terminal login, nosetuid except sudo.


{|
The purpose of test day is testing these SELinux users in your desktop and try to test users in specific cases. So for example like xguest_u, user_u or staff_u try to login to X Windows, try to start firefox, IM, try to run terminal, try to run ping, sudo and so on.
! user role            !! terminal login !! xwindows login !! network !! exec in homedir !! setuid !! notes
|-
| '''guest_u'''        || yes            || no            || no      || no              || no    ||
|-                                                                                                             
| '''xguest_u'''        || yes            || yes            || no*    || no              || no    || * only Firefox
|-                                                                                                             
| '''user_u'''          || yes            || yes            || yes    || no              || no    ||
|-                                                                                                             
| '''staff_u'''        || yes            || yes            || yes    || yes            || no*    || * <code>sudo</code> allowed
|-                                                                                                             
| '''kiosk user'''      || yes            || yes            || no      || no              || no    || No password required. Home directory and <code>/tmp</code> get destroyed on logout.
|-                                                                                                             
| '''confined admin'''  || yes            || yes            || yes    || yes            || yes    || Able to manage only a predefined set of services.
|}


The purpose of test day is to test these SELinux users in usual/specific use cases.
== What's Needed to Be Able to Test ==
You will need following packages on your system:
* selinux-policy-targeted
* policycoreutils-gui
* setroubleshoot


== Who's available ==
Set up SELinux users ...
 
The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion.  
 
* '''Development:''' dwalsh, mgrepl
* '''Quality:''' mmalik, ebenes
 
== What's Needed to test ==
 
* You will need a fully updated [[Releases/Rawhide|Rawhide]], [http://fedoraproject.org/get-prerelease Fedora 12 Beta] or the [http://alt.fedoraproject.org/pub/alt/nightly-composes/desktop/ Rawhide nightly Live Image]
* You will need following packages installed on the machine. Please run <code>yum install PACKAGE</code> as root to install them and check that their versions match:
** <code>selinux-policy-targeted-3.6.32-24.fc12</code>
** <code>policycoreutils-gui-2.0.74-4.fc12</code>
** <code>setroubleshoot-2.2.37-1.fc12</code>
** <code>audit-2.0.1-1.fc12</code>
** <code>xguest-1.0.7-7.fc12</code>
* The content of {{filename|/var/log/messages}} will be useful during testing and reporting issues.  Connect to your test system and prepare the system for gathering output using the commands below:
<pre>
echo > /var/log/audit/audit.log
service auditd restart
service messagebus start
service restorecond restart
setenforce 1
tail -f /var/log/messages
</pre>
 
{{admon/important|No production testing| Please do not use production machine for this testing. }}
 
=== '''Live Image''' ===
 
You may download a non-destructive rawhide live image for your architecture. Tips on using a live image are available at [[FedoraLiveCD]].
 
{|
! Architecture !! SHA256SUM
|-
| [http://jlaska.fedorapeople.org/live/livecd-selinux-test-day-200910191654-i386.iso i686] || <code>b4c8631aeb40bf4594bbb64c189b1c66f0c7f7cd763ae50ce8f6ce800746aee4</code>
|-
| [http://jlaska.fedorapeople.org/live/livecd-selinux-test-day-200910191709-x86_64.iso x86_64] || <code>fa4e971ed3af85b4aaf7ac5630b0efce5b51c11749dc13b42556cfc7ccf5af56</code>
|}


== How to Test ==
== How to Test ==
The main goal is testing of chosen users and to do usual things for you with these SELinux users.


The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug.
For example if you log as 'xguest' and try to run ping or sudo in your favourite terminal you won't be able to run it. But if you won't be able to run Firefox then probably this is a bug.
 
If you usually use another web browser than '''Firefox''', please continue to do so during the test day. Our intent is to test at least one program from each of the following groups:
# mail clients (<code>mutt</code>, <code>alpine</code> etc.)
# editors (<code>vim</code>, <code>emacs</code>, <code>nano</code> etc.)
# networking tools (<code>ping</code>, <code>traceroute</code> etc.)
# FTP clients
# web browsers
# audio / video players
# samba mounting / tools
# NFS mounting / tools
# Java apps
# office apps
# printing / scanning tools
# photo / camera manipulation
# CD/DVD reading / writing
# IM clients
# flash players
 
Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).


{{admon/tip|<code>audit.log</code> upload|Be so kind and upload your <code>/var/log/audit/audit.log</code> after you finish the testing. Please leave a reference to it in the following table. This action is optional but it will help us not to forget/miss any of possible AVC messages.}}
=== Test Cases ===
==== guest_u ====
. – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.


{|
Set up a server only machine, with apache service. And apache sharing users home directories. Change default login to guest_u. Create a directory named /secrets, and install mysql, make sure the database is world readable.
! User
! <code>audit.log</code> references
|}


== How to Report Problems ==
Add an user account. Ssh to the box and try the following:


If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before filing a bug
* Good Test - Try to do expected behaviour
# '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before next testing. Root shell is needed.
  * Edit files in home directory.
# '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see if new AVC messages appeared. Root shell is needed.
  * scp files to home directory and public_html directory.
# '''fpaste.org''' - Make the AVC message public via http://fpaste.org/ . Add a short description what you did and what happened or did not happen. Please increase the default expiry time to 1 day, because the default is 1 hour.
  * Copy files to public_html directory.
# '''IRC''' - Communicate with others on IRC channel to find out if they encountered the same problem. It's likely that someone on IRC channel knows the solution or already reported the problem.
  * Verify content is viewable via apache.
# '''{{command|sealert}}''' - Look at the end of {{filename|/var/log/messages}} and search for messages containing <code>sealert</code>. Run <code>sealert</code> with parameters as advised. Root shell is needed.
* Bad Test - Try to do evil
# '''Bugzilla''' - Lastly, file a bug in [http://bugzilla.redhat.com Red Hat Bugzilla].  Be sure to set the following attributes: '''Product:''' Fedora, '''Version:''' rawhide, '''Component:''' selinux-policy.  Alternatively, follow [https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=selinux-policy&version=rawhide this link to file a bug]  against selinux-policy.  Do not forget to supply the description of actions you did, the AVC message and the full output of <code>sealert</code>.
  * Try to ping off the box.
  * Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
  * Copy an executable into home directory and try to execute it.
  * Try to read a file in the /secrets directory.
  * Try to read the mysql database.


{{admon/tip|Before filing...|Do not file a bug if the user you are testing now is by the SELinux role prevented from doing certain things (e.g. <code>guest_u</code> is prevented from using network, <code>staff_u</code> is prevented from running <code>su</code>). The actions you are trying to do under userX must make sense considering the SELinux role of the userX.}}
==== xguest_u ====
. – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.  


Here is an example how to display AVCs which arose since a specific time:
Set up a client machine, with network access. Change default login to xguest_u. Create a directory named /secrets, and install mysql, make sure the database is world readable.
# <code>START_DATE_TIME=`date "+%m/%d/%Y %T"`</code>
# do something as confined user
# <code>ausearch -m AVC -ts $START_DATE_TIME</code>


== Test Cases ==
Add an user account.


Here you can find a few test cases. Please run as many of them as possible. Below each test case you can see a table, where you should write your results. Please add a line with your username and list of tests you ran/skipped into the table. The table could look this way:
* Good Test - Try to do expected behaviour
  * Edit files in home directory.
  * Verify firefox works and can access the network. Try it on several sites like www.ford.com to verify flash works.
  * Plug in USB disk and make sure xguest_u user can read/write the disk.
  * Plug in USB camera and make sure it works.
  * Plug in other USB devices.
  * Verify [[NetworkManager|Network Manager]] works.
  * Verify printing from Firefox and from the desktop works.


{|
* Bad Test - Try to do evil
! User
  * Try to ping off the box.
! Passed
  * Try any network protocol, try to get off the box (ssh, sendmail, rsh, telnet etc.)
! Failed
  * Copy an executable into home directory and try to execute it.
! Skipped
  * Try to read a file in the /secrets directory.
! References
  * Try to read the mysql database.
|-
! [[User:mmalik]]
! G.1 G.2
! B.1 B.2 B.3
! G.3 G.4
!
|}


=== guest_u ===
==== Kiosk user ====
. – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory - NO password required. Home directory and /tmp get destroyed on logout.


{{admon/note|User capabilities|Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory}}
Set up a client machine, with network access. Install xguest package.


As root set up a server only machine, with '''Apache''' service (<code>yum install httpd</code>). Configure '''Apache''' in such a way that user home directories are accessible. Make sure '''Apache''' service is running (<code>service httpd start</code>). Add an user which can log in as <code>guest_u</code> (<code>useradd -Z guest_u USERNAME</code>). Create a directory named <code>/secrets</code>. Install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' service is running (<code>service mysqld start</code>) and the database is world readable.
* Good Test - Try to do expected behaviour
  * Edit files in home directory.
  * verify firefox works and can access the network. Try it on several sites like www.ford.com to verify flash works.
  * Plug in USB disk and make sure xguest_u user can read/write the disk.
  * Plug in USB camera and make sure it works.
  * Plug in other USB devices.
  * Verify [[NetworkManager|Network Manager]] works.
  * Verify printing from Firefox and from the desktop works.
  * Logout and log back to verify that home directory disappeared.
  * Verify password is not required.


Log in to the machine and try the following:
* Bad Test - Try to do evil
  * Try to ping off the box.
  * Try any network protocol, try to get off the box (ssh, sendmail, telnet, rsh etc.)
  * Copy an executable into home directory and try to execute it.
  * Try to read a file in the /secrets directory
  * Try to read the mysql database.
  * Verify that you can not ssh into the box as the xguest account.


* Good Test - try to behave correctly
==== user_u ====
*# Edit files in home directory.
. – X Windows Login and terminal login, nosetuid, noexec in home directory
*# <code>scp</code> files to home directory and <code>public_html</code> directory.
*# Copy files to <code>public_html</code> directory.
*# Verify that the content is viewable via '''Apache'''.


* Bad Test - try to do evil
Setup a client machine, with network access. Change default login to user_u. Create a directory named /secrets, and install mysql, make sure the database is world readable.
*# Try to <code>ping</code> off the machine.
*# Try any network protocol, try to get off the machine (ssh, mail, rsh, telnet etc.)
*# Copy an executable into home directory and try to execute it.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).


{|
Add a user account. Login to the box.
! User
! Passed
! Failed
! Skipped
! References
|-
! [[User:czhang]]
! G1.G3.B1.B2.B3.B4.B5
! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1</ref>
! G2<ref>I don't understand what does this step means, scp from localhost to localhost?</ref>
! <references/>
|-
! [[User:hdong]]
! G1.G3.B1~B5
! G4<ref>don't have permission to access /~guest_u/ on server</ref>
! G2<ref>ssh Permission denied</ref>
! <references/>
|-
! [[User:Rhe]]
! G1,G2,G3,B3,B4,B5
! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1 as czhang said</ref>, B1<ref>can ping</ref>, B2<ref>can ssh</ref>
!
! <references/>
|-
! [[User:tpelka]]
! G1~3,G4<ref>Agree with czhang, but 701 is sufficient</ref>,B1~5
!
!
! <references/>
|-
! [[User:mmaslano]]
! G1,G2,G3,G4,B1,B2,B3
!
! B4,B5
! Directions are ambiguous. Howto apache was missing. <references/>
|-
! varekova
! G1~G3,B1~B5
!
! G4 <ref>problems with setting up Appache - it would be good to have describe this step more precisely </ref>
! <references/>
|-
! [[User:psss]]
! G1, G2, G3, B1, B2, B3, B4, B5
! G4<ref group="long">restorecond -u not running for guest_u (running restorecon -R public_html or adding "~/* ~/public_html/*" to /etc/selinux/restorecond.conf resolves the problem)</ref>
!
! <references/> Filed bugs [https://bugzilla.redhat.com/show_bug.cgi?id=529852 #529852] and [https://bugzilla.redhat.com/show_bug.cgi?id=529827 #529827].
|-
! [[User:mmalik]]
! G1, G2, G3, B1, B2, B3, B4, B5
! G4<ref>chmod 711 /home/USER, setsebool httpd_enable_homedirs=1, restorecon -Rv /home/USER were needed</ref>
!
! <references/>
|}


=== xguest_u ===
* Good Test - Try to do expected behaviour
  * Edit files in home directory
  * verify firefox works and access network.  Try it on several sites like www.ford.com to verify flash works.
  * Verify other network protocols work, aol, ssh, sendmail etc.
  * Plug in USB disk and make sure xguest_u user can read/write disk
  * Plugin in USB camera and make sure it works.
  * Other USB devices.
  * Verify [[NetworkManager|Network Manager]] works.
  * Verify Printing from Firefox and from the desktop works.


{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory}}
* Bad Test - Try to do evil
  * Try to ping off the box
  * Try to breakinto the root account , su, sudo
  * Copy and executable into homedir and try to execute it.
  * Try to read a file in the /secrets directory
  * try to read the mysql database.


As root set up a client machine, with network access. Add an user which can log in as <code>xguest_u</code> (<code>useradd -Z xguest_u USERNAME</code>). Create a directory named <code>/secrets</code>. Install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' service is running (<code>service mysqld start</code>) and the database is world readable.
==== staff_u ====
. – X Windows Login and terminal login, nosetuid except sudo


Log in to the machine and try the following:
Setup a client machine, with network access. Change default login to user_u.  Create a directory named /secrets, and install mysql, make sure the database is world readable.


* Good Test - try to behave correctly
Add a  user account. Login to the box
*# Edit files in home directory.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify that flash works.
*# Plug in USB disk and make sure <code>xguest_u</code> user can read/write the disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.


* Bad Test - try to do evil
* Good Test - Try to do expected behaviour
*# Try to <code>ping</code> off the machine.
  * Edit files in home directory
*# Try any network protocol, try to get off the machine (ssh, mail, rsh, telnet etc.)
  * verify firefox works and access network.  Try it on several sites like www.ford.com to verify flash works.
*# Copy an executable into home directory and try to execute it.
  * Verify other network protocols work, aol, ssh, sendmail etc.
*# Try to read a file in the <code>/secrets</code> directory.
  * Plug in USB disk and make sure xguest_u user can read/write disk
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
  * Plugin in USB camera and make sure it works.
  * Other USB devices.
  * Verify [[NetworkManager|Network Manager]] works.
  * Verify Printing from Firefox and from the desktop works.
  * Try to ping off the box
  * Copy and executable into homedir and try to execute it.
  * setup sudo and selinux to allow staff_t to become unconfined_t via sudo


{|
* Bad Test - Try to do evil
! User
  * Try to breakinto the root account sudo
! Passed
  * Try to read a file in the /secrets directory
! Failed
  * try to read the mysql database.
! Skipped
! References
|-
! [[User:czhang]]
! G1.G5.G6.G7<ref>Firefox core dumped, but desktop printing is normal</ref>.B1~B5
! G2<ref>Firefox core dumped,can't test. Maybe {{bz|512845}} describes this bug.</ref>.G3<ref>ntfs disks is readable/writable, ext2/3/4 are not permitted in enforce mode, setenforce 0 could solve this problem.</ref>
! G4<ref>no device</ref>
! <references/>
|-
! guaneryu
! G.1 G.2<ref>Start firefox with 'firefox -safe-mode'</ref> G.6 G.7 B.1~B.5
!
! G.3~G.5<ref>no device</ref>
! <references/>
|-
! [[User:jbao]]
! G.1 G.2 G.3 G.7 B.1~B.5
! G.6<ref>can't start the NetworkManager</ref>
! G.4~G.5<ref>no device</ref>
! <references/>
|-
! hdong
! G1.G2.G3.G7 B1~B5
! G6<ref>NetworkManager applet icon disappear</ref>
! G4.G5<ref>no device</ref>
! <references/>
|-
! [[User:Rhe]]
! G1.G5.B1~B5
! G2<ref>a crash in package firefox-3.5.3-1.fc12 has been detected.{{bz|530007}}</ref>.G3<ref>couldn't display </ref>.G6<ref>unrecognised service.{{bz|530013}}</ref><ref>cant run selinux management {{bz|530005}}</ref>
! G4.G7
! <references/>
|-
! varekova
! G1 G6 B1~B5
! G2<ref>firefox problem, with 'firefox -safe-mode' OK</ref>
! G3~G5<ref>virt. machines</ref>
! <references/>
|-
! [[User:mmaslano]]
! G1 G2 G3 G6 G7 B1-4
!
! G4 G5
! FF worked firefox-3.5.3-1.fc12.x86_64. I have updated rawhide.<references/>
|-
! [[User: jkoten|jkoten]]
! G1 G3 G6 B1-5
! G2<ref>cannot play streamed video using totem-mozplugin {{bz|529847}}</ref>
! G7
! <references/>
|-
! [[User:psss]]
! G1, G3, G6, B1, B2, B3, B4, B5
! G2<ref>Firefox crashes, works only in -safe-mode</ref>
! G4, G5, G7
! <references/> Filed bug [https://bugzilla.redhat.com/show_bug.cgi?id=529878 #529878] - Unable to login after logout
|-
! [[User:mmalik]]
! G1, B1, B2, B3, B4, B5
! G2<ref>Firefox crashes, must be executed with -safe-mode</ref>
! G3, G4, G5, G6, G7
! <references/>
|-
! [[User:tpelka]]
! <ref>First login as xguest_u cause gphoto2 support for gvfs crash, RHBZ [https://bugzilla.redhat.com/show_bug.cgi?id=530091 #530091]</ref>G1~4,G7,B1,B2,B3,B4,B5
!
! G5,G6<ref>no device</ref>
! <references/>
|}


=== user_u ===
==== Confined administrator ====
. – Let's set up an administrator that can manage mysql and apache.


{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, noexec in home directory}}
Set up a client machine, with network access. Build policy for the web_db_admin_t. Add a user which logins as staff_u. Setup transition from staff_u to web_db_admin_t. Set up sudo to make this happen automatically. Create a directory named /secrets, and install mysql, make sure the database is world readable.


As root set up a client machine, with network access. Add an user which can log in as <code>user_u</code> (<code>useradd -Z user_u USERNAME</code>). Create a directory named <code>/secrets</code>. Install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' service is running (<code>service mysqld start</code>) and the database is world readable.
Add an user account. Login to the box.


Log in to the machine and try the following:
* Good Test - Try to do expected behaviour
  * Edit files in home directory.
  * Verify firefox works and can access the network. Try it on several sites like www.ford.com to verify flash works.
  * Verify other network protocols work (aol, ssh, mail etc.)
  * Plug in USB disk and make sure xguest_u user can read/write the disk.
  * Plug in USB camera and make sure it works.
  * Plug in other USB devices.
  * Verify [[NetworkManager|Network Manager]] works.
  * Verify printing from firefox and from the desktop works.
  * Try to ping off the box.
  * Copy an executable into home directory and try to execute it.
  * Set up sudo and SELinux to allow staff_t to become unconfined_t via sudo.
  * Execute sudo sh and make sure you end up as web_db_adm_t.
  * Try to edit /var/www/html directory and some of the mysql directories.
  * Try to start/stop mysql and apache.


* Good Test - try to behave correctly
* Bad Test - Try to do evil
*# Edit files in home directory
  * Try to break into the root account via su.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
  * Try to read a file in the /secrets directory.
*# Verify other network protocols work (aol, ssh, mail etc.)
  * Try to read the mysql database.
*# Plug in USB disk and make sure <code>user_u</code> user can read/write disk.
  * As web_db_adm_t try to add an user, modify files in /usr/share.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.


* Bad Test - try to do evil
==== Generate a guest user that can send a mail ====
*# Try to <code>ping</code> off the machine.
*# Try to break into the root account via <code>su</code>, <code>sudo</code>.
*# Copy an executable into home directory and try to execute it.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).


{|
Set up a server machine, with network access. Build policy for the sendmail_user_t. Add a user which logins as sendmail_user_u.
! User
! Passed
! Failed
! Skipped
! References\
|-
! guaneryu
! G.1 G.2 G.3 G.7 B.1 B.2 B.4 B.5
! B.3<ref>cd;cp /bin/ls ~/;./ls;  can execute ls command at home directory</ref>
! G4~G6<ref>no device</ref>.G8
! <references/>
|-
! [[User:jbao]]
! G1.G2.G3.G4.G8 B1.B2.B4.B5
! G7<ref>can't start the NetworkManager,with the error"(nm-applet:5910): Gtk-WARNING **: cannot open display:
"</ref> B3<ref>{{bz|529830}}</ref>
! G5~G6<ref>no device</ref>
! <references/>
|-
! varekova
! G.1 G.3 G.7 B.1 B.2 B.4
! G2<ref>firefox problem</ref> B.3<ref>{{bz|529830}}</ref>
! G.4~G.6, G.8<ref>virt machine</ref>
! <references/>
|-
! [[User:mmaslano]]
! G1-5 G7 B2-4
! B1 B5
! G6
! G6 no NM applet in KDE tray<references/>
|-
! [[User:Rhe]]
! G1.G3.G4.G6.B1.B2.B4.B5
! G2<ref>firefox crash.{{bz|530007}}</ref>.G7<ref>unrecognized service.{{bz|530013}}</ref>.B3<ref>executable.{{bz|529830}}</ref>
! G5.G8
! <references/>
|-
! [[User:hdong]]
! G1.G2.G3.G4.G8.B1.B2.B4.B5
! G7<ref>Permission denied and applet icon disappear</ref>.B3<ref>executable.{{bz|529830}}</ref>
! G5.G6<ref>no device</ref>
! <references/>
|-
! [[User:tpelka]]
! G1~4,G7,G8,B1,B2,B4,B5
! B3<ref>same as guaneryu [1]</ref>
! G5,G6<ref>no device</ref>
! <references/>
|}


=== staff_u ===
Add an user account. Login to the box.


{{admon/note|User capabilities|X Windows login and terminal login, nosetuid except sudo}}
* Good Test - Try to do expected behaviour
  * Edit files in home directory.
  * Verify you can send a mail from this user.


As root set up a client machine, with network access. Add an user which can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Create a directory named <code>/secrets</code>. Install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' service is running (<code>service mysqld start</code>) and the database is world readable.
  * Bad Test - Try to do evil
 
  * Try to break into the root account sudo.
Log in to the machine and try the following:
  * Try to read a file in the /secrets directory.
 
  * Try to read the mysql database.
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Verify other network protocols work (aol, ssh, mail etc.)
*# Plug in USB disk and make sure <code>staff_u</code> user can read/write disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> off the machine
*# Copy an executable into home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>unconfined_t</code> via <code>sudo</code>.<code><br># semanage user -m -R "staff_r unconfined_r system_r" staff_u<br/></code>add a record to sudoers using visudo:<br/><code>USERNAME ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r  ALL</code>
*# Execute sudo sh and make sure you end up as unconfined_t.<code><br># sudo sh<br/># id -Z</code>
* Bad Test - try to do evil
*# Try to break into the root account via <code>sudo</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
 
{|
! User
! Passed
! Failed
! Skipped
! References
|-
! [[User:jbao]]
! G1.G2.G3.G4.G8.G9.G10.G11.G12.B1~B3
! G7<ref>can't start the NetworkManager</ref>
! G5~G6<ref>no device</ref>
! <references/>
|-
! guaneryu
! G.1~G.3 G.7 G.9~G.12 B.1~B.3
!
! G.4~G.6 G.8<ref>no device</ref>
! <references/>
|-
! varekova
! G.1 G.3 G.7 G.9~G.12 B.1~B.3
! G.2<ref>firefox problem</ref>
! G.4~G.6 G.8<ref>virt machine</ref>
! <references/>
|-
! [[User:Rhe]]
! G1. G3. G4. G6. G9. G10. B1~B3
! G2<ref>firefox crash.{{bz|530007}}</ref>. G7<ref>unrecognised service.{{bz|530013}}</ref>. G11<ref>/user/sbin/semanage:SElinux Policy is not managed or store cannot be accessed.</ref>
! G5. G6. G12
! <references/>
|-
! [[User:hdong]]
! G1.G2.G3.G4.G8.G9.G10.G11.G12 B1~B3
! G7<ref>Permission denied and applet icon disappear.{{bz|530013}}</ref>
! G5.G6<ref>no device</ref>
! <references/>
|-
! [[User:tpelka]]
! G1~4,G7,G8~12,B1~3
!
! G5,G6<ref>no device</ref>
! <references/>
|}
 
=== Kiosk user ===
 
{{admon/note|User capabilities|X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and <code>/tmp</code> get destroyed on logout.}}
 
As root set up a client machine, with network access. Make sure <code>xguest</code> package is installed (<code>yum install xguest</code>).
 
Log in to the machine and try the following:
 
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Plug in USB disk and make sure the kiosk user can read/write the disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify that '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Logout and login to verify that home directory disappeared.
*# Verify that password is not required.
 
* Bad Test - try to do evil
*# Try to <code>ping</code> off the machine.
*# Try any network protocol, try to get off the machine (ssh, mail, telnet, rsh etc.)
*# Copy an executable into home directory and try to execute it.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# Verify that you can not <code>ssh</code> into the machine as <code>xguest_u</code>.
 
{|
! User
! Passed
! Failed
! Skipped
! References
|-
! [[User: jkoten|jkoten]]
! G1 G2
! G8<ref>home dir still present - even before login for the first time</ref> G9<ref>cannot login after logout {{bz|529897}}</ref>
! B1-6 <ref>cannot login again :(</ref>
! <references/>
|-
| [[User: hdong]]
! G1.G2.G3.G7
! G8<ref>home dir still present,temporary files in home dir disappear</ref>.G9<ref>cannot login again</ref>
! G4.G5<ref>no device</ref>G6 B1~B6<ref>can not login</ref>
! <references/>
|-
| [[User: tpelka]]
! G1,G2,G3,G7
! G8<ref>home dir still present</ref>,G9<ref>cannot login again</ref>
! G4,G5<ref>no device</ref>G6,B1~B6<ref>can not login</ref>
! <references/>
|}
 
=== Guest user that can send an email ===
 
As root set up a server machine, with network access. Build policy for <code>sendmail_user_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>sendmail_user_u</code> (<code>useradd -Z sendmail_user_u USERNAME</code>).
 
Log in to the machine and try the following:
 
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Verify you can send a mail as this user.
 
* Bad Test - try to do evil
*# Try to break into the root account via <code>sudo</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
 
{|
! User
! Passed
! Failed
! Skipped
! References
|-
| ebenes      ||  G1,G2<ref>{{bz|529916}}</ref>, B1,B2,B3        ||              ||      ||  <references/>
|-
| [[User: tpelka]]
|         
|G1,G2,B1~3<ref>RHBZ {{bz|530349}}</ref>
|<references/>     
|}
 
=== Confined administrator ===
 
{{admon/note|User capabilities|Administrator that can manage '''MySQL''' and '''Apache'''}}
 
As root set up a client machine, with network access. Build policy for <code>web_db_admin_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Set up a transition from <code>staff_t</code> to <code>web_db_admin_t</code>. Set up <code>sudo</code> to make this happen automatically. Create a directory named <code>/secrets</code> and install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' is running (<code>service mysqld start</code>) and the database is world readable. Install '''Apache''' (<code>yum install httpd</code>) and make sure the service is running (<code>service httpd start</code>).
 
Log in to the machine and try the following:
 
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Verify other network protocols work (aol, ssh, mail etc.)
*# Plug in USB disk and make sure the confined administrator can read/write the disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> off the machine.
*# Copy an executable into home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>web_db_adm_t</code> via <code>sudo</code>.
*# Execute <code>sudo sh</code> and make sure you end up as <code>web_db_adm_t</code>.
*# Try to edit <code>/var/www/html</code> directory and some of the '''MySQL''' directories.
*# Try to stop and start '''MySQL''' and '''Apache''' (<code>service NAME start</code> and <code>service NAME stop</code>).
 
* Bad Test - try to do evil
*# Try to break into the root account via <code>su</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# As <code>web_db_adm_t</code> try to add an user, modify files in <code>/usr/share</code>.
 
{|
! User
! Passed
! Failed
! Skipped
! References
|-
| [[User: tpelka]]
|         
|G1~14,B1~4<ref>RHBZ {{bz|530349}}</ref>
|<references/>   
|}


== Links ==
== Links ==
# http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
. 1. http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
# http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/
. 2. http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/
# http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
. 3. http://www.linuxtopia.org/online_books/fedora_selinux_guides/fedora_10_selinux_user_guide/fedora_10_selinux_sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
# http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
. 4. http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
 
== Long comments ==
<references group="long" />
 
[[Category:Fedora 12 Test Days]]
Please note that all contributions to Fedora Project Wiki are considered to be released under the Attribution-Share Alike 4.0 International (see Fedora Project Wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please solve the following task below and enter the answer in the box (more info):

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "https://fedoraproject.org/wiki/Test_Day:2009-10-20_SELinux_Confined_Users"