From Fedora Project Wiki

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 11: Line 11:
Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are:
Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are:


{|
* <code>guest_u</code> – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory.
! user role            !! terminal login !! xwindows login !! network !! exec in homedir !! setuid !! notes
* <code>xguest_u</code> – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory.
|-
* <code>user_u</code> – X Windows login and terminal login, nosetuid, noexec in home directory.
| '''guest_u'''        || yes            || no            || no      || no              || no    ||
* <code>staff_u</code> – X Windows login and terminal login, nosetuid except <code>sudo</code>.
|-                                                                                                             
* kiosk user - X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and <code>/tmp</code> get destroyed on logout.
| '''xguest_u'''        || yes            || yes            || no*     || no              || no    || * only Firefox
* confined administrator - Able to manage only a predefined set of services.
|-                                                                                                             
| '''user_u'''          || yes            || yes            || yes    || no              || no    ||
|-                                                                                                             
| '''staff_u'''        || yes            || yes            || yes    || yes            || no*    || * <code>sudo</code> allowed
|-                                                                                                             
| '''kiosk user'''      || yes            || yes            || no      || no              || no    || No password required. Home directory and <code>/tmp</code> get destroyed on logout.
|-                                                                                                            
| '''confined admin'''  || yes            || yes            || yes    || yes            || yes    || Able to manage only a predefined set of services.
|}


The purpose of test day is to test these SELinux users in usual/specific use cases.
The purpose of test day is to test these SELinux users in usual/specific use cases.
Line 49: Line 40:
echo > /var/log/audit/audit.log
echo > /var/log/audit/audit.log
service auditd restart
service auditd restart
service messagebus start
service messagebus restart
service restorecond restart
service restorecond restart
setenforce 1
setenforce 1
Line 56: Line 47:


{{admon/important|No production testing| Please do not use production machine for this testing. }}
{{admon/important|No production testing| Please do not use production machine for this testing. }}
=== '''Live Image''' ===
You may download a non-destructive rawhide live image for your architecture. Tips on using a live image are available at [[FedoraLiveCD]].
{|
! Architecture !! SHA256SUM
|-
| [http://jlaska.fedorapeople.org/live/livecd-selinux-test-day-200910191654-i386.iso i686] || <code>b4c8631aeb40bf4594bbb64c189b1c66f0c7f7cd763ae50ce8f6ce800746aee4</code>
|-
| [http://jlaska.fedorapeople.org/live/livecd-selinux-test-day-200910191709-x86_64.iso x86_64] || <code>fa4e971ed3af85b4aaf7ac5630b0efce5b51c11749dc13b42556cfc7ccf5af56</code>
|}


== How to Test ==
== How to Test ==
Line 73: Line 52:
The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug.
The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug.


If you usually use another web browser than '''Firefox''', please continue to do so during the test day. Our intent is to test at least one program from each of the following groups:
If you usually use another web browser than '''Firefox''', please continue to do so during the test day. Our intend is to test at least one program from each of the following groups:
# mail clients (<code>mutt</code>, <code>alpine</code> etc.)
* mail clients (<code>mutt</code>, <code>alpine</code> etc.)
# editors (<code>vim</code>, <code>emacs</code>, <code>nano</code> etc.)
* editors (<code>vim</code>, <code>emacs</code>, <code>nano</code> etc.)
# networking tools (<code>ping</code>, <code>traceroute</code> etc.)
* networking tools (<code>ping</code>, <code>traceroute</code> etc.)
# FTP clients
* FTP clients
# web browsers
* web browsers
# audio / video players
* audio / video players
# samba mounting / tools
* samba mounting / tools
# NFS mounting / tools
* NFS mounting / tools
# Java apps
* Java apps
# office apps
* office apps
# printing / scanning tools
* printing / scanning tools
# photo / camera manipulation
* photo / camera manipulation
# CD/DVD reading / writing
* CD/DVD reading / writing
# IM clients
* IM clients
# flash players
* flash players


Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).
Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS).
{{admon/tip|<code>audit.log</code> upload|Be so kind and upload your <code>/var/log/audit/audit.log</code> after you finish the testing. Please leave a reference to it in the following table. This action is optional but it will help us not to forget/miss any of possible AVC messages.}}
{|
! User
! <code>audit.log</code> references
|}


== How to Report Problems ==
== How to Report Problems ==


If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before filing a bug
If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before following a bug
# '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before next testing. Root shell is needed.
# '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before next testing. Root shell is needed.
# '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see if new AVC messages appeared. Root shell is needed.
# '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see if new AVC messages appeared. Root shell is needed.
Line 161: Line 133:
! Skipped
! Skipped
! References
! References
|-
! [[User:czhang]]
! G1.G3.B1.B2.B3.B4.B5
! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1</ref>
! G2<ref>I don't understand what does this step means, scp from localhost to localhost?</ref>
! <references/>
|-
! [[User:hdong]]
! G1.G3.B1~B5
! G4<ref>don't have permission to access /~guest_u/ on server</ref>
! G2<ref>ssh Permission denied</ref>
! <references/>
|-
! [[User:Rhe]]
! G1,G2,G3,B3,B4,B5
! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1 as czhang said</ref>, B1<ref>can ping</ref>, B2<ref>can ssh</ref>
!
! <references/>
|-
! [[User:tpelka]]
! G1~3,G4<ref>Agree with czhang, but 701 is sufficient</ref>,B1~5
!
!
! <references/>
|-
! [[User:mmaslano]]
! G1,G2,G3,G4,B1,B2,B3
!
! B4,B5
! Directions are ambiguous. Howto apache was missing. <references/>
|-
! varekova
! G1~G3,B1~B5
!
! G4 <ref>problems with setting up Appache - it would be good to have describe this step more precisely </ref>
! <references/>
|-
! [[User:psss]]
! G1, G2, G3, B1, B2, B3, B4, B5
! G4<ref group="long">restorecond -u not running for guest_u (running restorecon -R public_html or adding "~/* ~/public_html/*" to /etc/selinux/restorecond.conf resolves the problem)</ref>
!
! <references/> Filed bugs [https://bugzilla.redhat.com/show_bug.cgi?id=529852 #529852] and [https://bugzilla.redhat.com/show_bug.cgi?id=529827 #529827].
|-
! [[User:mmalik]]
! G1, G2, G3, B1, B2, B3, B4, B5
! G4<ref>chmod 711 /home/USER, setsebool httpd_enable_homedirs=1, restorecon -Rv /home/USER were needed</ref>
!
! <references/>
|}
|}


Line 241: Line 165:
! Skipped
! Skipped
! References
! References
|-
! [[User:czhang]]
! G1.G5.G6.G7<ref>Firefox core dumped, but desktop printing is normal</ref>.B1~B5
! G2<ref>Firefox core dumped,can't test. Maybe {{bz|512845}} describes this bug.</ref>.G3<ref>ntfs disks is readable/writable, ext2/3/4 are not permitted in enforce mode, setenforce 0 could solve this problem.</ref>
! G4<ref>no device</ref>
! <references/>
|-
! guaneryu
! G.1 G.2<ref>Start firefox with 'firefox -safe-mode'</ref> G.6 G.7 B.1~B.5
!
! G.3~G.5<ref>no device</ref>
! <references/>
|-
! [[User:jbao]]
! G.1 G.2 G.3 G.7 B.1~B.5
! G.6<ref>can't start the NetworkManager</ref>
! G.4~G.5<ref>no device</ref>
! <references/>
|-
! hdong
! G1.G2.G3.G7 B1~B5
! G6<ref>NetworkManager applet icon disappear</ref>
! G4.G5<ref>no device</ref>
! <references/>
|-
! [[User:Rhe]]
! G1.G5.B1~B5
! G2<ref>a crash in package firefox-3.5.3-1.fc12 has been detected.{{bz|530007}}</ref>.G3<ref>couldn't display </ref>.G6<ref>unrecognised service.{{bz|530013}}</ref><ref>cant run selinux management {{bz|530005}}</ref>
! G4.G7
! <references/>
|-
! varekova
! G1 G6 B1~B5
! G2<ref>firefox problem, with 'firefox -safe-mode' OK</ref>
! G3~G5<ref>virt. machines</ref>
! <references/>
|-
! [[User:mmaslano]]
! G1 G2 G3 G6 G7 B1-4
!
! G4 G5
! FF worked firefox-3.5.3-1.fc12.x86_64. I have updated rawhide.<references/>
|-
! [[User: jkoten|jkoten]]
! G1 G3 G6 B1-5
! G2<ref>cannot play streamed video using totem-mozplugin {{bz|529847}}</ref>
! G7
! <references/>
|-
! [[User:psss]]
! G1, G3, G6, B1, B2, B3, B4, B5
! G2<ref>Firefox crashes, works only in -safe-mode</ref>
! G4, G5, G7
! <references/> Filed bug [https://bugzilla.redhat.com/show_bug.cgi?id=529878 #529878] - Unable to login after logout
|-
! [[User:mmalik]]
! G1, B1, B2, B3, B4, B5
! G2<ref>Firefox crashes, must be executed with -safe-mode</ref>
! G3, G4, G5, G6, G7
! <references/>
|-
! [[User:tpelka]]
! <ref>First login as xguest_u cause gphoto2 support for gvfs crash, RHBZ [https://bugzilla.redhat.com/show_bug.cgi?id=530091 #530091]</ref>G1~4,G7,B1,B2,B3,B4,B5
!
! G5,G6<ref>no device</ref>
! <references/>
|}
|}


Line 339: Line 197:
! Failed
! Failed
! Skipped
! Skipped
! References\
! References
|-
! guaneryu
! G.1 G.2 G.3 G.7 B.1 B.2 B.4 B.5
! B.3<ref>cd;cp /bin/ls ~/;./ls;  can execute ls command at home directory</ref>
! G4~G6<ref>no device</ref>.G8
! <references/>
|-
! [[User:jbao]]
! G1.G2.G3.G4.G8 B1.B2.B4.B5
! G7<ref>can't start the NetworkManager,with the error"(nm-applet:5910): Gtk-WARNING **: cannot open display:
"</ref> B3<ref>{{bz|529830}}</ref>
! G5~G6<ref>no device</ref>
! <references/>
|-
! varekova
! G.1 G.3 G.7 B.1 B.2 B.4
! G2<ref>firefox problem</ref> B.3<ref>{{bz|529830}}</ref>
! G.4~G.6, G.8<ref>virt machine</ref>
! <references/>
|-
! [[User:mmaslano]]
! G1-5 G7 B2-4
! B1 B5
! G6
! G6 no NM applet in KDE tray<references/>
|-
! [[User:Rhe]]
! G1.G3.G4.G6.B1.B2.B4.B5
! G2<ref>firefox crash.{{bz|530007}}</ref>.G7<ref>unrecognized service.{{bz|530013}}</ref>.B3<ref>executable.{{bz|529830}}</ref>
! G5.G8
! <references/>
|-
! [[User:hdong]]
! G1.G2.G3.G4.G8.B1.B2.B4.B5
! G7<ref>Permission denied and applet icon disappear</ref>.B3<ref>executable.{{bz|529830}}</ref>
! G5.G6<ref>no device</ref>
! <references/>
|-
! [[User:tpelka]]
! G1~4,G7,G8,B1,B2,B4,B5
! B3<ref>same as guaneryu [1]</ref>
! G5,G6<ref>no device</ref>
! <references/>
|}
|}


Line 418: Line 233:
! Skipped
! Skipped
! References
! References
|-
! [[User:jbao]]
! G1.G2.G3.G4.G8.G9.G10.G11.G12.B1~B3
! G7<ref>can't start the NetworkManager</ref>
! G5~G6<ref>no device</ref>
! <references/>
|-
! guaneryu
! G.1~G.3 G.7 G.9~G.12 B.1~B.3
!
! G.4~G.6 G.8<ref>no device</ref>
! <references/>
|-
! varekova
! G.1 G.3 G.7 G.9~G.12 B.1~B.3
! G.2<ref>firefox problem</ref>
! G.4~G.6 G.8<ref>virt machine</ref>
! <references/>
|-
! [[User:Rhe]]
! G1. G3. G4. G6. G9. G10. B1~B3
! G2<ref>firefox crash.{{bz|530007}}</ref>. G7<ref>unrecognised service.{{bz|530013}}</ref>. G11<ref>/user/sbin/semanage:SElinux Policy is not managed or store cannot be accessed.</ref>
! G5. G6. G12
! <references/>
|-
! [[User:hdong]]
! G1.G2.G3.G4.G8.G9.G10.G11.G12 B1~B3
! G7<ref>Permission denied and applet icon disappear.{{bz|530013}}</ref>
! G5.G6<ref>no device</ref>
! <references/>
|-
! [[User:tpelka]]
! G1~4,G7,G8~12,B1~3
!
! G5,G6<ref>no device</ref>
! <references/>
|}
|}


Line 489: Line 268:
! Skipped
! Skipped
! References
! References
|-
! [[User: jkoten|jkoten]]
! G1 G2
! G8<ref>home dir still present - even before login for the first time</ref> G9<ref>cannot login after logout {{bz|529897}}</ref>
! B1-6 <ref>cannot login again :(</ref>
! <references/>
|-
| [[User: hdong]]
! G1.G2.G3.G7
! G8<ref>home dir still present,temporary files in home dir disappear</ref>.G9<ref>cannot login again</ref>
! G4.G5<ref>no device</ref>G6 B1~B6<ref>can not login</ref>
! <references/>
|-
| [[User: tpelka]]
! G1,G2,G3,G7
! G8<ref>home dir still present</ref>,G9<ref>cannot login again</ref>
! G4,G5<ref>no device</ref>G6,B1~B6<ref>can not login</ref>
! <references/>
|}
|}


=== Guest user that can send an email ===
=== Confined administrator ===
 
{{admon/note|User capabilities|Administrator that can manage '''MySQL''' and '''Apache'''}}


As root set up a server machine, with network access. Build policy for <code>sendmail_user_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>sendmail_user_u</code> (<code>useradd -Z sendmail_user_u USERNAME</code>).
As root set up a client machine, with network access. Build policy for <code>web_db_admin_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Set up a transition from <code>staff_t</code> to <code>web_db_admin_t</code>. Set up <code>sudo</code> to make this happen automatically. Create a directory named <code>/secrets</code> and install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' is running (<code>service mysqld start</code>) and the database is world readable. Install '''Apache''' (<code>yum install httpd</code>) and make sure the service is running (<code>service httpd start</code>).


Log in to the machine and try the following:
Log in to the machine and try the following:
Line 517: Line 280:
* Good Test - try to behave correctly
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Edit files in home directory.
*# Verify you can send a mail as this user.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Verify other network protocols work (aol, ssh, mail etc.)
*# Plug in USB disk and make sure the confined administrator can read/write the disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> off the machine.
*# Copy an executable into home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>unconfined_t</code> via <code>sudo</code>.
*# Execute <code>sudo sh</code> and make sure you end up as <code>web_db_adm_t</code>.
*# Try to edit <code>/var/www/html</code> directory and some of the '''MySQL''' directories.
*# Try to stop and start '''MySQL''' and '''Apache''' (<code>service NAME start</code> and <code>service NAME stop</code>).


* Bad Test - try to do evil
* Bad Test - try to do evil
*# Try to break into the root account via <code>sudo</code>.
*# Try to break into the root account via <code>su</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# As <code>web_db_adm_t</code> try to add an user, modify files in <code>/usr/share</code>.


{|
{|
Line 530: Line 306:
! Skipped
! Skipped
! References
! References
|-
| ebenes      ||  G1,G2<ref>{{bz|529916}}</ref>, B1,B2,B3        ||              ||      ||  <references/>
|-
| [[User: tpelka]]
|         
|G1,G2,B1~3<ref>RHBZ {{bz|530349}}</ref>
|<references/>     
|}
|}


=== Confined administrator ===
=== Guest user that can send an email ===


{{admon/note|User capabilities|Administrator that can manage '''MySQL''' and '''Apache'''}}
As root set up a server machine, with network access. Build policy for <code>sendmail_user_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>sendmail_user_u</code> (<code>useradd -Z sendmail_user_u USERNAME</code>).
 
As root set up a client machine, with network access. Build policy for <code>web_db_admin_t</code> ([http://magazine.redhat.com/2008/07/02/writing-policy-for-confined-selinux-users/ Example how to create confined SELinux user]). Add an user which can log in as <code>staff_u</code> (<code>useradd -Z staff_u USERNAME</code>). Set up a transition from <code>staff_t</code> to <code>web_db_admin_t</code>. Set up <code>sudo</code> to make this happen automatically. Create a directory named <code>/secrets</code> and install '''MySQL''' (<code>yum install mysql-server</code>). Make sure '''MySQL''' is running (<code>service mysqld start</code>) and the database is world readable. Install '''Apache''' (<code>yum install httpd</code>) and make sure the service is running (<code>service httpd start</code>).


Log in to the machine and try the following:
Log in to the machine and try the following:
Line 550: Line 316:
* Good Test - try to behave correctly
* Good Test - try to behave correctly
*# Edit files in home directory.
*# Edit files in home directory.
*# Verify '''Firefox''' works and can access the network. Try to load several sites like http://www.ford.com to verify flash works.
*# Verify you can send a mail as this user.
*# Verify other network protocols work (aol, ssh, mail etc.)
*# Plug in USB disk and make sure the confined administrator can read/write the disk.
*# Plug in USB camera and make sure it works.
*# Plug in other USB devices.
*# Verify '''Network Manager''' works.
*# Verify printing from '''Firefox''' and from the desktop works.
*# Try to <code>ping</code> off the machine.
*# Copy an executable into home directory and try to execute it.
*# Set up <code>sudo</code> and SELinux to allow <code>staff_t</code> to become <code>web_db_adm_t</code> via <code>sudo</code>.
*# Execute <code>sudo sh</code> and make sure you end up as <code>web_db_adm_t</code>.
*# Try to edit <code>/var/www/html</code> directory and some of the '''MySQL''' directories.
*# Try to stop and start '''MySQL''' and '''Apache''' (<code>service NAME start</code> and <code>service NAME stop</code>).


* Bad Test - try to do evil
* Bad Test - try to do evil
*# Try to break into the root account via <code>su</code>.
*# Try to break into the root account via <code>sudo</code>.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read a file in the <code>/secrets</code> directory.
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# Try to read the '''MySQL''' database (<code>mysqlshow</code>).
*# As <code>web_db_adm_t</code> try to add an user, modify files in <code>/usr/share</code>.


{|
{|
Line 576: Line 329:
! Skipped
! Skipped
! References
! References
|-
| [[User: tpelka]]
|         
|G1~14,B1~4<ref>RHBZ {{bz|530349}}</ref>
|<references/>   
|}
|}


Line 590: Line 337:
# http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html
# http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html


== Long comments ==
[[Category:Test Days]]
<references group="long" />
 
[[Category:Fedora 12 Test Days]]

Please note that all contributions to Fedora Project Wiki are considered to be released under the Attribution-Share Alike 4.0 International (see Fedora Project Wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please solve the following task below and enter the answer in the box (more info):

Cancel Editing help (opens in new window)