Introduction to Confining Users
SELinux confining users: by default every Linux login is mapped to the SELinux user unconfined_u, so its processes run in the unconfined_t domain and SELinux places practically no restrictions on them (only the normal DAC file permissions apply). To limit what interactive users can do on the server, we change the default SELinux user mapping from unconfined_u to user_u, and map administrators to sysadm_u or staff_u instead.
User     | Role     | Domain   | X Window System | su or sudo  | Execute in home directory and /tmp (default) | Networking   |
---------|----------|----------|-----------------|-------------|----------------------------------------------|--------------|
sysadm_u | sysadm_r | sysadm_t | Yes             | su and sudo | Yes                                          | Yes          |
staff_u  | staff_r  | staff_t  | Yes             | only sudo   | Yes                                          | Yes          |
user_u   | user_r   | user_t   | Yes             | no          | Yes                                          | Yes          |
guest_u  | guest_r  | guest_t  | No              | no          | Yes                                          | No           |
xguest_u | xguest_r | xguest_t | Yes             | no          | Yes                                          | Firefox only |
[root@servera ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Let's create a few local Linux users to demonstrate confining users:
System admin user: babin
Normal user: lonston
Creating Users
Create the required users. The -Z option of useradd sets the SELinux user the login is mapped to (it adds the entry you would otherwise create with semanage login -a), and -G wheel adds the user to the wheel group for sudo. lonston is put in wheel deliberately, so that the later test shows SELinux denying sudo even to a wheel member.
# useradd -G wheel -Z sysadm_u babin
# passwd babin
# useradd -G wheel -Z user_u lonston
# passwd lonston
Listing SELinux Users/Roles
List the existing SELinux users (seinfo is provided by the setools-console package).
[root@servera ~]# seinfo --user

Users: 8
   sysadm_u
   system_u
   xguest_u
   root
   guest_u
   staff_u
   user_u
   unconfined_u
Or, we can use the command below, which also shows the roles and MLS/MCS range allowed for each SELinux user.
# semanage user -l
[root@servera ~]# semanage user --list

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r
Changing Default Mapping
Let's change the default mapping from unconfined_u to user_u. The __default__ entry applies to every Linux user without an explicit mapping of its own, so root (mapped explicitly to unconfined_u) and the two users created above are not affected; the change takes effect at the next login, existing sessions keep their context.
# semanage login -m -s "user_u" -r s0 __default__
List the login mappings, including the two users we just created and the new default:
[root@servera ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
babin                sysadm_u             s0-s0:c0.c1023       *
lonston              user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
Here we can see that the Linux user babin is mapped to the SELinux user sysadm_u, whose only role is sysadm_r, so babin's shell runs in the sysadm_t domain. It is the SELinux user, not the Linux UID, that decides what the session may do: root obtained through sudo from a sysadm_u session is still sysadm_t, not unconfined_t.
Changing Role
I'm sticking with the default roles for now; if you ever need to change the roles assigned to an SELinux user, this is the command. Note that -R replaces the whole role list, so name every role the user should keep:
# semanage user -m sysadm_u -R "sysadm_r"
Allowing SSH for Sysadmin Role accounts
Next, allow SSH logins for the sysadmin-role account babin. By default the boolean ssh_sysadm_login is off, so while SELinux is enforcing, sshd refuses to start a session in sysadm_r and users mapped to sysadm_u cannot log in directly over SSH. Once logged in, sysadm_u users may run both su and sudo. Check the current state of the two relevant booleans:
[root@servera ~]# getsebool -a | grep "ssh_sysadm_login\|sysadm_exec_content"
ssh_sysadm_login --> off
sysadm_exec_content --> off
Enable SSH login for sysadm_u users and allow them to execute files in their home directories and /tmp (that is what sysadm_exec_content controls; it is not what grants su or sudo). -P makes the change persistent across reboots.
[root@servera ~]# setsebool -P ssh_sysadm_login on
[root@servera ~]# setsebool -P sysadm_exec_content on
Testing Admin account
[babin@servera ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[babin@servera ~]$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
[babin@servera ~]$ sudo -i
[root@servera ~]#
Restricting Normal users
Normal users mapped to user_u can still log in over SSH, but while SELinux is enforcing they cannot run su or sudo, even though lonston is a member of wheel: user_t is not allowed the setuid capabilities sudo needs. In permissive mode the same denials are only logged, so sudo works again. As an extra restriction we also turn off user_exec_content, which stops user_u from executing files stored in home directories or /tmp (for example downloaded scripts or compiled exploits):
[root@servera ~]# getsebool -a | grep "user_exec_content"
user_exec_content --> on
[root@servera ~]# setsebool -P user_exec_content off
[root@servera ~]# getsebool -a | grep "user_exec_content"
user_exec_content --> off
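The steps above (mapping the users, changing __default__, setting the three booleans) are easy to get half-done by hand, so here they are gathered into one script that applies them idempotently and can audit a host afterwards. This is an added example, not code from the original post. It assumes the targeted policy with semanage, getsebool and setsebool from policycoreutils, the post's logins babin and lonston, and a hypothetical file name confine.sh; the sample semanage login -l output embedded in it is constructed to match the host's state before __default__ was changed, so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the post's confinement
# steps idempotently and audit the result. Assumes the targeted policy and the
# semanage/getsebool/setsebool tools from policycoreutils; the logins (babin,
# lonston) and MLS/MCS ranges are the post's. Set DRY_RUN=1 to print the
# commands instead of running them.
set -eu

# Constructed sample of `semanage login -l` output, as the host looked *before*
# the post changed __default__ (used for offline testing of the functions).
SAMPLE_BEFORE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
babin                sysadm_u             s0-s0:c0.c1023       *
lonston              unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# Print every login (one per line) mapped to unconfined_u in `semanage login -l`
# output read from stdin. root is reported too; whether its explicit
# unconfined_u entry is acceptable is left to the caller.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# Succeed if login $1 already has an explicit entry in the listing passed as $2,
# so the caller knows whether to add (-a) or modify (-m) it.
login_exists() {
    printf '%s\n' "$2" | awk -v l="$1" '$1 == l { f = 1 } END { exit !f }'
}

# Succeed if boolean $1 is reported "on" in `getsebool -a` output on stdin.
bool_is_on() {
    awk -v b="$1" '$1 == b && $3 == "on" { f = 1 } END { exit !f }'
}

# Execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Map login $1 to SELinux user $2 with MLS/MCS range $3, given the current
# `semanage login -l` output in $4. __default__ always exists, so it is modified.
confine_login() {
    if login_exists "$1" "$4"; then op=-m; else op=-a; fi
    run semanage login "$op" -s "$2" -r "$3" "$1"
}

# The post's whole procedure, driven by the current mapping listing in $1.
apply_hardening() {
    confine_login __default__ user_u   s0             "$1"
    confine_login babin       sysadm_u s0-s0:c0.c1023 "$1"
    confine_login lonston     user_u   s0             "$1"
    run setsebool -P ssh_sysadm_login on     # let sysadm_u log in over SSH
    run setsebool -P sysadm_exec_content on  # let sysadm_u run files in ~ and /tmp
    run setsebool -P user_exec_content off   # stop user_u running files in ~ and /tmp
}

# Audit a live host: list logins still unconfined and flag booleans not as intended.
audit_live() {
    echo "Logins still mapped to unconfined_u:"
    semanage login -l | unconfined_logins | grep -vx root || echo "  (none besides root)"
    for b in ssh_sysadm_login sysadm_exec_content; do
        getsebool -a | bool_is_on "$b" || echo "WARN: $b is off"
    done
    getsebool -a | bool_is_on user_exec_content && echo "WARN: user_exec_content is on"
    return 0
}

case "${1:-}" in
    --apply) apply_hardening "$(semanage login -l)" ;;
    --audit) audit_live ;;
esac
```

Run DRY_RUN=1 sh confine.sh --apply first to see the semanage and setsebool commands it would issue (it chooses -m or -a per login from the live listing), then sh confine.sh --apply as root, and sh confine.sh --audit afterwards or on any other host you expect to be hardened.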
Testing the normal user with SELinux in enforcing mode:
[lonston@servera ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[lonston@servera ~]$ sudo -i
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [1002, -1, -1]: Operation not permitted
sudo: unable to initialize policy plugin
After switching SELinux to permissive mode (setenforce 0), the same sudo succeeds: the denials are still written to the audit log but no longer enforced. Note that Current mode is now permissive while Mode from config file is still enforcing, so this change does not survive a reboot.
[lonston@servera ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[lonston@servera ~]$ id -Z
user_u:user_r:user_t:s0
[lonston@servera ~]$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for lonston:
[root@servera ~]#
Useful commands
[root@servera ~]# semanage login --extract
login -a -s user_u -r 's0' __default__
login -a -s sysadm_u -r 's0-s0:c0.c1023' babin
login -a -s user_u -r 's0' lonston

This prints only the local customisations, in the form that semanage import accepts, so the same mappings can be replayed on another host.
Further login restriction can be applied with the PAM module pam_sepermit, configured through /etc/security/sepermit.conf: users, groups or SELinux users listed there are only permitted to log in while SELinux is enforcing, so a confined account cannot simply be used once someone switches the system to permissive mode.
[root@servera ~]# ls -lthr /etc/security/sepermit.conf
-rw-r--r--. 1 root root 449 Apr 24 20:58 /etc/security/sepermit.conf
Getting help and reading manuals
# man sepermit.conf
# man pam_sepermit
# man semanage
# man semanage-user
# man semanage-login
# cat /usr/share/doc/pam-1.1.8/txts/README.pam_sepermit
That's it.