1
00:00:00,780 --> 00:00:04,379
Let's talk

2
00:00:04,379 --> 00:00:07,980
about
SELinux.

3
00:00:08,720 --> 00:00:13,894
SELinux works with contexts to define rules in
a policy that allows services to access files

4
00:00:13,894 --> 00:00:19,070
in these contexts. These are labels that
are assigned to processes but also to files.

5
00:00:20,269 --> 00:00:24,469
The default SELinux policy is very rich
and it allows for all default access.

6
00:00:25,050 --> 00:00:30,540
To allow the httpd process, for
example, to access the document root in

7
00:00:30,540 --> 00:00:36,030
/var/www, the httpd process uses the httpd_t
context type and the document root also

8
00:00:36,030 --> 00:00:41,520
needs a context type, which in
this case is set to httpd_sys_content_t.

9
00:00:42,020 --> 00:00:47,176
If access is blocked, a message will
be sent to the audit system. You

10
00:00:47,176 --> 00:00:52,333
can use grep avc on /var/log/audit/audit.log
to find out when a system

11
00:00:52,333 --> 00:00:57,490
is working with SELinux. getenforce will show
you that it is in enforcing mode.

12
00:00:59,509 --> 00:01:05,329
If you want to temporarily disable it to fix
problems that occurred because of SELinux, you can switch

13
00:01:05,329 --> 00:01:11,150
to permissive mode, and permissive mode, if you don't
change it back, will stay until the next reboot.

14
00:01:12,150 --> 00:01:17,975
And if ever services don't work with SELinux,
you can search for sealert output in the system

15
00:01:17,975 --> 00:01:23,800
logs and follow the instructions; on occasion that
is giving useful information. Now, to set context labels,

16
00:01:23,800 --> 00:01:29,625
because that is what SELinux is all about,
you use semanage fcontext, which will change the file context,

17
00:01:29,625 --> 00:01:35,450
after which the restorecon command applies the
context from the policy to the file system.

18
00:01:36,290 --> 00:01:42,250
And to allow services to bind to
non-standard ports, you use semanage port.

19
00:01:42,890 --> 00:01:45,670
Wow, that was a lot
in not even five minutes.

20
00:01:46,400 --> 00:01:53,192
Well, I can tell you there is a lot more
to learn about SELinux. I have a five-hour recorded video

21
00:01:53,192 --> 00:01:59,984
course on this platform about it, but that is too
much for now. I'd like to do a quick demo that

22
00:01:59,984 --> 00:02:06,777
is showing the most common elements that you will use
while working with SELinux. So, we already have the Apache

23
00:02:06,777 --> 00:02:13,569
process up and running. Let me check: ps aux |
grep http, and that is showing the Apache process.

24
00:02:14,050 --> 00:02:19,546
Now I am going to add the
uppercase Z option, because the uppercase Z option

25
00:02:19,546 --> 00:02:25,043
is displaying SELinux information, and this is
what it is all about. The u and r

26
00:02:25,043 --> 00:02:30,539
parts we don't care about. We care about
the t, which is the context type.

27
00:02:31,259 --> 00:02:36,300
To understand what is going on,
I'm using ls -Z in /var/www,

28
00:02:36,300 --> 00:02:41,340
where we can see the default
directories that Apache has access to.

29
00:02:42,020 --> 00:02:47,463
So on html we have httpd_sys_content_t
and on cgi-bin we have httpd_sys_script_

30
00:02:47,463 --> 00:02:52,906
exec_t, and that suggests, and that is
true, that you cannot run scripts from the

31
00:02:52,906 --> 00:02:58,349
HTML directory, you need a specific
context label in order to do that.

32
00:02:59,139 --> 00:03:05,889
The good thing about SELinux is that as long
as you are using standard functionality, it will work.

33
00:03:06,449 --> 00:03:10,539
Now, if ever you are going to
change the standards, you need to do something.

34
00:03:11,259 --> 00:03:15,430
So let's change
/etc/httpd/conf/httpd.conf,

35
00:03:15,430 --> 00:03:19,600
which is the
Apache web server configuration.

36
00:03:20,400 --> 00:03:26,409
I'm looking for DocumentRoot and I'm
going to change my document root to

37
00:03:26,409 --> 00:03:32,419
/web, and then I need to tell
Apache about it. And that is what

38
00:03:32,420 --> 00:03:38,430
I do by changing it here as
well, because otherwise Apache will deny access.

39
00:03:39,349 --> 00:03:45,046
Now I need to create this /web directory,
and I want to show you before we

40
00:03:45,046 --> 00:03:50,743
get started: ls -lZd on /web, and
what do we see? We see that it

41
00:03:50,743 --> 00:03:56,439
has default_t as the context type. Now
that's going to be the big issue.

42
00:03:57,080 --> 00:04:03,370
In the SELinux policy there is a rule that
allows httpd to access the target that has httpd_t.

43
00:04:05,210 --> 00:04:11,375
But there is no rule that allows httpd
to access default_t. On the contrary, that would

44
00:04:11,375 --> 00:04:17,540
open Apache to access anything. And that is
against what you want to accomplish with SELinux.

45
00:04:18,129 --> 00:04:23,993
So let me show you
what is happening when we do

46
00:04:23,993 --> 00:04:29,856
that. I'm going to use
sudo sh -c 'echo hello >

47
00:04:29,856 --> 00:04:35,720
/web/index.html' to
create a simple index.html.

48
00:04:36,180 --> 00:04:40,379
And next I'm
restarting the httpd process.

49
00:04:40,879 --> 00:04:42,899
That's
systemctl restart.

50
00:04:43,589 --> 00:04:48,899
That will tell it to pick up the
new configuration. And I'm using curl to localhost as

51
00:04:48,899 --> 00:04:54,209
a quick test. And oh no, I see
the default Apache document root and it's not working.

52
00:04:54,870 --> 00:05:00,832
That's also what we can find
if I would use sudo grep

53
00:05:00,832 --> 00:05:06,794
avc on /var/log/audit/audit.log.
That's the audit log. And

54
00:05:06,795 --> 00:05:12,757
there you can see, hey, Apache
has denied access for the command

55
00:05:12,757 --> 00:05:18,720
httpd to the path
index.html. Why is that?

56
00:05:19,139 --> 00:05:22,750
Well, we have httpd_t
on the source, and we

57
00:05:22,750 --> 00:05:26,360
have default_t on
the target, and that's not allowed.

58
00:05:26,939 --> 00:05:31,965
You can also see
it in a different way

59
00:05:31,965 --> 00:05:36,990
using sudo grep sealert
on /var/log/messages.

60
00:05:37,500 --> 00:05:44,085
I could also get it from the journalctl output,
but this should also work. And there we can

61
00:05:44,085 --> 00:05:50,670
see a message that's summarizing what you've just
seen with an interesting addition. And that's this command.

62
00:05:51,600 --> 00:05:56,680
I'm going to copy this command and I'm
going to paste it while running it through less.

63
00:05:57,240 --> 00:06:02,949
And there we can see some explanation. Sometimes
the explanation is very good, sometimes it's not.

64
00:06:03,610 --> 00:06:08,283
It's telling us, hey, this is not working.
You need to change the label on /web/

65
00:06:08,283 --> 00:06:12,956
index.html, and this command is all right,
but then it's not really helpful in the

66
00:06:12,956 --> 00:06:17,629
label. How do you ever pick your
choice from six different screens of context labels?

67
00:06:19,649 --> 00:06:25,704
Nevertheless, you can. You should always check sealert output, because
sometimes the output is pretty good. Now, what do we need

68
00:06:25,704 --> 00:06:31,759
to do? We need to make sure that the /web
directory, including its contents, has the appropriate context label.

69
00:06:32,420 --> 00:06:37,496
And the best way to do so
is by having a look at the

70
00:06:37,496 --> 00:06:42,573
man page of semanage fcontext, using uppercase
D to go all the way down.

71
00:06:42,573 --> 00:06:47,649
And then here it happens that we
see exactly what needs to be done.

72
00:06:48,290 --> 00:06:54,700
Two lines, and without even reading them, I'm going
to copy them and I'm going to paste them one

73
00:06:54,700 --> 00:07:01,110
by one. Well, that doesn't work, but there's a
comment sign in front of it. Let me type it.

74
00:07:01,949 --> 00:07:07,073
sudo semanage fcontext
-a -t, that will add

75
00:07:07,073 --> 00:07:12,196
a context. And the
context is httpd_sys_content_t, and

76
00:07:12,196 --> 00:07:17,319
I want it
to be on /web.

77
00:07:18,060 --> 00:07:22,930
And in case you are wondering what
this weird stuff behind /web is, do

78
00:07:22,930 --> 00:07:27,800
you remember regular expressions? This is a
regular expression that ensures that the context

79
00:07:27,800 --> 00:07:32,670
will apply to the web directory
and everything that might exist within.

80
00:07:33,410 --> 00:07:39,930
And then I need to use sudo
restorecon -Rv on /web to apply the new context.

81
00:07:40,759 --> 00:07:44,754
And you know what? If now
I'm going to repeat the last

82
00:07:44,754 --> 00:07:48,750
curl command, it works, and that's
your SELinux in 5 minutes primer.
