1
00:00:00,000 --> 00:00:10,000
In this video, you'll learn about SELinux labels.

2
00:00:10,000 --> 00:00:14,000
SELinux labels are the essence of SELinux.

3
00:00:14,000 --> 00:00:17,000
All items are using context labels.

4
00:00:17,000 --> 00:00:19,000
And this context label is supplied to files,

5
00:00:19,000 --> 00:00:23,000
to directories, to ports, and even users can use them.

6
00:00:23,000 --> 00:00:26,000
Many commands have an option minus uppercase Z

7
00:00:26,000 --> 00:00:29,000
that allows you to print label information.

8
00:00:29,000 --> 00:00:33,000
The context type is the most important part of the labels.

9
00:00:33,000 --> 00:00:36,000
Let me show you before going on.

10
00:00:36,000 --> 00:00:42,000
So I'm going to show you ls -lZ on /var/www.

11
00:00:42,000 --> 00:00:45,000
I like showing you that because /var/www

12
00:00:45,000 --> 00:00:48,000
is where you find the default document root.

13
00:00:48,000 --> 00:00:51,000
This highlighted here is the context label.

14
00:00:51,000 --> 00:00:53,000
It consists of four parts.

15
00:00:53,000 --> 00:00:55,000
The first part is system_u.

16
00:00:55,000 --> 00:00:57,000
That's the user part.

17
00:00:57,000 --> 00:00:59,000
Second part is the role part.

18
00:00:59,000 --> 00:01:00,000
They don't matter.

19
00:01:00,000 --> 00:01:04,000
The only part that matters is httpd_sys_content_t.

20
00:01:04,000 --> 00:01:08,000
The user and role are only used in very specific situations.

21
00:01:08,000 --> 00:01:12,000
And I will teach you what to do with this httpd_sys_content_t.

22
00:01:12,000 --> 00:01:17,000
It identifies the access permissions of this HTML directory

23
00:01:17,000 --> 00:01:21,000
as such that the process that comes in with httpd_t

24
00:01:21,000 --> 00:01:24,000
can read the contents.

25
00:01:24,000 --> 00:01:27,000
s0 has to deal with SELinux categories.

26
00:01:27,000 --> 00:01:30,000
That is for multi-category and multi-layer security.

27
00:01:30,000 --> 00:01:34,000
That's something we don't discuss in Linux+.

28
00:01:34,000 --> 00:01:37,000
Now back to the so-called context type.

29
00:01:37,000 --> 00:01:40,000
Here you can see that on cgi-bin,

30
00:01:40,000 --> 00:01:43,000
the context type is httpd_sys_script_exec_t.

31
00:01:43,000 --> 00:01:45,000
Now why is that?

32
00:01:45,000 --> 00:01:48,000
Well, that is because in the cgi-bin directory,

33
00:01:48,000 --> 00:01:50,000
you can find scripts.

34
00:01:50,000 --> 00:01:53,000
And these scripts need execute permission.

35
00:01:53,000 --> 00:01:56,000
And in order to allow scripts to execute,

36
00:01:56,000 --> 00:02:00,000
we have a specific context label, httpd_sys_script_exec_t.

37
00:02:00,000 --> 00:02:03,000
If you want to manage context labels,

38
00:02:03,000 --> 00:02:06,000
semanage fcontext is the command to use.

39
00:02:06,000 --> 00:02:09,000
And if you use this command to set context labels on files,

40
00:02:09,000 --> 00:02:12,000
you write the context to the policy.

41
00:02:12,000 --> 00:02:14,000
Now that is not enough, because from the policy,

42
00:02:14,000 --> 00:02:17,000
the context also needs to be applied to the files.

43
00:02:17,000 --> 00:02:20,000
And to do so, you use the restorecon command.

44
00:02:20,000 --> 00:02:23,000
That will apply from the policy to the inodes.

45
00:02:23,000 --> 00:02:25,000
That is always what is happening.

46
00:02:25,000 --> 00:02:28,000
The policy has the default desired state.

47
00:02:28,000 --> 00:02:31,000
And to implement it, restorecon needs to be run.

48
00:02:31,000 --> 00:02:36,000
And if at any time your SELinux system has gone unprotected

49
00:02:36,000 --> 00:02:38,000
because it was in disabled mode,

50
00:02:38,000 --> 00:02:40,000
you know what's going to happen?

51
00:02:40,000 --> 00:02:42,000
Auto-relabel is going to happen.

52
00:02:42,000 --> 00:02:44,000
We already have seen that happening

53
00:02:44,000 --> 00:02:48,000
after I entered the disabled mode in my previous demo.

54
00:02:48,000 --> 00:02:50,000
You can also set context on ports.

55
00:02:50,000 --> 00:02:53,000
semanage port is how to do that.

56
00:02:53,000 --> 00:02:56,000
Now, one big challenge of working with context

57
00:02:56,000 --> 00:02:59,000
is that you need to find the required label.

58
00:02:59,000 --> 00:03:01,000
If default settings are used,

59
00:03:01,000 --> 00:03:04,000
context labels normally don't have to be changed.

60
00:03:04,000 --> 00:03:05,000
What does that mean?

61
00:03:05,000 --> 00:03:07,000
Well, in the case of Apache,

62
00:03:07,000 --> 00:03:10,000
if you put your index.html in the default document root,

63
00:03:10,000 --> 00:03:12,000
there's nothing that you need to do.

64
00:03:12,000 --> 00:03:14,000
If non-default settings are used,

65
00:03:14,000 --> 00:03:17,000
you have to find the appropriate label.

66
00:03:17,000 --> 00:03:20,000
And to do so, you use the following approach.

67
00:03:20,000 --> 00:03:22,000
First, you see the default settings.

68
00:03:22,000 --> 00:03:23,000
That's what we just did.

69
00:03:23,000 --> 00:03:27,000
I use ls -Z on /var/www

70
00:03:27,000 --> 00:03:31,000
to see the default context labels on the directories in there.

71
00:03:31,000 --> 00:03:35,000
Also, you can install the selinux-policy-doc package

72
00:03:35,000 --> 00:03:38,000
and consult man -k _selinux.

73
00:03:38,000 --> 00:03:42,000
That is giving a wide range of SELinux-related man pages

74
00:03:42,000 --> 00:03:45,000
with lots of information about how to use it.

75
00:03:46,000 --> 00:03:48,000
And the last trick is to use the messages

76
00:03:48,000 --> 00:03:50,000
that are generated by sealert.

77
00:03:50,000 --> 00:03:52,000
I'll show you later how to do that

78
00:03:52,000 --> 00:03:55,000
when we talk about SELinux troubleshooting.

79
00:03:55,000 --> 00:03:58,000
For now, I'd like to show you how to set the context

80
00:03:58,000 --> 00:04:01,000
on this web server document root.

81
00:04:01,000 --> 00:04:02,000
So what was the problem?

82
00:04:02,000 --> 00:04:05,000
Well, the problem is that my web server document root

83
00:04:05,000 --> 00:04:06,000
doesn't work.

84
00:04:06,000 --> 00:04:10,000
And when I use grep avc on /var/log/audit/

85
00:04:10,000 --> 00:04:13,000
audit.log again, we can understand the problem.

86
00:04:13,000 --> 00:04:15,000
I'm only taking out the last line

87
00:04:15,000 --> 00:04:17,000
because the message is always the same.

88
00:04:17,000 --> 00:04:20,000
It's telling me about an scontext.

89
00:04:20,000 --> 00:04:21,000
That's a source context.

90
00:04:21,000 --> 00:04:24,000
That is the context that is used by the command httpd,

91
00:04:24,000 --> 00:04:26,000
which is listed here.

92
00:04:26,000 --> 00:04:29,000
And the relevant part is stating that the source context

93
00:04:29,000 --> 00:04:31,000
is httpd_t.

94
00:04:31,000 --> 00:04:33,000
Now we have the target context,

95
00:04:33,000 --> 00:04:35,000
which is the context that is applied

96
00:04:35,000 --> 00:04:37,000
to the file that we are trying to access.

97
00:04:37,000 --> 00:04:40,000
And that is set to default_t.

98
00:04:40,000 --> 00:04:42,000
And that is what is wrong here.

99
00:04:42,000 --> 00:04:45,000
SELinux doesn't allow httpd_t

100
00:04:45,000 --> 00:04:48,000
to access default_t

101
00:04:48,000 --> 00:04:52,000
because SELinux is used to protect against unauthorized access.

102
00:04:52,000 --> 00:04:54,000
So SELinux wants controlled access,

103
00:04:54,000 --> 00:04:57,000
and default_t, that is uncontrolled

104
00:04:57,000 --> 00:04:58,000
because that's a default.

105
00:04:58,000 --> 00:05:00,000
That's just anything.

106
00:05:00,000 --> 00:05:01,000
So what do we need?

107
00:05:01,000 --> 00:05:03,000
Well, we can still see it here.

108
00:05:03,000 --> 00:05:04,000
If it's a document root,

109
00:05:04,000 --> 00:05:07,000
this html directory is a document root.

110
00:05:07,000 --> 00:05:10,000
So httpd_sys_content_t is a document root

111
00:05:10,000 --> 00:05:12,000
that I need to set.

112
00:05:12,000 --> 00:05:13,000
On which?

113
00:05:13,000 --> 00:05:17,000
Well, let me show you ls -ldZ on /web.

114
00:05:17,000 --> 00:05:21,000
Well, /web currently has default_t.

115
00:05:21,000 --> 00:05:22,000
Now how do we do that?

116
00:05:22,000 --> 00:05:27,000
I would advise: use man semanage-fcontext.

117
00:05:27,000 --> 00:05:30,000
semanage is the main command to manage SELinux stuff.

118
00:05:30,000 --> 00:05:33,000
semanage works with subcommands,

119
00:05:33,000 --> 00:05:36,000
and the structure is semanage-subcommand.

120
00:05:36,000 --> 00:05:39,000
Use the man page, go all the way down,

121
00:05:39,000 --> 00:05:41,000
and you can see examples.

122
00:05:41,000 --> 00:05:43,000
Now this example is very easy.

123
00:05:43,000 --> 00:05:46,000
It's so easy that I'm just going to copy it

124
00:05:46,000 --> 00:05:49,000
and I'm going to paste it

125
00:05:49,000 --> 00:05:51,000
so that I have the example on screen

126
00:05:51,000 --> 00:05:54,000
and then I'm typing semanage fcontext.

127
00:05:54,000 --> 00:05:57,000
I like typing it because if you type it a lot,

128
00:05:57,000 --> 00:05:59,000
there will be a moment that you start remembering.

129
00:05:59,000 --> 00:06:03,000
-a for add, -t for the context type,

130
00:06:03,000 --> 00:06:08,000
and the context type is going to be set to httpd_sys_content_t,

131
00:06:08,000 --> 00:06:11,000
and we do that on /web,

132
00:06:11,000 --> 00:06:14,000
and this here is a regular expression

133
00:06:14,000 --> 00:06:16,000
that indicates that you want to apply it

134
00:06:16,000 --> 00:06:19,000
to anything below the /web directory.

135
00:06:19,000 --> 00:06:22,000
And then the second part is restorecon

136
00:06:22,000 --> 00:06:24,000
-Rv on /web.

137
00:06:24,000 --> 00:06:29,000
That will apply the new context from the policy to the directory

138
00:06:29,000 --> 00:06:33,000
and the result, well, if I use my curl localhost command again,

139
00:06:33,000 --> 00:06:37,000
even if we are in enforcing mode right now,

140
00:06:37,000 --> 00:06:39,000
it's working.

141
00:06:39,000 --> 00:06:41,000
Oops, we were still in permissive mode.

142
00:06:41,000 --> 00:06:43,000
Well, that's an easy change.

143
00:06:43,000 --> 00:06:46,000
setenforce enforcing,

144
00:06:46,000 --> 00:06:50,000
and we will see that it is still working.

