Running this command however gave some strange output, primarily ? marks. I thought this was a little strange but had other things that I needed to do at the time and decided that I would look into it later.

This weekend was that time. Let me say that I use SELinux on my Red Hat and CentOS machines and think that it is a very good way to help secure a machine. However it is anything but intuitive. If it weren’t for some very good documentation at Red Hat I probably never would have been successful at using this security tool. Mind you I’m no guru with it but I have six servers using it and I know how to troubleshoot SeLinux problems.

Which brings me to the part about Ubuntu and SELinux that I find disturbing. Doing some Google searching I ran across two pages regarding Ubuntu and SELinux. Both of them had no usable information in them other than how to install SELinux. Nothing about what to expect, how to troubleshoot, what a context or a boolean is nor did it mention if Ubuntu provided any troubleshoooting tools like setroubleshoot. You can find these two pages here and here.

The documentation only warned that SELinux is for experienced users. While that is an understatement how do they expect people to start using it to protect their machines? It would seem to indicate that they have no real interest in their users having the ability to use SELinux. I personally think that is a shame. I also believe that it is going to hurt their efforts at becoming enterprise ready especially with their server product. I certainly won’t be installing Ubuntu on any of my critical machines.

-j

Moving on I mentioned that my MySQL server is on one box and my web server on another. One of the applications that I use is KPlaylist. This is a streaming server for mp3s, movies or just about anything you want to stream. My first snag was getting it to log into MySQL and create the database.

After about an hour of looking for normal causes I decided to turn on setroubleshoot. This is a great tool when looking for SELinux problems. After I turned it on I found this in /var/log/messages:

Nov 20 15:40:47 web setroubleshoot: SELinux is preventing the http daemon from connecting to network port 3306 For complete SELinux messages. run sealert -l 65919ff0-ddd1-4a4b-801d-f54023da86ac

So then I ran the sealert command shown in the message:

sealert -l 65919ff0-ddd1-4a4b-801d-f54023da86ac

This gave me the following along with some other information:

setsebool -P httpd_can_network_connect=1


Voila! My problem was fixed. Well almost. I then discovered that iptables was blocking the port. After opening the port using the gui “system-config-securitylevel” all was well. KPLaylist installed it’s database just like it was supposed to.

My next hurdle was getting the nfs share on the music-repo server to mount on to the web server. Checking for another sealert I found one on the webserver called

Nov 20 23:57:33 web setroubleshoot: SELinux prevented the http daemon from reading files stored on a NFS filesytem. For complete SELinux messages. run sealert -l f76bd0be-d375-436f-9c09-2086da0d7a39

After running this I got the following information:

setsebool -P httpd_use_nfs=1


Well this didn’t totally solve my problem but I did notice that things were getting fixed with the setsebool command. I went looking around the net to see what I could learn about it.

What I learned is that if you are having a problem with a service is that you should run the command getsebool -a |grep someservice. I decided to try that with NFS and this is what I got:

[root@music-repo ~]# getsebool -a |grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
samba_share_nfs --> off
use_nfs_home_dirs --> off
[root@music-repo ~]#

The last line was what I found interesting. I had originally had my music directory on the music-repo machine at the root of the system. My thought was OK let’s create a user with a home directory and enable that boolean. I created a user on the musiic-repo system called apache and moved the /music directory into /home/apache. I then ran the command:

setsebool -P use_nfs_home_dirs=on


I also moved my music directory that I was mounting to under /var/www which is apache’s home and ran the same command. Now everything was connected and working like it is supposed to be.

A note of interest to those of you who would prefer a gui..you should install policycoreutils-gui. This will give you a nice gui called system-config-selinux. In this gui you can browse through everthing SELinux has to say and can change.

Now to get that setup as a share for the Windows users so that they can store their music and get it backed up.

-j

The Windows people are looking to lock down their machines because of the horrendous numbers of viruses, trojans and other malware that attacks them. Apparently user education, anti-virus and anti-whatever just is not getting the job done.

Windows machines in the past have used the traditional methods for fighting malware. Anti-virus tracks and quarantines certain bits that are known malware problems. This is known as blacklisting. Whitelisting is the process by where certain executables are approved to run on a certain machine.

Now let’s have a look at SELinux which was first implemented by Red Hat several years ago. While Linux in general does not have a problem with malware an unprotected machine could get hacked and unwanted applications installed. Red Hat wanted a way to stop this type of intrusion. Let’s look a little deeper how this came into play.

SELinux was originally a development project from the National Security Agency (NSA )[19] and others. It is an implementation of the Flask operating system security architecture.[20]The NSA integrated SELinux into the Linux kernel using the Linux Security Modules (LSM ) framework. SELinux motivated the creation of LSM, at the suggestion of Linus Torvalds, who wanted a modular approach to security instead of just accepting SELinux into the kernel.

You can see the rest of the article here

So here we have a security application mostly developed by the NSA.

Much of the work to get the kernel ready for upstream, as well as subsequent SELinux development, has been a joint effort between the NSA, Red Hat, and the community of SELinux developers.

Now let’s look at how SELinux runs under Red Hat and any other *nix that uses it. Red Hat uses what is called a target policy for SELinux. SELinux creates what are known as domains. Each daemon has it’s own domain. Every daemon on the system runs under the unconfined_t domain except for those that have targeted specific domains. Daemons that run under the unconfined_t domain fall back to using standard Linux security. As an example the http and ntp daemons run under the targeted policy by default and are therefore protected. If you haven’t experienced what happens under this protection, if one of the binaries or configuration files get put into the wrong context the daemon will not start.

This should be starting to sound familiar to the definition of Application Whitelisting above. It will be interesting to see if the Windows shops buy into this method of protection. I also expect some announcement from Microsoft or some other big firm how they have developed this new concept and are providing it as a tool to protect Window applications. I wonder how much the licensing fee and yearly maintenance will be on that…

-j

First up are the /var/log/audit/audit.log, /var/log/security and /var/log/messages. If selinux is set to enforcing and you’ve just installed a new application or created a file or directory that is not allowing proper access these three files are the place to go. Before you do this make sure the following applications are installed:
setroubleshoot.noarch
setroubleshoot-plugins.noarch
setroubleshoot-server.noarch

After installing these make sure that you start the setroubleshoot application and set it to start on reboot:

/etc/init.d/setroubleshoot start
Starting setroubleshootd: [ OK ]
chkconfig setroubleshoot on


Watch the logs in real time as you attempt to access the application, file or directory like this:

cd /var/logs
tail -f security audit/audit.log messages

After doing this hit enter three times to give you some white space between the old messages and the new ones that are generated. If selinux is giving you a problem you will see something like the following in the messages log:

Nov 5 08:18:44 centos5-dev setroubleshoot: SELinux is preventing access to files with the label, file_t. For complete SELinux messages. run sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37


To find out not only what is going on but how to fix it run the sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37 command described in the message.

[root@centos5-dev ~]# sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37

host=centos5-dev.hendricks.org type=SYSCALL msg=audit(1225891119.851:12): arch=40000003 syscall=5 success=no exit=-13 a0=b7fb2b4b a1=0 a2=bfd8a2b4 a3=8 items=0 ppid=2633 pid=2634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hpssd.py" exe="/bin/env" subj=system_u:system_r:hplip_t:s0 key=(null)
[root@centos5-dev ~]#

The part that we are interested in is under the above heading Allowing Access: You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"
When we run this command this will fix our problem. Note that these problems could run from accessing html pages to allowing a public web directory in your home directory.

Next up we have the command:

chcon --reference

Lets say you are using your localhost as your web server. You decide that you want to add some virtual hosts. You then add the virtual host directories outside of the normal /var/www/html directory. You build your virtual hosts but now you can’t access them. Watching your messages you see that this is definitely an selinux problem. Using the above command we can fix our problem like this:

chcon --reference /var/www/html /srv/www/vhosts #This will fix the selinux properties on the root directory of the virtual hosts
chcon -- reference /var/www/html/* /srv/www/vhosts/* # This will fix the properties on the files in case they are different from the directory

This code references the contexts of the given files or directories and applies them to the new files and directories. Now every time that you add a file or directory under /srv/www/vhosts it will get the proper selinux context.

The last way that we are going to discuss is restorecon. Taking the above scenario under either of the directories you find that some files or directories did not pick up the correct context or maybe none at all. Easy enough to fix:

restorecon /var/www/html

The reason this works is because the restorecon looks at the current contexts of the other files and directories and applies that context to the ones with the incorrect or no context.

There you have it. Keep your sanity and still use SELinux.

-j