Sep 05 2012

This post will guide you through a simple setup to confine users defined in LDAP using Security-Enhanced Linux. SELinux on RHEL6/Debian Wheezy comes with confined user roles which allow a quick and easy setup for restricting the users who are given access to your machines.

# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023

Looking at these default login mappings, you can see that not a whole lot is restricted on a cleanly-installed machine. Any user you add will log in as unconfined_u (context unconfined_u:unconfined_r:unconfined_t), a SELinux user that the targeted policy barely constrains: access control for that session effectively falls back to the ordinary DAC permissions and whatever other mechanisms are in place, not SELinux.

Depending on the role that this machine will play in your organization, you probably want to set the default to something other than unconfined_u. The SELinux users shipped with the targeted policy, and the contexts each of them may log in with, are listed in /etc/selinux/targeted/contexts/users/.

# ls -l /etc/selinux/targeted/contexts/users/
total 24
-rw-r--r--. 1 root root 253 Jun 18 09:01 guest_u
-rw-r--r--. 1 root root 389 Jun 18 09:01 root
-rw-r--r--. 1 root root 514 Jun 18 09:01 staff_u
-rw-r--r--. 1 root root 578 Jun 18 09:01 unconfined_u
-rw-r--r--. 1 root root 353 Jun 18 09:01 user_u
-rw-r--r--. 1 root root 307 Jun 18 09:01 xguest_u

For our purposes, we'll set the __default__ SELinux user to user_u, which gets a login shell and network access but cannot use su or sudo and cannot become root. To do this, run semanage login -m -s user_u -r s0 __default__. The -r s0 is the MLS/MCS range; with the targeted policy, s0 is all an ordinary user needs. Keep in mind that a login mapping is applied at login time, so sessions that are already open keep their old context. You can see the change below.

# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               user_u                    s0                       
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023
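The mapping table above is what you want to audit on every host after the change, and the check is easy to script. The POSIX sh below is an added example (not code from the original post): it parses the `semanage login -l` format into functions that report what __default__ maps to and which logins are still mapped to unconfined_u, plus a small check on a context string of the form `id -Z` prints. The mapping table embedded in it is constructed sample data, with an invented login jdoe left unconfined so the audit has something to flag; it is not output from the author's machine.

```shell
#!/bin/sh
# Audit of "semanage login -l" output: what __default__ maps to and which
# logins still land in unconfined_u. Added example, not from the original
# post. SAMPLE_LOGINS is constructed to match the format shown above;
# the login "jdoe" is invented so that the audit has a hit.

SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
solj                      staff_u                   s0-s0:c0.c1023
jdoe                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# stdin: semanage login -l output. Prints "login seuser range" triples,
# skipping the header and blank lines (extra columns on newer releases
# are ignored).
parse_logins() {
    awk 'NF >= 2 && $1 != "Login" { print $1, $2, $3 }'
}

# Print the SELinux user that __default__ maps to (empty if no mapping).
default_seuser() {
    parse_logins | awk '$1 == "__default__" { print $2 }'
}

# Print logins other than root that are mapped to unconfined_u, one per line.
unconfined_logins() {
    parse_logins | awk '$2 == "unconfined_u" && $1 != "root" { print $1 }'
}

# check_context CONTEXT ROLE TYPE: succeed when a context string such as
# "staff_u:staff_r:staff_t:s0-s0:c0.c1023" (what "id -Z" prints) has the
# expected role and type. The range may itself contain colons, so only
# fields 2 and 3 are looked at.
check_context() {
    ctx=$1; want_role=$2; want_type=$3
    ctx_role=$(printf '%s\n' "$ctx" | cut -d: -f2)
    ctx_type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ "$ctx_role" = "$want_role" ] && [ "$ctx_type" = "$want_type" ]
}

# stdin: semanage login -l output. Returns 1 when any login besides root
# is still unconfined, so the script can be used as a compliance check.
audit_logins() {
    input=$(cat)
    def=$(printf '%s\n' "$input" | default_seuser)
    echo "__default__ maps to: ${def:-<none>}"
    bad=$(printf '%s\n' "$input" | unconfined_logins)
    if [ -n "$bad" ]; then
        echo "logins still mapped to unconfined_u:"
        printf '%s\n' "$bad" | sed 's/^/  /'
        return 1
    fi
    echo "no logins mapped to unconfined_u besides root"
}

# Demonstration run on the constructed sample; the status is ignored here
# so the file can also be sourced. On a real host, as root:
#   semanage login -l | audit_logins
printf '%s\n' "$SAMPLE_LOGINS" | audit_logins || true
```

On a real host run it as root and pipe the live table in (`semanage login -l | audit_logins`); a non-zero exit means some login, or __default__ itself, still maps to unconfined_u. The `check_context` helper is the same test you make by eye on the `id` output later in this post.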

Now, any user who does not have an explicit entry in the output above will be confined to user_u. Great! So, what about privileged users who may need sudo access? The user_u profile is inadequate for these types of users as it's very restrictive. A more appropriate SELinux user is staff_u, which is allowed to run sudo and to switch into sysadm_r. My user account only exists in LDAP.

# grep -c solj /etc/passwd
# getent passwd solj
solj:*:1000:2000:Sol Jerome:/home/solj:/bin/bash

That does not matter to SELinux: login mappings are keyed on the login name and resolved from the policy's seusers file at login time (by pam_selinux), so an account that exists only in LDAP is handled exactly like a local one. The first thing to do is add a login mapping for the user; no -r is given here, so the range defaults to the one defined for staff_u.

# semanage login -a -s staff_u solj

Now, logging in again as that user (the mapping takes effect on new logins, not on sessions that are already open) should give you the proper security context.

$ id
uid=1000(solj) gid=2000(sysadmin) groups=2000(sysadmin) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023

Okay, now the last part is to give this person sudo access. My sudo configuration resides in LDAP, so I need to add two sudoOptions that tell sudo which SELinux role and type to run the command in; without them, sudo changes the uid to root but leaves the new shell in the caller's staff_t domain, which the policy does not allow into root's home directory. The following is the kind of error you will see if these options are not present (the matching denial shows up in ausearch -m avc).

$ sudo -i
-bash: /root/.bash_profile: Permission denied

With sudoers in LDAP, the role and type are given as sudoOption attributes on the sudoRole entry (in a sudoers file the same thing is written as ROLE=sysadm_r TYPE=sysadm_t on the command spec). The correct entry should look like the following.

cn: solj
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoRunAs: ALL
sudoUser: solj
sudoCommand: ALL
sudoOption: role=sysadm_r
sudoOption: type=sysadm_t

And now when I run sudo, the transition to sysadm_r:sysadm_t happens with no problem. Note that the SELinux user part of the context stays staff_u; only the role and type change.

$ sudo -i
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
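For anyone who keeps sudoers in a file rather than in LDAP, or who wants to lint the LDAP entries before pushing them, here is an added example (again not the author's code): a POSIX sh function that reads one sudoRole entry in the LDIF form shown above and either prints the equivalent /etc/sudoers line or fails when the role=/type= options are missing, which is exactly the misconfiguration that produces the Permission denied above. Both LDIF entries embedded in it are constructed: the first copies the entry from this post, the second is the same entry with the two sudoOptions removed.

```shell
#!/bin/sh
# Convert a sudoRole LDIF entry to the equivalent sudoers line and refuse
# entries that lack the SELinux role/type options. Added example, not from
# the original post. Both entries below are constructed.

# Mirrors the working entry shown above.
GOOD_ENTRY='cn: solj
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoRunAs: ALL
sudoUser: solj
sudoCommand: ALL
sudoOption: role=sysadm_r
sudoOption: type=sysadm_t'

# Same entry without the SELinux options: "sudo -i" would leave the shell
# in the caller's staff_t domain, as in the failing run above.
BAD_ENTRY='cn: solj
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoRunAs: ALL
sudoUser: solj
sudoCommand: ALL'

# stdin: one sudoRole entry. Prints "user host=(runas) ROLE=r TYPE=t cmds",
# or prints a message on stderr and returns 1 if role= or type= is absent.
# sudoRunAs (old schema) and sudoRunAsUser (newer schema) are both accepted.
ldif_to_sudoers() {
    awk '
        function val() { return substr($0, index($0, ": ") + 2) }
        /^sudoUser:/         { user = val() }
        /^sudoHost:/         { host = val() }
        /^sudoRunAs/         { runas = val() }
        /^sudoCommand:/      { cmds = (cmds == "" ? val() : cmds ", " val()) }
        /^sudoOption: role=/ { serole = substr(val(), 6) }
        /^sudoOption: type=/ { setype = substr(val(), 6) }
        END {
            if (serole == "" || setype == "") {
                print "missing sudoOption role=/type=: shell would stay in the caller domain" > "/dev/stderr"
                exit 1
            }
            printf "%s %s=(%s) ROLE=%s TYPE=%s %s\n", user, host, runas, serole, setype, cmds
        }'
}

# Demonstration on the constructed entries; the bad one is expected to fail.
printf '%s\n' "$GOOD_ENTRY" | ldif_to_sudoers
printf '%s\n' "$BAD_ENTRY" | ldif_to_sudoers || echo "bad entry rejected, as intended"
```

The good entry yields `solj ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL`, which is the line you would put in /etc/sudoers (or a file under /etc/sudoers.d) on a host without LDAP sudoers. Feed it entries exported with ldapsearch one at a time; the function deliberately handles a single entry per invocation.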
Posted at 18:03