Fedora 32 : Can be better? part 010.

In this tutorial I will show you how can easy learn with a simple example to have a better Fedora distro with SELinux. 

SELinux uses a policy store to keep track of its loaded policy modules and related settings. 

You can see my active policy store name is MLS.

[root@desk mythcat]# sestatus | grep Loaded
Loaded policy name:             mls

I want to create policy in the most easy way to denny memory. 

I can use many way to do that or find it on SELinux. 

If you want to deny user domains applications to map a memory region as both executable and writable you can use deny_execmem. 

This is dangerous and the executable should be reported in bugzilla and is is enabled by default. 

You must turn on the deny_execmem boolean.

setsebool -P deny_execmem 1

Let's use it:

[root@desk mythcat]# setsebool -P deny_execmem 1
[root@desk mythcat]# ausearch -c 'Web Content' --raw | audit2allow -M my-WebContent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-WebContent.pp

[root@desk mythcat]# semodule -X 300 -i my-WebContent.pp

Let's see if this SELinux is currently loaded:

[root@desk mythcat]# semodule -l | grep Web
my-WebContent

Fedora 32 : Can be better? part 007.

Another article in the Can be better? series that deals with a very popular feature called SELinux. Here that in this seventh part I will introduce you to the world of SELinux in my own style of simply explaining some SElinux configurations.
Let's recap some basic elements specific to SELinux.
Multi Category Security or MCS is a discretionary implementation of the mandatory Multi Level Security
MCS basically tries to use the MLS attributes: Security Levels and Security Compartments.
MCS implemented have one or more extra fields in their Security Context tuple: user_u:role_r:type_t:s0:c0.
You can see this with id -Z.
The MLS Range contains two components, the low (classification and compartments) and high (clearance).
sensitivity label build from the low component: s2 with c1, c2 ...
MCS does have 1024 categories that can be assigned to processes and files.
On an MLS system are two special labels, SystemLow(s0) and SystemHigh (s15:c0.c255).
The upper end of the MCS range is in an MCS environment s0:c0.c1023 is SystemHigh.
By default, everything in an MCS environment has access to SystemLow or s0.
You will able to access files with s0:c122 and s0:c123 categories.
The MLS translation mechanism to give a more literal meaning to the machine-like policy used in the MLS sensitivity and category declaration.
The MLS rule says: "no read up and no write down".
The MLS model is used to enforce confidentiality.
All processes that are forced to operate with Security Level.
The s0 Security Level or SystemLow level is the lower end of the Security Level Range in an MLS environment.
If you do not have the correct configurations then the SELinux setting operation for Enforcing could generate errors in the linux operation after reboot or during Linux operation.
You will need to have the root password and return for new SELinux settings.
Let's solve this issue: put SELinux into Enforce mode but give my user possibility to use command sudo su.
First, you need to see this table:

SELinux user	Description	Used for
unconfined_u	SELinux user meant for unrestricted users. Unconfined users have hardly any restrictions in a SELinux context and are meant for systems where only Internet-facing services should run confined (i.e. the targeted SELinux policy store).	All users on a targeted system
root	The SELinux user meant for the root account	The Linux root account
sysadm_u	SELinux user with direct system administrative role assigned	Linux accounts that only perform administrative tasks
staff_u	SELinux user for operators that need to run both non-administrative commands (through the staff_r role) and administrative commands (through the sysadm_r role).	Linux accounts used for both end user usage as well as administrative tasks
user_u	SELinux user for non-privileged accounts	Unprivileged Linux accounts
system_u	Special SELinux user meant for system services	Not used directly

Is need to change my user mythcat to staff_u with a good MLS Range.

[root@desk mythcat]# semanage login --modify --seuser staff_u --range s2:c100 mythcat
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s0-s15:c0.c1023 mythcat
[root@desk mythcat]# semanage login -l 
[root@desk mythcat]# setenforce enforcing
[root@desk mythcat]# getenforce
Enforcing
[root@desk mythcat]# semanage login -l 
ValueError: Cannot read policy store.

After reboot need some time to load the new changes, first is the last configuration.

[mythcat@desk ~]$ semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
[mythcat@desk ~]$ id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
[mythcat@desk ~]$ sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33

Few seconds later all is good:

[mythcat@desk ~]$ sudo su 
[sudo] password for mythcat: 
bash: /root/.bashrc: Permission denied
bash-5.0# ls
bash-5.0# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
bash-5.0# id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
bash-5.0# exit 
exit
[mythcat@desk ~]$ sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33

Everything is fine for now, this delay is the reason for using the selinux kernel settings. More information about Multi-Level Security and Multi-Category Security can be found on this webpage.

Fedora 31 : Can be better? part 006.

I try to use the Selinux MLS with Fedora 31 and I wrote on my last article about Fedora 31 : Can be better? part 005.
After relabeling the files and start the environment I get multiple errors and I ask an answer at fedoraproject lists:
This is an example of the problem of implementing MLS in Fedora and can be remedied because MLS Selinux is old in implementing Selinux.

SELinux is preventing su from open access on the file /var/log/lastlog.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that su should be allowed open access on the lastlog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'su' --raw | audit2allow -M my-su
# semodule -X 300 -i my-su.pp 

I try to fix it but I got this error:

[root@desk mythcat]# ausearch -c 'su' --raw | audit2allow -M my-su
compilation failed:
my-su.te:36:ERROR 'syntax error' at token 'mlsconstrain' on line 36:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)  
or (t1 == mlsfilewritetoclr -Fail-)  and (h1 dom l2 -Fail-)  and (l1 domby l2)  or (t2 == 
mlsfilewriteinrange -Fail-)  
and (l1 dom l2 -Fail-)  an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1 == 
mlsfilereadtoclr -Fail-)  
and (h1 dom l2 -Fail-)  or (t1 == mlsfileread -Fail-)  or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
[root@desk mythcat]# ausearch -c 'su' --raw | audit2allow -M my-su
compilation failed:
my-su.te:36:ERROR 'syntax error' at token 'mlsconstrain' on line 36:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)  
or (t1 == mlsfilewritetoclr -Fail-)  and (h1 dom l2 -Fail-)  and (l1 domby l2)  or (t2 == 
mlsfilewriteinrange -Fail-)  
and (l1 dom l2 -Fail-)  an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1 == 
mlsfilereadtoclr -Fail-)  
and (h1 dom l2 -Fail-)  or (t1 == mlsfileread -Fail-)  or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule:  error(s) encountered while parsing configuration...

Fedora 31 : Can be better? part 005.

Today we have once again dealt with this topic on the possibilities of improving the Fedora distro.
This time the adventure turned to the Selinux system switching to SELinux MLS.
Let's test the SELinux Fedora 31 from default targeted to mls.
First let's see the users:

[root@desk mythcat]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

To use the MLS you need to change this file:

[root@desk mythcat]# vim /etc/selinux/config


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

The changes are:

#SELINUX=enforcing
SELINUX=permissive
...
#SELINUXTYPE=targeted
SELINUXTYPE=mls

Is need to install these packages:

[root@desk mythcat]# dnf search mls | grep selinux
Last metadata expiration check: 2:45:09 ago on Sun 02 Feb 2020 01:28:54 PM EET.
selinux-policy-mls.noarch : SELinux mls base policy
[root@desk mythcat]# dnf install selinux-policy-mls.noarch
...
Installed:
  mcstrans-2.9-2.fc31.x86_64                                                    
  policycoreutils-newrole-2.9-5.fc31.x86_64                                     
  selinux-policy-mls-3.14.4-45.fc31.noarch                                      

Complete!

These commands will relabel and start the MLS.

[mythcat@desk ~]$ setenforce 0
[mythcat@desk ~]$ getenforce
Permissive
...
[root@desk mythcat]# touch /.autorelabel
[root@desk mythcat]# reboot

If you have problems on boot the add selinux=0 on boot kernel.
After I boot and relabel all files I got errors about Gtk-Messages.
I remove my old Cinnamon with this command:

[root@desk mythcat]# dnf groupremove -y "Cinnnamon"

I list all my group with dnf tool:

[root@desk mythcat]# dnf grouplist -v 

I install the MATE environment:

dnf groupinstall -y "MATE Desktop" --allowerasing

After that the only way to start the environement is this command:

[mythcat@desk ~]$ sudo systemctl restart lightdm.service

Another issue comes from SELinux Alert Browser, where I get multiple alerts and these need to fix manually.
First, these alerts are more than 250.
After I fix some of these now I see only 50.
I think this problem with changing the SELinux type can be improved.