Thursday, November 20, 2014

How do I tell what would be allowed by a SELinux boolean

danwalsh
May 28th, 2013

I received an email today that asked the following question:

I still fail to understand the difference between httpd_can_network_connect_db and httpd_can_network_connect. Some people say the former allows connections to known database ports. My questions are:

What are these ports? Where are the corresponding policies defined? I found many .pp files deep under /etc/selinux, and I feel sorry that they are binary, which is almost impossible to interpret, so where can I find the source files for the compiled policy, and what is the language used to define policies?

You could use the semanage command to see how the booleans are described.

> semanage boolean -l | grep httpd_can_network_connect
httpd_can_network_connect_db (off , off) Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect (off , off) Allow HTTPD scripts and modules to connect to the network using TCP.

The best answer to this is to look at the sesearch and seinfo tools and, on newer (Fedora/RHEL7) systems, the sepolicy command. Also look at the man pages that have been generated.

man httpd_selinux

sesearch and seinfo are available in the setools-cmdline package. sepolicy is in the policycoreutils-python package.

httpd_can_network_connect_db

> sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect
allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_t mssql_port_t : tcp_socket name_connect ;
allow httpd_t oracle_port_t : tcp_socket name_connect ;
allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_t gds_db_port_t : tcp_socket name_connect ;

The command above reads in the policy and prints out which rules become active when you enable the httpd_can_network_connect_db boolean. We further restrict the search to see how it affects the httpd_t (apache) process type with the name_connect access. sesearch tells us that turning on httpd_can_network_connect_db would allow the httpd_t domain to connect to tcp ports labeled postgresql_port_t, mssql_port_t, oracle_port_t, mysqld_port_t and gds_db_port_t. You can use seinfo to turn these port types into port definitions. semanage port -l would also work.

> seinfo --port | grep -e postgresql_port_t -e mysqld_port_t -e oracle_port_t -e gds_db_port_t | grep tcp
portcon tcp 3050 system_u:object_r:gds_db_port_t:s0
portcon tcp 1186 system_u:object_r:mysqld_port_t:s0
portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
portcon tcp 63132-63164 system_u:object_r:mysqld_port_t:s0
portcon tcp 1521 system_u:object_r:oracle_port_t:s0
portcon tcp 2483 system_u:object_r:oracle_port_t:s0
portcon tcp 2484 system_u:object_r:oracle_port_t:s0
portcon tcp 5432 system_u:object_r:postgresql_port_t:s0

> sepolicy network -t postgresql_port_t
postgresql_port_t: tcp: 5432

httpd_can_network_connect

> sesearch -A -s httpd_t -b httpd_can_network_connect -p name_connect
Found 1 semantic av rules:
allow httpd_t port_type : tcp_socket name_connect ;

The above command shows that httpd_can_network_connect allows httpd_t to connect to every tcp port whose type carries the port_type attribute.

> seinfo -aport_type -x | wc -l
245

Using seinfo as above shows that port_type is the attribute shared by all port types, meaning that turning on the httpd_can_network_connect boolean allows the httpd_t domain to connect to ALL tcp network ports.

Bottom line: httpd_can_network_connect_db allows httpd_t to connect to an additional 10 ports, while httpd_can_network_connect adds thousands.
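A small script, added here and not part of Dan's post, that automates the two lookups above: it parses the allow rules sesearch prints for a boolean and joins them with seinfo --port output to list the tcp ports each target type covers. The sample text is constructed from the listings above (with one udp line added so the protocol filter has something to drop); on a real system, feed it the live output of the two commands instead.

```python
import re

# Constructed sample output copied from the post's listings; the udp line is added to exercise the filter.
SESEARCH_DB = """\
allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_t mssql_port_t : tcp_socket name_connect ;
allow httpd_t oracle_port_t : tcp_socket name_connect ;
allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_t gds_db_port_t : tcp_socket name_connect ;
"""
SEINFO_PORTS = """\
portcon tcp 3050 system_u:object_r:gds_db_port_t:s0
portcon tcp 1186 system_u:object_r:mysqld_port_t:s0
portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
portcon tcp 63132-63164 system_u:object_r:mysqld_port_t:s0
portcon tcp 1521 system_u:object_r:oracle_port_t:s0
portcon tcp 2483 system_u:object_r:oracle_port_t:s0
portcon tcp 2484 system_u:object_r:oracle_port_t:s0
portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
portcon udp 5432 system_u:object_r:postgresql_port_t:s0
"""

# Accepts both "tgt : cls { perms } ;" (setools3) and "tgt:cls { perms };" (setools4) spacing.
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")
PORTCON_RE = re.compile(r"^\s*portcon\s+(\w+)\s+(\S+)\s+\S+:object_r:(\S+?):")

def parse_sesearch(text, cls="tcp_socket", perm="name_connect"):
    """Targets (types or attributes) granted `perm` on `cls` in sesearch -A output."""
    targets = set()
    for m in filter(None, map(ALLOW_RE.match, text.splitlines())):
        if m.group(3) == cls and perm in (m.group(4) or m.group(5)).split():
            targets.add(m.group(2))
    return targets

def parse_portcon(text, proto="tcp"):
    """Map port type -> port specs ('5432', '63132-63164') from seinfo --port output."""
    ports = {}
    for m in filter(None, map(PORTCON_RE.match, text.splitlines())):
        if m.group(1) == proto:
            ports.setdefault(m.group(3), []).append(m.group(2))
    return ports

def ports_for_boolean(sesearch_text, portcon_text):
    """Resolve each allow-rule target to its tcp ports. A type with no portcon entry, or
    an attribute such as port_type (expand it with seinfo -a<attr> -x), maps to []."""
    ports = parse_portcon(portcon_text)
    return {t: ports.get(t, []) for t in sorted(parse_sesearch(sesearch_text))}

if __name__ == "__main__":
    for t, p in ports_for_boolean(SESEARCH_DB, SEINFO_PORTS).items():
        print(f"{t}: {', '.join(p) or '(no tcp portcon in sample)'}")
```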

http://danwalsh.livejournal.com/64779.html
