A way to trigger an SELinux policy violation?
To demonstrate SELinux's utility in bug detection for third-party / your own developer's code, here's a memory protection test (modifying the first code example here):
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>   /* close() */
int main (void) {
  // open file read-write, get a memory-mapped pointer with private access, write permission
  int fd = open ("file_to_test", O_RDWR);
  if (fd < 0) { perror ("open"); return 1; }
  char *p = mmap (NULL, 42, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  if (p == MAP_FAILED) { perror ("mmap"); return 1; }
  p[0] = 'a'; // put something (the write to the private copy is what makes this an execmod case)
  // Update protection mode; SELinux response depends on sebool: allow_execmod
  int r = mprotect (p, 42, PROT_READ | PROT_EXEC);
  // Display mprotect result
  printf ("mprotect = %d\n", r);
  munmap (p, 42);
  close (fd);
  return 0;
}
Compile and show default (not caught)
$ echo "test data" > file_to_test
$ gcc execmod.c
$ ./a.out
mprotect = 0
$ sudo aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
<no events of interest were found>
Change booleans to catch the problem:
$ sudo getsebool allow_execmod
allow_execmod --> on
$ sudo setsebool allow_execmod 0
$ ./a.out
mprotect = -1
$ sudo aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/30/2015 12:26:41 a.out unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 10 file execmod unconfined_u:object_r:user_home_t:s0 denied 3612
This clearly demonstrates a MAC policy where an equivalent DAC could have been bypassed on a base install of CentOS 7.
By default (in CentOS at the time of writing) unprivileged, non-system users are logged in as the 'unconfined_u' role. However, we can change our system so that our unprivileged user 'alice' is placed into the 'user_u' role instead. The default policies can be made to clearly restrict this role with only a small amount of additional configuration.
[root]# echo "alice:user_u:s0-s0:c0.c1023" >> /etc/selinux/targeted/seusers
Now switch off the ability for these users to execute files located in their home directories and /tmp. Once again, the default is to allow this behaviour. This command may take a moment to complete.
[root]# setsebool -P user_exec_content off
Now (with our unprivileged user) we can log in and attempt to execute something in one of these no-go areas. As you can see, we are denied.
[alice]$ cp /bin/ls /tmp/
[alice]$ /tmp/ls
-bash: /tmp/ls: Permission denied
Finally, we can view the AVC log to see our SELinux denial.
[root]# aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 02/05/15 21:08:33 bash user_u:user_r:user_t:s0 59 file execute user_u:object_r:user_tmp_t:s0 denied 693