Selinux

LinuxMaster9 · February 4, 2019, 2:18pm

I want to setup my Fedora 29 Server to use SELinux to secure my server.

The services I need to use are: SABnzbd, Sonarr, Jellyfin, Plex, Docker, Cockpit.

I have not really found anything on using SABnzbd, Sonarr, Jellyfin or Plex with SELinux other than that I apparently need to disable SELinux. Surely there is a way to use them with SELinux.

AnotherDev · February 4, 2019, 2:34pm

I can’t speak for your other applications, but I did find something similar regarding Plex that I had to do with Zabbix:

setsebool allow_plex_list_all_dirs on

That enables the Plex listings, from what I gather.

I also found this:

It looks like the whole page has a walkthrough for accomplishing what you need.

Regarding SABnzbd:

audit2allow -alrM nzbdrone && semodule -i nzbdrone.pp

Not sure how reliable. From here:

Good luck.

Hammerhead_Corvette · February 4, 2019, 4:21pm

You might have to write your own SELinux policy modules (which would be cool) for these. I haven’t found anything aside from disabling SELinux. You could be the first !

Novasty · February 4, 2019, 8:06pm

On cockpit, there is a SELinux add-on that will tell you what SELinux commands need to be ran to allow the services you are trying to run.

Hammerhead_Corvette · February 4, 2019, 8:47pm

very nice

Baz · February 6, 2019, 9:19am

Don’t forget there’s also the sesandbox feature, just a thought.

Custom modules might get erased over time when an update is installed, so when you have a working module, save the .pp somewhere if you need to reapply it/them in the future.

BookrV · February 6, 2019, 12:39pm

I have the same problem with SELinux and Docker which I need to get both working. Disabling SELinux also works, but an own rule would be preferable but I have no experience in that regard.

But if we throw our brain powers together we should be able to tacke this

Hammerhead_Corvette · February 6, 2019, 7:32pm

@Baz ! We need you to do another video on policycoreutils sandbox.

oO.o · February 7, 2019, 3:02am

I believe the packages for this are:

cockpit-selinux setroubleshoot-server

In theory, the output should essentially tell you what to put into your custom module.

Baz · February 7, 2019, 4:03am

K I’ll share what I know, that one vid was just a crappy intro lol, forgot I ever did it.

SinfulMoose · February 7, 2019, 5:14am

The cockpit add-on is awesome. Also it doesn’t hurt to set things to permissive so that events are logged, before going full-bore into enforcing. I believe if you have the policy core audit utils package installed, events get logged to /var/log/messages (in rhel7/centos7), and if I remember correctly, the logging is actually pretty good. “ls -z” is also going to become your friend

SinfulMoose · February 7, 2019, 5:17am

Exactly. I believe this is also the same info that gets sent to the logs as selinux audit events in /var/log/messages the messages will actually give you what you need to build the contexts, including help url’s etc.

Baz · February 8, 2019, 5:38pm

Ok finally got some time on my hands…
So what are you wanting to setup exactly? The docker service itself runs in its own type domain and so does cockpit; container_runtime_t & cockpit_ws_t.
Cool.
But this part confuses me:

Do you want to run them as independent services or what do you need Docker for?
All of those can be run in Docker containers, and Docker isolates the subprocesses using type enforcement and/or MCS ranges, so SELinux already have you covered, no?

This happens when I fire up an example Debian instance and do a ps

system_u:system_r:container_runtime_t:s0 root 20462 0.0 0.0 696052 2832 ? Sl 19:45 0:00 /usr/libexec/docker/docker-co
system_u:system_r:container_t:s0:c367,c803 root 20480 0.0 0.0 18128 3188 pts/1 Ss+ 19:45 0:00 bash

So there you see that the docker process is running in the ‘container_runtime_t’ domain, and the subprocess’ type-enforcement type is ‘container_t’ with a random MCS range from 367 to 803.

Everything is sandboxed by default.

LinuxMaster9 · February 8, 2019, 11:12pm

I quit using Docker. I determined it was better for me to run them outside of docker. The software wasnt able to access the files so… yeah.

I just want to have my media server software accessed over VPN. I have a bonded/teamed group of 4 Gig NICs that I want to use for VPN.

Baz · February 9, 2019, 7:47am

I see.
Well one idea is, since there’s no custom profiles for those services that we know of, to make use of RBAC and confine the user who’s running them.

usermod -Z user_u ‘username’

Log out and back in

That’s just another layer limiting user actions.
I’m not sure if you’re allowed to run webapps in a user_u domain (there are others, iirc webadm and such), but that domain has no way to escalate privileges at least.
Also, you could kick things up a notch and polyinstantiate tmp dirs.

Anywho gotta look back into the type domains when I’ve got more time, currently in the middle of a move, I’ll get back at ya next week, or possibly on Sunday.

Edit: Oh and a side note, disabling selinux is horrible advice. You should turn it into permissive instead. And not globally either, you can run single processes in permissive mode.
Selinux isn’t hard at all once you understand how it functions, some people just don’t rtfm.