SELinux
Procfs
To protect the system against memory dumps, access to /proc must be limited as much as possible. This directory contains a pseudo-filesystem that provides an interface to kernel data structures<sup>[1]</sup>.
Some basic tests show that SELinux already defines a protection against non-owned processes: a user, even if escalated to root, cannot access root's processes because of SELinux labels. Further investigation should be done during the SELinux implementation in BoxOS to check whether the default policy already covers this or whether it must be hardened to protect the desired use case.
Another easy-to-implement protection for procfs against non-privileged users is mounting proc with the **hidepid flag** set to 1 or 2. In this way, a non-privileged user can only list and view its own PIDs.
Intro to SELinux
SELinux can work in two modes: permissive or enforcing.
In permissive mode, it only logs the denials that enforcing mode would block.
Permissive mode is good for debugging, but a SELinux system must run in enforcing mode.
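A small POSIX shell check for the two controls described above (the hidepid mount option on /proc and the SELinux mode in /etc/selinux/config), added here as an example and not part of the original notes. It parses constructed copies of /proc/self/mounts and /etc/selinux/config so it runs on any host; the two function names are assumptions of this example.

```shell
#!/bin/sh
# Audit helper for the two controls discussed above:
#   1. /proc mounted with hidepid=1 or hidepid=2
#   2. SELinux configured for enforcing mode in /etc/selinux/config
# Both functions take file contents as a string so they can be run
# against the constructed samples below or against the real files.

# proc_hidepid_level MOUNTS_TEXT
# Prints the hidepid level of the proc mount: 0 when unset or when no
# proc mount is present, 1 for hidepid=1/noaccess, 2 for hidepid=2/invisible.
proc_hidepid_level() {
    level=$(printf '%s\n' "$1" | awk '
        $3 == "proc" {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) {
                    sub(/^hidepid=/, "", opts[i])
                    # newer kernels accept symbolic names for the levels
                    if (opts[i] == "noaccess") opts[i] = 1
                    else if (opts[i] == "invisible") opts[i] = 2
                    found = opts[i]
                }
            }
            print found
            exit
        }')
    printf '%s\n' "${level:-0}"
}

# selinux_config_mode CONFIG_TEXT
# Prints the SELINUX= value from an /etc/selinux/config body
# (enforcing, permissive or disabled); "disabled" when the key is absent.
selinux_config_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${mode:-disabled}"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

echo "hidepid level: $(proc_hidepid_level "$SAMPLE_MOUNTS")"   # 2
echo "SELinux mode:  $(selinux_config_mode "$SAMPLE_CONFIG")"  # permissive
# On a live host: proc_hidepid_level "$(cat /proc/self/mounts)"
#                 selinux_config_mode "$(cat /etc/selinux/config)"
```

A result of 0 from the first function or anything other than enforcing from the second means the corresponding hardening step is still missing.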
CHEATSHEET
--- INFO DISCOVERY
sestatus - Get SELinux status
setenforce {0|1} - Set SELinux to permissive (0) or enforcing (1) until the next reboot
semanage login -l / semanage user -l - List all users mapped to a SELinux user
id -Z - Get the SELinux context of the current user
semanage boolean -l - List all booleans in SELinux
--- EDITING
semanage login -a -s user_u confined_user - Map an existing Linux user to a specific SELinux user
--- PERMISSION ERROR COMMANDS
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent -i - Ask auditd for recent permission errors
journalctl -t setroubleshootd - Only if you have setroubleshootd installed
audit2why -la - Explain why the denials logged since the last policy reload happened
audit2allow -a - Generate allow rules from the denials in the audit log
audit2allow -R - Generate the policy using the already existing interfaces (if the selinux-policy-dev package is installed)
--- VARIOUS
touch /.autorelabel - Request an autorelabel on next reboot
Useful resources
- /etc/selinux/config: configures the SELinux mode
- Docker and SELinux - MLS + MCS
Notes
[1] proc(5) - man
