Creating Confined Users in SELinux

Hands-On Lab

 

Bob Salmans

Security Training Architect I in Content

Length

00:30:00

Difficulty

Intermediate

In this lab, we'll create an SELinux confined user by mapping an SELinux user to a Linux user. Confined users let us impose restrictions on users to help protect our systems.

Solution

  1. Begin by logging in to the lab server using the credentials provided on the hands-on lab page:

    ssh cloud_user@PUBLIC_IP_ADDRESS
  2. Become the root user:

    sudo su

Map Linux users jhalpert and pbeesley to SELinux users

  1. Map Linux user jhalpert to SELinux user user_u:

    semanage login -a -s user_u jhalpert
  2. Map Linux user pbeesley to SELinux user staff_u:

    semanage login -a -s staff_u pbeesley
  3. Check the user mappings:

    semanage login -l
    • We can see our Linux users successfully mapped to the assigned SELinux users.

Ensure the SELinux user xguest cannot mount media

  1. Check SELinux booleans for "xguest":

    getsebool -a | grep xguest
    • We see "xguest_mount_media" is an option and it is enabled, so let's disable it.
  2. Disable SELinux boolean "xguest_mount_media":

    setsebool -P xguest_mount_media off
  3. Check to make sure our changes were successful:

    getsebool -a | grep xguest
    • We can see our change was successful.

Put SELinux into enforcing mode and ensure that setting is persistent

  1. Check SELinux state:

    getenforce
    • It is in permissive mode, so we need to change it to enforcing mode.
  2. Put SELinux into enforcing mode:

    setenforce 1  
  3. Check to make sure SELinux is now in enforcing mode:

    getenforce
    • We can see our change worked and SELinux is now in enforcing mode.
  4. Ensure SELinux boots into enforcing mode:

    vi /etc/selinux/config
    • Set the SELINUX line in this file to:

    SELINUX=enforcing
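
To check the end state of the steps above in one pass, the following added example (not part of the original lab) parses the output of `semanage login -l`, `getsebool -a` and the contents of `/etc/selinux/config`. The function names and the sample outputs are constructed for illustration.

```bash
#!/bin/bash
# Added example (not part of the lab): parse the output of the lab's check
# commands. Each function reads stdin, e.g. on a real host:
#   semanage login -l | mapped_selinux_user jhalpert

# SELinux user for a Linux login; falls back to the __default__ mapping.
mapped_selinux_user() {
    awk -v login="$1" '
        $1 == login         { found = $2 }
        $1 == "__default__" { dflt = $2 }
        END { print (found != "" ? found : dflt) }'
}

# on/off state of one boolean in `getsebool -a` output.
boolean_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3 }'
}

# Value of the first uncommented SELINUX= line in /etc/selinux/config content.
persistent_mode() {
    awk -F= '/^SELINUX=/ { gsub(/[ \t\r]/, "", $2); print $2; exit }'
}

# Succeeds only if runtime mode ($1, from getenforce) and the config on stdin
# are both enforcing; setenforce 1 alone is lost at reboot.
enforcing_persists() {
    [ "$1" = "Enforcing" ] && [ "$(persistent_mode)" = "enforcing" ]
}

# Constructed sample outputs, shaped like the real commands' output.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
jhalpert             user_u               s0                   *
pbeesley             staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'
SAMPLE_BOOLS='xguest_connect_network --> on
xguest_mount_media --> off
xguest_use_bluetooth --> on'
SAMPLE_CONFIG='# SELINUX= can take one of these three values:
SELINUX=permissive
SELINUXTYPE=targeted'

echo "jhalpert -> $(printf '%s\n' "$SAMPLE_LOGINS" | mapped_selinux_user jhalpert)"
echo "xguest_mount_media = $(printf '%s\n' "$SAMPLE_BOOLS" | boolean_state xguest_mount_media)"
if printf '%s\n' "$SAMPLE_CONFIG" | enforcing_persists Enforcing; then
    echo "enforcing now and after reboot"
else
    echo "runtime/persistent mismatch: edit /etc/selinux/config"
fi
```

The sample config deliberately still says permissive, so the last check reports the mismatch that step 4 fixes.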

Conclusion

Congratulations — you've completed this hands-on lab!