Create a non-base policy template for SELinux

People using SELinux sometimes run into the following: an application running with one security context type tries to access a resource labelled with another type, and SELinux denies the access even though the file mode is 777 and the owner:group has been changed. The DAC permission bits are checked first, but the mandatory SELinux policy is checked afterwards and has the final say.

Let's take the following example: the vsftpd daemon needs to read index.html, which belongs to the httpd daemon and is labelled with the httpd_sys_content_t type.

root# ls -Z
-rw-r--r-- userA userA user_u:object_r:httpd_sys_content_t index.html

If you look in the audit log (/var/log/audit/audit.log by default) you will find something similar to the following:

root# tail audit.log
type=AVC msg=audit(1297255596.902:49856): avc: denied { search } for pid=4830 comm="vsftpd" name="html" dev=dm-0 ino=13668059 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir

At this stage you can use audit2allow to help you create the vsftpd.te file: feed it the log (or use -a to read all audit logs) and it prints the allow rule the denial needs. With -m vsftpd it prints a complete module including the require block, and -M vsftpd also compiles and packages it.

root# audit2allow < audit.log
#============= ftpd_t ==============
allow ftpd_t httpd_sys_content_t:dir search;

Below is a more complete vsftpd.te that allows ftpd_t to read, write, create and delete files and directories of type httpd_sys_content_t, system wide. Be aware that this is broad: every httpd_sys_content_t file on the host becomes writable by vsftpd. If only one tree needs to be shared, relabelling it with public_content_rw_t (a type both daemons can read, and write once the corresponding anon_write booleans are on) is the smaller change.

module vsftpd 1.0;

require {
type ftpd_t;
type httpd_sys_content_t;
class dir { read write search getattr add_name remove_name create rmdir};
class file { lock read write getattr create append unlink rename};
}

#============= ftpd_t ==============
allow ftpd_t httpd_sys_content_t:dir { read write search getattr add_name remove_name create rmdir};
allow ftpd_t httpd_sys_content_t:file { lock read write getattr create append unlink rename};

Now that we have the vsftpd.te file we need to compile it into a binary module (.mod), package it into a policy package (.pp) and finally load it. Afterwards, list the loaded modules with semodule -l to confirm it is there and re-test the access; if a further denial appears for another permission, add it to the rules and rebuild.

root# checkmodule -M -m -o vsftpd.mod vsftpd.te
checkmodule: loading policy configuration from vsftpd.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to vsftpd.mod
root# semodule_package -o vsftpd.pp -m vsftpd.mod
root# semodule -i vsftpd.pp

Or, if you are a lazy admin like me, use the following script: create the vsftpd.te file and run the script with the module name (without the .te suffix) as its argument.

#!/bin/bash
# Build and load a non-base SELinux policy module from MODNAME.te
MODNAME=$1   # no space around "=": "MODNAME= $1" would run $1 as a command with MODNAME empty
if [ -z "$MODNAME" ] || [ ! -f "${MODNAME}.te" ]; then
        echo "Couldn't find the ${MODNAME}.te non-base policy module (usage: $0 MODNAME)" >&2
        exit 1
fi
# .te -> .mod (binary module)
if ! checkmodule -M -m -o "${MODNAME}.mod" "${MODNAME}.te"; then
        echo "Error processing ${MODNAME}.te" >&2
        exit 1
fi
# .mod -> .pp (policy package)
if ! semodule_package -o "${MODNAME}.pp" -m "${MODNAME}.mod"; then
        echo "Error creating policy module package ${MODNAME}.pp" >&2
        exit 1
fi
# load the package into the running policy
if ! semodule -i "${MODNAME}.pp"; then
        echo "Error installing policy module ${MODNAME}.pp" >&2
        exit 1
fi
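The allow rules audit2allow prints follow directly from the fields of the AVC record: the type field of scontext becomes the source, the type field of tcontext the target, tclass the object class and the words inside the braces the permission set, merged into one rule per (source, target, class). The script below is an added example, not part of the original post and not the real audit2allow; it does that mapping in awk and wraps the result in the module header and require block a .te file needs, so the structure of the generated module is visible. The sample denials it carries are constructed (the first is the one from the log above, the second is made up for a file access), and avc2te.sh, avc_normalize and avc_to_te are names chosen here.

```shell
#!/bin/bash
# avc2te.sh: added example, not from the original post and not a replacement
# for audit2allow. Turns AVC denial lines into a complete .te module so the
# mapping from scontext/tcontext/tclass/permissions to policy rules is visible.
#
#   grep 'type=AVC' /var/log/audit/audit.log | ./avc2te.sh vsftpd > vsftpd.te

# Constructed sample: the denial from the post, a made-up file denial and a
# non-AVC record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1297255596.902:49856): avc:  denied  { search } for  pid=4830 comm="vsftpd" name="html" dev=dm-0 ino=13668059 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1297255597.100:49857): avc:  denied  { read getattr } for  pid=4830 comm="vsftpd" name="index.html" dev=dm-0 ino=13668060 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1297255597.100:49857): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd"'

# avc_normalize: AVC lines on stdin -> one "src_type tgt_type class perm"
# line per denied permission, sorted and de-duplicated.
avc_normalize() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        # the permission list is the text between the braces
        lb = index($0, "{"); rb = index($0, "}")
        perms = substr($0, lb + 1, rb - lb - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1) src = substr($i, 10)
            else if (index($i, "tcontext=") == 1) tgt = substr($i, 10)
            else if (index($i, "tclass=") == 1) cls = substr($i, 8)
        }
        # a context is user:role:type[:level]; rules are written on the type
        split(src, s, ":"); split(tgt, t, ":")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s[3], t[3], cls, p[j]
    }' | sort -u
}

# fmt_perms: "a b" -> "{ a b }"; a single permission stays bare, as audit2allow prints it.
fmt_perms() {
    case $1 in
        *" "*) printf '{ %s }' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# avc_to_te MODNAME: AVC lines on stdin -> complete .te on stdout.
# Returns 1 (and prints nothing) when the input holds no denial.
avc_to_te() {
    local modname=$1 norm
    norm=$(avc_normalize)
    [ -n "$norm" ] || return 1

    printf 'module %s 1.0;\n\nrequire {\n' "$modname"
    # every type that appears as source or target
    printf '%s\n' "$norm" | awk '{ print $1; print $2 }' | sort -u |
        while read -r t; do printf '\ttype %s;\n' "$t"; done
    # every class with the union of the permissions used on it
    printf '%s\n' "$norm" | awk '
        !seen[$3, $4]++ { perms[$3] = (perms[$3] == "" ? $4 : perms[$3] " " $4) }
        END { for (c in perms) print c, perms[c] }' | sort |
        while read -r cls perms; do printf '\tclass %s %s;\n' "$cls" "$(fmt_perms "$perms")"; done
    printf '}\n\n'
    # one allow rule per (source, target, class) with the permissions merged
    printf '%s\n' "$norm" | awk '
        { k = $1 " " $2 ":" $3
          perms[k] = (perms[k] == "" ? $4 : perms[k] " " $4)
          if (!(k in order)) order[k] = ++n }
        END { for (k in order) print order[k], k, perms[k] }' | sort -n |
        while read -r idx src tgtcls perms; do
            printf 'allow %s %s %s;\n' "$src" "$tgtcls" "$(fmt_perms "$perms")"
        done
}

# --demo runs on the constructed sample; a module name reads denials from
# stdin; no argument only defines the functions (so the file can be sourced).
case ${1-} in
    --demo) printf '%s\n' "$SAMPLE_AVC" | avc_to_te vsftpd ;;
    "")     : ;;
    *)      avc_to_te "$1" ;;
esac
```

Run it with --demo and the output is a module with two require types, a class dir search and a class file { getattr read } line, and two allow rules, exactly the shape of the hand-written vsftpd.te above; the point of the exercise is that every rule traces back to a specific denial, which is also how to review a module someone else hands you.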

Cisco ASA site-to-site VPN

Recently I needed to create a site-to-site VPN to interconnect two remote sites for a client and chose the Cisco ASA5505 to do so. Being my first time using this device I was drawn to the beautiful ASDM, complete with a wizard to create the site-to-site VPN; it was too good to be true. For unexplained reasons the configuration produced by the wizard failed; I tried multiple times, did a full reset on the ASA and nothing, I couldn't get it to work. What next? The good old console cable and some reading got me on the right track.
Below are some tips/steps/guidelines, call them whatever you like, that I use to create the site-to-site VPN (Cisco sometimes calls it LAN-to-LAN, L2L):
– Create an access-list that defines the traffic to encrypt (the "interesting traffic"; it must be the mirror image of the one on the other side)
– Exempt that traffic from NAT on the inside interface, otherwise the packets never match the crypto ACL
– Create the Phase 2 configuration: transform set and crypto map
– Create the Phase 1 configuration (ISAKMP policy)
– Define the tunnel group with the pre-shared key
– Tweaks: NAT traversal and letting VPN traffic bypass the interface ACLs
– Verify: show crypto isakmp sa should list the peer in state MM_ACTIVE, and the encaps/decaps counters in show crypto ipsec sa should increase once traffic flows

Sample configuration

For the example I'll use the following network layout; the public interface is named outside and the internal one inside. Two things to check before copying it: the nat (inside) 0 access-list form is the pre-8.3 NAT-exemption syntax (ASA 8.3 and later use nat (inside,outside) source static with network objects instead), and the crypto choices below are dated, since DH group 1 (768-bit MODP) and SHA-1 are weak by current standards; use at least group 2, preferably group 14 and a SHA-2 HMAC where both ends support them, and keep the pre-shared key long and random because it is the only thing authenticating the peer.
Site A: London
Public IP: 1.1.1.1
Private network: 192.168.1.0 mask 255.255.255.0
Site B: Manchester
Public IP: 2.2.2.2
Private network: 192.168.2.0 mask 255.255.255.0
Pre-shared Key: MY-PRE-SHARED-KEY

London ASA configuration


!---Access list to identify the site-to-site traffic to encrypt (mirror of the one on the other side)
access-list ACL_CM_LondontoManchester extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!---Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!---Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT

!---Phase 2 Configuration of IPSec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!---IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_LondontoManchester
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 2.2.2.2
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!---apply crypto map to outside interface
crypto map CM_outside interface outside

!---Enable Phase 1 isakmp to public interface
crypto isakmp enable outside
!---Phase 1 Configuration
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
exit

!---NAT-T configuration (keepalive every 50 seconds)
crypto isakmp nat-traversal 50
!---Allow IPsec tunnel traffic to bypass ACLs
sysopt connection permit-vpn

!---Define tunnel group
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key MY-PRE-SHARED-KEY
exit

Manchester ASA configuration

!---Access list to identify the site-to-site traffic to encrypt (mirror of the one on the other side)
access-list ACL_CM_ManchestertoLondon extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!---Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!---Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT

!---Phase 2 Configuration of IPSec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!---IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_ManchestertoLondon
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 1.1.1.1
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!---apply crypto map to outside interface
crypto map CM_outside interface outside

!---Enable Phase 1 isakmp to public interface
crypto isakmp enable outside
!---Phase 1 Configuration
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
exit

!---NAT-T configuration (keepalive every 50 seconds)
crypto isakmp nat-traversal 50
!---Allow IPsec tunnel traffic to bypass ACLs
sysopt connection permit-vpn

!---Define tunnel group
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key MY-PRE-SHARED-KEY
exit

Here is my automated ASA site-to-site VPN config tool

Find and execute

I use this command quite often to set the permissions on many files or directories recursively inside a directory tree. Below are a couple of sample commands: the first changes the permissions of files only, the second of directories only.

The base command is

user$ find ./ -type _x_ -execdir _command_ {} +
argument list:
./ - the current directory (the starting point of the search).
-type _x_ - what to look for; replace _x_ with d for directories, f for files, l for symbolic links (more in the man page of the find command).
-execdir _command_ - the command and its arguments to run on each match, executed from the directory the match lives in, so the command sees it as ./name rather than a full path. This is the safer of the two forms, because the path is not re-resolved by the spawned command.
{} + - find substitutes the matched files for {} and packs as many as fit on one command line, so _command_ runs once per batch rather than once per file (use {} \; instead if it must run once per file).

The first example sets the permissions to rw-r--r-- (644) on every file inside the directory tree.

user$ find ./ -type f -execdir chmod 644 {} +

The second sets rwxr-xr-x (755) on every directory in the tree. It does not touch files, so the two commands are independent and can be run in either order.

user$ find ./ -type d -execdir chmod 755 {} +

Now imagine that you want to list all the symbolic links together with their targets

user$ find ./ -type l -exec file {} +

NOTE: this time I'm using -exec and not -execdir, because I want to see the path relative to where I run the command. With GNU find the -printf action with %p and %l prints the same path and target listing without spawning file at all.
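As an added example (not from the original post), the two chmod commands are wrapped in a function here and paired with a check based on find -perm, so the tree can be counted before and after the change instead of trusting that it worked. The sample tree is constructed in a temporary directory with deliberately wrong modes; fix_tree_perms, count_wrong_perms and make_sample_tree are names chosen here.

```shell
#!/bin/bash
# Added example, not from the original post: apply the two chmod commands to a
# tree with -execdir and verify the result with find -perm.

# fix_tree_perms DIR: files to 644, directories to 755. -execdir runs chmod
# from each match's own directory on "./name", and "{} +" batches the
# arguments so chmod runs a handful of times instead of once per entry.
fix_tree_perms() {
    find "$1" -type f -execdir chmod 644 {} +
    find "$1" -type d -execdir chmod 755 {} +
}

# count_wrong_perms DIR: number of files whose mode is not exactly 644 plus
# directories whose mode is not exactly 755 (0 means the tree is as wanted).
count_wrong_perms() {
    {
        find "$1" -type f ! -perm 644
        find "$1" -type d ! -perm 755
    } | wc -l | tr -d ' '
}

# make_sample_tree: build a throw-away tree with deliberately wrong modes
# (constructed data) and print its path. The caller removes it.
make_sample_tree() {
    local root
    root=$(mktemp -d)                        # mktemp -d creates it mode 700
    mkdir -p "$root/site/html" "$root/site/cgi-bin"
    : > "$root/site/html/index.html"
    : > "$root/site/cgi-bin/upload.cgi"
    chmod 777 "$root/site/html/index.html"   # world-writable web content
    chmod 600 "$root/site/cgi-bin/upload.cgi"
    chmod 700 "$root/site/cgi-bin"
    printf '%s\n' "$root"
}

# With --demo, show the counts before and after on the constructed tree.
if [ "${1-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "wrong before: $(count_wrong_perms "$root")"
    fix_tree_perms "$root"
    echo "wrong after:  $(count_wrong_perms "$root")"
    rm -rf "$root"
fi
```

The same count_wrong_perms check, run before any chmod, is a cheap way to see how far a tree has drifted before deciding to blanket-fix it, and a non-zero count after the fix usually means a file appeared while the commands were running.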

Posted in KB

Search and replace from shell using perl

Perform a search and replace inside files using perl and a regular expression. You need perl installed (Windows or Linux).

user$ perl -pi -w -e 's/search_string/replace_string/g;' file_pattern
-p assume a loop around the program and print each line after it runs, like sed
-i edit the files in place; give it a suffix (-pi.bak) to keep a backup of each original, which is worth doing before a run over many files
-w enable many useful warnings (RECOMMENDED)
-e one line of program (several -e's allowed, omit the program file)
The expression must be a substitution, s/.../.../g; a bare /.../ is only a match and replaces nothing. To run it over a whole directory tree, combine it with the find -exec form from the previous post.

Use netcat to dump incoming packets

Use netcat on Linux to start a listener on a port and dump whatever the connecting client sends. Note that nc shows the payload of the TCP stream, not packet headers; use tcpdump if you need those.

user$ nc -l -p port
-l Is used to specify that nc should listen for an incoming connection rather than initiate one. Any hostname/IP address and port arguments restrict the source of inbound connections to only that address and source port.
-p Specifies the source port nc should use, subject to privilege restrictions and availability (ports below 1024 need root).
This is the traditional netcat syntax; the OpenBSD nc shipped by default on many current distributions takes the port as a positional argument (nc -l port) and may refuse -l together with -p. Redirect stdout to a file to keep the dump. The listener handles one connection and then exits, and anyone who can reach the port can connect to it, so bind it to a specific address or firewall it when the box is not a throwaway lab machine.