medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

structure updates

Browse Source
This commit is contained in:
Whisker Jones
2024-05-01 12:28:44 -06:00
parent a689e58eea
commit aeba9bdb34
461 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
tech_docs/linux/SELinux.md Normal file
View File

@@ -0,0 +1,206 @@
Certainly! Let's dive deeper into the technical details of setting up SSH tunnels, configuring SELinux, and troubleshooting common issues.
SSH Tunneling:
- SSH tunneling works by forwarding a specified local port to a remote host and port through an encrypted SSH connection.
- The SSH client listens on the local port, encrypts the traffic, and sends it to the SSH server, which decrypts it and forwards it to the specified remote host and port.
- To create an SSH tunnel, use the `-L` option with the `ssh` command:
```
ssh -L local_port:remote_host:remote_port user@ssh_server
```
- For a persistent SSH tunnel, create a systemd service unit file with the appropriate `ExecStart` and `ExecStop` directives.
- Use the `-N` option to prevent the execution of a remote command and `-T` to disable pseudo-terminal allocation for the tunneling service.
SELinux Configuration:
- SELinux uses a combination of users, roles, types, and levels to enforce access control policies.
- Files and processes are assigned SELinux contexts, which define their security attributes.
- To view the SELinux context of a file, use the `-Z` option with `ls`:
```
ls -Z /path/to/file
```
- To change the SELinux context of a file, use the `chcon` command:
```
chcon -t type_t /path/to/file
```
- To make SELinux context changes persistent across relabeling, use the `semanage fcontext` command:
```
semanage fcontext -a -t type_t /path/to/file
restorecon -v /path/to/file
```
- SELinux policies define rules that allow or deny access based on the types assigned to processes and files.
- To see the current SELinux policy module, use:
```
semodule -l
```
Certainly! Here's a comprehensive document that combines all the information we've discussed so far, with added depth and context:
# Setting Up SSH Tunnels with SELinux and Systemd
SSH tunneling is a powerful technique that allows you to securely access network services running on a remote machine. By encrypting traffic and forwarding ports through an SSH connection, you can protect sensitive data and bypass firewall restrictions. In this guide, we'll walk through the process of setting up an SSH tunnel as a systemd service and configuring SELinux to allow its operation.
## Prerequisites
- Two machines running Linux (e.g., CentOS, Ubuntu) with systemd
- SSH server running on the remote machine
- SSH client installed on the local machine
## Step 1: Create a Dedicated User Account (Optional)
For enhanced security, it's recommended to create a dedicated user account on the remote machine specifically for the SSH tunnel. This limits the potential impact if the tunnel is compromised.
## Step 2: Set Up SSH Key-Based Authentication
1. Generate an SSH key pair on the local machine using the `ssh-keygen` command.
2. Copy the public key to the remote machine using the `ssh-copy-id` command:
```
ssh-copy-id user@remote-host
```
## Step 3: Create a Systemd Service Unit File
1. Create a new file with a `.service` extension (e.g., `ssh-tunnel.service`) in the `/etc/systemd/system/` directory on the local machine.
2. Add the following content to the file:
```
[Unit]
Description=SSH Tunnel Service
After=network.target
[Service]
User=your_username
ExecStart=/usr/bin/ssh -NT -L local_port:remote_host:remote_port user@remote-host
ExecStop=/usr/bin/pkill -f "ssh -NT -L local_port:remote_host:remote_port"
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
```
Replace `your_username`, `local_port`, `remote_host`, `remote_port`, and `user@remote-host` with the appropriate values for your setup.
## Step 4: Configure SELinux
SELinux is a security framework that enforces access control policies on Linux systems. To allow the SSH tunnel service to function properly, you may need to adjust SELinux contexts and policies.
1. Change the SELinux context of the socket file (if applicable):
- If the socket file is located in a user's home directory (e.g., `/home/user/ssh_socket`), change its context to a type accessible by the SSH service, such as `ssh_home_t`:
```
chcon -t ssh_home_t /home/user/ssh_socket
semanage fcontext -a -t ssh_home_t /home/user/ssh_socket
restorecon -v /home/user/ssh_socket
```
2. Allow the SSH service to access the necessary ports:
- Use the `semanage port` command to add the local and remote ports to the SELinux policy:
```
semanage port -a -t ssh_port_t -p tcp local_port
semanage port -a -t ssh_port_t -p tcp remote_port
```
3. If SELinux denials persist, use troubleshooting tools to generate and apply policy modules:
- Install the `setroubleshoot` and `policycoreutils-python-utils` packages if not already installed.
- Check the SELinux audit log for denied access attempts:
```
ausearch -m AVC,USER_AVC -ts recent | grep ssh
```
- Use `audit2allow` or `audit2why` to analyze the denials and generate policy modules:
```
audit2allow -a -M ssh_tunnel
semodule -i ssh_tunnel.pp
```
## Step 5: Start and Enable the SSH Tunnel Service
1. Reload the systemd manager configuration:
```
sudo systemctl daemon-reload
```
2. Start the SSH tunnel service:
```
sudo systemctl start ssh-tunnel.service
```
3. Enable the service to start automatically at boot:
```
sudo systemctl enable ssh-tunnel.service
```
4. Check the status of the service:
```
sudo systemctl status ssh-tunnel.service
```
## Troubleshooting
If you encounter issues with the SSH tunnel service, follow these troubleshooting steps:
1. Check the status of the SSH tunnel service:
```
systemctl status ssh-tunnel.service
```
- If the service is not running or in a failed state, proceed to step 2.
- If the service is running but not functioning as expected, proceed to step 3.
2. Review the systemd unit file for the SSH tunnel service:
- Ensure that the `ExecStart` and `ExecStop` directives are correctly specified with the appropriate SSH command and options.
- Verify that the specified local port, remote host, remote port, and user credentials are correct.
- If any errors are found, fix them and restart the service using `systemctl restart ssh-tunnel.service`.
3. Verify that the SSH client can connect to the SSH server:
- Use the `ssh` command to manually test the connection:
```
ssh -p <ssh_port> user@ssh_server
```
- If the connection fails, check the SSH server logs (e.g., `/var/log/secure` or `/var/log/auth.log`) for any authentication or connection issues.
- Ensure that the SSH server is running and accessible through the firewall.
4. Check the SELinux audit log for any denied access attempts related to the SSH tunnel service:
```
ausearch -m AVC,USER_AVC -ts recent | grep ssh
```
- If any denials are found, use `audit2why` or `setroubleshoot` to analyze them and generate policy modules if needed.
- Apply the generated policy modules using `semodule -i <module_name>.pp` and restart the SSH tunnel service.
5. Verify that the necessary ports are allowed through the firewall on both the client and server:
- Check the firewall rules using tools like `iptables -L`, `firewall-cmd --list-all`, or `ufw status`, depending on your firewall management tool.
- Ensure that the SSH port and the local/remote ports used for the SSH tunnel are allowed through the firewall.
6. Test the SSH tunnel manually using the `ssh` command:
```
ssh -L local_port:remote_host:remote_port user@ssh_server
```
- If the tunnel establishes successfully, the issue might be specific to the systemd unit configuration.
- Double-check the systemd unit file for any discrepancies or typos.
By following this guide and the troubleshooting steps, you should be able to set up a reliable SSH tunnel service with SELinux and systemd. Remember to consult the relevant documentation, man pages, and online resources for more in-depth information on SSH, SELinux, and systemd.
If you have any further questions or need assistance with specific scenarios, don't hesitate to reach out for help!
---
SELinux Troubleshooting:
- When SELinux denies access, it logs the denial in the audit log, typically located at `/var/log/audit/audit.log`.
- Use the `ausearch` command to search the audit log for SELinux denials:
```
ausearch -m AVC,USER_AVC -ts recent
```
- The `audit2allow` tool can generate SELinux policy modules to allow denied access based on the audit log:
```
audit2allow -a -M my_module
semodule -i my_module.pp
```
- The `audit2why` tool provides a more user-friendly explanation of SELinux denials:
```
audit2why < /var/log/audit/audit.log
```
- The `setroubleshoot` package, if installed, provides additional guidance and suggestions for resolving SELinux issues.
Troubleshooting Steps:
1. Check the status of the SSH tunnel service:
```
systemctl status ssh-tunnel.service
```
2. Review the SSH server logs for any authentication or connection issues.
3. Verify that the SSH client can connect to the SSH server using the appropriate credentials and key.
4. Check the SELinux audit log for any denied access attempts related to the SSH tunnel service.
5. Use `audit2why` or `setroubleshoot` to analyze SELinux denials and generate policy modules if needed.
6. Ensure that the necessary ports are allowed through the firewall on both the client and server.
7. Verify that the SSH tunnel configuration in the systemd unit file is correct, including the local port, remote host, remote port, and user credentials.
8. Test the SSH tunnel manually using the `ssh` command to isolate any issues specific to the systemd unit configuration.
Remember to consult the relevant documentation, man pages, and online resources for more in-depth information on SSH, SELinux, and systemd.
If you have any specific questions or need further clarification on any of the technical aspects, feel free to ask!