medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
the_information_nexus/tech_docs/linux/SELinux.md
Whisker Jones aeba9bdb34 structure updates
2024-05-01 12:28:44 -06:00

9.8 KiB
Raw Permalink Blame History

Certainly! Let's dive deeper into the technical details of setting up SSH tunnels, configuring SELinux, and troubleshooting common issues.

SSH Tunneling:

  • SSH tunneling works by forwarding a specified local port to a remote host and port through an encrypted SSH connection.
  • The SSH client listens on the local port, encrypts the traffic, and sends it to the SSH server, which decrypts it and forwards it to the specified remote host and port.
  • To create an SSH tunnel, use the -L option with the ssh command: 
    ssh -L local_port:remote_host:remote_port user@ssh_server
  • For a persistent SSH tunnel, create a systemd service unit file with the appropriate ExecStart and ExecStop directives.
  • Use the -N option to prevent the execution of a remote command and -T to disable pseudo-terminal allocation for the tunneling service.

SELinux Configuration:

  • SELinux uses a combination of users, roles, types, and levels to enforce access control policies.
  • Files and processes are assigned SELinux contexts, which define their security attributes.
  • To view the SELinux context of a file, use the -Z option with ls: 
    ls -Z /path/to/file
  • To change the SELinux context of a file, use the chcon command: 
    chcon -t type_t /path/to/file
  • To make SELinux context changes persistent across relabeling, use the semanage fcontext command: 
    semanage fcontext -a -t type_t /path/to/file
restorecon -v /path/to/file
  • SELinux policies define rules that allow or deny access based on the types assigned to processes and files.
  • To see the current SELinux policy module, use: 
    semodule -l

Certainly! Here's a comprehensive document that combines all the information we've discussed so far, with added depth and context:

Setting Up SSH Tunnels with SELinux and Systemd

SSH tunneling is a powerful technique that allows you to securely access network services running on a remote machine. By encrypting traffic and forwarding ports through an SSH connection, you can protect sensitive data and bypass firewall restrictions. In this guide, we'll walk through the process of setting up an SSH tunnel as a systemd service and configuring SELinux to allow its operation.

Prerequisites

  • Two machines running Linux (e.g., CentOS, Ubuntu) with systemd
  • SSH server running on the remote machine
  • SSH client installed on the local machine

Step 1: Create a Dedicated User Account (Optional)

For enhanced security, it's recommended to create a dedicated user account on the remote machine specifically for the SSH tunnel. This limits the potential impact if the tunnel is compromised.

Step 2: Set Up SSH Key-Based Authentication

  1. Generate an SSH key pair on the local machine using the ssh-keygen command.
  2. Copy the public key to the remote machine using the ssh-copy-id command: 
    ssh-copy-id user@remote-host

Step 3: Create a Systemd Service Unit File

  1. Create a new file with a .service extension (e.g., ssh-tunnel.service) in the /etc/systemd/system/ directory on the local machine.
  2. Add the following content to the file: 
    [Unit]
Description=SSH Tunnel Service
After=network.target

[Service]
User=your_username
ExecStart=/usr/bin/ssh -NT -L local_port:remote_host:remote_port user@remote-host
ExecStop=/usr/bin/pkill -f "ssh -NT -L local_port:remote_host:remote_port"
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
    Replace your_username, local_port, remote_host, remote_port, and user@remote-host with the appropriate values for your setup.

Step 4: Configure SELinux

SELinux is a security framework that enforces access control policies on Linux systems. To allow the SSH tunnel service to function properly, you may need to adjust SELinux contexts and policies.

  1. Change the SELinux context of the socket file (if applicable):

    • If the socket file is located in a user's home directory (e.g., /home/user/ssh_socket), change its context to a type accessible by the SSH service, such as ssh_home_t: 
      chcon -t ssh_home_t /home/user/ssh_socket
semanage fcontext -a -t ssh_home_t /home/user/ssh_socket
restorecon -v /home/user/ssh_socket

  2. Allow the SSH service to access the necessary ports:

    • Use the semanage port command to add the local and remote ports to the SELinux policy: 
      semanage port -a -t ssh_port_t -p tcp local_port
semanage port -a -t ssh_port_t -p tcp remote_port

  3. If SELinux denials persist, use troubleshooting tools to generate and apply policy modules:

    • Install the setroubleshoot and policycoreutils-python-utils packages if not already installed.
    • Check the SELinux audit log for denied access attempts: 
      ausearch -m AVC,USER_AVC -ts recent | grep ssh
    • Use audit2allow or audit2why to analyze the denials and generate policy modules: 
      audit2allow -a -M ssh_tunnel
semodule -i ssh_tunnel.pp

Step 5: Start and Enable the SSH Tunnel Service

  1. Reload the systemd manager configuration:

    sudo systemctl daemon-reload

  2. Start the SSH tunnel service:

    sudo systemctl start ssh-tunnel.service

  3. Enable the service to start automatically at boot:

    sudo systemctl enable ssh-tunnel.service

  4. Check the status of the service:

    sudo systemctl status ssh-tunnel.service

Troubleshooting

If you encounter issues with the SSH tunnel service, follow these troubleshooting steps:

  1. Check the status of the SSH tunnel service:

    systemctl status ssh-tunnel.service
    • If the service is not running or in a failed state, proceed to step 2.
    • If the service is running but not functioning as expected, proceed to step 3.

  2. Review the systemd unit file for the SSH tunnel service:

    • Ensure that the ExecStart and ExecStop directives are correctly specified with the appropriate SSH command and options.
    • Verify that the specified local port, remote host, remote port, and user credentials are correct.
    • If any errors are found, fix them and restart the service using systemctl restart ssh-tunnel.service.

  3. Verify that the SSH client can connect to the SSH server:

    • Use the ssh command to manually test the connection: 
      ssh -p <ssh_port> user@ssh_server
    • If the connection fails, check the SSH server logs (e.g., /var/log/secure or /var/log/auth.log) for any authentication or connection issues.
    • Ensure that the SSH server is running and accessible through the firewall.

  4. Check the SELinux audit log for any denied access attempts related to the SSH tunnel service:

    ausearch -m AVC,USER_AVC -ts recent | grep ssh
    • If any denials are found, use audit2why or setroubleshoot to analyze them and generate policy modules if needed.
    • Apply the generated policy modules using semodule -i <module_name>.pp and restart the SSH tunnel service.

  5. Verify that the necessary ports are allowed through the firewall on both the client and server:

    • Check the firewall rules using tools like iptables -L, firewall-cmd --list-all, or ufw status, depending on your firewall management tool.
    • Ensure that the SSH port and the local/remote ports used for the SSH tunnel are allowed through the firewall.

  6. Test the SSH tunnel manually using the ssh command:

    ssh -L local_port:remote_host:remote_port user@ssh_server
    • If the tunnel establishes successfully, the issue might be specific to the systemd unit configuration.
    • Double-check the systemd unit file for any discrepancies or typos.

By following this guide and the troubleshooting steps, you should be able to set up a reliable SSH tunnel service with SELinux and systemd. Remember to consult the relevant documentation, man pages, and online resources for more in-depth information on SSH, SELinux, and systemd.

If you have any further questions or need assistance with specific scenarios, don't hesitate to reach out for help!

SELinux Troubleshooting:

  • When SELinux denies access, it logs the denial in the audit log, typically located at /var/log/audit/audit.log.
  • Use the ausearch command to search the audit log for SELinux denials: 
    ausearch -m AVC,USER_AVC -ts recent
  • The audit2allow tool can generate SELinux policy modules to allow denied access based on the audit log: 
    audit2allow -a -M my_module
semodule -i my_module.pp
  • The audit2why tool provides a more user-friendly explanation of SELinux denials: 
    audit2why < /var/log/audit/audit.log
  • The setroubleshoot package, if installed, provides additional guidance and suggestions for resolving SELinux issues.

Troubleshooting Steps:

  1. Check the status of the SSH tunnel service: 
    systemctl status ssh-tunnel.service
  2. Review the SSH server logs for any authentication or connection issues.
  3. Verify that the SSH client can connect to the SSH server using the appropriate credentials and key.
  4. Check the SELinux audit log for any denied access attempts related to the SSH tunnel service.
  5. Use audit2why or setroubleshoot to analyze SELinux denials and generate policy modules if needed.
  6. Ensure that the necessary ports are allowed through the firewall on both the client and server.
  7. Verify that the SSH tunnel configuration in the systemd unit file is correct, including the local port, remote host, remote port, and user credentials.
  8. Test the SSH tunnel manually using the ssh command to isolate any issues specific to the systemd unit configuration.

Remember to consult the relevant documentation, man pages, and online resources for more in-depth information on SSH, SELinux, and systemd.

If you have any specific questions or need further clarification on any of the technical aspects, feel free to ask!