hannes_kuehnemund
What about SAP and SELinux?

As several customers are already asking about SAP and SELinux, it is time to have a closer look at this fascinating technology. But first of all, what is SELinux (in case you haven't heard of it already)? SELinux (Security-Enhanced Linux) was originally developed by the NSA, the National Security Agency. To quote the SELinux homepage on the question "What is Security-enhanced Linux?":


"Security-enhanced Linux (SELinux) was originally developed as a research prototype of the Linux kernel and a number of utilities with enhanced security functionality designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Today SELinux is integrated into the mainline Linux 2.6 kernel series and several Linux distributions. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security."

The intention of this blog is to give you an overview of how you can implement a security policy for your SAP system on RHEL5. The SAP system used in our example is a Solution Manager 4.0 SR1 system with MaxDB. As SELinux modules are compiled binaries with several hard-coded directory names (e.g. /usr/sap/LSM) and structures, SAP cannot ship a precompiled policy that could be used by all SAP customers. Our intention is rather to motivate SAP administrators and security-interested people to get in touch with SELinux in general. As the policy does not come from SAP, we cannot give any support for it, so it is very convenient to have this knowledge available in house.



Preparation

Before installing the SAP software, please make sure you have at least the following SELinux rpm packages installed:

  • selinux-policy
  • selinux-policy-targeted
  • selinux-policy-devel

Then, in /usr/share/selinux/devel, run policygentool to generate the skeleton of the policy module. It asks a few questions about the application:

# ./policygentool sap /sapmnt/LSM/exe/R3trans
..some information..
Return to continue:
Does the module have a init script?
y
Does the module use the network?
y
# ls -la sap*
-rw-r--r-- 1 root root  265 May  3 17:41 sap.fc
-rw-r--r-- 1 root root  463 May  3 17:41 sap.if
-rw-r--r-- 1 root root 1539 May  3 17:41 sap.te




First of all, we will adapt all paths in our sap.fc (file context) file. This file contains only the two paths which we entered while policygentool was running. We have some more files to mention here. My example looks like:




/sapmnt/LSM/exe(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
/usr/sap/sapservices -- gen_context(system_u:object_r:sap_exec_t,s0)
/etc/init.d/sapinit -- gen_context(system_u:object_r:sap_exec_t,s0)
/sapdb(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
/usr/sap(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
/etc/opt/sdb gen_context(system_u:object_r:sap_var_log_t,s0)
/usr/spool/sql(/.*)? gen_context(system_u:object_r:sap_var_log_t,s0)
/devspaces(/.*)? gen_context(system_u:object_r:sap_var_log_t,s0)
/sapmnt/LSM/profile(/.*)? gen_context(system_u:object_r:sap_var_log_t,s0)
/sapmnt/LSM/global(/.*)? gen_context(system_u:object_r:sap_var_log_t,s0)
/usr/sap/LSM/DVEBMGS01/work(/.*)? gen_context(system_u:object_r:sap_var_log_t,s0)
/usr/sap/LSM/SCS00/work(/.*)? gen_context(system_u:object_r:sap_var_log_t,s0)




During installation I put all MaxDB devspaces under /devspaces. After changing this file, we now compile our policy, load it into the kernel, relabel all files mentioned in sap.fc so that they carry the correct label, and then try to start the SAP system. The error messages in /var/log/audit/audit.log will then tell us what we have forgotten. To compile the policy, execute the following command while still in /usr/share/selinux/devel:



# make -f /usr/share/selinux/devel/Makefile
Compiling targeted example module
/usr/bin/checkmodule:  loading policy configuration from tmp/example.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/example.mod
Creating targeted example.pp policy package
Compiling targeted sap module
/usr/bin/checkmodule:  loading policy configuration from tmp/sap.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/sap.mod
Creating targeted sap.pp policy package
rm tmp/sap.mod.fc tmp/example.mod tmp/sap.mod tmp/example.mod.fc




We have now compiled both the already existing example policy and our new sap policy. The make process generated a new file, sap.pp, which can now be loaded into the kernel. For testing purposes we set the currently running SELinux mode to permissive. To load the policy, simply execute, while in /usr/share/selinux/devel:



# semodule -i sap.pp




and check whether the policy is loaded with:

# semodule -l




Now that the policy is loaded, we have to relabel the file system. To make life easier I run the command on the root file system / and tell the tool to check all subdirectories. A second approach is to relabel only the directories given in the sap.fc file. But as I have to decide between one and several commands, I will run the single command:

# /sbin/restorecon -v -r /




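The second approach mentioned above, relabeling only the paths listed in sap.fc, can be scripted. The following is an added example and not code from the original post: it derives the literal path prefix of every sap.fc entry (the part before the first regex metacharacter), folds nested entries into their parent, and runs restorecon only on those directories. The sap.fc excerpt inside it is constructed from the entries shown earlier; the dry-run branch is an assumption for machines without restorecon.

```shell
#!/bin/sh
# Added example: relabel only the directories named in sap.fc instead of all of /.
LC_ALL=C; export LC_ALL

# Constructed sap.fc excerpt, modelled on the file listed in the post.
SAMPLE_FC='# constructed sample, format: <path-regex> [--] gen_context(...)
/sapmnt/LSM/exe(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
/usr/sap/sapservices -- gen_context(system_u:object_r:sap_exec_t,s0)
/etc/init.d/sapinit -- gen_context(system_u:object_r:sap_exec_t,s0)
/sapdb(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
/usr/sap(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
/etc/opt/sdb gen_context(system_u:object_r:sap_var_log_t,s0)

/usr/sap/LSM/DVEBMGS01/work(/.*)? gen_context(system_u:object_r:sap_var_log_t,s0)'

# fc_prefixes: read a sap.fc file on stdin and print the literal prefix of every
# entry, one per line, sorted, de-duplicated and with nested paths folded into
# their parent (so /usr/sap/LSM/... is covered by /usr/sap).
fc_prefixes() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         { p = $1; sub(/[[(*?+].*$/, "", p); print p }' |
    sort -u |
    awk '{ if (keep == "" || index($0, keep "/") != 1) { keep = $0; print } }'
}

# relabel_sap FC_FILE: run restorecon recursively on every prefix from FC_FILE.
# Without restorecon installed (e.g. when trying this off the SAP host) it only
# prints what it would run.
relabel_sap() {
    fc_prefixes < "$1" | while read -r dir; do
        if command -v restorecon >/dev/null 2>&1; then
            restorecon -v -r "$dir"
        else
            echo "would run: restorecon -v -r $dir"
        fi
    done
}

# Usage on the SAP host: relabel_sap /usr/share/selinux/devel/sap.fc
if [ -n "${1:-}" ]; then
    relabel_sap "$1"
fi
```

The fold step matters: after the first prefix `/usr/sap` has been kept, the more specific `/usr/sap/LSM/DVEBMGS01/work` entry is skipped, so each subtree is walked once.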
You will now get a long list of files which are relabeled to our new security contexts. Having this list in place, it is time to start the SAP system and check which additional privileges we need. Before that, I normally reboot the machine at this stage to check whether the policy gets loaded correctly after a system boot. Let's set the SELinux mode back to enforcing (in /etc/selinux/config).
After rebooting the server, there should be two running sapstartsrv processes, one for each instance. Let's check whether they run in their new security context with:



# ps auxf -Z | grep sapstartsrv




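The check just described, and the later observation in this post that processes sometimes ended up in unconfined_t instead of sap_t, can be turned into a script. This is an added example, not code from the original post: it reads `ps -eZ -o label,pid,comm` style output, picks the processes whose command matches a pattern and reports every one whose SELinux type is not the expected domain. The ps output inside it is constructed.

```shell
#!/bin/sh
# Added example: verify that SAP processes run in the domain the policy assigns.
# Constructed sample in the column layout of "ps -eZ -o label,pid,comm".
SAMPLE_PS='LABEL                         PID COMMAND
system_u:system_r:init_t:s0       1 init
root:system_r:sap_t:s0         2029 sapstartsrv
root:system_r:sap_t:s0         2048 sapstartsrv
root:system_r:unconfined_t:s0  3101 disp+work
root:system_r:sap_t:s0         3102 dw.sapLSM_DVEBMGS01'

# check_domains EXPECTED NAME_REGEX: read ps output on stdin, print every process
# whose command matches NAME_REGEX but whose type is not EXPECTED; exit 1 if any.
check_domains() {
    awk -v want="$1" -v pat="$2" '
    NR > 1 && $3 ~ pat {
        split($1, c, ":")                        # user:role:type:level
        if (c[3] != want) {
            print $2, $3, "runs as", c[3], "(expected", want ")"
            bad = 1
        }
    }
    END { exit bad + 0 }'
}

# On the SAP host:
#   ps -eZ -o label,pid,comm | check_domains sap_t 'sapstartsrv|disp\+work|^dw\.'
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | check_domains sap_t 'sapstartsrv|disp'
fi
```

A non-zero exit status from check_domains after a policy reload is the signal to reboot (or at least restart the instance) before trusting any AVC output, because denials are only recorded for processes that actually run in sap_t.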
Oh, they aren't there. We should have a second console open on the machine running "tail -f /var/log/audit/audit.log"; it shows you what is happening on the system and which actions are forbidden. I assume there are still some actions denied, and they may look like:



type=AVC msg=audit(1178278368.097:123): avc:  denied  { search } for  pid=2048 comm="sapstartsrv" name="root" dev=dm-0 ino=1048577 scontext=root:system_r:sap_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1178278368.097:123): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcbcf6880 a1=0 a2=2aaaaaaab000 a3=0 items=0 ppid=2029 pid=2048 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sapstartsrv" exe="/sapmnt/LSM/exe/sapstartsrv" subj=root:system_r:sap_t:s0 key=(null)
type=AVC msg=audit(1178278368.097:124): avc:  denied  { search } for  pid=2048 comm="sapstartsrv" name="root" dev=dm-0 ino=1048577 scontext=root:system_r:sap_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1178278368.097:124): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcbcf6880 a1=0 a2=2aaaaaaab000 a3=0 items=0 ppid=2029 pid=2048 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sapstartsrv" exe="/sapmnt/LSM/exe/sapstartsrv" subj=root:system_r:sap_t:s0 key=(null)




Okay, sap_t is not allowed to write to user_home_dir_t, the home directory. Let's check with audit2allow what we have to add to our sap.te file by calling:



# audit2allow -l -i /var/log/audit/audit.log | grep sap_t
allow sap_t console_device_t:chr_file { read write };
allow sap_t devpts_t:chr_file { read write };
allow sap_t user_home_dir_t:dir search;
allow sap_t usr_t:lnk_file read;




These lines need to be added to our sap.te file. So let's go to /usr/share/selinux/devel and modify sap.te accordingly. We then set the SELinux mode to permissive, unload the policy and compile a new one with:



# setenforce 0
# semodule -r sap
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted sap module
/usr/bin/checkmodule:  loading policy configuration from tmp/sap.tmp
sap.te:57:ERROR 'unknown type console_device_t' at token ';' on line 79958:
# added
allow sap_t console_device_t:chr_file { read write };
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** tmp/sap.mod Error 1




Somehow, our sap.te file contains some errors. This error simply tells us that we have to put some extra "require" statements into sap.te, because the types we reference are declared in other modules. Just add the following lines to the sap.te file (below logging_log_file(sap_var_log_t) in the Declarations section):




require {
type console_device_t, user_home_dir_t;
}




and try building the policy again:



# make -f /usr/share/selinux/devel/Makefile
Compiling targeted sap module
/usr/bin/checkmodule:  loading policy configuration from tmp/sap.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/sap.mod
Creating targeted sap.pp policy package
rm tmp/sap.mod.fc tmp/sap.mod




We now load our policy, enable enforcing mode again, relabel and start the SAP system:

# semodule -i sap.pp
# setenforce 1
# restorecon -v -r /
# /etc/init.d/sapinit start




The next error message is that sap_t needs access to default_t on /sapmnt. Alternatively you can change the file context of /sapmnt in general, or use audit2allow to generate a new allow rule which then needs to be placed inside sap.te. You now have to continue with this process until everything works. Please make sure that you reboot your machine from time to time when loading and removing policies all the time. I faced the problem of processes running under unconfined_t although they ran under sap_t before. After a reboot this strange misbehaviour was always gone and the processes were running under sap_t again.



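The loop just described (read the AVC denials, derive allow rules, add the require block, rebuild) is where most of the effort goes, and where rules get waved through without anyone asking why a domain touched a given type. The following added example, which is not code from the original post, scripts that loop for one domain: it merges the denials of sap_t into allow rules the way audit2allow does, writes rules that target sensitive types as commented-out lines marked for review instead of live rules, and prints the require block that checkmodule demanded above. The audit.log excerpt, the sensitive-type list and the assumption that the module itself declares all sap_* types are constructed for this example.

```shell
#!/bin/sh
# Added example: AVC denials of one domain -> candidate allow rules + require block.
LC_ALL=C; export LC_ALL

# Constructed audit.log excerpt: the two SAP denials from the post (with the denied
# permission spelled out), a SYSCALL record, a denial on shadow_t, and a denial from
# an unrelated domain (httpd_t) that must be filtered out.
SAMPLE_AUDIT='type=AVC msg=audit(1178278368.097:123): avc:  denied  { search } for  pid=2048 comm="sapstartsrv" name="root" dev=dm-0 ino=1048577 scontext=root:system_r:sap_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1178278368.097:123): arch=c000003e syscall=2 success=no exit=-13 comm="sapstartsrv" exe="/sapmnt/LSM/exe/sapstartsrv" subj=root:system_r:sap_t:s0 key=(null)
type=AVC msg=audit(1178278368.097:124): avc:  denied  { search } for  pid=2048 comm="sapstartsrv" name="root" dev=dm-0 ino=1048577 scontext=root:system_r:sap_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1178278400.011:130): avc:  denied  { read write } for  pid=2050 comm="sapstartsrv" path="/dev/console" dev=tmpfs ino=1234 scontext=root:system_r:sap_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1178278401.500:131): avc:  denied  { read } for  pid=2050 comm="sapstartsrv" name="shadow" dev=dm-0 ino=4242 scontext=root:system_r:sap_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1178278402.000:132): avc:  denied  { getattr } for  pid=900 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Target types a generated rule must never grant silently (constructed starting list).
SENSITIVE_TYPES='shadow_t security_t'

# avc_to_rules DOMAIN: read audit records on stdin and print one allow rule per
# (target type, object class) of DOMAIN, merging the permissions of all records.
avc_to_rules() {
    awk -v want="$1" '
    /^type=AVC / && / denied / {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)           # e.g. " read write "
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src != want) next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " have[key] " ", " " p[j] " ") == 0)
                have[key] = (have[key] == "" ? p[j] : have[key] " " p[j])
    }
    END {
        for (k in have)
            printf "allow %s %s;\n", k, (index(have[k], " ") ? "{ " have[k] " }" : have[k])
    }' | sort
}

# review_rules: read rules on stdin; a rule whose target type is in SENSITIVE_TYPES
# is written out as a comment with a REVIEW marker instead of as a live rule.
review_rules() {
    awk -v sens=" $SENSITIVE_TYPES " '
    /^allow / { split($3, t, ":"); if (index(sens, " " t[1] " ")) { print "# REVIEW (sensitive target): " $0; next } }
    { print }'
}

# require_block: read the reviewed rules on stdin and print the require { type ...; }
# block for every target type the module does not declare itself (assumed: sap_*).
require_block() {
    awk '
    /^allow / { split($3, t, ":"); if (t[1] !~ /^sap_/ && !(t[1] in seen)) { seen[t[1]] = 1; types[++n] = t[1] } }
    END {
        if (n == 0) exit
        for (i = 1; i <= n; i++)                 # simple sort for stable output
            for (j = i + 1; j <= n; j++)
                if (types[j] < types[i]) { tmp = types[i]; types[i] = types[j]; types[j] = tmp }
        line = types[1]
        for (i = 2; i <= n; i++) line = line ", " types[i]
        printf "require {\n\ttype %s;\n}\n", line
    }'
}

# On the SAP host (as root, audit.log is not world-readable):
#   avc_to_rules sap_t < /var/log/audit/audit.log | review_rules > new_rules.te
#   require_block < new_rules.te
if [ "${1:-}" = "--demo" ]; then
    rules=$(printf '%s\n' "$SAMPLE_AUDIT" | avc_to_rules sap_t | review_rules)
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | require_block
fi
```

Run with `--demo` and the shadow_t rule comes out as `# REVIEW (sensitive target): allow sap_t shadow_t:file read;`, so it can be pasted into sap.te without taking effect, while the require block lists exactly console_device_t and user_home_dir_t, the two types the checkmodule error above complained about.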
This was already a lot of work until we got a running SELinux SAP policy. Please take into account that this policy doesn't really protect your SAP system: every work process can access all files mentioned in the sap.fc file. It is a lot of work to create a more sophisticated policy, but in my opinion this small example should be enough for the beginning.

If you have any more comments, please let me know. I'm really looking forward to hearing from anyone interested in SAP and SELinux.
