Intro To 'runcon' Command In Linux
2024-05-23 - By Robert Elder
I use the 'runcon' command to run a command within a specified security context:
runcon -t unconfined_t date
Fri May 24 12:55:00 PM EDT 2024
What Is SELinux?
According to the PDF document 'configuring-selinux-policy-report.pdf' from nsa.gov: "NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible and fine-grained mandatory access control (MAC) architecture called Flask in the Linux kernel[LoscoccoFreenix2001]."
You can also find more useful information in the 'man' page for SELinux:
man selinux
selinux(8) SELinux Command Line documentation selinux(8)
NAME
SELinux - NSA Security-Enhanced Linux (SELinux)
DESCRIPTION
NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible
mandatory access control architecture in the Linux operating system. The
SELinux architecture provides general support for the enforcement of many
kinds of mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level
Security. Background information and technical documentation about
SELinux can be found at https://github.com/SELinuxProject.
...
A Real-World Use Case Scenario For 'runcon'
Lately, I've been spending way too much time on social media. So I decided to write a script to help me receive wholesome welcome messages from my friends:
#!/bin/bash
# The first parameter to this script should be
# an echo or printf command that displays a
# wholesome and friendly welcome message.
#
# Examples:
#
# ./my-script.sh "echo This is my favourite message"'!'""
# ./my-script.sh 'printf "How are you today?\n"'
#
eval "${1}"
As you can see above, the script that I made is extra simple, and works by simply running whatever command is provided in the first parameter. The script can be run easily like this:
./my-script.sh "echo This is my favourite message"'!'""
./my-script.sh 'printf "How are you today?\n"'
This is my favourite message!
How are you today?
But unfortunately, the script above has an unexpected problem! A computer hacker can easily inject a reverse shell into my script, and totally compromise my computer:
./my-script.sh "nc -l 0.0.0.0 1337 -e /bin/bash"
ps -ef | grep 1337
robert 3054 2766 0 13:19 pts/0 00:00:00 /bin/bash ./my-script.sh nc -l 0.0.0.0 1337 -e /bin/bash
The hacker could use this reverse shell to make fun of me, and send messages that aren't wholesome at all!
Preventing Reverse Shell Injection
To prevent these reverse shell injections, I can use the 'runcon' command to run my script in a pre-configured security context. Here, we can see the current security context:
runcon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
And the security context of the script file:
ls -Z my-script.sh
unconfined_u:object_r:user_home_t:s0 my-script.sh
And now, I can use the 'runcon' command to invoke the script:
runcon -t user_home_t ./my-script.sh "echo This is my favourite message"'!'""
This is my favourite message!
runcon -t user_home_t ./my-script.sh 'printf "How are you today?\n"'
How are you today?
Unlike the default security context, this security context doesn't allow process forking, causing the reverse shell injections to fail:
runcon -t user_home_t ./my-script.sh "nc -l 0.0.0.0 1337 -e /bin/bash"
./my-script.sh: fork: Permission denied
In this case, the policy that disallows process forking was created previously and installed using 'semodule':
vi my-myscriptsh.te
...
class dir { getattr read search };
class lnk_file read;
class process { rlimitinh siginh };
}
#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t user_home_t:process { rlimitinh siginh };
...
Different Ways To Specify Security Context
You can specify a colon separated security context:
runcon unconfined_u:unconfined_r:user_home_t:s0 ./my-script.sh "echo abc"
abc
or you can also specify user, role, type and range individually:
runcon -u unconfined_u -r unconfined_r -t user_home_t -l s0 ./my-script.sh "echo abc"
abc
SELinux Must Be Installed
The 'runcon' command is only useful on systems that have SELinux installed. For example, if you try to run this command on a system that doesn't use SELinux (such as Ubuntu 20):
runcon unconfined_u:unconfined_r:unconfined_t:s0 date
You'll see a message like this:
runcon: runcon may be used only on a SELinux kernel
However, if you run the same command on a system that does use SELinux by default (such as Fedora 37), you'll see the command run normally:
runcon unconfined_u:unconfined_r:unconfined_t:s0 date
Fri May 24 12:47:43 PM EDT 2024
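The two ways of writing a context and the "SELinux kernel" requirement above fit together in the following script, which is an added example and not code from the original post. It splits a colon-separated context into the four components of the -u/-r/-t/-l form, treating everything after the third colon as the MLS range (since the range "s0-s0:c0.c1023" itself contains a colon), and checks for /sys/fs/selinux/enforce before calling 'runcon'; the function names and that check are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post). The MLS range can itself
# contain a colon ("s0-s0:c0.c1023"), so the context is split as
# user:role:type followed by "everything after the third colon".

# Sets SE_USER, SE_ROLE, SE_TYPE, SE_RANGE from $1; fails without user:role:type.
parse_context() {
    ctx=$1
    case $ctx in
        *:*:*) ;;
        *) echo "parse_context: '$ctx' is not user:role:type[:range]" >&2; return 1 ;;
    esac
    SE_USER=${ctx%%:*};  rest=${ctx#*:}
    SE_ROLE=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) SE_TYPE=${rest%%:*}; SE_RANGE=${rest#*:} ;;  # range present
        *)   SE_TYPE=$rest;       SE_RANGE= ;;            # no range field
    esac
}

# Prints the per-component runcon flags equivalent to the colon form in $1.
runcon_args() {
    parse_context "$1" || return 1
    printf '%s %s %s %s %s %s' -u "$SE_USER" -r "$SE_ROLE" -t "$SE_TYPE"
    if [ -n "$SE_RANGE" ]; then printf ' %s %s' -l "$SE_RANGE"; fi
    printf '\n'
}

# runcon(1) only works where the SELinux kernel interface is mounted (the
# "may be used only on a SELinux kernel" case above).
selinux_available() { [ -e /sys/fs/selinux/enforce ]; }

# Run "$@" under the colon-form context $1, or report why it cannot be done.
run_in_context() {
    parse_context "$1" || return 1
    shift
    if ! selinux_available; then
        echo "SELinux not active; would run: runcon $(runcon_args "$ctx") $*" >&2
        return 2
    fi
    if [ -n "$SE_RANGE" ]; then
        runcon -u "$SE_USER" -r "$SE_ROLE" -t "$SE_TYPE" -l "$SE_RANGE" "$@"
    else
        runcon -u "$SE_USER" -r "$SE_ROLE" -t "$SE_TYPE" "$@"
    fi
}

# Demo with contexts from the post; the first carries a colon in its range.
runcon_args 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
run_in_context 'unconfined_u:unconfined_r:user_home_t:s0' date || true
```

On a kernel without SELinux the last line prints the 'runcon' invocation it would have made and returns 2 instead of failing with the coreutils error message.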
Printing The Current Security Context
When run without parameters, the 'runcon' command outputs the current security context:
runcon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
And that's why the 'runcon' command is my favourite Linux command.