SELinux introduction
Ľubomír Rintel
<lubo.rintel@gooddata.com>
Traditional UNIX DAC approach
● Owner controls access to object
● File owner/group
● Process with effective UID/GID
● File mode
● Almighty root user above the rules
SELinux MAC approach
● Policy controls access to objects
● Labeled objects (files, sockets, …)
● Labeled processes (domains)
● Policy rules
● Concept of “almighty” unconfined processes is defined within policy
…
DAC and MAC at the same time
● Allows for tighter privilege control
UNIX                                      SELinux
File owner/group: UID/GID                 File context (FC): label
Process effective user/group: UID/GID     Process domain: label
File mode                                 Type Enforcement (TE) rules
setuid()                                  Domain transition
Setuid bit                                File context + implicit domain transition rule
Labels
$ ls -Z /var/spool/anacron/cron.daily
-rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily
$ ps uxZ |grep /usr/sbin/atd
system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
Policy
● Delivered via RPM packages
● selinux-policy, selinux-policy-targeted
● Reference policy, multiple available
● Modular
● File contexts (*.fc)
● Type enforcement rules (*.te)
● M4 macros, "interfaces" (*.if)
File Contexts
● Labeling rules delivered with policy packages
● RPM applies labels upon package installation
● Files inherit labels otherwise
cron.fc:
/etc/cron.d(/.*)?             gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab             --   gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/anacron(/.*)?      gen_context(system_u:object_r:system_cron_spool_t,s0)
⋮
/var/spool/fcron/systab  --   gen_context(system_u:object_r:system_cron_spool_t,s0)
Type Enforcement rules
● Specified in custom DSL + M4
● Compiled & loaded into kernel at runtime
cron.te:
allow system_cronjob_t cron_log_t:file manage_file_perms;
⋮
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
Domains
● TE rules control domain transition
● Transitioned into upon execution of labeled file
● Remember the setuid bit?
● "unconfined" domains
cron.te:
init_daemon_domain(system_cronjob_t, anacron_exec_t)
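The "Domains" slide says TE rules control the transition and likens it to the setuid bit. The following is an added example, not the reference policy or the slides' code: a toy evaluator for the rules a domain transition needs. The policy fragment is constructed; its allow rules and type_transition are roughly what init_daemon_domain(system_cronjob_t, anacron_exec_t) expands to, written out by hand in cron.te style, and it also shows a domain that may execute the file but has no transition rule for it.

```python
"""Added example, not the reference policy: a toy evaluator for the
rules a domain transition needs, which the "Domains" slide compares to
the setuid bit.  The policy fragment is constructed; the allow rules and
the type_transition are roughly (an assumption) what
init_daemon_domain(system_cronjob_t, anacron_exec_t) expands to, written
out by hand in cron.te style."""
import re
from collections import defaultdict

POLICY = """
allow init_t anacron_exec_t:file { execute read open getattr };
allow init_t system_cronjob_t:process transition;
allow system_cronjob_t anacron_exec_t:file entrypoint;
type_transition init_t anacron_exec_t:process system_cronjob_t;
allow crond_t anacron_exec_t:file { execute read open getattr };
"""

ALLOW = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{ ([^}]+)\}|(\S+));$")
TRANS = re.compile(r"^type_transition (\S+) (\S+):process (\S+);$")

def parse_policy(text):
    """Return (allow table, transition table) for the two statement kinds."""
    allows = defaultdict(set)   # (source, target, class) -> permissions
    trans = {}                  # (source domain, exec type) -> new domain
    for line in text.strip().splitlines():
        m = ALLOW.match(line)
        if m:
            allows[(m.group(1), m.group(2), m.group(3))].update(
                (m.group(4) or m.group(5)).split())
            continue
        m = TRANS.match(line)
        if m:
            trans[(m.group(1), m.group(2))] = m.group(3)
            continue
        raise ValueError("unsupported statement: " + line)
    return allows, trans

def allowed(allows, src, tgt, cls, perm):
    return perm in allows.get((src, tgt, cls), set())

def exec_domain(policy, domain, exec_type):
    """Domain a process running as `domain` ends up in after exec'ing a
    file labeled `exec_type`, or None if the kernel would refuse.
    A transition needs three allow rules, not just "execute": the caller
    may execute the file, the caller may transition to the new domain,
    and the new domain may be entered through that file (entrypoint,
    the MAC analogue of the setuid bit on one particular binary)."""
    allows, trans = policy
    if not allowed(allows, domain, exec_type, "file", "execute"):
        return None
    new = trans.get((domain, exec_type))
    if new is None:
        # No type_transition: stay in the caller's domain, which then
        # needs execute_no_trans on the file as well.
        return domain if allowed(allows, domain, exec_type, "file",
                                 "execute_no_trans") else None
    if not allowed(allows, domain, new, "process", "transition"):
        return None
    if not allowed(allows, new, exec_type, "file", "entrypoint"):
        return None
    return new

if __name__ == "__main__":
    policy = parse_policy(POLICY)
    for dom in ("init_t", "crond_t", "user_t"):
        print(dom, "->", exec_domain(policy, dom, "anacron_exec_t"))
```

Dropping any one of the three allow rules makes the exec fail rather than silently run in the caller's domain, which is the property that makes the transition safer than a setuid bit.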
Management Tools
● setenforce 1; getenforce
● /etc/sysconfig/selinux
● UNIX tools with -Z argument
● semanage
# semanage fcontext -l |grep /var/spool/anacron
/var/spool/anacron(/.*)?    all files    system_u:object_r:system_cron_spool_t:s0
# chcon -t etc_t /var/spool/anacron
# restorecon -v /var/spool/anacron
restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0->system_u:object_r:system_cron_spool_t:s0
What if things don't work?
● audit2why, audit2allow to analyze
● restorecon to fix context
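The "File Contexts" and "What if things don't work?" slides fit together: most denials are labels, not missing rules. The following is an added example, not code from the slides or from the SELinux tools: a toy of the file_contexts lookup behind restorecon/matchpathcon and of the AVC-denial reading behind audit2why, combined so that a mislabeled file (fix: restorecon) is told apart from a real policy gap (fix: a new TE rule). The fc excerpt is rebuilt from the slide's entries and the audit records are constructed.

```python
"""Added example (not code from the slides): a toy of two things the deck
shows, the file_contexts lookup behind restorecon/matchpathcon and the
AVC-denial reading behind audit2why.  The fc excerpt and audit records
below are constructed."""
import re

# cron.fc-style excerpt built from the slide's entries.  "--" limits an
# entry to regular files; no qualifier means any inode type.
FC_TEXT = """
/etc/cron.d(/.*)?             gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab             --   gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/anacron(/.*)?      gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab  --   gen_context(system_u:object_r:system_cron_spool_t,s0)
"""

FC_LINE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dlcbsp])\s+)?"
                     r"gen_context\((?P<ctx>[^,]+),(?P<level>[^)]+)\)$")
FTYPE_TO_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
                  "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}

def parse_fc(text):
    """Return [(compiled regex, object class or None, full context)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparseable file_contexts line: " + line)
        cls = FTYPE_TO_CLASS[m.group("ftype")] if m.group("ftype") else None
        ctx = m.group("ctx") + ":" + m.group("level").strip()
        rules.append((re.compile(m.group("regex") + "$"), cls, ctx))
    return rules

def expected_context(rules, path, tclass="file"):
    """Label the policy prescribes for `path`, or None if it lists none.
    As in libselinux, the LAST matching entry wins, which is why generic
    entries come first and more specific ones later in *.fc files."""
    found = None
    for rx, cls, ctx in rules:
        if rx.match(path) and (cls is None or cls == tclass):
            found = ctx
    return found

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
                    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
                    r"tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Pull the fields audit2why needs out of one audit.log AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    pm = re.search(r'\bpath="([^"]+)"', line)
    rec["path"] = pm.group(1) if pm else None
    return rec

def type_of(context):
    """user:role:type[:level] -> type, the part TE rules are written in."""
    return context.split(":")[2]

def triage(rec, rules):
    """('relabel', restorecon command) when the denied object does not
    carry the label file_contexts says it should; otherwise ('policy',
    audit2allow-style rule), i.e. the denial is not a labeling problem."""
    want = expected_context(rules, rec["path"], rec["tclass"]) if rec["path"] else None
    if want and type_of(want) != type_of(rec["tcontext"]):
        return ("relabel", "restorecon -v " + rec["path"])
    rule = "allow %s %s:%s { %s };" % (type_of(rec["scontext"]),
                                       type_of(rec["tcontext"]),
                                       rec["tclass"], " ".join(rec["perms"]))
    return ("policy", rule)

# Constructed audit records.  The first concerns the spool file after a
# mislabel like the chcon on the "Management Tools" slide; the second a
# path no *.fc entry covers, so only a rule (or a new entry) can fix it.
AVC_MISLABEL = ('type=AVC msg=audit(1700000000.123:42): avc:  denied  { read } for  '
                'pid=4371 comm="crond" path="/var/spool/anacron/cron.daily" dev="dm-0" '
                'ino=1234 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 '
                'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0')
AVC_GAP = ('type=AVC msg=audit(1700000000.456:43): avc:  denied  { read open } for  '
           'pid=4371 comm="crond" path="/srv/app/jobs.conf" dev="dm-0" ino=5678 '
           'scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 '
           'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0')

if __name__ == "__main__":
    rules = parse_fc(FC_TEXT)
    for line in (AVC_MISLABEL, AVC_GAP):
        print(triage(parse_avc(line), rules))
```

The point of the triage step is that an audit2allow rule pasted blindly for the first record would widen crond_t's access permanently, while the label fix is what the policy already intended.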
Scaling API-first – The story of a global engineering organization
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

SELinux basics

  • 2. Traditional UNIX DAC approach
    ● Owner controls access to object
    ● File owner/group
    ● Process with effective UID/GID
    ● File mode
    ● Almighty root user above the rules

  • 3. SELinux MAC approach
    ● Policy controls access to objects
    ● Labeled objects (files, sockets, …)
    ● Labeled processes (domains)
    ● Policy rules
    ● Concept of “almighty” unconfined processes is defined within policy …

  • 4. DAC and MAC at the same time
    ● Allows for tighter privilege control

    UNIX                                    SELinux
    File owner/group: UID/GID               File context (FC): label
    Process effective user/group: UID/GID   Process domain: label
    File mode                               Type Enforcement (TE) rules
    setuid()                                Domain transition
    Setuid bit                              File context + implicit domain transition rule

  • 5. Labels
    $ ls -Z /var/spool/anacron/cron.daily
    -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily
    $ ps uxZ |grep /usr/sbin/atd
    system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd

  • 6. Policy
    ● Delivered via RPM packages
    ● selinux-policy, selinux-policy-targeted
    ● Reference policy, multiple available
    ● Modular
    ● File contexts (*.fc)
    ● Type enforcement rules (*.te)
    ● M4 macros, "interfaces" (*.if)

  • 7. File Contexts
    ● Labeling rules delivered with policy packages
    ● RPM applies labels upon package installation
    ● Files inherit labels otherwise

    cron.fc:
    /etc/cron.d(/.*)?          gen_context(system_u:object_r:system_cron_spool_t,s0)
    /etc/crontab            -- gen_context(system_u:object_r:system_cron_spool_t,s0)
    /var/spool/anacron(/.*)?   gen_context(system_u:object_r:system_cron_spool_t,s0)
    ⋮
    /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)

  • 8. Type Enforcement rules
    ● Specified in custom DSL + M4
    ● Compiled & loaded into kernel at runtime

    cron.te:
    allow system_cronjob_t cron_log_t:file manage_file_perms;
    ⋮
    list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
    read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
  • 9. Domains
    ● TE rules control domain transition
    ● Transitioned into upon execution of labeled file
    ● Remember the setuid bit?
    ● "unconfined" domains

    cron.te:
    init_daemon_domain(system_cronjob_t, anacron_exec_t)

  • 10. Management Tools
    ● setenforce 1; getenforce
    ● /var/sysconfig/selinux
    ● UNIX tools with -Z argument
    ● semanage

    # semanage fcontext -l |grep /var/spool/anacron
    /var/spool/anacron(/.*)?    all files    system_u:object_r:system_cron_spool_t:s0
    # chcon -t etc_t /var/spool/anacron
    # restorecon -v /var/spool/anacron
    restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0->system_u:object_r:system_cron_spool_t:s0

  • 11. What if things don't work?
    ● audit2why, audit2allow to analyze
    ● restorecon to fix context
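The following is an added example, not code from the slides or from the SELinux project: a small Python model of how the "File Contexts", "Labels", "Management Tools" and "What if things don't work?" slides fit together. It parses the cron.fc rules shown above, resolves the label a path would get from restorecon (honouring the `--` regular-file qualifier), splits a label into its user:role:type:level fields, and triages a constructed AVC denial record: if the object's actual type differs from what the fc rules say, the answer is restorecon, not a policy change. Assumptions: the AVC line is constructed sample input in auditd's record format; "last matching fc rule wins" is a simplification of libselinux's specificity ordering; the full path of the denied object is supplied by the operator, since the AVC record only carries its basename.

```python
"""Added example (not from the slides): relate fc rules, labels and an AVC
denial so a mislabeled file (the chcon -t etc_t case on the slides) can be
told apart from a genuine policy gap.  Runs without any SELinux tooling."""
import re
from typing import List, NamedTuple, Optional


class Context(NamedTuple):
    """Fields of a label such as system_u:object_r:system_cron_spool_t:s0."""
    user: str
    role: str
    type: str
    level: str


def parse_context(label: str) -> Context:
    # The MLS/MCS level may itself contain ':' (s0-s0:c0.c1023): split at most 3 times.
    user, role, typ, level = label.split(":", 3)
    return Context(user, role, typ, level)


# cron.fc rules as shown on the "File Contexts" slide.  The optional middle
# column limits a rule to one file kind: "--" regular file, "-d" directory,
# "-l" symlink, ...; a rule without it applies to every kind.
CRON_FC = """\
/etc/cron.d(/.*)?          gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab            -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/anacron(/.*)?   gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
"""
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,]+),([^)]+)\)$")


class FcRule(NamedTuple):
    regex: re.Pattern
    filetype: Optional[str]   # None means "any file kind"
    context: Context


def parse_fc(text: str) -> List[FcRule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable fc line: {line!r}")
        path_re, ftype, ctx, level = m.groups()
        rules.append(FcRule(re.compile("^" + path_re + "$"), ftype,
                            parse_context(f"{ctx}:{level}")))
    return rules


def match_path(rules: List[FcRule], path: str, filetype: str = "--") -> Optional[Context]:
    """Context restorecon would assign to `path` (of kind `filetype`), or None
    when no rule matches and the label is simply inherited from the parent.
    Simplification: last matching rule wins (libselinux orders by specificity,
    which agrees for a well-ordered fc file)."""
    result = None
    for rule in rules:
        if rule.regex.match(path) and rule.filetype in (None, filetype):
            result = rule.context
    return result


# Constructed AVC record in auditd's format; not captured from a real host.
SAMPLE_AVC = (
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  '
    'pid=4371 comm="anacron" name="cron.daily" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
)


def parse_avc(line: str) -> Optional[dict]:
    """Extract the denied permissions and the key=value fields of one AVC record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields


def triage(avc: dict, rules: List[FcRule], path: str, filetype: str = "--") -> str:
    """Labeling problem or policy gap?  `path` is the full path of the denied
    object, which the AVC record itself only names by basename."""
    actual = parse_context(avc["tcontext"])
    expected = match_path(rules, path, filetype)
    if expected is None:
        return f"no fc rule covers {path}; check 'semanage fcontext -l' before touching policy"
    if expected.type != actual.type:
        return (f"mislabeled: {path} is {actual.type} but policy expects {expected.type}; "
                f"run 'restorecon -v {path}'")
    return f"label {actual.type} is correct; run audit2why on the record before considering audit2allow"


if __name__ == "__main__":
    fc = parse_fc(CRON_FC)
    print(match_path(fc, "/var/spool/anacron/cron.daily"))
    print(triage(parse_avc(SAMPLE_AVC), fc, "/var/spool/anacron/cron.daily"))
```

The order of checks in `triage` is the point: a denial whose target type disagrees with the fc rules is a labeling bug that `restorecon` fixes, and generating an allow rule for it with audit2allow would silently widen the policy to cover the wrong label.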