SELinux for Everyday Users

SELinux for everyday users

SELinux Don't be afraid!

SELinux – the bad
Developed by the NSA

SELinux – the bad
Mandatory Access Control

SELinux – the bad
Infested with jargon
Policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!

SELinux – the bad
Infested with jargon
Breaks systems
Root can't just do anything anymore
Applications stop working
Can't make it stop

SELinux – the bad
“ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.”
Theodore Ts’o (ext2/3/4 maintainer)

SELinux – the bad
Theodore Ts’o (ext2/3/4 maintainer)
Uses Debian

SELinux – the bad
Theodore Ts’o (1 Oct 2007)
Uses Debian
Not an everyday user!

SELinux Don't be afraid!

SELinux – the good
“ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.”
Larry Loeb

“ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.”
Larry Loeb (Security author and researcher)

Used in many major distributions

In kernel since 2002

Fedora since Core 2 (2004)
RHEL since version 4 (2005)

Fedora since Core 2 (2004)
RHEL since version 4 (2005)
Debian since Etch (2007)
Ubuntu since Hardy Heron 8.04 (2008)

SELinux How does it work?

SELinux – the basics
Compiled into the kernel

Packaged security policy

Checks database of rules on syscalls

Checks database of rules on syscalls
Allows or denies based on policy

SELinux What does it really do?

SELinux – what does it do?
Stops daemons going bad
tchmilfan : didi! - http://www.flickr.com/photos/tchmilfan/1033216436/

Policies in most distributions are applied only to system processes, not user processes.

Policies limit what a daemon can access and how.

Prevents daemon compromise affecting other files.

Prevents daemon compromise affecting other files / users / ports / etc.

User processes are unaffected

root still gets to be root

Firefox still gets to crash your system

Firefox still gets to crash your system
New policy being written to help that

SELinux – demystifying
Everything has a security 'context'

A process has a context

A file has a context

Database of rules

Database of rules
Rules allow a process in one context to do operations on an object in another context

SELinux – how do I see it?
Some commands have the -Z option
ls -Z
netstat -Z
ps -Z

ls -Z drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding
netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps

ls -Z drwxr-xr-x paulway paulway user_u:object_r: user_home_t :s0 bin drwxrwxr-x paulway paulway user_u:object_r: user_home_t :s0 coding
netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r: unconfined_execmem_t :s0-s0:c0.c1023
ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
The type_t is the only thing you need look at

SELinux – how do I use it?
restorecon
Restores the context of a file
Based on the rules for the directory structure
chcon

restorecon

restorecon
Restore s the default SELinux con text of a file

restorecon
Restore s the default SELinux con text of a file
Looks up the database of rules and finds the correct context for that file

SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group

SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group [root@tachyon ~]# restorecon -R -v /etc/group restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0 [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

SELinux – Lessons
1: Try restorecon

Everything has a context
Database of rules

Database of rules
Switches turn groups of rules on or off

Database of rules
Switches turn groups of rules on or off
Booleans

getsebool -a

getsebool -a
[root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off

setsebool
[root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

setsebool – ONLY THIS SESSION!
[root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

setsebool -P
[root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool -P samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

SELinux – Lessons
1: Try restorecon
2: getsebool and setsebool

ls -Z
netstat -Z
ps -Z
Audit messages go to /var/log/audit/audit.log

ls -Z
netstat -Z
ps -Z
Audit messages go to /var/log/audit/audit.log
Some messages may be in /var/log/messages

SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log

SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux – how do I use it? [root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

SELinux – Lessons
1: Try restorecon
3: audit2why or audit2allow

SELinux – Lessons
1: Try restorecon
unless you're working on a system daemon problem.

SELinux – Lessons
1: Try restorecon
Much more, but it's not for every day.

Questions?

Questions?
Best effort only ☺

http://www.ossblog.it	1634
http://www.slideshare.net	108
http://www.securitytube.net	100
http://securitytube.net	65
http://blog.dgrossato.com	59
http://brescia.bakeca.it	1
http://www.ereiser.org	1
http://www.aspoitalia.it	1

SELinux for Everyday Users

by PaulWay

Accessibility

Categories

Upload Details

Usage Rights

8 Embeds 1,969

Statistics

SELinux for Everyday Users Presentation Transcript