SELinux for Everyday Users

Much has been written on SELinux, and a lot of it seems confusing. It's buzzword heavy, involves locking your computer up, has a strange new set of permissions that are obscure in architecture and silently fails where things used to just work. Why use it?

Well, for most people, it's not actually that hard to understand. In this talk, Paul Wayper talks about how to make sense of what SELinux does, and how to keep it out of the way and get on with using your computer. In the process Paul will deal with the background to SELinux, what its main aims are, and why you really do want it turned on.

Presentation Transcript

  • SELinux for everyday users
  • SELinux Don't be afraid!
  • SELinux – the bad
    • Developed by the NSA
    • Mandatory Access Control
    • Infested with jargon
      • Policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!
    • Breaks systems
      • Root can't just do anything anymore
      • Applications stop working
      • Can't make it stop
  • SELinux – the bad
    • “SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.”
      • Theodore Ts’o (ext2/3/4 maintainer), 1 Oct 2007
      • Uses Debian
      • Not an everyday user!
  • SELinux – the good
    • “Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.”
      • Larry Loeb (Security author and researcher)
  • SELinux – the good
    • Used in many major distributions
      • In kernel since 2002
      • Fedora since Core 2 (2004)
      • RHEL since version 4 (2005)
      • Debian since Etch (2007)
      • Ubuntu since Hardy Heron 8.04 (2008)
  • SELinux How does it work?
  • SELinux – the basics
    • Compiled into the kernel
    • Packaged security policy
    • Checks database of rules on syscalls
    • Allows or denies based on policy
  • SELinux What does it really do?
  • SELinux – what does it do?
    • Stops daemons going bad
      • Policies in most distributions are applied only to system processes, not user processes.
      • Policies limit what a daemon can access and how.
      • Prevents daemon compromise affecting other files / users / ports / etc.
    (Photo credit: tchmilfan, "didi!", http://www.flickr.com/photos/tchmilfan/1033216436/)
  • SELinux – what does it do?
    • Stops daemons going bad
    • User processes are unaffected
      • root still gets to be root
      • Firefox still gets to crash your system
      • New policy being written to help that
  • SELinux – demystifying
    • Everything has a security 'context'
      • A process has a context
      • A file has a context
    • Database of rules
      • Rules allow a process in one context to do operations on an object in another context
  • SELinux – how do I see it?
    • Some commands have the -Z option
      • ls -Z
        drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin
        drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding
      • netstat -Z
        tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
      • ps -Z
        LABEL PID TTY TIME CMD
        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash
        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
      • The type (the field ending in _t) is the only thing you need to look at
  • SELinux – how do I use it?
    • restorecon
      • Restores the default SELinux context of a file
      • Looks up the database of rules and finds the correct context for that file
      • Based on the rules for the directory structure
    • chcon
  • SELinux – how do I use it?
    [root@tachyon ~]# ls -Z /etc/group
    -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
    [root@tachyon ~]# cp /etc/group /tmp
    [root@tachyon ~]# mv /tmp/group /etc
    [root@tachyon ~]# ls -Z /etc/group
    -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group
    [root@tachyon ~]# restorecon -R -v /etc/group
    restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
    [root@tachyon ~]# ls -Z /etc/group
    -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
  • SELinux – Lessons
    • 1: Try restorecon
  • SELinux – demystifying
    • Everything has a context
    • Database of rules
      • Rules allow a process in one context to do operations on an object in another context
    • Switches turn groups of rules on or off
      • Booleans
  • SELinux – how do I see it?
    • getsebool -a
    [root@tachyon ~]# getsebool -a | grep samba
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_run_unconfined --> on
    samba_share_fusefs --> off
    samba_share_nfs --> off
    use_samba_home_dirs --> off
    virt_use_samba --> off
  • SELinux – how do I use it?
    • setsebool – ONLY THIS SESSION!
    [root@tachyon ~]# getsebool -a | grep samba
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_run_unconfined --> on
    samba_share_fusefs --> off
    samba_share_nfs --> off
    use_samba_home_dirs --> off
    virt_use_samba --> off
    [root@tachyon ~]# setsebool samba_enable_home_dirs on
    [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
    samba_enable_home_dirs --> on
  • SELinux – how do I use it?
    • setsebool -P (persistent across reboots)
    [root@tachyon ~]# getsebool -a | grep samba
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_run_unconfined --> on
    samba_share_fusefs --> off
    samba_share_nfs --> off
    use_samba_home_dirs --> off
    virt_use_samba --> off
    [root@tachyon ~]# setsebool -P samba_enable_home_dirs on
    [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
    samba_enable_home_dirs --> on
  • SELinux – Lessons
    • 1: Try restorecon
    • 2: getsebool and setsebool
  • SELinux – how do I see it?
    • Some commands have the -Z option
      • ls -Z
      • netstat -Z
      • ps -Z
    • Audit messages go to /var/log/audit/audit.log
      • Some messages may be in /var/log/messages
  • SELinux – how do I see it?
    [root@tachyon ~]# tail -4 /var/log/audit/audit.log
    type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
    type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
  • SELinux – how do I use it?
    [root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why
    type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
        Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.
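As an added example, not from the talk: a small Python parser for AVC records in the audit.log format shown above. The sample is constructed from the hald denial on the slides plus one made-up smbd denial; the code pulls the type out of each context string, as the "-Z" slides advise, counts denials per source type, target type, class and permission, and maps each denial to the lesson to try first. The suggestion table is my heuristic, and smbd_t is assumed as the Samba daemon's domain.

```python
import re
from collections import Counter

# Constructed sample in the talk's audit.log format (SYSCALL records trimmed to a few
# fields). Serials 62/63: hald denied read on /etc/group, which still carries user_tmp_t
# after being moved in from /tmp. Serial 64: a constructed smbd denial on a home-dir file.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 pid=2184 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0
type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 pid=2184 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0
type=AVC msg=audit(1219408200.101:64): avc: denied { read } for pid=3001 comm="smbd" name="notes.txt" dev=dm-0 ino=99001 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"(?: name="(?P<name>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Third field of user:role:type[:range], the one part the talk says to look at."""
    return ctx.split(":")[2]

def parse_avc_denials(log_text):
    """Yield one dict per AVC denial record; SYSCALL and other record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["stype"], d["ttype"] = context_type(d["scontext"]), context_type(d["tcontext"])
            yield d

def summarise(log_text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for d in parse_avc_denials(log_text):
        for perm in d["perms"]:
            counts[(d["stype"], d["ttype"], d["tclass"], perm)] += 1
    return counts

def suggest(denial):
    """Heuristic (mine, not the talk's) mapping a denial to the lesson to try first."""
    if denial["ttype"] in ("user_tmp_t", "tmp_t") and denial["tclass"] in ("file", "dir"):
        return "restorecon: a /tmp label on a file outside /tmp (lesson 1)"
    if denial["stype"] == "smbd_t" and denial["ttype"] == "user_home_t":
        return "setsebool -P samba_enable_home_dirs on (lesson 2)"
    return "feed the record to audit2why (lesson 3)"
```

Running summarise(SAMPLE_AUDIT_LOG) groups the two hald records into one (hald_t, user_tmp_t, file, read) entry with a count of 2, which is the same mislabelled /etc/group that the restorecon slide fixes.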
  • SELinux – Lessons
    • 1: Try restorecon
    • 2: getsebool and setsebool
    • 3: audit2why or audit2allow
      • unless you're working on a system daemon problem.
      • Much more, but it's not for every day.
  • Questions?
    • Best effort only ☺