SELinux for everyday users

SELinux Don't be afraid!

SELinux – the bad Developed by the NSA

Developed by the NSA

SELinux – the bad Developed by the NSA Mandatory Access Control

Developed by the NSA

Mandatory Access Control

SELinux – the bad Developed by the NSA Mandatory Access Control Infested with jargon Policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!

Developed by the NSA

Mandatory Access Control

Infested with jargon

Policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!

SELinux – the bad Developed by the NSA Mandatory Access Control Infested with jargon Breaks systems Root can't just do anything anymore Applications stop working Can't make it stop

Developed by the NSA

Mandatory Access Control

Infested with jargon

Breaks systems

Root can't just do anything anymore

Applications stop working

Can't make it stop

SELinux – the bad “ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.” Theodore Ts’o (ext2/3/4 maintainer)

“ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.”

Theodore Ts’o (ext2/3/4 maintainer)

SELinux – the bad “ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.” Theodore Ts’o (ext2/3/4 maintainer) Uses Debian

“ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.”

Theodore Ts’o (ext2/3/4 maintainer)

Uses Debian

SELinux – the bad “ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.” Theodore Ts’o (1 Oct 2007) Uses Debian Not an everyday user!

“ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.”

Theodore Ts’o (1 Oct 2007)

Uses Debian

Not an everyday user!

SELinux Don't be afraid!

SELinux – the good “ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.” Larry Loeb

“ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.”

Larry Loeb

SELinux – the good “ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.” Larry Loeb (Security author and researcher)

“ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.”

Larry Loeb (Security author and researcher)

SELinux – the good Used in many major distributions

Used in many major distributions

SELinux – the good Used in many major distributions In kernel since 2002

Used in many major distributions

In kernel since 2002

SELinux – the good Used in many major distributions In kernel since 2002 Fedora since Core 2 (2004) RHEL since version 4 (2005)

Used in many major distributions

In kernel since 2002

Fedora since Core 2 (2004)

RHEL since version 4 (2005)

SELinux – the good Used in many major distributions In kernel since 2002 Fedora since Core 2 (2004) RHEL since version 4 (2005) Debian since Etch (2007) Ubuntu since Hardy Heron 8.04 (2008)

Used in many major distributions

In kernel since 2002

Fedora since Core 2 (2004)

RHEL since version 4 (2005)

Debian since Etch (2007)

Ubuntu since Hardy Heron 8.04 (2008)

SELinux How does it work?

SELinux – the basics Compiled into the kernel

Compiled into the kernel

SELinux – the basics Compiled into the kernel Packaged security policy

Compiled into the kernel

Packaged security policy

SELinux – the basics Compiled into the kernel Packaged security policy Checks database of rules on syscalls

Compiled into the kernel

Packaged security policy

Checks database of rules on syscalls

SELinux – the basics Compiled into the kernel Packaged security policy Checks database of rules on syscalls Allows or denies based on policy

Compiled into the kernel

Packaged security policy

Checks database of rules on syscalls

Allows or denies based on policy

SELinux What does it really do?

SELinux – what does it do? Stops daemons going bad tchmilfan : didi! - http://www.flickr.com/photos/tchmilfan/1033216436/

Stops daemons going bad

SELinux – what does it do? Stops daemons going bad Policies in most distributions are applied only to system processes, not user processes.

Stops daemons going bad

Policies in most distributions are applied only to system processes, not user processes.

SELinux – what does it do? Stops daemons going bad Policies in most distributions are applied only to system processes, not user processes. Policies limit what a daemon can access and how.

Stops daemons going bad

Policies in most distributions are applied only to system processes, not user processes.

Policies limit what a daemon can access and how.

SELinux – what does it do? Stops daemons going bad Policies in most distributions are applied only to system processes, not user processes. Policies limit what a daemon can access and how. Prevents daemon compromise affecting other files.

Stops daemons going bad

Policies in most distributions are applied only to system processes, not user processes.

Policies limit what a daemon can access and how.

Prevents daemon compromise affecting other files.

SELinux – what does it do? Stops daemons going bad Policies in most distributions are applied only to system processes, not user processes. Policies limit what a daemon can access and how. Prevents daemon compromise affecting other files / users / ports / etc.

Stops daemons going bad

Policies in most distributions are applied only to system processes, not user processes.

Policies limit what a daemon can access and how.

Prevents daemon compromise affecting other files / users / ports / etc.

SELinux – what does it do? Stops daemons going bad User processes are unaffected

Stops daemons going bad

User processes are unaffected

SELinux – what does it do? Stops daemons going bad User processes are unaffected root still gets to be root

Stops daemons going bad

User processes are unaffected

root still gets to be root

SELinux – what does it do? Stops daemons going bad User processes are unaffected root still gets to be root Firefox still gets to crash your system

Stops daemons going bad

User processes are unaffected

root still gets to be root

Firefox still gets to crash your system

SELinux – what does it do? Stops daemons going bad User processes are unaffected root still gets to be root Firefox still gets to crash your system New policy being written to help that

Stops daemons going bad

User processes are unaffected

root still gets to be root

Firefox still gets to crash your system

New policy being written to help that

SELinux – demystifying Everything has a security 'context'

Everything has a security 'context'

SELinux – demystifying Everything has a security 'context' A process has a context

Everything has a security 'context'

A process has a context

SELinux – demystifying Everything has a security 'context' A process has a context A file has a context

Everything has a security 'context'

A process has a context

A file has a context

SELinux – demystifying Everything has a security 'context' A process has a context A file has a context Database of rules

Everything has a security 'context'

A process has a context

A file has a context

Database of rules

SELinux – demystifying Everything has a security 'context' A process has a context A file has a context Database of rules Rules allow a process in one context to do operations on an object in another context

Everything has a security 'context'

A process has a context

A file has a context

Database of rules

Rules allow a process in one context to do operations on an object in another context

SELinux – how do I see it? Some commands have the -Z option ls -Z netstat -Z ps -Z

Some commands have the -Z option

ls -Z

netstat -Z

ps -Z

SELinux – how do I see it? Some commands have the -Z option ls -Z drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps

Some commands have the -Z option

ls -Z drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding

netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023

ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps

SELinux – how do I see it? Some commands have the -Z option ls -Z drwxr-xr-x paulway paulway user_u:object_r: user_home_t :s0 bin drwxrwxr-x paulway paulway user_u:object_r: user_home_t :s0 coding netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r: unconfined_execmem_t :s0-s0:c0.c1023 ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 6293 pts/1 00:00:00 ps The type_t is the only thing you need look at

Some commands have the -Z option

ls -Z drwxr-xr-x paulway paulway user_u:object_r: user_home_t :s0 bin drwxrwxr-x paulway paulway user_u:object_r: user_home_t :s0 coding

netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r: unconfined_execmem_t :s0-s0:c0.c1023

ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 6293 pts/1 00:00:00 ps

The type_t is the only thing you need look at

SELinux – how do I use it? restorecon Restores the context of a file Based on the rules for the directory structure chcon

restorecon

Restores the context of a file

Based on the rules for the directory structure

chcon

SELinux – how do I use it? restorecon

restorecon

SELinux – how do I use it? restorecon Restore s the default SELinux con text of a file

restorecon

Restore s the default SELinux con text of a file

SELinux – how do I use it? restorecon Restore s the default SELinux con text of a file Looks up the database of rules and finds the correct context for that file

restorecon

Restore s the default SELinux con text of a file

Looks up the database of rules and finds the correct context for that file

SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group

SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group [root@tachyon ~]# restorecon -R -v /etc/group restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0 [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

SELinux – Lessons 1: Try restorecon

1: Try restorecon

SELinux – demystifying Everything has a context Database of rules Rules allow a process in one context to do operations on an object in another context

Everything has a context

Database of rules

Rules allow a process in one context to do operations on an object in another context

SELinux – demystifying Everything has a context Database of rules Rules allow a process in one context to do operations on an object in another context Switches turn groups of rules on or off

Everything has a context

Database of rules

Rules allow a process in one context to do operations on an object in another context

Switches turn groups of rules on or off

SELinux – demystifying Everything has a context Database of rules Rules allow a process in one context to do operations on an object in another context Switches turn groups of rules on or off Booleans

Everything has a context

Database of rules

Rules allow a process in one context to do operations on an object in another context

Switches turn groups of rules on or off

Booleans

SELinux – how do I see it? getsebool -a

getsebool -a

SELinux – how do I see it? getsebool -a [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off

getsebool -a

SELinux – how do I use it? setsebool [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

setsebool

SELinux – how do I use it? setsebool – ONLY THIS SESSION! [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

setsebool – ONLY THIS SESSION!

SELinux – how do I use it? setsebool -P [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool -P samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

setsebool -P

SELinux – Lessons 1: Try restorecon 2: getsebool and setsebool

1: Try restorecon

2: getsebool and setsebool

SELinux – how do I see it? Some commands have the -Z option ls -Z netstat -Z ps -Z Audit messages go to /var/log/audit/audit.log

Some commands have the -Z option

ls -Z

netstat -Z

ps -Z

Audit messages go to /var/log/audit/audit.log

SELinux – how do I see it? Some commands have the -Z option ls -Z netstat -Z ps -Z Audit messages go to /var/log/audit/audit.log Some messages may be in /var/log/messages

Some commands have the -Z option

ls -Z

netstat -Z

ps -Z

Audit messages go to /var/log/audit/audit.log

Some messages may be in /var/log/messages

SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log

SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux – how do I use it? [root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

SELinux – Lessons 1: Try restorecon 2: getsebool and setsebool 3: audit2why or audit2allow

1: Try restorecon

2: getsebool and setsebool

3: audit2why or audit2allow

SELinux – Lessons 1: Try restorecon 2: getsebool and setsebool 3: audit2why or audit2allow unless you're working on a system daemon problem.

1: Try restorecon

2: getsebool and setsebool

3: audit2why or audit2allow

unless you're working on a system daemon problem.

SELinux – Lessons 1: Try restorecon 2: getsebool and setsebool 3: audit2why or audit2allow Much more, but it's not for every day.

1: Try restorecon

2: getsebool and setsebool

3: audit2why or audit2allow

Much more, but it's not for every day.

Questions?

Questions? Best effort only ☺

Best effort only ☺