Slug 2009 06 SELinux For Sysadmins



In his previous talk, Paul talked about getting your system to work with SELinux. This involved setting the security on your files and directories so that they worked with SELinux. However, many people have customised their Linux installs and want SELinux to do what they say, not the other way around. Sysadmins in particular are not 'run of the mill' users, and they have different requirements to what typically comes out of the box. Situations such as serving web pages from NFS shares or non-standard directories, or installing applications in custom locations, need specialised configuration of SELinux in order to make it work with your needs.

This talk will deal with those situations. Fortunately for Sysadmins, much of the work in developing SELinux policies for Linux has focussed on their requirements. Paul will show you a few of the things behind
the scenes that make your job as a Sysadmin much easier and safer with SELinux.

Published in: Technology, News & Politics


  1. SELinux for Sysadmins
  2. SELinux for Sysadmins: Beyond 'restorecon'
  3-5. SELinux for Sysadmins
     - Principles for using SELinux, through real world examples
  6-11. Real world example 1: Share home directories through NFS
     [server]# cat /etc/exports
     /home 192.168.0.0/24(rw)
     [client]# cat /etc/fstab
     ...
     server:/home /home nfs soft 1 2
     ...
     [client]# mount /home
     Permission denied
  12-17. Is this a SELinux problem?
     - Check /var/log/audit/audit.log. A denial from SELinux is logged there as an AVC record that names the process (comm=), the source and target security contexts and the permission that was refused; if nothing of the kind is there, it is not SELinux.
       grep mount /var/log/audit/audit.log
  18-21. If it is a SELinux problem: first look for a boolean that already covers the case
     getsebool -a | grep home
     ftp_home_dir --> off
     httpd_enable_homedirs --> on
     openvpn_enable_homedirs --> off
     samba_create_home_dirs --> off
     samba_enable_home_dirs --> off
     spamd_enable_home_dirs --> on
     use_nfs_home_dirs --> off
     use_samba_home_dirs --> off
  22-25. Turn it on
     setsebool use_nfs_home_dirs on       (takes effect immediately, but is lost at the next reboot)
     setsebool -P use_nfs_home_dirs on    (-P also writes the value to the policy store, so it persists)
  26-33. Real world example 1, the three cases together
     - Share home directories through NFS
       setsebool -P use_nfs_home_dirs on
     - Share home directories through SaMBa
       setsebool -P use_samba_home_dirs on     (mount SaMBa home dirs on the client)
       setsebool -P samba_enable_home_dirs on  (share home dirs on the SaMBa server)
     - Share ~/public_html through Apache
       setsebool -P httpd_enable_homedirs on   (the boolean listed in the getsebool output above)
  34. SELinux for Sysadmins: Principles for using SELinux
     - Use booleans where possible
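The check-then-boolean routine of slides 12 to 25, as an added example that is not part of the talk: it pulls the AVC denials out of audit records, reduces each one to the source type, target type, object class and permission that decide what to do next, and prints the persistent setsebool -P fix for the cases the talk covers. The audit lines are constructed here so the script runs on a machine without SELinux; avc_summary, suggest_boolean and enable_boolean are names chosen for this example, and the type-to-boolean table inside suggest_boolean is a hand-maintained starting point, not anything policy itself provides.

```shell
#!/bin/sh
# Added example, not from the talk: triage AVC denials the way slides 12-25 do
# by hand. The audit records below are constructed; the field names (comm,
# scontext, tcontext, tclass) are the real ones used in audit.log.

# Two AVC denials plus one unrelated SYSCALL record, standing in for what
# /var/log/audit/audit.log holds after the failed "mount /home".
SAMPLE_AUDIT='type=AVC msg=audit(1244100000.123:45): avc:  denied  { read } for  pid=2107 comm="bash" name="/" dev=0:16 ino=2 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1244100000.123:45): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1244100000.456:46): avc:  denied  { search } for  pid=2107 comm="bash" name="home" dev=0:16 ino=2 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# avc_summary: read audit records on stdin and print one line per denial:
#   <comm> <source type> <target type> <class> <permission(s)>
# The type is the third colon-separated field of a context (user:role:type:level).
avc_summary() {
    awk '
        /type=AVC/ && /denied/ {
            perm = ""; comm = ""; src = ""; tgt = ""; cls = ""
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print comm, src, tgt, cls, perm
        }'
}

# suggest_boolean TYPE: map the target type of a denial to the boolean the talk
# uses for it. Hand-maintained and deliberately short; anything not listed here
# still needs "getsebool -a | grep <keyword>" and the matching *_selinux man page.
suggest_boolean() {
    case "$1" in
        nfs_t)  echo use_nfs_home_dirs ;;     # home directories on NFS (slide 25)
        cifs_t) echo use_samba_home_dirs ;;   # home directories on CIFS (slide 28)
        *)      echo "no-boolean-known:$1"; return 1 ;;
    esac
}

# enable_boolean NAME: the fix from slide 25. -P stores the value in the policy
# store so it survives a reboot; without -P it is gone at the next boot.
# With DRY_RUN=1, or when setsebool is not installed, the command is printed.
enable_boolean() {
    if [ -n "${DRY_RUN:-}" ] || ! command -v setsebool >/dev/null 2>&1; then
        echo "setsebool -P $1 on"
    else
        setsebool -P "$1" on
    fi
}

# Walk the sample: summarise the denials, then one fix per distinct target type.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
for tgt in $(printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | awk '{ print $3 }' | sort -u); do
    b=$(suggest_boolean "$tgt") && DRY_RUN=1 enable_boolean "$b"
done
```

On a real host, replace the embedded sample with `ausearch -m avc -ts recent` or the audit.log itself; the summary line is what the man page and `getsebool` output are searched with. After `setsebool -P`, rerun the failing operation and grep again: a second, different denial means the boolean was not the whole story.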
  35-36. Real world example 2: Sharing /data through SaMBa
     getsebool -a | grep samba
     samba_create_home_dirs --> off
     samba_domain_controller --> off
     samba_enable_home_dirs --> off
     samba_export_all_ro --> off
     samba_export_all_rw --> off
     samba_run_unconfined --> on
     samba_share_fusefs --> off
     samba_share_nfs --> off
     use_samba_home_dirs --> off
     virt_use_samba --> off
     No boolean fits: samba_export_all_ro and samba_export_all_rw would let smbd read (or write) every file on the machine, far more than /data. This one is a file context problem.
  37-41. SELinux for Sysadmins: File contexts
     [root@tachyon ~]# ls -laZ /var
     drwxr-xr-x  root root system_u:object_r:var_t:s0          .
     drwxr-xr-x  root root system_u:object_r:root_t:s0         ..
     drwxr-xr-x  root root system_u:object_r:acct_data_t:s0    account
     drwxr-xr-x  root root system_u:object_r:var_t:s0          cache
     drwxr-xr-x  root root system_u:object_r:cvs_data_t:s0     cvs
     drwxr-xr-x  root root system_u:object_r:var_t:s0          db
     drwxr-xr-x  root root system_u:object_r:var_t:s0          empty
     drwxr-xr-x  root root system_u:object_r:games_data_t:s0   games
     drwxrwx--T  root gdm  system_u:object_r:xserver_log_t:s0  gdm
     drwxr-xr-x  root root system_u:object_r:var_lib_t:s0      lib
     drwxr-xr-x  root root system_u:object_r:var_t:s0          local
     drwxrwxr-x  root lock system_u:object_r:var_lock_t:s0     lock
     drwxr-xr-x  root root system_u:object_r:var_log_t:s0      log
     lrwxrwxrwx  root root system_u:object_r:mail_spool_t:s0   mail
     drwxr-xr-x  root root system_u:object_r:var_t:s0          nis
     drwxr-xr-x  root root system_u:object_r:var_t:s0          opt
     drwxr-xr-x  root root system_u:object_r:var_t:s0          preserve
     ...
     - The type (the third field of the context, var_log_t and so on) specifies the context in which the file is to be used: policy grants each confined domain access to the types it needs and to nothing else, which is why smbd cannot read default_t.
     - Inherited like permissions: a new file or directory gets the type of its parent directory, unless policy defines a type transition for that domain and parent type.
  42-43. Real world example 2: Sharing /data through SaMBa
     [root@tachyon ~]# mkdir /data
     [root@tachyon ~]# ls -laZ /data
     drwxr-xr-x  root root unconfined_u:object_r:default_t:s0  .
     drwxr-xr-x  root root system_u:object_r:root_t:s0         ..
     [root@tachyon ~]# chcon -R -t samba_share_t /data
     [root@tachyon ~]# ls -laZ /data
     drwxr-xr-x  root root unconfined_u:object_r:samba_share_t:s0  .
     drwxr-xr-x  root root system_u:object_r:root_t:s0             ..
     chcon rewrites only the label stored on disk. The file context database, which restorecon and a full relabel apply, still maps /data to default_t, so the next restorecon over /data (or a relabel after touch /.autorelabel) silently puts default_t back and the share stops working. For a label that is meant to stay, record the rule in the database with semanage fcontext first and then let restorecon apply it.
  44-46. SELinux for Sysadmins: Principles for using SELinux
     - Use booleans where possible
     - Use the right file context
     - man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!
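Making the label from slide 43 persistent, as an added example that is not from the talk: the helpers fcontext_regex and label_share defined here turn a path into the regex form semanage fcontext expects, register the rule, and apply it with restorecon; check_label then reads the resulting context back from disk. With DRY_RUN=1, or on a box without semanage, the commands are printed instead of run, which is what the sample calls at the bottom do. The helper names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the talk: persistent file-context labelling for a
# share directory. Slide 43 uses chcon, which the next relabel undoes; the
# durable rule lives in the file context database edited with semanage.

# fcontext_regex DIR: the regex semanage fcontext expects, "/dir(/.*)?", with
# regex metacharacters in the path escaped. Without the escaping a rule for
# /srv/www.example.com would also match /srv/wwwXexample.com.
fcontext_regex() {
    fr_dir=${1%/}                                         # drop a trailing slash
    fr_esc=$(printf '%s' "$fr_dir" | sed -e 's/[.+?*()^$|[]/\\&/g')
    printf '%s(/.*)?\n' "$fr_esc"
}

# label_share DIR TYPE: record the rule, then run restorecon so the labels on
# disk match the database. -a fails if a rule for the same regex already
# exists, in which case -m modifies the existing one.
label_share() {
    ls_dir=${1%/}
    ls_type=$2
    ls_re=$(fcontext_regex "$ls_dir")
    if [ -n "${DRY_RUN:-}" ] || ! command -v semanage >/dev/null 2>&1; then
        echo "semanage fcontext -a -t $ls_type \"$ls_re\""
        echo "restorecon -Rv $ls_dir"
        return 0
    fi
    semanage fcontext -a -t "$ls_type" "$ls_re" 2>/dev/null \
        || semanage fcontext -m -t "$ls_type" "$ls_re"
    restorecon -Rv "$ls_dir"
}

# check_label PATH TYPE: verify what is actually on disk afterwards. GNU stat's
# %C prints the SELinux context; on a host without SELinux it prints "?", and
# on a missing path stat fails, so the function returns 2 in both cases.
check_label() {
    cl_ctx=$(stat -c %C "$1" 2>/dev/null) || return 2
    case "$cl_ctx" in
        '?') return 2 ;;
        *:"$2":*) return 0 ;;
        *) echo "unexpected context on $1: $cl_ctx" >&2; return 1 ;;
    esac
}

# Sample calls, in dry-run mode so they only show the commands.
DRY_RUN=1 label_share /data samba_share_t
DRY_RUN=1 label_share /srv/www.example.com/ httpd_sys_content_t
```

The order matters: semanage first, restorecon second. Doing chcon alone leaves the database disagreeing with the disk, and `matchpathcon /data` (or `semanage fcontext -l | grep '^/data'`) is the quick way to see which of the two a directory is following.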
  47-56. Real world example 3: Sharing /data with SaMBa and VSFTPD
     - Gotcha! Files can only have one security context, and /data is already samba_share_t.
     getsebool -a | grep ftp
     allow_ftpd_anon_write --> off
     allow_ftpd_full_access --> off
     allow_ftpd_use_cifs --> off
     allow_ftpd_use_nfs --> off
     ftp_home_dir --> off
     ftpd_connect_db --> off
     httpd_enable_ftp_server --> off
     tftp_anon_write --> off
     - allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server, i.e. files labelled cifs_t, not a local directory labelled samba_share_t. allow_ftpd_full_access would work, but it gives ftpd read/write access to every file on the system, governed only by DAC.
     - What to do?
  57-80. Generate a local policy module from the denials
     # setenforce 0
     # selinuxenabled && echo yes
     yes
     # run service, exercise functionality
     # setenforce 1
     # grep vsftpd /var/log/audit/audit.log | audit2allow -M vsftpd
     # ls vsftpd.*
     vsftpd.pp  vsftpd.te
     # cat vsftpd.te
     module vsftpd 1.0;

     require {
             type samba_share_t;
             type vsftpd_t;
             class dir { rename write search read remove_name getattr add_name };
             class file { rename setattr read lock create write getattr unlink };
     }

     #============= vsftpd_t ==============
     allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name };
     allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };
     # semodule -i vsftpd.pp
     Notes on the procedure:
     - setenforce takes 0/1 or Permissive/Enforcing, not off/on. Permissive mode keeps SELinux enabled, which is why selinuxenabled still succeeds: policy is still evaluated and every denial is still written to audit.log, it just is not enforced. That logging is what audit2allow reads.
     - Putting the whole machine in permissive mode while the service is exercised leaves every other domain unconfined for the same window. semanage permissive -a vsftpd_t makes only the vsftpd_t domain permissive (semanage permissive -d vsftpd_t reverts it), which is safer on a shared server.
     - audit2allow -M <name> writes both the type enforcement source (<name>.te) and the compiled package (<name>.pp). Read the .te before semodule -i: it allows everything that was denied during the test run, including denials that were unrelated to the feature being tested or that you would rather not grant.
     - Whether a custom module is the right fix depends on what /data is for. Policy already defines public_content_t (readable by ftpd, httpd, smbd and rsync) and public_content_rw_t (writable by them once the matching allow_*_anon_write booleans are on) precisely for a directory served by several daemons; labelling /data with one of those needs no module at all.
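Reviewing what audit2allow produced before loading it, as an added example that is not from the talk: the module text is a constructed copy of the one on slide 75; review_te flags every allow rule that grants a write-class permission, and read_only_te strips those permissions out for the case where ftpd should only ever read what smbd users put in /data. Both helpers and the WRITE_PERMS list are this example's own choices. A real review also asks, rule by rule, whether the denial came from the functionality being tested or from something unrelated that happened during the permissive window.

```shell
#!/bin/sh
# Added example, not from the talk: apply "policy must be conservative" to an
# audit2allow module before semodule -i. The .te below is a constructed copy of
# the slide's module so the script runs without SELinux. On a real host the
# safer equivalent of slides 57-79 is:
#   semanage permissive -a vsftpd_t          # only this domain, not setenforce 0
#   ... exercise the service ...
#   semanage permissive -d vsftpd_t
#   ausearch -m avc -c vsftpd | audit2allow -M vsftpd
#   sh this_script.sh < vsftpd.te             # then decide what to keep

SAMPLE_TE='module vsftpd 1.0;

require {
        type samba_share_t;
        type vsftpd_t;
        class dir { rename write search read remove_name getattr add_name };
        class file { rename setattr read lock create write getattr unlink };
}

#============= vsftpd_t ==============
allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name };
allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };'

# Permissions that change or remove data. A rule granting any of these needs a
# reason; one granting only read, getattr, search or lock usually does not.
WRITE_PERMS='write create unlink rename remove_name add_name setattr append'

# review_te: print every allow rule on stdin with a verdict in front of it:
#   RW <rule>  grants at least one write-class permission
#   RO <rule>  read-only
# Handles both "{ a b c }" lists and the single-permission form "... read;".
review_te() {
    awk -v wp="$WRITE_PERMS" '
        BEGIN { n = split(wp, w, " "); for (i = 1; i <= n; i++) isw[w[i]] = 1 }
        /^allow / {
            verdict = "RO"
            if (match($0, /[{][^}]*[}]/)) {
                np = split(substr($0, RSTART + 1, RLENGTH - 2), perms, " ")
                for (i = 1; i <= np; i++) if (perms[i] in isw) verdict = "RW"
            } else {
                p = $NF; sub(/;$/, "", p); if (p in isw) verdict = "RW"
            }
            print verdict, $0
        }'
}

# read_only_te: rewrite the module keeping only non-write permissions in each
# allow rule; a rule left with nothing is dropped. The require block is passed
# through unchanged (requiring a permission you no longer use is harmless).
read_only_te() {
    awk -v wp="$WRITE_PERMS" '
        BEGIN { n = split(wp, w, " "); for (i = 1; i <= n; i++) isw[w[i]] = 1 }
        /^allow / {
            split("", perms)
            if (match($0, /[{][^}]*[}]/)) {
                head = substr($0, 1, RSTART - 1)
                np = split(substr($0, RSTART + 1, RLENGTH - 2), perms, " ")
            } else {
                head = $0; sub(/[^ ]*$/, "", head)
                np = 1; perms[1] = $NF; sub(/;$/, "", perms[1])
            }
            keep = ""
            for (i = 1; i <= np; i++)
                if (!(perms[i] in isw)) keep = keep (keep == "" ? "" : " ") perms[i]
            if (keep != "") print head "{ " keep " };"
            next
        }
        { print }'
}

# Show the verdicts, then the trimmed module as it could be fed to checkmodule.
printf '%s\n' "$SAMPLE_TE" | review_te
printf '%s\n' "$SAMPLE_TE" | read_only_te
```

Once the .te has been trimmed it is rebuilt with `checkmodule -M -m -o vsftpd.mod vsftpd.te && semodule_package -o vsftpd.pp -m vsftpd.mod` and installed with `semodule -i vsftpd.pp`; if ftpd really is meant to write into the share, keep the RW rules but be able to say which upload or rename operation each one came from.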
  81-100. SELinux for Sysadmins: Principles for using SELinux
     - Use booleans where possible
     - Use the right file context
     - man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!
     - Create policy where necessary
     - Policy must be conservative: a module should grant the domain only the types and permissions the denials show it actually needs, nothing that happened to be logged alongside them
     - system-config-selinux (the graphical front end for booleans, file contexts and policy modules)
  101. Questions?