Slug 2009 06 SELinux For Sysadmins

    Slug 2009 06 SELinux For Sysadmins - Presentation Transcript

    Slides 1-4. SELinux for Sysadmins: Beyond 'restorecon'
      • Principles for using SELinux
      • Through real world examples
    Slides 5-7. Real world example 1
      • Share home directories through NFS
        • [server]# cat /etc/exports
          /home 192.168.0.0/24(rw,soft)
        • [client]# cat /etc/fstab
          ...
          server:/home /home nfs soft 1 2
          ...
        • [client]# mount /home
          Permission denied
    Slides 8-10. SELinux for Sysadmins
      • Share home directories through NFS
      • Is this a SELinux problem?
        • Check /var/log/audit/audit.log:
          grep mount /var/log/audit/audit.log
        • An AVC record (type=AVC ... avc: denied { ... } ... comm="mount" ...) for the failing process means SELinux denied it; if there is none, the problem is elsewhere (exports, fstab, name resolution). One caveat: permissions the policy silences with dontaudit rules leave no record at all; semodule -DB rebuilds the policy with those rules disabled while you test, and semodule -B puts them back.
    Slides 11-14. SELinux for Sysadmins
      • Share home directories through NFS
      • If it is a SELinux problem:
        • getsebool -a | grep home
          ftp_home_dir --> off
          httpd_enable_homedirs --> on
          openvpn_enable_homedirs --> off
          samba_create_home_dirs --> off
          samba_enable_home_dirs --> off
          spamd_enable_home_dirs --> on
          use_nfs_home_dirs --> off
          use_samba_home_dirs --> off
        • setsebool use_nfs_home_dirs on
          (takes effect immediately, but the value is lost at the next boot)
        • setsebool -P use_nfs_home_dirs on
          (-P also writes the value into the policy store, so it survives a reboot)
    Slides 15-20. Real world example 1
      • Share home directories through NFS
        • setsebool -P use_nfs_home_dirs on
      • Share home directories through SaMBa
        • setsebool -P use_samba_home_dirs on
          • Mount SaMBa home dirs on client
        • setsebool -P samba_enable_home_dirs on
          • Share home dirs on SaMBa server
      • Share ~/public_html through Apache
        • setsebool -P httpd_enable_homedirs on
          (this is the boolean's name in the getsebool output above; there is no apache_enable_homedirs)
    21. SELinux for Sysadmins
      • Principles for using SELinux
        • Use booleans where possible
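    The "is this a SELinux problem?" step of example 1, as an added shell example that is not part of the talk: it reads an audit.log, keeps only the AVC denial records and reduces each to the fields a sysadmin needs in order to choose between a boolean, a relabel and custom policy (comm, permission, source type, target type, object class). The log lines are constructed for the example and the function names (sample_audit_log, avc_denials, is_selinux_problem) are chosen here; the process names and types in the sample are illustrative, not a capture from a real system.

```shell
#!/bin/sh
# Added example, not from the talk: triage /var/log/audit/audit.log for
# AVC denials.  Needs only POSIX sh and awk; no SELinux required to run it.

# Constructed sample of an audit.log.  The two AVC records are illustrative:
# the first is the kind of denial behind "mount /home: Permission denied",
# the second the kind seen when smbd hits a directory still labelled default_t.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1244501234.567:112): arch=c000003e syscall=165 success=no exit=-13 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1244501234.567:112): avc:  denied  { search } for  pid=2745 comm="mount" name="/" dev=0:15 ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1244501301.010:118): avc:  denied  { read getattr } for  pid=2810 comm="smbd" name="data" dev=dm-0 ino=98337 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1244501305.000:119): user pid=2901 uid=81 auid=4294967295 msg='avc:  received policyload notice (seqno=3) : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=CRED_ACQ msg=audit(1244501310.000:120): user pid=2811 uid=0 auid=500 msg='PAM:setcred acct="root" : exe="/bin/su" res=success'
EOF
}

# Print one line per AVC denial: comm, permission(s), source type, target
# type, object class.  Reads the files given as arguments, or stdin.
avc_denials() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0
        sub(/.*denied +[{] */, "", perms)    # keep the text after "denied {"
        sub(/ *[}].*/, "", perms)            # ...and before the closing }
        comm = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print "comm=" comm " perm=" perms " source=" src " target=" tgt " class=" cls
    }' "$@"
}

# Exit 0 when the named program (the comm= field) has at least one denial,
# i.e. "yes, this one is an SELinux problem"; exit 1 otherwise.
is_selinux_problem() {
    prog=$1; shift
    avc_denials "$@" | grep -q "^comm=$prog "
}

# Stand-alone run: list the denials in the sample and answer the question
# for the mount command that the talk greps for.
sample_audit_log | avc_denials
if sample_audit_log | is_selinux_problem mount; then
    echo "mount: SELinux denial found, check booleans (getsebool -a | grep nfs)"
fi
```

    Reading the output is the actual triage: the mount line points at a target of type nfs_t, which is exactly what use_nfs_home_dirs is about, so a boolean is the fix; the smbd line points at default_t, a labelling problem (example 2), which no boolean will cure. On a real system, feed it `avc_denials /var/log/audit/audit.log` or the output of `ausearch -m avc`.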
    Slides 22-23. Real world example 2
      • Sharing /data through SaMBa
        • getsebool -a | grep samba
          samba_create_home_dirs --> off
          samba_domain_controller --> off
          samba_enable_home_dirs --> off
          samba_export_all_ro --> off
          samba_export_all_rw --> off
          samba_run_unconfined --> on
          samba_share_fusefs --> off
          samba_share_nfs --> off
          use_samba_home_dirs --> off
          virt_use_samba --> off
        • No boolean covers an arbitrary directory such as /data. samba_export_all_ro/rw would make it work, but they let smbd read (or write) every file on the system, far more than one share needs, so the right tool here is the file context.
    Slides 24-27. SELinux for Sysadmins
      • File contexts
      [root@tachyon ~]# ls -laZ /var
      drwxr-xr-x root root system_u:object_r:var_t:s0          .
      drwxr-xr-x root root system_u:object_r:root_t:s0         ..
      drwxr-xr-x root root system_u:object_r:acct_data_t:s0    account
      drwxr-xr-x root root system_u:object_r:var_t:s0          cache
      drwxr-xr-x root root system_u:object_r:cvs_data_t:s0     cvs
      drwxr-xr-x root root system_u:object_r:var_t:s0          db
      drwxr-xr-x root root system_u:object_r:var_t:s0          empty
      drwxr-xr-x root root system_u:object_r:games_data_t:s0   games
      drwxrwx--T root gdm  system_u:object_r:xserver_log_t:s0  gdm
      drwxr-xr-x root root system_u:object_r:var_lib_t:s0      lib
      drwxr-xr-x root root system_u:object_r:var_t:s0          local
      drwxrwxr-x root lock system_u:object_r:var_lock_t:s0     lock
      drwxr-xr-x root root system_u:object_r:var_log_t:s0      log
      lrwxrwxrwx root root system_u:object_r:mail_spool_t:s0   mail
      drwxr-xr-x root root system_u:object_r:var_t:s0          nis
      drwxr-xr-x root root system_u:object_r:var_t:s0          opt
      drwxr-xr-x root root system_u:object_r:var_t:s0          preserve
      ...
        • A context is user:role:type:level. For files the type (var_t, var_log_t, mail_spool_t, ...) is the part the policy rules refer to: it specifies the context in which the file is to be used, i.e. which domains may read, write or execute it.
        • Inherited like permissions: a new file or directory gets the type of the directory it is created in, unless a type_transition rule in the policy says otherwise (the reason a fresh top-level /data comes out as default_t rather than root_t on the next slide).
    Slides 28-29. Real world example 2
      • Sharing /data through SaMBa
      [root@tachyon ~]# mkdir /data
      [root@tachyon ~]# ls -laZ /data
      drwxr-xr-x root root unconfined_u:object_r:default_t:s0 .
      drwxr-xr-x root root system_u:object_r:root_t:s0 ..
      [root@tachyon ~]# chcon -R -t samba_share_t /data
      [root@tachyon ~]# ls -laZ /data
      drwxr-xr-x root root unconfined_u:object_r:samba_share_t:s0 .
      drwxr-xr-x root root system_u:object_r:root_t:s0 ..
        • chcon changes only the label stored on the inode. A relabel (restorecon, fixfiles, or a boot after touch /.autorelabel) resets it to whatever the file-context specs say, which for /data is default_t again. To make the share survive that, record the spec and then apply it:
          semanage fcontext -a -t samba_share_t "/data(/.*)?"
          restorecon -R /data
    30. SELinux for Sysadmins
      • Principles for using SELinux
        • Use booleans where possible
        • Use the right file context
        • man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!
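    What restorecon (and a full relabel) puts back is decided by the file-context specs, not by chcon. The added example below, which is not from the talk, reproduces that lookup over a small constructed spec table: each line is a regex, an optional file-type flag as in the real file_contexts, and a context, and the last matching line wins, so a local customisation added with semanage fcontext (kept in file_contexts.local and consulted after the distribution's specs) overrides the catch-all /.* entry that gives a fresh /data the default_t seen on slide 28. The spec table, the FC and FC_LOCAL files and the default_context/default_type functions are constructed here; the real file_contexts is far longer and is compiled into a binary form, but the precedence rule is the same.

```shell
#!/bin/sh
# Added example, not from the talk: emulate the lookup behind restorecon and
# matchpathcon over a constructed, abbreviated file_contexts-style table.

# Constructed stand-in for the distribution's file_contexts.
# Format as in the real file: <regex> [<type flag such as -- or -d>] <context>.
FC=$(mktemp)
cat >"$FC" <<'EOF'
/.*                         system_u:object_r:default_t:s0
/var(/.*)?                  system_u:object_r:var_t:s0
/var/log(/.*)?              system_u:object_r:var_log_t:s0
/home/[^/]+/.+              system_u:object_r:user_home_t:s0
/root(/.*)?          -d     system_u:object_r:admin_home_t:s0
EOF

# Constructed stand-in for file_contexts.local after
#   semanage fcontext -a -t samba_share_t "/data(/.*)?"
FC_LOCAL=$(mktemp)
cat >"$FC_LOCAL" <<'EOF'
/data(/.*)?                 system_u:object_r:samba_share_t:s0
EOF
trap 'rm -f "$FC" "$FC_LOCAL"' EXIT

# default_context PATH SPECFILE...: print the context the specs assign to
# PATH.  Files are read in order and the LAST matching line wins, so a later
# file (the local customisations) overrides an earlier one.
default_context() {
    path=$1; shift
    awk -v path="$path" '
        NF >= 2 && $1 !~ /^#/ {
            if (path ~ ("^" $1 "$")) ctx = $NF   # $NF skips the optional type flag
        }
        END { print (ctx == "" ? "<<none>>" : ctx) }' "$@"
}

# default_type PATH SPECFILE...: only the type field, which is what chcon -t
# and the allow rules in policy talk about.
default_type() {
    default_context "$@" | awk -F: '{ print $3 }'
}

# Stand-alone run: why a fresh /data relabels to default_t, and what the
# local spec changes.
echo "/data without local spec : $(default_type /data "$FC")"
echo "/data with local spec    : $(default_type /data "$FC" "$FC_LOCAL")"
echo "/data/share/file.txt     : $(default_type /data/share/file.txt "$FC" "$FC_LOCAL")"
echo "/var/log/messages        : $(default_type /var/log/messages "$FC")"
```

    On a real system the same answer comes from `matchpathcon /data`; after the semanage fcontext command, `restorecon -Rv /data` applies it and prints each label it changes, and `semanage fcontext -l | grep /data` shows the stored spec.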
    Slides 31-36. Real world example 3
      • Sharing /data with SaMBa and VSFTPD
        • Gotcha!
        • Files can only have one security context!
        • getsebool -a | grep ftp
          allow_ftpd_anon_write --> off
          allow_ftpd_full_access --> off
          allow_ftpd_use_cifs --> off
          allow_ftpd_use_nfs --> off
          ftp_home_dir --> off
          ftpd_connect_db --> off
          httpd_enable_ftp_server --> off
          tftp_anon_write --> off
        • allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server (files of type cifs_t), not a local directory labelled samba_share_t!
        • allow_ftpd_full_access would work, but it lets ftpd read and write every file on the system, which defeats the point of confining it.
        • What to do?
    Slides 37-44. Real world example 3
      • # setenforce 0
        (setenforce takes 0/1 or Permissive/Enforcing; 'off' is not accepted. 0 switches to permissive mode: SELinux stays enabled and still writes every denial to audit.log, it just stops refusing the operations, which is what makes the following steps work)
      • # getenforce
        Permissive
        (selinuxenabled cannot be used for this check: it exits 0 in both enforcing and permissive mode)
      • # run service, exercise functionality
        (exercise only what the service is meant to do; everything it gets away with in permissive mode ends up in the generated policy)
      • # setenforce 1
      • # grep vsftpd /var/log/audit/audit.log | audit2allow -M vsftpd
        (-M NAME writes NAME.te and builds NAME.pp; -m NAME only prints the .te to stdout, so the two are alternatives rather than a pair. ausearch -c vsftpd selects the same records more precisely than grep)
      • # ls vsftpd.*
        vsftpd.pp vsftpd.te
      • # cat vsftpd.te
        module vsftpd 1.0;

        require {
            type samba_share_t;
            type vsftpd_t;
            class dir { rename write search read remove_name getattr add_name };
            class file { rename setattr read lock create write getattr unlink };
        }

        #============= vsftpd_t ==============
        allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name };
        allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };
      • # semodule -i vsftpd.pp
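    The review step between audit2allow and semodule -i, as an added shell example that is not from the talk: it lists every allow rule in a generated .te and tags the ones that let the source domain change the target (write, create, unlink, rename, setattr and friends), which are the rules a human has to justify before installing the module. The .te content is the vsftpd.te shown above plus one constructed read-only rule on a symlink so that an untagged rule appears; the review_te function and its output format are chosen here.

```shell
#!/bin/sh
# Added example, not from the talk: review an audit2allow-generated .te
# before installing it.  Needs only POSIX sh and awk.

# The vsftpd.te from the talk (slide 43), plus one constructed read-only
# rule on a symlink so that an unflagged rule shows up in the output.
TE=$(mktemp)
trap 'rm -f "$TE"' EXIT
cat >"$TE" <<'EOF'
module vsftpd 1.0;

require {
        type samba_share_t;
        type vsftpd_t;
        class dir { rename write search read remove_name getattr add_name };
        class file { rename setattr read lock create write getattr unlink };
        class lnk_file read;
}

#============= vsftpd_t ==============
allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name };
allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };
allow vsftpd_t samba_share_t:lnk_file read;
EOF

# review_te FILE: one line per allow rule, tagged REVIEW when any permission
# lets the source domain modify the target (write, create, unlink, rename,
# setattr, add_name, remove_name, link, append, relabel*), ok otherwise,
# followed by a summary line "rules=N flagged=M".
review_te() {
    awk '
    /^allow / {
        gsub(/[{};:]/, " ")          # "allow SRC TGT CLASS PERM..." as plain fields
        src = $2; tgt = $3; cls = $4
        risky = ""
        for (i = 5; i <= NF; i++)
            if ($i ~ /^(write|create|unlink|rename|setattr|add_name|remove_name|link|append|relabelfrom|relabelto)$/)
                risky = risky " " $i
        rules++
        if (risky != "") { flagged++; tag = "REVIEW" } else tag = "ok"
        printf "%s allow %s -> %s:%s [%s ]\n", tag, src, tgt, cls, risky
    }
    END { printf "rules=%d flagged=%d\n", rules, flagged }' "$1"
}

# Stand-alone run.  Install only once every REVIEW line is understood:
#   semodule -i vsftpd.pp      (semodule -r vsftpd backs it out again)
review_te "$TE"
```

    For this module both REVIEW lines are expected: an FTP upload area must create, write and delete files. The check earns its keep when a rule shows up that the service has no business needing, for example a write rule on a type the service should only read, which usually means something other than the intended functionality was exercised while in permissive mode.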
    Slides 45-48. SELinux for Sysadmins
      • Principles for using SELinux
        • Use booleans where possible
        • Use the right file context
        • man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!
          (for the "one tree, several services" case of example 3, those pages describe public_content_t and public_content_rw_t, types that smbd and ftpd may both use, with allow_ftpd_anon_write and allow_smbd_anon_write governing writes; that often avoids custom policy altogether)
        • Create policy where necessary
        • Policy must be conservative
          (read the generated .te before semodule -i: audit2allow turns every logged denial into an allow rule, including anything the service did in permissive mode that it should not have; semodule -r vsftpd removes the module again if it turns out too broad)
        • system-config-selinux
    Slide 49. Questions?

    PaulWay, 4 months ago

    In his previous talk, Paul talked about getting you more

    © All Rights Reserved
