How to live with SELinux


Published on

Presentation I gave for the people at whitespace, Ghent.

Published in: Technology
Notes for slides:
  • MLS: Multi-Level Security; RBAC: Role-Based Access Control; TE: Type Enforcement. MAC (mandatory access control) vs. DAC (discretionary access control): MAC adds extra control over processes and users (which files x or y may change).
  • Good access control, unlike the DAC of a normal Linux system: an SELinux user has a user, role, type and level, while a Linux user only has a user id and a group id. Reduces vulnerability to attacks through access control: intruders can only access the files the software (like httpd) really needs. Confined servers: SELinux can confine services and daemons so that they are more predictable and are only allowed the access required for their normal operation.
  • Independent from the normal Linux ownership model.
  • /var/log/messages is more readable, but rsyslogd is not always running: chkconfig --level 2345 rsyslogd on
  • Booleans: changed at runtime, no policy writing.
  • Predefined policies. The semanage boolean command doesn't work yet on RH/CentOS 5.x. The -P flag makes a boolean persistent over reboots.
  • An identity is authorized for a specific set of roles and an MLS range: semanage login -l. Each Linux user is mapped to an SELinux user. The role is part of the RBAC model. The type is an attribute of type enforcement: it defines a domain for processes and a type for files. The level is the attribute for MLS. A process in unconfined_t is not checked (in the targeted policy).
  • chcon -t httpd_sys_content_t /web: use the full path of the file/dir. restorecon only undoes chcon changes: semanage fcontext adds a rule to file_contexts.local, chcon doesn't. After semanage fcontext -d, run restorecon again.
  • fixfiles relabel can make the system unstable; fixfiles -R relies on the rpm database.
  • NFS mounts get the standard type nfs_t, and context changes to files on the mount won't work: chcon gives "Operation not supported". The /dev/sda2 example assumes there are no rules that define a context for /foo/; files keep their context when changed. Make the option persistent in fstab.
  • If you copy a file over an existing file, the original context is preserved.
  • matchpathcon: get the default security context for the specified path from the file contexts configuration. semodule -D disables dontaudit rules, -B rebuilds the policy; run semodule -B again after debugging.
  • cat $name.te
  • semodule: import the module
  • How to live with SELinux

    1. How to live with SELinux. Bert Desmet, Fedora Ambassador
    2. You can find me here
      • Kruishoutem, Belgium
      • IRC: biertie @ Freenode / Quakenet
      • Mail: [email_address]
      • Google me for more
      And if you have any questions, feel free to contact me.
    3. What I do
      • I am still a student ( [email_address] )
        • President CFK
      • Job hunting
      • Fedora
        • Fedora Ambassador
        • Designer of the T-shirt
        • Organise some events
      • Start-up projects: too many
      Oh, and I love to party!
    4. How to live with SELinux
    5. Table of contents
      • Introduction
      • Booleans and ports
      • Contexts and labels
      • Backing up and copying
      • Your own policies
    6. What is SELinux?
      • Kernel-based security system
      • Built by the NSA
      • 3 'functions'
        • MLS/MCS: multi-level protection
        • RBAC: user privilege controls
        • TE: application isolation
      • Enabled by default on RH / Fedora
    7. Why would I?
      • Good access control
      • Reduces vulnerability to attacks
      • Confined services
    8. But
      • No antivirus
      • No firewall
      • ...
    9. Keywords
      • Objects
        • Files, devices, users, processes, ...
        • Everything in the operating system
      • Context
        • Name for the object
      • Policy
        • Defines how objects interact
    10. Configuration
      • 3 modes
        • Enforcing, Permissive, Disabled
      • 2 types
        • Targeted, Strict
      • Permanent: edit /etc/selinux/config
      • Until next reboot: setenforce {0|1}
        • Only Permissive (0) or Enforcing (1)
      • Check the running config with sestatus
    11. Logging
      • SELinux denial messages
        • /var/log/audit/audit.log
        • ausearch -m avc
      • If rsyslogd is running:
        • /var/log/messages
    12. Managing booleans
      • List all booleans
        • getsebool -a
        • semanage boolean -l
      • Set a boolean
        • setsebool $boolean {on|off}
        • setsebool -P $boolean {on|off} (persistent over reboots)
    13. Managing ports
      • List services and the ports they may use
        • semanage port -l
      • Add a port
        • semanage port -a -t $type -p {tcp|udp} $port
      • Delete a port
        • semanage port -d -t $type -p {tcp|udp} $port
    14. SELinux contexts
      • ls -Z | ps -Z | id -Z
        • unconfined_u:object_r:httpd_sys_content_t:s0
          • unconfined_u: user context for the object
          • object_r: role aspect for the context
          • httpd_sys_content_t: type
          • s0: level of security
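The contexts slide explains the four fields and the logging slide says where the denials land; the step in between, reading a denial and deciding which tool to reach for, is what the following added example shows. It is not from the deck: the three `audit.log` lines are constructed samples, and the hints in `avc_hint` encode the order the talk itself recommends (labels and ports and booleans before a custom module).

```shell
#!/bin/sh
# Added example (not from the slides): parse SELinux contexts and AVC denial
# lines as found in /var/log/audit/audit.log. The audit lines below are
# constructed samples, not output of a real system.

SAMPLE_AUDIT='type=AVC msg=audit(1296663700.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda2 ino=56789 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1296663701.456:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/bert/web/index.html" dev=sda2 ino=56789 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1296663702.789:47): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# ctx_field CONTEXT N: field N of a context, 1=user 2=role 3=type 4=level.
# The level is "field 4 to the end" because an MLS range such as
# s0-s0:c0.c1023 itself contains a colon.
ctx_field() {
    if [ "$2" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$2"
    fi
}

# avc_field LINE KEY: value of " KEY=value" in an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms LINE: the permissions inside "denied { ... }", e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p' | sed 's/ *$//'
}

# avc_summary LINE: "comm source_type -> target_type class { perms }"
avc_summary() {
    printf '%s %s -> %s %s { %s }\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_field "$(avc_field "$1" scontext)" 3)" \
        "$(ctx_field "$(avc_field "$1" tcontext)" 3)" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_hint LINE: which tool from the deck to try first. A custom policy
# module is the last resort, after labels, ports and booleans are ruled out.
avc_hint() {
    case "$(avc_field "$1" tclass)/$(avc_perms "$1")" in
        tcp_socket/name_bind|udp_socket/name_bind)
            echo "port label: check semanage port -l for $(avc_field "$1" src)" ;;
        file/*|dir/*|lnk_file/*)
            echo "file label: matchpathcon -V the path, then restorecon or semanage fcontext" ;;
        *)
            echo "check booleans (getsebool -a) before audit2allow" ;;
    esac
}

# avc_report TEXT: one line per distinct denial, with a count and a hint.
avc_report() {
    printf '%s\n' "$1" | grep '^type=AVC' | while IFS= read -r line; do
        printf '%s\t%s\n' "$(avc_summary "$line")" "$(avc_hint "$line")"
    done | sort | uniq -c | sed 's/^ *//'
}

avc_report "$SAMPLE_AUDIT"
```

On a live system you would feed it `ausearch -m avc` output instead of the sample: `avc_report "$(ausearch -m avc -ts today 2>/dev/null)"`. Note the `cut -f4-` for the level field: splitting a context on every colon is the classic mistake, because MLS/MCS ranges contain a colon of their own.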
    15. Change context
      • Temporary
        • chcon -t $type ${file|dir}name
      • Persistent
        • semanage fcontext -a -t $type ${file|dir}name (then run restorecon to apply it)
      • Restore context
        • restorecon -v ${file|dir}name
        • semanage fcontext -dv ${file|dir}name
    16. Relabeling the fs
      • With reboot (preferred!)
        • touch /.autorelabel
        • reboot
      • Without reboot
        • fixfiles relabel
        • fixfiles -R $packagename restore
    17. Mounting file systems
      • The mount command
        • mount server:/export /mount -t nfs -o context="system_u:object_r:context_t:s0"
        • mount /dev/sda2 /foo -o defcontext="system_u:object_r:context_t:s0"
      • Works for multiple NFS mounts
    18. Copying
      • cp doesn't save the context
      • Copy with context
        • Add the '--preserve=context' flag
      • Copy while changing context
        • cp -Z system_u:object_r:context_t:s0 $file (newer coreutils: cp --context=system_u:object_r:context_t:s0 $file)
    19. Moving
      • The mv command doesn't move the context over different partitions
      • It does when you move on the same partition
      • Use the cp command
    20. Tarring
      • tar doesn't store contexts by default
        • Use the --selinux flag
      • Untar an archive without extended attributes
        • tar -xvf $archive | restorecon -f -
    21. Troubles?
      • audit2allow
        • Gives you decent tips
      • matchpathcon -V $dir
        • Checks the context of a dir
      • semodule -DB
        • Allow all denials to be logged
    22. Creating policies
      • Grep for the right error in the audit log
      • audit2allow -a -m $name > $name.te
      • -D flag
    23. Applying policies
      • audit2allow -M $name
      • semodule -i $name.pp
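The deck says to `cat $name.te` before importing the module, and that step deserves more than a glance: audit2allow happily turns every denial it sees into an allow rule. The following added example, not from the deck, reviews a generated `.te` before it is built and installed. The module text is a constructed sample of what `audit2allow -a -M myweb` might produce; the rule parsing and the warning heuristics are mine, and `te_install` uses the standard `checkmodule` / `semodule_package` / `semodule -i` build steps, only when the tools are present and the review raised no warning.

```shell
#!/bin/sh
# Added example (not from the slides): review the allow rules of an
# audit2allow-generated .te file before installing the module. The module
# text below is a constructed sample, not a real generated file.

SAMPLE_TE='module myweb 1.0;

require {
        type httpd_t;
        type user_home_t;
        type unreserved_port_t;
        class file { read getattr open write };
        class tcp_socket name_bind;
}

#============= httpd_t ==============
allow httpd_t user_home_t:file { read getattr open write };
allow httpd_t unreserved_port_t:tcp_socket name_bind;'

# te_rules TEXT: one normalised line per allow rule:
# "source target class perm1,perm2,..."
te_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*allow[ \t]/ {
            sub(/;.*$/, "")                 # drop the terminator
            sub(/^[ \t]*allow[ \t]+/, "")   # drop the keyword
            gsub(/[{}]/, " ")               # "{ a b }" -> " a b "
            $0 = $0                         # re-split into fields
            split($2, tc, ":")              # target:class
            perms = ""
            for (i = 3; i <= NF; i++) perms = perms (i > 3 ? "," : "") $i
            print $1, tc[1], tc[2], perms
        }'
}

# te_review TEXT: print "ok" or "WARN" per rule. Permissions that let the
# domain modify or execute something, and rules aimed at home-directory
# types, usually mean a wrong label or a boolean rather than missing policy.
te_review() {
    te_rules "$1" | while read -r src tgt cls perms; do
        note=""
        case ",$perms," in
            *,write,*|*,append,*|*,create,*|*,unlink,*|*,rename,*|*,setattr,*|*,relabel*|*,exec*|*,transition,*|*,entrypoint,*)
                note="grants modification or execution, verify this is intended" ;;
        esac
        case "$tgt" in
            *_home_t|*_home_dir_t)
                note="${note:+$note; }home-directory target, fix the file context or look for a *_enable_homedirs boolean first" ;;
        esac
        if [ -n "$note" ]; then
            printf 'WARN %s -> %s:%s { %s }: %s\n' "$src" "$tgt" "$cls" "$perms" "$note"
        else
            printf 'ok   %s -> %s:%s { %s }\n' "$src" "$tgt" "$cls" "$perms"
        fi
    done
}

# te_install NAME: build and install NAME.te only when te_review raises no
# warning and the SELinux tools are installed.
te_install() {
    if te_review "$(cat "$1.te")" | grep -q '^WARN'; then
        echo "$1.te has warnings; edit it and review again" >&2
        return 1
    fi
    command -v checkmodule >/dev/null 2>&1 || { echo "SELinux tools not installed" >&2; return 1; }
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

te_review "$SAMPLE_TE"
```

Run against the sample, the `name_bind` rule comes back `ok` (a port label is still the cleaner fix, as the ports slide shows) while the `user_home_t` rule is flagged twice: it grants `write`, and httpd wanting home-directory content is the textbook case for relabelling the content or flipping a boolean instead of widening the policy.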
    24. So why do we enable it?
      • It's easy
      • It's secure
    25. References
      • Fedora SELinux documentation
      • Dan Walsh
      • Fedora SELinux team
        • #fedora-selinux @ freenode
      • Linux training
    26. Questions? E-mail: [email_address] Twitter: @biertie @bdesmet Web: