How to live with SELinux

How to live with SELinux Bert Desmet – Fedora Ambassador

You can find me here
Kruishoutem, Belgium
www.bdesmet.be
www.devnox.be
www.fedoraproject.org/wiki/user:biertie
www.identi.ca/bdesmet
Irc: biertie @ Freenode / Quakenet
Mail: [email_address]
Google me for more
And if you have any questions, feel free to contact me..

What I do..
I am still a student ( [email_address] )
President CFK
Job hunting
Fedora
Fedora Ambassador
Designer of the T shirt
Organise some events
Start up projects: to many
Oh, and I love to party!

Table of contents
Introduction
Booleans and ports
Contexts and labels
Backing up and copying
Your own policies

What is SELinux?
Kernel based security system
Build by NSA
3 'functions'
MLS/MCS: multi level protection
RBAC: user privilege controls
TE: application isolation
Enabled by default on RH / Fedora

Why would I?
Good access control
Reduces vulnerability to attacks
Confined services

but
No antivirus
No firewall
....

keywords
Objects
Files, devices, users, processes, ...
Everything in the operating system
Context
Name for the object
Policy
Defines how objects interact

configuration
3 modes
Enforcing, Permissive, Disabled
2 types
Targeted, Strict
Permanent: edit /etc/selinux/config
Until next reboot: setenforce {0|1}
Only Permissive (0) or Enforcing (1)
Check running config with sestatus

Logging
SELinux denial messages
/var/log/audit/audit.log
Ausearch -m avc
If rsyslogd is running:
/var/log/messages

Managing booleans..
List all booleans
getsebool -a
semange boolean -l
Set a boolean
setsebool $boolean {on|off}
setsebool -P $boolean {on|off}

Managing ports
List services, ports they can use
semanage port -l
add a port
semange port -at $type -p {tcp|udp} #port
Delete a port
semange port -dt $type -p {tcp|udp} #port

SELinux contexts
ls -Z | ps Z | id -Z
unconfined_u:object_r:httpd_sys_content_t:s0
unconfined_u: user context for the object
object_r: role aspect for the context
httpd_sys_content_t: type
S0: level of security

Change context
Temporary
chcon -t $type ${file|dir}name
Persistent
semanage fcontext -a -t $type ${file|dir}name
Restore context
restorecon -v ${file|dir}name
semange fcontext -dv ${file|dir}name

Relabeling the fs
With reboot (preferred!)
touch /.autorelabel
reboot
Without reboot
fixfiles relabel
fixfiles -R $packagename restore

Mounting file systems
The mount command
mount server:/export /mount -t nfs -o context=”system_u:object_r:context_t:s0”
Mount /dev/sda2 /foo -o defcontext= “system_u:object_r:context_t:s0”
Works for multiple NFS mounts

Copying
cp doesn't save the context
Copy with context
Add the '--preserve=context' flag
Copy while changing context
cp -Z system_u:object_r:context_t:s0 $file

Moving
The mv command doesn't move context over different partitions
It does when you move on the same partition
Use cp command

Tarring
Tar doesn't contexts by default
Use --selinux flag
Untar an archive without extended attributes
Tar -xvf $archive | restorecon -f -

Troubles?
autit2allow
Gives you decent tips
matchpathcon -V $dir
Checks the context of a dir
semodule -DB
allow all denials to be logged

Creating policies
Grep for right error in the audit log
audit2allow -am $name > $name.te
-D flag

Applying policies
audit2allow -M $name
Semodule -i $name

So why do we enable it?
It's easy
It's secure

references
Fedora SELinux documentation
http://docs.fedoraproject.org
Dan Walsh
http://danwalsh.livejournal.com
Fedora SELinux team
#fedora-selinux @ freenode
Linux training
http://linux-training.be

Questions? E-mail: [email_address] Twitter: @biertie identi.ca: @bdesmet Web: http://bdesmet.be

How to live with SELinux

by Bert Desmet on Jul 08, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 1

Statistics

How to live with SELinux — Presentation Transcript