SlideShare a Scribd company logo

MR201406 A Re-introduction to SELinux

FFRI, Inc.
FFRI, Inc.

• Each SELinux access control model is simple, but actually access control is more complex • Red Hat puts a lot of effort into SELinux, policy and utils for SELinux usability – Enlarging default policy modules – Encouraging Policy module system – Analyzing and generating policies from access violation log

TechnologyBusiness
1 of 40
Download to read offline
FFRI,Inc. 1 Monthly Research A Re-Introduction to SELinux FFRI, Inc http://www.ffri.jp Ver 2.00.01
FFRI,Inc. Why a Re-Introduction? • SELinux applies virtualization, container isolation and Android recently • However, many server engineers have disabled SELinux up to now • We needs relearning SELinux for new fields 2 It means “disable”
FFRI,Inc. 3 Agenda • SELinux Overview • SELinux Access Control Model – Type Enforcement (TE) – Role-based Access Control (RBAC) – Multi-level Security (MLS) / Multi-category Security (MCS) • SELinux Security Policy – Strict Policy (deprecated) – Targeted Policy – Minimum Policy – MLS/MCS Policy
FFRI,Inc. SELinux Overview A Re-Introduction to SELinux 4
FFRI,Inc. What is SELinux? • SELinux is a security extension for Linux kernel – Developed by NSA – Policy processing based on FLASK architecture – One of Linux security module implementation • SELinux aims military level security • Reference monitor(=linux kernel) forces restriction of application behavior • Demolish root privilege for the principle of least privilege 5
FFRI,Inc. MAC: Mandatory Access Control • Giving SELinux context to all resources • Linux security module hooks can mediate system calls completely • SELinux cannot force application-internal access control – However, several application embedded SELinux hook into itself • X Window System (XACE) • PostgreSQL (SE-PostgreSQL) • Systemd • D-Bus 6
FFRI,Inc. Benefits • Fine-grained(Process-level) access control • Strong isolation • Abolish root privilege 7 Web Server Mail Server System Service Kernel SELinux Hijacked by attacker Attacker cannot access others
FFRI,Inc. SELinux is not • Antivirus software • Intrusion detection • Memory protection 8
FFRI,Inc. SELinux Access Control Models A Re-Introduction to SELinux 9
FFRI,Inc. SELinux Access Control Models • TE: Type Enforcement • RBAC: Role-based Access Control • MLS/MCS: Multi-level Security/Multi-category Security 10
FFRI,Inc. Type Enforcement • The type defines a type for files • The domain defines a type for processes • The rule defines permission between domain and type 11 Domain (Process) Type (Execution File) Type (File) Type (File) Permission Rule1 Permission Rule2 Transition Rule1
FFRI,Inc. Domain transition • Child process inherits SELinux context from parent process normally when process forked 12 Parent Process Execution File Child Process fork() Parent_tParent_t Child_exec_t
FFRI,Inc. Domain transition • SELinux supports process domain transition when process execution using type of execution file 13 Parent Process Execution File Child Process Exec() fork() child_tParent_t Child_exec_t
FFRI,Inc. Example1: myapp.te 14 # Type definition type myapp_t; type myapp_exec_t; #Declaring myapp_t domain_type(myapp_t) #Assigning myapp_t when process executes from myapp_exec_t file domain_entry_file(myapp_t, myapp_exec_t) #Type definition type myapp_log_t #Declaring interface logging_log_file(myapp_log_t) #myapp_t domain can read and append for myapp_log_t files allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
FFRI,Inc. Describing Rule of Type Enforcement • SELinux TE rule declaration is primitive – SELinux prepare some expressive macros, but… • Strictness policy description is composed by huge TE rules – It is difficult to understand for user (incl. security administrator) 15
FFRI,Inc. SELinux Policy Module • SELinux TE rule modularization system • Can load each policy modules – Can defines interfaces of the module – Reusable utilities for security administrator 16 See also: “Getting Started with Reference Policy” http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted
FFRI,Inc. RBAC (Role-based Access Control) • A user is assigned to some roles • Role is granted some permissions 17 Role2Role1 User3User2 Rules Rules User1 RBAC Policy
FFRI,Inc. SELinux Users and roles • SELinux maps Linux users on SELinux users – Moreover, maps SELinux users on SELinux roles – Because Linux user controls under discretionary access control its not mandatory 18 Role1 Linux User1 SELinux User1 Major Linux users: ・user1 ・root SELinux users: ・user_u ・root ・staff_u ・system_u ・sysadm_u ・unconfined_u Major roles: ・user_r ・staff_r ・system_r ・sysadm_r ・unconfined_r
FFRI,Inc. MLS/MCS (Multi-Level/Category Security) • Multi level security is an access control using security level and category – Security level based on a rank of organization(like army) – Isolating access from other category 19 Category0(c0) Category1(c1) Security level3(s3) Security level2(s2) Security level1(s1) Security level0(s0) Security level3(s3) Security level2(s2) Security level1(s1) Security level0(s0) Category Security level MLS = Security level × Category
FFRI,Inc. Bell-LaPadula Model • Mathematical model of Multi level security – Main interests is information leakage prevention • Users cannot read information from upper rank document – Users can write report to upper rank document • User can read information from lower rank document – Users cannot write report to lower rank document 20 Security level3(s3) Security level2(s2) Security level1(s1) Security level0(s0) Users can write to upper(incl. same) rank document only Users can read from lower(incl. same) rank document only
FFRI,Inc. Access Control using MLS/MCS • Assigning default security level and category for all resources – In addition, users are assigned clearance • MLS permissions follows in Bell-LaPadula Models • Different category access requires clearance 21 S0 - s0:c0.c1023 Default security level & category clearance MLS Contexts
FFRI,Inc. File contexts(SELinux Contexts on Files) • A file context enumerates the mapping between resource and SELinux context • File contexts are stored xattr(or xattr like file system extension) by labeling scripts – SELinux requires labeling before enforcing access control 22 /bin/systemd - system_u : object_r : init_exec_t : s0 MLS/MCS Security level TE: TypeSELinux User RBAC: RoleTarget
FFRI,Inc. SELinux Modes • SELinux has three modes – Enforcing: Enabling SELinux access control – Permissive: Policy check only – Disabled: SELinux disabled • Checking SELinux status on your host: – Run sestatus command • If you want change the SELinux mode on boot time: – Edit SELINUX=enforcing/permissive in /etc/selinux/config 23
FFRI,Inc. sestatus • Show current SELinux configurations 24 # sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 29
FFRI,Inc. See Also: stopdisablingselinux.com 25
FFRI,Inc. SELinux Security Policy A Re-Introduction to SELinux 26
FFRI,Inc. Current SELinux Security Policies • Type Enforcement(+RBAC) – Strict (deprecated) – Targeted – Minimum 27 • Multi Level/Category Security – MLS – MCS Default policy is Targeted + MCS on Fedora, RHEL and RHEL-based distributions
FFRI,Inc. Strict policy (deprecated) • Restrict all processes completely – Using both TE and RBAC policies • NSA and Red Hat encouraged strongly – However, SELinux operation cost is unsuitable for the security • Everybody thought that SELinux operation using strict policy is impracticable – Red Hat integrates a part of strict policy into targeted policy 28 “SELinux designed to be a strict policy.” – Dan Walsh (2005)
FFRI,Inc. Targeted Policy • Restrict some process – Only Internet server(httpd, named…) and network service – Preparing against privilege escalation • Permit to run unconfined_t type/domain with no limitation – Ex. Login shell execute with unconfined_t domain • In Fedora20, Red Hat prepared a lot of predefined policy modules – If you want to enforce with strict like policy, remove unconfined_t, unconfined_r • Ref. http://danwalsh.livejournal.com/27885.html 29
FFRI,Inc. Predefined Policy Modules in Targeted Policy on Fedora20 30 abrt.pp, accountsd.pp, acct.pp, afs.pp, aiccu.pp, aide.pp, ajaxterm.pp, alsa.pp, amanda.pp, amtu.pp, anaconda.pp, antivirus.pp, apache.pp, apcupsd.pp, apm.pp, application.pp, arpwatch.pp, asterisk.pp, auditadm.pp, authconfig.pp, authlogin.pp, automount.pp, avahi.pp, awstats.pp, bacula.pp, bcfg2.pp, bind.pp, bitlbee.pp, blueman.pp, bluetooth.pp, boinc.pp, bootloader.pp, brctl.pp, bugzilla.pp, bumblebee.pp, cachefilesd.pp, calamaris.pp, callweaver.pp, canna.pp, ccs.pp, cdrecord.pp, certmaster.pp, certmonger.pp, certwatch.pp, cfengine.pp, cgroup.pp, chrome.pp, chronyd.pp, cipe.pp, clock.pp, clogd.pp, cloudform.pp, cmirrord.pp, cobbler.pp, collectd.pp, colord.pp, comsat.pp, condor.pp, conman.pp, consolekit.pp, couchdb.pp, courier.pp, cpucontrol.pp, cpufreqselector.pp, cron.pp, ctdb.pp, cups.pp, cvs.pp, cyphesis.pp, cyrus.pp, daemontools.pp, dbadm.pp, dbskk.pp, dbus.pp, dcc.pp, ddclient.pp, denyhosts.pp, devicekit.pp, dhcp.pp, dictd.pp, dirsrv-admin.pp, dirsrv.pp, dmesg.pp, dmidecode.pp, dnsmasq.pp, dnssec.pp, docker.pp, dovecot.pp, drbd.pp, dspam.pp, entropyd.pp, exim.pp, fail2ban.pp, fcoe.pp, fetchmail.pp, finger.pp, firewalld.pp, firewallgui.pp, firstboot.pp, fprintd.pp, freeipmi.pp, freqset.pp, fstools.pp, ftp.pp, games.pp, gear.pp, getty.pp, git.pp, gitosis.pp, glance.pp, glusterd.pp, gnome.pp, gpg.pp, gpm.pp, gpsd.pp, gssproxy.pp, guest.pp, hddtemp.pp, hostname.pp, hypervkvp.pp, icecast.pp, inetd.pp, init.pp, inn.pp, iodine.pp, ipa.pp, ipsec.pp, iptables.pp, irc.pp, irqbalance.pp, iscsi.pp, isns.pp, jabber.pp, jetty.pp, jockey.pp, kdump.pp, kdumpgui.pp, keepalived.pp, kerberos.pp, keyboardd.pp, keystone.pp, kismet.pp, ksmtuned.pp, ktalk.pp, l2tp.pp, ldap.pp, libraries.pp, likewise.pp, lircd.pp, livecd.pp, lldpad.pp, loadkeys.pp, locallogin.pp, lockdev.pp, logadm.pp, logging.pp, logrotate.pp, logwatch.pp, lpd.pp, lsm.pp, lvm.pp, mailman.pp, mailscanner.pp, man2html.pp, mandb.pp, mcelog.pp, mediawiki.pp, memcached.pp, milter.pp, mip6d.pp, miscfiles.pp, mock.pp, modemmanager.pp, modutils.pp, mojomojo.pp, motion.pp, mount.pp, mozilla.pp, mpd.pp, mplayer.pp, mrtg.pp, mta.pp, munin.pp, mysql.pp, mythtv.pp, nagios.pp, namespace.pp, ncftool.pp, netlabel.pp, netutils.pp, networkmanager.pp, ninfod.pp, nis.pp, nova.pp, nscd.pp, nsd.pp, nslcd.pp, ntop.pp, ntp.pp, numad.pp, nut.pp, nx.pp, obex.pp, oddjob.pp, openct.pp, openhpid.pp, openshift-origin.pp, openshift.pp, opensm.pp, openvpn.pp, openvswitch.pp, openwsman.pp, oracleasm.pp, osad.pp, pads.pp, passenger.pp, pcmcia.pp, pcp.pp, pcscd.pp, pegasus.pp, permissivedomains.pp, pesign.pp, pingd.pp, piranha.pp, pkcsslotd.pp, pki.pp, plymouthd.pp, podsleuth.pp, policykit.pp, polipo.pp, portmap.pp, portreserve.pp, postfix.pp, postgresql.pp, postgrey.pp, ppp.pp, prelink.pp, prelude.pp, privoxy.pp, procmail.pp, prosody.pp, psad.pp, ptchown.pp, publicfile.pp, pulseaudio.pp, puppet.pp, pwauth.pp, qmail.pp, qpid.pp, quantum.pp, quota.pp, rabbitmq.pp, radius.pp, radvd.pp, raid.pp, rasdaemon.pp, rdisc.pp, readahead.pp, realmd.pp, redis.pp, remotelogin.pp, rhcs.pp, rhev.pp, rhgb.pp, rhnsd.pp, rhsmcertd.pp, ricci.pp, rkhunter.pp, rlogin.pp, rngd.pp, roundup.pp, rpc.pp, rpcbind.pp, rpm.pp, rshd.pp, rssh.pp, rsync.pp, rtas.pp, rtkit.pp, rwho.pp, samba.pp, sambagui.pp, sandbox.pp, sandboxX.pp, sanlock.pp, sasl.pp, sblim.pp, screen.pp, secadm.pp, sectoolm.pp, selinuxutil.pp, sendmail.pp, sensord.pp, setrans.pp, setroubleshoot.pp, seunshare.pp, sge.pp, shorewall.pp, slocate.pp, slpd.pp, smartmon.pp, smokeping.pp, smoltclient.pp, smsd.pp, snapper.pp, snmp.pp, snort.pp, sosreport.pp, soundserver.pp, spamassassin.pp, speech-dispatcher.pp, squid.pp, ssh.pp, sssd.pp, staff.pp, stapserver.pp, stunnel.pp, su.pp, sudo.pp, svnserve.pp, swift.pp, sysadm.pp, sysadm_secadm.pp, sysnetwork.pp, sysstat.pp, systemd.pp, tcpd.pp, tcsd.pp, telepathy.pp, telnet.pp, tftp.pp, tgtd.pp, thin.pp, thumb.pp, tmpreaper.pp, tomcat.pp, tor.pp, tuned.pp, tvtime.pp, udev.pp, ulogd.pp, uml.pp, unconfined.pp, unconfineduser.pp, unlabelednet.pp, unprivuser.pp, updfstab.pp, usbmodules.pp, usbmuxd.pp, userdomain.pp, userhelper.pp, usermanage.pp, usernetctl.pp,uucp.pp, uuidd.pp, varnishd.pp, vbetool.pp, vdagent.pp, vhostmd.pp, virt.pp, vlock.pp, vmtools.pp, vmware.pp, vnstatd.pp, vpn.pp, w3c.pp, watchdog.pp, wdmd.pp, webadm.pp, webalizer.pp, wine.pp, wireshark.pp, xen.pp, xguest.pp,xserver.pp, zabbix.pp, zarafa.pp, zebra.pp, zoneminder.pp, zosremote.pp
FFRI,Inc. Minimum Policy • New policy type since Fedora10 – Minimum policy focus to reduce memory and storage usage consumption • Suitable size for embedded systems, container, cloud components – Policy binary file size reduced to 2.0MB(minimum) from 3.5MB(targeted) 31
FFRI,Inc. Multi Level Security Policy (MLS) • MLS policy enforces MLS access control – Default security level is s0, category is nothing • Practically, military use only • Cannot run on X window system – MLS policy is unsuitable for X 32 # ls –laZ --snip-- lrwxrwxrwx. root root system_u:object_r:bin_t:s0 sbin -> usr/sbin drwxr-xr-x. root root system_u:object_r:var_t:s0 srv dr-xr-xr-x. root root system_u:object_r:sysfs_t:s0 sys drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr drwxr-xr-x. root root system_u:object_r:var_t:s0 var
FFRI,Inc. Multi Category Security Policy (MCS) • MLS enables casual resource isolation – Red Hat applied MLS to sandbox, container, virtualization • Enabling since FedoraCore6 – However, every users have right of access to category0-1023 – All resources no assigned category 33 # id –Z context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
FFRI,Inc. To continue enforcing SELinux • Take care with file context – Verify existing SELinux context using semanage – sealert command recommends good labeling to you when access violation has occurred • You cannot change SELinux context, generate policy module using access violation log – Using audit2allow command • You *MUST* confirm generated policy source 34
FFRI,Inc. Quick Reference • Sestatus – Show SELinux status • Semanage module/user/login/fcontext –l – Show SELinux configuration on your system • sealert -a /var/log/audit/audit.log • Recommend good labeling to you when access violation has occurred 35
FFRI,Inc. Quick Reference(2) • Chcon –t hogehoge_t /var/www/hogehoge/index.html – Changing SELinux context (temporary) • Semanage fcontext –a –t hogehoge_t “/var/www/hogehoge(/.*?)” – Changing SELinux context (permanently) • Restorecon –rv /var/www – Applying file context rule to directory 36
FFRI,Inc. Conclusion • Each SELinux access control model is simple, but actually access control is more complex • Red Hat puts a lot of effort into SELinux, policy and utils for SELinux usability – Enlarging default policy modules – Encouraging Policy module system – Analyzing and generating policies from access violation log 37
FFRI,Inc. Appendix: SELinux history • 2003 – Merged Linux kernel 2.6 • 2004 – Enabling SELinux default on FC2(targeted) • 2006 – Policy reconstruction with reference policy (semanage, policy module) – Full labeled networking support – setroubleshot developed by Red Hat – MCS debut on FC5 • 2007 – Xguest developed by Dan Walsh – SE-PostgreSQL developed by Kohei Kaigai – Strict policy sunked on Fedora 8 (merged targeted policy) • 2009 – sVirt presented by Red Hat – SELinux Sandbox developed by Dan Walsh • 2012 – SE-Android developed by NSA • 2014 – Enforcing SELinux on Android 4.4 38
FFRI,Inc. References • “The Flask Security Architecture: System Support for Diverse Security Policies” http://www.nsa.gov/research/_files/publications/flask.pdf • “SELinux Targeted vs Strict policy History and Strategy” http://selinuxsymposium.org/2005/presentations/session4/4-1-walsh.pdf • SELinux/Tutorials/How is the policy provided and loaded http://wiki.gentoo.org/wiki/SELinux/Tutorials/How_is_the_policy_provided_and_loaded • NB PolicyType http://selinuxproject.org/page/NB_PolicyType#Policy_Versions_Monolithic • Getting Started with Reference Policy http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted • Using SELinux on RHEL 6 http://www.redhat.com/summit/2012/pdf/2012-DevDay-Lab-SELinux-Hacker.pdf • Introducing the SELinux Sandbox http://danwalsh.livejournal.com/28545.html • Fedora19 Security Guide - Fedora Documentation http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/ch09.html • MCS (Multi Category Security), New feature of Fedora Core 5 http://www.secureos.jp/index.php?plugin=attach&refer=events&openfile=20060531_lw e2006_KaiGai.pdf 39
FFRI,Inc. Contact Information E-Mail : research—feedback@ffri.jp Twitter: @FFRI_Research 40

Recommended

Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinuxRene Cunningham
 
The Linux Command Cheat Sheet
The Linux Command Cheat SheetThe Linux Command Cheat Sheet
The Linux Command Cheat SheetTola LENG
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic UsageDmytro Minochkin
 
Selinux
SelinuxSelinux
SelinuxAnkit Raj
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF AbyssSasha Goldshtein
 
Tp n 1 linux
Tp n 1 linuxTp n 1 linux
Tp n 1 linuxAmir Souissi
 
Linux presentation
Linux presentationLinux presentation
Linux presentationNikhil Jain
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 

Recommended

Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinuxRene Cunningham
 
The Linux Command Cheat Sheet
The Linux Command Cheat SheetThe Linux Command Cheat Sheet
The Linux Command Cheat SheetTola LENG
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic UsageDmytro Minochkin
 
Selinux
SelinuxSelinux
SelinuxAnkit Raj
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF AbyssSasha Goldshtein
 
Tp n 1 linux
Tp n 1 linuxTp n 1 linux
Tp n 1 linuxAmir Souissi
 
Linux presentation
Linux presentationLinux presentation
Linux presentationNikhil Jain
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
Metasploitable
MetasploitableMetasploitable
MetasploitableSri Manakula Vinayagar Engineering College
 
Rapport Kernel Linux - Configuration – Compilation & installation
Rapport Kernel Linux - Configuration – Compilation & installationRapport Kernel Linux - Configuration – Compilation & installation
Rapport Kernel Linux - Configuration – Compilation & installationAyoub Rouzi
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To LinuxIshan A B Ambanwela
 
Part-1.pdf
Part-1.pdfPart-1.pdf
Part-1.pdfjahangirwpoly2019
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel SourceMotaz Saad
 
alphorm.com - Formation VMware vSphere 5
alphorm.com - Formation VMware vSphere 5alphorm.com - Formation VMware vSphere 5
alphorm.com - Formation VMware vSphere 5Alphorm
 
Linux field-update-2015
Linux field-update-2015Linux field-update-2015
Linux field-update-2015Chris Simmonds
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Spi drivers
Spi driversSpi drivers
Spi driverspradeep_tewani
 
SSH
SSHSSH
SSHZach Dennis
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallHuda Seyam
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemSadia Bashir
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Network Drivers
Network DriversNetwork Drivers
Network DriversAnil Kumar Pugalia
 
X Window System
X Window SystemX Window System
X Window SystemRon Bandes
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101SUSE Labs Taipei
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentationnishantsri
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
Basic commands of linux
Basic commands of linuxBasic commands of linux
Basic commands of linuxshravan saini
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
 

More Related Content

What's hot

Rapport Kernel Linux - Configuration – Compilation & installation
Rapport Kernel Linux - Configuration – Compilation & installationRapport Kernel Linux - Configuration – Compilation & installation
Rapport Kernel Linux - Configuration – Compilation & installationAyoub Rouzi
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel SourceMotaz Saad
 
alphorm.com - Formation VMware vSphere 5
alphorm.com - Formation VMware vSphere 5alphorm.com - Formation VMware vSphere 5
alphorm.com - Formation VMware vSphere 5Alphorm
 
Linux field-update-2015
Linux field-update-2015Linux field-update-2015
Linux field-update-2015Chris Simmonds
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallHuda Seyam
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemSadia Bashir
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
X Window System
X Window SystemX Window System
X Window SystemRon Bandes
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentationnishantsri
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
Basic commands of linux
Basic commands of linuxBasic commands of linux
Basic commands of linuxshravan saini
 

What's hot (20)

Metasploitable
MetasploitableMetasploitable
Metasploitable
 
Rapport Kernel Linux - Configuration – Compilation & installation
Rapport Kernel Linux - Configuration – Compilation & installationRapport Kernel Linux - Configuration – Compilation & installation
Rapport Kernel Linux - Configuration – Compilation & installation
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Part-1.pdf
Part-1.pdfPart-1.pdf
Part-1.pdf
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel Source
 
alphorm.com - Formation VMware vSphere 5
alphorm.com - Formation VMware vSphere 5alphorm.com - Formation VMware vSphere 5
alphorm.com - Formation VMware vSphere 5
 
Linux field-update-2015
Linux field-update-2015Linux field-update-2015
Linux field-update-2015
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Spi drivers
Spi driversSpi drivers
Spi drivers
 
SSH
SSHSSH
SSH
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File System
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Network Drivers
Network DriversNetwork Drivers
Network Drivers
 
X Window System
X Window SystemX Window System
X Window System
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentation
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
 
Basic commands of linux
Basic commands of linuxBasic commands of linux
Basic commands of linux
 

Similar to MR201406 A Re-introduction to SELinux

2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
 
SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux OverviewEmre Can Kucukoglu
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinuxShay Cohen
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
How to not disable SELinux
How to not disable SELinuxHow to not disable SELinux
How to not disable SELinuxRémy Gottschalk
 
Week 13, Protection and Security.ppt
Week 13, Protection and Security.pptWeek 13, Protection and Security.ppt
Week 13, Protection and Security.pptPriyadarshiSharma7
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System zShawn Wells
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
PENTRATION TESTING Linux Escalation.ppt
PENTRATION TESTING Linux Escalation.pptPENTRATION TESTING Linux Escalation.ppt
PENTRATION TESTING Linux Escalation.pptjospinjj
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupJayant Chutke
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxZain Abid
 

Similar to MR201406 A Re-introduction to SELinux (20)

2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinux
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Selinux
SelinuxSelinux
Selinux
 
How to not disable SELinux
How to not disable SELinuxHow to not disable SELinux
How to not disable SELinux
 
Week 13, Protection and Security.ppt
Week 13, Protection and Security.pptWeek 13, Protection and Security.ppt
Week 13, Protection and Security.ppt
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
PENTRATION TESTING Linux Escalation.ppt
PENTRATION TESTING Linux Escalation.pptPENTRATION TESTING Linux Escalation.ppt
PENTRATION TESTING Linux Escalation.ppt
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
 

More from FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 

More from FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 

Recently uploaded

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

MR201406 A Re-introduction to SELinux

  • 1. FFRI,Inc. 1 Monthly Research A Re-Introduction to SELinux FFRI, Inc http://www.ffri.jp Ver 2.00.01
  • 2. FFRI,Inc. Why a Re-Introduction? • SELinux applies virtualization, container isolation and Android recently • However, many server engineers have disabled SELinux up to now • We needs relearning SELinux for new fields 2 It means “disable”
  • 3. FFRI,Inc. 3 Agenda • SELinux Overview • SELinux Access Control Model – Type Enforcement (TE) – Role-based Access Control (RBAC) – Multi-level Security (MLS) / Multi-category Security (MCS) • SELinux Security Policy – Strict Policy (deprecated) – Targeted Policy – Minimum Policy – MLS/MCS Policy
  • 5. FFRI,Inc. What is SELinux? • SELinux is a security extension for Linux kernel – Developed by NSA – Policy processing based on FLASK architecture – One of Linux security module implementation • SELinux aims military level security • Reference monitor(=linux kernel) forces restriction of application behavior • Demolish root privilege for the principle of least privilege 5
  • 6. FFRI,Inc. MAC: Mandatory Access Control • Giving SELinux context to all resources • Linux security module hooks can mediate system calls completely • SELinux cannot force application-internal access control – However, several application embedded SELinux hook into itself • X Window System (XACE) • PostgreSQL (SE-PostgreSQL) • Systemd • D-Bus 6
  • 7. FFRI,Inc. Benefits • Fine-grained(Process-level) access control • Strong isolation • Abolish root privilege 7 Web Server Mail Server System Service Kernel SELinux Hijacked by attacker Attacker cannot access others
  • 8. FFRI,Inc. SELinux is not • Antivirus software • Intrusion detection • Memory protection 8
  • 9. FFRI,Inc. SELinux Access Control Models A Re-Introduction to SELinux 9
  • 10. FFRI,Inc. SELinux Access Control Models • TE: Type Enforcement • RBAC: Role-based Access Control • MLS/MCS: Multi-level Security/Multi-category Security 10
  • 11. FFRI,Inc. Type Enforcement • The type defines a type for files • The domain defines a type for processes • The rule defines permission between domain and type 11 Domain (Process) Type (Execution File) Type (File) Type (File) Permission Rule1 Permission Rule2 Transition Rule1
  • 12. FFRI,Inc. Domain transition • Child process inherits SELinux context from parent process normally when process forked 12 Parent Process Execution File Child Process fork() Parent_tParent_t Child_exec_t
  • 13. FFRI,Inc. Domain transition • SELinux supports process domain transition when process execution using type of execution file 13 Parent Process Execution File Child Process Exec() fork() child_tParent_t Child_exec_t
  • 14. FFRI,Inc. Example1: myapp.te 14 # Type definition type myapp_t; type myapp_exec_t; #Declaring myapp_t domain_type(myapp_t) #Assigning myapp_t when process executes from myapp_exec_t file domain_entry_file(myapp_t, myapp_exec_t) #Type definition type myapp_log_t #Declaring interface logging_log_file(myapp_log_t) #myapp_t domain can read and append for myapp_log_t files allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
  • 15. FFRI,Inc. Describing Rule of Type Enforcement • SELinux TE rule declaration is primitive – SELinux prepare some expressive macros, but… • Strictness policy description is composed by huge TE rules – It is difficult to understand for user (incl. security administrator) 15
  • 16. FFRI,Inc. SELinux Policy Module • SELinux TE rule modularization system • Can load each policy modules – Can defines interfaces of the module – Reusable utilities for security administrator 16 See also: “Getting Started with Reference Policy” http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted
  • 17. FFRI,Inc. RBAC (Role-based Access Control) • A user is assigned to some roles • Role is granted some permissions 17 Role2Role1 User3User2 Rules Rules User1 RBAC Policy
  • 18. FFRI,Inc. SELinux Users and roles • SELinux maps Linux users on SELinux users – Moreover, maps SELinux users on SELinux roles – Because Linux user controls under discretionary access control its not mandatory 18 Role1 Linux User1 SELinux User1 Major Linux users: ・user1 ・root SELinux users: ・user_u ・root ・staff_u ・system_u ・sysadm_u ・unconfined_u Major roles: ・user_r ・staff_r ・system_r ・sysadm_r ・unconfined_r
  • 19. FFRI,Inc. MLS/MCS (Multi-Level/Category Security) • Multi level security is an access control using security level and category – Security level based on a rank of organization(like army) – Isolating access from other category 19 Category0(c0) Category1(c1) Security level3(s3) Security level2(s2) Security level1(s1) Security level0(s0) Security level3(s3) Security level2(s2) Security level1(s1) Security level0(s0) Category Security level MLS = Security level × Category
  • 20. FFRI,Inc. Bell-LaPadula Model • Mathematical model of Multi level security – Main interests is information leakage prevention • Users cannot read information from upper rank document – Users can write report to upper rank document • User can read information from lower rank document – Users cannot write report to lower rank document 20 Security level3(s3) Security level2(s2) Security level1(s1) Security level0(s0) Users can write to upper(incl. same) rank document only Users can read from lower(incl. same) rank document only
  • 21. FFRI,Inc. Access Control using MLS/MCS • Assigning default security level and category for all resources – In addition, users are assigned clearance • MLS permissions follows in Bell-LaPadula Models • Different category access requires clearance 21 S0 - s0:c0.c1023 Default security level & category clearance MLS Contexts
  • 22. FFRI,Inc. File contexts(SELinux Contexts on Files) • A file context enumerates the mapping between resource and SELinux context • File contexts are stored xattr(or xattr like file system extension) by labeling scripts – SELinux requires labeling before enforcing access control 22 /bin/systemd - system_u : object_r : init_exec_t : s0 MLS/MCS Security level TE: TypeSELinux User RBAC: RoleTarget
  • 23. FFRI,Inc. SELinux Modes • SELinux has three modes – Enforcing: Enabling SELinux access control – Permissive: Policy check only – Disabled: SELinux disabled • Checking SELinux status on your host: – Run sestatus command • If you want change the SELinux mode on boot time: – Edit SELINUX=enforcing/permissive in /etc/selinux/config 23
  • 24. FFRI,Inc. sestatus • Show current SELinux configurations 24 # sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 29
  • 26. FFRI,Inc. SELinux Security Policy A Re-Introduction to SELinux 26
  • 27. FFRI,Inc. Current SELinux Security Policies • Type Enforcement(+RBAC) – Strict (deprecated) – Targeted – Minimum 27 • Multi Level/Category Security – MLS – MCS Default policy is Targeted + MCS on Fedora, RHEL and RHEL-based distributions
  • 28. FFRI,Inc. Strict policy (deprecated) • Restrict all processes completely – Using both TE and RBAC policies • NSA and Red Hat encouraged strongly – However, SELinux operation cost is unsuitable for the security • Everybody thought that SELinux operation using strict policy is impracticable – Red Hat integrates a part of strict policy into targeted policy 28 “SELinux designed to be a strict policy.” – Dan Walsh (2005)
  • 29. FFRI,Inc. Targeted Policy • Restrict some process – Only Internet server(httpd, named…) and network service – Preparing against privilege escalation • Permit to run unconfined_t type/domain with no limitation – Ex. Login shell execute with unconfined_t domain • In Fedora20, Red Hat prepared a lot of predefined policy modules – If you want to enforce with strict like policy, remove unconfined_t, unconfined_r • Ref. http://danwalsh.livejournal.com/27885.html 29
  • 30. FFRI,Inc. Predefined Policy Modules in Targeted Policy on Fedora20 30 abrt.pp, accountsd.pp, acct.pp, afs.pp, aiccu.pp, aide.pp, ajaxterm.pp, alsa.pp, amanda.pp, amtu.pp, anaconda.pp, antivirus.pp, apache.pp, apcupsd.pp, apm.pp, application.pp, arpwatch.pp, asterisk.pp, auditadm.pp, authconfig.pp, authlogin.pp, automount.pp, avahi.pp, awstats.pp, bacula.pp, bcfg2.pp, bind.pp, bitlbee.pp, blueman.pp, bluetooth.pp, boinc.pp, bootloader.pp, brctl.pp, bugzilla.pp, bumblebee.pp, cachefilesd.pp, calamaris.pp, callweaver.pp, canna.pp, ccs.pp, cdrecord.pp, certmaster.pp, certmonger.pp, certwatch.pp, cfengine.pp, cgroup.pp, chrome.pp, chronyd.pp, cipe.pp, clock.pp, clogd.pp, cloudform.pp, cmirrord.pp, cobbler.pp, collectd.pp, colord.pp, comsat.pp, condor.pp, conman.pp, consolekit.pp, couchdb.pp, courier.pp, cpucontrol.pp, cpufreqselector.pp, cron.pp, ctdb.pp, cups.pp, cvs.pp, cyphesis.pp, cyrus.pp, daemontools.pp, dbadm.pp, dbskk.pp, dbus.pp, dcc.pp, ddclient.pp, denyhosts.pp, devicekit.pp, dhcp.pp, dictd.pp, dirsrv-admin.pp, dirsrv.pp, dmesg.pp, dmidecode.pp, dnsmasq.pp, dnssec.pp, docker.pp, dovecot.pp, drbd.pp, dspam.pp, entropyd.pp, exim.pp, fail2ban.pp, fcoe.pp, fetchmail.pp, finger.pp, firewalld.pp, firewallgui.pp, firstboot.pp, fprintd.pp, freeipmi.pp, freqset.pp, fstools.pp, ftp.pp, games.pp, gear.pp, getty.pp, git.pp, gitosis.pp, glance.pp, glusterd.pp, gnome.pp, gpg.pp, gpm.pp, gpsd.pp, gssproxy.pp, guest.pp, hddtemp.pp, hostname.pp, hypervkvp.pp, icecast.pp, inetd.pp, init.pp, inn.pp, iodine.pp, ipa.pp, ipsec.pp, iptables.pp, irc.pp, irqbalance.pp, iscsi.pp, isns.pp, jabber.pp, jetty.pp, jockey.pp, kdump.pp, kdumpgui.pp, keepalived.pp, kerberos.pp, keyboardd.pp, keystone.pp, kismet.pp, ksmtuned.pp, ktalk.pp, l2tp.pp, ldap.pp, libraries.pp, likewise.pp, lircd.pp, livecd.pp, lldpad.pp, loadkeys.pp, locallogin.pp, lockdev.pp, logadm.pp, logging.pp, logrotate.pp, logwatch.pp, lpd.pp, lsm.pp, lvm.pp, mailman.pp, mailscanner.pp, man2html.pp, mandb.pp, mcelog.pp, mediawiki.pp, memcached.pp, milter.pp, mip6d.pp, miscfiles.pp, mock.pp, modemmanager.pp, modutils.pp, mojomojo.pp, motion.pp, mount.pp, mozilla.pp, mpd.pp, mplayer.pp, mrtg.pp, mta.pp, munin.pp, mysql.pp, mythtv.pp, nagios.pp, namespace.pp, ncftool.pp, netlabel.pp, netutils.pp, networkmanager.pp, ninfod.pp, nis.pp, nova.pp, nscd.pp, nsd.pp, nslcd.pp, ntop.pp, ntp.pp, numad.pp, nut.pp, nx.pp, obex.pp, oddjob.pp, openct.pp, openhpid.pp, openshift-origin.pp, openshift.pp, opensm.pp, openvpn.pp, openvswitch.pp, openwsman.pp, oracleasm.pp, osad.pp, pads.pp, passenger.pp, pcmcia.pp, pcp.pp, pcscd.pp, pegasus.pp, permissivedomains.pp, pesign.pp, pingd.pp, piranha.pp, pkcsslotd.pp, pki.pp, plymouthd.pp, podsleuth.pp, policykit.pp, polipo.pp, portmap.pp, portreserve.pp, postfix.pp, postgresql.pp, postgrey.pp, ppp.pp, prelink.pp, prelude.pp, privoxy.pp, procmail.pp, prosody.pp, psad.pp, ptchown.pp, publicfile.pp, pulseaudio.pp, puppet.pp, pwauth.pp, qmail.pp, qpid.pp, quantum.pp, quota.pp, rabbitmq.pp, radius.pp, radvd.pp, raid.pp, rasdaemon.pp, rdisc.pp, readahead.pp, realmd.pp, redis.pp, remotelogin.pp, rhcs.pp, rhev.pp, rhgb.pp, rhnsd.pp, rhsmcertd.pp, ricci.pp, rkhunter.pp, rlogin.pp, rngd.pp, roundup.pp, rpc.pp, rpcbind.pp, rpm.pp, rshd.pp, rssh.pp, rsync.pp, rtas.pp, rtkit.pp, rwho.pp, samba.pp, sambagui.pp, sandbox.pp, sandboxX.pp, sanlock.pp, sasl.pp, sblim.pp, screen.pp, secadm.pp, sectoolm.pp, selinuxutil.pp, sendmail.pp, sensord.pp, setrans.pp, setroubleshoot.pp, seunshare.pp, sge.pp, shorewall.pp, slocate.pp, slpd.pp, smartmon.pp, smokeping.pp, smoltclient.pp, smsd.pp, snapper.pp, snmp.pp, snort.pp, sosreport.pp, soundserver.pp, spamassassin.pp, speech-dispatcher.pp, squid.pp, ssh.pp, sssd.pp, staff.pp, stapserver.pp, stunnel.pp, su.pp, sudo.pp, svnserve.pp, swift.pp, sysadm.pp, sysadm_secadm.pp, sysnetwork.pp, sysstat.pp, systemd.pp, tcpd.pp, tcsd.pp, telepathy.pp, telnet.pp, tftp.pp, tgtd.pp, thin.pp, thumb.pp, tmpreaper.pp, tomcat.pp, tor.pp, tuned.pp, tvtime.pp, udev.pp, ulogd.pp, uml.pp, unconfined.pp, unconfineduser.pp, unlabelednet.pp, unprivuser.pp, updfstab.pp, usbmodules.pp, usbmuxd.pp, userdomain.pp, userhelper.pp, usermanage.pp, usernetctl.pp,uucp.pp, uuidd.pp, varnishd.pp, vbetool.pp, vdagent.pp, vhostmd.pp, virt.pp, vlock.pp, vmtools.pp, vmware.pp, vnstatd.pp, vpn.pp, w3c.pp, watchdog.pp, wdmd.pp, webadm.pp, webalizer.pp, wine.pp, wireshark.pp, xen.pp, xguest.pp,xserver.pp, zabbix.pp, zarafa.pp, zebra.pp, zoneminder.pp, zosremote.pp
  • 31. FFRI,Inc. Minimum Policy • New policy type since Fedora10 – Minimum policy focus to reduce memory and storage usage consumption • Suitable size for embedded systems, container, cloud components – Policy binary file size reduced to 2.0MB(minimum) from 3.5MB(targeted) 31
  • 32. FFRI,Inc. Multi Level Security Policy (MLS) • MLS policy enforces MLS access control – Default security level is s0, category is nothing • Practically, military use only • Cannot run on X window system – MLS policy is unsuitable for X 32 # ls –laZ --snip-- lrwxrwxrwx. root root system_u:object_r:bin_t:s0 sbin -> usr/sbin drwxr-xr-x. root root system_u:object_r:var_t:s0 srv dr-xr-xr-x. root root system_u:object_r:sysfs_t:s0 sys drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr drwxr-xr-x. root root system_u:object_r:var_t:s0 var
  • 33. FFRI,Inc. Multi Category Security Policy (MCS) • MLS enables casual resource isolation – Red Hat applied MLS to sandbox, container, virtualization • Enabling since FedoraCore6 – However, every users have right of access to category0-1023 – All resources no assigned category 33 # id –Z context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  • 34. FFRI,Inc. To continue enforcing SELinux • Take care with file context – Verify existing SELinux context using semanage – sealert command recommends good labeling to you when access violation has occurred • You cannot change SELinux context, generate policy module using access violation log – Using audit2allow command • You *MUST* confirm generated policy source 34
  • 35. FFRI,Inc. Quick Reference • Sestatus – Show SELinux status • Semanage module/user/login/fcontext –l – Show SELinux configuration on your system • sealert -a /var/log/audit/audit.log • Recommend good labeling to you when access violation has occurred 35
  • 36. FFRI,Inc. Quick Reference(2) • Chcon –t hogehoge_t /var/www/hogehoge/index.html – Changing SELinux context (temporary) • Semanage fcontext –a –t hogehoge_t “/var/www/hogehoge(/.*?)” – Changing SELinux context (permanently) • Restorecon –rv /var/www – Applying file context rule to directory 36
  • 37. FFRI,Inc. Conclusion • Each SELinux access control model is simple, but actually access control is more complex • Red Hat puts a lot of effort into SELinux, policy and utils for SELinux usability – Enlarging default policy modules – Encouraging Policy module system – Analyzing and generating policies from access violation log 37
  • 38. FFRI,Inc. Appendix: SELinux history • 2003 – Merged Linux kernel 2.6 • 2004 – Enabling SELinux default on FC2(targeted) • 2006 – Policy reconstruction with reference policy (semanage, policy module) – Full labeled networking support – setroubleshot developed by Red Hat – MCS debut on FC5 • 2007 – Xguest developed by Dan Walsh – SE-PostgreSQL developed by Kohei Kaigai – Strict policy sunked on Fedora 8 (merged targeted policy) • 2009 – sVirt presented by Red Hat – SELinux Sandbox developed by Dan Walsh • 2012 – SE-Android developed by NSA • 2014 – Enforcing SELinux on Android 4.4 38
  • 39. FFRI,Inc. References • “The Flask Security Architecture: System Support for Diverse Security Policies” http://www.nsa.gov/research/_files/publications/flask.pdf • “SELinux Targeted vs Strict policy History and Strategy” http://selinuxsymposium.org/2005/presentations/session4/4-1-walsh.pdf • SELinux/Tutorials/How is the policy provided and loaded http://wiki.gentoo.org/wiki/SELinux/Tutorials/How_is_the_policy_provided_and_loaded • NB PolicyType http://selinuxproject.org/page/NB_PolicyType#Policy_Versions_Monolithic • Getting Started with Reference Policy http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted • Using SELinux on RHEL 6 http://www.redhat.com/summit/2012/pdf/2012-DevDay-Lab-SELinux-Hacker.pdf • Introducing the SELinux Sandbox http://danwalsh.livejournal.com/28545.html • Fedora19 Security Guide - Fedora Documentation http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/ch09.html • MCS (Multi Category Security), New feature of Fedora Core 5 http://www.secureos.jp/index.php?plugin=attach&refer=events&openfile=20060531_lw e2006_KaiGai.pdf 39
  • 40. FFRI,Inc. Contact Information E-Mail : research—feedback@ffri.jp Twitter: @FFRI_Research 40