SE Linux(app armor)
    Presentation Transcript

    • SELinux
        • A presentation for C4A Kenya
    • Table of contents
        • Introduction
        • Rationale and design
        • How to use it
            • SELinux states
            • Managing SELinux
            • Policies
    • Background
        • Community Project
            • Originated in 1980s security research
            • Academic research prototype (Flask) 1990s
            • Ported to Linux, released under GPL in 2000
            • Distro adoption, upstream merge, certification
            • Adoption and innovation by users
    • Background
        • SELinux = Security Enhanced Linux
            • Formerly known as SE tools
            • It is a mechanism for supporting mandatory access control security policies
            • Linux Security Modules (LSM) run in the Linux kernel
    • SELinux Features
        • Separation of policy from enforcement
        • Predefined policy interfaces
        • Support for applications querying the policy and enforcing access control
        • Independent of specific policies, policy languages, security label formats and contents
        • Caching of access decisions for efficiency
        • Policy changes are possible (!!!)
        • Separate measures for protecting system integrity and data confidentiality
        • Controls over process initialization and inheritance and program execution
        • Controls file systems, directories, files, and open file descriptors
        • Controls over sockets, messages, and network interfaces
        • Coherent stacking
    • Where is SELinux
        • Red Hat Enterprise Linux v4 / v5
        • CentOS v4 / v5
        • Novell SLES, OpenSuSE
        • Gentoo
        • Debian
    • Misconceptions about SELinux
        • "Life is too short for SELinux" – Theodore Ts'o
        • Upstream vendors require me to disable SELinux
    • Why use SELinux
        • It confines services in compartments
        • No, it isn't difficult
        • Flexible
        • Increases security
        • Existing SELinux solution
            • Inflexible
            • Don't meet general requirements
            • Hindered adoption
            • Niche products: expensive and weird
    • HOW TO USE IT
    • Changing SELinux States
        • Enforcing
            • Enable and enforce the SELinux security policy on the system, denying access and logging actions
        • Permissive
            • Enables, but will not enforce the security policy, only warn and log actions
        • Disabled
            • SELinux is turned off
    • Checking the state of SELinux
        • sestatus
            • Enforcing
            • Permissive
    • Access Control
        • Type Enforcement (TE): the primary mechanism of access control used in the targeted policy
        • Role-Based Access Control (RBAC): based around SELinux users (not necessarily the same as the Linux user)
        • Multi-Level Security (MLS): not used and often hidden in the default targeted policy
    • Relabeling files
        • chcon -R -t httpd_sys_content_t /usr/srv/www
        • semanage fcontext -a -t httpd_sys_content_t "/usr/srv/www(/.*)?"
        • restorecon -Rv -n /var/www/html
        • Relabelling the whole filesystem
            • genhomedircon
            • touch /.autorelabel
            • reboot
    • Enabling bools and ports
        • Managing ports
            • semanage port -l
            • semanage port -a -t http_port_t -p tcp 8181
        • Managing predefined policies
            • getsebool -a | grep samba
            • setsebool -P samba_enable_home_dirs on
    • Generating policies
        • less /var/log/audit/audit.log
        • grep zarafa /var/log/audit/audit.log | audit2allow -m zarafa > zarafa.te
    • Some policy
        • Dovecot Policy
        • Zarafa Policy
        • Spamassassin Policy
    • Finally over
        • Contact me on Twitter: @Fonuonga
        • Email: Frankie.onuonga@gmail.com
        • Done by: Frank Onuonga
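
An added example, not part of the original slides, for the "Generating policies", "Relabeling files" and "Enabling bools and ports" slides: before piping denials into audit2allow, summarise them and separate the ones better fixed by a relabel or a port definition from the ones that need a new allow rule. The audit records are constructed, and the hint heuristic (a default_t, file_t or unlabeled_t target means a labelling problem; name_bind on a socket means a port definition) is this example's assumption.

```shell
#!/bin/sh
# Review step before `audit2allow`: group AVC denials for one program and
# hint at the least-privilege fix. Added example, not the presenter's code.

# Constructed audit records (not taken from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1300000001.101:41): avc:  denied  { read } for  pid=2101 comm="zarafa-server" name="server.cfg" dev=sda1 ino=1201 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1300000001.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="zarafa-server" exe="/usr/bin/zarafa-server"
type=AVC msg=audit(1300000002.205:42): avc:  denied  { read } for  pid=2107 comm="zarafa-server" name="server.cfg" dev=sda1 ino=1201 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1300000003.310:43): avc:  denied  { name_bind } for  pid=2107 comm="zarafa-server" src=8181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000004.412:44): avc:  denied  { write } for  pid=2107 comm="zarafa-server" name="server.log" dev=sda1 ino=1388 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1300000005.518:45): avc:  denied  { getattr } for  pid=3001 comm="httpd" path="/usr/srv/www/index.html" dev=sda1 ino=1410 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

# summarize_avc NAME: read audit records on stdin and print one line per
# distinct denial whose comm= contains NAME:
#   count hint source_type target_type class permissions
# hint: relabel -> fix the file label (semanage fcontext + restorecon)
#       port    -> define the port (semanage port -a)
#       rule    -> candidate for an audit2allow rule, after review
summarize_avc() {
    awk -v want="$1" '
    /avc: +denied/ {
        comm = stype = ttype = tclass = ""
        perms = $0                      # keep only the text inside { ... }
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (index(comm, want) == 0) next
        hint = "rule"
        if (ttype ~ /^(default_t|file_t|unlabeled_t)$/) hint = "relabel"
        if (perms ~ /name_bind/ && tclass ~ /_socket$/) hint = "port"
        n[hint " " stype " " ttype " " tclass " " perms]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort
}

sample_audit_log | summarize_avc zarafa
```

On a live system the input would be /var/log/audit/audit.log instead of the sample function; only the lines hinted as rule are worth passing on to audit2allow.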