SELinux basics

2,323 views

Published on

Practical SELinux basics

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,323
On SlideShare
0
From Embeds
0
Number of Embeds
17
Actions
Shares
0
Downloads
84
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

SELinux basics

  1. 1. SELinux introduction Ľubomír Rintel <lubo.rintel@gooddata.com>
  2. 2. Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
  3. 3. SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
  4. 4. DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
  5. 5. Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
  6. 6. Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
  7. 7. File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
  8. 8. Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
  9. 9. Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
  10. 10. Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
  11. 11. What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context
  12. 12. SELinux introduction Ľubomír Rintel <lubo.rintel@gooddata.com>
  13. 13. Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
  14. 14. SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
  15. 15. DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
  16. 16. Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
  17. 17. Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
  18. 18. File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
  19. 19. Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
  20. 20. Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
  21. 21. Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
  22. 22. What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context

×