SlideShare a Scribd company logo
1 of 66
SELinux for everyday users
SELinux Don't be afraid!
SELinux – the bad ,[object Object]
SELinux – the bad ,[object Object]
Mandatory Access Control
SELinux – the bad ,[object Object]
Mandatory Access Control
Infested with jargon ,[object Object]
SELinux – the bad ,[object Object]
Mandatory Access Control
Infested with jargon
Breaks systems ,[object Object]
Applications stop working
Can't make it stop
SELinux – the bad ,[object Object]
SELinux – the bad ,[object Object]
Uses Debian
SELinux – the bad ,[object Object]
Uses Debian
Not an everyday user!
SELinux Don't be afraid!
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
Fedora since Core 2 (2004)
RHEL since version 4 (2005)
SELinux – the good ,[object Object]
Fedora since Core 2 (2004)
RHEL since version 4 (2005)
Debian since Etch (2007)
Ubuntu since Hardy Heron 8.04 (2008)
SELinux How does it work?
SELinux – the basics ,[object Object]
SELinux – the basics ,[object Object]
Packaged security policy
SELinux – the basics ,[object Object]
Packaged security policy
Checks database of rules on syscalls
SELinux – the basics ,[object Object]
Packaged security policy
Checks database of rules on syscalls
Allows or denies based on policy
SELinux What does it  really  do?
SELinux – what does it do? ,[object Object],tchmilfan : didi! - http://www.flickr.com/photos/tchmilfan/1033216436/
SELinux – what does it do? ,[object Object]
SELinux – what does it do? ,[object Object]
Policies limit what a daemon can access and how.
SELinux – what does it do? ,[object Object]
Policies limit what a daemon can access and how.
Prevents daemon compromise affecting other files.
SELinux – what does it do? ,[object Object]
Policies limit what a daemon can access and how.
Prevents daemon compromise affecting other files / users / ports / etc.
SELinux – what does it do? ,[object Object]
User processes are unaffected
SELinux – what does it do? ,[object Object]
User processes are unaffected ,[object Object]
SELinux – what does it do? ,[object Object]
User processes are unaffected ,[object Object]
Firefox still gets to crash your system
SELinux – what does it do? ,[object Object]
User processes are unaffected ,[object Object]
Firefox still gets to crash your system
New policy being written to help that

More Related Content

What's hot

Linux command ppt
Linux command pptLinux command ppt
Linux command pptkalyanineve
 
Linux basic commands with examples
Linux basic commands with examplesLinux basic commands with examples
Linux basic commands with examplesabclearnn
 
package mangement
package mangementpackage mangement
package mangementARYA TM
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linuxPapu Kumar
 
Unix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell ScriptUnix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell Scriptsbmguys
 
101 2.5 use rpm and yum package management
101 2.5 use rpm and yum package management101 2.5 use rpm and yum package management
101 2.5 use rpm and yum package managementAcácio Oliveira
 
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Ahmed El-Arabawy
 
Linux commands and file structure
Linux commands and file structureLinux commands and file structure
Linux commands and file structureSreenatha Reddy K R
 
Linux presentation
Linux presentationLinux presentation
Linux presentationNikhil Jain
 
Introduction to Linux
Introduction to Linux Introduction to Linux
Introduction to Linux Harish R
 
Intro to Linux Shell Scripting
Intro to Linux Shell ScriptingIntro to Linux Shell Scripting
Intro to Linux Shell Scriptingvceder
 
Unix Linux Commands Presentation 2013
Unix Linux Commands Presentation 2013Unix Linux Commands Presentation 2013
Unix Linux Commands Presentation 2013Wave Digitech
 
File permission in linux
File permission in linuxFile permission in linux
File permission in linuxPrakash Poudel
 

What's hot (20)

Linux crontab
Linux crontabLinux crontab
Linux crontab
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Linux command ppt
Linux command pptLinux command ppt
Linux command ppt
 
Linux basic commands with examples
Linux basic commands with examplesLinux basic commands with examples
Linux basic commands with examples
 
package mangement
package mangementpackage mangement
package mangement
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linux
 
Shell Scripting
Shell ScriptingShell Scripting
Shell Scripting
 
Unix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell ScriptUnix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell Script
 
Ubuntu – Linux Useful Commands
Ubuntu – Linux Useful CommandsUbuntu – Linux Useful Commands
Ubuntu – Linux Useful Commands
 
101 2.5 use rpm and yum package management
101 2.5 use rpm and yum package management101 2.5 use rpm and yum package management
101 2.5 use rpm and yum package management
 
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1)
 
Basic 50 linus command
Basic 50 linus commandBasic 50 linus command
Basic 50 linus command
 
Linux commands and file structure
Linux commands and file structureLinux commands and file structure
Linux commands and file structure
 
Linux presentation
Linux presentationLinux presentation
Linux presentation
 
Introduction to Linux
Introduction to Linux Introduction to Linux
Introduction to Linux
 
Intro to Linux Shell Scripting
Intro to Linux Shell ScriptingIntro to Linux Shell Scripting
Intro to Linux Shell Scripting
 
Basic linux commands
Basic linux commandsBasic linux commands
Basic linux commands
 
Unix Linux Commands Presentation 2013
Unix Linux Commands Presentation 2013Unix Linux Commands Presentation 2013
Unix Linux Commands Presentation 2013
 
Linux commands
Linux commandsLinux commands
Linux commands
 
File permission in linux
File permission in linuxFile permission in linux
File permission in linux
 

Viewers also liked

Ubuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesUbuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesDustin Kirkland
 
Supply Chain som Værdiskaber - Associate Professor Kim Sundtoft Hald
Supply Chain som Værdiskaber - Associate Professor Kim Sundtoft HaldSupply Chain som Værdiskaber - Associate Professor Kim Sundtoft Hald
Supply Chain som Værdiskaber - Associate Professor Kim Sundtoft HaldCBS Competitiveness Platform
 
46 customizing se linux policy
46  customizing se linux policy46  customizing se linux policy
46 customizing se linux policyAprende Viendo
 
Ubuntu an absolute beginners guide
Ubuntu an absolute beginners guideUbuntu an absolute beginners guide
Ubuntu an absolute beginners guideCOMSATS
 
Linux training
Linux trainingLinux training
Linux trainingartisriva
 
Linux Based Network Proposal
Linux Based Network ProposalLinux Based Network Proposal
Linux Based Network ProposalChris Riccio
 
Linux conf-admin
Linux conf-adminLinux conf-admin
Linux conf-adminbadamisri
 
CLUG 2010 09 - systemd - the new init system
CLUG 2010 09 - systemd - the new init systemCLUG 2010 09 - systemd - the new init system
CLUG 2010 09 - systemd - the new init systemPaulWay
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsDayal Dilli
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i  auditing operating systems and networksChapter 3 security part i  auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksjayussuryawan
 
Linux apache installation
Linux apache installationLinux apache installation
Linux apache installationDima Gomaa
 
ISCSI server configuration
ISCSI server configurationISCSI server configuration
ISCSI server configurationThamizharasan P
 
Nagios Conference 2013 - David Stern - The Nagios Light Bar
Nagios Conference 2013 - David Stern - The Nagios Light BarNagios Conference 2013 - David Stern - The Nagios Light Bar
Nagios Conference 2013 - David Stern - The Nagios Light BarNagios
 
Apache server configuration
Apache server configurationApache server configuration
Apache server configurationThamizharasan P
 
DNS server configurationDns server configuration
DNS server configurationDns server configurationDNS server configurationDns server configuration
DNS server configurationDns server configurationThamizharasan P
 
Network configuration in Linux
Network configuration in LinuxNetwork configuration in Linux
Network configuration in LinuxMohammed Yazdani
 

Viewers also liked (20)

Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
Ubuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesUbuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security Features
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
 
Supply Chain som Værdiskaber - Associate Professor Kim Sundtoft Hald
Supply Chain som Værdiskaber - Associate Professor Kim Sundtoft HaldSupply Chain som Værdiskaber - Associate Professor Kim Sundtoft Hald
Supply Chain som Værdiskaber - Associate Professor Kim Sundtoft Hald
 
46 customizing se linux policy
46  customizing se linux policy46  customizing se linux policy
46 customizing se linux policy
 
Ubuntu an absolute beginners guide
Ubuntu an absolute beginners guideUbuntu an absolute beginners guide
Ubuntu an absolute beginners guide
 
Linux training
Linux trainingLinux training
Linux training
 
Linux Based Network Proposal
Linux Based Network ProposalLinux Based Network Proposal
Linux Based Network Proposal
 
Introduction to SELinux Part-I
Introduction to SELinux Part-IIntroduction to SELinux Part-I
Introduction to SELinux Part-I
 
Linux conf-admin
Linux conf-adminLinux conf-admin
Linux conf-admin
 
CLUG 2010 09 - systemd - the new init system
CLUG 2010 09 - systemd - the new init systemCLUG 2010 09 - systemd - the new init system
CLUG 2010 09 - systemd - the new init system
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systems
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i  auditing operating systems and networksChapter 3 security part i  auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
 
Linux apache installation
Linux apache installationLinux apache installation
Linux apache installation
 
ISCSI server configuration
ISCSI server configurationISCSI server configuration
ISCSI server configuration
 
Nagios Conference 2013 - David Stern - The Nagios Light Bar
Nagios Conference 2013 - David Stern - The Nagios Light BarNagios Conference 2013 - David Stern - The Nagios Light Bar
Nagios Conference 2013 - David Stern - The Nagios Light Bar
 
OS Security 2009
OS Security 2009OS Security 2009
OS Security 2009
 
Apache server configuration
Apache server configurationApache server configuration
Apache server configuration
 
DNS server configurationDns server configuration
DNS server configurationDns server configurationDNS server configurationDns server configuration
DNS server configurationDns server configuration
 
Network configuration in Linux
Network configuration in LinuxNetwork configuration in Linux
Network configuration in Linux
 

Similar to SELinux for everyday users demystified

SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupJayant Chutke
 
selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptxPandiya Rajan
 
How to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNHow to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNGene Kartavtsev
 
SELinux workshop
SELinux workshopSELinux workshop
SELinux workshopjohseg
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanentlychinkshady
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux OverviewEmre Can Kucukoglu
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTAshley Deuble
 
About linux-english
About linux-englishAbout linux-english
About linux-englishShota Ito
 
SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Winbmbouter
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 

Similar to SELinux for everyday users demystified (20)

SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
 
How to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNHow to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MN
 
کارگاه امنیت با عنوان Stop Disabling SElinux
کارگاه امنیت با عنوان Stop Disabling SElinuxکارگاه امنیت با عنوان Stop Disabling SElinux
کارگاه امنیت با عنوان Stop Disabling SElinux
 
File000127
File000127File000127
File000127
 
SELinux workshop
SELinux workshopSELinux workshop
SELinux workshop
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently
 
Selinux
SelinuxSelinux
Selinux
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Hiding files.pptx
Hiding files.pptxHiding files.pptx
Hiding files.pptx
 
Linux remote
Linux remoteLinux remote
Linux remote
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
 
About linux-english
About linux-englishAbout linux-english
About linux-english
 
SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
 
App locker
App lockerApp locker
App locker
 
Divya
DivyaDivya
Divya
 

Recently uploaded

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

SELinux for everyday users demystified

  • 3.
  • 4.
  • 6.
  • 8.
  • 9.
  • 12.
  • 15.
  • 16.
  • 18.
  • 21. SELinux Don't be afraid!
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27. Fedora since Core 2 (2004)
  • 28. RHEL since version 4 (2005)
  • 29.
  • 30. Fedora since Core 2 (2004)
  • 31. RHEL since version 4 (2005)
  • 33. Ubuntu since Hardy Heron 8.04 (2008)
  • 34. SELinux How does it work?
  • 35.
  • 36.
  • 38.
  • 40. Checks database of rules on syscalls
  • 41.
  • 43. Checks database of rules on syscalls
  • 44. Allows or denies based on policy
  • 45. SELinux What does it really do?
  • 46.
  • 47.
  • 48.
  • 49. Policies limit what a daemon can access and how.
  • 50.
  • 51. Policies limit what a daemon can access and how.
  • 52. Prevents daemon compromise affecting other files.
  • 53.
  • 54. Policies limit what a daemon can access and how.
  • 55. Prevents daemon compromise affecting other files / users / ports / etc.
  • 56.
  • 57. User processes are unaffected
  • 58.
  • 59.
  • 60.
  • 61.
  • 62. Firefox still gets to crash your system
  • 63.
  • 64.
  • 65. Firefox still gets to crash your system
  • 66. New policy being written to help that
  • 67.
  • 68.
  • 69.
  • 70. A file has a context
  • 71.
  • 72.
  • 73.
  • 74.
  • 75.
  • 77. ps -Z
  • 78.
  • 79. netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
  • 80. ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
  • 81.
  • 82. netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r: unconfined_execmem_t :s0-s0:c0.c1023
  • 83. ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
  • 84. The type_t is the only thing you need look at
  • 85.
  • 86.
  • 87.
  • 88.
  • 89.
  • 90. Looks up the database of rules and finds the correct context for that file
  • 91. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
  • 92. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group
  • 93. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group [root@tachyon ~]# restorecon -R -v /etc/group restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0 [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
  • 94.
  • 95.
  • 96.
  • 97.
  • 98.
  • 99.
  • 100.
  • 101.
  • 102.
  • 103.
  • 104.
  • 105.
  • 106.
  • 107. 2: getsebool and setsebool
  • 108.
  • 110.
  • 111.
  • 113.
  • 114. SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log
  • 115. SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
  • 116. SELinux – how do I use it? [root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.
  • 117.
  • 118. 2: getsebool and setsebool
  • 119. 3: audit2why or audit2allow
  • 120.
  • 121. 2: getsebool and setsebool
  • 122.
  • 123.
  • 124. 2: getsebool and setsebool
  • 125.
  • 127.