SELinux for Everyday Users
Much has been written on SELinux, and a lot of it seems confusing. It's buzzword heavy, involves locking your computer up, has a strange new set of permissions that are obscure in architecture and silently fails where things used to just work. Why use it?

Well, for most people, it's not actually that hard to understand. In this talk, Paul Wayper talks about how to make sense of what SELinux does, and how to keep it out of the way and get on with using your computer. In the process Paul will deal with the background to SELinux, what its main aims are, and why you really do want it turned on.

Slide transcript

Slide 1: SELinux for everyday users

Slide 2: SELinux – Don't be afraid!

Slides 3-14: SELinux – the bad
- Developed by the NSA
- Mandatory Access Control
- Infested with jargon
  - Policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!
- Breaks systems
  - Root can't just do anything anymore
  - Applications stop working
  - Can't make it stop

Slides 15-20: SELinux – the bad
- “SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.”
  - Theodore Ts’o (ext2/3/4 maintainer), 1 Oct 2007
  - Uses Debian
  - Not an everyday user!

Slide 21: SELinux – Don't be afraid!
Slides 22-23: SELinux – the good
- “Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.”
  - Larry Loeb (security author and researcher)

Slides 24-33: SELinux – the good
- Used in many major distributions
  - In the mainline kernel since 2.6.0 (2003)
  - Fedora since Core 2 (2004)
  - RHEL since version 4 (2005)
  - Debian since Etch (2007)
  - Ubuntu since Hardy Heron 8.04 (2008)
Slide 34: SELinux – How does it work?

Slides 35-44: SELinux – the basics
- Compiled into the kernel
- Packaged security policy
- Checks database of rules on syscalls
- Allows or denies based on policy
Slide 45: SELinux – What does it really do?

Slides 46-55: SELinux – what does it do?
- Stops daemons going bad
  - Policies in most distributions (the "targeted" policy) are applied only to system processes, not user processes.
  - Policies limit what a daemon can access and how.
  - Prevents daemon compromise affecting other files / users / ports / etc.
(photo: tchmilfan, "didi!", http://www.flickr.com/photos/tchmilfan/1033216436/)

Slides 56-66: SELinux – what does it do?
- Stops daemons going bad
- User processes are unaffected
  - root still gets to be root
  - Firefox still gets to crash your system
  - New policy being written to help that
Slides 67-74: SELinux – demystifying
- Everything has a security 'context'
  - A process has a context
  - A file has a context
- Database of rules
  - Rules allow a process in one context to do operations on an object in another context
Slides 75-84: SELinux – how do I see it?
- Some commands have the -Z option
  - ls -Z
        drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin
        drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding
  - netstat -Z
        tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
  - ps -Z
        LABEL PID TTY TIME CMD
        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash
        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
  - A context is user:role:type[:range]. The type (the field ending in _t, e.g. user_home_t or unconfined_t) is the only thing you need to look at day to day.
Slides 85-90: SELinux – how do I use it?
- restorecon
  - Restores the default SELinux context of a file (restore + con)
  - Looks up the database of rules for the directory structure and finds the correct context for that file
- chcon
  - Changes a file's context by hand (not covered further in this talk)

Slides 91-93: SELinux – how do I use it?
    [root@tachyon ~]# ls -Z /etc/group
    -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
    [root@tachyon ~]# cp /etc/group /tmp
    [root@tachyon ~]# mv /tmp/group /etc
    [root@tachyon ~]# ls -Z /etc/group
    -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group
    [root@tachyon ~]# restorecon -R -v /etc/group
    restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
    [root@tachyon ~]# ls -Z /etc/group
    -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

Why this happens: cp creates a new file, which gets the default label for the directory it lands in (user_tmp_t in /tmp); mv then moves the inode and keeps that label, so /etc/group ends up wrongly labelled. Any daemon whose policy only allows it to read etc_t will now be denied. restorecon looks up what /etc/group should be and puts the etc_t label back.

Slide 94: SELinux – Lessons
- 1: Try restorecon
Slides 95-100: SELinux – demystifying
- Everything has a context
- Database of rules
  - Rules allow a process in one context to do operations on an object in another context
- Switches turn groups of rules on or off
  - Booleans

Slides 101-102: SELinux – how do I see it?
- getsebool -a
    [root@tachyon ~]# getsebool -a | grep samba
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_run_unconfined --> on
    samba_share_fusefs --> off
    samba_share_nfs --> off
    use_samba_home_dirs --> off
    virt_use_samba --> off

Slides 103-105: SELinux – how do I use it?
- setsebool – ONLY THIS SESSION! (without -P the change is lost at the next reboot or policy reload)
    [root@tachyon ~]# setsebool samba_enable_home_dirs on
    [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
    samba_enable_home_dirs --> on
- setsebool -P – persistent (written to the policy store, so it survives a reboot)
    [root@tachyon ~]# setsebool -P samba_enable_home_dirs on
    [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
    samba_enable_home_dirs --> on

Slides 106-107: SELinux – Lessons
- 1: Try restorecon
- 2: getsebool and setsebool
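As an added illustration (not code from the talk, and not how the kernel or libselinux actually implement it), here is a toy model in Python of the three ideas on the demystifying slides: every process and file has a context, a database of allow rules says which process type may do what to which object type, and booleans switch groups of those rules on or off. The rule set is made up for the example; smbd_t, samba_enable_home_dirs, hald_t, etc_t and user_tmp_t are borrowed from the slides purely as names.

```python
"""Toy model of how SELinux decides: contexts, a database of allow rules,
and booleans that switch groups of rules on or off.

Added illustration for this transcript. It is not kernel or libselinux code,
and the handful of rules below is constructed for the example, not the real
Fedora targeted policy.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """A label such as system_u:system_r:hald_t:s0 split into its four fields."""
    user: str
    role: str
    type: str
    range: str = "s0"

    @classmethod
    def parse(cls, label: str) -> "Context":
        # user:role:type[:range]; the MLS range may itself contain ':'
        # (s0-s0:c0.c1023), so split at most three times.
        user, role, type_, *rest = label.split(":", 3)
        return cls(user, role, type_, rest[0] if rest else "s0")


@dataclass(frozen=True)
class AllowRule:
    source: str                    # process (subject) type, e.g. smbd_t
    target: str                    # object type, e.g. user_home_t
    tclass: str                    # object class, e.g. file
    perms: FrozenSet[str]          # permissions the rule grants
    boolean: Optional[str] = None  # if set, rule is live only while boolean is on


@dataclass
class Policy:
    rules: List[AllowRule]
    booleans: Dict[str, bool] = field(default_factory=dict)

    def setsebool(self, name: str, value: bool) -> None:
        """Flip a boolean, like `setsebool name on|off` (non-persistent form)."""
        if name not in self.booleans:
            raise KeyError("unknown boolean: " + name)
        self.booleans[name] = value

    def check(self, scontext: str, tcontext: str, tclass: str,
              perm: str) -> Tuple[bool, Optional[str]]:
        """Return (allowed, avc_denial_text). Type enforcement compares only
        the type field of each context; user, role and range are ignored here."""
        src = Context.parse(scontext).type
        tgt = Context.parse(tcontext).type
        for rule in self.rules:
            if rule.boolean is not None and not self.booleans.get(rule.boolean, False):
                continue  # whole rule group switched off by its boolean
            if ((rule.source, rule.target, rule.tclass) == (src, tgt, tclass)
                    and perm in rule.perms):
                return True, None
        # Nothing matched: SELinux denies by default and logs an AVC record.
        avc = ("avc: denied { %s } scontext=%s tcontext=%s tclass=%s"
               % (perm, scontext, tcontext, tclass))
        return False, avc


def build_policy() -> Policy:
    """Miniature policy constructed for the example."""
    return Policy(
        rules=[
            AllowRule("smbd_t", "samba_share_t", "file", frozenset({"read", "getattr"})),
            AllowRule("smbd_t", "user_home_t", "file", frozenset({"read", "getattr"}),
                      boolean="samba_enable_home_dirs"),
            AllowRule("hald_t", "etc_t", "file", frozenset({"read", "getattr", "open"})),
        ],
        booleans={"samba_enable_home_dirs": False},
    )


SMBD = "system_u:system_r:smbd_t:s0"
HALD = "system_u:system_r:hald_t:s0"
HOME_FILE = "user_u:object_r:user_home_t:s0"
ETC_FILE = "system_u:object_r:etc_t:s0"       # correctly labelled /etc/group
TMP_FILE = "system_u:object_r:user_tmp_t:s0"  # the mislabelled copy from the slides


def demo() -> Dict[str, object]:
    """Replay the situations from the talk and return the decisions."""
    policy = build_policy()
    out: Dict[str, object] = {}
    # 1. samba home shares: denied until the boolean is switched on
    out["smbd_home_before"] = policy.check(SMBD, HOME_FILE, "file", "read")[0]
    policy.setsebool("samba_enable_home_dirs", True)
    out["smbd_home_after"] = policy.check(SMBD, HOME_FILE, "file", "read")[0]
    # 2. hald reading a properly labelled /etc/group: allowed
    out["hald_etc"] = policy.check(HALD, ETC_FILE, "file", "read")[0]
    # 3. hald reading the copy that kept its user_tmp_t label: denied, with an
    #    AVC line of the same shape as the ones in /var/log/audit/audit.log
    allowed, avc = policy.check(HALD, TMP_FILE, "file", "read")
    out["hald_tmp"] = allowed
    out["hald_tmp_avc"] = avc
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point of the third case is that no boolean would help hald: the rule it needs (hald_t reading etc_t) already exists, and the object simply carries the wrong label. Only the setsebool form without -P is modelled; persistence is a property of the on-disk policy store and outside the toy.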
Slides 108-113: SELinux – how do I see it?
- Some commands have the -Z option
  - ls -Z
  - netstat -Z
  - ps -Z
- Audit messages go to /var/log/audit/audit.log
  - Some messages may be in /var/log/messages

Slides 114-115: SELinux – how do I see it?
    [root@tachyon ~]# tail -4 /var/log/audit/audit.log
    type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
    type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)

Reading an AVC record: the process type is in scontext (hald_t), the object type in tcontext (user_tmp_t), the object class in tclass (file) and the refused permission in braces (read). The SYSCALL record with the same serial number (62, then 63) names the binary (exe) and shows the call failing with exit=-13, i.e. EACCES. This is the mislabelled /etc/group from the restorecon example: hald is allowed to read etc_t, but the file it found was labelled user_tmp_t.

Slide 116: SELinux – how do I use it?
    [root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why
    type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
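As an added example (not part of the talk, and not the code of audit2why, audit2allow or setroubleshoot), the Python script below parses audit records like the ones above, pairs each AVC line with its SYSCALL line by the audit serial number, groups repeated denials, and applies the talk's own order of attack: a suspicious label on the object means restorecon first, otherwise look for a boolean, and only then reach for audit2why and audit2allow. The sample log is the four hald records from the slides plus one constructed smbd denial; the set of "suspect" target types is a heuristic chosen for this example, not an official classification.

```python
"""Triage SELinux AVC denials from /var/log/audit/audit.log.

Added example for this transcript. It is not audit2why, audit2allow or
setroubleshoot code. It parses AVC and SYSCALL records, pairs them by audit
serial number, groups repeated denials, and applies the talk's order of
attack: suspicious label -> restorecon first; otherwise look for a boolean,
and only then reach for audit2why/audit2allow.
"""
import re
from typing import List

# Types a system daemon should rarely be touching. A denial against one of
# these usually means a file was created elsewhere and moved, as with the
# cp/mv of /etc/group on the slides. Heuristic list chosen for this example.
SUSPECT_TARGET_TYPES = {"user_tmp_t", "tmp_t", "unlabeled_t", "default_t"}

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_record(line: str) -> dict:
    """One audit record -> dict of key=value fields, plus time/serial/perms."""
    rec = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _MSG_RE.search(line)
    if m:
        rec["time"], rec["serial"] = m.group(1), m.group(2)
    d = _DENIED_RE.search(line)
    if d:
        rec["perms"] = tuple(d.group(1).split())
    return rec


def type_of(context: str) -> str:
    """Third field of user:role:type[:range]; the only part TE rules look at."""
    return context.split(":")[2]


def triage(log_lines: List[str]) -> List[dict]:
    """Group denials and attach advice. One entry per distinct
    (source type, target type, class, perms, object name)."""
    avcs, syscalls = [], {}
    for line in log_lines:
        rec = parse_record(line.strip())
        if rec.get("type") == "AVC" and "perms" in rec:
            avcs.append(rec)
        elif rec.get("type") == "SYSCALL":
            syscalls[rec.get("serial")] = rec  # same serial as its AVC line
    groups = {}
    for rec in avcs:
        stype, ttype = type_of(rec["scontext"]), type_of(rec["tcontext"])
        key = (stype, ttype, rec["tclass"], rec["perms"], rec.get("name"))
        g = groups.setdefault(key, {"count": 0, "pids": set(), "exe": None, "exit": None})
        g["count"] += 1
        g["pids"].add(rec.get("pid"))
        sc = syscalls.get(rec.get("serial"))
        if sc:  # the SYSCALL record carries the binary and the errno
            g["exe"], g["exit"] = sc.get("exe"), sc.get("exit")
    report = []
    for (stype, ttype, tclass, perms, name), g in groups.items():
        if tclass in ("file", "dir", "lnk_file") and ttype in SUSPECT_TARGET_TYPES:
            advice = ("object %r is labelled %s: probably mislabelled, locate it "
                      "and run restorecon -v on it" % (name, ttype))
        else:
            daemon = stype[:-2] if stype.endswith("_t") else stype
            advice = ("check `getsebool -a | grep %s` for a boolean that covers "
                      "this; if none does, run the AVC through audit2why, and use "
                      "audit2allow only as a last resort" % daemon)
        report.append({"source": stype, "target": ttype, "tclass": tclass,
                       "perms": perms, "name": name, "count": g["count"],
                       "pids": sorted(p for p in g["pids"] if p),
                       "exe": g["exe"], "exit": g["exit"], "advice": advice})
    return report


# Sample input: the four hald records shown on the slides, plus one constructed
# smbd denial so that the boolean branch is exercised too.
SAMPLE_LOG = [
    'type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)',
    'type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)',
    # constructed: smbd denied on a home-directory file (a boolean question, not a label one)
    'type=AVC msg=audit(1219408200.100:70): avc: denied { read } for pid=3010 comm="smbd" name="notes.txt" dev=dm-0 ino=98765 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print("%(count)dx %(source)s -> %(target)s:%(tclass)s %(perms)s "
              "exe=%(exe)s exit=%(exit)s" % entry)
        print("   ", entry["advice"])
```

Run against the real file with `sudo python3 avc_triage.py < /dev/null` adapted to read `open("/var/log/audit/audit.log")` instead of SAMPLE_LOG; the grouping matters because a single mislabelled file typically produces hundreds of identical AVC lines, and the advice string is where you would plug in your own site rules.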
Slides 117-125: SELinux – Lessons
- 1: Try restorecon
- 2: getsebool and setsebool
- 3: audit2why or audit2allow
  - unless you're working on a system daemon problem.
  - Much more, but it's not for every day.

A caveat on step 3: audit2allow only tells you which rule would make the denial go away, not whether that rule is the right fix. In the hald example above, the denial came from a mislabelled file; the rule audit2allow would generate (allow hald_t user_tmp_t:file read;) would let hald read any tmp-labelled file from then on, widening the policy to paper over a labelling mistake. That is why the lessons are ordered as they are: restorecon first, booleans second, new policy last.

Slides 126-127: Questions?
- Best effort only ☺

