SlideShare a Scribd company logo

SELinux for Everyday Users

‱Download as ODP, PDF‱
‱
P
PaulWay

Much has been written on SELinux, and a lot of it seems confusing. It's buzzword heavy, involves locking your computer up, has a strange new set of permissions that are obscure in architecture and silently fails where things used to just work. Why use it? Well, for most people, it's not actually that hard to understand. In this talk, Paul Wayper talks about how to make sense of what SELinux does, and how to keep it out of the way and get on with using your computer. In the process Paul will deal with the background to SELinux, what it's main aims are, and why you really do want it turned on.

Technology
1 of 66
SELinux for everyday users
SELinux Don't be afraid!
SELinux – the bad ,[object Object]
SELinux – the bad ,[object Object]
Mandatory Access Control
SELinux – the bad ,[object Object]
Mandatory Access Control
Infested with jargon ,[object Object]
SELinux – the bad ,[object Object]
Mandatory Access Control
Infested with jargon
Breaks systems ,[object Object]
Applications stop working
Can't make it stop
SELinux – the bad ,[object Object]
SELinux – the bad ,[object Object]
Uses Debian
SELinux – the bad ,[object Object]
Uses Debian
Not an everyday user!
SELinux Don't be afraid!
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
SELinux – the good ,[object Object]
Fedora since Core 2 (2004)
RHEL since version 4 (2005)
SELinux – the good ,[object Object]
Fedora since Core 2 (2004)
RHEL since version 4 (2005)
Debian since Etch (2007)
Ubuntu since Hardy Heron 8.04 (2008)
SELinux How does it work?
SELinux – the basics ,[object Object]
SELinux – the basics ,[object Object]
Packaged security policy
SELinux – the basics ,[object Object]
Packaged security policy
Checks database of rules on syscalls
SELinux – the basics ,[object Object]
Packaged security policy
Checks database of rules on syscalls
Allows or denies based on policy
SELinux What does it really do?
SELinux – what does it do? ,[object Object],tchmilfan : didi! - http://www.flickr.com/photos/tchmilfan/1033216436/
SELinux – what does it do? ,[object Object]
SELinux – what does it do? ,[object Object]
Policies limit what a daemon can access and how.
SELinux – what does it do? ,[object Object]
Policies limit what a daemon can access and how.
Prevents daemon compromise affecting other files.
SELinux – what does it do? ,[object Object]
Policies limit what a daemon can access and how.
Prevents daemon compromise affecting other files / users / ports / etc.
SELinux – what does it do? ,[object Object]
User processes are unaffected
SELinux – what does it do? ,[object Object]
User processes are unaffected ,[object Object]
SELinux – what does it do? ,[object Object]
User processes are unaffected ,[object Object]
Firefox still gets to crash your system
SELinux – what does it do? ,[object Object]
User processes are unaffected ,[object Object]
Firefox still gets to crash your system
New policy being written to help that

Recommended

Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For Sysadmins
PaulWay
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
Dmytro Minochkin
 
Selinux
SelinuxSelinux
Selinux
Ankit Raj
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
FFRI, Inc.
 
Linux LVM Logical Volume Management
Linux LVM Logical Volume ManagementLinux LVM Logical Volume Management
Linux LVM Logical Volume Management
Manolis Kartsonakis
 
Introduction to SELinux Part-I
Introduction to SELinux Part-IIntroduction to SELinux Part-I
Introduction to SELinux Part-I
n|u - The Open Security Community
 
そろそろSELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸ
そろそろSELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸăă‚ăă‚SELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸ
そろそろSELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸ
Atsushi Mitsu
 

Recommended

Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For Sysadmins
PaulWay
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
Dmytro Minochkin
 
Selinux
SelinuxSelinux
Selinux
Ankit Raj
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
FFRI, Inc.
 
Linux LVM Logical Volume Management
Linux LVM Logical Volume ManagementLinux LVM Logical Volume Management
Linux LVM Logical Volume Management
Manolis Kartsonakis
 
Introduction to SELinux Part-I
Introduction to SELinux Part-IIntroduction to SELinux Part-I
Introduction to SELinux Part-I
n|u - The Open Security Community
 
そろそろSELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸ
そろそろSELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸăă‚ăă‚SELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸ
そろそろSELinux ă‚’æœ‰ćŠčă«ă—ăŠăżăŸă›ă‚“ă‹ïŒŸ
Atsushi Mitsu
 
Linux basics part 1
Linux basics part 1Linux basics part 1
Linux basics part 1
Lilesh Pathe
 
Linux presentation
Linux presentationLinux presentation
Linux presentation
Nikhil Jain
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
Jooho Lee
 
Users and groups
Users and groupsUsers and groups
Users and groups
Varnnit Jain
 
Selinux
SelinuxSelinux
Selinux
Mohitgupta8560
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
mukul bhardwaj
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
Emre Can Kucukoglu
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
Adrien Mahieux
 
Linux: LVM
Linux: LVMLinux: LVM
Linux: LVM
Michal Sedlak
 
An Introduction to Linux
An Introduction to LinuxAn Introduction to Linux
An Introduction to Linux
anandvaidya
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic Control
SUSE Labs Taipei
 
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissions
Shay Cohen
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
JĂ©rĂŽme Petazzoni
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentals
Raghu nath
 
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-ITPresentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Md. Abdul Barek
 
Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
IkiArif1
 
Installing & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOSInstalling & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOS
Devin Olson
 
Course 102: Lecture 14: Users and Permissions
Course 102: Lecture 14: Users and PermissionsCourse 102: Lecture 14: Users and Permissions
Course 102: Lecture 14: Users and Permissions
Ahmed El-Arabawy
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 
User and groups administrator
User and groups administratorUser and groups administrator
User and groups administrator
Aisha Talat
 
Ubuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesUbuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security Features
Dustin Kirkland
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
Lubomir Rintel
 

More Related Content

What's hot

Linux presentation
Linux presentationLinux presentation
Linux presentation
Nikhil Jain
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
mukul bhardwaj
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
JĂ©rĂŽme Petazzoni
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentals
Raghu nath
 
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-ITPresentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Md. Abdul Barek
 

What's hot (20)

Linux basics part 1
Linux basics part 1Linux basics part 1
Linux basics part 1
 
Linux presentation
Linux presentationLinux presentation
Linux presentation
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
Users and groups
Users and groupsUsers and groups
Users and groups
 
Selinux
SelinuxSelinux
Selinux
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
Linux: LVM
Linux: LVMLinux: LVM
Linux: LVM
 
An Introduction to Linux
An Introduction to LinuxAn Introduction to Linux
An Introduction to Linux
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic Control
 
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissions
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentals
 
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-ITPresentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
 
Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
 
Installing & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOSInstalling & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOS
 
Course 102: Lecture 14: Users and Permissions
Course 102: Lecture 14: Users and PermissionsCourse 102: Lecture 14: Users and Permissions
Course 102: Lecture 14: Users and Permissions
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
User and groups administrator
User and groups administratorUser and groups administrator
User and groups administrator
 

Viewers also liked

46 customizing se linux policy
46 customizing se linux policy46 customizing se linux policy
46 customizing se linux policy
Aprende Viendo
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systems
Dayal Dilli
 
Linux apache installation
Linux apache installationLinux apache installation
Linux apache installation
Dima Gomaa
 
Webmin configuration in Linux
Webmin configuration in LinuxWebmin configuration in Linux
Webmin configuration in Linux
Thamizharasan P
 

Viewers also liked (20)

Ubuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security FeaturesUbuntu 16.04 LTS Security Features
Ubuntu 16.04 LTS Security Features
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
 
Supply Chain som VĂŠrdiskaber - Associate Professor Kim Sundtoft Hald
Supply Chain som VĂŠrdiskaber - Associate Professor Kim Sundtoft HaldSupply Chain som VĂŠrdiskaber - Associate Professor Kim Sundtoft Hald
Supply Chain som VĂŠrdiskaber - Associate Professor Kim Sundtoft Hald
 
46 customizing se linux policy
46 customizing se linux policy46 customizing se linux policy
46 customizing se linux policy
 
Ubuntu an absolute beginners guide
Ubuntu an absolute beginners guideUbuntu an absolute beginners guide
Ubuntu an absolute beginners guide
 
Linux training
Linux trainingLinux training
Linux training
 
Linux Based Network Proposal
Linux Based Network ProposalLinux Based Network Proposal
Linux Based Network Proposal
 
Linux conf-admin
Linux conf-adminLinux conf-admin
Linux conf-admin
 
CLUG 2010 09 - systemd - the new init system
CLUG 2010 09 - systemd - the new init systemCLUG 2010 09 - systemd - the new init system
CLUG 2010 09 - systemd - the new init system
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systems
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
 
Linux apache installation
Linux apache installationLinux apache installation
Linux apache installation
 
ISCSI server configuration
ISCSI server configurationISCSI server configuration
ISCSI server configuration
 
Nagios Conference 2013 - David Stern - The Nagios Light Bar
Nagios Conference 2013 - David Stern - The Nagios Light BarNagios Conference 2013 - David Stern - The Nagios Light Bar
Nagios Conference 2013 - David Stern - The Nagios Light Bar
 
OS Security 2009
OS Security 2009OS Security 2009
OS Security 2009
 
Apache server configuration
Apache server configurationApache server configuration
Apache server configuration
 
DNS server configurationDns server configuration
DNS server configurationDns server configurationDNS server configurationDns server configuration
DNS server configurationDns server configuration
 
Network configuration in Linux
Network configuration in LinuxNetwork configuration in Linux
Network configuration in Linux
 
Webmin configuration in Linux
Webmin configuration in LinuxWebmin configuration in Linux
Webmin configuration in Linux
 
Samba server configuration
Samba server configurationSamba server configuration
Samba server configuration
 

Similar to SELinux for Everyday Users

SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
Jayant Chutke
 
SELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptxSELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptx
AbhradipChatterjee2
 
Ú©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinux
Ú©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinuxÚ©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinux
Ú©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinux
ŰŹŰŽÙ†ÙˆŰ§Ű±Ù‡Ù” Ű±ÙˆŰČ ŰąŰČŰ§ŰŻÛŒ Ù†Ű±Ù…â€ŒŰ§ÙŰČۧ۱ ŰȘÙ‡Ű±Ű§Ù†
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently
chinkshady
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
Ashley Deuble
 
Divya
DivyaDivya
Divya
diva23
 
Divya
DivyaDivya
Divya
diva23
 

Similar to SELinux for Everyday Users (20)

SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
 
How to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNHow to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MN
 
SELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptxSELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptx
 
Ú©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinux
Ú©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinuxÚ©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinux
Ú©Ű§Ű±ÚŻŰ§Ù‡ Ű§Ù…Ù†ÛŒŰȘ ۚۧ ŰčÙ†ÙˆŰ§Ù† Stop Disabling SElinux
 
File000127
File000127File000127
File000127
 
SELinux workshop
SELinux workshopSELinux workshop
SELinux workshop
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Hiding files.pptx
Hiding files.pptxHiding files.pptx
Hiding files.pptx
 
Linux remote
Linux remoteLinux remote
Linux remote
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
 
About linux-english
About linux-englishAbout linux-english
About linux-english
 
SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
 
App locker
App lockerApp locker
App locker
 
Divya
DivyaDivya
Divya
 
Divya
DivyaDivya
Divya
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
Femke de Vroome
 

Recently uploaded (20)

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Intro in Product Management - ĐšĐŸŃ€ĐŸŃ‚ĐșĐŸ ĐżŃ€ĐŸ ĐżŃ€ĐŸŃ„Đ”ŃŃ–ŃŽ ĐżŃ€ĐŸĐŽĐ°Đșт ĐŒĐ”ĐœĐ”ĐŽĐ¶Đ”Ń€Đ°
Intro in Product Management - ĐšĐŸŃ€ĐŸŃ‚ĐșĐŸ ĐżŃ€ĐŸ ĐżŃ€ĐŸŃ„Đ”ŃŃ–ŃŽ ĐżŃ€ĐŸĐŽĐ°Đșт ĐŒĐ”ĐœĐ”ĐŽĐ¶Đ”Ń€Đ°Intro in Product Management - ĐšĐŸŃ€ĐŸŃ‚ĐșĐŸ ĐżŃ€ĐŸ ĐżŃ€ĐŸŃ„Đ”ŃŃ–ŃŽ ĐżŃ€ĐŸĐŽĐ°Đșт ĐŒĐ”ĐœĐ”ĐŽĐ¶Đ”Ń€Đ°
Intro in Product Management - ĐšĐŸŃ€ĐŸŃ‚ĐșĐŸ ĐżŃ€ĐŸ ĐżŃ€ĐŸŃ„Đ”ŃŃ–ŃŽ ĐżŃ€ĐŸĐŽĐ°Đșт ĐŒĐ”ĐœĐ”ĐŽĐ¶Đ”Ń€Đ°
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 

SELinux for Everyday Users

  • 3.
  • 4.
  • 6.
  • 8.
  • 9.
  • 12.
  • 15.
  • 16.
  • 18.
  • 21. SELinux Don't be afraid!
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27. Fedora since Core 2 (2004)
  • 28. RHEL since version 4 (2005)
  • 29.
  • 30. Fedora since Core 2 (2004)
  • 31. RHEL since version 4 (2005)
  • 33. Ubuntu since Hardy Heron 8.04 (2008)
  • 34. SELinux How does it work?
  • 35.
  • 36.
  • 38.
  • 40. Checks database of rules on syscalls
  • 41.
  • 43. Checks database of rules on syscalls
  • 44. Allows or denies based on policy
  • 45. SELinux What does it really do?
  • 46.
  • 47.
  • 48.
  • 49. Policies limit what a daemon can access and how.
  • 50.
  • 51. Policies limit what a daemon can access and how.
  • 52. Prevents daemon compromise affecting other files.
  • 53.
  • 54. Policies limit what a daemon can access and how.
  • 55. Prevents daemon compromise affecting other files / users / ports / etc.
  • 56.
  • 57. User processes are unaffected
  • 58.
  • 59.
  • 60.
  • 61.
  • 62. Firefox still gets to crash your system
  • 63.
  • 64.
  • 65. Firefox still gets to crash your system
  • 66. New policy being written to help that
  • 67.
  • 68.
  • 69.
  • 70. A file has a context
  • 71.
  • 72.
  • 73.
  • 74.
  • 75.
  • 77. ps -Z
  • 78.
  • 79. netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
  • 80. ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
  • 81.
  • 82. netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r: unconfined_execmem_t :s0-s0:c0.c1023
  • 83. ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
  • 84. The type_t is the only thing you need look at
  • 85.
  • 86.
  • 87.
  • 88.
  • 89.
  • 90. Looks up the database of rules and finds the correct context for that file
  • 91. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
  • 92. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group
  • 93. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group [root@tachyon ~]# restorecon -R -v /etc/group restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0 [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
  • 94.
  • 95.
  • 96.
  • 97.
  • 98.
  • 99.
  • 100.
  • 101.
  • 102.
  • 103.
  • 104.
  • 105.
  • 106.
  • 107. 2: getsebool and setsebool
  • 108.
  • 110.
  • 111.
  • 113.
  • 114. SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log
  • 115. SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
  • 116. SELinux – how do I use it? [root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.
  • 117.
  • 118. 2: getsebool and setsebool
  • 119. 3: audit2why or audit2allow
  • 120.
  • 121. 2: getsebool and setsebool
  • 122.
  • 123.
  • 124. 2: getsebool and setsebool
  • 125.
  • 127.