
How to live with SELinux

Presentation I gave for the people at whitespace, Ghent.

Published in: Technology


  1. How to live with SELinux. Bert Desmet, Fedora Ambassador
  2. You can find me here
     - Kruishoutem, Belgium
     - www.bdesmet.be
     - www.devnox.be
     - www.fedoraproject.org/wiki/user:biertie
     - www.identi.ca/bdesmet
     - IRC: biertie @ Freenode / Quakenet
     - Mail: [email_address]
     - Google me for more
     And if you have any questions, feel free to contact me.
  10. What I do
     - I am still a student ([email_address])
       - President CFK
     - Job hunting
     - Fedora
       - Fedora Ambassador
       - Designer of the T-shirt
       - Organise some events
     - Start-up projects: too many
     Oh, and I love to party!
  14. How to live with SELinux
  15. Table of contents
     - Introduction
     - Booleans and ports
     - Contexts and labels
     - Backing up and copying
     - Your own policies
  20. What is SELinux?
     - Kernel-based security system
     - Built by the NSA
     - 3 'functions'
       - MLS/MCS: multi-level protection
       - RBAC: user privilege controls
       - TE: application isolation
     - Enabled by default on RH / Fedora
  25. Why would I?
     - Good access control
     - Reduces vulnerability to attacks
     - Confined services
  28. but
     - No antivirus
     - No firewall
     - ...
  31. keywords
     - Objects
       - Files, devices, users, processes, ...
       - Everything in the operating system
     - Context
       - Name for the object
     - Policy
       - Defines how objects interact
  33. configuration
     - 3 modes
       - Enforcing, Permissive, Disabled
     - 2 types
       - Targeted, Strict
     - Permanent: edit /etc/selinux/config
     - Until next reboot: setenforce {0|1}
       - Only Permissive (0) or Enforcing (1)
     - Check running config with sestatus
  35. Logging
     - SELinux denial messages
       - /var/log/audit/audit.log
       - ausearch -m avc
     - If rsyslogd is running:
       - /var/log/messages
  38. Managing booleans
     - List all booleans
       - getsebool -a
       - semanage boolean -l
     - Set a boolean
       - setsebool $boolean {on|off}
       - setsebool -P $boolean {on|off} (persistent across reboots)
  41. Managing ports
     - List services and the ports they may use
       - semanage port -l
     - Add a port
       - semanage port -a -t $type -p {tcp|udp} $port
     - Delete a port
       - semanage port -d -t $type -p {tcp|udp} $port
  43. SELinux contexts
     - ls -Z, ps -Z, id -Z
       - unconfined_u:object_r:httpd_sys_content_t:s0
         - unconfined_u: user context for the object
         - object_r: role aspect for the context
         - httpd_sys_content_t: type
         - s0: level of security
  47. Change context
     - Temporary
       - chcon -t $type ${file|dir}name
     - Persistent
       - semanage fcontext -a -t $type ${file|dir}name
     - Restore context
       - restorecon -v ${file|dir}name
       - semanage fcontext -d ${file|dir}name
  49. Relabeling the fs
     - With reboot (preferred!)
       - touch /.autorelabel
       - reboot
     - Without reboot
       - fixfiles relabel
       - fixfiles -R $packagename restore
  52. Mounting file systems
     - The mount command
       - mount server:/export /mount -t nfs -o context="system_u:object_r:context_t:s0"
       - mount /dev/sda2 /foo -o defcontext="system_u:object_r:context_t:s0"
     - Works for multiple NFS mounts
  55. Copying
     - cp doesn't save the context
     - Copy with context
       - Add the '--preserve=context' flag
     - Copy while changing context
       - cp -Z system_u:object_r:context_t:s0 $file $destination
  57. Moving
     - The mv command doesn't move the context over different partitions
     - It does when you move on the same partition
     - Use the cp command
  60. Tarring
     - tar doesn't keep contexts by default
       - Use the --selinux flag
     - Untar an archive without extended attributes
       - tar -xvf $archive | restorecon -f -
  62. Troubles?
     - audit2allow
       - Gives you decent tips
     - matchpathcon -V $dir
       - Checks the context of a dir
     - semodule -DB
       - Allow all denials to be logged (disables the dontaudit rules)
  63. Creating policies
     - Grep for the right error in the audit log
     - audit2allow -am $name > $name.te
     - -D flag
  66. Applying policies
     - audit2allow -M $name
     - semodule -i $name.pp
  68. So why do we enable it?
     - It's easy
     - It's secure
  70. references
     - Fedora SELinux documentation
       - http://docs.fedoraproject.org
     - Dan Walsh
       - http://danwalsh.livejournal.com
     - Fedora SELinux team
       - #fedora-selinux @ freenode
     - Linux training
       - http://linux-training.be
  71. Questions?
     - E-mail: [email_address]
     - Twitter: @biertie
     - identi.ca: @bdesmet
     - Web: http://bdesmet.be
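Added example, not part of the slides: a POSIX shell helper for the "Managing ports" slide (41). It parses a constructed excerpt of semanage port -l output, finds which type already owns a port, and prints the semanage port command that applies; the names port_owner and port_action and the sample listing are assumptions of this example, not anything from the deck.

```shell
#!/bin/sh
# Added example, not from the slides. Constructed excerpt of `semanage port -l`
# output (not captured from a real host).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999'

# port_owner PORT PROTO < list: print the type that owns PORT/PROTO (single
# ports or ranges such as 5900-5999); print nothing when the port is unowned.
port_owner() {
    awk -v p="$1" -v pr="$2" '
    NR > 1 && NF >= 3 && $2 == pr {
        for (i = 3; i <= NF; i++) {
            n = $i; sub(/,$/, "", n)
            lo = n; hi = n
            if (index(n, "-")) { split(n, r, "-"); lo = r[1]; hi = r[2] }
            if (p + 0 >= lo + 0 && p + 0 <= hi + 0) { print $1; exit }
        }
    }'
}

# port_action PORT PROTO TYPE < list: print the semanage command that labels
# PORT/PROTO as TYPE. "semanage port -a" refuses a port that is already
# defined for another type ("already defined"), so that case needs -m instead.
port_action() {
    owner=$(port_owner "$1" "$2")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $3 -p $2 $1"
    elif [ "$owner" = "$3" ]; then
        echo "nothing to do: $2/$1 is already $3"
    else
        echo "semanage port -m -t $3 -p $2 $1"
    fi
}

# Demo: a web server that has been moved to port 8080.
printf '%s\n' "$SAMPLE_PORT_LIST" | port_action 8080 tcp http_port_t
```

On a real host, feed the functions with `semanage port -l | port_action 8080 tcp http_port_t` instead of the sample listing.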
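Added example, not part of the slides: a POSIX shell/awk version of the "SELinux contexts" (43-46) and "Creating policies" (63-67) material. It splits the user:role:type:level contexts out of a constructed audit.log AVC denial and prints the allow rule that audit2allow would derive from it; context_type, avc_to_allow and the sample log line are names and data made up for this example.

```shell
#!/bin/sh
# Added example, not from the slides. Constructed AVC denial in audit.log
# format (not captured from a real host): httpd was refused "read" on a file
# labelled user_home_t instead of httpd_sys_content_t.
SAMPLE_AVC='type=AVC msg=audit(1300000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# A context is user:role:type:level (slide 43); the type is the third field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC lines on stdin and print, for each denial, the allow rule that
# audit2allow would derive:  allow <source type> <target type>:<class> { perms };
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # permissions are listed between braces, e.g. "{ read open }"
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") split(kv[2], s, ":")
            if (kv[1] == "tcontext") split(kv[2], t, ":")
            if (kv[1] == "tclass")   cls = kv[2]
        }
        printf "allow %s %s:%s { %s };\n", s[3], t[3], cls, perms
    }'
}

# Demo: the denial above becomes  allow httpd_t user_home_t:file { read };
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Treat the generated rule as a diagnosis rather than the fix: here the target is web content labelled user_home_t, so matchpathcon -V and restorecon on the path (slide 62) are the right remedy, while loading the allow rule with semodule would only widen what httpd_t may read.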