How to live with SELinux


Presentation I gave for the people at Whitespace, Ghent.


How to live with SELinux
Bert Desmet, Fedora Ambassador

You can find me here
  - Kruishoutem, Belgium
  - www.bdesmet.be
  - www.devnox.be
  - www.fedoraproject.org/wiki/user:biertie
  - www.identi.ca/bdesmet
  - IRC: biertie on Freenode / QuakeNet
  - Mail: [email_address]
  - Google me for more
  And if you have any questions, feel free to contact me.

What I do
  - I am still a student ( [email_address] )
    - President of CFK
  - Job hunting
  - Fedora
    - Fedora Ambassador
    - Designer of the T-shirt
    - Organise some events
  - Start-up projects: too many
  Oh, and I love to party!

Table of contents
  - Introduction
  - Booleans and ports
  - Contexts and labels
  - Backing up and copying
  - Your own policies

What is SELinux?
  - Mandatory access control implemented in the kernel (as a Linux Security Module), on top of the normal Unix permissions
  - Originally built by the NSA
  - 3 'functions'
    - MLS/MCS: Multi-Level / Multi-Category Security; labels carry a sensitivity level and optional categories
    - RBAC: Role-Based Access Control; which roles a SELinux user may take and which domains a role may run in
    - TE: Type Enforcement; every process runs in a domain (a type) and may only touch objects whose types the policy allows. This is the part that isolates applications from each other.
  - Enabled by default on Red Hat / Fedora (targeted policy)

Why would I?
  - Fine-grained access control that even root cannot simply bypass
  - Reduces what an attack can do: a compromised service is limited to what its policy allows
  - Confined services

but
  - It is not an antivirus
  - It is not a firewall: it does not filter packets, it only limits which ports a domain may bind to or connect to
  - .... It complements those tools; it does not replace them.

keywords
  - Objects
    - Files, devices, sockets, users, processes, ...: everything in the operating system. The process doing the access is the subject; whatever it accesses is the object.
  - Context
    - The label attached to every subject and object (user:role:type:level)
  - Policy
    - The rules that define which contexts may interact, and how. Anything the policy does not allow is denied.

configuration
  - 3 modes
    - Enforcing (denials are blocked and logged), Permissive (denials are only logged), Disabled (no labelling at all)
  - 2 types
    - Targeted (only selected services are confined, everything else runs unconfined), Strict (everything is confined)
  - Permanent: edit /etc/selinux/config (SELINUX= for the mode, SELINUXTYPE= for the policy type)
  - Until the next reboot: setenforce {0|1}
    - Only switches between Permissive (0) and Enforcing (1); you cannot disable SELinux, or come back from Disabled, without a reboot
    - Coming back from Disabled also needs a full relabel (touch /.autorelabel), because files created while it was disabled carry no labels
  - Check the running configuration with sestatus (getenforce prints just the mode)

Logging
  - SELinux denial messages (AVC denials) go to the audit log
    - /var/log/audit/audit.log
    - ausearch -m avc (for example ausearch -m avc -ts today)
  - If auditd is not running, the kernel sends them to syslog instead
    - /var/log/messages (setroubleshoot, if installed, also writes its "SELinux is preventing ..." summaries there)

Managing booleans
  - List all booleans
    - getsebool -a
    - semanage boolean -l (also shows a description of each boolean)
  - Set a boolean
    - setsebool $boolean {on|off}: until the next reboot
    - setsebool -P $boolean {on|off}: persistent (-P writes it to the policy store)

Managing ports
  - List the port types and the ports each of them may use
    - semanage port -l
  - Add a port to a type
    - semanage port -a -t $type -p {tcp|udp} $port
  - Delete a port
    - semanage port -d -t $type -p {tcp|udp} $port
  - A port that is already defined for another type cannot be added a second time; semanage port -m reassigns an existing entry
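Before running semanage port -a you want to know which type, if any, already owns the port, because an existing entry makes -a fail. The script below is an added example, not part of the talk: port_owner parses the table printed by semanage port -l (including ranges such as 5900-5999) and label_port uses it to decide what to do. The excerpt of semanage port -l embedded in it is constructed for the demo from a few real port types, so the parser runs on a machine without SELinux; label_port itself needs semanage.

```shell
#!/usr/bin/env bash
# port_owner PORT PROTO -- reads `semanage port -l` output on stdin and prints the
# type(s) whose port list contains PORT for that protocol (nothing if it is unreserved).
port_owner() {
  awk -v port="$1" -v proto="$2" '
    NR == 1 || NF < 3 { next }             # header line and blank lines
    $2 != proto       { next }             # column 2 is tcp or udp
    {
      for (i = 3; i <= NF; i++) {          # columns 3.. hold "80, 81, 443" or "5900-5999"
        p = $i; gsub(",", "", p)
        if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 } else { lo = hi = p + 0 }
        if (port + 0 >= lo && port + 0 <= hi) print $1
      }
    }'
}

# label_port TYPE PROTO PORT -- add the port to TYPE if nobody owns it yet.
# `semanage port -a` refuses a port that is already defined; reassigning one needs
# `semanage port -m`, which only works on a port that has its own entry, so that case
# is reported instead of guessed at.
label_port() {
  local type=$1 proto=$2 port=$3 owner
  owner=$(semanage port -l | port_owner "$port" "$proto")
  if [ -z "$owner" ]; then
    semanage port -a -t "$type" -p "$proto" "$port"
  elif [ "$owner" = "$type" ]; then
    echo "$proto/$port is already labelled $type"
  else
    echo "$proto/$port is already defined for $owner; use 'semanage port -m' (single-port entries only) or pick another port" >&2
    return 1
  fi
}

# Constructed excerpt of `semanage port -l` so the parser can be exercised offline.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
vnc_port_t                     tcp      5900-5999'

# Demo on the sample: 8443 -> http_port_t, 5950 -> vnc_port_t (inside a range),
# 63140 -> mysqld_port_t, 8080 -> nothing (free to add with semanage port -a).
for port in 8443 5950 63140 8080; do
  printf 'tcp/%s: %s\n' "$port" "$(printf '%s\n' "$SAMPLE_PORT_LIST" | port_owner "$port" tcp)"
done
```

On a real system the same check is `semanage port -l | port_owner 8080 tcp`; an empty answer means `semanage port -a -t http_port_t -p tcp 8080` will succeed, a non-empty one names the type you would be fighting with.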
SELinux contexts
  - Show them with ls -Z, ps -eZ, id -Z
    - unconfined_u:object_r:httpd_sys_content_t:s0
      - unconfined_u: the SELinux user the object belongs to (not the same thing as the Linux user)
      - object_r: the role. Files always carry object_r; processes carry a role such as system_r or unconfined_r
      - httpd_sys_content_t: the type. Under the targeted policy almost every access decision is made on this field
      - s0: the MLS/MCS level: a sensitivity, optionally followed by a category set such as s0:c0.c1023 (note the lower-case s0)
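Scripts that pull a field out of a context usually reach for cut -d: -f4, which breaks on exactly the cases above: on an MLS/MCS system the level itself contains colons (s0-s0:c0.c1023), and on a policy without levels there is no fourth field at all. The helper below is an added example, not from the talk: ctx_field splits a context correctly, and label_drift uses it to compare the type a file actually has (stat -c %C) with what the policy says it should have (matchpathcon -n). ctx_field runs anywhere; label_drift assumes a box with SELinux and the policycoreutils tools installed.

```shell
#!/usr/bin/env bash
# ctx_field CONTEXT user|role|type|level -- print one part of a SELinux context.
# The first three fields never contain ':'; everything after the third colon is the
# level, which may contain colons of its own or be absent altogether.
ctx_field() {
  local ctx=$1 want=$2 user role type level rest
  user=${ctx%%:*};  rest=${ctx#*:}
  role=${rest%%:*}; rest=${rest#*:}
  case $rest in
    *:*) type=${rest%%:*}; level=${rest#*:} ;;   # "type:s0-s0:c0.c1023" -> keep the whole tail
    *)   type=$rest;       level= ;;            # "type" only: policy without MLS/MCS levels
  esac
  case $want in
    user)  printf '%s\n' "$user" ;;
    role)  printf '%s\n' "$role" ;;
    type)  printf '%s\n' "$type" ;;
    level) printf '%s\n' "$level" ;;
    *)     echo "ctx_field: unknown field '$want'" >&2; return 2 ;;
  esac
}

# label_drift PATH... -- report files whose on-disk type is not the one the policy
# expects for that path (the usual reason httpd "cannot read" a file it owns).
# `stat -c %C` prints the actual context, `matchpathcon -n` the policy default.
label_drift() {
  local p actual expected rc=0
  for p in "$@"; do
    actual=$(ctx_field "$(stat -c %C "$p")" type)
    expected=$(ctx_field "$(matchpathcon -n "$p")" type)
    if [ "$actual" != "$expected" ]; then
      printf '%s: is %s, policy says %s\n' "$p" "$actual" "$expected"
      rc=1
    fi
  done
  return $rc
}

# Demo on contexts written out by hand (no SELinux needed for this part).
ctx_field unconfined_u:object_r:httpd_sys_content_t:s0 type     # httpd_sys_content_t
ctx_field system_u:system_r:httpd_t:s0-s0:c0.c1023 level        # s0-s0:c0.c1023
ctx_field system_u:object_r:bin_t level                         # (empty: no level field)
```

A typical use is `label_drift /var/www/html/*`: anything it lists is fixed with `restorecon -v` on that path, not with a new policy module.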
Change context
  - Temporary (overwritten by the next relabel)
    - chcon -t $type ${file|dir}name
  - Persistent: record the rule in the policy store, then apply it
    - semanage fcontext -a -t $type "${file|dir}name" (the argument is a regular expression; for a whole tree use something like '/srv/www(/.*)?')
    - restorecon -Rv ${file|dir}name
  - Restore the default context
    - restorecon -v ${file|dir}name
  - Remove a rule you added
    - semanage fcontext -d "${file|dir}name"

Relabeling the fs
  - With reboot (preferred!)
    - touch /.autorelabel
    - reboot
  - Without reboot
    - fixfiles relabel
    - fixfiles -R $packagename restore (only the files owned by that RPM)

Mounting file systems
  - The mount command
    - mount -t nfs -o context="system_u:object_r:$type:s0" server:/export /mount
      - context= gives every file on the mount that one context; this is how you label file systems that cannot store labels themselves (NFS, vfat, ...)
    - mount -o defcontext="system_u:object_r:$type:s0" /dev/sda2 /foo
      - defcontext= only applies to files that carry no label of their own
  - Each NFS mount can get its own context= option, so this works for multiple NFS mounts

Copying
  - cp doesn't keep the source context: the new file gets the default context of the destination directory
  - Copy with context
    - Add the --preserve=context flag (cp -a keeps it as well)
  - Copy while changing context
    - cp --context=system_u:object_r:$type:s0 $file $destination (older coreutils spelled this cp -Z CONTEXT)

Moving
  - mv keeps the original context: on the same partition the file is only renamed, and across partitions GNU mv copies the security context along with the data
  - So a file moved from your home directory into /var/www/html still carries user_home_t, and httpd cannot read it
  - Use cp (the copy picks up the destination's default context), or run restorecon on what you moved

Tarring
  - tar doesn't store contexts by default
    - Use the --selinux flag (GNU tar), both when creating and when extracting; --xattrs keeps the other extended attributes too
  - Untar an archive without extended attributes and relabel what came out
    - tar -xvf $archive | restorecon -f -  (tar -v lists each extracted file on stdout; restorecon -f - reads that list from stdin)

Troubles?
  - audit2allow
    - Gives you decent tips; audit2why (audit2allow -w) tells you whether a boolean or a wrong label would already fix the denial
  - matchpathcon -V $dir
    - Checks the actual context of a path against what the policy expects for it
  - semodule -DB
    - Rebuilds the policy with the dontaudit rules disabled, so every denial is logged; semodule -B turns them back on

Creating policies
  - Grep the right denials out of the audit log
  - audit2allow -a -m $name > $name.te (module source you can read and trim before building it)
  - -D flag: read the denials from dmesg instead of the audit log

Applying policies
  - audit2allow -M $name (reads denials on stdin, writes $name.te and compiles $name.pp)
  - semodule -i $name.pp
  - Read the .te before loading it: audit2allow allows exactly what was denied, including anything an attacker may have triggered
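Before feeding denials to audit2allow it pays to see what was actually denied, grouped by source type, target type and class: a denial on a file type that does not belong where the file lives is a labelling problem (restorecon), a denial that a boolean covers is a setsebool, and only the rest deserves a module. The function below is an added example, not code from the talk, for the Logging, Troubles and Creating policies slides: it reads raw AVC lines (audit.log, ausearch -m avc output, or the syslog form that appears in /var/log/messages) and prints one summary line per source type, target type and class. The three audit lines embedded in it are constructed for the demo; they mimic an httpd serving a file that was mv'ed in from a home directory, plus a database connection.

```shell
#!/usr/bin/env bash
# avc_summary -- reads AVC denial lines on stdin and prints, sorted:
#   SOURCE_TYPE TARGET_TYPE CLASS PERM1,PERM2,... COUNT
avc_summary() {
  awk '
    function ctx_type(ctx,  a) { split(ctx, a, ":"); return a[3] }   # 3rd field of a context is the type
    /avc: +denied / {
      match($0, /[{][^}]*[}]/)                          # "{ read getattr }"
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if (index($i, "scontext=") == 1)      s = ctx_type(substr($i, 10))
        else if (index($i, "tcontext=") == 1) t = ctx_type(substr($i, 10))
        else if (index($i, "tclass=") == 1)   c = substr($i, 8)
      }
      key = s SUBSEP t SUBSEP c
      count[key]++
      n = split(perms, pl, " ")
      for (j = 1; j <= n; j++)                          # collect distinct permissions per key
        if (!((key, pl[j]) in seen)) {
          seen[key, pl[j]] = 1
          plist[key] = (plist[key] == "" ? pl[j] : plist[key] "," pl[j])
        }
    }
    END {
      for (k in count) {
        split(k, f, SUBSEP)
        printf "%s %s %s %s %d\n", f[1], f[2], f[3], plist[k], count[k]
      }
    }' | LC_ALL=C sort
}

# Constructed audit.log excerpt (not captured from a real system).
SAMPLE_AVC='type=AVC msg=audit(1289301040.412:58): avc:  denied  { read } for  pid=2310 comm="httpd" name="index.html" dev=dm-0 ino=131089 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1289301040.412:59): avc:  denied  { getattr } for  pid=2310 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=131089 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1289301055.001:61): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Stand-alone demo on the sample. On a real box: ausearch -m avc -ts recent | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The two lines it prints for the sample point at two different fixes, neither of which is a policy module: httpd_t -> user_home_t on a file under /var/www/html means the file kept its home-directory label and restorecon will cure it, and httpd_t -> mysqld_port_t name_connect is what the httpd_can_network_connect_db boolean exists for (compare `semanage boolean -l | grep httpd`). Feed audit2allow only the denials that survive that triage.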
So why do we enable it?
  - It's easy
  - It's secure

references
  - Fedora SELinux documentation
    - http://docs.fedoraproject.org
  - Dan Walsh
    - http://danwalsh.livejournal.com
  - Fedora SELinux team
    - #fedora-selinux on Freenode
  - Linux training
    - http://linux-training.be

Questions?
  E-mail: [email_address]
  Twitter: @biertie
  identi.ca: @bdesmet
  Web: http://bdesmet.be
