Stop Disabling SELinux
Maciej Lasyk
Kraków, InfoSec meetup #1
2014-03-12
Maciej Lasyk, Stop Disabling SELinux 1/32
Maciej Lasyk, High Availability Explained

Does security matter?
● Business value and security
● Does the stock price change after a security failure?
● Apps or env? Which one should be 'secure'?
What does security look like?
App
Env

What does security look like?
Security is based on layers!
Network
OS
App / DB
Hardware
LSM
Maybe virt-sec?

What does security look like?
Such security..
Very fortress!!1
WOW :)
SELinux – what?
● Think about it as an internal firewall
● Guarding processes, files, users
● Users don't manage security, the admin does
SELinux – short history recap
- 2000: NSA, GPL
- 2001: Linux Kernel Summit, NSA vs Linus, LSM announced
  (SELinux, AppArmor, Smack, and TOMOYO Linux)
- 2003: merged into mainline kernel 2.6.0-test3
- RHEL4
- Ubuntu LTS 8.04 Hardy Heron & the rest (even Novell)
SELinux – use cases
- hosting multiple services on one box / VPS
- virtualization host (imagine containers)
  - libvirt-sandbox FTW!
- any apps that are not secure or security-aware
  - SELinux sandbox
- root access for anyone :)
  - DBAs, devs - whatever :)
  - try it yourself: http://www.coker.com.au/selinux/play.html
- Gentoo Hardened: https://wiki.gentoo.org/wiki/Project:Hardened
- Desktops (yes!)
SELinux – how does it work?
syscalls work as interfaces for accessing resources

SELinux – how does it work?
DAC
MAC
upstream kernel has been fixed to check (and report) mmap_zero for MAC AFTER DAC
(2014-03-05, http://danwalsh.livejournal.com/69035.html)
SELinux – performance
- http://www.nsa.gov/research/_files/selinux/papers/freenix01/node18.shtml#sec:perf:macro
Just test it yourself: git://git.selinuxproject.org/~serge/selinux-testsuite
avcstat
uptime: 10h
hit ratio: 99.94%!
(57 million lookups)
SELinux – learning curve

SELinux – installation
apt-get install selinux-basics selinux-policy-default auditd
Gentoo is.. like always – a little complicated..
emerge hardened-sources
EC2? yum install libselinux* selinux-policy* policycoreutils
RHEL / CentOS / Fedora is ready
SELinux – need assistance?
- IRC: freenode, #selinux
- Mailing list: selinux@lists.fedoraproject.org
- URLs:
  - http://stopdisablingselinux.com/
  - http://www.nsa.gov/research/selinux/faqs.shtml
  - https://fedoraproject.org/wiki/SELinux
- Books?
  - SELinux System Administration, Sven Vermeulen, 2013, ISBN-10: 1783283173 ($15)
  - SELinux by Example: Using Security Enhanced Linux, Frank Mayer, Karl MacMillan, David Caplan, 2006, ISBN-10: 0131963694
SELinux and Android
- from 4.3 – permissive
- from 4.4 – enforcing
- Will help us with BYOD :)
- No setuid/setgid programs (4.3)
http://selinuxproject.org/page/SEAndroid
http://source.android.com/devices/tech/security/se-linux.html
libvirt-sandbox!
- Currently RPM based (but could be built from sources)
- Sandboxes for LXC / Qemu / KVM
- Rather with systemd
  - virt-sandbox -c lxc:/// /bin/sh
  - virt-sandbox-service create ... httpd.service myhttpd
  - systemctl start myhttpd_sandbox.service
libvirt-sandbox!
- The libvirt guest is created when the virt-sandbox command starts
- The libvirt guest is automatically deleted when the virt-sandbox command completes, or dies from a signal
- The sandboxed command sees a read-only view of the entire host filesystem
- Specific areas can be made writable by mapping in an alternative host directory
- There is no network access inside the sandbox by default
- Virtual network interfaces can be associated with libvirt virtual networks
- The stdin/stdout/stderr file handles of the sandbox command will be connected to the controlling terminal
So what about other LSMs?
http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html

So what about other LSMs?
- AppArmor identifies file system objects by path name instead of inode
- There is no notion of multi-level security with AppArmor
- AppArmor uses a rather flat, file-based configuration
- SELinux supports the concept of a "remote policy server"
- There is no AppArmor or grsec in Android :)
SELinux primer
stopdisablingselinux.com
or
http://opensource.com/business/13/11/selinux-policy-guide

SELinux primer
Everyone gets a label!
SELinux primer
allow cat cat_chow:food eat;
allow dog dog_chow:food eat;

SELinux primer
AVC (Access Vector Cache)
SELinux primer
In the real world...
process: httpd_t
files under Apache: httpd_sys_content_t
database data: mysqld_data_t
a hacked Apache process cannot access mysqld files!

SELinux primer
Can the same type of process be confined differently?

SELinux primer
Yes! With MCS enforcement!
SELinux primer
In the real world...
2 processes: httpd_t
files under httpd: httpd_sys_content_t
So how do we deny files to a different instance of httpd_t?
With MCS labels like s0:c1,c2 ; s0:c3,c4 etc.
s0, s1, s2 – sensitivity levels
c1,c2,c3... - categories (up to 255)
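The cat/dog allow rules (slide 24), the AVC (slides 25-26), the httpd_t / mysqld_data_t separation (slide 27) and the MCS categories above, worked through in one added Python model. This is example code written for this page, not part of the talk or of the SELinux project; the policy fragment, the labels and the audit-line format are constructed and simplified (real contexts also carry user and role, and the real MCS constraint applies only to certain classes and permissions).

```python
import re
from dataclasses import dataclass

# Rule form from slide 24: 'allow <source_type> <target_type>:<class> <perm>;'
# plus the usual multi-permission form '{ read open }'.
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_policy(text):
    """Return {(source_type, target_type, class): set(perms)} from allow rules."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
    return rules


@dataclass(frozen=True)
class Context:
    """Label reduced to type + MCS level ('httpd_t:s0:c1,c2'); user and role omitted."""
    type_: str
    sensitivity: str = "s0"
    cats: frozenset = frozenset()

    @classmethod
    def parse(cls, text):
        parts = text.split(":")
        cats = frozenset()
        if len(parts) > 2 and parts[2]:
            cats = frozenset(int(c[1:]) for c in parts[2].split(","))
        return cls(parts[0], parts[1] if len(parts) > 1 else "s0", cats)

    def __str__(self):
        cats = ",".join(f"c{c}" for c in sorted(self.cats))
        return f"{self.type_}:{self.sensitivity}" + (f":{cats}" if cats else "")


def mcs_dominates(subject, obj):
    """Slide 30's MCS rule: the subject must hold every category on the object."""
    return obj.cats <= subject.cats


class AVC:
    """Access Vector Cache (slides 25-26): memoise (subject, object, class) decisions."""

    def __init__(self, rules):
        self.rules, self.cache, self.lookups, self.hits = rules, {}, 0, 0

    def allowed_perms(self, subj, obj, cls):
        key = (subj, obj, cls)
        self.lookups += 1
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        perms = set(self.rules.get((subj.type_, obj.type_, cls), set()))
        if not mcs_dominates(subj, obj):
            perms = set()  # the type rule may allow it; MCS still says no
        self.cache[key] = perms
        return perms

    def check(self, subj, obj, cls, perm):
        return perm in self.allowed_perms(subj, obj, cls)

    def hit_ratio(self):
        return self.hits / self.lookups if self.lookups else 0.0


def denial_line(subj, obj, cls, perm):
    """Shape of the avc line audit.log records on a denial (pid, comm, path omitted)."""
    return f"avc:  denied  {{ {perm} }} for scontext={subj} tcontext={obj} tclass={cls}"


# Constructed policy fragment for slide 27's setup: nothing lets httpd_t near mysqld_data_t.
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow mysqld_t mysqld_data_t:file { read write open };
"""


def demo():
    """Slides 27 and 30: two httpd_t instances with different categories and one database."""
    avc = AVC(parse_policy(POLICY))
    web1 = Context.parse("httpd_t:s0:c1,c2")
    web2 = Context.parse("httpd_t:s0:c3,c4")
    page1 = Context.parse("httpd_sys_content_t:s0:c1,c2")
    dbdata = Context.parse("mysqld_data_t:s0")
    checks = {
        "web1 reads its own content": (web1, page1, "file", "read"),
        "web2 reads web1's content": (web2, page1, "file", "read"),
        "hacked web1 reads mysqld data": (web1, dbdata, "file", "read"),
    }
    results = {}
    for _ in range(2):  # second round is served from the cache, like repeated syscalls
        for name, args in checks.items():
            results[name] = avc.check(*args)
    return results, avc


if __name__ == "__main__":
    results, avc = demo()
    for name, ok in results.items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    print(f"AVC hit ratio: {avc.hit_ratio():.0%}")
```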
So remember..
Every time you run setenforce 0, you make Dan Walsh weep.
Dan is a nice guy and he certainly doesn't deserve that.
Stop Disabling SELinux
Thank you :)
Maciej Lasyk
Kraków, InfoSec meetup #1
2014-03-12
http://maciek.lasyk.info/sysop
maciek@lasyk.info
@docent-net
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
OnBoard
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024
Stephanie Beckett
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Zilliz
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
DianaGray10
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
FIDO Alliance
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
Tech Guru
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
Alison B. Lowndes
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 

Recently uploaded (20)

Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 

Stop disabling SELinux!

  • 1. Stop Disabling SELinux. Maciej Lasyk, Kraków, InfoSec meetup #1, 2014-03-12 (1/32)
  • 2. Maciej Lasyk, High Availability Explained. Does security matter? ● Business value and security ● Does the stock price change after a security failure? ● Apps or env? Which one should be 'secure'?
  • 3. What does security look like? (diagram: App, Env)
  • 4. What does security look like? (diagram)
  • 5. What does security look like? Security is based on layers! Network, OS, App / DB, Hardware, LSM, maybe virt-sec?
  • 6. What does security look like? Such security.. Very fortress!!1 WOW :)
  • 7. SELinux – what? ● Think about it as an internal firewall ● Guarding procs, files, users ● Users don't manage security, the admin does
  • 8. SELinux – short history recap - 2000: NSA, GPL - 2001: Linux Kernel Summit, NSA vs Linus, LSM announced (SELinux, AppArmor, Smack, and TOMOYO Linux) - 2003: merged with mainline kernel 2.6.0-test3 - RHEL4 - Ubuntu LTS 8.04 Hardy Heron & the rest (even Novell)
  • 9. SELinux – use cases - hosting multiple services on one box / VPS - virtualization host (imagine containers) - libvirt-sandbox FTW! - any apps that are not secure or security-aware - SELinux sandbox - root access for anyone :) - DBAs, devs - whatever :) - try it yourself: http://www.coker.com.au/selinux/play.html - Gentoo Hardened: https://wiki.gentoo.org/wiki/Project:Hardened - Desktops (yes!)
  • 10. SELinux – how does it work? Syscalls work like interfaces for accessing resources
  • 11. SELinux – how does it work? (diagram)
  • 12. SELinux – how does it work? DAC vs MAC: the upstream kernel has been fixed to check (and report) mmap_zero for MAC AFTER DAC (2014-03-05, http://danwalsh.livejournal.com/69035.html)
  • 13. SELinux – how does it work? (diagram)
  • 14. SELinux – performance - http://www.nsa.gov/research/_files/selinux/papers/freenix01/node18.shtml#sec:perf:macro - Just test it yourself: git://git.selinuxproject.org/~serge/selinux-testsuite - avcstat after 10h uptime: hit ratio 99.94%! (57 mln lookups)
  • 15. SELinux – learning curve (diagram)
  • 16. SELinux – installation - apt-get install selinux-basics selinux-policy-default auditd - Gentoo is.. like always – a little complicated.. emerge hardened-sources - EC2? yum install libselinux* selinux-policy* policycoreutils - RHEL / CentOS / Fedora is ready
  • 17. SELinux – need assistance? - IRC: freenode, #selinux - Mailing list: selinux@lists.fedoraproject.org - URLs: http://stopdisablingselinux.com/ , http://www.nsa.gov/research/selinux/faqs.shtml , https://fedoraproject.org/wiki/SELinux - Books? SELinux System Administration, Sven Vermeulen, 2013, ISBN-10: 1783283173 ($15); SELinux by Example: Using Security Enhanced Linux, Frank Mayer, Karl MacMillan, David Caplan, 2006, ISBN-10: 0131963694
  • 18. SELinux and Android - from 4.3: permissive - from 4.4: enforcing - Will help us with BYOD :) - No setuid/setgid programs (4.3) - http://selinuxproject.org/page/SEAndroid - http://source.android.com/devices/tech/security/se-linux.html
  • 19. libvirt-sandbox! - Currently RPM based (but could be built from sources) - Sandboxes for LXC / Qemu / KVM - Rather with systemd - virt-sandbox -c lxc:/// /bin/sh - virt-sandbox-service create ... httpd.service myhttpd - systemctl start myhttpd_sandbox.service
  • 20. libvirt-sandbox! - The libvirt guest is created when the virt-sandbox command starts - The libvirt guest is automatically deleted when the virt-sandbox command completes, or dies from a signal - The sandboxed command sees a read-only view of the entire host filesystem - Specific areas can be made writable by mapping in an alternative host directory - There is no network access inside the sandbox by default - Virtual network interfaces can be associated with libvirt virtual networks - The stdin/stdout/stderr file handles of the sandboxed command are connected to the controlling terminal
  • 21. So what about other LSMs? http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html
  • 22. So what about other LSMs? - AppArmor identifies file system objects by path name instead of inode - There is no notion of multi-level security with AppArmor - AppArmor uses a rather flat, file-based configuration - SELinux supports the concept of a "remote policy server" - There is no AppArmor or grsec in Android :)
  • 23. SELinux primer: stopdisablingselinux.com or http://opensource.com/business/13/11/selinux-policy-guide
  • 24. SELinux primer: Everyone gets a label!
  • 25. SELinux primer: allow cat cat_chow:food eat; allow dog dog_chow:food eat;
  • 26. SELinux primer: AVC (Access Vector Cache)
  • 27. SELinux primer: AVC (Access Vector Cache)
  • 28. SELinux primer: In the real world... process: httpd_t; files under Apache: httpd_sys_content_t; database data: mysqld_data_t. A hacked Apache process cannot access mysqld files!
  • 29. SELinux primer: Can the same type of process be confined differently?
  • 30. SELinux primer: Yes! With MCS enforcement!
  • 31. SELinux primer: In the real world... 2 processes: httpd_t; files under httpd: httpd_sys_content_t. So how to deny files to different instances of httpd_t? With MCS labels like s0:c1,c2 ; s0:c3,c4 etc. s0, s1, s2 – sensitivity levels; c1,c2,c3... – categories (up to 255)
  • 32. So remember.. Every time you run setenforce 0, you make Dan Walsh weep. Dan is a nice guy and he certainly doesn't deserve that.
  • 33. Maciej Lasyk, Kraków, InfoSec meetup #1, 2014-03-12 - http://maciek.lasyk.info/sysop - maciek@lasyk.info - @docent-net - Stop Disabling SELinux - Thank you :)
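The primer slides (25, 28 and 31) state the three ideas behind the "hacked Apache cannot touch mysqld files" claim without showing how a decision is actually made: type-enforcement allow rules, the extra MCS category check that separates two httpd_t instances, and the access vector cache (slides 14, 26 and 27) that makes repeated lookups cheap. The following Python model, added here as an illustration and not code from the talk or from the SELinux project, parses the slide's `allow cat cat_chow:food eat;` style rules, evaluates contexts of the form `user:role:type:level`, and counts AVC hits and misses. The toy policy, all contexts and the type name `mysqld_data_t` (taken from slide 28) are constructed; the MCS check is simplified in that it is applied to every access, whereas the real policy constrains only a defined set of classes and permissions.

```python
"""Toy model of the SELinux decision path from the primer slides: type-enforcement (TE)
allow rules, an MCS category check and an access vector cache (AVC) in front of the
policy lookup. Added example, not code from the talk; policy and contexts are constructed."""
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type_: str
    level: str  # "s0", "s0:c1,c2" or "s0:c0.c3"

    @classmethod
    def parse(cls, text: str) -> "Context":
        return cls(*text.split(":", 3))  # the level may itself contain ':'

    @property
    def sensitivity(self) -> int:
        return int(self.level.split(":", 1)[0][1:])  # "s0:c1,c2" -> 0

    @property
    def categories(self) -> frozenset:
        parts = self.level.split(":", 1)
        cats = set()
        for item in parts[1].split(",") if len(parts) == 2 else []:
            lo, _, hi = item.partition(".")  # "c0.c3" is the range c0..c3
            cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
        return frozenset(cats)


def parse_allow_rules(policy_text: str) -> dict:
    """'allow src tgt:class perm;' / 'allow src tgt:class { p1 p2 };' ->
    {(src_type, tgt_type, class): set(perms)}; only allow rules are modelled."""
    rules: dict = {}
    for stmt in (s.strip() for s in policy_text.split(";") if s.strip()):
        if not stmt.startswith("allow "):
            raise ValueError(f"unsupported statement: {stmt!r}")
        head, tail = stmt[6:].split(":", 1)
        src, tgt = head.split()
        obj_class, perm_text = tail.split(None, 1)
        rules.setdefault((src, tgt, obj_class), set()).update(perm_text.strip("{} ").split())
    return rules


def mcs_dominates(subject: Context, target: Context) -> bool:
    """Equal-or-higher sensitivity and a superset of the target's categories."""
    return subject.sensitivity >= target.sensitivity and target.categories <= subject.categories


class Engine:
    """TE lookup + MCS check, with an AVC keyed on (scontext, tcontext, class)."""

    def __init__(self, rules: dict):
        self.rules, self.avc, self.hits, self.misses = rules, {}, 0, 0

    def _compute(self, s: Context, t: Context, obj_class: str) -> frozenset:
        allowed = self.rules.get((s.type_, t.type_, obj_class), set())
        # Simplification: MCS is applied to every access here; the real policy constrains
        # only a defined set of classes and permissions.
        return frozenset(allowed) if allowed and mcs_dominates(s, t) else frozenset()

    def check(self, scontext: str, tcontext: str, obj_class: str, perm: str) -> bool:
        key = (Context.parse(scontext), Context.parse(tcontext), obj_class)
        if key in self.avc:
            self.hits += 1
        else:  # miss: consult the policy once and cache the whole access vector
            self.misses += 1
            self.avc[key] = self._compute(*key)
        return perm in self.avc[key]


# Constructed toy policy: the cat/dog rules from slide 25 plus one httpd_t rule.
POLICY = """
allow cat cat_chow:food eat;
allow dog dog_chow:food eat;
allow httpd_t httpd_sys_content_t:file { read open getattr };
"""


def run_demo(rounds: int = 100) -> dict:
    """Replay the slides' scenarios `rounds` times; return decisions plus AVC statistics."""
    engine = Engine(parse_allow_rules(POLICY))
    httpd, web = "system_u:system_r:httpd_t:s0", "system_u:object_r:httpd_sys_content_t:s0"
    cases = {
        "cat_eats_cat_chow": ("u:r:cat:s0", "u:r:cat_chow:s0", "food", "eat"),
        "cat_eats_dog_chow": ("u:r:cat:s0", "u:r:dog_chow:s0", "food", "eat"),
        "httpd_reads_web_content": (httpd, web, "file", "read"),
        # mysqld_data_t is the label used on slide 28; no rule allows httpd_t to touch it
        "httpd_reads_mysql_data": (httpd, "system_u:object_r:mysqld_data_t:s0", "file", "read"),
        # two httpd_t instances separated by MCS categories (slide 31)
        "instance1_reads_own_file": (httpd + ":c1,c2", web + ":c1,c2", "file", "read"),
        "instance2_reads_instance1_file": (httpd + ":c3,c4", web + ":c1,c2", "file", "read"),
    }
    results = {}
    for _ in range(rounds):
        for name, args in cases.items():
            results[name] = engine.check(*args)
    total = engine.hits + engine.misses
    results.update(avc_hits=engine.hits, avc_misses=engine.misses,
                   avc_hit_ratio=round(engine.hits / max(total, 1), 4))
    return results
```

Calling `run_demo()` yields the two cat/dog decisions from slide 25, the httpd_t allow/deny pair from slide 28, and the two httpd_t instances from slide 31 where s0:c3,c4 is refused the s0:c1,c2 file even though the TE rule alone would permit it. With six distinct (subject, target, class) triples replayed a hundred times, the policy is consulted six times and every other lookup is an AVC hit, which is the mechanism behind the 99.94% ratio avcstat reports on slide 14.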