SlideShare a Scribd company logo

SELinux workshop

J
johseg

SELinux workshop for openSUSE conference

Technology
1 of 31
Download to read offline
2023-05-27, NUREMBERG SELinux introduction Johannes Segitz <jsegitz@suse.com>
Whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) – code review – product pentesting – The SELinux guy (not the policy maintainer) Copyright © SUSE 2023 2
Outline We will cover: – Basic SELinux introduction – Install it on openSUSE tumbleweed Copyright © SUSE 2023 3
Ressources needed Please have an openSUSE Tumbleweed VM ready to play along Make sure you have internet connectivity Copyright © SUSE 2023 4
Expectation management As always it’s not possible to cover everything in one talk, so: – Mix between – higher level concepts (∼15 minutes) – practice (∼45 minutes) – You will not become a SELinux expert in an hour – We will go as far as possible with the examples. I can stick around afterwards, but we’ll stop officially after the slot ends Copyright © SUSE 2023 5
Nomenclature How to read the slides Shell: $ this is a root shell Default is root. If it’s a different user you’ll see it in the prompt. Listing: I'm the content of a file Copyright © SUSE 2023 6
Mandatory access control Discretionary access control (DAC) Usual form of access control in Linux – Typical example: root@workstation ~/ $ ls -l /etc/shadow -rw-r-----. 1 root shadow 1421 /etc/shadow – Discretionary: The owner of an object can control the access of the objects he owns Copyright © SUSE 2023 7
Mandatory access control Discretionary access control (DAC) Drawbacks: – Coarse: Basically 3 x rwx – Prone to (user) error johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa -rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa – Hard to analyze – root == God (- capabilities) But it’s familiar, easy to use and to understand Copyright © SUSE 2023 8
Mandatory access control Mandatory access control (MAC) Mandatory (in this context): – Access control decisions are not made by the owner – Access control rules are managed centrally Advantages: – Access control in the hand of people who know what they’re doing – Centralized control and review is easy – Often very fine grained → compartmentalization Drawbacks: – Harder to understand – Complex to administrate – Missing experience Copyright © SUSE 2023 9
SELinux History Security Enhanced Linux – Linux security module (LSM), developed by the National Security Agency (NSA) Don’t panic, it’s open source and reviewed thoroughly – First release 2000, since then integrated in the Linux kernel Didn’t play a big role at SUSE up to this point Will be the MAC system for ALP (and already is for SLE Micro) So very likely it’s also the future MAC system for openSUSE Copyright © SUSE 2023 10
SELinux Basic idea – Type Enforcement (TE). Every object has a – user: unconfined_u – role: unconfined_r – type: unconfined_t – sensitivity: s0-s0 – category: c0.c1023 – These form the Security Context (SC) unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 – In practice the type unconfined_t is all you need Copyright © SUSE 2023 11
SELinux SELinux expert with one character If you remember one thing: let it be this Copyright © SUSE 2023 12
SELinux Basic idea (Almost) everything has a SC. Sockets, packets, ... 134 security classes – Files root@workstation ~/ $ ls -lZ /etc/shadow ----------. root root system_u:object_r:shadow_t:s0 /etc/shadow – Processes root@workstation ~/ $ ps axZ | grep 'postfix/master' system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/ Copyright © SUSE 2023 13
SELinux Basic idea – DAC comes first – Then SELinux. Deny by default – Firewall for system calls Copyright © SUSE 2023 14
SELinux SELinux log messages Found in the audit.log type=AVC msg=audit(1416499522.810:77): avc: denied { transition } for pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Copyright © SUSE 2023 15
Practice You’ll now change an openSUSE installation to use SELinux. Please boot the machine Copyright © SUSE 2023 16
Practice Initial setup Install packages: $ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console policycoreutils-devel selinux-autorelabel podman Set SELinux to enforcing: $ sed -i -e 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config Main config file: /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. # minimum - Modification of targeted policy. Only selected processes are protected. SELINUXTYPE=targeted Copyright © SUSE 2023 17
Practice Initial setup Set the necessary boot parameter: $ if ! egrep 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/1 security=selinux selinux=1"/' /etc/default/grub fi $ update-bootloader --refresh Remove audit log, reboot: $ rm /var/log/audit/audit.log $ reboot Copyright © SUSE 2023 18
Practice Look around Current SELinux status $ sestatus Have a look at the processes $ ps auxZ Check out the filesystem labels $ ls -laZ / $ ls -laZ /var Check for mislabeled files $ restorecon -Rvn /var $ restorecon -Rv /var Copyright © SUSE 2023 19
Practice Look around Check your identity $ id -Z Check denials: $ grep -i avc /var/log/audit/audit.log $ tail -f /var/log/audit/audit.log | grep -i avc Proper way to do this: $ ausearch -m avc,user_avc,selinux_err -ts boot -i Copyright © SUSE 2023 20
Practice Linux users to SELinux users: $ semanage login -l Port mappings: $ semanage port -l File label rules: $ semanage fcontext -l Copyright © SUSE 2023 21
Practice Booleans: $ semanage boolean -l Enable a boolean: $ semanage boolean -m --on httpd_enable_homedirs Copyright © SUSE 2023 22
Practice audit2allow audit2allow: – Analyzes SELinux denial messages – Generates rules to allow necessary access – Is aware of interfaces – Suggests booleans that would allow the access But don’t use it with every denial! Copyright © SUSE 2023 23
Practice audit2allow Either pipe AVCs into audit2allow or feed into STDIN and close it: $ audit2allow -R Build SELinux module you can load: $ audit2allow -R -M $NAMEMODULE Copyright © SUSE 2023 24
Practice avcs.rb Small wrapper around auserch. Makes reading AVCs easier $ podman run --privileged -v /var/log/audit:/var/log/audit registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest Copyright © SUSE 2023 25
Practice Lets cause problems Mislabel some files: $ ls -laZ /usr/sbin/postfix $ chcon -t postfix_map_exec_t /usr/sbin/postfix Check it: $ restorecon -Rvn /usr/sbin/ Restart postfix: $ systemctl restart postfix Copyright © SUSE 2023 26
Practice Lets cause problems Check the status: $ systemctl status postfix Why does it fail? You’ll see something like postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied but no AVCs. How do we approach this? Copyright © SUSE 2023 27
Practice How to debug SELinux problems Does it happen in permissive mode? $ setenforce 0 Check for denials. If you don’t see any disable dontaudit rules with $ semodule -DB Enable dontaudit again with $ semodule -B Now give audit2allow a try with this ... Check for mislabled files – either because of unaware scripts/programs – policy paths don’t match Copyright © SUSE 2023 28
Practice How to debug SELinux problems Search engines/bugtrackers are your friends Howto report a bug: https://en.opensuse.org/openSUSE:Bugreport_SELinux Copyright © SUSE 2023 29
Practice How to rescue a system In grub change boot parameters: – Disable SELinux: selinux=0 – Make SELinux permissive: enforcing=0 Copyright © SUSE 2023 30
Questions? Thank you for your attention! Copyright © SUSE 2023 31

Recommended

SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxFFRI, Inc.
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsPaulWay
 
RabbitMQ Server - cheat sheet -
RabbitMQ Server - cheat sheet -RabbitMQ Server - cheat sheet -
RabbitMQ Server - cheat sheet -Naoto MATSUMOTO
 
Kablosuz Ağlara Yapılan Saldırılar
Kablosuz Ağlara Yapılan SaldırılarKablosuz Ağlara Yapılan Saldırılar
Kablosuz Ağlara Yapılan SaldırılarBGA Cyber Security
 
Free radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integrationFree radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integrationChanaka Lasantha
 
Linux scheduling and input and output
Linux scheduling and input and outputLinux scheduling and input and output
Linux scheduling and input and outputSanidhya Chugh
 
Holynix v1
Holynix v1Holynix v1
Holynix v1BGA Cyber Security
 

Recommended

SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxFFRI, Inc.
 
Slug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsSlug 2009 06 SELinux For Sysadmins
Slug 2009 06 SELinux For SysadminsPaulWay
 
RabbitMQ Server - cheat sheet -
RabbitMQ Server - cheat sheet -RabbitMQ Server - cheat sheet -
RabbitMQ Server - cheat sheet -Naoto MATSUMOTO
 
Kablosuz Ağlara Yapılan Saldırılar
Kablosuz Ağlara Yapılan SaldırılarKablosuz Ağlara Yapılan Saldırılar
Kablosuz Ağlara Yapılan SaldırılarBGA Cyber Security
 
Free radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integrationFree radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integrationChanaka Lasantha
 
Linux scheduling and input and output
Linux scheduling and input and outputLinux scheduling and input and output
Linux scheduling and input and outputSanidhya Chugh
 
Holynix v1
Holynix v1Holynix v1
Holynix v1BGA Cyber Security
 
systemd
systemdsystemd
systemdnussbauml
 
Ubuntu installation-presentations
Ubuntu installation-presentationsUbuntu installation-presentations
Ubuntu installation-presentationsPrimeAsia University
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
Yaygın Linux Komutları ve Windows Karşılıkları
Yaygın Linux Komutları ve Windows KarşılıklarıYaygın Linux Komutları ve Windows Karşılıkları
Yaygın Linux Komutları ve Windows KarşılıklarıMert Hakki Bingol
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhydn|u - The Open Security Community
 
step by step to install the ubuntu
step by step to install the ubuntustep by step to install the ubuntu
step by step to install the ubuntuDr.M.G.R. University,chennai
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3BGA Cyber Security
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic UsageDmytro Minochkin
 
Centos
CentosCentos
Centossandyy12
 
Linux architecture
Linux architectureLinux architecture
Linux architectureICI Bucharest - roTLD
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18BGA Cyber Security
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
 
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İncelemeBilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İncelemeBGA Cyber Security
 
Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind mapdasdwwe1
 
Linux programming lecture_notes
Linux programming lecture_notesLinux programming lecture_notes
Linux programming lecture_notesIMRAN KHAN
 
4. linux file systems
4. linux file systems4. linux file systems
4. linux file systemsMarian Marinov
 
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim SunumuBTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim SunumuBTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği Rehberi
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği RehberiCumhurbaşkanlığı Bilgi ve İletişim Güvenliği Rehberi
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği RehberiSparta Bilişim
 
Temel Linux Kullanımı ve Komutları
Temel Linux Kullanımı ve KomutlarıTemel Linux Kullanımı ve Komutları
Temel Linux Kullanımı ve KomutlarıAhmet Gürel
 
selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptxPandiya Rajan
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 

More Related Content

What's hot

Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
Yaygın Linux Komutları ve Windows Karşılıkları
Yaygın Linux Komutları ve Windows KarşılıklarıYaygın Linux Komutları ve Windows Karşılıkları
Yaygın Linux Komutları ve Windows KarşılıklarıMert Hakki Bingol
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3BGA Cyber Security
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18BGA Cyber Security
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
 
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İncelemeBilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İncelemeBGA Cyber Security
 
Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind mapdasdwwe1
 
Linux programming lecture_notes
Linux programming lecture_notesLinux programming lecture_notes
Linux programming lecture_notesIMRAN KHAN
 
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği Rehberi
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği RehberiCumhurbaşkanlığı Bilgi ve İletişim Güvenliği Rehberi
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği RehberiSparta Bilişim
 
Temel Linux Kullanımı ve Komutları
Temel Linux Kullanımı ve KomutlarıTemel Linux Kullanımı ve Komutları
Temel Linux Kullanımı ve KomutlarıAhmet Gürel
 

What's hot (20)

systemd
systemdsystemd
systemd
 
Ubuntu installation-presentations
Ubuntu installation-presentationsUbuntu installation-presentations
Ubuntu installation-presentations
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by Steps
 
Yaygın Linux Komutları ve Windows Karşılıkları
Yaygın Linux Komutları ve Windows KarşılıklarıYaygın Linux Komutları ve Windows Karşılıkları
Yaygın Linux Komutları ve Windows Karşılıkları
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server Hardening
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
step by step to install the ubuntu
step by step to install the ubuntustep by step to install the ubuntu
step by step to install the ubuntu
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
 
Centos
CentosCentos
Centos
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
 
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İncelemeBilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
 
Ethical hacking mind map
Ethical hacking mind mapEthical hacking mind map
Ethical hacking mind map
 
Linux programming lecture_notes
Linux programming lecture_notesLinux programming lecture_notes
Linux programming lecture_notes
 
4. linux file systems
4. linux file systems4. linux file systems
4. linux file systems
 
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim SunumuBTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
 
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği Rehberi
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği RehberiCumhurbaşkanlığı Bilgi ve İletişim Güvenliği Rehberi
Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği Rehberi
 
Temel Linux Kullanımı ve Komutları
Temel Linux Kullanımı ve KomutlarıTemel Linux Kullanımı ve Komutları
Temel Linux Kullanımı ve Komutları
 

Similar to SELinux workshop

selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptxPandiya Rajan
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupJayant Chutke
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux OverviewEmre Can Kucukoglu
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Winbmbouter
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanentlychinkshady
 
CloudStack templates with OpenVM
CloudStack templates with OpenVMCloudStack templates with OpenVM
CloudStack templates with OpenVMShapeBlue
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxMartin Holovský
 
Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Alex Lau
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlKohei KaiGai
 
Process behaviour modelling using lsm
Process behaviour modelling using lsmProcess behaviour modelling using lsm
Process behaviour modelling using lsmiaemedu
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)Wail Hassan
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
 
Rancher Rodeo 13 mai 2022
Rancher Rodeo 13 mai 2022Rancher Rodeo 13 mai 2022
Rancher Rodeo 13 mai 2022SUSE
 

Similar to SELinux workshop (20)

selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
Selinux
SelinuxSelinux
Selinux
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently
 
CloudStack templates with OpenVM
CloudStack templates with OpenVMCloudStack templates with OpenVM
CloudStack templates with OpenVM
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsql
 
Process behaviour modelling using lsm
Process behaviour modelling using lsmProcess behaviour modelling using lsm
Process behaviour modelling using lsm
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
 
Rancher Rodeo 13 mai 2022
Rancher Rodeo 13 mai 2022Rancher Rodeo 13 mai 2022
Rancher Rodeo 13 mai 2022
 

Recently uploaded

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

SELinux workshop

  • 2. Whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) – code review – product pentesting – The SELinux guy (not the policy maintainer) Copyright © SUSE 2023 2
  • 3. Outline We will cover: – Basic SELinux introduction – Install it on openSUSE tumbleweed Copyright © SUSE 2023 3
  • 4. Ressources needed Please have an openSUSE Tumbleweed VM ready to play along Make sure you have internet connectivity Copyright © SUSE 2023 4
  • 5. Expectation management As always it’s not possible to cover everything in one talk, so: – Mix between – higher level concepts (∼15 minutes) – practice (∼45 minutes) – You will not become a SELinux expert in an hour – We will go as far as possible with the examples. I can stick around afterwards, but we’ll stop officially after the slot ends Copyright © SUSE 2023 5
  • 6. Nomenclature How to read the slides Shell: $ this is a root shell Default is root. If it’s a different user you’ll see it in the prompt. Listing: I'm the content of a file Copyright © SUSE 2023 6
  • 7. Mandatory access control Discretionary access control (DAC) Usual form of access control in Linux – Typical example: root@workstation ~/ $ ls -l /etc/shadow -rw-r-----. 1 root shadow 1421 /etc/shadow – Discretionary: The owner of an object can control the access of the objects he owns Copyright © SUSE 2023 7
  • 8. Mandatory access control Discretionary access control (DAC) Drawbacks: – Coarse: Basically 3 x rwx – Prone to (user) error johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa -rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa – Hard to analyze – root == God (- capabilities) But it’s familiar, easy to use and to understand Copyright © SUSE 2023 8
  • 9. Mandatory access control Mandatory access control (MAC) Mandatory (in this context): – Access control decisions are not made by the owner – Access control rules are managed centrally Advantages: – Access control in the hand of people who know what they’re doing – Centralized control and review is easy – Often very fine grained → compartmentalization Drawbacks: – Harder to understand – Complex to administrate – Missing experience Copyright © SUSE 2023 9
  • 10. SELinux History Security Enhanced Linux – Linux security module (LSM), developed by the National Security Agency (NSA) Don’t panic, it’s open source and reviewed thoroughly – First release 2000, since then integrated in the Linux kernel Didn’t play a big role at SUSE up to this point Will be the MAC system for ALP (and already is for SLE Micro) So very likely it’s also the future MAC system for openSUSE Copyright © SUSE 2023 10
  • 11. SELinux Basic idea – Type Enforcement (TE). Every object has a – user: unconfined_u – role: unconfined_r – type: unconfined_t – sensitivity: s0-s0 – category: c0.c1023 – These form the Security Context (SC) unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 – In practice the type unconfined_t is all you need Copyright © SUSE 2023 11
  • 12. SELinux SELinux expert with one character If you remember one thing: let it be this Copyright © SUSE 2023 12
  • 13. SELinux Basic idea (Almost) everything has a SC. Sockets, packets, ... 134 security classes – Files root@workstation ~/ $ ls -lZ /etc/shadow ----------. root root system_u:object_r:shadow_t:s0 /etc/shadow – Processes root@workstation ~/ $ ps axZ | grep 'postfix/master' system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/ Copyright © SUSE 2023 13
  • 14. SELinux Basic idea – DAC comes first – Then SELinux. Deny by default – Firewall for system calls Copyright © SUSE 2023 14
  • 15. SELinux SELinux log messages Found in the audit.log type=AVC msg=audit(1416499522.810:77): avc: denied { transition } for pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Copyright © SUSE 2023 15
  • 16. Practice You’ll now change an openSUSE installation to use SELinux. Please boot the machine Copyright © SUSE 2023 16
  • 17. Practice Initial setup Install packages: $ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console policycoreutils-devel selinux-autorelabel podman Set SELinux to enforcing: $ sed -i -e 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config Main config file: /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. # minimum - Modification of targeted policy. Only selected processes are protected. SELINUXTYPE=targeted Copyright © SUSE 2023 17
  • 18. Practice Initial setup Set the necessary boot parameter: $ if ! egrep 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/1 security=selinux selinux=1"/' /etc/default/grub fi $ update-bootloader --refresh Remove audit log, reboot: $ rm /var/log/audit/audit.log $ reboot Copyright © SUSE 2023 18
  • 19. Practice Look around Current SELinux status $ sestatus Have a look at the processes $ ps auxZ Check out the filesystem labels $ ls -laZ / $ ls -laZ /var Check for mislabeled files $ restorecon -Rvn /var $ restorecon -Rv /var Copyright © SUSE 2023 19
  • 20. Practice Look around Check your identity $ id -Z Check denials: $ grep -i avc /var/log/audit/audit.log $ tail -f /var/log/audit/audit.log | grep -i avc Proper way to do this: $ ausearch -m avc,user_avc,selinux_err -ts boot -i Copyright © SUSE 2023 20
  • 21. Practice Linux users to SELinux users: $ semanage login -l Port mappings: $ semanage port -l File label rules: $ semanage fcontext -l Copyright © SUSE 2023 21
  • 22. Practice Booleans: $ semanage boolean -l Enable a boolean: $ semanage boolean -m --on httpd_enable_homedirs Copyright © SUSE 2023 22
  • 23. Practice audit2allow audit2allow: – Analyzes SELinux denial messages – Generates rules to allow necessary access – Is aware of interfaces – Suggests booleans that would allow the access But don’t use it with every denial! Copyright © SUSE 2023 23
  • 24. Practice audit2allow Either pipe AVCs into audit2allow or feed into STDIN and close it: $ audit2allow -R Build SELinux module you can load: $ audit2allow -R -M $NAMEMODULE Copyright © SUSE 2023 24
  • 25. Practice avcs.rb Small wrapper around auserch. Makes reading AVCs easier $ podman run --privileged -v /var/log/audit:/var/log/audit registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest Copyright © SUSE 2023 25
  • 26. Practice Lets cause problems Mislabel some files: $ ls -laZ /usr/sbin/postfix $ chcon -t postfix_map_exec_t /usr/sbin/postfix Check it: $ restorecon -Rvn /usr/sbin/ Restart postfix: $ systemctl restart postfix Copyright © SUSE 2023 26
  • 27. Practice Lets cause problems Check the status: $ systemctl status postfix Why does it fail? You’ll see something like postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied but no AVCs. How do we approach this? Copyright © SUSE 2023 27
  • 28. Practice How to debug SELinux problems Does it happen in permissive mode? $ setenforce 0 Check for denials. If you don’t see any disable dontaudit rules with $ semodule -DB Enable dontaudit again with $ semodule -B Now give audit2allow a try with this ... Check for mislabled files – either because of unaware scripts/programs – policy paths don’t match Copyright © SUSE 2023 28
  • 29. Practice How to debug SELinux problems Search engines/bugtrackers are your friends Howto report a bug: https://en.opensuse.org/openSUSE:Bugreport_SELinux Copyright © SUSE 2023 29
  • 30. Practice How to rescue a system In grub change boot parameters: – Disable SELinux: selinux=0 – Make SELinux permissive: enforcing=0 Copyright © SUSE 2023 30
  • 31. Questions? Thank you for your attention! Copyright © SUSE 2023 31