SELinux workshop
SELinux workshop for openSUSE conference
1.
2023-05-27, Nuremberg
SELinux introduction
Johannes Segitz <jsegitz@suse.com>
2.
Whoami
Johannes Segitz, security engineer at SUSE (Nuremberg, Germany)
– code review
– product pentesting
– the SELinux guy (not the policy maintainer)
Copyright © SUSE 2023
3.
Outline
We will cover:
– a basic SELinux introduction
– installing it on openSUSE Tumbleweed
4.
Resources needed
Please have an openSUSE Tumbleweed VM ready to play along. Make sure you have internet connectivity.
5.
Expectation management
As always it's not possible to cover everything in one talk, so:
– a mix between higher level concepts (~15 minutes) and practice (~45 minutes)
– you will not become a SELinux expert in an hour
– we will go as far as possible with the examples. I can stick around afterwards, but we'll stop officially after the slot ends
6.
Nomenclature: how to read the slides
Shell:
$ this is a root shell
The default is root. If it's a different user you'll see it in the prompt.
Listing:
I'm the content of a file
7.
Mandatory access control: discretionary access control (DAC)
The usual form of access control in Linux.
– Typical example:
root@workstation ~/ $ ls -l /etc/shadow
-rw-r-----. 1 root shadow 1421 /etc/shadow
– Discretionary: the owner of an object decides who may access it
8.
Mandatory access control: DAC drawbacks
– Coarse: basically 3 x rwx (owner, group, everyone else)
– Prone to (user) error:
johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa
-rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa
(a private key that every user on the system can read and overwrite)
– Hard to analyze
– root == God (minus capabilities)
But it's familiar, easy to use and easy to understand.
9.
Mandatory access control (MAC)
Mandatory (in this context):
– access control decisions are not made by the owner
– access control rules are managed centrally
Advantages:
– access control in the hands of people who know what they're doing
– centralized control; review is easy
– often very fine grained → compartmentalization
Drawbacks:
– harder to understand
– complex to administer
– missing experience
10.
SELinux history
Security Enhanced Linux
– Linux security module (LSM), developed by the National Security Agency (NSA). Don't panic, it's open source and reviewed thoroughly
– First release 2000, merged into the mainline Linux kernel with 2.6 (2003)
– Didn't play a big role at SUSE up to this point
– Will be the MAC system for ALP (and already is for SLE Micro)
– So very likely it's also the future MAC system for openSUSE
11.
SELinux basic idea: Type Enforcement (TE)
Every object has a
– user: unconfined_u
– role: unconfined_r
– type: unconfined_t
– sensitivity level: s0-s0
– categories: c0.c1023
These form the security context (SC):
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
In practice the type (here unconfined_t) is the field you need to care about. With the targeted policy the user, role and MLS/MCS range are rarely relevant (containers and sVirt are the notable users of the categories).
12.
SELinux expert with one character
If you remember one thing, let it be this: the character is Z. ls -Z, ps -Z and id -Z (used on the following slides) print the security context.
13.
SELinux basic idea
(Almost) everything has a SC: files, processes, sockets, packets, ... (134 security classes)
– Files:
root@workstation ~/ $ ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
– Processes:
root@workstation ~/ $ ps axZ | grep 'postfix/master'
system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/
14.
SELinux basic idea
– DAC comes first: if the DAC check already fails, SELinux is never consulted
– Then SELinux. Deny by default: only what the policy explicitly allows is permitted
– Think of it as a firewall for system calls
15.
SELinux log messages
Found in the audit log (/var/log/audit/audit.log):
type=AVC msg=audit(1416499522.810:77): avc: denied { transition } for pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Read it as: the source context (scontext, here the process sshd running as kernel_t) was denied the permission in braces (transition) on the target context (tcontext, unconfined_t) of object class process. In other words, sshd was not allowed to execute /usr/bin/zsh as an unconfined_t process. That sshd itself still runs as kernel_t is already a hint that this system was never relabeled.
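The record above is the raw format you will also meet when checking denials later in the practice part. As an added example that is not part of the workshop, here is a small POSIX shell/awk helper that reduces raw AVC records to one line each (command, source type, target type, class, permissions) and counts repeated denials, which is the same grouping audit2allow performs before it suggests rules. It assumes the record layout shown above (scontext=, tcontext= and tclass= after the braces); a record without a comm= field prints "?" there. The first sample record in the test is the one from the slide, the second is constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the workshop slides: summarize raw AVC records.
# Input: raw audit records (audit.log lines, or "ausearch -m avc" without -i), one per line.
# Output per denial: <comm> <source type> -> <target type> <tclass> { perms } [(permissive)]
# Usage: grep avc /var/log/audit/audit.log | avc_count

avc_summary() {
    awk '
    # value of " key=..." with the quotes stripped, or "?" if the key is absent
    function kv(line, key,    m) {
        if (match(line, " " key "=[^ ]*")) {
            m = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
            gsub(/"/, "", m)
            return m
        }
        return "?"
    }
    # the third field of user:role:type[:range] is the type
    function ctx_type(ctx,    a) { split(ctx, a, ":"); return a[3] }
    /avc: *denied/ {
        perms = $0
        sub(/.*avc: *denied *\{ */, "", perms)   # drop everything up to the opening brace
        sub(/ *\}.*/, "", perms)                 # drop the closing brace and the rest
        # permissive=1 marks denials that were logged but not enforced (setenforce 0)
        flag = (kv($0, "permissive") == "1") ? " (permissive)" : ""
        printf "%s %s -> %s %s { %s }%s\n", kv($0, "comm"),
            ctx_type(kv($0, "scontext")), ctx_type(kv($0, "tcontext")),
            kv($0, "tclass"), perms, flag
    }'
}

# same summaries, de-duplicated and sorted by frequency
avc_count() {
    avc_summary | sort | uniq -c | sort -rn
}
```

Pipe `ausearch -m avc,user_avc -ts boot` (without -i, so the records stay raw) into avc_count to get a frequency list of what is being denied since boot; a single type pair with an unexpected target type such as unlabeled_t or default_t usually points at mislabeled files rather than at a missing policy rule.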
16.
Practice
You'll now change an openSUSE installation to use SELinux. Please boot the machine.
17.
Practice: initial setup
Install packages:
$ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console policycoreutils-devel selinux-autorelabel podman
Set SELinux to enforcing:
$ sed -i -e 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
(anchor the pattern with ^; without it the comment line "# SELINUX= can take one of these three values:" is rewritten too)
Main config file, /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
# minimum - Modification of targeted policy. Only selected processes are protected.
SELINUXTYPE=targeted
18.
Practice: initial setup
Set the necessary boot parameters (the \1 back-reference keeps the parameters that are already in GRUB_CMDLINE_LINUX_DEFAULT):
$ if ! grep -E 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/\1 security=selinux selinux=1"/' /etc/default/grub; fi
$ update-bootloader --refresh
Remove the audit log and reboot:
$ rm /var/log/audit/audit.log
$ reboot
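The two file edits on the initial setup slides are easy to get subtly wrong (an unanchored SELINUX= pattern also rewrites the comment line, a lost backslash in \1 throws away the existing kernel parameters, and running the grub sed twice appends the parameters twice). As an added example that is not part of the workshop, the same edits are written here as idempotent POSIX shell functions that take the file path as an argument, so they can be exercised on copies before touching /etc. They assume an /etc/selinux/config-style file with a SELINUX= line and an /etc/default/grub with a GRUB_CMDLINE_LINUX_DEFAULT="..." line whose value contains no double quotes.

```sh
#!/bin/sh
# Added example, not part of the workshop slides: the "Initial setup" file edits
# as idempotent functions. Assumes /etc/selinux/config and /etc/default/grub layouts.
# Usage on the real system (as root), then "update-bootloader --refresh && reboot":
#   set_selinux_mode /etc/selinux/config enforcing
#   add_grub_selinux_params /etc/default/grub

# _edit_in_place FILE SED-ARGS...: rewrite FILE with the given sed arguments
_edit_in_place() {
    _file=$1; shift
    _tmp=$(mktemp) || return 1
    # cat back into the original keeps its owner and mode (mv would replace the inode)
    sed "$@" "$_file" > "$_tmp" && cat "$_tmp" > "$_file"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# set_selinux_mode FILE MODE  (MODE: enforcing|permissive|disabled)
set_selinux_mode() {
    case $2 in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: invalid mode '$2'" >&2; return 1 ;;
    esac
    if grep -q '^SELINUX=' "$1"; then
        # anchored with ^ so the "# SELINUX= can take ..." comment line is left alone
        _edit_in_place "$1" -e "s/^SELINUX=.*/SELINUX=$2/"
    else
        printf 'SELINUX=%s\n' "$2" >> "$1"
    fi
}

# add_grub_selinux_params FILE: append "security=selinux selinux=1" to
# GRUB_CMDLINE_LINUX_DEFAULT unless both parameters are already present
add_grub_selinux_params() {
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*security=selinux' "$1" &&
       grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*selinux=1' "$1"; then
        return 0
    fi
    # \1\2 keep the existing parameters; the second expression removes the
    # leading space that an empty default line would otherwise get
    _edit_in_place "$1" -E \
        -e 's/^(GRUB_CMDLINE_LINUX_DEFAULT=")([^"]*)"/\1\2 security=selinux selinux=1"/' \
        -e 's/^(GRUB_CMDLINE_LINUX_DEFAULT=") /\1/'
}
```

Both functions only touch the two files; the bootloader refresh and the reboot from the slide are still needed afterwards, and on first boot the selinux-autorelabel package from the previous slide takes care of labeling the filesystem.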
19.
Practice: look around
Current SELinux status:
$ sestatus
Have a look at the processes:
$ ps auxZ
Check out the filesystem labels:
$ ls -laZ /
$ ls -laZ /var
Check for mislabeled files (-n only reports what would change, the second command actually relabels):
$ restorecon -Rvn /var
$ restorecon -Rv /var
20.
Practice: look around
Check your identity:
$ id -Z
Check denials:
$ grep -i avc /var/log/audit/audit.log
$ tail -f /var/log/audit/audit.log | grep -i avc
Proper way to do this:
$ ausearch -m avc,user_avc,selinux_err -ts boot -i
21.
Practice
Linux users to SELinux users:
$ semanage login -l
Port mappings:
$ semanage port -l
File label rules:
$ semanage fcontext -l
22.
Practice
Booleans:
$ semanage boolean -l
Enable a boolean (persistently; setsebool -P httpd_enable_homedirs on does the same):
$ semanage boolean -m --on httpd_enable_homedirs
23.
Practice: audit2allow
audit2allow:
– analyzes SELinux denial messages
– generates rules to allow the necessary access
– is aware of interfaces
– suggests booleans that would allow the access
But don't use it with every denial! A denial may be the policy doing exactly its job, or a symptom of mislabeled files; allowing it blindly only punches a hole into the policy.
24.
Practice: audit2allow
Either pipe AVCs into audit2allow or paste them on stdin and close it (Ctrl-D):
$ audit2allow -R
Build an SELinux module you can load:
$ audit2allow -R -M $NAMEMODULE
$ semodule -i $NAMEMODULE.pp
25.
Practice: avcs.rb
Small wrapper around ausearch. Makes reading AVCs easier:
$ podman run --privileged -v /var/log/audit:/var/log/audit registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest
26.
Practice: let's cause problems
Mislabel some files:
$ ls -laZ /usr/sbin/postfix
$ chcon -t postfix_map_exec_t /usr/sbin/postfix
Check it (restorecon -n reports the file whose label differs from the policy without changing it):
$ restorecon -Rvn /usr/sbin/
Restart postfix:
$ systemctl restart postfix
27.
Practice: let's cause problems
Check the status:
$ systemctl status postfix
Why does it fail? You'll see something like
postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied
but no AVCs. How do we approach this?
28.
Practice: how to debug SELinux problems
Does it happen in permissive mode?
$ setenforce 0
(setenforce 1 switches back to enforcing)
Check for denials. If you don't see any, disable the dontaudit rules (policy rules that deliberately silence expected denials) with
$ semodule -DB
and enable dontaudit again afterwards with
$ semodule -B
Now give audit2allow a try with this ...
Check for mislabeled files, either because of unaware scripts/programs (mv, for example, keeps the label of the original file instead of taking the one the policy expects at the destination) or because the policy's paths don't match the installation.
29.
Practice: how to debug SELinux problems
Search engines/bug trackers are your friends.
How to report a bug: https://en.opensuse.org/openSUSE:Bugreport_SELinux
30.
Practice: how to rescue a system
In grub change the boot parameters:
– Disable SELinux: selinux=0
– Make SELinux permissive: enforcing=0
Prefer enforcing=0: after a boot with selinux=0 any files created in the meantime carry no labels, so relabel (touch /.autorelabel) before going back to enforcing.
31.
Questions?
Thank you for your attention!