An Introduction to SELinux

Toshaan Bharvani - VanTosh bvba <toshaan@vantosh.com>

Linux Open Administration Days
10 April 2010

An Introduction to SELinux         Toshaan Bharvani - VanTosh bvba   1 / 18
$ whoami

    Toshaan Bharvani
        Currently working at VanTosh
        Has been involved with CentOS
        Likes to keep everything secure
        Involved with hardware and software
Table of contents

    1   Introduction
    2   How to use it
            SELinux states
            Managing SELinux
            Policies
1   Introduction
What is SELinux

    SELinux = Security-Enhanced Linux
    Mechanism for supporting mandatory access control security policies
    Built on the Linux Security Modules (LSM) framework, which runs in the Linux kernel
SELinux features

    Separation of policy from enforcement
    Predefined policy interfaces
    Support for applications querying the policy and enforcing access control
    Independent of specific policies, policy languages, security label formats and contents
    Caching of access decisions for efficiency
    Policy changes are possible (!!!)
    Separate measures for protecting system integrity and data confidentiality
    Controls over process initialization, inheritance and program execution
    Controls over file systems, directories, files, and open file descriptors
    Controls over sockets, messages, and network interfaces
Where is SELinux

    Red Hat Enterprise Linux v4 / v5
    CentOS v4 / v5
    Novell SLES, openSUSE
    Gentoo
    Debian
    ...
Misconceptions about SELinux

    “Life is too short for SELinux” – Theodore Ts’o
    Upstream vendors require me to disable SELinux
Why use SELinux?

    It confines services in compartments
    No, it isn’t difficult
    Increases security
2   How to use it
Changing SELinux states

    Enforcing
        SELinux is enabled and enforces the security policy on the system: disallowed access is denied and logged
    Permissive
        SELinux is enabled but does not enforce the security policy: disallowed access is only warned about and logged
    Disabled
        SELinux is turned off
Checking the state of SELinux

    sestatus
        Enforcing
        Permissive
Access Control

    Type Enforcement (TE)
        The primary mechanism of access control used in the targeted policy
    Role-Based Access Control (RBAC)
        Based around SELinux users (not necessarily the same as the Linux user)
    Multi-Level Security (MLS)
        Not used and often hidden in the default targeted policy.
Relabelling files

    chcon -R -t httpd_sys_content_t /usr/srv/www
    semanage fcontext -a -t httpd_sys_content_t "/usr/srv/www(/.*)?"
    restorecon -Rv -n /var/www/html

    Relabelling the whole filesystem
        genhomedircon
        touch /.autorelabel
        reboot
Enabling bools & ports

    Managing ports
        semanage port -l
        semanage port -a -t http_port_t -p tcp 8181

    Managing predefined policies (booleans)
        getsebool -a | grep samba
        setsebool -P samba_enable_home_dirs on
Generating policies

    less /var/log/audit/audit.log
    grep zarafa /var/log/audit/audit.log | audit2allow -m zarafa > zarafa.te
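The grep-then-audit2allow pipeline on this slide, as an added Python example that is not part of the slides and not audit2allow's own code: it parses AVC denial records from audit.log, filters them by the keyword the slide greps for, and drafts the same kind of .te module that audit2allow -m writes, so each rule can be reviewed (and rejected in favour of a relabel or a boolean from the earlier slides) before it is built and loaded. The audit log lines, the zarafa_server_t domain and the record regex are assumptions of the example.

```python
"""Triage SELinux AVC denials and draft a .te policy module from them.

Added example, not code from the slides or from audit2allow; the audit
log lines below are constructed for the example.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1270900000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="zarafa-server" scontext=system_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1270900001.456:457): avc:  denied  { read open } for  pid=1234 comm="zarafa-server" path="/etc/zarafa/server.cfg" dev=dm-0 ino=2345 scontext=system_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1270900002.789:458): avc:  denied  { write } for  pid=2222 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1270900002.789:458): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# One AVC record: denied permissions in braces, then the source and
# target contexts and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def parse_avc_denials(log_text, keyword=None):
    """Return (source_type, target_type, tclass, perms) per denial.
    `keyword` plays the role of the slide's `grep zarafa`; non-AVC records
    (SYSCALL etc.) are skipped."""
    denials = []
    for line in log_text.splitlines():
        if keyword and keyword not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; allow rules only need the type.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = tuple(sorted(m.group("perms").split()))
        denials.append((stype, ttype, m.group("tclass"), perms))
    return denials

def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def draft_te_module(denials, name):
    """Merge denials into allow rules rendered like `audit2allow -m NAME`.
    Review each rule before loading it: a denial against a system type such
    as etc_t usually means the file needs relabelling (restorecon) or a
    boolean (setsebool), not a new allow rule for the domain."""
    rules = defaultdict(set)        # (stype, ttype, tclass) -> perms
    class_perms = defaultdict(set)  # tclass -> perms, for the require block
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)].update(perms)
        class_perms[tclass].update(perms)
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), p in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{c} {_fmt_perms(p)};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(draft_te_module(parse_avc_denials(SAMPLE_AUDIT_LOG, "zarafa"), "zarafa"))
```

The httpd_t denial is dropped by the keyword filter, exactly as the slide's grep would drop it; with no keyword all three denials are returned and would end up in one module, which is why filtering by the service being confined matters.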
Some Policy

    Dovecot Policy
    Zarafa Policy
    Spamassassin Policy
The End

    Thank You

    Toshaan Bharvani - VanTosh bvba <toshaan@vantosh.com>
    http://www.vantosh.com/publications

    Made with Beamer LaTeX, a TeX-based presentation program
