SE Linux(app armor)


Published in: Technology

  1. SELinux
     • A presentation for C4A Kenya
  2. Table of contents
     • Introduction
     • Rationale and design
     • How to use it
       • SELinux states
       • Managing SELinux
       • Policies
  3. Background
     • Community project
     • Originated in 1980s security research
     • Academic research prototype (Flask), 1990s
     • Ported to Linux, released under GPL in 2000
     • Distro adoption, upstream merge, certification
     • Adoption and innovation by users
  4. Background
     • SELinux = Security Enhanced Linux
     • Formally known as SE tools
     • It is a mechanism for supporting mandatory access control security policies
     • Linux Security Modules (LSM) run in the Linux kernel
  5. SELinux Features
     • Separation of policy from enforcement
     • Predefined policy interfaces
     • Support for applications querying the policy and enforcing access control
     • Independent of specific policies, policy languages, security label formats and contents
     • Caching of access decisions for efficiency
     • Policy changes are possible (!!!)
     • Separate measures for protecting system integrity and data confidentiality
     • Controls over process initialization and inheritance and program execution
     • Controls file systems, directories, files, and open file descriptors
     • Controls over sockets, messages, and network interfaces
     • Coherent stacking
  6. Where is SELinux
     • Red Hat Enterprise Linux v4 / v5
     • CentOS v4 / v5
     • Novell SLES, OpenSuSE
     • Gentoo
     • Debian
  7. Misconceptions about SELinux
     • "Life is too short for SELinux" – Theodore Ts'o
     • Upstream vendors require me to disable SELinux
  8. Why use SELinux
     • It confines services in compartments
     • No, it isn't difficult
     • Flexible
     • Increases security
     • Existing SELinux solution
       • Inflexible
       • Don't meet general requirements
       • Hindered adoption
       • Niche products: expensive and weird
  9. HOW TO USE IT
  10. Changing SELinux States
     • Enforcing: Enable and enforce the SELinux security policy on the system, denying access and logging actions
     • Permissive: Enables, but will not enforce the security policy, only warn and log actions
     • Disabled: SELinux is turned off
  11. Checking the state of SELinux
     • sestatus
       • Enforcing
       • Permissive
  12. Access Control
     • Type Enforcement (TE): The primary mechanism of access control used in the targeted policy
     • Role-Based Access Control (RBAC): Based around SELinux users (not necessarily the same as the Linux user)
     • Multi-Level Security (MLS): Not used and often hidden in the default targeted policy
  13. Relabeling files
     • chcon -R -t httpd_sys_content_t /usr/srv/www
     • semanage fcontext -a -t httpd_sys_content_t "/usr/srv/www(/.*)?"
     • restorecon -Rv -n /var/www/html
     • Relabelling the whole filesystem
       • genhomedircon
       • touch /.autorelabel
       • reboot
  14. Enabling bools and ports
     • Managing ports
       • semanage port -l
       • semanage port -a -t http_port_t -p tcp 8181
     • Managing predefined policies
       • getsebool -a | grep samba
       • setsebool -P samba_enable_home_dirs on
  15. Generating policies
     • less /var/log/audit/audit.log
     • grep zarafa /var/log/audit/audit.log | audit2allow -m zarafa > zarafa.te
  16. Some policy
     • Dovecot Policy
     • Zarafa Policy
     • Spamassassin Policy
  17. Finally over
     • Contact me on Twitter: @Fonuonga
     • Email: Frankie.onuonga@gmail.com
     • Done by: Frank Onuonga
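
Added example (not part of the original slides, and not audit2allow's own code): a simplified Python sketch of what the "Generating policies" pipeline on slide 15 does, turning AVC denials from audit.log into Type Enforcement allow rules for review. The log lines, the type name zarafa_server_t and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit.log AVC format (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.123:101): avc:  denied  { read open } for  pid=2101 comm="zarafa-server" name="server.cfg" dev=sda1 ino=1201 scontext=system_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1300000001.456:102): avc:  denied  { getattr } for  pid=2101 comm="zarafa-server" path="/etc/zarafa/server.cfg" dev=sda1 ino=1201 scontext=system_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1300000002.789:103): avc:  denied  { name_bind } for  pid=2101 comm="zarafa-server" src=8181 scontext=system_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1300000002.789:103): arch=c000003e syscall=49 success=no exit=-13 comm="zarafa-server"
type=AVC msg=audit(1300000003.000:104): avc:  granted  { read } for  pid=2101 comm="zarafa-server" scontext=system_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Only "denied" AVC records are of interest; capture permissions, contexts, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text, needle):
    """Like `grep needle`, then merge denials per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if needle in line else None
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def render_rules(rules):
    """Render the merged denials as TE allow statements, sorted for stable output."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return out

if __name__ == "__main__":
    print("\n".join(render_rules(denials_to_rules(SAMPLE_LOG, "zarafa"))))
```

Read each generated rule before loading it: a denial against a generic type such as port_t or etc_t is often better resolved by labelling the port or file (slides 13 and 14) than by granting the access.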