SELinux by Example

•

0 likes•84 views

This document discusses using SELinux to restrict access when running untrusted code on a backend server. It provides an example policy that defines new types like myserver_t and convert_exec_t, sets domain transitions between them, uses policy macros to grant access to necessary files, and defines file contexts. The example policy restricts a PHP server and image conversion process while allowing them minimal access to perform their functions.

Software

SELinux by Example
Miroslav Spousta <qiq@ucw.cz>

Example
Running untrusted code on the backend server

Example
Running untrusted code on the backend server
- WTF?

Example
Running untrusted code on the backend server
- export web page as PDF to send it by e-mail
- use headless browser (e.g. PhantomJS)
- based on (obsolete?) WebKit browser
- possibly running customer’s code (JavaScript)
- must restrict access to filesystem and network

How to Restrict Access?
Separate virtual machine for every export task?
- too heavy weight (setup, resources)
UNIX permissions and ACLs?
- coarse-grained, hard to manage, inflexible
SELinux seems to be a perfect fit here
- may be used to restrict all programs

SELinux?!
Available since ~2004 (Fedora 3), kernel 2.6
- everybody knows how to switch it off
MAC (Mandatory Access Control)
Too complicated? Not really!
Not explicitly allowed? => denied
- targeted policy - only restrict some programs

SELinux Labels
Label for files, processes, ports
- process is given access to files, ports

SELinux Labels
Label for files, processes, ports
- process is given access to files, ports
UNIX: almost everything is file

SELinux Labels
Label for files, processes, ports
- process is given access to files, ports
UNIX: almost everything is file
subject objects

SELinux Labels
Label for files, processes, ports
- process is given access to files, ports
Every process is running in some domain
- confined or unconfined
- transition from domain to another on exec(2)

How to Create Policy
1. create domain transition
2. run program in permissive mode, inspect log
3. add rules (use policy macros, if possible)
- audit2allow helps
- setenforce 1; setenforce 0 clears AVC cache
4. run program in enforcing mode

Example
… example policy for HTTP server running
image to PDF conversion service

Example
… example policy for HTTP server running
image to PDF conversion service
- policy consists of .fc, .if and .te files
- compile and load using Makefile provided

Example
- type definitions
# myserver.te
policy_module(myserver, 1.0.0)
# required types
gen_require(`
type unconfined_t;
type proc_t;
type sysfs_t;
type tmp_t;
')
# new types
type myserver_exec_t;
type myserver_t;
type convert_exec_t;
role unconfined_r types myserver_t;

Example
- type definitions
- domain transition
# force domain transition executing myserver_exec_t
domain_type(myserver_t)
domain_entry_file(myserver_t,myserver_exec_t)
domtrans_pattern(unconfined_t,myserver_exec_t,myserv
er_t)

Example
- type definitions
- domain transition
- macros
# allow read of /usr/bin/* files
corecmd_read_bin_files(myserver_t)
# allow read of e.g. /usr/share/* files
files_read_usr_files(myserver_t)
# localization
miscfiles_read_localization(myserver_t)

$Example - type definitions - domain transition - macros - allow rules # allow to listen on port 8080 allow myserver_t http_cache_port_t:tcp_socket name_bind; # allow to run convert allow myserver_t convert_exec_t:file { read execute open getattr execute_no_trans }; allow myserver_t node_t:tcp_socket node_bind; allow myserver_t self:fifo_file { read write ioctl getattr }; allow myserver_t self:process getsched; allow myserver_t self:tcp_socket { setopt read bind create ioctl accept write getattr listen };$

$Example - type definitions - domain transition - macros - allow rules - dontaudit rules dontaudit myserver_t etc_t:file { read getattr open }; dontaudit myserver_t proc_t:file { read getattr open }; dontaudit myserver_t sysfs_t:dir search; dontaudit myserver_t sysfs_t:file { read open }; dontaudit myserver_t user_devpts_t:chr_file { read write ioctl }; dontaudit myserver_t user_home_dir_t:dir search;$

Example
- type definitions
- domain transition
- macros
- allow rules
- dontaudit rules
- file contexts
# myserver.fc
/usr/bin/myserver.pl --
gen_context(system_u:object_r:myserver_exec_t,s0)
/usr/bin/convert --
gen_context(system_u:object_r:convert_exec_t,s0)

- make -f /usr/share/selinux/default/include/Makefile load
- semanage; sestatus; setenforce [0|1]
- ps -Z; ls -Z; id -Z
- chcon; restorecon; fixfiles
- audit2allow </var/log/audit/audit.log
- strace
Tooling

What's hot

On November 7, 2013, the FreeBSD Vendor Summit was held at the Yahoo! campus in Sunnyvale, California. Craig Rodrigues, iXsystems software engineer, gave a presentation, "Jenkins, BHyve, and WebDriver: Continuous Integration Testing on FreeNAS". Craig's presentation described how iXsystems is using modern best practices for building and testing FreeNAS code. Jenkins is a framework for doing continuous builds and integration, and is used by hundreds of companies. BHyve (BSD Hypvervisor) is the new virtual machine system which will be part of FreeBSD 10. Webdriver is a Python toolkit for testing web applications. By combining these technologies, iXsystems is developing a modern and sophisticated workflow for testing and improving the quality of FreeNAS.

Jenkins, Bhyve, and Webdriver: Continuous Integration testing on FreeNAS by C...

iXsystems

Samba

tmavroidis

Ltsp talk

Kanchilug

SELF 2014: PBI v10: Application Management Made Easy

Ken Moore

Websocket technology for XPages

Csaba Kiss

Presentation on samba server & apache server

Manoz Kumar

At SCALE 12x, John Hixson, Senior Software Developer at iXsystems, gave a his talk, "Introduction to FreeNAS development". FreeNAS has been around for several years now but development on it has been by very few people. Even with corporate sponsorshipt and a team of full time developers, outside interest has been minimal. Not a week goes by when a bug report or feature request is not filed. Documentation on how to develop on FreeNAS simply does not exist. Currently, the only way to come up to speed on FreeNAS development is to obtain the source code, read through it, modify it and verify it works. The goal of this paper is to create a simple FreeNAS application to demonstrate some of the common methods used when dealing with FreeNAS development, as well as showcase some of the API.

Introduction to FreeNAS development by John Hixson

iXsystems

Linux system administration

orionsconsulting

ops300 Week5 storage (1)

trayyoo

بسم الله الرحمن الرحیم

Zia Hotak

Sweden11

Dru Lavigne

Стажировка 2015. Разработка. Занятие 5. Использование nginx

Ltsp Slide

Ltsp

Cloud Compt

BSD for Linux Users

Restricting unix users

Muqthiyar Pasha

SMB3 Offload Data Transfer (ODX)

gordonross

Python on FreeBSD

pycontw

What's hot (19)

Jenkins, Bhyve, and Webdriver: Continuous Integration testing on FreeNAS by C...

Samba

Ltsp talk

SELF 2014: PBI v10: Application Management Made Easy

Websocket technology for XPages

Presentation on samba server & apache server

Introduction to FreeNAS development by John Hixson

Linux system administration

ops300 Week5 storage (1)

بسم الله الرحمن الرحیم

Sweden11

Стажировка 2015. Разработка. Занятие 5. Использование nginx

Ltsp Slide

Ltsp

Cloud Compt

BSD for Linux Users

Restricting unix users

SMB3 Offload Data Transfer (ODX)

Python on FreeBSD

Similar to SELinux by Example

Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp

rgster

Php myadmin

IDEUCOM TECHNICAL SUPORT NETORKING COMPUTER

Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea

webhostingguy

FreeBSD and Hardening Web Server

Muhammad Moinur Rahman

Docker offers a new, lightweight approach to application portability. Applications are shipped using a common container format, and managed with a high-level API. Their processes run within isolated namespaces which abstract the operating environment, independently of the distribution, versions, network setup, and other details of this environment. This "containerization" has often been nicknamed "the new virtualization". But containers are more than lightweight virtual machines. Beyond their smaller footprint, shorter boot times, and higher consolidation factors, they also bring a lot of new features and use cases which were not possible with classical virtual machines. We will focus on one of those features: separation of operational concerns. Specifically, we will demonstrate how some fundamental tasks like logging, remote access, backups, and troubleshooting can be entirely decoupled from the deployment of applications and services. This decoupling results in independent, smaller, simpler moving parts; just like microservice architectures break down large monolithic apps in more manageable components.

Containerization is more than the new Virtualization: enabling separation of ...

Jérôme Petazzoni

So wie sich PHP weiterentwickelt, so entwickelt sich auch die Art der Programmierung weiter. Die Zeiten sind vorbei, in denen PHP nur von Hobbyprogrammierern genutzt wurde. Doch mit dem Anspruch an die Projekte steigt auch der Anspruch bei der Entwicklung. Schnell wird hierbei auf eine leistungsstarke IDE wie Eclipse PDT, Zend Studio oder Netbeans zurückgegriffen. Doch wie sieht eine anspruchsvolle Entwicklung mit solch einer IDE aus? Dieser Workshop wird Ihnen am Beispiel von der IDE Eclipse PDT demonstrieren, wie solch eine Entwicklung aussehen kann. Im Detail wird Ihnen gezeigt, wie Sie mittels SVN und Subversive Ihren Code mit mehreren Leuten gemeinsam pflegen und entwickeln und wie Sie die Entwicklungsumgebung Ihren Bedürfnissen anpassen, um z.B. mittels phing eigene Build-Prozesse anstoßen zu können. Damit Sie direkt eigene Erfahrungen sammeln können, würden wir Ihnen herzlich anraten, Ihren Laptop mitzubringen. Um zeitraubenden Installationen vorzubeugen, wird Ihnen ein Ubuntu in Form einer Live-CD bereitgestellt. Teilnehmer mit bestehender Linux-Installation und entsprechenden Rechten können ihr System während des Workshops direkt für den täglichen Gebrauch einrichten.

Advanced Eclipse Workshop (held at IPC2010 -spring edition-)

Bastian Feder

This presentation introduces Node.js in a few simple, straightforward steps. First, Node.js is presented as just JavaScript on the browser, then HTTP handling is discussed with core module http and subsequently using Express. Running Oracle JET from Node.js is explained. The implementation of APIs - REST services supporting various [operations on] resources is discussed. The single-thread nature of Node.js is presented, along with the essentials of asynchrous programming, working with callbacks and using the async module. The Node Oracle DB Database driver is introduced and demonstrated. Finally, further steps are suggested. This presentation is supported by a set of resources that constitute a three hour hands on session - sources are in GitHub https://github.com/lucasjellema/sig-nodejs-amis-2016.

Introducing Node.js in an Oracle technology environment (including hands-on)

Lucas Jellema

LCJ2010-KaiGai-Memcached

Kohei KaiGai

Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more. In this demo, I will show how to build a Apache image from a Dockerfile and deploy a PHP application which is present in an external folder using custom configuration files.

Docker - Demo on PHP Application deployment

Arun prasath

Deploying nginx with minimal system resources

Max Ukhanov

RHCE (RED HAT CERTIFIED ENGINEERING)

Sumant Garg

PuppetDB: Sneaking Clojure into Operations

grim_radical

Linux has become integral part of Embedded systems. This presentation gives deeper perspective of Linux from system programming perspective. Stating with basics of Linux it goes on till advanced aspects like system calls, process subsystem, inter process communication mechanisms, thread and various synchronization mechanisms like mutex and semaphores. Understanding these services provided by Linux are essential for embedded systems engineer. These constructs helps users to write efficient programs in Linux environment

Linux-Internals-and-Networking

Emertxe Information Technologies Pvt Ltd

IT Operations for Web Developers

Mahmoud Said

Docker interview Questions-3.pdf

Yogeshwaran R

Open shift and docker - october,2014

Hojoong Kim

SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments

SaltStack

Ch 22: Web Hosting and Internet Servers

webhostingguy

Evil Superuser's HOWTO: Launching instances to do your bidding. You click 'run' on the OpenStack dashboard, or launch a new instance via the api. Some provisioning magic happens and soon you've got a server created especially for you. Did you ever wonder what magic happens to a standard image on boot? Have you wanted to launch instances and have them into your infrastructure with no manual interaction? Cloud-init is software that runs in most linux instances. It can take your input and do your bidding. Learn what things cloud-init magically does for you and how you can make it do more. Also, take advantage of the after-talk to pester cloud-init developers on what is missing or throw rotten fruits in their direction.

Cloud init and cloud provisioning [openstack summit vancouver]

Joshua Harlow

Lotus Domino 8.5

Lalit Sharma

Similar to SELinux by Example (20)

Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp

Php myadmin

Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea

FreeBSD and Hardening Web Server

Containerization is more than the new Virtualization: enabling separation of ...

Advanced Eclipse Workshop (held at IPC2010 -spring edition-)

Introducing Node.js in an Oracle technology environment (including hands-on)

LCJ2010-KaiGai-Memcached

Docker - Demo on PHP Application deployment

Deploying nginx with minimal system resources

RHCE (RED HAT CERTIFIED ENGINEERING)

PuppetDB: Sneaking Clojure into Operations

Linux-Internals-and-Networking

IT Operations for Web Developers

Docker interview Questions-3.pdf

Open shift and docker - october,2014

SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments

Ch 22: Web Hosting and Internet Servers

Cloud init and cloud provisioning [openstack summit vancouver]

Lotus Domino 8.5

Recently uploaded

AI/ML Infra Meetup | Perspective on Deep Learning Framework

Alluxio, Inc.

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

XfilesPro

GlobusWorld 2024 Opening Keynote session

Globus

COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Globus

The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month. The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies. However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News. Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!

SOCRadar Research Team: Latest Activities of IntelBroker

SOCRadar

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos https://www.amb-review.com/tubetrivia-ai Exclusive Features: AI-Powered Questions, Wide Range of Categories, Adaptive Difficulty, User-Friendly Interface, Multiplayer Mode, Regular Updates. #TubeTriviaAI #QuizVideoMagic #ViralQuizVideos #AIQuizGenerator #EngageExciteExplode #MarketingRevolution #BoostYourTraffic #SocialMediaSuccess #AIContentCreation #UnlimitedTraffic

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

AMB-Review

Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.

How Recreation Management Software Can Streamline Your Operations.pptx

wottaspaceseo

Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ? Venez le découvrir lors de cette session ignite

Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...

Anthony Dahanne

AI/ML Infra Meetup May. 23, 2024 Organized by Alluxio For more Alluxio Events: https://www.alluxio.io/events/ Speaker: - Junchen Jiang (Assistant Professor of Computer Science, @University of Chicago) Prefill in LLM inference is known to be resource-intensive, especially for long LLM inputs. While better scheduling can mitigate prefill’s impact, it would be fundamentally better to avoid (most of) prefill. This talk introduces our preliminary effort towards drastically minimizing prefill delay for LLM inputs that naturally reuse text chunks, such as in retrieval-augmented generation. While keeping the KV cache of all text chunks in memory is difficult, we show that it is possible to store them on cheaper yet slower storage. By improving the loading process of the reused KV caches, we can still significantly speed up prefill delay while maintaining the same generation quality.

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG

Alluxio, Inc.

Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...

informapgpstrackings

AI/ML Infra Meetup May. 23, 2024 Organized by Alluxio For more Alluxio Events: https://www.alluxio.io/events/ Speaker: - Lu Qiu (Data & AI Platform Tech Lead, @Alluxio) - Siyuan Sheng (Senior Software Engineer, @Alluxio) Speed and efficiency are two requirements for the underlying infrastructure for machine learning model development. Data access can bottleneck end-to-end machine learning pipelines as training data volume grows and when large model files are more commonly used for serving. For instance, data loading can constitute nearly 80% of the total model training time, resulting in less than 30% GPU utilization. Also, loading large model files for deployment to production can be slow because of slow network or storage read operations. These challenges are prevalent when using popular frameworks like PyTorch, Ray, or HuggingFace, paired with cloud object storage solutions like S3 or GCS, or downloading models from the HuggingFace model hub. In this presentation, Lu and Siyuan will offer comprehensive insights into improving speed and GPU utilization for model training and serving. You will learn: - The data loading challenges hindering GPU utilization - The reference architecture for running PyTorch and Ray jobs while reading data from S3, with benchmark results of training ResNet50 and BERT - Real-world examples of boosting model performance and GPU utilization through optimized data access

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...

Alluxio, Inc.

Studiovity film pre-production and screenwriting software

info611746

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Shahin Sheidaei

Globus Connect Server Deep Dive - GlobusWorld 2024

Globus

Using IESVE for Room Loads Analysis - Australia & New Zealand

IES VE

BoxLang: Review our Visionary Licenses of 2024

Ortus Solutions, Corp

2024 RoOUG Security model for the cloud.pptx

Georgi Kodinov

AI/ML Infra Meetup May. 23, 2024 Organized by Alluxio For more Alluxio Events: https://www.alluxio.io/events/ Speaker: - Eric Wang (Software Engineer, @Uber) Uber has numerous deep learning models, most of which are highly complex with many layers and a vast number of features. Understanding how these models work is challenging and demands significant resources to experiment with various training algorithms and feature sets. With ML explainability, the ML team aims to bring transparency to these models, helping to clarify their predictions and behavior. This transparency also assists the operations and legal teams in explaining the reasons behind specific prediction outcomes. In this talk, Eric Wang will discuss the methods Uber used for explaining deep learning models and how we integrated these methods into the Uber AI Michelangelo ecosystem to support offline explaining.

AI/ML Infra Meetup | ML explainability in Michelangelo

Alluxio, Inc.

Recently uploaded (20)

AI/ML Infra Meetup | Perspective on Deep Learning Framework

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

GlobusWorld 2024 Opening Keynote session

Developing Distributed High-performance Computing Capabilities of an Open Sci...

SOCRadar Research Team: Latest Activities of IntelBroker

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

How Recreation Management Software Can Streamline Your Operations.pptx

Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG

Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...

Studiovity film pre-production and screenwriting software

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Globus Connect Server Deep Dive - GlobusWorld 2024

Using IESVE for Room Loads Analysis - Australia & New Zealand

BoxLang: Review our Visionary Licenses of 2024

2024 RoOUG Security model for the cloud.pptx

AI/ML Infra Meetup | ML explainability in Michelangelo

SELinux by Example

1. SELinux by Example Miroslav Spousta <qiq@ucw.cz>

2. Example Running untrusted code on the backend server

3. Example Running untrusted code on the backend server - WTF?

4. Example Running untrusted code on the backend server - export web page as PDF to send it by e-mail - use headless browser (e.g. PhantomJS) - based on (obsolete?) WebKit browser - possibly running customer’s code (JavaScript) - must restrict access to filesystem and network

5. How to Restrict Access? Separate virtual machine for every export task? - too heavy weight (setup, resources) UNIX permissions and ACLs? - coarse-grained, hard to manage, inflexible SELinux seems to be a perfect fit here - may be used to restrict all programs

6. SELinux?! Available since ~2004 (Fedora 3), kernel 2.6 - everybody knows how to switch it off MAC (Mandatory Access Control) Too complicated? Not really! Not explicitly allowed? => denied - targeted policy - only restrict some programs

7. SELinux Labels Label for files, processes, ports - process is given access to files, ports

8. SELinux Labels Label for files, processes, ports - process is given access to files, ports UNIX: almost everything is file

9. SELinux Labels Label for files, processes, ports - process is given access to files, ports UNIX: almost everything is file subject objects

10. SELinux Labels Label for files, processes, ports - process is given access to files, ports Every process is running in some domain - confined or unconfined - transition from domain to another on exec(2)

11. How to Create Policy 1. create domain transition 2. run program in permissive mode, inspect log 3. add rules (use policy macros, if possible) - audit2allow helps - setenforce 1; setenforce 0 clears AVC cache 4. run program in enforcing mode

12. Example … example policy for HTTP server running image to PDF conversion service

13. Example … example policy for HTTP server running image to PDF conversion service - policy consists of .fc, .if and .te files - compile and load using Makefile provided

14. Example - type definitions # myserver.te policy_module(myserver, 1.0.0) # required types gen_require(` type unconfined_t; type proc_t; type sysfs_t; type tmp_t; ') # new types type myserver_exec_t; type myserver_t; type convert_exec_t; role unconfined_r types myserver_t;

15. Example - type definitions - domain transition # force domain transition executing myserver_exec_t domain_type(myserver_t) domain_entry_file(myserver_t,myserver_exec_t) domtrans_pattern(unconfined_t,myserver_exec_t,myserv er_t)

16. Example - type definitions - domain transition - macros # allow read of /usr/bin/* files corecmd_read_bin_files(myserver_t) # allow read of e.g. /usr/share/* files files_read_usr_files(myserver_t) # localization miscfiles_read_localization(myserver_t)

17. Example - type definitions - domain transition - macros - allow rules # allow to listen on port 8080 allow myserver_t http_cache_port_t:tcp_socket name_bind; # allow to run convert allow myserver_t convert_exec_t:file { read execute open getattr execute_no_trans }; allow myserver_t node_t:tcp_socket node_bind; allow myserver_t self:fifo_file { read write ioctl getattr }; allow myserver_t self:process getsched; allow myserver_t self:tcp_socket { setopt read bind create ioctl accept write getattr listen };

18. Example - type definitions - domain transition - macros - allow rules - dontaudit rules dontaudit myserver_t etc_t:file { read getattr open }; dontaudit myserver_t proc_t:file { read getattr open }; dontaudit myserver_t sysfs_t:dir search; dontaudit myserver_t sysfs_t:file { read open }; dontaudit myserver_t user_devpts_t:chr_file { read write ioctl }; dontaudit myserver_t user_home_dir_t:dir search;

19. Example - type definitions - domain transition - macros - allow rules - dontaudit rules - file contexts # myserver.fc /usr/bin/myserver.pl -- gen_context(system_u:object_r:myserver_exec_t,s0) /usr/bin/convert -- gen_context(system_u:object_r:convert_exec_t,s0)

20. - make -f /usr/share/selinux/default/include/Makefile load - semanage; sestatus; setenforce [0|1] - ps -Z; ls -Z; id -Z - chcon; restorecon; fixfiles - audit2allow </var/log/audit/audit.log - strace Tooling

SELinux by Example

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to SELinux by Example

Similar to SELinux by Example (20)

Recently uploaded

Recently uploaded (20)

SELinux by Example