2023-05-27, NUREMBERG
SELinux introduction
Johannes Segitz <jsegitz@suse.com>
Whoami
Johannes Segitz, security engineer at SUSE (Nuremberg, Germany)
– code review
– product pentesting
– The SELinux guy (not the policy maintainer)
Copyright © SUSE 2023 2
Outline
We will cover:
– Basic SELinux introduction
– Install it on openSUSE Tumbleweed
Resources needed
Please have an openSUSE Tumbleweed VM ready to play along
Make sure you have internet connectivity
Expectation management
As always it’s not possible to cover everything in one talk, so:
– Mix between
– higher level concepts (∼15 minutes)
– practice (∼45 minutes)
– You will not become a SELinux expert in an hour
– We will go as far as possible with the examples. I can stick around
afterwards, but we’ll stop officially after the slot ends
Nomenclature
How to read the slides
Shell:
$ this is a root shell
Default is root. If it’s a different user you’ll see it in the prompt.
Listing:
I'm the content of a file
Mandatory access control
Discretionary access control (DAC)
Usual form of access control in Linux
– Typical example:
root@workstation ~/ $ ls -l /etc/shadow
-rw-r-----. 1 root shadow 1421 /etc/shadow
– Discretionary: the owner of an object decides who may access the
objects they own
Mandatory access control
Discretionary access control (DAC)
Drawbacks:
– Coarse: Basically 3 x rwx
– Prone to (user) error
johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa
-rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa
– Hard to analyze
– root == God (- capabilities)
But it’s familiar, easy to use and to understand
Mandatory access control
Mandatory access control (MAC)
Mandatory (in this context):
– Access control decisions are not made by the owner
– Access control rules are managed centrally
Advantages:
– Access control in the hand of people who know what they’re doing
– Centralized control and review is easy
– Often very fine grained → compartmentalization
Drawbacks:
– Harder to understand
– Complex to administrate
– Missing experience
SELinux
History
Security Enhanced Linux
– Linux security module (LSM), developed by the National Security
Agency (NSA)
Don’t panic, it’s open source and reviewed thoroughly
– First release 2000, since then integrated in the Linux kernel
Didn’t play a big role at SUSE up to this point
Will be the MAC system for ALP (and already is for SLE Micro)
So very likely it’s also the future MAC system for openSUSE
SELinux
Basic idea
– Type Enforcement (TE). Every object has a
– user: unconfined_u
– role: unconfined_r
– type: unconfined_t
– sensitivity: s0-s0
– category: c0.c1023
– These form the Security Context (SC)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
– In practice the type (here unconfined_t) is all you need to care about
SELinux
SELinux expert with one character
If you remember one thing: let it be this
SELinux
Basic idea
(Almost) everything has a SC: sockets, packets, ... (134 security classes)
– Files
root@workstation ~/ $ ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
– Processes
root@workstation ~/ $ ps axZ | grep 'postfix/master'
system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/
SELinux
Basic idea
– DAC comes first
– Then SELinux. Deny by default
– Firewall for system calls
SELinux
SELinux log messages
Found in the audit.log
type=AVC msg=audit(1416499522.810:77): avc: denied
{ transition } for pid=1282 comm="sshd" path="/usr/bin/zsh"
dev="vda2" ino=40462
scontext=system_u:system_r:kernel_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=process
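As an added example (not from the slides), a small shell helper that reduces an audit.log AVC record like the one above to "source type -> target type : class { permissions }", and that also shows how to split a security context from the "Basic idea" slide without tripping over the colon inside the MLS level. The sample record is the slide's denial reassembled on one line; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the slides: pull the fields that matter out of an
# AVC record and reduce it to "source type -> target type : class { perms }".
# Constructed input: the denial shown on the slide, joined back onto one line
# the way audit.log stores it.
SAMPLE_AVC='type=AVC msg=audit(1416499522.810:77): avc:  denied  { transition } for  pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'

# avc_field RECORD KEY -> value of the KEY=value pair, surrounding quotes removed.
# auditd hex-encodes values that contain spaces, so stopping at a space is safe.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD -> the permission set inside the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# A context is user:role:type:level. The level may itself contain a colon
# (s0-s0:c0.c1023), so only the first three colons are field separators.
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# avc_summary RECORD -> one readable line, flagging denials that were only
# logged because the system was in permissive mode (permissive=1 in the record).
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    if printf '%s\n' "$1" | grep -q 'permissive=1'; then
        mode='(permissive, not blocked)'
    else
        mode='(enforced)'
    fi
    printf '%s -> %s : %s { %s } %s\n' "$src" "$tgt" "$cls" "$perms" "$mode"
}

# Run over the sample, or over the live log:
#   avc_summary "$SAMPLE_AVC"
#   grep 'avc:  denied' /var/log/audit/audit.log | while IFS= read -r rec; do avc_summary "$rec"; done
```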
Practice
You’ll now change an openSUSE installation to use SELinux. Please boot
the machine
Practice
Initial setup
Install packages:
$ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console \
    policycoreutils-devel selinux-autorelabel podman
Set SELinux to enforcing:
$ sed -i -e 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
Main config file: /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
# minimum - Modification of targeted policy. Only selected processes are protected.
SELINUXTYPE=targeted
Practice
Initial setup
Set the necessary boot parameter:
$ if ! egrep 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then
    sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/\1 security=selinux selinux=1"/' /etc/default/grub
fi
$ update-bootloader --refresh
Remove audit log, reboot:
$ rm /var/log/audit/audit.log
$ reboot
Practice
Look around
Current SELinux status
$ sestatus
Have a look at the processes
$ ps auxZ
Check out the filesystem labels
$ ls -laZ /
$ ls -laZ /var
Check for mislabeled files
$ restorecon -Rvn /var
$ restorecon -Rv /var
Practice
Look around
Check your identity
$ id -Z
Check denials:
$ grep -i avc /var/log/audit/audit.log
$ tail -f /var/log/audit/audit.log | grep -i avc
Proper way to do this:
$ ausearch -m avc,user_avc,selinux_err -ts boot -i
Practice
Linux users to SELinux users:
$ semanage login -l
Port mappings:
$ semanage port -l
File label rules:
$ semanage fcontext -l
Practice
Booleans:
$ semanage boolean -l
Enable a boolean:
$ semanage boolean -m --on httpd_enable_homedirs
Practice
audit2allow
audit2allow:
– Analyzes SELinux denial messages
– Generates rules to allow necessary access
– Is aware of interfaces
– Suggests booleans that would allow the access
But don’t use it with every denial!
Practice
audit2allow
Either pipe AVCs into audit2allow or paste them into STDIN and close it:
$ audit2allow -R
Build SELinux module you can load:
$ audit2allow -R -M $NAMEMODULE
Practice
avcs.rb
Small wrapper around ausearch. Makes reading AVCs easier
$ podman run --privileged -v /var/log/audit:/var/log/audit \
    registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest
Practice
Let's cause problems
Mislabel some files:
$ ls -laZ /usr/sbin/postfix
$ chcon -t postfix_map_exec_t /usr/sbin/postfix
Check it:
$ restorecon -Rvn /usr/sbin/
Restart postfix:
$ systemctl restart postfix
Practice
Let's cause problems
Check the status:
$ systemctl status postfix
Why does it fail?
You’ll see something like
postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied
but no AVCs. How do we approach this?
Practice
How to debug SELinux problems
Does it happen in permissive mode?
$ setenforce 0
Check for denials. If you don't see any, disable dontaudit rules with
$ semodule -DB
Enable dontaudit again with
$ semodule -B
Now give audit2allow a try with this ...
Check for mislabeled files
– either because of unaware scripts/programs
– or because policy paths don't match
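An added example (not from the slides) for the mislabel check: it summarises a "restorecon -Rvn" dry run so a type change like the one from the postfix exercise stands out. The sample lines are constructed in restorecon's verbose dry-run format, the path /usr/sbin/example-tool is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the slides: summarise a "restorecon -Rvn" dry run so
# the mislabel from the postfix exercise (chcon -t postfix_map_exec_t) stands out.
# Constructed sample in restorecon's verbose dry-run format ("Would relabel
# PATH from CURRENT to EXPECTED"); real output can vary between versions.
# The third line (placeholder path) is what "restorecon -F" reports when only
# the SELinux user differs: the type is unchanged, so it is not a mislabel in
# the sense of the slides.
SAMPLE_RESTORECON='Would relabel /usr/sbin/postfix from system_u:object_r:postfix_map_exec_t:s0 to system_u:object_r:postfix_exec_t:s0
Would relabel /usr/sbin/postmap from system_u:object_r:bin_t:s0 to system_u:object_r:postfix_map_exec_t:s0
Would relabel /usr/sbin/example-tool from unconfined_u:object_r:bin_t:s0 to system_u:object_r:bin_t:s0'

# mislabel_report TEXT -> one line per file whose *type* would change:
# "PATH CURRENT_TYPE -> EXPECTED_TYPE". Paths containing spaces are not handled.
mislabel_report() {
    printf '%s\n' "$1" | awk '
        $1 == "Would" && $2 == "relabel" && $4 == "from" && $6 == "to" {
            # context is user:role:type:level, the type is the third field
            split($5, cur, ":"); split($7, want, ":")
            if (cur[3] != want[3]) printf "%s %s -> %s\n", $3, cur[3], want[3]
        }'
}

# mislabel_count TEXT -> number of files with a type mismatch (0 means the
# "Permission denied" you are chasing is probably not a labeling problem).
mislabel_count() {
    mislabel_report "$1" | wc -l | tr -d ' '
}

# Live use, after the chcon from the slide:
#   mislabel_report "$(restorecon -Rvn /usr/sbin)"
```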
Practice
How to debug SELinux problems
Search engines/bugtrackers are your friends
How to report a bug:
https://en.opensuse.org/openSUSE:Bugreport_SELinux
Practice
How to rescue a system
In grub change boot parameters:
– Disable SELinux: selinux=0
– Make SELinux permissive: enforcing=0
Questions?
Thank you for your attention!

More Related Content

What's hot

System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Stefano Stabellini
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
RuggedBoardGroup
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
Jian-Hong Pan
 
Linux Kernel and Driver Development Training
Linux Kernel and Driver Development TrainingLinux Kernel and Driver Development Training
Linux Kernel and Driver Development Training
Stephan Cadene
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
ContainerDay Security 2023
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
Yen-Chin Lee
 
用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver
艾鍗科技
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
Project ACRN
 
Overview of github
Overview of githubOverview of github
Overview of github
Sangeetha Subramani
 
InfiniBand on Debian
InfiniBand on DebianInfiniBand on Debian
InfiniBand on Debian
Taisuke Yamada
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in Linux
Henry Osborne
 
Linux file system
Linux file systemLinux file system
Linux file system
Md. Tanvir Hossain
 
Linux basics
Linux basicsLinux basics
Linux basics
Santosh Khadsare
 
Linux file system
Linux file systemLinux file system
Linux file system
Midaga Mengistu
 
Spi drivers
Spi driversSpi drivers
Spi drivers
pradeep_tewani
 
Linux
Linux Linux
Linux
Kevin James
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
Md. Zahid Hossain Shoeb
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
emBO_Conference
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
Cheng Wig
 

What's hot (20)

System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
 
Linux Kernel and Driver Development Training
Linux Kernel and Driver Development TrainingLinux Kernel and Driver Development Training
Linux Kernel and Driver Development Training
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
 
用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
 
Overview of github
Overview of githubOverview of github
Overview of github
 
InfiniBand on Debian
InfiniBand on DebianInfiniBand on Debian
InfiniBand on Debian
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in Linux
 
Linux file system
Linux file systemLinux file system
Linux file system
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Linux file system
Linux file systemLinux file system
Linux file system
 
Spi drivers
Spi driversSpi drivers
Spi drivers
 
Linux
Linux Linux
Linux
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
 

Similar to SELinux workshop

selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
Pandiya Rajan
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
Shawn Wells
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
Jayant Chutke
 
Selinux
SelinuxSelinux
Selinux
Ankit Raj
 
Unix Security
Unix SecurityUnix Security
Unix Security
replay21
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
Maciej Lasyk
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
Emre Can Kucukoglu
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
bmbouter
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently
chinkshady
 
CloudStack templates with OpenVM
CloudStack templates with OpenVMCloudStack templates with OpenVM
CloudStack templates with OpenVM
ShapeBlue
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
Martin Holovský
 
Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021
Alex Lau
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15
SUSE
 
SELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptxSELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptx
AbhradipChatterjee2
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsql
Kohei KaiGai
 
Process behaviour modelling using lsm
Process behaviour modelling using lsmProcess behaviour modelling using lsm
Process behaviour modelling using lsm
iaemedu
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)
Wail Hassan
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
Jérôme Petazzoni
 

Similar to SELinux workshop (20)

selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
Selinux
SelinuxSelinux
Selinux
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently
 
CloudStack templates with OpenVM
CloudStack templates with OpenVMCloudStack templates with OpenVM
CloudStack templates with OpenVM
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15
 
SELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptxSELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptx
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsql
 
Process behaviour modelling using lsm
Process behaviour modelling using lsmProcess behaviour modelling using lsm
Process behaviour modelling using lsm
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
 

Recently uploaded

[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
Mydbops
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 

Recently uploaded (20)

[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 

SELinux workshop

  • 2. Whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) – code review – product pentesting – The SELinux guy (not the policy maintainer) Copyright © SUSE 2023 2
  • 3. Outline We will cover: – Basic SELinux introduction – Install it on openSUSE tumbleweed Copyright © SUSE 2023 3
  • 4. Ressources needed Please have an openSUSE Tumbleweed VM ready to play along Make sure you have internet connectivity Copyright © SUSE 2023 4
  • 5. Expectation management As always it’s not possible to cover everything in one talk, so: – Mix between – higher level concepts (∼15 minutes) – practice (∼45 minutes) – You will not become a SELinux expert in an hour – We will go as far as possible with the examples. I can stick around afterwards, but we’ll stop officially after the slot ends Copyright © SUSE 2023 5
  • 6. Nomenclature How to read the slides Shell: $ this is a root shell Default is root. If it’s a different user you’ll see it in the prompt. Listing: I'm the content of a file Copyright © SUSE 2023 6
7. Mandatory access control: Discretionary access control (DAC)

Usual form of access control in Linux
– Typical example:
root@workstation ~/ $ ls -l /etc/shadow
-rw-r-----. 1 root shadow 1421 /etc/shadow
– Discretionary: The owner of an object can control the access to the objects he owns
8. Mandatory access control: Discretionary access control (DAC)

Drawbacks:
– Coarse: Basically 3 x rwx
– Prone to (user) error
johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa
-rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa
– Hard to analyze
– root == God (modulo capabilities)
But it's familiar, easy to use and to understand
9. Mandatory access control: Mandatory access control (MAC)

Mandatory (in this context):
– Access control decisions are not made by the owner
– Access control rules are managed centrally
Advantages:
– Access control in the hands of people who know what they're doing
– Centralized control and review is easy
– Often very fine grained → compartmentalization
Drawbacks:
– Harder to understand
– Complex to administrate
– Missing experience
10. SELinux: History

Security Enhanced Linux
– Linux security module (LSM), developed by the National Security Agency (NSA). Don't panic, it's open source and reviewed thoroughly
– First release 2000, merged into the mainline Linux kernel in 2003 (2.6) and maintained there since
– Didn't play a big role at SUSE up to this point
– Will be the MAC system for ALP (and already is for SLE Micro)
– So very likely it's also the future MAC system for openSUSE
11. SELinux: Basic idea

– Type Enforcement (TE). Every object has a
  – user: unconfined_u
  – role: unconfined_r
  – type: unconfined_t
  – sensitivity: s0-s0 (a low-high level range)
  – category: c0.c1023 (a range of categories, used by MCS)
– These form the Security Context (SC):
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
– In practice (targeted policy) the type, here unconfined_t, is the field almost every rule is written against; user, role and level rarely matter for day-to-day work
12. SELinux: SELinux expert with one character

If you remember one thing: let it be this. The character is Z: ls, ps and id (and many other tools) accept -Z and then show the security context next to their usual output, which is how the following slides inspect files and processes.
13. SELinux: Basic idea

(Almost) everything has a SC: sockets, packets, ... 134 security classes
– Files
root@workstation ~/ $ ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
– Processes
root@workstation ~/ $ ps axZ | grep 'postfix/master'
system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/
14. SELinux: Basic idea

– DAC comes first (if DAC already denies, SELinux is never consulted, so you get no AVC message)
– Then SELinux. Deny by default
– Firewall for system calls
15. SELinux: SELinux log messages

Found in /var/log/audit/audit.log:
type=AVC msg=audit(1416499522.810:77): avc: denied { transition } for pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

Read it as: the source process (scontext, type kernel_t, comm sshd) was denied the permission transition on the target (tcontext, type unconfined_t) of object class process. The scontext type, tcontext type, tclass and the permission set in braces are the four pieces every later step (booleans, relabeling, audit2allow) works from.
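A single AVC record is easy to read; an audit.log after a reboot in enforcing mode is not. The following is an added example, not code from the slides or from SUSE: a POSIX sh/awk function that reduces AVC records to "source type -> target type class { permissions }" with a count, which is the shape you want before deciding whether a denial calls for a boolean, a relabel, a policy bug report or an audit2allow module. The sample records are constructed for this example (the first mirrors the one on the slide, the others are made up); on a real system feed it with `grep avc /var/log/audit/audit.log | avc_summary` or `ausearch -m avc --raw | avc_summary`.

```sh
#!/bin/sh
# Added example (not from the slides): collapse AVC denials from audit.log
# records into counted "src_type -> tgt_type class { perms }" lines.
# Reads audit records on stdin, e.g. from grep or `ausearch -m avc --raw`.

avc_summary() {
    awk '
    /avc: +denied/ {
        # the denied permissions are listed between "{ " and " }"
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)

        # scontext/tcontext are user:role:type:level; the type is field 3.
        # Skip malformed records instead of producing garbage.
        if (!match($0, /scontext=[^ ]+/)) next
        s = substr($0, RSTART + 9, RLENGTH - 9)
        if (!match($0, /tcontext=[^ ]+/)) next
        t = substr($0, RSTART + 9, RLENGTH - 9)
        if (!match($0, /tclass=[^ ]+/)) next
        c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sf, ":"); split(t, tf, ":")

        key = sf[3] " -> " tf[3] " " c " { " perms " }"
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample records: the first mirrors the slide, the rest are made
# up for illustration (pids, inodes and paths carry no meaning). The SYSCALL
# record shows that non-AVC lines are ignored.
SAMPLE_AVCS='type=AVC msg=audit(1416499522.810:77): avc:  denied  { transition } for  pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1416499523.100:78): avc:  denied  { transition } for  pid=1290 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1416499600.000:90): avc:  denied  { read open } for  pid=2001 comm="httpd" path="/home/jsegitz/public_html/index.html" dev="vda2" ino=51234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1416499600.000:90): arch=c000003e syscall=257 success=no exit=-13'

# Run on the sample when executed directly.
printf '%s\n' "$SAMPLE_AVCS" | avc_summary
```

The second summary line (httpd_t reading user_home_t files) is the classic case where the answer is a boolean (httpd_enable_homedirs, shown on slide 22) and not an audit2allow module; the first is the kind of denial you want to understand before allowing anything.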
16. Practice

You'll now change an openSUSE installation to use SELinux. Please boot the machine.
17. Practice: Initial setup

Install packages:
$ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console policycoreutils-devel selinux-autorelabel podman

Set SELinux to enforcing (anchored at the start of the line, so the comment that also contains "SELINUX=" is left alone):
$ sed -i -e 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

Main config file: /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
#     minimum - Modification of targeted policy. Only selected processes are protected.
SELINUXTYPE=targeted
18. Practice: Initial setup

Set the necessary boot parameters (the \1 back-reference keeps the existing command line and appends to it):
$ if ! grep -E 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then
    sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/\1 security=selinux selinux=1"/' /etc/default/grub
  fi
$ update-bootloader --refresh

Remove the audit log, reboot:
$ rm /var/log/audit/audit.log
$ reboot
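The two slides above are one procedure, so here it is as a single idempotent script. This is an added example, not the deck's or SUSE's own code: the file edits are functions that take the file path as an argument, so they can be tried on copies first, and nothing touches the real system unless APPLY=1 is set in the environment. Two details differ from the raw slide commands on purpose: the SELINUX= substitution is anchored to the line start (an unanchored pattern also rewrites the explanatory comment), and an empty GRUB_CMDLINE_LINUX_DEFAULT="" does not end up with a leading space. The package list and the update-bootloader call are taken from the slides; `zypper in -y` just makes the install non-interactive.

```sh
#!/bin/sh
# Added example (not from the slides): the setup from slides 17 and 18 as an
# idempotent script. Only the APPLY=1 branch changes the running system.
set -eu

# Set SELINUX=<mode> in an selinux config file. The pattern is anchored at the
# start of the line: an unanchored 's/SELINUX=.*/' would also rewrite the
# "# SELINUX= can take one of these three values:" comment.
set_selinux_mode() {
    cfg=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
    esac
    if grep -q '^SELINUX=' "$cfg"; then
        sed -i -e "s/^SELINUX=.*/SELINUX=$mode/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# Append "security=selinux selinux=1" to GRUB_CMDLINE_LINUX_DEFAULT unless it
# is already there. \1 keeps everything up to the closing quote; the second
# sed removes the leading space left behind when the line was empty ("").
add_selinux_boot_params() {
    grub=$1
    if grep -Eq 'GRUB_CMDLINE_LINUX_DEFAULT=.*security=selinux selinux=1' "$grub"; then
        return 0
    fi
    sed -i -E 's/^(GRUB_CMDLINE_LINUX_DEFAULT=".*)"/\1 security=selinux selinux=1"/' "$grub"
    sed -i -E 's/^(GRUB_CMDLINE_LINUX_DEFAULT=") /\1/' "$grub"
}

# Read back what the files say, for verification before rebooting.
selinux_mode_of() { sed -n 's/^SELINUX=//p' "$1"; }
kernel_cmdline_of() { sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"; }

if [ "${APPLY:-0}" = 1 ]; then
    zypper in -y selinux-policy-targeted restorecond selinux-policy-devel \
        policycoreutils setools-console policycoreutils-devel \
        selinux-autorelabel podman
    set_selinux_mode /etc/selinux/config enforcing
    add_selinux_boot_params /etc/default/grub
    update-bootloader --refresh
    rm -f /var/log/audit/audit.log
    echo "SELINUX=$(selinux_mode_of /etc/selinux/config), cmdline: $(kernel_cmdline_of /etc/default/grub)"
    echo "ready, reboot now"
fi
```

Run it once with APPLY=1 and it performs the setup; run it again and it changes nothing, which is the property you want from anything that edits /etc/default/grub.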
19. Practice: Look around

Current SELinux status:
$ sestatus
Have a look at the processes:
$ ps auxZ
Check out the filesystem labels:
$ ls -laZ /
$ ls -laZ /var
Check for mislabeled files (dry run first, then fix):
$ restorecon -Rvn /var
$ restorecon -Rv /var
20. Practice: Look around

Check your identity:
$ id -Z
Check denials:
$ grep -i avc /var/log/audit/audit.log
$ tail -f /var/log/audit/audit.log | grep -i avc
Proper way to do this:
$ ausearch -m avc,user_avc,selinux_err -ts boot -i
21. Practice

Linux users to SELinux users:
$ semanage login -l
Port mappings:
$ semanage port -l
File label rules:
$ semanage fcontext -l
22. Practice

Booleans:
$ semanage boolean -l
Enable a boolean:
$ semanage boolean -m --on httpd_enable_homedirs
23. Practice: audit2allow

audit2allow:
– Analyzes SELinux denial messages
– Generates rules to allow necessary access
– Is aware of interfaces
– Suggests booleans that would allow the access
But don't use it with every denial! A denial is often exactly what the policy is supposed to do; an allow rule generated without understanding the access turns a compartment into a hole.
24. Practice: audit2allow

Either pipe AVCs into audit2allow or feed them into STDIN and close it:
$ audit2allow -R
Build an SELinux module you can load:
$ audit2allow -R -M $NAMEMODULE
This writes $NAMEMODULE.te (readable source, review it) and $NAMEMODULE.pp, which you load with semodule -i.
25. Practice: avcs.rb

Small wrapper around ausearch. Makes reading AVCs easier:
$ podman run --privileged -v /var/log/audit:/var/log/audit registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest
26. Practice: Let's cause problems

Mislabel some files:
$ ls -laZ /usr/sbin/postfix
$ chcon -t postfix_map_exec_t /usr/sbin/postfix
Check it:
$ restorecon -Rvn /usr/sbin/
Restart postfix:
$ systemctl restart postfix
27. Practice: Let's cause problems

Check the status:
$ systemctl status postfix
Why does it fail? You'll see something like
postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied
but no AVCs. How do we approach this?
28. Practice: How to debug SELinux problems

Does it happen in permissive mode?
$ setenforce 0
(Go back with setenforce 1 once you know.)
Check for denials. If you don't see any, disable dontaudit rules with
$ semodule -DB
Enable dontaudit again with
$ semodule -B
Now give audit2allow a try with this ...
Check for mislabeled files
– either because of unaware scripts/programs (chcon, cp without --preserve=context, files created before the policy was loaded)
– policy paths don't match
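The slide is a checklist; the following turns it into a script you can point at a failing unit such as the postfix example from slides 26 and 27. This is an added example, not part of the deck or SUSE's tooling. The live steps (setenforce, ausearch, semodule -DB, restorecon) are the slide's commands and only run when UNIT is set in the environment, e.g. `UNIT=postfix sh triage.sh`. The helper relabel_candidates parses `restorecon -Rvn` output down to path and type; it assumes the "Would relabel PATH from OLD to NEW" message format of current policycoreutils, and the sample lines are constructed for the example (they show the postfix binary after the chcon from slide 26; the second line is made up).

```sh
#!/bin/sh
# Added example (not from the slides): the debugging sequence of slide 28 as a
# script, plus a parser for `restorecon -Rvn` dry-run output.

# Turn "Would relabel PATH from user:role:OLD:level to user:role:NEW:level"
# lines into "PATH OLD -> NEW", showing only the type (the part that matters
# under targeted policy). Lines in any other format are dropped.
relabel_candidates() {
    sed -n 's/^Would relabel \(.*\) from [^: ]*:[^: ]*:\([^: ]*\):[^ ]* to [^: ]*:[^: ]*:\([^: ]*\):[^ ]*$/\1 \2 -> \3/p'
}

# Walk the checklist for one systemd unit. Each step is the slide's command;
# the script only adds the ordering and restores the state it changed.
triage_unit() {
    unit=$1

    echo "== 1. does it fail under enforcing but work in permissive mode?"
    setenforce 1
    if systemctl restart "$unit" 2>/dev/null; then
        echo "works in enforcing mode: nothing to debug"
        return 0
    fi
    setenforce 0
    if ! systemctl restart "$unit" 2>/dev/null; then
        setenforce 1
        echo "fails in permissive mode too: not SELinux (check DAC permissions, config)"
        return 1
    fi
    setenforce 1

    echo "== 2. denials since boot"
    ausearch -m avc,user_avc,selinux_err -ts boot -i || echo "(none)"

    echo "== 3. same with dontaudit rules disabled (silenced denials become visible)"
    semodule -DB
    systemctl restart "$unit" 2>/dev/null || true
    ausearch -m avc,user_avc,selinux_err -ts recent -i || echo "(none)"
    semodule -B

    echo "== 4. mislabeled files (dry run; fix the listed paths with restorecon -Rv)"
    restorecon -Rvn /usr/sbin /var/spool | relabel_candidates
}

# Constructed sample output of `restorecon -Rvn` after the chcon on slide 26.
SAMPLE_RESTORECON='Would relabel /usr/sbin/postfix from system_u:object_r:postfix_map_exec_t:s0 to system_u:object_r:postfix_master_exec_t:s0
Would relabel /var/spool/postfix from system_u:object_r:var_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /tmp/already-fixed from system_u:object_r:tmp_t:s0 to system_u:object_r:user_tmp_t:s0'

if [ -n "${UNIT:-}" ]; then
    triage_unit "$UNIT"
else
    printf '%s\n' "$SAMPLE_RESTORECON" | relabel_candidates
fi
```

Step 3 is the one that explains the postfix puzzle from slide 27: the chdir denial is covered by a dontaudit rule, so it only shows up once `semodule -DB` has rebuilt the policy without those rules. Step 4 then points at the mislabeled binary, and `restorecon -Rv /usr/sbin` (not audit2allow) is the fix.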
29. Practice: How to debug SELinux problems

Search engines/bugtrackers are your friends.
How to report a bug: https://en.opensuse.org/openSUSE:Bugreport_SELinux
30. Practice: How to rescue a system

In GRUB, change the boot parameters:
– Disable SELinux: selinux=0
– Make SELinux permissive: enforcing=0
Prefer enforcing=0: files created while SELinux is disabled get no labels at all, so after a selinux=0 boot you need a relabel (restorecon, or the autorelabel mechanism installed on slide 17) before going back to enforcing.
31. Questions?

Thank you for your attention!