What is SELinux trying to tell me? The 4 key causes of SELinux errors.

Slides:

Advertisements

Similar presentations

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

Advertisements

SELinux (Security Enhanced Linux) By: Corey McClurg.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Linux Networking CIS Why Linux/Unix? Configurability ▫Customizable System to satisfy unique needs. Scalability ▫Able to serve an increasing number.

SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.

GreenSQL Yuli Stremovsky /MSN/Gtalk:

APACHE SERVER By Innovationframes.com »

Security Enhanced Linux (SELinux)

FTP (File Transfer Protocol) & Telnet

SELinux US/Fedora/13/html/Security-Enhanced_Linux/

Review Security Hardening IPTables SELinux. Today Installations and updates – Rpm command and packages Apache “Issue Ownership”

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Network Security SSH Tunneling David Funk Matt McLaughlin Systems Administrators Computer Systems Support COE, University of Iowa.

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

FTP Server and FTP Commands By Nanda Ganesan, Ph.D. © Nanda Ganesan, All Rights Reserved.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

Realtime Technologies, Inc. Distributed Simulation Training  April 2005.

How to configure, build and install Trilinos November 2, :30-9:30 a.m. Jim Willenbring Mike Phenow.

How Users Can Help a Project? Samisa Abeysinghe. Who Am I? Samisa Abeysinghe –ASF Member WS PMC –Projects Started with Apache Axis/C++ Now with Apache.

Operating Systems Proj.. Background A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections.

Linux services troubleshooting. If you cannot connect to your service.. When you start service, check that it says ok (most services say that when starting.

CTC228 Nov Today... Catching up with group projects URLs and DNS Nmap Review for Test.

Getting Started with Trilinos October 14, :30-10:30 a.m. Jim Willenbring.

Security-Enhanced Linux Eric Harney CPSC 481. What is SELinux? ● Developed by NSA – Released in 2000 ● Adds additional security capabilities to Linux.

(1) Introduction to Continuous Integration Philip Johnson Collaborative Software Development Laboratory Information and Computer Sciences University of.

FTP COMMANDS OBJECTIVES. General overview. Introduction to FTP server. Types of FTP users. FTP commands examples. FTP commands in action (example of use).

Automating Configuration Troubleshooting with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan.

Web Server Apache PHP HTTP Request User types URL into browser Address resolved if nec. We use directly Most browsers request.

How to configure, build and install Trilinos November 2, :30-9:30 a.m. Jim Willenbring.

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

Apache Web Server v. 2.2 Reference Manual Chapter 2 Starting Apache.

1 Introduction to SELinux David P. Quigley National Security Agency National Information Assurance Research Laboratory (NIARL)

How to live with SELinux

MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses.

Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)

SELinux Sandbox Daniel Walsh Red Hat. What is a sandbox ➔ Run general applications in a locked down environment. ➔ Less privileged then other processes.

Server Security 1 SE Linux, Systrace Lars Noodén March – April 2009.

SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh

Writing SELinux Policy Daniel Walsh Red Hat. Language M4 Macros Name ● module rwhod 1.0; ● policy_module(rwhod,1.0)

SELinux: Best Practices and What's New in Red Hat Enterprise Linux 5 Name Dan Walsh Date Wednesday May 9 th 2007.

SELinux Overview DAC vs MAC Discretionary Access Control Mandatory

SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.

Managing SELinux in the Enterprise

Demystifying SELinux Part II: Who’s Policy Is It Anyway

Multi-Category Security (MCS)

Computer System Structures

OpenShift & SELinux Dan Walsh Twitter: #rhatdan

The Distributed Application Debugger (DAD)

Open OnDemand: Open Source General Purpose HPC Portal

Writing SELinux Policy | Permissive Domains | Real bugs

SELinux for Dummies Dan Walsh.

Demystifying SELinux: WTF is it saying?

ABRT (Automatic Bug Reporting Tool)

DriveScale Proprietary Information © 2016

Fix yahoo mail error code 475 Call Toll-free number

Dan Walsh Red Hat, Inc. Sandbox Dan Walsh Red Hat, Inc.

SELinux Daniel J Walsh SELinux Lead Engineer.

Vulnerability Scanning With 'lynis'

SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU

SELinux RHEL5: A benchmark

New Features in Fedora Core 5

Firewall Exercise.

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

Access Permission and Protection mode

SHELLSHOCK ATTACK.

Presentation transcript:

What is SELinux trying to tell me? The 4 key causes of SELinux errors.

SELinux Problem Solutions 1. SELinux == Labeling 2. SELinux Needs to Know 3. SELinux Policy/Apps can have bugs. 4. You could be COMPROMISED!!!!

SELinux == Labeling ➔ Every process and object on the machine has a label associated with it ➔ If your files are not labeled correctly access might be denied. ➔ If you use alternative paths for confined domains SELinux needs to KNOW. ➔ http files in /srv/myweb instead of /var/www/html? Tell SELinux. ➔ # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?' ➔ # restorecon -R /srv/myweb

SELinux == Labeling

➔ Fedora 11 introduces equivalency labeling ➔ semanage fcontext -a -e /srv/myweb /var/www ➔ Tells SELinux to label all files directories under /srv/myweb the same as /var/www ➔ /srv/myweb/cgi-bin/mycgi.cgi will get labeled httpd_sys_script_t ➔ semanage fcontext -a -e /export/home /home ➔ Label all files under /export/home as if they were under /home ➔ /export/home/dwalsh/.ssh will get labeled ssh_home_t

SELinux needs to KNOW ➔ How did you configure your apache server? Tell SELinux!! ➔ If you want httpd to send ➔ # setsebool -P httpd_can_sendmail 1 ➔ Vsftp setup for users to login ➔ # setsebool -P ftp_home_dir 1 ➔ Http is setup to listen on port 8585 ➔ # semanage port -a -t http_port_t -p tcp 8585

SELinux needs to KNOW

SELinux Policy/Apps Can Have bugs ➔ SELinux Policy might have a bug ➔ Unusual Code Paths ➔ Configurations ➔ Redirection of stdout ➔ Apps have bugs ➔ Leaked File Descriptors ➔ Executable Memory ➔ Badly built libraries ➔ Report the bugs in Bugzilla so we can fix them

SELinux Policy/Apps Can Have bugs!!! ➔ You can tell SELinux to just allow ➔ Selinux is blocking postgresql ➔ Labeling is correct? No appropriate boolean? ➔ Use audit2allow to build a policy module ➔ #grep postgresql /var/log/audit/audit.log | audit2allow -M mypostgresql ➔ # semodule -i mypostsql.pp ➔ Examine mypostgresq.te ➔ Make sure you are not allowing too much? ➔ Ask for help? ➔ #fedora ➔ Fedora-selinux mail list ➔

You could be COMPROMISED!!! ➔ Current tools do not do a good job of differentiating ➔ If you have a confined domain that tries to: ➔ Load a kernel module ➔ Turn off SELinux enforcing mode ➔ Write to etc_t? shadow_t ➔ Modify iptables rules ➔ Sendmail???? ➔ others ➔ You might be compromised