Demystifying SELinux: WTF is it saying?

Dave Quigley, SELinux Ninja / Linux Kernel Developer
dpquigl@davequigley.com
www.davequigley.com/dquigley
www.davequigley.com/selinux

What is Access Control?
- Access controls determine who (which user) or what (which program) can access which system resources.

What You're Used To (discretionary access control)
- Dave (Apache) and Dave (Firefox) both run as the user Dave, so the system lets both of them reach everything Dave can reach:
  - Web Content
  - Home Directory Files
  - Sensitive Credit Card Data
- The decision is made on the user identity alone; the program doing the access does not matter.

A "New" Type of Access Control (mandatory access control)
- Dave (Apache) may reach: Web Content, TCP Port 80, Apache Logs, the Database Socket
- Dave (PostgreSQL) may reach: the Database Socket, Database Files, Sensitive Credit Card Data
- Same user, but each program is confined to the resources its job needs: a compromised Apache still cannot read the credit card data directly.

What is SELinux?
- SELinux is a label-based security system.
- Every process has a label, and every object on the system has a label: files, directories, network ports, ...
- The SELinux policy controls how process labels may interact with the other labels on the system.
- The kernel enforces the policy rules.

What is a Label?
  -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/passwd
  (DAC components)     (security label, shown by ls -Z)
- Label fields: User (system_u) : Role (object_r) : Type (etc_t) : MLS level (s0)
- The label carries all the information SELinux needs to make an access control decision; in the default targeted policy nearly every decision is made on the Type field (type enforcement).

How do I see Labels?
- Files: ls -Z
- Processes: ps -Z, pstree -Z (your own shell: id -Z)
- Ports: netstat -Z, semanage port -l

How to tell if something is wrong?
- No auditd running (or early in boot, before auditd starts): AVC messages are logged to /var/log/messages
    grep avc /var/log/messages
- auditd running: AVC messages are logged to /var/log/audit/audit.log
    /sbin/ausearch -mAVC,SELINUX_ERR -i
- setroubleshoot, if running, picks the AVCs up from /var/log/audit/audit.log and explains them (a syslog entry naming the "sealert -l <id>" command to run, and a desktop pop-up)

Most Common SELinux Problems (the 4 key causes)
1. Incorrect labeling
2. Non-default configuration of a confined program
3. Bug in the policy or in an application
4. Your machine may have been compromised
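The two slides above say where the AVC records live and what the four causes are. The shell helper below ties them together: it pulls the fields that matter out of raw audit.log records and names the likely cause. It is an added example, mine rather than code from the talk or its GitHub repository; the records are constructed samples, and the cause mapping (name_bind means a port problem, a target type such as user_home_t or default_t means a labeling problem, execmem means an application or library bug) is my heuristic, not something the audit record states. The fourth cause is left to the warning-signs slide later in the talk.

```shell
#!/bin/sh
# Constructed sample records (not from a real host), in the raw form found in
# /var/log/audit/audit.log. The fields that matter: the permission set in
# { }, scontext= (who: the process label), tcontext= (what: the object label)
# and tclass= (the kind of object).
SAMPLE_AVCS='type=AVC msg=audit(1362007171.242:92): avc:  denied  { read } for  pid=1523 comm="httpd" name="index.html" dev="dm-0" ino=13133 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1362007200.118:93): avc:  denied  { name_bind } for  pid=1601 comm="httpd" src=10321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1362007230.551:94): avc:  denied  { execmem } for  pid=1700 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process'

# avc_field RECORD KEY: value of KEY= in the record, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD: the denied permissions, e.g. "read" or "read open".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# ctx_type CONTEXT: the Type field of user:role:type:mls.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_cause RECORD: one word naming the most likely of the talk's causes.
#   labeling - target carries a type the confined domain is not meant to see
#   port     - bind to a port the policy does not associate with the domain
#   execmem  - application or library asking for executable memory
#   unknown  - check booleans first, then treat it as a policy/app bug
# This mapping is a heuristic (my assumption), not something the record says.
avc_cause() {
  local perms ttype
  perms=$(avc_perms "$1")
  ttype=$(ctx_type "$(avc_field "$1" tcontext)")
  case " $perms " in
    *" name_bind "*) echo port; return ;;
    *" execmem "*|*" execstack "*|*" execmod "*) echo execmem; return ;;
  esac
  case "$ttype" in
    user_home_t|admin_home_t|default_t|unlabeled_t|file_t) echo labeling ;;
    *) echo unknown ;;
  esac
}

# avc_explain RECORD: the record in plain words, plus what to check next.
avc_explain() {
  local comm stype ttype class perms cause
  comm=$(avc_field "$1" comm)
  stype=$(ctx_type "$(avc_field "$1" scontext)")
  ttype=$(ctx_type "$(avc_field "$1" tcontext)")
  class=$(avc_field "$1" tclass)
  perms=$(avc_perms "$1")
  cause=$(avc_cause "$1")
  printf '%s (domain %s) was denied "%s" on a %s labeled %s\n' \
    "$comm" "$stype" "$perms" "$class" "$ttype"
  case "$cause" in
    labeling) echo "  -> labeling: compare ls -Z with matchpathcon, then restorecon or semanage fcontext" ;;
    port)     echo "  -> non-default port: semanage port -l to find the port type $stype may bind, then semanage port -a" ;;
    execmem)  echo "  -> app/library bug: look for an execmem boolean, otherwise report it" ;;
    unknown)  echo "  -> no obvious cause: getsebool -a | grep ${stype%_t}, then audit2allow" ;;
  esac
}

# Walk the sample records one per line.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r rec; do
  avc_explain "$rec"
done
```

Feed it real records with `ausearch -m AVC --raw | while IFS= read -r rec; do avc_explain "$rec"; done`; the heuristic only looks at the type fields and permission set, so it is a first cut, not a replacement for reading the record.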

Labeling Problems
- Every process and object on the system is labeled; if a label is wrong, access may be denied even though nothing else is misconfigured.
- Causes, and the tool that fixes each:
  - Alternative paths: teach the policy about the path (semanage fcontext), then relabel
  - Files created in the wrong context (e.g. moved rather than copied into place): restorecon
  - Processes started in the wrong context (e.g. a daemon started by hand instead of by the init system, so it never transitioned into its confined domain): restart it the way the policy expects

Usecase: Move instead of copy
- Administrator uploads and extracts a tarball of static web content into his home directory.
- Administrator moves (mv) the files into the document root for www.example-labels.com.
- Administrator tries to access the site.
- Access fails. Why? mv keeps the files' existing label (the home-directory type), whereas cp would have created new files carrying the document root's default label. httpd is not allowed to read home-directory content, so the page is denied; restorecon on the document root puts the expected label back.

Non-Default Configuration
- SELinux needs to know how a confined daemon is configured.
- Non-default directories: make sure the files are labeled properly (semanage fcontext, then restorecon).
- Booleans: allow optional functionality to be enabled (getsebool -a to list them, setsebool -P to change one).
- Non-default ports: make sure the ports are labeled properly (semanage port).

Usecase: Non-default location
- Administrator decides to set up a website www.example-opt.com with the document root /opt/www.
- Administrator creates the directory and copies files into it.
- Administrator tries to access the site.
- Page access fails. Why? The policy has no file-context rule for /opt/www, so the directory gets the generic label for that part of the filesystem rather than a web-content type. A semanage fcontext rule for the new path followed by restorecon fixes it.

Usecase: Web content in user home directories
- Administrator decides to set up a website www.example-userhome.com to allow users to host personal web pages.
- Administrator enables UserDir public_html in the httpd configuration.
- Administrator tries to access www.example-userhome.com/~sedemo.
- Page access fails. Why? Reading into home directories is optional behaviour for httpd, switched on by the httpd_enable_homedirs boolean; it is off by default, and the content under public_html must also carry its user-content label.

Usecase: Apache on a non-standard port
- Administrator decides to change the port of his Apache server at www.example-port.com to 10321, hoping to heighten security.
- Administrator changes the listening port in the configuration.
- Administrator tries to start httpd.
- Server fails to start. Why? httpd may only bind ports whose label the policy associates with it (http_port_t); 10321 is not one of them, so the bind is denied. semanage port adds the port to that set.
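The four usecases above each have a standard fix. The script below is an added example, mine rather than the talk's own material, collecting those fixes as functions with an input check in front of each; the SELINUX_DRY_RUN switch and the function names are my invention, and the /opt/www, sedemo and 10321 values are the ones the slides use.

```shell
#!/bin/sh
# run CMD...: execute the command, or only print it when SELINUX_DRY_RUN is
# set, so the exact policy changes can be reviewed before they are made.
run() {
  if [ -n "${SELINUX_DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Usecase 1, content moved instead of copied: mv keeps the files' old label,
# cp would have created files with the document root's default label.
# restorecon re-applies the labels the policy defines for the path.
fix_moved_content() {   # fix_moved_content /var/www/html
  run restorecon -Rv "$1"
}

# Usecase 2, non-default document root: restorecon alone does nothing useful
# because the policy has no rule for /opt/www yet. Add one, then relabel.
# "(/.*)?" makes the rule cover the directory and everything below it.
fix_webroot() {         # fix_webroot /opt/www
  case "$1" in
    /*) ;;
    *) echo "fix_webroot: need an absolute path" >&2; return 1 ;;
  esac
  run semanage fcontext -a -t httpd_sys_content_t "${1%/}(/.*)?"
  run restorecon -Rv "$1"
}

# Usecase 3, UserDir public_html: two things are needed, the boolean that
# lets httpd into home directories at all, and the right label on the
# content (restorecon applies the policy's public_html context).
fix_userdirs() {        # fix_userdirs /home/sedemo/public_html
  run setsebool -P httpd_enable_homedirs on
  run restorecon -Rv "$1"
}

# Usecase 4, non-standard port: httpd may only bind ports of type
# http_port_t, so add the new port to that set. If the port is already
# assigned to another type, "-a" is refused; decide deliberately whether
# "-m" (modify) is really what you want before using it.
fix_port() {            # fix_port 10321
  case "$1" in
    ''|*[!0-9]*) echo "fix_port: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
    echo "fix_port: port out of range" >&2; return 1
  fi
  run semanage port -a -t http_port_t -p tcp "$1"
}

# Demo: print the commands for each of the talk's usecases.
SELINUX_DRY_RUN=1
fix_moved_content /var/www/html
fix_webroot /opt/www
fix_userdirs /home/sedemo/public_html
fix_port 10321
```

Unset SELINUX_DRY_RUN to actually apply a fix; every one of these changes is persistent (the fcontext rule, the -P boolean and the port mapping all survive a reboot), which is what you want, but also why they deserve a look before they run.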

Bugs in Policy/Apps
- SELinux policy bugs
  - Incomplete policy (an unusual code path the policy writer never exercised)
  - Unknown application configuration
- Application bugs
  - Leaked file descriptors (a child process inherits a descriptor it was never meant to have)
  - Executable memory (execmem)
  - Badly built libraries (execmem and others, e.g. execmod from libraries that need text relocations)

Bugs in Policy/Apps (2): Options
- Report bugs in bugzilla (best long-term solution)
- Create a local policy module (temporary fix). Before you do, check:
  - Is the labeling correct?
  - Is there really no appropriate boolean?
- Then use audit2allow to create a policy module, examine the resulting policy and make sure it is safe before loading it: a module that allows everything in the log turns a denial into a permanent hole
- Ask for help (#fedora-selinux and the mailing lists)
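"Examine the resulting policy, make sure it's safe" is the step people skip. The helper below is an added example (mine, not from the talk) that does that examination mechanically: it reads the .te file audit2allow writes, flags the rules that should never be waved through, and refuses to install the module while any remain. The .te text is a constructed sample in audit2allow's output format, the list of dangerous targets and permissions is my choice, and make_module and its dry-run switch are my invention.

```shell
#!/bin/sh
# Constructed example of what "audit2allow -M local_httpd" writes to
# local_httpd.te (my sample, not captured from a real host). The "#!!!!"
# comment is the hint audit2allow emits when an existing boolean already
# covers a denial; the last two rules are the kind that must not be loaded.
SAMPLE_TE=$(cat <<'EOF'
module local_httpd 1.0;

require {
	type httpd_t;
	type user_home_t;
	type shadow_t;
	class file { read open write };
	class process execmem;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_enable_homedirs'
allow httpd_t user_home_t:file { read open };
allow httpd_t shadow_t:file { read write };
allow httpd_t self:process execmem;
EOF
)

# review_te < module.te: print one finding per questionable line and return
# 1 if anything was found, so a script can refuse to run semodule -i.
review_te() {
  local bad=0 line
  while IFS= read -r line; do
    case "$line" in
      '#!!!!'*boolean*)
        echo "BOOLEAN: $line"
        echo "  -> use setsebool -P for the next rule instead of allowing it here"
        bad=1 ;;
      allow*)
        case "$line" in
          *" shadow_t:"*|*" etc_t:"*|*" security_t:"*)
            echo "DANGEROUS target: $line"; bad=1 ;;
          *execmem*|*execstack*|*execmod*)
            echo "EXEC MEMORY: $line (fix the app/library or use its boolean)"; bad=1 ;;
          *module_load*|*sys_module*|*setenforce*|*net_admin*)
            echo "PRIVILEGED: $line"; bad=1 ;;
        esac ;;
    esac
  done
  return $bad
}

# make_module NAME: build a module from the recent AVCs, review it, and
# install it only when the review is clean. With SELINUX_DRY_RUN set the
# commands are printed instead of run.
make_module() {
  if [ -n "${SELINUX_DRY_RUN:-}" ]; then
    echo "ausearch -m AVC -ts recent | audit2allow -M $1"
    echo "review_te < $1.te && semodule -i $1.pp"
    return 0
  fi
  ausearch -m AVC -ts recent | audit2allow -M "$1" || return 1
  if review_te < "$1.te"; then
    semodule -i "$1.pp"
  else
    echo "$1.te needs manual review before semodule -i" >&2
    return 1
  fi
}

# Demo: the sample module fails review on three counts.
printf '%s\n' "$SAMPLE_TE" | review_te || echo "-> do not load this module as generated"
```

The check is deliberately a short allow-list of things that are almost never legitimate for a confined daemon; anything it lets through still has to be read by a person, which is the point of generating the .te file rather than piping audit2allow straight into semodule.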

Your machine may have been compromised
- Current tools are not good at differentiating an attack from a misconfiguration; both show up as the same kind of denial.
- Warning signs: a confined domain tries to
  - load a kernel module
  - turn off SELinux enforcing mode
  - write to etc_t or shadow_t
  - modify iptables rules
  - send mail
  - and others along these lines
- If you see these, you may be compromised: investigate before you "fix" the denial with a policy module.
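The warning signs above are things a confined daemon has no business attempting, so they can be matched mechanically. The scanner below is an added example (mine, not the talk's), running over constructed AVC records: four of them correspond to signs from the slide and one is an ordinary labeling denial for contrast. The mapping from each sign to SELinux object classes and permissions (module_load/sys_module, setenforce on class security, net_admin or netlink_netfilter_socket for firewall changes, name_connect to smtp_port_t for mail) is my reading of the list, not something the slide spells out.

```shell
#!/bin/sh
# Constructed AVC records (my sample, not captured from a real host). The
# capability number 16 in record 4 is CAP_SYS_MODULE.
SAMPLE_AVCS=$(cat <<'EOF'
type=AVC msg=audit(1362010001.100:201): avc:  denied  { name_connect } for  pid=1810 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1362010002.200:202): avc:  denied  { write } for  pid=1810 comm="httpd" name="shadow" dev="dm-0" ino=262417 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1362010003.300:203): avc:  denied  { setenforce } for  pid=1810 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1362010004.400:204): avc:  denied  { sys_module } for  pid=1810 comm="httpd" capability=16 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1362010005.500:205): avc:  denied  { getattr } for  pid=1810 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=13133 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
)

# suspicious_avc RECORD: print which warning sign the record matches and
# return 0; return 1 for a denial that looks like plain misconfiguration.
# Assumes the usual user:role:type:mls label layout when picking the type.
suspicious_avc() {
  local perms class ttype
  perms=$(printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p')
  class=$(printf '%s\n' "$1" | sed -n 's/.* tclass=\([^ ]*\).*/\1/p')
  ttype=$(printf '%s\n' "$1" | sed -n 's/.* tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
  case "$class: $perms " in
    system:*" module_load "*|capability:*" sys_module "*)
      echo "kernel module load" ;;
    security:*" setenforce "*)
      echo "attempt to turn off enforcing mode" ;;
    capability:*" net_admin "*|netlink_netfilter_socket:*)
      echo "firewall/netlink change (iptables)" ;;
    tcp_socket:*" name_connect "*)
      [ "$ttype" = smtp_port_t ] || return 1
      echo "outbound mail connection (smtp_port_t)" ;;
    file:*|dir:*|lnk_file:*)
      case "$ttype" in shadow_t|etc_t) ;; *) return 1 ;; esac
      case " $perms " in
        *" write "*|*" append "*|*" create "*|*" unlink "*|*" rename "*)
          echo "write to $ttype" ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# scan_avcs < audit.log: one WARNING line per suspicious record; returns 0
# if any was found so the result can gate an alert.
scan_avcs() {
  local line sign found=1
  while IFS= read -r line; do
    sign=$(suspicious_avc "$line") || continue
    printf 'WARNING: %s by %s (%s)\n' "$sign" \
      "$(printf '%s\n' "$line" | sed -n 's/.* comm=\([^ ]*\).*/\1/p' | tr -d '"')" \
      "$(printf '%s\n' "$line" | sed -n 's/.* scontext=\([^ ]*\).*/\1/p')"
    found=0
  done
  return $found
}

printf '%s\n' "$SAMPLE_AVCS" | scan_avcs || echo "no warning signs in the sample"
```

Run it as `ausearch -m AVC --raw | scan_avcs` on a live box, or put it behind the audit dispatcher; a hit means the denial is evidence, not a bug to be allowed away.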

Resources
- Google+: SELinux
- SELinux community website: www.selinuxproject.org
- Mailing lists: Fedora SELinux, NSA SELinux
- IRC: #selinux on FreeNode
- Presentation files: https://github.com/dpquigl/demystifying-selinux

Questions?

Survey
Thank you for listening to me talk. Please help improve the talk by filling out a quick survey at http://goo.gl/S3QGk