1
How to live with SELinux
Bert Desmet – Fedora Ambassador
2
You can find me here: Kruishoutem, Belgium. www.bdesmet.be, www.devnox.be
IRC: Freenode / Quakenet. Mail: Google me for more. And if you have any questions, feel free to contact me.
3
What I do: I am still a student (Elektronics-IT@Ghent), president of CFK, job hunting.
Fedora: Fedora Ambassador, designer of the T-shirt, organise some events. Start-up projects: too many. Oh, and I love to party!
4
How to live with SELinux
5
Table of contents: Introduction. Booleans and ports. Contexts and labels.
Backing up and copying. Your own policies.
6
What is SELinux? A kernel-based security system, originally built by the NSA.
3 'functions': MLS/MCS: multi-level protection. RBAC: user privilege controls. TE: application isolation. Enabled by default on RH / Fedora.
MLS: Multi-Level Security. RBAC: Role-Based Access Control. TE: Type Enforcement. MAC: Mandatory Access Control <-> DAC: Discretionary Access Control. Adds extra control over processes and users (what files can x or y change), on top of the normal permission bits.
7
Why would I? Good access control. Reduces vulnerability to attacks. Confined services.
Good access control, unlike the DAC of a normal Linux system: an SELinux user, role, type and level, where a Linux user only has a user id and group id. Reduces vulnerability to attacks thanks to that access control: an intruder can only reach the files the software (like httpd) really needs. Confined services: SELinux can confine services and daemons so that they are more predictable and are only allowed the access required for their normal operation.
8
But: it is not an antivirus, and it is not a firewall. It limits what a process may do once it runs; it does not stop the exploit from running or the packet from arriving.
9
Keywords. Objects: files, devices, users, processes, ... everything in the operating system. Context: the label on an object. Policy: defines how objects may interact.
The policy is independent from normal Linux ownership and permission bits: both DAC and the SELinux policy must allow an access before it happens.
10
Configuration. 3 modes: Enforcing, Permissive, Disabled. 2 policy types: Targeted, Strict.
Permanent: edit /etc/selinux/config (SELINUX= and SELINUXTYPE=). Until next reboot: setenforce {0|1}, which only switches between Permissive (0) and Enforcing (1); going to or from Disabled needs a reboot. Check the running config with sestatus (or getenforce).
11
Logging. SELinux denial messages go to /var/log/audit/audit.log when auditd is running.
ausearch -m avc shows the AVC denials from that log. If auditd is not running, the kernel sends the messages to syslog, so with rsyslogd running they land in /var/log/messages. /var/log/messages is easier to read, but rsyslogd is not always running: chkconfig --levels 2345 rsyslog on
12
Booleans: switches in the policy that can be changed at runtime, without writing policy.
13
Managing booleans. List all booleans: getsebool -a, or semanage boolean -l
Set a boolean: setsebool $boolean {on|off}; setsebool -P $boolean {on|off}. The -P flag makes the change persistent over reboots; without it the change is lost at the next reboot. Booleans switch predefined pieces of policy on or off. The semanage boolean command doesn't work yet on RH/CentOS 5.x.
14
Managing ports. List the port types and the ports each service may use: semanage port -l
Add a port: semanage port -a -t $type -p {tcp|udp} $port. Delete a port: semanage port -d -t $type -p {tcp|udp} $port. A confined daemon can only bind to ports of its own type (httpd: http_port_t), so add the port before changing the daemon's listen address.
16
SELinux contexts: ls -Z, ps -Z, id -Z
unconfined_u:object_r:httpd_sys_content_t:s0. unconfined_u: the SELinux user of the object. object_r: the role part of the context. httpd_sys_content_t: the type. s0: the security level. The SELinux user is an identity authorised for a specific set of roles and an MLS range; each Linux user is mapped to an SELinux user (see semanage login -l). The role is part of the RBAC model. The type is the attribute of type enforcement: it defines the domain of a process and the type of a file. The level is the attribute for MLS. A process running in the unconfined_t domain is not restricted (in the targeted policy).
17
Change context. Temporary: chcon -t $type ${file|dir}name. Persistent:
semanage fcontext -a -t $type "${file|dir}name" (add "(/.*)?" after a directory to cover everything below it). Restore the context from the rules: restorecon -v ${file|dir}name. Remove a rule: semanage fcontext -d "${file|dir}name". Example: chcon -t httpd_sys_content_t /web. Use the full path of the file or dir. restorecon resets a label to what the file contexts rules say, so it undoes a chcon: semanage fcontext adds a rule to file_contexts.local and chcon doesn't, which is why a chcon is lost on the next relabel. After a fcontext -d, run restorecon again.
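The two semanage procedures above (adding a port type on slide 14, adding a persistent file context here) are not idempotent as written: semanage port -a and semanage fcontext -a both fail with "already defined" when a rule for that port or pattern exists, and a bare directory path in fcontext labels only that one directory. The following shell script is an added example, not code from the slides or from the Fedora project. It checks the existing rules before adding or modifying, parses a constructed `semanage port -l` listing (assumed to use the format shown in the comment), and builds the `(/.*)?` pattern that makes a directory rule apply to its whole subtree. ensure_port and ensure_fcontext call the real semanage and restorecon and are only meant to run as root on an SELinux system; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the slides or from the Fedora project): make the
# semanage port / fcontext procedures idempotent by checking existing rules first.
# Assumption: `semanage port -l` prints
#   <type>   <proto>   <port>[, <port>|<lo-hi> ...]
# The listing below is constructed for the example; it is not real system output.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      443, 488
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22'

# port_has_type TYPE PROTO PORT  (listing on stdin)
# Exit 0 when PORT is already covered by TYPE for PROTO, ranges included.
port_has_type() {
  awk -v t="$1" -v proto="$2" -v port="$3" '
  $1 == t && $2 == proto {
    for (i = 3; i <= NF; i++) {
      f = $i; sub(/,$/, "", f)
      if (split(f, r, "-") == 2) { if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1 }
      else if (f + 0 == port + 0) found = 1
    }
  }
  END { exit found ? 0 : 1 }'
}

# port_type_of PROTO PORT  (listing on stdin)
# Print the type that already owns PORT, or nothing.
port_type_of() {
  awk -v proto="$1" -v port="$2" '
  $2 == proto {
    for (i = 3; i <= NF; i++) {
      f = $i; sub(/,$/, "", f)
      if (split(f, r, "-") == 2) { if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit } }
      else if (f + 0 == port + 0) { print $1; exit }
    }
  }'
}

# ensure_port TYPE PROTO PORT: add the label, or modify it when another type owns the port.
# `semanage port -a` refuses a port that is already defined; `-m` is needed then.
ensure_port() {
  listing=$(semanage port -l) || return 1
  if printf '%s\n' "$listing" | port_has_type "$1" "$2" "$3"; then
    echo "$2/$3 already labelled $1"
  else
    owner=$(printf '%s\n' "$listing" | port_type_of "$2" "$3")
    if [ -n "$owner" ]; then
      semanage port -m -t "$1" -p "$2" "$3"   # re-label from $owner to $1
    else
      semanage port -a -t "$1" -p "$2" "$3"
    fi
  fi
}

# fcontext_pattern DIR: the regex semanage needs so DIR *and everything below it* match.
# A bare path, as on the slide, labels only that one directory.
# Assumption: DIR contains no regex metacharacters (they are not escaped here).
fcontext_pattern() {
  printf '%s(/.*)?\n' "${1%/}"
}

# ensure_fcontext TYPE DIR: add (or modify) the persistent rule, then apply it.
ensure_fcontext() {
  pat=$(fcontext_pattern "$2")
  if semanage fcontext -l | grep -F -q -- "$pat "; then
    semanage fcontext -m -t "$1" "$pat"
  else
    semanage fcontext -a -t "$1" "$pat"
  fi
  restorecon -R -v "$2"   # a rule changes nothing until restorecon applies it
}

# Stand-alone demo against the constructed listing (no semanage needed):
for p in 8080 8443; do
  if printf '%s\n' "$SAMPLE_PORT_LIST" | port_has_type http_port_t tcp "$p"; then
    echo "tcp/$p is already http_port_t"
  else
    echo "tcp/$p is not http_port_t (owner: $(printf '%s\n' "$SAMPLE_PORT_LIST" | port_type_of tcp "$p"))"
  fi
done
echo "fcontext pattern for /web: $(fcontext_pattern /web)"
```

Usage on a real system: `ensure_port http_port_t tcp 8080` before moving httpd to port 8080, and `ensure_fcontext httpd_sys_content_t /web` instead of the chcon on the slide, so the label survives a relabel.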
18
Relabeling the file system. With reboot (preferred!): touch /.autorelabel; reboot
Without reboot: fixfiles relabel, or fixfiles -R $packagename restore. fixfiles relabel on a running system can make the system unstable. fixfiles -R relies on the rpm database and relabels only the files owned by that package.
19
Mounting file systems: the mount command
mount -t nfs -o context="system_u:object_r:context_t:s0" server:/export /mount
mount -o defcontext="system_u:object_r:context_t:s0" /dev/sda2 /foo
(context_t stands for the type you want.) context= works for NFS mounts, also several at once; the standard type for NFS is nfs_t. Every file on such a mount shows that one context and you cannot change it: chcon returns "Operation not supported". defcontext= on /dev/sda2 only applies to files that carry no label (it assumes no rule defines a context for /foo/); files keep their context when you change it. Persistent: put the option in /etc/fstab.
21
Copying. cp doesn't keep the context: the copy gets the default context of the destination directory. Copy with context:
add the --preserve=context flag. Copy while setting a context: cp -Z system_u:object_r:context_t:s0 $file $dest (on newer coreutils the explicit form is --context=CTX; a bare -Z there means "use the default for the destination"). If you copy over an existing file, the destination keeps its original context.
22
Moving. The mv command doesn't move the context along across different partitions.
On the same partition the file keeps its context, which is often the wrong one for the new location (a file moved from a home directory into the web root stays user_home_t). Use the cp command, or run restorecon on the moved files.
23
Tarring. tar doesn't store contexts by default; use the --selinux flag (when creating and when extracting).
Untar an archive without extended attributes and relabel the extracted files: tar -xvf $archive | restorecon -f -
25
Troubles? audit2allow gives you decent tips. matchpathcon -V $dir
checks the context of a dir: matchpathcon gets the default security context for the specified path from the file contexts configuration, and -V verifies the path's current label against it. semodule -DB allows all denials to be logged: -D disables the dontaudit rules, -B rebuilds the policy. Run semodule -B again after debugging, otherwise the log stays noisy.
26
Creating policies. Grep for the right error in the audit log, then feed it to audit2allow:
grep httpd /var/log/audit/audit.log | audit2allow -m $name > $name.te (or audit2allow -a -m $name to read the whole audit log). The -D flag generates dontaudit rules instead of allow rules. Then cat $name.te and read it: only allow what the service really needs.
27
Applying policies. audit2allow -a -M $name builds $name.te and the compiled $name.pp; semodule -i $name.pp
semodule: import (install) the module into the running policy.
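To show what audit2allow does with the AVC records from slide 11 (Logging) and slides 26 and 27, here is an added example, not code from the slides or from the audit2allow tool: a POSIX shell function that turns AVC denial lines into allow rules, merging the permissions per (source type, target type, class). The sample audit lines are constructed for the example. Use the real audit2allow for real modules; this only illustrates the mapping, and it doubles as a quick summary of what a confined daemon is being refused before you decide whether a boolean, a label fix or a module is the right answer.

```shell
#!/bin/sh
# Added example (not from the slides or from audit2allow): turn AVC denials
# into type-enforcement allow rules, one per (source type, target type, class).
# Assumption: the audit.log line format of the Linux audit system, i.e.
#   type=AVC ... avc:  denied  { perm ... } for ... scontext=u:r:t:s0 tcontext=u:r:t:s0 tclass=class

# Constructed sample of three denials for httpd plus one SYSCALL record (not real log data).
SAMPLE_AVC='type=AVC msg=audit(1296478930.123:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda2 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1296478931.456:43): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/bert/web/index.html" dev=sda2 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1296478932.789:44): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1296478932.789:44): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0'

# avc_to_allow: read audit lines on stdin, print sorted allow rules on stdout.
avc_to_allow() {
  awk '
  /avc: +denied/ {
    perms = $0
    sub(/.*denied +[{] */, "", perms)   # keep only the text inside { ... }
    sub(/ *[}].*/, "", perms)
    st = tt = tc = ""
    for (i = 1; i <= NF; i++) {
      if (split($i, kv, "=") < 2) continue
      if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }   # type is the 3rd field
      else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
      else if (kv[1] == "tclass") tc = kv[2]
    }
    if (st == "" || tt == "" || tc == "") next   # malformed record: skip it
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++) print st, tt, tc, p[j]
  }' | LC_ALL=C sort -u | awk '
  # Merge the permissions of each (source, target, class) into one rule.
  {
    key = $1 " " $2 ":" $3
    if (key != prev) {
      if (prev != "") print "allow " prev " { " acc " };"
      prev = key; acc = $4
    } else acc = acc " " $4
  }
  END { if (prev != "") print "allow " prev " { " acc " };" }'
}

# Stand-alone demo on the constructed sample; on a real box you would run
#   ausearch -m avc -c httpd | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On the sample this prints two rules: one letting httpd_t read and getattr user_home_t files, one letting it name_connect to mysqld_port_t. The first is the classic case where the right fix is a label (httpd_sys_content_t) or a boolean rather than a module; the second is what the httpd_can_network_connect_db boolean exists for. That judgement is the part no generator makes for you.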
28
So why do we enable it? It's easy. It's secure.
29
References: Fedora SELinux documentation, http://docs.fedoraproject.org
Dan Walsh, the Fedora SELinux team, freenode, Linux training
30
Questions? E-mail: bert@bdesmet.be Twitter: @biertie
Web: