Presentation is loading. Please wait.

Presentation is loading. Please wait.

What is SELinux trying to tell me? The 4 key causes of SELinux errors.

Published byAnabel Wiggins Modified over 8 years ago

Similar presentations

Presentation on theme: "What is SELinux trying to tell me? The 4 key causes of SELinux errors."— Presentation transcript:

1 What is SELinux trying to tell me? The 4 key causes of SELinux errors.

2 SELinux Problem Solutions 1. SELinux == Labeling 2. SELinux Needs to Know 3. SELinux Policy/Apps can have bugs. 4. You could be COMPROMISED!!!!

3 SELinux == Labeling ➔ Every process and object on the machine has a label associated with it ➔ If your files are not labeled correctly access might be denied. ➔ If you use alternative paths for confined domains SELinux needs to KNOW. ➔ http files in /srv/myweb instead of /var/www/html? Tell SELinux. ➔ # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?' ➔ # restorecon -R /srv/myweb

4 SELinux == Labeling

5 ➔ Fedora 11 introduces equivalency labeling ➔ semanage fcontext -a -e /srv/myweb /var/www ➔ Tells SELinux to label all files directories under /srv/myweb the same as /var/www ➔ /srv/myweb/cgi-bin/mycgi.cgi will get labeled httpd_sys_script_t ➔ semanage fcontext -a -e /export/home /home ➔ Label all files under /export/home as if they were under /home ➔ /export/home/dwalsh/.ssh will get labeled ssh_home_t

6 SELinux needs to KNOW ➔ How did you configure your apache server? Tell SELinux!! ➔ If you want httpd to send email ➔ # setsebool -P httpd_can_sendmail 1 ➔ Vsftp setup for users to login ➔ # setsebool -P ftp_home_dir 1 ➔ Http is setup to listen on port 8585 ➔ # semanage port -a -t http_port_t -p tcp 8585

7 SELinux needs to KNOW

8

9 SELinux Policy/Apps Can Have bugs ➔ SELinux Policy might have a bug ➔ Unusual Code Paths ➔ Configurations ➔ Redirection of stdout ➔ Apps have bugs ➔ Leaked File Descriptors ➔ Executable Memory ➔ Badly built libraries ➔ Report the bugs in Bugzilla so we can fix them

10 SELinux Policy/Apps Can Have bugs!!! ➔ You can tell SELinux to just allow ➔ Selinux is blocking postgresql ➔ Labeling is correct? No appropriate boolean? ➔ Use audit2allow to build a policy module ➔ #grep postgresql /var/log/audit/audit.log | audit2allow -M mypostgresql ➔ # semodule -i mypostsql.pp ➔ Examine mypostgresq.te ➔ Make sure you are not allowing too much? ➔ Ask for help? ➔ #fedora ➔ Fedora-selinux mail list ➔ dwalsh@redhat.com

11 You could be COMPROMISED!!! ➔ Current tools do not do a good job of differentiating ➔ If you have a confined domain that tries to: ➔ Load a kernel module ➔ Turn off SELinux enforcing mode ➔ Write to etc_t? shadow_t ➔ Modify iptables rules ➔ Sendmail???? ➔ others ➔ You might be compromised

Download ppt "What is SELinux trying to tell me? The 4 key causes of SELinux errors."

Similar presentations

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
Shane Jahnke CS591 December 7, 2009.  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.
Linux Networking CIS230.0325. Why Linux/Unix? Configurability ▫Customizable System to satisfy unique needs. Scalability ▫Able to serve an increasing number.

Linux Networking CIS Why Linux/Unix? Configurability ▫Customizable System to satisfy unique needs. Scalability ▫Able to serve an increasing number.
SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.

SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.
GreenSQL Yuli Stremovsky /MSN/Gtalk:

GreenSQL Yuli Stremovsky /MSN/Gtalk:
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Security Enhanced Linux (SELinux)

Security Enhanced Linux (SELinux)
FTP (File Transfer Protocol) & Telnet

FTP (File Transfer Protocol) & Telnet
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/
Review Security Hardening IPTables SELinux. Today Installations and updates – Rpm command and packages Apache “Issue Ownership”

Review Security Hardening IPTables SELinux. Today Installations and updates – Rpm command and packages Apache “Issue Ownership”
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.
Network Security SSH Tunneling David Funk Matt McLaughlin Systems Administrators Computer Systems Support COE, University of Iowa.

Network Security SSH Tunneling David Funk Matt McLaughlin Systems Administrators Computer Systems Support COE, University of Iowa.
Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:
FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.

FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
FTP Server and FTP Commands By Nanda Ganesan, Ph.D. © Nanda Ganesan, All Rights Reserved.

FTP Server and FTP Commands By Nanda Ganesan, Ph.D. © Nanda Ganesan, All Rights Reserved.
CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.
Realtime Technologies, Inc. Distributed Simulation Training  April 2005.

Realtime Technologies, Inc. Distributed Simulation Training  April 2005.
How to configure, build and install Trilinos November 2, 2004 8:30-9:30 a.m. Jim Willenbring Mike Phenow.

How to configure, build and install Trilinos November 2, :30-9:30 a.m. Jim Willenbring Mike Phenow.

Similar presentations

Ads by Google