Presentation is loading. Please wait.

Presentation is loading. Please wait.

Writing SELinux Policy | Permissive Domains | Real bugs

Published byPamela Allison Modified over 6 years ago

Similar presentations

Presentation on theme: "Writing SELinux Policy | Permissive Domains | Real bugs"— Presentation transcript:

1 Writing SELinux Policy | Permissive Domains | Real bugs
Fun with SELinux Writing SELinux Policy | Permissive Domains | Real bugs Presented by Miroslav Grepl

2 Today's Topics Show process of writing a policy Real examples
- understanding basics of SELinux == labels - using SELinux tools - Permissive Domains Real examples - creating & testing portreserve policy - how to solve real bug (Bip – IRC proxy) - creating a new policy???

3 Known basics? the most important part of SELinux
type enforcement language everything on a SELinux system has a type - processes, files security context system_u:object_r:etc_t:s0 policy decision security context labels are used to make access control decisions between processes and objects

4 Known basics? SELinux decision

5 Known basics? using security context audit log records the following:
# id -Z root:staff_r:staff_t # cat /etc/shadow cat: /etc/shadow: Permission denied # sesearch -A -s staff_t -t shadow_t -c file -p read ... what does it return?? audit log records the following: avc: denied { read } for pid=13653 exe=/bin/cat name=shadow dev=hda6 ino= scontext=root:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file

6 Policy rules type field
each subject (process), object (file) has a type declaration type portreserve_t; # Process Type (Domain) type portreserve_exec_t; # File Type

7 Policy rules policy rules statement COMMAND
COMMAND SOURCETYPE TARGETTYPE:CLASS PERMS; COMMAND allow, dontaudit, audit2allow, neverallow allow staff_t etc_t:file { open read getattr ioctl lock}; dontaudit staff_t shadow_t:file { open read getattr ioctl lock};

8 Policy rules policy rules statement CLASS
COMMAND SOURCETYPE TARGETTYPE:CLASS PERMS; CLASS file, dir, sock_file, tcp_socket, process PERMS read, open, write macros can be used define(`r_file_perms', `{ open read getattr lock ioctl } /usr/share/selinux/devel/include/support/obj_perm_sets.spt

9 Policy rules attribute group types attribute file_type
type etc_t, file_type typeattribute etc_t, file_type allow rpm_t file_type:file manage_file_perms

10 Policy rules Attributes decrease size of policy on a Fedora 15
$ seinfo Allow: Dontaudit: on Fedora 16 Allow: Dontaudit:

11 Policy module place where all policy statements are located
allows users to easily customize policy allows third parties to ship policy with their rpms similar to kernel modules recompile and reload

12 Policy module Policy Package (pp) Three Components
Type Enforcement (TE) File Contains all the rules used to confine your application File Context (FC) File Contains the regular expression mappings for on disk file contexts Interface (IF) Files Contains the interfaces defined for other confined applications, to interact with your confined application Policy Package (pp) Compiler/packager roles generates policy package to be installed on systems.

13 LET'S START GENERATING POLICY

14 Setup environment Disable portreserve policy
# semodule -d portreserve.pp Fix labels # for i in `rpm -ql portreserve`;do restorecon -R -v $i;done # systemctl restart portreserve.service Default initrc_t domain unconfined domain for process started by init system process without policy

15 SELinux transition, labels
Transitions without transition using service script -> initrc_t with transition using service script -> portreserve_t run directly unconfined_t => SELINUX IS ALL ABOUT LABELS

16 Generating initial policy
Using sepolgen or sepolgen-gui give you policy files # sepolgen -n myportreserve -t 0 `which portreserve` Created the following files in: ./ portreserve.te # Type Enforcement file Contains all the rules used to confine your application portreserve.fc # Interface file Contains the regular expression mappings for on disk file contexts portreserve.if # File Contexts file Contains the interfaces defined for other confined applications, to interact with your confined application

17 Generating initial policy
Install policy using setup script # sh myportreserve.sh using Makefile # make -f /usr/share/selinux/deve/Makefile # semodule -i myportreserve.pp # for i in `rpm -ql portreserve`;do restorecon -R -v $i;done Do some checks # semodule -l | grep portreserve # ps -eZ | grep portre # ausearch -m avc -ts recent

18 Permissive Domains initial policies are running as permissive domains
# permissive myportreserve_t checks are performed but not enforced users don't have to switch to permissive mode globally we can catch AVC messages # ausearch -m avc -ts recent | grep portreserve make domain permissive # semanage permissive -a httpd_t

19 Building policy loop until good policy test application
generate avc messages audit2allow examines /var/log/audit/audit.log and /var/log/messages for AVC messages searches interface files for correct interface if no interface found generates allow rules

20 Building policy audit2allow in practise audit2allow -R require {
type=AVC msg=audit(04/22/ :53:51.194:49) : avc: denied { read } for pid=7695 comm=dictd scontext=unconfined_u:system_r:dictd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=fil audit2allow -R require { type dictd_t; } #=========== dictd_t ============== kernel_read_kernel_sysctls(dictd_t)

21 Complete our policy ausearch, audit2allow tools
# ausearch -m avc -ts today | grep portreserve | audit2allow -R compile and load rules # ausearch -m avc -ts today | grep portreserve | audit2allow -R >> myportreserve.te # make -f /usr/share/selinux/devel/Makefile # semodule -i myportreserve.pp test it without permissive domain sed -i s/^permissive/#permissive/ portreserve.te

22 Complete our policy MOST IMPORTANT THING TO LEARN TODAY
audit2allow – Just MAKE IT WORK?????

23 Real bug – bip issue new policies for new unconfined services/apps?
are not always necessary spamc_t domain type treat a lot of spam apps does not make sense creating new policy for each spam apps? policy has many types to use for example bip IRC proxy there was the following bug

24 Real bug – bip issue avc: denied { name_bind } for pid=2897 comm="bip" src=6667 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket runnig as initrc_t -> causes issues - add a custom module using audit2allow - create a new policy - use a current policy => which one ???

25 Real bug – bip issue use a current policy which one?
=> we know bitlbee is similar => does bitlbee policy exist? # seinfo -t |grep bitlbee which type will we use for bip binary? # chcon -t ???_t `which bip` # service bip restart

26 Real bug – unconfined services
There are services without SELinux confinement => running as initrc_t bcfg2-server, glusterd rpc.rstatd, rpc.rusersd pacemaker, pkcsslotd, fence_virtd, openhpid, isnsd, sfcbd, svnserve, stap-serverd

27 Backup your environment
load the default policy using semodule # semodule -r myportreserve -e portreserve fix labels using restorecon # for i in .. # systemctl restart portreserve.service remove permissive domain using semanage # semanage permissive -d httpd

28 Links http://danwalsh.livejournal.com/ http://dwalsh.fedorapeople.org/

29 Questions? Contact:

Download ppt "Writing SELinux Policy | Permissive Domains | Real bugs"

Similar presentations

Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.

Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
Shane Jahnke CS591 December 7, 2009.  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.
SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.

SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
Security Enhanced Linux (SELinux)

Security Enhanced Linux (SELinux)
Operating System Program 5 I/O System DMA Device Driver.

Operating System Program 5 I/O System DMA Device Driver.
1 Integrated Development Environment Building Your First Project (A Step-By-Step Approach)

1 Integrated Development Environment Building Your First Project (A Step-By-Step Approach)
Secure Operating Systems

Secure Operating Systems
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/
Firewall Dave Grizzanti Steve Curti. What is an Internet Firewall? An Internet firewall is most often installed at the point where your protected internal.

Firewall Dave Grizzanti Steve Curti. What is an Internet Firewall? An Internet firewall is most often installed at the point where your protected internal.
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.
Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:
Security-Enhanced Linux. References  Implementation of Security-Enhanced Linux by Yue Cui, Xiang Sha, Li Song  Security Enhanced Linux by David Quigley.

Security-Enhanced Linux. References  Implementation of Security-Enhanced Linux by Yue Cui, Xiang Sha, Li Song  Security Enhanced Linux by David Quigley.
FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.

FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

Similar presentations

Ads by Google