2012 DevDay Lab SELinux Hacker
Using SELinux on RHEL 6
George Hacker, Curriculum Manager, Red Hat, 06.26.12
What Is SELinux?
● A security feature of the Linux kernel
● Originally developed by the NSA
● Initially used to secure services
● All system objects (files, ports, processes) are labeled
● The policy defines the rules that affect how various system objects can interact with each other
● The policy is loaded into the kernel at boot time
CLI Support for SELinux
● SELinux activation state
  ● getenforce(8), setenforce(8)
● Display file/process context information
  ● -Z option to ls(1) and ps(1)
● Manipulate file contexts
  ● chcon(8), restorecon(8), setfiles(8)
● Display and adjust policy booleans
  ● getsebool(8), setsebool(8), togglesebool(8)
CLI Support for SELinux (cont.)
● Examples
  ● getenforce
  ● setenforce 0
  ● ls -Z
  ● ps -eZ
  ● chcon -t tmp_t tempdir
  ● restorecon /var/www/html/index.html
  ● getsebool -a
  ● setsebool httpd_enable_homedirs 1
Introducing libselinux
● Provided by libselinux and libselinux-devel packages
  ● libselinux provides run-time support
  ● libselinux-devel required for building SELinux programs
● C source code must include selinux.h header file
  ● #include <selinux/selinux.h>
● Link with the libselinux library
  ● gcc -o program program.c -lselinux
Provided Header Files
● Primary header file
  ● #include <selinux/selinux.h>
● Additional header files
  ● #include <selinux/avc.h>
  ● #include <selinux/context.h>
  ● #include <selinux/flask.h>
  ● #include <selinux/get_context_list.h>
  ● #include <selinux/label.h>
libselinux – SELinux Status Functions
● Get current SELinux status
  ● security_getenforce()
● Get boot-time SELinux configuration
  ● selinux_getenforcemode(int *mode)
● Set current SELinux status
  ● security_setenforce(int enforce)
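The two status functions above read different sources: security_getenforce() reports the live kernel state, while selinux_getenforcemode() reads the SELINUX= line of /etc/selinux/config and stores 1 (enforcing), 0 (permissive) or -1 (disabled) in *mode. The following added example (not from the slides or from libselinux) is a hand-written parser for that config line that returns the same values, so the boot-time setting can be compared with a live getenforce result; a host whose config says enforcing but whose live state is permissive has been switched at run time, which is worth alerting on. On a RHEL host you would call selinux_getenforcemode() itself; the function names here and the sample file contents are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Values match what selinux_getenforcemode(3) stores in *mode. */
enum { MODE_DISABLED = -1, MODE_PERMISSIVE = 0, MODE_ENFORCING = 1 };

/* Map one trimmed value to a mode; returns 0 on success, -1 if unknown. */
static int mode_from_value(const char *v, size_t vlen, int *mode)
{
    if (vlen == 9  && strncasecmp(v, "enforcing", 9)  == 0) { *mode = MODE_ENFORCING;  return 0; }
    if (vlen == 10 && strncasecmp(v, "permissive", 10) == 0) { *mode = MODE_PERMISSIVE; return 0; }
    if (vlen == 8  && strncasecmp(v, "disabled", 8)   == 0) { *mode = MODE_DISABLED;   return 0; }
    return -1;
}

/* Parse config text (the contents of /etc/selinux/config). The first line
 * beginning with "SELINUX=" decides; comment lines and other keys such as
 * SELINUXTYPE= are ignored. Returns 0 and sets *mode, or -1 if no such line
 * exists or its value is not recognised. (Hand-written equivalent of what
 * selinux_getenforcemode() does, not the library code.) */
int parse_enforce_mode(const char *text, int *mode)
{
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= 8 && strncmp(p, "SELINUX=", 8) == 0) {
            const char *v = p + 8;
            size_t vlen = len - 8;
            while (vlen && isspace((unsigned char)v[vlen - 1]))
                vlen--;                 /* drop trailing spaces and CR */
            return mode_from_value(v, vlen, mode);
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return -1;
}

/* Boot-time config says enforcing but the live state (what
 * security_getenforce() or getenforce report) is permissive: the box was
 * switched after boot. Returns 1 for that mismatch, else 0. */
int enforcement_mismatch(int boot_mode, int live_enforce)
{
    return boot_mode == MODE_ENFORCING && live_enforce == 0;
}

int main(void)
{
    /* Constructed sample: the stock RHEL 6 file layout. */
    const char *sample =
        "# This file controls the state of SELinux on the system.\n"
        "SELINUX=enforcing\n"
        "SELINUXTYPE=targeted\n";
    int mode;
    if (parse_enforce_mode(sample, &mode) == 0)
        printf("boot-time mode: %d (1 enforcing, 0 permissive, -1 disabled)\n", mode);
    /* 0 stands in here for a live security_getenforce() result of permissive. */
    printf("runtime mismatch: %d\n", enforcement_mismatch(mode, 0));
    return 0;
}
```

The parser deliberately rejects unknown values instead of defaulting to permissive, so a typo in the config file surfaces as an error rather than as a silently weaker mode.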
libselinux – File Context Functions
● Data type: security_context_t
● Get the SELinux context of a file
  ● getfilecon(char *path, security_context_t *context)
● Free an allocated context
  ● freecon(security_context_t context)
libselinux – File Context Functions (cont.)
● Set the SELinux context of a file
  ● setfilecon(char *path, security_context_t context)
  ● fsetfilecon(int fd, security_context_t context)
  ● lsetfilecon(char *path, security_context_t context)
● Get/set the context that the calling process assigns to files it creates
  ● getfscreatecon(security_context_t *context)
  ● setfscreatecon(security_context_t context)
libselinux – Context Functions
● Manipulate fields of security_context_t strings
● Header file
  ● #include <selinux/context.h>
● Data type: context_t
● Functions to allocate/free context_t variables
  ● context_new(security_context_t context)
  ● context_free(context_t ct_context)
● Conversion to security_context_t
  ● context_str(context_t ct_context)
libselinux – Context Functions (cont.)
● Functions to extract context elements
  ● context_user_get(context_t ct_context)
  ● context_role_get(context_t ct_context)
  ● context_type_get(context_t ct_context)
  ● context_range_get(context_t ct_context)
● Functions to assign context elements
  ● context_user_set(context_t ct_context, char *user)
  ● context_role_set(context_t ct_context, char *role)
  ● context_type_set(context_t ct_context, char *type)
  ● context_range_set(context_t ct_context, char *range)
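The context_t functions on the two slides above exist because a security_context_t is just a string of the form user:role:type[:range], and taking it apart by hand is easy to get wrong: on an MLS/MCS system the range itself contains colons (for example s0-s0:c0.c1023), so splitting on every colon yields garbage. The added example below (written for this page, not libselinux's own implementation, which keeps context_t opaque) shows the field model behind context_new(), context_*_get(), context_type_set() and context_str() with that edge case handled, using fixed-size fields instead of heap allocation. The struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define CTX_FIELD 64
#define CTX_RANGE 128

/* Decomposed context: the model behind libselinux's opaque context_t. */
struct sectx {
    char user[CTX_FIELD];
    char role[CTX_FIELD];
    char type[CTX_FIELD];
    char range[CTX_RANGE];   /* empty string when the context has no MLS/MCS range */
};

/* Copy one field, rejecting empty or oversized values. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len)
{
    if (len == 0 || len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Split "user:role:type[:range]". Only the first three colons separate
 * fields: an MLS range such as "s0-s0:c0.c1023" keeps its own colon.
 * Returns 0 on success, -1 on malformed input (context_new() returns NULL). */
int ctx_parse(const char *s, struct sectx *out)
{
    char *slots[3] = { out->user, out->role, out->type };
    const char *p = s;
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        if (i < 2 && !colon)
            return -1;                          /* need at least user:role:type */
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (copy_field(slots[i], CTX_FIELD, p, len) < 0)
            return -1;
        if (!colon) {                           /* three fields, no range */
            out->range[0] = '\0';
            return 0;
        }
        p = colon + 1;
    }
    /* everything after the third colon, colons included, is the range */
    return copy_field(out->range, CTX_RANGE, p, strlen(p));
}

/* Replace the type field, as context_type_set() does before a relabel. */
int ctx_set_type(struct sectx *c, const char *type)
{
    return copy_field(c->type, CTX_FIELD, type, strlen(type));
}

/* Reassemble the string form (context_str). Returns 0, or -1 if buf is too small. */
int ctx_str(const struct sectx *c, char *buf, size_t n)
{
    int w = c->range[0]
        ? snprintf(buf, n, "%s:%s:%s:%s", c->user, c->role, c->type, c->range)
        : snprintf(buf, n, "%s:%s:%s", c->user, c->role, c->type);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: a typical ps -eZ label for an unconfined shell. */
    const char *label = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023";
    struct sectx c;
    char out[256];
    if (ctx_parse(label, &c) < 0) {
        fprintf(stderr, "malformed context\n");
        return 1;
    }
    printf("user=%s role=%s type=%s range=%s\n", c.user, c.role, c.type, c.range);
    ctx_set_type(&c, "httpd_t");
    if (ctx_str(&c, out, sizeof out) == 0)
        printf("rebuilt: %s\n", out);
    return 0;
}
```

With the real library the same flow is context_new() on the string returned by getfilecon() or getcon(), context_type_set(), then context_str() to obtain the string to pass to setfilecon(), followed by context_free() and freecon().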
libselinux – Process Context Functions
● Get the SELinux context of the current process
  ● getcon(security_context_t *context)
● Get the SELinux context of another process
  ● getpidcon(int pid, security_context_t *context)
● Use freecon(3) when finished
libselinux – Process Context Functions (cont.)
● Set the SELinux context of the current process
  ● setcon(security_context_t context)
● Set the SELinux context of a spawned process
  ● setexeccon(security_context_t context)
  ● Sets the SELinux context for the next process created with the execve(2) system call
libselinux – Boolean Functions
● Get the value of a boolean
  ● security_get_boolean_active(char *bool_name)
  ● security_get_boolean_pending(char *bool_name)
● Set the value of a boolean
  ● security_set_boolean(char *bool_name, int value)
● Commit all pending boolean changes
  ● security_commit_booleans()
libselinux – Boolean Functions (cont.)
● Data type: SELboolean
  ● A structure with two fields: char *name, int value
● Set multiple boolean values
  ● security_set_boolean_list(size_t nbools, SELboolean *boolean_list, int permanent)
For Further Study
● Overview of SELinux
  ● Red Hat Summit 2010 - SELinux for Mere Mortals, Thomas Cameron and Dan Walsh
● Red Hat Enterprise Linux 6 SELinux Features
  ● Red Hat Summit 2010 - Not Your Grandfather's SELinux, Dan Walsh
● RHS429 – Red Hat Enterprise SELinux Policy Administration
  ● http://www.redhat.com/training/courses/rhs429