SELinux for Mere Mortals - Software Summit...Thomas Cameron — SELinux for Mere Mortals (or,...
Transcript of SELinux for Mere Mortals - Software Summit...Thomas Cameron — SELinux for Mere Mortals (or,...
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 1
SELinux for Mere MortalsOr, “Don't Turn It Off!”
Thomas Cameron
Lead Solutions Architect,
Red Hat
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 2
Agenda
What is SELinux
A brief History
Type Enforcement
Role-Based Access Control (RBAC)
Multi-Level Security (MLS)
Mandatory vs. Discretionary AccessControl
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 3
Agenda
What Can I Do with SELinux?
Confine Programs' Privileges
Protect from Exploits
Prevent System Access to Users' PrivateDetails
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 4
Agenda
SELinux Architecture
Security Context• Users
• Roles
• Domains/Types
• Sensitivity
• Category
Security Policy
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 5
What is SELinux?
A brief HistoryCreated by the United States NationalSecurity Agency (NSA) as set of patchesto the Linux kernel using Linux SecurityModules (LSM)
Released by the NSA under the GNUGeneral Public License (GPL) in 2000
Adopted by the upstream Linux kernel in2003
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 6
What is SELinux?
Type Enforcement (TE)Enforces Mandatory Access Control (MAC)over Discretionary Access Control (DAC)
Provides control over process execution aswell as domain transition. For example,the init process kicks off various scripts inthe /etc/rc.d directory and those scriptscall executable binaries. TE manages thetransition of those executables from theirparent domain (init) to their own domain(like httpd).
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 7
What is SELinux?
Role-Based Access Control (RBAC)Roles defined for various processes
Permissions assigned to roles rather thanindividual users
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 8
What is SELinux?
Multi-Level Security (MLS)Allows different access levels to differentdata based on security levels• Top level can access top, middle and low
• Mid level can access mid and low but not top
• Low level can access low but not mid or top
Can even have different windows in theGUI with different levels of security and noway to copy/paste from high to mid
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 9
What is SELinux?
Mandatory vs. Discretionary AccessControl
DAC – standard mechanism for Linux.• All processes run with a user and group. If
that user/group has access to files, so does theprocess
• Root and users have ability (discretion) tooverride or change security with chmod, chownand related utilities
• Processes which run as root (think applicationservices) can access *everything*
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 10
What is SELinux?
Mandatory vs. Discretionary AccessControl
MAC – SELinux is a MAC implementation• Fine grained permissions on all processes, files,
devices, sockets, ports, etc.
• Administratively defined policy.
• Security decisions made based on allinformation, not just identity
• Processes running as root can still only accessthose areas of the system which policy allows.
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 11
What can I do with it?
Confine Programs' PrivilegesPrograms confined to their own context,even programs running as root can stillnot access information outside of theirown security context
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 12
What can I do with it?
Protects against exploitsRBAC and TE (sandboxing) means thateven if a “bad guy” exploits something likea buffer overflow, since that process runsin a specific context it can't accessanything else on the system.
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 13
What can I do with it?
Prevent System Access to Users'Private Details
Rogue/compromised processes can stillnot access home directories or mail files
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 14
SELinux Architecture
Security ContextUsers
Roles
Domains/Types
Sensitivity (optional)
Category (optional)
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 15
SELinux Architecture
Security Context (example)
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 16
User identity and role
SELinux user account correlated withobject, typically ends in _u, as in thesystem_u identity in the previous slide
Role defines which SELinux useridentities are permitted in whichdomains, typically ends in _r as inobject_r in the previous slide
Role can be changed using newrole
Role has access to types or domains
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 17
Domain Type and Role
Processes (subjects) execute indomains
Resources (objects) are in protecteddomains called types
Subjects and objects have a domain ora type, ending in _t as in thehttpd_config_t and etc_t types in theearlier slide
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 18
Id, role, domain and type
Example:
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 19
Domain Type and Role
For example, the web server binary(httpd) has a type of httpd_exec_t.
The running process (httpd) belongs tothe httpd_t domain
Web server data is of the typehttpd_sys_content_t.
The targeted policy allows subjects inhttpd_t to access files withhttpd_sys_content_t
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 20
Sensitivity and categories
Only used in strict and mls policies(think government)
Hierarchical
Category is optional
No read up, no write down
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 21
Security Context
Every object and subject has a context
Stored in extended attributes (xattrs)on ext2/3 filesystems
Stored in running kernel for port,network interfaces and so on.
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 22
Security Context
Format:user:role:type:sensitivity:category
Can be changed with chcon,restorecon, fixfiles
Defined in:/etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux/targeted/contexts/files/file_contexts.homedirs
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 23
SELinux Policy
Set of rules used by SELinuxDefines the security context• User identity
• Role
• Type/domain
• Sensitivity
• Category
Defines how each domain accesses eachtype
Defines transitions and other access
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 24
Targeted Policy
Default policy for RHEL, Fedora
Targets only specific services
Available in source or binary
Source policy written with m4
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 25
Targeted Policy
Every subject and object runs inunconfined_t domain except for thosewith defined policy
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 26
Strict Policy
EVERY subject is in a confined domain
Much more complexFor instance, root has low privileges, mustenter password for system configurationjust like a regular user
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 27
MLS Policy
Multi-layer security
Different security levels for differentprocesses and objects
Allows for different apps to run indifferent contexts on the same system
One window might be higher or lowersecurity than another, no read up, nowrite down.
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 28
Protected services
There are over 100, including all ofthe standard ones
dhcpd
httpd
mysqld
named
nscd
ntpd
portmap
postmaster
snmpd
squid
syslogd
winbindd
bind
ypbind
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 29
SELinux tools
system-config-selinux
chcon
restorecon
setfiles
fixfiles
setenforce
getenforce
newrole
getsebool
setsebool
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 30
Policy Location
Look in /etc/selinux/etc/selinux/targeted
/etc/selinux/targeted/policy
/etc/selinux/targeted/contexts
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 31
Policy Booleans
Allow runtime policy modification
Each has a default, usually false
getsebool and setsebool to manage
setsebool -P recompiles with change
Writes changes to:/etc/selinux/targeted/modules/active/booleans.local
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 32
Policy Booleans
Can display all booleans usinggetsebool -a (there are hundreds ofthem)
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 33
Security context info
Almost every command takes the -Zargument
ls -Z
id -Z or secon
ps -Z
mkdir -Z
install -Z
cp -Z
find -context
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 34
Security context info
Note that using su does NOT setcontext correctly!
Example:
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 35
Security context info
In this example, root logs in via ssh:
Example:
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 36
SELinux Examples
Checking contexts of various files
/home
/tmp
/etc/httpd
/var/ftp/pub
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 37
SELinux Examples
Creating files and noting contexts
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 38
SELinux Examples
Changing file contexts
Example - web page created inwrong context and moved
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 39
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 40
SELinux Examples
Use chcon to manually change context
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 41
SELinux Examples
Or do it the easy way with restorecon:
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 42
SELinux Examples
How to troubleshoot Apache vs.
SELinux issues
For instance, allowing access to~/public_html
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 43
SELinux Examples
Set up Apache to allow access to~/public_html
Add a user and have that user set up a~/public_html directory with all theright permissions (711 /home/user,755 /home/user/public_html)
In this example, a simple error ismade:
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 44
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 45
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 46
SELinux Examples
Use sealert to see what happened.
sealert -a /var/log/audit/audit.log
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 47
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 48
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 49
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 50
SELinux Examples
What about something like setting up avirtual host?
Set up the virtual host in httpd.conf,but put it somewhere weird.
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 51
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 52
SELinux Examples
Restart the httpd service
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 53
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 54
SELinux Examples
sealert to the rescue!
Or maybe not...?
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 55
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 56
SELinux Examples
But wait, relabeling the filesystemwon't help here!
You can use chcon --reference to setcontext, then semanage fcontext tomake it permanent (i.e. survive arelabel)
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 57
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 58
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 59
SELinux Examples
Some examples of booleans
Setting up public_html on NFSmounted home directories
Mount an exported filesystem under/home and set up the home andpublic_html directories andpermissions
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 60
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 61
SELinux Examples
In this case, there are two possiblesets of booleans which might beinterfering.
getsebool -a | grep http
getsebool -a | grep nfs
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 62
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 63
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 64
SELinux Examples
You can always use sealert to check aswell
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 65
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 66
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 67
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 68
SELinux Examples
How about mounting an ISO image ordrive so that Apache can export it?
It's common to mount an ISO imageunder /var/www/html so that it can beused as an installation source
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 69
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 70
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 71
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 72
SELinux Examples
ZOMG!!! WTF?!?!
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 73
SELinux Examples
This will happen for things like USBdrives and ISO images.
The key is to tell mount what contextto mount the device under
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 74
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 75
SELinux Examples
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 76
setroubleshoot browser
Graphical tool which does the samething as sealert.
Available from the desktop or via thecommand sealert -b
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 77
setrouble browser
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 78
setrouble browser
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 79
Activating SELinux
SELinux is enabled or disabled in/etc/sysconfig/selinux (which isactually just a link to/etc/selinux/config)
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 80
Activating SELinux
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 81
Activating SELinux
To activate SELinux on your machine,there are a couple of ways to do it.
Set SELINUX=enforcing
touch /.autorelabel
reboot
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 82
Activating SELinux
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 83
Activating SELinux
Alternatively, you can issue thecommand "fixfiles relabel" as root
Reboot after it's done
Don't do it in runlevel 5 since itdeletes everything in /tmp includingfiles the X server needs
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 84
Activating SELinux
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 85
Activating SELinux
You can also run SELinux in permissivemode, where it will not block anythingbut it will still log AVC errors.
Do this in development environmentand set policy or booleans as neededon production machines.
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 86
Creating basic policies
audit2why and audit2allow are twoutlities to tell you why something wasdenied and how to allow it
Note that just because audit2allow willcreate a policy, that does not mean itis the smartest thing to do! Considersecurity implications before applyingpolicies.
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 87
Creating basic policies
In this example, the VPN client on mylaptop causes an AVC denial
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 88
Creating basic policies
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 89
Creating basic policies
Use audit2why to see why the alertwas triggered
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 90
Creating basic policies
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 91
Creating basic policies
Use audit2allow see what needs to bechanged
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 92
Creating basic policies
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 93
Creating basic policies
Use audit2allow -M [policyname] tocreate a .te and a .pp file
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 94
Creating basic policies
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 95
Creating basic policies
As indicated, run the commandsemodule -i [policyname.pp] to installthe policy module
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 96
Creating basic policies
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 97
Creating basic policies
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 98
Final Thoughts
Don't turn it off!
SELinux can really save you in theevent of a breach.
It's *much* easier to use SELinuxtoday than it was just a few monthsago
NSA grade security is available at noextra cost - use it!
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 99
Questions?
© Copyright 2008, Red Hat, Inc.
Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)
Colorado Software Summit: October 19 – 24, 2008
Slide 100
Contact Info
Thomas Cameron([email protected])
512-241-0774
http://people.redhat.com/tcameron