SELinux for Everyday Users

1. SELinux for everyday users

2. SELinux Don't be afraid!

3. SELinux – the bad Developed by the NSA

5. Mandatory Access Control

8. Infested with jargon Policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!

11. Infested with jargon

12. Breaks systems Root can't just do anything anymore

13. Applications stop working

14. Can't make it stop

15. SELinux – the bad “ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.” Theodore Ts’o (ext2/3/4 maintainer)

16. SELinux – the bad “ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.” Theodore Ts’o (ext2/3/4 maintainer)

17. Uses Debian

18. SELinux – the bad “ SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.” Theodore Ts’o (1 Oct 2007)

19. Uses Debian

20. Not an everyday user!

21. SELinux Don't be afraid!

22. SELinux – the good “ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.” Larry Loeb

23. SELinux – the good “ Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.” Larry Loeb (Security author and researcher)

24. SELinux – the good Used in many major distributions

25. SELinux – the good Used in many major distributions In kernel since 2002

27. Fedora since Core 2 (2004)

28. RHEL since version 4 (2005)

30. Fedora since Core 2 (2004)

31. RHEL since version 4 (2005)

32. Debian since Etch (2007)

33. Ubuntu since Hardy Heron 8.04 (2008)

34. SELinux How does it work?

35. SELinux – the basics Compiled into the kernel

37. Packaged security policy

40. Checks database of rules on syscalls

43. Checks database of rules on syscalls

44. Allows or denies based on policy

45. SELinux What does it really do?

46. SELinux – what does it do? Stops daemons going bad tchmilfan : didi! - http://www.flickr.com/photos/tchmilfan/1033216436/

47. SELinux – what does it do? Stops daemons going bad Policies in most distributions are applied only to system processes, not user processes.

49. Policies limit what a daemon can access and how.

52. Prevents daemon compromise affecting other files.

55. Prevents daemon compromise affecting other files / users / ports / etc.

56. SELinux – what does it do? Stops daemons going bad

57. User processes are unaffected

59. User processes are unaffected root still gets to be root

62. Firefox still gets to crash your system

65. Firefox still gets to crash your system

66. New policy being written to help that

67. SELinux – demystifying Everything has a security 'context'

68. SELinux – demystifying Everything has a security 'context' A process has a context

70. A file has a context

72. A file has a context Database of rules

74. A file has a context Database of rules Rules allow a process in one context to do operations on an object in another context

75. SELinux – how do I see it? Some commands have the -Z option ls -Z

76. netstat -Z

77. ps -Z

78. SELinux – how do I see it? Some commands have the -Z option ls -Z drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding

79. netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023

80. ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps

81. SELinux – how do I see it? Some commands have the -Z option ls -Z drwxr-xr-x paulway paulway user_u:object_r: user_home_t :s0 bin drwxrwxr-x paulway paulway user_u:object_r: user_home_t :s0 coding

82. netstat -Z tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r: unconfined_execmem_t :s0-s0:c0.c1023

83. ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 5950 pts/1 00:00:00 bash unconfined_u:unconfined_r: unconfined_t :s0-s0:c0.c1023 6293 pts/1 00:00:00 ps

84. The type_t is the only thing you need look at

85. SELinux – how do I use it? restorecon Restores the context of a file

86. Based on the rules for the directory structure chcon

87. SELinux – how do I use it? restorecon

88. SELinux – how do I use it? restorecon Restore s the default SELinux con text of a file

89. SELinux – how do I use it? restorecon Restore s the default SELinux con text of a file

90. Looks up the database of rules and finds the correct context for that file

91. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

92. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group

93. SELinux – how do I use it? [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group [root@tachyon ~]# cp /etc/group /tmp [root@tachyon ~]# mv /tmp/group /etc [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group [root@tachyon ~]# restorecon -R -v /etc/group restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0 [root@tachyon ~]# ls -Z /etc/group -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

94. SELinux – Lessons 1: Try restorecon

95. SELinux – demystifying Everything has a context

96. Database of rules Rules allow a process in one context to do operations on an object in another context

98. Database of rules Rules allow a process in one context to do operations on an object in another context Switches turn groups of rules on or off

100. Database of rules Rules allow a process in one context to do operations on an object in another context Switches turn groups of rules on or off Booleans

101. SELinux – how do I see it? getsebool -a

102. SELinux – how do I see it? getsebool -a [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off

103. SELinux – how do I use it? setsebool [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

104. SELinux – how do I use it? setsebool – ONLY THIS SESSION! [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

105. SELinux – how do I use it? setsebool -P [root@tachyon ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off [root@tachyon ~]# setsebool -P samba_enable_home_dirs on [root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs samba_enable_home_dirs --> on

107. 2: getsebool and setsebool

109. netstat -Z

110. ps -Z Audit messages go to /var/log/audit/audit.log

112. netstat -Z

113. ps -Z Audit messages go to /var/log/audit/audit.log Some messages may be in /var/log/messages

114. SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log

115. SELinux – how do I see it? [root@tachyon ~]# tail -4 /var/log/audit/audit.log type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)

116. SELinux – how do I use it? [root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

119. 3: audit2why or audit2allow

122. 3: audit2why or audit2allow unless you're working on a system daemon problem.

125. 3: audit2why or audit2allow Much more, but it's not for every day.

126. Questions?

127. Questions? Best effort only ☺

SELinux for Everyday Users

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to SELinux for Everyday Users (20)

Recently uploaded (20)

SELinux for Everyday Users