SELinux introduction
Ľubomír Rintel
<lubo.rintel@gooddata.com>
Traditional UNIX DAC approach
● Owner controls access to object
● File owner/group
● Process with effective UID/GID
● File mode
● Almighty root user above the rules
SELinux MAC approach
● Policy controls access to objects
● Labeled objects (files, sockets, …)
● Labeled processes (domains)
● Policy rules
● Concept of “almighty” unconfined processes is defined within policy
…
DAC and MAC at the same time
● Allows for tighter privilege control

UNIX                                    SELinux
File owner/group: UID/GID               File context (FC): label
Process effective user/group: UID/GID   Process domain: label
File mode                               Type Enforcement (TE) rules
setuid()                                Domain transition
Setuid bit                              File context + implicit domain transition rule
Labels
$ ls -Z /var/spool/anacron/cron.daily
-rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily
$ ps uxZ |grep /usr/sbin/atd
system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
Policy
● Delivered via RPM packages
● selinux-policy, selinux-policy-targeted
● Reference policy, multiple available
● Modular
● File contexts (*.fc)
● Type enforcement rules (*.te)
● M4 macros, "interfaces" (*.if)
File Contexts
● Labeling rules delivered with policy packages
● RPM applies labels upon package installation
● Files inherit labels otherwise
cron.fc:
/etc/cron.d(/.*)?            gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab             --  gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/anacron(/.*)?     gen_context(system_u:object_r:system_cron_spool_t,s0)
⋮
/var/spool/fcron/systab  --  gen_context(system_u:object_r:system_cron_spool_t,s0)
Type Enforcement rules
● Specified in custom DSL + M4
● Compiled & loaded into kernel at runtime
cron.te:
allow system_cronjob_t cron_log_t:file manage_file_perms;
⋮
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
Domains
● TE rules control domain transition
● Transitioned into upon execution of labeled file
● Remember the setuid bit?
● "unconfined" domains
cron.te:
init_daemon_domain(system_cronjob_t, anacron_exec_t)
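Added example (not from the slides): a small evaluator for the execve checks behind a domain transition, run against a constructed TE fragment that approximates what init_daemon_domain(system_cronjob_t, anacron_exec_t) expands to. The fragment, the demo_t and user_t domains, and the function names are assumptions; the checks (execute on the file, type_transition, transition to the new domain, entrypoint) are the ones the kernel applies.

```python
import re
from collections import defaultdict
from typing import Optional, Tuple

# Constructed TE fragment: the rules the slide's
# init_daemon_domain(system_cronjob_t, anacron_exec_t) boils down to for the
# init_t -> system_cronjob_t step (assumption: the real macro expands to more
# than this, through domain_entry_file() and domtrans_pattern()).
# demo_t is a constructed domain that may run the file but has no transition.
TE_FRAGMENT = """
allow init_t anacron_exec_t:file { getattr open read execute };
allow system_cronjob_t anacron_exec_t:file entrypoint;
allow init_t system_cronjob_t:process transition;
type_transition init_t anacron_exec_t:process system_cronjob_t;
allow demo_t anacron_exec_t:file { getattr open read execute };
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;")
TRANS_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;")

def parse_te(text: str):
    """Parse plain allow / type_transition statements (no M4 macros)."""
    allows = defaultdict(set)      # (source, target, class) -> permissions
    transitions = {}               # (source, target, class) -> new type
    for line in text.splitlines():
        line = line.strip()
        if m := ALLOW_RE.fullmatch(line):
            perms = m.group(4).split() if m.group(4) else [m.group(5)]
            allows[(m.group(1), m.group(2), m.group(3))].update(perms)
        elif m := TRANS_RE.fullmatch(line):
            transitions[(m.group(1), m.group(2), m.group(3))] = m.group(4)
    return allows, transitions

def exec_domain(policy, src: str, exec_type: str) -> Tuple[Optional[str], str]:
    """Domain a process in `src` ends up in after executing a file labelled
    `exec_type`: execute on the file; then, if a type_transition applies,
    transition on the new domain and entrypoint of the new domain on the file.
    Returns (None, reason) when the exec would be denied."""
    allows, transitions = policy
    if "execute" not in allows[(src, exec_type, "file")]:
        return None, f"{src} may not execute {exec_type}"
    new = transitions.get((src, exec_type, "process"))
    if new is None:
        # The SELinux analogue of a non-setuid exec: same domain as the caller.
        return src, "no type_transition: stays in caller's domain"
    if "transition" not in allows[(src, new, "process")]:
        return None, f"{src} may not transition to {new}"
    if "entrypoint" not in allows[(new, exec_type, "file")]:
        return None, f"{exec_type} is not an entrypoint for {new}"
    return new, f"{src} -> {new} via {exec_type}"

if __name__ == "__main__":
    pol = parse_te(TE_FRAGMENT)
    print(exec_domain(pol, "init_t", "anacron_exec_t"))   # transitions
    print(exec_domain(pol, "demo_t", "anacron_exec_t"))   # stays in demo_t
    print(exec_domain(pol, "user_t", "anacron_exec_t"))   # denied
```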
Management Tools
● setenforce 1; getenforce
● /etc/sysconfig/selinux
● UNIX tools with -Z argument
● semanage
# semanage fcontext -l |grep /var/spool/anacron
/var/spool/anacron(/.*)?  all files  system_u:object_r:system_cron_spool_t:s0
# chcon -t etc_t /var/spool/anacron
# restorecon -v /var/spool/anacron
restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0->system_u:object_r:system_cron_spool_t:s0
What if things don't work?
● audit2why, audit2allow to analyze
● restorecon to fix context
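Added example (not from the slides) tying the File Contexts, Management Tools and last slides together: a file_contexts lookup over the cron.fc lines quoted above, plus an audit2why-style triage of an AVC denial that tells a mislabelled object (fix: restorecon, as in the chcon/restorecon sequence above) apart from a genuinely missing TE rule. The AVC record, the helper names and the simplified "last matching entry wins" lookup are assumptions; libselinux adds ordering and caching not modelled here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of cron.fc as quoted on the slides. A second field such as
# "--" restricts the pattern to one object type (here: regular files); a pattern
# without that field applies to any object type.
CRON_FC = """
/etc/cron.d(/.*)?            gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab             --  gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/anacron(/.*)?     gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab  --  gen_context(system_u:object_r:system_cron_spool_t,s0)
"""

# file_contexts object-type flags -> AVC tclass names
FC_FLAG_TO_TCLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                     "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}

@dataclass
class FcRule:
    regex: re.Pattern
    tclass: Optional[str]   # None: any object type
    context: str            # user:role:type:level

def parse_fc(text: str) -> list:
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", fields[-1])
        tclass = FC_FLAG_TO_TCLASS[fields[1]] if len(fields) == 3 else None
        rules.append(FcRule(re.compile(fields[0]), tclass, f"{m.group(1)}:{m.group(2)}"))
    return rules

def expected_context(rules, path: str, tclass: str) -> Optional[str]:
    """Basic file_contexts lookup: patterns are anchored to the whole path and
    the last matching entry wins (the policy build orders more specific
    patterns later; this is the simplified rule, not libselinux's full one)."""
    found = None
    for rule in rules:
        if rule.regex.fullmatch(path) and rule.tclass in (None, tclass):
            found = rule.context
    return found

def context_type(ctx: str) -> str:
    """Third field of user:role:type:level (the level may itself contain ':')."""
    return ctx.split(":", 3)[2]

def parse_avc(line: str) -> dict:
    """Pull the fields audit2why/audit2allow work from out of an AVC record."""
    perms = re.search(r"denied\s+\{\s*([^}]+?)\s*\}", line).group(1).split()
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {"perms": perms, "path": kv.get("path"), "scontext": kv["scontext"],
            "tcontext": kv["tcontext"], "tclass": kv["tclass"]}

def triage(avc: dict, rules) -> tuple:
    """The two fixes on the last slide: a label that disagrees with the fc
    rules is fixed with restorecon; only a correctly labelled object that is
    still denied points at a missing TE allow rule."""
    actual = context_type(avc["tcontext"])
    expected = expected_context(rules, avc["path"], avc["tclass"]) if avc["path"] else None
    if expected is not None and context_type(expected) != actual:
        return ("relabel", f"restorecon -v {avc['path']}")
    src = context_type(avc["scontext"])
    return ("policy", f"allow {src} {actual}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};")

# Constructed AVC record mirroring the slide's chcon -t etc_t /var/spool/anacron.
AVC_MISLABEL = ('type=AVC msg=audit(1336571101.123:45): avc:  denied  { read } for  '
                'pid=4371 comm="crond" path="/var/spool/anacron" dev="dm-0" ino=1234 '
                'scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 '
                'tcontext=system_u:object_r:etc_t:s0 tclass=dir')

if __name__ == "__main__":
    rules = parse_fc(CRON_FC)
    print(expected_context(rules, "/var/spool/anacron", "dir"))
    print(triage(parse_avc(AVC_MISLABEL), rules))
```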