SELinux workshop
johseg
27 May 2023
SELinux workshop for openSUSE conference
1. SELinux introduction
2023-05-27, Nuremberg
Johannes Segitz <jsegitz@suse.com>
2. Whoami
Johannes Segitz, security engineer at SUSE (Nuremberg, Germany)
– code review
– product pentesting
– The SELinux guy (not the policy maintainer)
Copyright © SUSE 2023
3. Outline
We will cover:
– Basic SELinux introduction
– Install it on openSUSE Tumbleweed
4. Resources needed
Please have an openSUSE Tumbleweed VM ready to play along.
Make sure you have internet connectivity.
5. Expectation management
As always it’s not possible to cover everything in one talk, so:
– Mix between
  – higher level concepts (∼15 minutes)
  – practice (∼45 minutes)
– You will not become a SELinux expert in an hour
– We will go as far as possible with the examples. I can stick around afterwards, but we’ll stop officially after the slot ends
6. Nomenclature: How to read the slides
Shell:
$ this is a root shell
Default is root. If it’s a different user you’ll see it in the prompt.
Listing:
I'm the content of a file
7. Mandatory access control: Discretionary access control (DAC)
Usual form of access control in Linux
– Typical example:
root@workstation ~/ $ ls -l /etc/shadow
-rw-r-----. 1 root shadow 1421 /etc/shadow
– Discretionary: The owner of an object controls access to the objects he owns
8. Mandatory access control: Discretionary access control (DAC)
Drawbacks:
– Coarse: Basically 3 x rwx
– Prone to (user) error
johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa
-rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa
– Hard to analyze
– root == God (- capabilities)
But it’s familiar, easy to use and to understand
9. Mandatory access control: Mandatory access control (MAC)
Mandatory (in this context):
– Access control decisions are not made by the owner
– Access control rules are managed centrally
Advantages:
– Access control in the hand of people who know what they’re doing
– Centralized control and review is easy
– Often very fine grained → compartmentalization
Drawbacks:
– Harder to understand
– Complex to administrate
– Missing experience
10. SELinux: History
Security Enhanced Linux
– Linux security module (LSM), developed by the National Security Agency (NSA). Don’t panic, it’s open source and reviewed thoroughly
– First release 2000, since then integrated in the Linux kernel
Didn’t play a big role at SUSE up to this point
Will be the MAC system for ALP (and already is for SLE Micro)
So very likely it’s also the future MAC system for openSUSE
11. SELinux: Basic idea
– Type Enforcement (TE). Every object has a
  – user: unconfined_u
  – role: unconfined_r
  – type: unconfined_t
  – sensitivity: s0-s0
  – category: c0.c1023
– These form the Security Context (SC): unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
– In practice the type unconfined_t is all you need
12. SELinux: SELinux expert with one character
If you remember one thing: let it be this
13. SELinux: Basic idea
(Almost) everything has a SC. Sockets, packets, ... 134 security classes
– Files
root@workstation ~/ $ ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
– Processes
root@workstation ~/ $ ps axZ | grep 'postfix/master'
system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/
14. SELinux: Basic idea
– DAC comes first
– Then SELinux. Deny by default
– Firewall for system calls
15. SELinux: SELinux log messages
Found in the audit.log:
type=AVC msg=audit(1416499522.810:77): avc: denied { transition } for pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
16. Practice
You’ll now change an openSUSE installation to use SELinux. Please boot the machine.
17. Practice: Initial setup
Install packages:
$ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console policycoreutils-devel selinux-autorelabel podman
Set SELinux to enforcing (anchored to the start of the line so the SELINUX= comment line is left alone):
$ sed -i -e 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
Main config file: /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
#     minimum - Modification of targeted policy. Only selected processes are protected.
SELINUXTYPE=targeted
18. Practice: Initial setup
Set the necessary boot parameter (the check makes the edit idempotent; note the \1 backreference in the sed replacement):
$ if ! egrep 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then
    sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/\1 security=selinux selinux=1"/' /etc/default/grub
  fi
$ update-bootloader --refresh
Remove audit log, reboot:
$ rm /var/log/audit/audit.log
$ reboot
19. Practice: Look around
Current SELinux status:
$ sestatus
Have a look at the processes:
$ ps auxZ
Check out the filesystem labels:
$ ls -laZ /
$ ls -laZ /var
Check for mislabeled files (-n is a dry run; the second command actually relabels):
$ restorecon -Rvn /var
$ restorecon -Rv /var
20. Practice: Look around
Check your identity:
$ id -Z
Check denials:
$ grep -i avc /var/log/audit/audit.log
$ tail -f /var/log/audit/audit.log | grep -i avc
Proper way to do this:
$ ausearch -m avc,user_avc,selinux_err -ts boot -i
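An added example (not part of the slides) that condenses AVC records in the format shown on slide 15 into one readable line per denial, roughly what the avcs.rb wrapper on slide 25 does for ausearch output. The postfix denial and the SYSCALL record in the sample are constructed, and the helper names are my own.

```shell
# Added example, not part of the slides: condense raw AVC lines in the format
# shown on slide 15 into one readable line each, roughly what the avcs wrapper
# on slide 25 does for ausearch output. POSIX sh plus sed/cut/sort/uniq only.

# Constructed sample input: the sshd denial from slide 15, a made-up postfix
# denial in the same format (contexts, inode and permissions are invented),
# and a non-AVC audit record that must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1416499522.810:77): avc: denied { transition } for pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1416499600.123:91): avc: denied { read write } for pid=1250 comm="master" name="postfix" dev="vda2" ino=777 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1416499600.123:91): arch=c000003e syscall=80 success=no exit=-13'

# avc_field LINE KEY: value of KEY=value in LINE, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n -E "s/.*[[:space:]]$2=\"?([^\" ]+)\"?.*/\1/p"
}

# ctx_type CONTEXT: the type, i.e. the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission list between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n -E 's/.*\{ *([^}]*[^} ]) *\}.*/\1/p'
}

# avc_summary: read audit lines on stdin, skip anything that is not an AVC
# denial and print "<comm> <source type> -> <target type> (<class>): <perms>".
avc_summary() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*"denied"*) ;;
            *) continue ;;
        esac
        printf '%s %s -> %s (%s): %s\n' \
            "$(avc_field "$line" comm)" \
            "$(ctx_type "$(avc_field "$line" scontext)")" \
            "$(ctx_type "$(avc_field "$line" tcontext)")" \
            "$(avc_field "$line" tclass)" \
            "$(avc_perms "$line")"
    done
}
# avc_count: same summary with repeats folded and counted, busiest first.
avc_count() {
    avc_summary | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_AVCS" | avc_count
```

On a real system feed it from the log instead, e.g. `grep -i avc /var/log/audit/audit.log | avc_count`; a long run of identical lines usually points at a single label or boolean problem.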
21. Practice
Linux users to SELinux users:
$ semanage login -l
Port mappings:
$ semanage port -l
File label rules:
$ semanage fcontext -l
22. Practice
Booleans:
$ semanage boolean -l
Enable a boolean:
$ semanage boolean -m --on httpd_enable_homedirs
23. Practice: audit2allow
audit2allow:
– Analyzes SELinux denial messages
– Generates rules to allow necessary access
– Is aware of interfaces
– Suggests booleans that would allow the access
But don’t use it with every denial!
24. Practice: audit2allow
Either pipe AVCs into audit2allow or paste them into its STDIN and close it (Ctrl-D):
$ audit2allow -R
Build a SELinux module you can load:
$ audit2allow -R -M $NAMEMODULE
25. Practice: avcs.rb
Small wrapper around ausearch. Makes reading AVCs easier:
$ podman run --privileged -v /var/log/audit:/var/log/audit registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest
26. Practice: Let’s cause problems
Mislabel some files:
$ ls -laZ /usr/sbin/postfix
$ chcon -t postfix_map_exec_t /usr/sbin/postfix
Check it:
$ restorecon -Rvn /usr/sbin/
Restart postfix:
$ systemctl restart postfix
27. Practice: Let’s cause problems
Check the status:
$ systemctl status postfix
Why does it fail? You’ll see something like
postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied
but no AVCs. How do we approach this?
28. Practice: How to debug SELinux problems
Does it happen in permissive mode?
$ setenforce 0
Check for denials. If you don’t see any, disable dontaudit rules with
$ semodule -DB
Enable dontaudit again with
$ semodule -B
Now give audit2allow a try with this ...
Check for mislabeled files
– either because of unaware scripts/programs
– policy paths don’t match
29. Practice: How to debug SELinux problems
Search engines/bug trackers are your friends
How to report a bug: https://en.opensuse.org/openSUSE:Bugreport_SELinux
30. Practice: How to rescue a system
In grub change boot parameters:
– Disable SELinux: selinux=0
– Make SELinux permissive: enforcing=0
31. Questions?
Thank you for your attention!