SELinux workshop
2023-05-27, NUREMBERG
SELinux introduction
Johannes Segitz <jsegitz@suse.com>
Whoami
Johannes Segitz, security engineer at SUSE (Nuremberg, Germany)
– code review
– product pentesting
– The SELinux guy (not the policy maintainer)
Copyright © SUSE 2023 2
Outline
We will cover:
– Basic SELinux introduction
– Install it on openSUSE Tumbleweed
Resources needed
Please have an openSUSE Tumbleweed VM ready to play along
Make sure you have internet connectivity
Expectation management
As always it’s not possible to cover everything in one talk, so:
– Mix between
– higher level concepts (∼15 minutes)
– practice (∼45 minutes)
– You will not become a SELinux expert in an hour
– We will go as far as possible with the examples. I can stick around
afterwards, but we’ll stop officially after the slot ends
Nomenclature
How to read the slides
Shell:
$ this is a root shell
Default is root. If it’s a different user you’ll see it in the prompt.
Listing:
I'm the content of a file
Mandatory access control
Discretionary access control (DAC)
Usual form of access control in Linux
– Typical example:
root@workstation ~/ $ ls -l /etc/shadow
-rw-r-----. 1 root shadow 1421 /etc/shadow
– Discretionary: the owner of an object decides who may access the
objects they own
Mandatory access control
Discretionary access control (DAC)
Drawbacks:
– Coarse: Basically 3 x rwx
– Prone to (user) error
johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa
-rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa
– Hard to analyze
– root == God (- capabilities)
But it’s familiar, easy to use and to understand
Mandatory access control
Mandatory access control (MAC)
Mandatory (in this context):
– Access control decisions are not made by the owner
– Access control rules are managed centrally
Advantages:
– Access control in the hand of people who know what they’re doing
– Centralized control and review is easy
– Often very fine grained → compartmentalization
Drawbacks:
– Harder to understand
– Complex to administrate
– Missing experience
SELinux
History
Security Enhanced Linux
– Linux security module (LSM), developed by the National Security
Agency (NSA)
Don’t panic, it’s open source and reviewed thoroughly
– First release 2000, since then integrated in the Linux kernel
Didn’t play a big role at SUSE up to this point
Will be the MAC system for ALP (and already is for SLE Micro)
So very likely it’s also the future MAC system for openSUSE
SELinux
Basic idea
– Type Enforcement (TE). Every object has a
– user: unconfined_u
– role: unconfined_r
– type: unconfined_t
– sensitivity: s0-s0
– category: c0.c1023
– These form the Security Context (SC)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
– In practice the type unconfined_t is all you need
SELinux
SELinux expert with one character
If you remember one thing: let it be this
SELinux
Basic idea
(Almost) everything has a SC. Sockets, packets, ... 134 security classes
– Files
root@workstation ~/ $ ls -lZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
– Processes
root@workstation ~/ $ ps axZ | grep 'postfix/master'
system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/
SELinux
Basic idea
– DAC comes first
– Then SELinux. Deny by default
– Firewall for system calls
SELinux
SELinux log messages
Found in the audit.log
type=AVC msg=audit(1416499522.810:77): avc: denied
{ transition } for pid=1282 comm="sshd" path="/usr/bin/zsh"
dev="vda2" ino=40462
scontext=system_u:system_r:kernel_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=process
Practice
You’ll now change an openSUSE installation to use SELinux. Please boot
the machine
Practice
Initial setup
Install packages:
$ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console \
    policycoreutils-devel selinux-autorelabel podman
Set SELinux to enforcing:
$ sed -i -e 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
Main config file: /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
# minimum - Modification of targeted policy. Only selected processes are protected.
SELINUXTYPE=targeted
Practice
Initial setup
Set the necessary boot parameter:
$ if ! egrep 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then
    sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/\1 security=selinux selinux=1"/' /etc/default/grub
fi
$ update-bootloader --refresh
Remove audit log, reboot:
$ rm /var/log/audit/audit.log
$ reboot
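The boot-parameter step above, as an added example that is not from the slides: an idempotent shell function that appends the SELinux parameters to GRUB_CMDLINE_LINUX_DEFAULT, taking the grub defaults file as a parameter so it can be tried on a constructed copy rather than the real /etc/default/grub. It also covers an empty variable and shows that the sed backreference must be written `\1`.

```shell
#!/bin/sh
# Added example (not from the slides): idempotently add the SELinux boot
# parameters to GRUB_CMDLINE_LINUX_DEFAULT. The grub defaults file is a
# parameter so the function can be exercised on a constructed copy
# instead of the real /etc/default/grub.
SELINUX_PARAMS='security=selinux selinux=1'

add_selinux_boot_params() {
    grub_file="$1"
    # Already present: nothing to do, so re-running the function is safe.
    if grep -q "GRUB_CMDLINE_LINUX_DEFAULT=.*$SELINUX_PARAMS" "$grub_file"; then
        return 0
    fi
    # Group 1 captures everything up to the closing quote (greedy, so the
    # last quote on the line); the parameters are appended inside it.
    # The backreference must be \1 (a bare 1 would insert the digit).
    sed -i -E "s/(GRUB_CMDLINE_LINUX_DEFAULT=.*)\"/\\1 $SELINUX_PARAMS\"/" "$grub_file"
    # An empty value would have gained a leading space; strip it.
    sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\) /\1/' "$grub_file"
}

# Read back the value of GRUB_CMDLINE_LINUX_DEFAULT, for checking the result.
grub_cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Demonstration on a constructed grub defaults file.
demo_file=$(mktemp)
printf 'GRUB_TIMEOUT=8\nGRUB_CMDLINE_LINUX_DEFAULT="splash=silent quiet"\n' > "$demo_file"
add_selinux_boot_params "$demo_file"
add_selinux_boot_params "$demo_file"   # second run must not duplicate the parameters
grub_cmdline_default "$demo_file"      # splash=silent quiet security=selinux selinux=1
rm -f "$demo_file"
```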
Practice
Look around
Current SELinux status
$ sestatus
Have a look at the processes
$ ps auxZ
Check out the filesystem labels
$ ls -laZ /
$ ls -laZ /var
Check for mislabeled files
$ restorecon -Rvn /var
$ restorecon -Rv /var
Practice
Look around
Check your identity
$ id -Z
Check denials:
$ grep -i avc /var/log/audit/audit.log
$ tail -f /var/log/audit/audit.log | grep -i avc
Proper way to do this:
$ ausearch -m avc,user_avc,selinux_err -ts boot -i
Practice
Linux users to SELinux users:
$ semanage login -l
Port mappings:
$ semanage port -l
File label rules:
$ semanage fcontext -l
Practice
Booleans:
$ semanage boolean -l
Enable a boolean:
$ semanage boolean -m --on httpd_enable_homedirs
Practice
audit2allow
audit2allow:
– Analyzes SELinux denial messages
– Generates rules to allow necessary access
– Is aware of interfaces
– Suggests booleans that would allow the access
But don’t use it with every denial!
Practice
audit2allow
Either pipe AVCs into audit2allow or feed into STDIN and close it:
$ audit2allow -R
Build SELinux module you can load:
$ audit2allow -R -M $NAMEMODULE
Practice
avcs.rb
Small wrapper around ausearch. Makes reading AVCs easier
$ podman run --privileged -v /var/log/audit:/var/log/audit \
    registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest
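The grep over audit.log on the "Look around" slide and the avcs.rb wrapper both aim at the same thing: reading many AVC records at a glance. As an added example that is not the avcs.rb code and not from the slides, a shell function that condenses raw AVC lines into one line per distinct denial (source type, target type, class, permission set, count); the sample records are constructed, with the first one taken from the log-message slide.

```shell
#!/bin/sh
# Added example (not from the slides, not the avcs.rb wrapper): condense
# raw AVC records into one line per distinct denial. Input is read on
# stdin, e.g. from "ausearch -m avc" or straight from audit.log.
summarize_avcs() {
    awk '
    # Only AVC denials; SYSCALL records and granted AVCs are skipped.
    /^type=AVC / && / avc: +denied / {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # drop everything before the permission set
        sub(/ *[}].*/, "", perms)           # drop everything after it
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # Keep only the type of each context (user:role:type:level).
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " -> " t[3] " " cls " { " perms " }"
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Constructed sample: the first record is the one shown on the log-message
# slide, the rest are made up for the demonstration.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1416499522.810:77): avc:  denied  { transition } for  pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1416499522.810:77): arch=c000003e syscall=59 success=no exit=-13 comm="sshd"
type=AVC msg=audit(1416499530.100:78): avc:  denied  { search } for  pid=3427 comm="postfix" name="postfix" dev="vda2" ino=1234 scontext=system_u:system_r:postfix_map_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1416499531.200:79): avc:  denied  { search } for  pid=3427 comm="postfix" name="postfix" dev="vda2" ino=1234 scontext=system_u:system_r:postfix_map_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir permissive=0'

# Prints:
#   1 kernel_t -> unconfined_t process { transition }
#   2 postfix_map_t -> postfix_spool_t dir { search }
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avcs
```

On a live system the same function reads `ausearch -m avc,user_avc,selinux_err -ts boot | summarize_avcs`.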
Practice
Let's cause problems
Mislabel some files:
$ ls -laZ /usr/sbin/postfix
$ chcon -t postfix_map_exec_t /usr/sbin/postfix
Check it:
$ restorecon -Rvn /usr/sbin/
Restart postfix:
$ systemctl restart postfix
Practice
Let's cause problems
Check the status:
$ systemctl status postfix
Why does it fail?
You’ll see something like
postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied
but no AVCs. How do we approach this?
Practice
How to debug SELinux problems
Does it happen in permissive mode?
$ setenforce 0
Check for denials. If you don't see any, disable dontaudit rules with
$ semodule -DB
Enable dontaudit again with
$ semodule -B
Now give audit2allow a try with this ...
Check for mislabeled files
– either because of unaware scripts/programs
– or because policy paths don't match the actual locations
Practice
How to debug SELinux problems
Search engines/bugtrackers are your friends
How to report a bug:
https://en.opensuse.org/openSUSE:Bugreport_SELinux
Practice
How to rescue a system
In grub change boot parameters:
– Disable SELinux: selinux=0
– Make SELinux permissive: enforcing=0
Questions?
Thank you for your attention!

Mais conteúdo relacionado

Mais procurados

Unix Introduction
Unix IntroductionUnix Introduction
Unix IntroductionAnanthi
 
The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...
The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...
The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...Yasunori Goto
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Toursamrat das
 
100+ run commands for windows
100+ run commands for windows 100+ run commands for windows
100+ run commands for windows Anand Garg
 
Device tree support on arm linux
Device tree support on arm linuxDevice tree support on arm linux
Device tree support on arm linuxChih-Min Chao
 
Property-Based TPM Virtualization
Property-Based TPM VirtualizationProperty-Based TPM Virtualization
Property-Based TPM VirtualizationMarcel Winandy
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
 
Cat database
Cat databaseCat database
Cat databasetubbeles
 
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMSFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMLinaro
 
Introduction to Computer System-ppt.pptx
Introduction to Computer System-ppt.pptxIntroduction to Computer System-ppt.pptx
Introduction to Computer System-ppt.pptxInfofarazMotivativeA
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin LongCODE BLUE
 

Mais procurados (20)

Unix Introduction
Unix IntroductionUnix Introduction
Unix Introduction
 
Linux file system
Linux file systemLinux file system
Linux file system
 
The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...
The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...
The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Tour
 
100+ run commands for windows
100+ run commands for windows 100+ run commands for windows
100+ run commands for windows
 
linux kernel overview 2013
linux kernel overview 2013linux kernel overview 2013
linux kernel overview 2013
 
Device tree support on arm linux
Device tree support on arm linuxDevice tree support on arm linux
Device tree support on arm linux
 
File System Modules
File System ModulesFile System Modules
File System Modules
 
Linus Torvalds
Linus TorvaldsLinus Torvalds
Linus Torvalds
 
History of linux
History of linuxHistory of linux
History of linux
 
Property-Based TPM Virtualization
Property-Based TPM VirtualizationProperty-Based TPM Virtualization
Property-Based TPM Virtualization
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 
Cat database
Cat databaseCat database
Cat database
 
Tim berners Lee - Text
Tim berners Lee - TextTim berners Lee - Text
Tim berners Lee - Text
 
Linux kernel
Linux kernelLinux kernel
Linux kernel
 
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARMSFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
 
Introduction to Computer System-ppt.pptx
Introduction to Computer System-ppt.pptxIntroduction to Computer System-ppt.pptx
Introduction to Computer System-ppt.pptx
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
 
Linux file system
Linux file systemLinux file system
Linux file system
 
A History of Linux
A History of LinuxA History of Linux
A History of Linux
 

Semelhante a SELinux workshop

selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptxPandiya Rajan
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupJayant Chutke
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux OverviewEmre Can Kucukoglu
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Winbmbouter
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanentlychinkshady
 
CloudStack templates with OpenVM
CloudStack templates with OpenVMCloudStack templates with OpenVM
CloudStack templates with OpenVMShapeBlue
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxMartin Holovský
 
Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Alex Lau
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE
 
SELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptxSELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptxAbhradipChatterjee2
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlKohei KaiGai
 
Process behaviour modelling using lsm
Process behaviour modelling using lsmProcess behaviour modelling using lsm
Process behaviour modelling using lsmiaemedu
 

Semelhante a SELinux workshop (20)

selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
Selinux
SelinuxSelinux
Selinux
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
 
4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently4 effective methods to disable se linux temporarily or permanently
4 effective methods to disable se linux temporarily or permanently
 
CloudStack templates with OpenVM
CloudStack templates with OpenVMCloudStack templates with OpenVM
CloudStack templates with OpenVM
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021Aquarium introduction-asia-summit-2021
Aquarium introduction-asia-summit-2021
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15SUSE Expert Days Paris 2018 – SLE 15
SUSE Expert Days Paris 2018 – SLE 15
 
SELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptxSELinux concept in rhel_Linux_today.pptx
SELinux concept in rhel_Linux_today.pptx
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsql
 
Process behaviour modelling using lsm
Process behaviour modelling using lsmProcess behaviour modelling using lsm
Process behaviour modelling using lsm
 

Último

Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Último (20)

Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

SELinux workshop

  • 2. Whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) – code review – product pentesting – The SELinux guy (not the policy maintainer) Copyright © SUSE 2023 2
  • 3. Outline We will cover: – Basic SELinux introduction – Install it on openSUSE tumbleweed Copyright © SUSE 2023 3
  • 4. Ressources needed Please have an openSUSE Tumbleweed VM ready to play along Make sure you have internet connectivity Copyright © SUSE 2023 4
  • 5. Expectation management As always it’s not possible to cover everything in one talk, so: – Mix between – higher level concepts (∼15 minutes) – practice (∼45 minutes) – You will not become a SELinux expert in an hour – We will go as far as possible with the examples. I can stick around afterwards, but we’ll stop officially after the slot ends Copyright © SUSE 2023 5
  • 6. Nomenclature How to read the slides Shell: $ this is a root shell Default is root. If it’s a different user you’ll see it in the prompt. Listing: I'm the content of a file Copyright © SUSE 2023 6
  • 7. Mandatory access control Discretionary access control (DAC) Usual form of access control in Linux – Typical example: root@workstation ~/ $ ls -l /etc/shadow -rw-r-----. 1 root shadow 1421 /etc/shadow – Discretionary: The owner of an object can control the access of the objects he owns Copyright © SUSE 2023 7
  • 8. Mandatory access control Discretionary access control (DAC) Drawbacks: – Coarse: Basically 3 x rwx – Prone to (user) error johannes@workstation ~/ $ ls -lah ~/.ssh/id_rsa -rw-rw-rw-. 1 jsegitz users 1.7K ~/.ssh/id_rsa – Hard to analyze – root == God (- capabilities) But it’s familiar, easy to use and to understand Copyright © SUSE 2023 8
  • 9. Mandatory access control Mandatory access control (MAC) Mandatory (in this context): – Access control decisions are not made by the owner – Access control rules are managed centrally Advantages: – Access control in the hand of people who know what they’re doing – Centralized control and review is easy – Often very fine grained → compartmentalization Drawbacks: – Harder to understand – Complex to administrate – Missing experience Copyright © SUSE 2023 9
  • 10. SELinux History Security Enhanced Linux – Linux security module (LSM), developed by the National Security Agency (NSA) Don’t panic, it’s open source and reviewed thoroughly – First release 2000, since then integrated in the Linux kernel Didn’t play a big role at SUSE up to this point Will be the MAC system for ALP (and already is for SLE Micro) So very likely it’s also the future MAC system for openSUSE Copyright © SUSE 2023 10
  • 11. SELinux Basic idea – Type Enforcement (TE). Every object has a – user: unconfined_u – role: unconfined_r – type: unconfined_t – sensitivity: s0-s0 – category: c0.c1023 – These form the Security Context (SC) unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 – In practice the type unconfined_t is all you need Copyright © SUSE 2023 11
  • 12. SELinux SELinux expert with one character If you remember one thing: let it be this Copyright © SUSE 2023 12
  • 13. SELinux Basic idea (Almost) everything has a SC. Sockets, packets, ... 134 security classes – Files root@workstation ~/ $ ls -lZ /etc/shadow ----------. root root system_u:object_r:shadow_t:s0 /etc/shadow – Processes root@workstation ~/ $ ps axZ | grep 'postfix/master' system_u:system_r:postfix_master_t:s0 1250 ? Ss 0:00 /usr/lib/ Copyright © SUSE 2023 13
SELinux
Basic idea
– DAC comes first: if the DAC check already denies, SELinux is never consulted
– Then SELinux. Deny by default: only what the loaded policy explicitly allows is permitted
– Think of it as a firewall for system calls
SELinux
SELinux log messages
Found in the audit log (/var/log/audit/audit.log):
type=AVC msg=audit(1416499522.810:77): avc: denied { transition } for pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Read it as: the source context (scontext) was denied the permission in braces on the target (tcontext) of class tclass.
Practice
You’ll now change an openSUSE installation to use SELinux.
Please boot the machine
Practice
Initial setup
Install packages:
$ zypper in selinux-policy-targeted restorecond selinux-policy-devel policycoreutils setools-console policycoreutils-devel selinux-autorelabel podman
Set SELinux to enforcing (the pattern is anchored at the start of the line, otherwise sed would also rewrite the comment line that mentions SELINUX=):
$ sed -i -e 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
Main config file: /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Practice
Initial setup
Set the necessary boot parameters (only appended if they are not already there, so the snippet can be re-run):
$ if ! grep -E 'GRUB_CMDLINE_LINUX_DEFAULT.*security=selinux selinux=1' /etc/default/grub >/dev/null; then
    sed -i -E 's/(GRUB_CMDLINE_LINUX_DEFAULT=.*)"/\1 security=selinux selinux=1"/' /etc/default/grub
  fi
$ update-bootloader --refresh
Remove the old audit log, reboot:
$ rm /var/log/audit/audit.log
$ reboot
Practice
Look around
Current SELinux status:
$ sestatus
Have a look at the processes:
$ ps auxZ
Check out the filesystem labels:
$ ls -laZ /
$ ls -laZ /var
Check for mislabeled files (-n is a dry run that only reports, the second command actually relabels):
$ restorecon -Rvn /var
$ restorecon -Rv /var
Practice
Look around
Check your identity:
$ id -Z
Check denials:
$ grep -i avc /var/log/audit/audit.log
$ tail -f /var/log/audit/audit.log | grep -i avc
Proper way to do this:
$ ausearch -m avc,user_avc,selinux_err -ts boot -i
Practice
Linux users to SELinux users:
$ semanage login -l
Port mappings:
$ semanage port -l
File label rules:
$ semanage fcontext -l
Practice
Booleans:
$ semanage boolean -l
Enable a boolean (persistently, survives a reboot):
$ semanage boolean -m --on httpd_enable_homedirs
Practice
audit2allow
audit2allow:
– Analyzes SELinux denial messages
– Generates rules to allow the necessary access
– Is aware of policy interfaces
– Suggests booleans that would allow the access
But don’t use it with every denial! A denial is often a symptom of a mislabeled file or a missing boolean; an allow rule then only papers over the real problem.
Practice
audit2allow
Either pipe AVCs into audit2allow or paste them on stdin and close it (Ctrl-D):
$ audit2allow -R
Build an SELinux module you can load (writes $NAMEMODULE.te and $NAMEMODULE.pp; the .pp is what semodule loads):
$ audit2allow -R -M $NAMEMODULE
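Added example, not from the slides or from SUSE: a small Python parser for the AVC record format shown on the "SELinux log messages" slide, followed by the aggregation step audit2allow performs, collapsing repeated denials for the same source type, target type and class into one TE allow rule. The audit records are constructed for the example, and the rule generation is a plain reimplementation, not audit2allow itself: it knows nothing about interfaces or booleans, which is exactly why audit2allow -R is the tool to use on a real system.

```python
"""Parse SELinux AVC records and aggregate denials into TE allow rules.

Added example for the SELinux talk; not code from the slides or from SUSE.
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt (not captured from a real system). Record 1 is
# the denial shown on the slide, record 2 is a non-AVC record that must be
# skipped, records 3 and 4 are two denials for the same source/target pair.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1416499522.810:77): avc:  denied  { transition } for  pid=1282 comm="sshd" path="/usr/bin/zsh" dev="vda2" ino=40462 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1416499522.810:77): arch=c000003e syscall=59 success=no exit=-13 comm="sshd" subj=system_u:system_r:kernel_t:s0
type=AVC msg=audit(1416499530.120:80): avc:  denied  { read } for  pid=3427 comm="postfix" name="postfix" dev="vda2" ino=1311 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1416499530.125:81): avc:  denied  { search } for  pid=3427 comm="postfix" name="postfix" dev="vda2" ino=1311 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
"""

# Shape: type=AVC ... avc:  denied  { perm perm } for  key=value key="quoted" ...
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level. The MLS level may itself contain ':'
    (s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    while len(parts) < 4:
        parts.append("")
    return tuple(parts)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "stype": split_context(fields["scontext"])[2],
        "ttype": split_context(fields["tcontext"])[2],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def parse_audit_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def allow_rules(records):
    """Collapse denials per (source type, target type, class) into one
    allow rule each, like the aggregation audit2allow performs."""
    perms = defaultdict(set)
    for r in records:
        if r["decision"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in records:
        print("%s %s %s -> %s (%s) comm=%s" % (
            r["decision"], sorted(r["perms"]), r["stype"], r["ttype"],
            r["tclass"], r["fields"].get("comm")))
    print("\n".join(allow_rules(records)))
```

The second generated rule, postfix_master_t on var_spool_t, is the kind you must not load: a postfix process reading a generic var_spool_t directory means the directory carries the wrong label, and restorecon is the fix, not a policy module. That is the point behind "don't use it with every denial".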
Practice
avcs.rb
Small wrapper around ausearch. Makes reading AVCs easier
$ podman run --privileged -v /var/log/audit:/var/log/audit registry.opensuse.org/home/jsegitz/containers/containers/avcs:latest
Practice
Let’s cause problems
Mislabel some files:
$ ls -laZ /usr/sbin/postfix
$ chcon -t postfix_map_exec_t /usr/sbin/postfix
Check it:
$ restorecon -Rvn /usr/sbin/
Restart postfix:
$ systemctl restart postfix
Practice
Let’s cause problems
Check the status:
$ systemctl status postfix
Why does it fail? You’ll see something like
postfix[3427]: fatal: chdir(/var/spool/postfix): Permission denied
but no AVCs. How do we approach this?
Practice
How to debug SELinux problems
Does it happen in permissive mode?
$ setenforce 0
Check for denials. If you don’t see any, the access may be hidden by a dontaudit rule. Disable dontaudit rules (and rebuild the policy) with
$ semodule -DB
Enable dontaudit again with
$ semodule -B
Now give audit2allow a try with this ...
Check for mislabeled files
– either because of unaware scripts/programs
– or because the policy paths don’t match
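Added example, not code from the slides, from SUSE or from libselinux: a miniature of the "check for mislabeled files" step above, i.e. what restorecon -Rvn does. It takes a handful of constructed rules in the shape of semanage fcontext -l output (the real policy has thousands; the contexts assigned here are assumptions for the example) and a constructed ls -Z style snapshot, picks the applicable rule per path, and reports every file whose current label differs. The rule selection is a simplification of libselinux's ordering, stated as an assumption in the code: the matching rule with the longest literal prefix wins, later rules win ties, and file_contexts regexes are anchored at both ends. The two mismatches it reports are the two causes named on the slide: the chcon from the "Let's cause problems" slide, and a directory created with a generic label by a program unaware of SELinux.

```python
"""Find files whose label does not match the file-context rules.

Added example for the SELinux talk; a miniature of what restorecon -n does.
Not code from the slides, from SUSE or from libselinux.
"""
import re

# Constructed rules in the shape of `semanage fcontext -l` output:
# (regex, file type, context). The real policy has thousands of entries;
# these few, and the contexts they assign, are assumptions for the example.
FCONTEXT_RULES = [
    (r"/.*",                      "all files",    "system_u:object_r:default_t:s0"),
    (r"/usr/sbin(/.*)?",          "all files",    "system_u:object_r:bin_t:s0"),
    (r"/usr/sbin/postfix",        "regular file", "system_u:object_r:postfix_exec_t:s0"),
    (r"/var/spool(/.*)?",         "all files",    "system_u:object_r:var_spool_t:s0"),
    (r"/var/spool/postfix(/.*)?", "all files",    "system_u:object_r:postfix_spool_t:s0"),
    (r"/etc/shadow.*",            "regular file", "system_u:object_r:shadow_t:s0"),
]

# Constructed `ls -Z` style snapshot: (path, file type, current context).
# /usr/sbin/postfix carries the label set with chcon on the slide; the
# maildrop directory was created by a program unaware of SELinux and got a
# generic label.
SAMPLE_FILES = [
    ("/usr/sbin/postfix",           "regular file", "system_u:object_r:postfix_map_exec_t:s0"),
    ("/usr/sbin/postmap",           "regular file", "system_u:object_r:bin_t:s0"),
    ("/var/spool/postfix",          "directory",    "system_u:object_r:postfix_spool_t:s0"),
    ("/var/spool/postfix/maildrop", "directory",    "system_u:object_r:var_spool_t:s0"),
    ("/etc/shadow",                 "regular file", "system_u:object_r:shadow_t:s0"),
]

_META = re.compile(r"[.^$*+?()\[\]{}|\\]")


def literal_prefix_len(pattern):
    """Number of leading characters before the first regex metacharacter;
    used as the measure of how specific a rule is."""
    m = _META.search(pattern)
    return len(pattern) if m is None else m.start()


def expected_context(path, ftype, rules=FCONTEXT_RULES):
    """Context the rules assign to path, or None if no rule matches.
    Assumption (simplified libselinux ordering): the matching rule with the
    longest literal prefix wins, and among equals the later rule wins.
    file_contexts regexes are anchored at both ends, hence fullmatch."""
    best = None
    for idx, (pattern, rule_type, ctx) in enumerate(rules):
        if rule_type != "all files" and rule_type != ftype:
            continue
        if re.fullmatch(pattern, path) is None:
            continue
        key = (literal_prefix_len(pattern), idx)
        if best is None or key > best[0]:
            best = (key, ctx)
    return None if best is None else best[1]


def find_mislabeled(files, rules=FCONTEXT_RULES):
    """Return (path, current context, expected context) for every mismatch."""
    out = []
    for path, ftype, current in files:
        want = expected_context(path, ftype, rules)
        if want is not None and want != current:
            out.append((path, current, want))
    return out


if __name__ == "__main__":
    # Report each mismatch the way a dry run would, without changing anything
    for path, current, want in find_mislabeled(SAMPLE_FILES):
        print("Would relabel %s from %s to %s" % (path, current, want))
```

Note what is deliberately missing compared to the real tool: restorecon reads the compiled file_contexts of the loaded policy plus the local customizations, and it walks the filesystem itself; the mismatch logic, though, is the same, which is why a denial with no AVC after semodule -DB still leaves restorecon -Rvn as the next check.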
Practice
How to debug SELinux problems
Search engines/bugtrackers are your friends
How to report a bug: https://en.opensuse.org/openSUSE:Bugreport_SELinux
Practice
How to rescue a system
In grub, change the boot parameters:
– Disable SELinux: selinux=0 (no policy is loaded; files created in this state are unlabeled, so relabel before going back to enforcing)
– Make SELinux permissive: enforcing=0 (policy stays loaded, denials are only logged, so you can still debug)
Questions?
Thank you for your attention!