How to live with SELinux


Bert Desmet, Fedora Ambassador

You can find me here

Kruishoutem, Belgium

www.bdesmet.be

www.devnox.be

www.fedoraproject.org/wiki/user:biertie

www.identi.ca/bdesmet

IRC: biertie @ Freenode / Quakenet

Mail: [email protected]

Google me for more

And if you have any questions, feel free to contact me.

What I do..

I am still a student (Electronics-IT @ Ghent)

President of CFK

Job hunting

Fedora Ambassador

Designer of the T-shirt

Organise some events

Start-up projects: too many

Oh, and I love to party!

Table of contents

Introduction

Booleans and ports

Contexts and labels

Backing up and copying

Your own policies

What is SELinux?

Kernel-based security system

Built by the NSA

3 'functions':

MLS/MCS: multi-level protection

RBAC: user privilege controls

TE: application isolation

Enabled by default on RH / Fedora

MLS: Multi-Level Security. RBAC: Role-Based Access Control. TE: Type Enforcement.

MAC: mandatory access control. DAC: discretionary access control. SELinux adds extra control over processes and users (which files x or y can change).

Why would I?

Good access control

Reduces vulnerability to attacks

Confined services

Good access control, unlike the DAC of a normal Linux system: an SELinux user has a user, role, type and level, while a Linux user only has a user id and a group id. Reduces vulnerability to attacks thanks to that access control: intruders can only access the files the software (like httpd) really needs. Confined services: SELinux has the ability to confine services and daemons so that they are more predictable and are only allowed the access required for their normal operation.

but

No antivirus

No firewall

....

Keywords

Objects: files, devices, users, processes, ...

Everything in the operating system

Context: name for the object

Policy: defines how objects interact

Independent from normal Linux ownership.

Configuration

3 modes: Enforcing, Permissive, Disabled

2 types: Targeted, Strict

Permanent: edit /etc/selinux/config

Until next reboot: setenforce {0|1}

Only Permissive (0) or Enforcing (1)

Check running config with sestatus

Logging

SELinux denial messages: /var/log/audit/audit.log

ausearch -m avc

If rsyslogd is running: /var/log/messages

/var/log/messages is more readable, but rsyslogd is not always running: chkconfig --level 2345 rsyslog on

Booleans: changed at runtime, no policy writing

Managing booleans..

List all booleans: getsebool -a

semanage boolean -l

Set a boolean: setsebool $boolean {on|off}

setsebool -P $boolean {on|off}

Predefined policies

The semanage boolean command doesn't work yet on RH/CentOS 5.x

The -P flag makes it persistent across reboots

Managing ports

List services and the ports they can use: semanage port -l

Add a port: semanage port -a -t $type -p {tcp|udp} $port

Delete a port: semanage port -d -t $type -p {tcp|udp} $port

SELinux contexts

ls -Z | ps -Z | id -Z

unconfined_u:object_r:httpd_sys_content_t:s0

unconfined_u: user context for the object

object_r: role aspect for the context

httpd_sys_content_t: type

s0: level of security

Identity authorized for a specific set of roles and an MLS range: semanage login -l. Each Linux user is mapped to an SELinux user.

Role is part of the RBAC model.

Type is an attribute of type enforcement. Defines the domain for processes and the type for files.

Level of security is an attribute for MLS.

For processes, unconfined_t is not checked (in targeted policy).
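An added example, not from the slides: a shell helper that splits a context string into the four fields just described, and uses it on ps -eZ output to list processes running in the unconfined_t domain (the ones targeted policy does not check). The ps lines are a constructed sample and the function names (context_field, unconfined_procs) are my own. The one thing to get right is that the level field is an MLS/MCS range that can itself contain colons (s0-s0:c0.c1023), so a naive four-way split on ':' is wrong.

```shell
#!/bin/sh
# Added example (not from the slides): work with SELinux context strings.
# Splits user:role:type:level. The level is an MLS/MCS range that may itself
# contain colons ("s0-s0:c0.c1023"), so fields are peeled off from the left
# and whatever remains is the level.
context_field() (
    ctx=$1
    field=$2
    case $ctx in
        *:*:*) ;;                                   # need at least user:role:type
        *) echo "not an SELinux context: $ctx" >&2; exit 1 ;;
    esac
    sel_user=${ctx%%:*};  rest=${ctx#*:}
    sel_role=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) sel_type=${rest%%:*}; sel_level=${rest#*:} ;;
        *)   sel_type=$rest;       sel_level= ;;        # no level on a non-MLS system
    esac
    case $field in
        user)  printf '%s\n' "$sel_user" ;;
        role)  printf '%s\n' "$sel_role" ;;
        type)  printf '%s\n' "$sel_type" ;;
        level) printf '%s\n' "$sel_level" ;;
        *)     echo "unknown field: $field" >&2; exit 1 ;;
    esac
)

# Constructed sample in the shape of 'ps -eZ' output (not captured from a real host).
PS_SAMPLE='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 systemd
system_u:system_r:httpd_t:s0       7832 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2201 pts/0 00:00:00 bash
system_u:system_r:sshd_t:s0-s0:c0.c1023  1180 ?        00:00:00 sshd'

# Print "PID CMD" for every process whose domain is unconfined_t, i.e. the
# processes targeted policy leaves unchecked. Reads ps -eZ output on stdin.
unconfined_procs() {
    while read -r label pid tty cputime cmd; do
        [ "$label" = LABEL ] && continue          # skip the header line
        [ "$(context_field "$label" type)" = unconfined_t ] || continue
        printf '%s %s\n' "$pid" "$cmd"
    done
}

# Stand-alone demo on the constructed sample (on a real host: ps -eZ | unconfined_procs)
printf '%s\n' "$PS_SAMPLE" | unconfined_procs
```

Piping real ps -eZ output through unconfined_procs gives a quick inventory of what is and is not confined on a targeted system; anything long-running that shows up there is a service SELinux is not protecting.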

Change context

Temporary: chcon -t $type ${file|dir}name

Persistent: semanage fcontext -a -t $type ${file|dir}name

Restore context: restorecon -v ${file|dir}name

semanage fcontext -d -v ${file|dir}name

chcon -t httpd_sys_content_t /web

Use the full path of the file/dir

restorecon only undoes chcon: semanage fcontext adds a rule to file_contexts.local, chcon doesn't

After a fcontext -d, run restorecon again.

Relabeling the fs

With reboot (preferred!): touch /.autorelabel

reboot

Without reboot: fixfiles relabel

fixfiles -R $packagename restore

fixfiles relabel can make the system unstable; fixfiles -R relies on the rpm database

Mounting file systems

The mount command:

mount server:/export /mount -t nfs -o context=system_u:object_r:context_t:s0

mount /dev/sda2 /foo -o defcontext=system_u:object_r:context_t:s0

Works for multiple NFS mounts

Standard type: nfs_t

Context changes to the files on the mount won't work.

chcon results in 'Operation not supported'

/dev/sda2: assumes there are no rules that define a context for /foo/. Files will keep their context when changed.

Persistent: fstab

Copying

cp doesn't save the context

Copy with context: add the --preserve=context flag

Copy while changing context: cp -Z system_u:object_r:context_t:s0 $file $dest

If you copy a file over a file, the original context is preserved

Moving

The mv command doesn't carry the context over to a different partition

It does when you move within the same partition

Use the cp command

Tarring

tar doesn't save contexts by default; use the --selinux flag

Untar an archive without extended attributes: tar -xvf $archive | restorecon -f -

Troubles?

audit2allow: gives you decent tips

matchpathcon -V $dir: checks the context of a dir

semodule -DB: allow all denials to be logged

matchpathcon: get the default security context for the specified path from the file contexts configuration.

semodule -D: disables dontaudit rules. -B: rebuilds the policy. Run semodule -B again after debugging.

Creating policies

Grep for the right error in the audit log

audit2allow -a -m $name > $name.te

-D flag

cat $name.te

Applying policies

audit2allow -M $name

semodule -i $name.pp

semodule -i: install the module
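An added example, not from the slides, covering both the logging slide and the policy slides: two shell functions that read AVC records from audit.log (or from ausearch -m avc) and print, first, one line per denied permission with the source type, target type and class, and second, the Type Enforcement allow rules audit2allow would generate from them, so the candidate policy can be read before audit2allow -M and semodule -i. The audit lines are a constructed sample, and avc_summary / avc_to_te are my own names.

```shell
#!/bin/sh
# Added example (not from the slides): summarise AVC denials from audit.log
# and turn them into the allow rules audit2allow would generate, so the
# candidate policy can be read before anything is installed.

# Constructed audit.log excerpt in the format of AVC records (not from a real host).
AUDIT_SAMPLE='type=AVC msg=audit(1318941306.192:2138): avc:  denied  { read } for  pid=7832 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1318941306.192:2138): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1318941307.001:2139): avc:  denied  { getattr } for  pid=7832 comm="httpd" path="/home/bert/www/index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1318941310.550:2140): avc:  denied  { name_connect } for  pid=7832 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# One line per denied permission, "<source type> <target type> <class> <perm>",
# deduplicated, from audit records on stdin (e.g. ausearch -m avc | avc_summary).
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s)
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t)
        c = $0; sub(/.*tclass=/, "", c);   sub(/ .*/, "", c)
        split(s, sf, ":"); split(t, tf, ":")        # third field of a context is the type
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print sf[3], tf[3], c, p[i]
    }' | sort -u
}

# Group the summary into Type Enforcement allow rules, one per (source, target:class),
# the same shape as the rules in the .te file audit2allow writes.
avc_to_te() {
    avc_summary | awk '
    { key = $1 " " $2 ":" $3; perms[key] = perms[key] " " $4 }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }' | sort
}

# Stand-alone demo on the constructed sample
printf '%s\n' "$AUDIT_SAMPLE" | avc_summary
printf '%s\n' "$AUDIT_SAMPLE" | avc_to_te
```

Read the generated rules with the earlier slides in mind before installing anything: the user_home_t denials in the sample are the situation from the chcon slide, where the right fix is to label the content httpd_sys_content_t (or switch the matching boolean on) rather than to allow httpd_t into home directories, and the tcp_socket denial is the kind a boolean usually covers. An allow rule is the fallback when neither a label nor a boolean explains the denial.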

So why do we enable it?

It's easy

It's secure

References

Fedora SELinux documentation: http://docs.fedoraproject.org

Dan Walsh: http://danwalsh.livejournal.com

Fedora SELinux team: #fedora-selinux @ freenode

Linux training: http://linux-training.be

Questions?

E-mail: [email protected]

@biertie

identi.ca: @bdesmet

Web: http://bdesmet.be
