How to use SELINUX (No I don't mean turn it off)

HOW TO USE SELINUX

CHUCK REEVES @MANCHUCK

NO I DON'T MEAN TURN IT OFF

ZendCon 2016

HOW TO USE SELINUX - NO I DON'T MEAN TURN IT OFF

ABOUT

▸ Built using Kernel Modules

▸ More permissions than CRUD and Access

▸ Allows Multi-Level Security using BLP and Biba Models

▸ Permissions set on the inode instead of the file

▸ Mandatory Access Control (MAC)

ZendCon 2016


ZendCon 2016


WHAT YOU NEED TO KNOW

▸ Each iNode is given a single context

▸ Each context identifies a user, role, type and level

▸ SELINUX then allows (or denies) access using the context with a policy

▸ Decision is cached in the Access Vector Cache (AVC)

▸ Decisions is made after the DAC access is checked

ZendCon 2016


WHAT YOU NEED TO KNOW

▸ SELINUX manages:

▸ Users

▸ Sockets

▸ Memory

▸ Directories

▸ TCP/UDP connections

ZendCon 2016


PROCESS TYPES

▸ Confined

▸ Runs in own domain (role)

▸ Resources are limited to the roles and policy

▸ Un-Confined

▸ fallback to the DAC policies

ZendCon 2016


CONTEXTS

▸ Policy checks context of inode for access

▸ "If a process is running with <context_foo> then anything with <context_foo_type> is allowed access"

▸ Four parts: user, role, type and level (optional)

ZendCon 2016


CONTEXTS

▸ Set automatically based on the parent context (mostly)

▸ RPM

▸ Management tools (ansible, chef, puppet)

▸ When a File transitions (moving an uploaded file)

▸ By the sysadmin with chcon, restorecon

ZendCon 2016


FINDING CONTEXT

ls -alZ /home

ZendCon 2016


FINDING CONTEXT

ps -Z

ZendCon 2016


BOOLEANS

▸ On off settings for policies

▸ Allow HTTPD to make network connections

▸ Allow FTP to access home directories

▸ Overcomes issues with over labeling contexts

ZendCon 2016


TURNING IT BACK ON

▸ TARGETED

▸ PERMISSIVE

▸ DISABLED (You already know this one)

ZendCon 2016


TURNING IT BACK ON

<edit> /etc/selinux/config

ZendCon 2016


TURNING IT BACK ON

sudo yum install setroubleshoot setroubleshoot-server

sudo service auditd restart

ZendCon 2016


TURNING IT BACK ON

ls -alZ

sudo touch /.autorelabel

ZendCon 2016


TURNING IT BACK ON

ls -alZ

ZendCon 2016


ZendCon 2016


ZendCon 2016

TEXT

TROUBLESHOOTING EXAMPLE: DATABASE

tail -f /var/log/audit/audit.log

ZendCon 2016

TEXT


tail -f /var/log/messages

ZendCon 2016

TEXT


sealert -l <message id>

ZendCon 2016


BOOLEANS

setsebool -P httpd_can_network_connect 1

ZendCon 2016


BOOLEANS

semanage boolean -l | grep httpd_enable_ftp_server

ZendCon 2016


BOOLEANS

getsebool -a

getsebool <boolean>

ZendCon 2016


BOOLEANS

semanage boolean -l | grep httpd_enable_ftp_server

ZendCon 2016

TEXT

TROUBLESHOOTING EXAMPLE: FILE UPLOAD

ls -Z

ZendCon 2016

TEXT

TROUBLESHOOTING EXAMPLE: FILE UPLOAD

sealert -l <message id>

ZendCon 2016


SETTING CONTEXT

chcon -R -t httpd_sys_content_t web/

ls -Z web

ZendCon 2016


SETTING CONTEXT

mkdir web/

touch web/file{1,2,3}

ls -Z web

ZendCon 2016


ZendCon 2016


ZendCon 2016


ZendCon 2016


RESOURCES

▸ RedHat Documentation for SELINUX: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html

▸ Servers for Hackers, Batteling SELINUX: https://serversforhackers.com/video/battling-selinux-cast

▸ SELinux For Mere Mortals: https://www.youtube.com/watch?v=MxjenQ31b70

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html

https://serversforhackers.com/video/battling-selinux-cast

https://www.youtube.com/watch?v=MxjenQ31b70

THANKSCHUCK REEVES @MANCHUCK

Technology

How to use SELINUX (No I don't mean turn it off)