paulway
SELinux
for everyday users
SELinux
Don't be afraid!
SELinux the bad
Developed by the NSA
Mandatory Access Control
Infested with jargon: policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!
Breaks systems: root can't just do anything anymore
Applications stop working
Can't make it stop
SELinux the bad
SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.
Theodore Ts'o (ext2/3/4 maintainer), 1 Oct 2007
Uses Debian
Not an everyday user!
SELinux
Don't be afraid!
SELinux the good
Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.
Larry Loeb (security author and researcher)
SELinux the good
Used in many major distributions: in kernel since 2002
Fedora since Core 2 (2004)
RHEL since version 4 (2005)
Debian since Etch (2007)
Ubuntu since Hardy Heron 8.04 (2008)
SELinux
How does it work?
SELinux the basics
Compiled into the kernel
Packaged security policy
Checks database of rules on syscalls
Allows or denies based on policy
SELinux
What does it really do?
SELinux what does it do?
Stops daemons going bad
tchmilfan : didi! - http://www.flickr.com/photos/tchmilfan/1033216436/
SELinux what does it do?
Stops daemons going bad: policies in most distributions are applied only to system processes, not user processes.
Policies limit what a daemon can access and how.
Prevents daemon compromise affecting other files / users / ports / etc.
SELinux what does it do?
Stops daemons going bad
User processes are unaffected: root still gets to be root
Firefox still gets to crash your system
New policy being written to help that
SELinux demystifying
Everything has a security 'context': a process has a context
A file has a context
Database of rules: rules allow a process in one context to do operations on an object in another context
SELinux how do I see it?
Some commands have the -Z option: ls -Z, netstat -Z, ps -Z
ls -Z
drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin
drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding
netstat -Z
tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
ps -Z
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps
The type (the field ending in _t) is the only part of the context you need to look at
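A context is four colon-separated fields, user:role:type:range, and the range field (s0-s0:c0.c1023 above) contains colons of its own, which is why a naive split on ':' gets it wrong. The following Python is an added example, not code from the talk: it pulls contexts out of ls -Z, ps -Z and netstat -Z lines and returns just the type, which is the field the slide says to look at. The sample lines are constructed from the slide's output; the function names (parse_context, find_context, type_of, types_in) are my own. Note that the rhythmbox line on the slide has no user field, and the parser returns None for it rather than a mis-read context.

```python
"""Pull SELinux contexts out of ls -Z / ps -Z / netstat -Z output.

Added example for this deck, not code from the talk. The sample lines
below are constructed from the output shown on the slide; nothing here
talks to a live SELinux system.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A context is user:role:type[:range]. The MLS/MCS range is optional and
# itself contains ':' (e.g. "s0-s0:c0.c1023"), so it is matched as one unit.
CONTEXT_RE = re.compile(
    r"\b(\w+_u):(\w+_r):(\w+_t)"
    r"(?::(s\d+(?:-s\d+)?(?::c[\w.,]+)?))?"
)


@dataclass(frozen=True)
class Context:
    seuser: str
    role: str
    setype: str
    mls: Optional[str] = None


def parse_context(text: str) -> Context:
    """Split 'user_u:role_r:type_t[:range]' into its fields.

    At most three splits: everything after the third ':' is the range.
    """
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {text!r}")
    mls = parts[3] if len(parts) == 4 else None
    return Context(parts[0], parts[1], parts[2], mls)


def find_context(line: str) -> Optional[Context]:
    """Return the first complete context in a -Z output line, or None.

    A line whose context is cut short (the rhythmbox line on the slide has
    no user field) yields None instead of a mis-parsed context.
    """
    m = CONTEXT_RE.search(line)
    return parse_context(m.group(0)) if m else None


def type_of(line: str) -> Optional[str]:
    """The part that matters day to day: just the type (the *_t field)."""
    ctx = find_context(line)
    return ctx.setype if ctx else None


def types_in(lines: List[str]) -> List[str]:
    """Distinct types seen across several -Z lines, in first-seen order."""
    seen: List[str] = []
    for line in lines:
        t = type_of(line)
        if t and t not in seen:
            seen.append(t)
    return seen


# Constructed sample lines, copied from the slide's ls/ps/netstat output.
SAMPLE_LS = "drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin"
SAMPLE_PS = ("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 "
             "pts/1 00:00:00 bash")
SAMPLE_NETSTAT_SHORT = ("1837/rhythmbox "
                        "unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023")

if __name__ == "__main__":
    for line in (SAMPLE_LS, SAMPLE_PS, SAMPLE_NETSTAT_SHORT):
        print(f"{type_of(line)!s:20} <- {line}")
```

Feed it the output of `ps -Z` or `ls -Z` line by line and `types_in` gives you the short list of types actually in play, which is usually all you need before reaching for restorecon or a boolean.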
SELinux how do I use it?
restorecon: restores the default SELinux context of a file
Looks up the database of rules (based on the directory structure) and finds the correct context for that file
chcon
SELinux how do I use it?
[root@tachyon ~]# ls -Z /etc/group
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
[root@tachyon ~]# cp /etc/group /tmp
[root@tachyon ~]# mv /tmp/group /etc
[root@tachyon ~]# ls -Z /etc/group
-rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group
[root@tachyon ~]# restorecon -R -v /etc/group
restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
[root@tachyon ~]# ls -Z /etc/group
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
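The demo above hinges on two different things: cp creates a new file, which gets a label at creation time (a root shell creating in /tmp gets user_tmp_t under the targeted policy), while mv on the same filesystem only renames the inode, so the label travels with it into /etc. restorecon ignores both and asks the file_contexts database what /etc/group should be. The following Python is an added toy model of that, not code from the talk or from policycoreutils: FILE_CONTEXTS and CREATE_LABEL are constructed stand-ins for the policy's file_contexts table and its type-transition rules, and ToyFs, matchpathcon and replay_slide_demo are my own names.

```python
"""Toy model of why 'mv' leaves /etc/group mislabelled and 'restorecon'
fixes it. Added example for this deck, not code from the talk or from
policycoreutils. The tables below are constructed to mirror the slide's
demo; they are not a real policy.
"""
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for file_contexts: (path regex, default context).
# Entries are tried in order and the last match wins, so the more specific
# /etc and /tmp rules override the catch-all.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/etc(/.*)?", "system_u:object_r:etc_t:s0"),
    (r"/tmp(/.*)?", "system_u:object_r:tmp_t:s0"),
]

# Constructed stand-in for the policy's type-transition rules: the label a
# *newly created* file gets depends on who creates it and where. A root
# shell (unconfined_t) creating in /tmp gets user_tmp_t, as on the slide.
CREATE_LABEL: Dict[str, str] = {
    "/tmp": "system_u:object_r:user_tmp_t:s0",
    "/etc": "system_u:object_r:etc_t:s0",
}


def matchpathcon(path: str) -> str:
    """What restorecon thinks the label should be: last file_contexts match."""
    chosen: Optional[str] = None
    for pattern, ctx in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            chosen = ctx
    if chosen is None:
        raise LookupError(f"no file_contexts entry for {path}")
    return chosen


class ToyFs:
    """Just enough of a filesystem to track one label per path."""

    def __init__(self, labels: Dict[str, str]) -> None:
        self.labels = dict(labels)

    def label(self, path: str) -> str:
        return self.labels[path]

    def cp(self, src: str, dst: str) -> None:
        """cp makes a new inode at dst: its label comes from the creation
        rules, else from the parent directory (the kernel's default when no
        type transition applies). Contents are not modelled."""
        if src not in self.labels:
            raise FileNotFoundError(src)
        parent = posixpath.dirname(dst)
        inherited = self.labels.get(parent, matchpathcon(parent))
        self.labels[dst] = CREATE_LABEL.get(parent, inherited)

    def mv(self, src: str, dst: str) -> None:
        """mv within one filesystem just renames the inode: the label travels."""
        self.labels[dst] = self.labels.pop(src)

    def restorecon(self, path: str) -> Optional[str]:
        """Reset path to its file_contexts label; report the change like -v.
        (The toy compares the whole context; the real tool only resets the
        type unless given -F.)"""
        old, new = self.labels[path], matchpathcon(path)
        if old == new:
            return None
        self.labels[path] = new
        return f"restorecon reset {path} context {old}->{new}"


def replay_slide_demo() -> List[Optional[str]]:
    """Replays cp /etc/group /tmp; mv /tmp/group /etc; restorecon /etc/group."""
    fs = ToyFs({"/etc/group": "system_u:object_r:etc_t:s0"})
    fs.cp("/etc/group", "/tmp/group")
    fs.mv("/tmp/group", "/etc/group")
    mislabelled = fs.label("/etc/group")   # user_tmp_t: daemons now get denied
    report = fs.restorecon("/etc/group")
    return [mislabelled, report, fs.label("/etc/group")]


if __name__ == "__main__":
    for line in replay_slide_demo():
        print(line)
```

The lesson the model makes concrete: copying a file into place (cp, or editing in /tmp and moving the result) is the everyday way a system file ends up with the wrong type, and restorecon is the everyday fix.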
SELinux Lessons
1: Try restorecon
SELinux demystifying
Everything has a context
Database of rules: rules allow a process in one context to do operations on an object in another context
Switches turn groups of rules on or off: booleans
SELinux how do I see it?
getsebool -a
[root@tachyon ~]# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
SELinux how do I use it?
setsebool
[root@tachyon ~]# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
[root@tachyon ~]# setsebool samba_enable_home_dirs on
[root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
samba_enable_home_dirs --> on
SELinux how do I use it?
setsebool: ONLY THIS SESSION!
SELinux how do I use it?
setsebool -P (persistent)
[root@tachyon ~]# setsebool -P samba_enable_home_dirs on
[root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
samba_enable_home_dirs --> on
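The practical trap in the last two slides is a boolean set without -P: it works until the next reboot and then silently reverts. The following Python is an added example, not code from the talk or from policycoreutils: it parses getsebool -a output into a dict and diffs it against a record of what you meant to set persistently, emitting the setsebool -P commands needed to get back there. The getsebool output is copied from the slide; DESIRED is a constructed stand-in for your own notes, and parse_getsebool and drift are my own names.

```python
"""Spot booleans that drifted from what you meant to set persistently.
Added example for this deck, not code from the talk or policycoreutils.
The getsebool output is copied from the slide; the DESIRED table is a
constructed stand-in for your own record of what you set with -P.
"""
import re
from typing import Dict, List

BOOL_LINE = re.compile(r"^(\w+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(output: str) -> Dict[str, bool]:
    """Turn 'name --> on|off' lines into a dict; ignore anything else."""
    state: Dict[str, bool] = {}
    for line in output.splitlines():
        m = BOOL_LINE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state


def drift(current: Dict[str, bool], desired: Dict[str, bool]) -> List[str]:
    """setsebool -P commands that bring 'current' back to 'desired'.

    A boolean set with plain setsebool (no -P) comes back after a reboot
    looking exactly like this: still listed, but with its old value.
    """
    fixes: List[str] = []
    for name, want in sorted(desired.items()):
        if name not in current:
            fixes.append(f"# {name}: not a boolean on this system, check the policy")
        elif current[name] != want:
            fixes.append(f"setsebool -P {name} {'on' if want else 'off'}")
    return fixes


# Constructed sample: getsebool -a | grep samba, as printed on the slide,
# i.e. after a reboot undid a non-persistent 'setsebool samba_enable_home_dirs on'.
SAMPLE_GETSEBOOL = """\
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
"""

# Constructed: what the admin intended to be the persistent state.
DESIRED = {
    "samba_enable_home_dirs": True,   # home directories over Samba are wanted
    "samba_export_all_rw": False,     # never export everything read-write
}

if __name__ == "__main__":
    for cmd in drift(parse_getsebool(SAMPLE_GETSEBOOL), DESIRED):
        print(cmd)
```

Run it against `getsebool -a` after a reboot and an empty list means nothing was left in the session-only state.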
SELinux Lessons
1: Try restorecon
2: getsebool and setsebool
SELinux how do I see it?
Some commands have the -Z option: ls -Z, netstat -Z, ps -Z
Audit messages go to /var/log/audit/audit.log; some messages may be in /var/log/messages
SELinux how do I see it?
[root@tachyon ~]# tail -4 /var/log/audit/audit.log
type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
SELinux how do I use it?
[root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
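audit2why tells you which rule is missing, but the denial above is really a lesson-1 problem: hald (hald_t) is denied read on a file labelled user_tmp_t, the label the /etc/group demo earlier left behind, and the right fix is restorecon, not a new allow rule. The following Python is an added example, not code from the talk or from audit2why: it parses AVC records, collapses repeats (a daemon retrying every few seconds fills the log with identical denials), and maps each distinct denial to the deck's three lessons by its target class and type. The sample records are the slide's four audit.log lines, constructed inline with the SYSCALL records abridged; parse_avc, summarize and suggest are my own names.

```python
"""Parse AVC denials out of audit.log, collapse repeats, and point each one
at the deck's lessons. Added example for this deck, not code from the talk
or from audit2why; the sample records below are the slide's four audit.log
lines (SYSCALL records abridged), constructed inline.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\} for (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (comm, permissions, source type, target type, target class)
Key = Tuple[str, str, str, str, str]


@dataclass
class Group:
    name: str      # the target's name= field, if the record had one
    first: str     # audit timestamp of the first occurrence
    last: str      # ... and of the latest one
    count: int = 0


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Fields of one AVC denial as a dict, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = " ".join(m.group("perms").split())
    rec["ts"] = m.group("ts")
    # As the deck says, the type is what matters: lift it out of both contexts.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines: List[str]) -> "OrderedDict[Key, Group]":
    """Group identical denials so a retrying daemon shows up once, with a count."""
    groups: "OrderedDict[Key, Group]" = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key: Key = (rec["comm"], rec["perms"], rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, Group(rec.get("name", "?"), rec["ts"], rec["ts"]))
        g.count += 1
        g.last = rec["ts"]
    return groups


def suggest(key: Key) -> str:
    """Which of the deck's three lessons to try first for this denial."""
    comm, perms, stype, ttype, tclass = key
    on_fs = tclass in ("file", "dir", "lnk_file")
    if on_fs and ttype.endswith("tmp_t"):
        return (f"lesson 1: {comm} ({stype}) denied '{perms}' on a {tclass} labelled "
                f"{ttype}; a tmp label on a system file is the classic sign of a "
                f"file moved into place, so run restorecon -v on it")
    if on_fs:
        return f"lesson 1: check the {tclass}'s label with ls -Z, then restorecon"
    return (f"lesson 2, then 3: {stype} -> {ttype} ({tclass}): look for a related "
            f"boolean in getsebool -a, otherwise feed the record to audit2why")


# Constructed sample: the four records from the slide's tail -4 (SYSCALL abridged).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 '
    'comm="hald" name="group" dev=dm-0 ino=460208 '
    'scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 '
    'comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)',
    'type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 '
    'comm="hald" name="group" dev=dm-0 ino=460208 '
    'scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 '
    'comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)',
]

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{g.count}x {key} ({g.first} .. {g.last}), name={g.name}")
        print("   ", suggest(key))
```

The ordering in suggest mirrors the lessons slide: label problems first, booleans second, and only then audit2why, because an allow rule generated for a mislabelled file would permanently widen the daemon's access instead of fixing the label.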
SELinux Lessons
1: Try restorecon
2: getsebool and setsebool
3: audit2why or audit2allow (only needed if you're working on a system daemon problem)
Much more, but it's not for every day.
Questions?
Best effort only
SLUG 2009-06
SELinux for everyday users