SELinux for Everyday Users

Uploaded by: paulway

SELinux
for everyday users

SELinux
Don't be afraid!

SELinux the bad

Developed by the NSA

Mandatory Access Control

Infested with jargon: policies, contexts, labels, roles, objects, translation, types, ranges, booleans, oh my!

Breaks systems: root can't just do anything anymore

Applications stop working

Can't make it stop
SELinux the bad

"SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux."
Theodore Tso (ext2/3/4 maintainer), 1 Oct 2007

Uses Debian

Not an everyday user!

SELinux
Don't be afraid!

SELinux the good

"Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list."
Larry Loeb (security author and researcher)

SELinux the good

Used in many major distributions

In kernel since 2002

Fedora since Core 2 (2004)

RHEL since version 4 (2005)

Debian since Etch (2007)

Ubuntu since Hardy Heron 8.04 (2008)

SELinux
How does it work?

SELinux the basics

Compiled into the kernel

Packaged security policy

Checks database of rules on syscalls

Allows or denies based on policy

SELinux
What does it really do?

SELinux what does it do?

Stops daemons going bad

Policies in most distributions are applied only to system processes, not user processes.

Policies limit what a daemon can access and how.

Prevents daemon compromise affecting other files / users / ports / etc.

Photo: tchmilfan, didi! - http://www.flickr.com/photos/tchmilfan/1033216436/

User processes are unaffected

root still gets to be root

Firefox still gets to crash your system

New policy being written to help that

SELinux demystifying

Everything has a security 'context'

A process has a context

A file has a context

Database of rules

Rules allow a process in one context to do operations on an object in another context

SELinux how do I see it?

Some commands have the -Z option: ls -Z, netstat -Z, ps -Z

ls -Z
drwxr-xr-x paulway paulway user_u:object_r:user_home_t:s0 bin
drwxrwxr-x paulway paulway user_u:object_r:user_home_t:s0 coding

netstat -Z
tcp 0 0 tachyon:54421 upload.pmtpa.wikimedia:http ESTABLISHED 4243/firefox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcp 1 0 tachyon.tangram.dnsal:46882 media:daap CLOSE_WAIT 1837/rhythmbox unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023

ps -Z
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5950 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6293 pts/1 00:00:00 ps

A context is user:role:type:range. The type (the part ending in _t) is the only thing you need to look at.

SELinux how do I use it?

restorecon

Restores the default SELinux context of a file

Looks up the database of rules and finds the correct context for that file, based on the rules for the directory structure

chcon (sets a context by hand)

[root@tachyon ~]# ls -Z /etc/group
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group
[root@tachyon ~]# cp /etc/group /tmp
[root@tachyon ~]# mv /tmp/group /etc
[root@tachyon ~]# ls -Z /etc/group
-rw-r--r-- root root system_u:object_r:user_tmp_t:s0 /etc/group
[root@tachyon ~]# restorecon -R -v /etc/group
restorecon reset /etc/group context system_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
[root@tachyon ~]# ls -Z /etc/group
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/group

SELinux Lessons

1: Try restorecon

SELinux demystifying

Everything has a context

Database of rules

Rules allow a process in one context to do operations on an object in another context

Switches turn groups of rules on or off: booleans

SELinux how do I see it?

getsebool -a

[root@tachyon ~]# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off

SELinux how do I use it?

setsebool (ONLY THIS SESSION!)

[root@tachyon ~]# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
[root@tachyon ~]# setsebool samba_enable_home_dirs on
[root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
samba_enable_home_dirs --> on

setsebool -P (-P makes the change permanent)

[root@tachyon ~]# setsebool -P samba_enable_home_dirs on
[root@tachyon ~]# getsebool -a | grep samba_enable_home_dirs
samba_enable_home_dirs --> on

SELinux Lessons

1: Try restorecon

2: getsebool and setsebool

SELinux how do I see it?

Some commands have the -Z option: ls -Z, netstat -Z, ps -Z

Audit messages go to /var/log/audit/audit.log

Some messages may be in /var/log/messages

SELinux how do I see it?

[root@tachyon ~]# tail -4 /var/log/audit/audit.log
type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1219408127.814:63): arch=40000003 syscall=5 success=no exit=-13 a0=119f2d a1=80000 a2=1b6 a3=80000 items=0 ppid=1 pid=2184 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux how do I use it?

[root@tachyon ~]# grep hald /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.
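The slides show the raw audit.log records and the context format (user:role:type:range) but leave reading them to audit2why. As an added example, not from the talk, the following script pulls the AVC denials out of an audit.log extract, reduces each context to its type, and counts identical denials; the sample log is constructed from the hald records above plus one made-up httpd denial (httpd_t, mysqld_port_t, name_connect are real policy names used here only as sample data).

```python
import re
from collections import Counter

# Constructed sample audit.log extract: the two hald denials shown on the slides
# (reading /etc/group after it was mislabelled user_tmp_t), one SYSCALL record,
# and one extra constructed denial for a different daemon.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1219408121.814:62): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1219408121.814:62): arch=40000003 syscall=5 success=no exit=-13 pid=2184 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1219408127.814:63): avc: denied { read } for pid=2184 comm="hald" name="group" dev=dm-0 ino=460208 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1219408130.101:64): avc: denied { name_connect } for pid=3001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# An AVC denial record: permissions in braces, then comm=, scontext=, tcontext=, tclass=.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_context(ctx):
    """Split user:role:type[:range]; the type (the _t part) is what to look at."""
    fields = dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))
    fields.setdefault("range", "")  # a context without an MLS range has three fields
    return fields

def parse_avc(log_text):
    """Return one dict per AVC denial with just the fields an everyday user needs."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types add nothing here
        denials.append({
            "comm": m.group("comm"),
            "perms": tuple(sorted(m.group("perms").split())),
            "source": parse_context(m.group("scontext"))["type"],
            "target": parse_context(m.group("tcontext"))["type"],
            "tclass": m.group("tclass"),
        })
    return denials

def summarize(denials):
    """Count identical denials, so one that repeats every few seconds becomes one line."""
    return Counter((d["comm"], d["source"], d["target"], d["tclass"], d["perms"]) for d in denials)

def report(log_text):
    """One human-readable line per distinct denial, most frequent first."""
    return [f"{n}x {comm} ({src}) denied {' '.join(perms)} on {cls} labelled {tgt}"
            for (comm, src, tgt, cls, perms), n in summarize(parse_avc(log_text)).most_common()]
```

report(SAMPLE_AUDIT_LOG) starts with "2x hald (hald_t) denied read on file labelled user_tmp_t": a file under /etc carrying a tmp type is the mislabelling case that lesson 1, restorecon, fixes without touching policy.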

SELinux Lessons

1: Try restorecon

2: getsebool and setsebool

3: audit2why or audit2allow, unless you're working on a system daemon problem.

Much more, but it's not for every day.

Questions?

Best effort only


SLUG 2009-06

SELinux for everyday users