D e f i n i t i o n o f S E L i n u x - - PowerPoint PPT Presentation

▶

Feb 05, 2024 114 likes •603 views

D e f i n i t i o n o f S E L i n u x 80:20:DE:AD:BE:EF 80:20:DE:AD:BE:EF Mandatory Access Control ... refers to a type of access control by which the operating system constrains the ability of a subject or initiator to

SLIDE 1

SLIDE 2

D e f i n i t i

S E L i n u x

SLIDE 3

SLIDE 4

SLIDE 5

SLIDE 6

80:20:DE:AD:BE:EF 80:20:DE:AD:BE:EF

SLIDE 7

Mandatory Control Access

SLIDE 8

... refers to a type of access control by which the

perating system constrains

the ability of a subject or initiator to access or generally perform some sort

f operation on an object or

target.

SLIDE 9

var subject = [

'process', 'thread' ];

SLIDE 10

var object = [

'file', 'directory', 'port', 'shm' ];

SLIDE 11

SELinux adheres to the concept of least privilege, which gives a process exactly the rights it needs to perform it's given task.

SLIDE 12

Y e s , t h a t i n c l u d e s a l mi g h t y R

!

SLIDE 13

S h

t H i s t

y

S E L i n u x

SLIDE 14

1 9 9 2 = 2 1 = F i r s t c

c e p t s F i r s t c

c e p t s b y N S A b y N S A I n t r

t L i n u x K e r n e l S u mmi t b y t h e N S A . W

L i n u x S e c u r i t y M

u l e s b e g i n s

SLIDE 15

2 2 = 2 3 = 2 5 = I n t e g r a t i

i n t

n t e g r a t i

i n t

e r n e l 2 . 4 v i a K e r n e l 2 . 4 v i a mo d u l e . mo d u l e . R e l e a s e

L i n u x R e l e a s e

L i n u x K e r n e l 2 . 6 w i t h K e r n e l 2 . 6 w i t h L S M L S M . . I n c l u s i

I n c l u s i

S E L i n u x i n R H E L 4 S E L i n u x i n R H E L 4

SLIDE 16

A r c h i t e c t u r e O v e r v i e w

SLIDE 17

L i n u x S e c u r i t y M

u l e s

SLIDE 18

S E L i n u x C

e n t s

SLIDE 19

S e c u r i t y C

t e x t

SLIDE 20

P r e r e q u i s i t e s

SLIDE 21

SLIDE 22

# egrep "CONFIG_(.*SELINUX|AUDIT)|XATTR" \ /boot/config-2.6.18-348.4.1.el5 CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_AUDITSYSCALL=y CONFIG_EXT2_FS_XATTR=y CONFIG_EXT3_FS_XATTR=y CONFIG_EXT4_FS_XATTR=y CONFIG_CIFS_XATTR=y CONFIG_SECURITY_SELINUX=y

Confirm Kernel features

SLIDE 23

SLIDE 24

# tune2fs -l /dev/sda1 | grep features: Filesystem features: ... ext_attr ...

Confirm extended attributes

SLIDE 25

E n

g h t h e

y a l r e a d y , b r i n g

t h e g

s !

SLIDE 26

/etc/selinux/config

SLIDE 27

Check current status

# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 21 Policy from config file: targeted

SLIDE 28

Mid flight mode change

Check Disarm Re-enable

# getenforce Enforcing # setenforce 0 # getenforce Permissive # setenforce 1 # getenforce Enforcing

SLIDE 29

My role in this?

# secon user: user_u role: system_r type: unconfined_t Sensitivity: s0 Clearance: s0 Mls-range: s0

SLIDE 30

T h e T h e O p t i

O p t i

SLIDE 31

SELinux enabled utilities

ls ps id netstat find -context lsof (RHEL 6)

SLIDE 32

Sample output

# ls -Z drwxr-xr-x root root system_u:object_r:default_t foo # ps -Z LABEL PID TTY TIME CMD user_u:system_r:unconfined_t 2508 pts/0 00:00:07 sudo # id -Z user_u:system_r:unconfined_t

SLIDE 33

O u t p u t t

t e x t

SLIDE 34

M a k i n g c h a n g e s

SLIDE 35

SELinux tools getsebool setsebool chcon semanage restorecon

SLIDE 36

List booleans

# getsebool -a NetworkManager_disable_trans --> off aisexec_disable_trans --> off allow_aisexec_rw_tmpfs --> off allow_console_login --> off allow_cvs_read_shadow --> off allow_daemons_dump_core --> on allow_daemons_use_tty --> on

SLIDE 37

Toggle value

# setsebool NetworkManager_disable_trans on # getsebool NetworkManager_disable_trans NetworkManager_disable_trans --> on

SLIDE 38

Change context

# cd /var/tmp/foo # ls -Z bar

rw-r—r-- root root user_u:object_r:tmp_t:s0 bar

# chcon -t file_t bar # ls -Z bar

rw-r—r-- root root user_u:object_r:file_t:s0 bar

SLIDE 39

Manage context

# semanage fcontext -a -t default_t /var/tmp/foo/bar # ls -Z bar

rw-r—r-- root root user_u:object_r:file_t:s0 bar

# restorecon /var/tmp/foo/bar # ls -Z bar

rw-r—r-- root root user_u:object_r:default_t:s0 bar

SLIDE 40

Restore context

# cd /var/tmp/foo # ls -Z bar

rw-r—r-- root root user_u:object_r:file_t:s0 bar

# restorecon bar # ls -Z bar

rw-r—r-- root root user_u:object_r:tmp_t:s0 bar

SLIDE 41

T r

b l e s h

i n g

SLIDE 42

audit2allow audit2why Auditing tools

SLIDE 43

Aggregating audit log

# audit2allow -a #============= restorecon_t ============== allow restorecon_t syslogd_t:dir relabelto; allow restorecon_t syslogd_t:file relabelto; #============= syslogd_t ============== allow syslogd_t default_t:file append;

SLIDE 44

Babelfishing the log

# audit2why < /var/log/audit/audit.log type=AVC msg=audit(1355080647.280:69): avc: denied \ { relabelto } for pid=3699 comm="restorecon" \ name="log" dev=loop0 ino=7905 \ scontext=user_u:system_r:restorecon_t:s0 \ tcontext=system_u:object_r:syslogd_t:s0 tclass=dir Was caused by: Missing or disabled TE allow rule. \ Allow rules may exist but be disabled \ by boolean settings; check boolean settings. \ You can see the necessary allow rules by \ running audit2allow with this audit message \ as input.

SLIDE 45

Resources

< http://selinuxproject.org > < http://en.wikipedia.org/wiki/SELinux > < https://fedoraproject.org/wiki/SELinux >

SLIDE 46

?

SLIDE 47

D e f i n i t i

S E L i n u x

Mandatory Control Access

'process', 'thread' ];

'file', 'directory', 'port', 'shm' ];

Y e s , t h a t i n c l u d e s a l mi g h t y R

!

S h

t H i s t

y

S E L i n u x

A r c h i t e c t u r e O v e r v i e w

P r e r e q u i s i t e s

E n

g h t h e

y a l r e a d y , b r i n g

t h e g

s !

T h e T h e O p t i

O p t i

M a k i n g c h a n g e s

T r

b l e s h

i n g

?

T h a n k y