Hands-on SELinux: A Practical Introduction Security Training Course - PowerPoint PPT Presentation



  1. Hands-on SELinux: A Practical Introduction
     Security Training Course
     Dr. Charles J. Antonelli
     The University of Michigan
     2013

  2. Roadmap
     • Day 1:
       ◦ Why SELinux?
       ◦ Overview of SELinux
       ◦ Using SELinux
       ◦ SELinux Permissive Domains
     • Day 2:
       ◦ SELinux Booleans
       ◦ SELinux Policy Theory
       ◦ SELinux Policy Praxis
       ◦ SELinux audit2allow
     02/13 cja 2013 2

  3. SELinux Tools
     • GUI
       ◦ Configure SELinux
           sudo /usr/bin/system-config-selinux
           System | Administration | SELinux Management
       ◦ Interpret SELinux log errors
           /usr/bin/sealert
           Applications | System Tools | SELinux Troubleshooter
     • Command line
       ◦ semanage, setsebool, setenforce, getenforce, audit2allow, …
       ◦ As always, man is your friend

  4. Command-line Hints
     1. man is your friend
           man semanage
     2. Use shell command history
     3. Search for string foo in all files rooted in directory tree bar:
           find bar -print | xargs grep foo

  5. SELinux Booleans

  6. Booleans
     • Allow policies to be changed at runtime
       ◦ Fine-tune service access
       ◦ Change service port numbers
       ◦ Must be pre-defined
       ◦ Greatly reduces need for new policy modules
       ◦ Originally Boolean values only
       ◦ Now extended beyond Boolean values

  7. Example
     • httpd_can_network_connect_db
       List all Booleans
           getsebool -a
           semanage boolean -l
       Set a Boolean, but not across reboot
           setsebool httpd_can_network_connect_db on
       Set a Boolean permanently
           setsebool -P httpd_can_network_connect_db on

  8. Example
     • http_port_t
       Permit an additional port
           semanage port -l
           semanage port -a -t http_port_t -p tcp 1234
           semanage port -l
           semanage port -d -t http_port_t -p tcp 1234
           semanage port -l

  9. Booleans
     • Command documentation
           man getsebool
           man setsebool
           man semanage

  10. Lab – httpd server
     Goal: Observe and remove SELinux policy violations
     • Start httpd if necessary
           service httpd status
           sudo service httpd start
     • Observe Apache 2 test page
     • Stop web server
           sudo service httpd stop

  11. Lab – httpd server
     Goal: Observe and remove SELinux policy violations
     • Start httpd if necessary
           service httpd status
           sudo service httpd start
     • Observe Apache 2 test page
       ◦ Browse to "localhost"
     • Stop web server
           sudo service httpd stop

  12. Lab – httpd server
     • Create a new document directory
           sudo mkdir /html
           sudo touch /html/index.html
     • Add some HTML
       ◦ vi /html/index.html
     • Observe labels
           ls -ZaR /html

  13. Lab – httpd server
     • Point DocumentRoot at the new directory
           sudo vi /etc/httpd/conf/httpd.conf
           … change DocumentRoot to /html

  14. Lab – httpd server
     • Start server
           sudo service httpd start
     • Navigate to /html
     • Observe SELinux alert
       ◦ Or run
           sudo sealert -a /var/log/audit/audit.log

  15. Lab – httpd server
     • Correct labeling
           ls -ZaR /html
           chcon -Rv -t httpd_sys_content_t /html
           ls -ZaR /html
       … what's the difference?

  16. Lab – httpd server
     • Navigate to /html
     • Observe correct operation

  17. Lab – httpd server
     • The modified labels are not permanent
       ◦ Will survive reboots
       ◦ Will not survive filesystem relabels
         ◦ Or portions thereof
     • To guarantee permanence
           sudo semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
           sudo restorecon -vR /html

  18. Lab – httpd server
     • Revert DocumentRoot to the standard directory
           sudo vi /etc/httpd/conf/httpd.conf
           … change DocumentRoot to /var/www/html
           sudo service httpd restart

  19. SELinux Policy Theory

  20. SELinux policy
     Overview
     • Behavior of processes is controlled by policy
     • A base set of policy files defines the system policy
     • Additional installed software may specify additional policy
       ◦ This policy is added to the system policy on installation

  21. SELinux policy
     Six easy pieces
     • Type enforcement (TE) attributes
     • TE type declarations
     • TE transition rules
     • TE change rules (not used much)
     • TE access vector rules
     • File context specifications

  22. TE attributes
     • Files named *.te
     • Attributes identify sets of types with similar properties
       ◦ SELinux does not interpret attributes
     • Format:
       ◦ attribute <name>;
     • Examples:
       ◦ attribute logfile;
       ◦ attribute privuser;

  23. TE type declarations
     • Files named *.te
     • Defines type names, with optional aliases and attributes
     • Format:
       ◦ type <name> [alias <aliases>] [attributes];
     • Examples:
       ◦ type mailman_log_t, file_type, sysadmfile, logfile;
       ◦ type man_t alias catman_t;

  24. TE transition rules
     • Files named *.te
     • Specifies allowed type transitions
     • Format:
       ◦ type_transition <source> <action> <target>
     • Example:
       ◦ type_transition mysqld_t mysql_db_t:sock_file mysqld_var_run_t;
         When a process running in the mysqld_t domain accesses a socket labeled with the mysql_db_t type, transition to the mysqld_var_run_t domain.

  25. TE change rules
     • Files named *.te
     • Specifies the new type to use when relabeling, based on process domain, object type, and object class
     • Format:
       ◦ type_change <source> <action> <target>
     • Example:
       ◦ type_change rssh_t server_ptynode:chr_file rssh_devpts_t;
         When running in the rssh_t domain, relabel the associated terminal device as a user terminal

  26. TE access vector rules
     • Files named *.te
     • Specifies the set of permissions based on a type pair and an object security class.
     • Format:
       ◦ <kind> <source> <target>:<securityclass> <permissions>;
     • <kind> is one of:
       ◦ allow – allow requested access
       ◦ auditallow – allow requested access and log the access
       ◦ dontaudit – don't allow and don't log
       ◦ neverallow – stop compilation of policy

  27. TE access vector rules
     • Examples
       ◦ allow initrc_t acct_exec_t:file { getattr read execute };
         Processes running in the initrc_t domain have get-attribute, read, and execute access to files of type acct_exec_t
       ◦ dontaudit traceroute_t { port_type -port_t }:tcp_socket name_bind;
         Processes running in the traceroute_t domain do not log the denial of a request for name_bind permission on a tcp_socket for all types associated with the port_type attribute (except port_t)
       ◦ auditallow ada_t self:process { execstack execmem };
         Processes running in the ada_t domain log the granting of a request to execute code located on the process stack.
       ◦ neverallow ~can_read_shadow_passwords shadow_t:file read;
         No subsequent allow rule can permit the shadow password file to be read, except for those rules associated with the can_read_shadow_passwords attribute.
         Note: this rule is intended to be used during the compilation of policy files, not to protect a running system.

  28. TE access vector rules
     • Macros
           # Do not audit attempts to
           # get the attributes of a persistent
           # filesystem which has extended
           # attributes, such as ext3, JFS, or XFS.
           # Parameter $1 names the domain not to be audited.
           #
           interface(`fs_dontaudit_getattr_xattr_fs',`
               gen_require(`
                   type fs_t;
               ')
               dontaudit $1 fs_t:filesystem getattr;
           ')
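The rule syntax of slides 26 to 28 (the four rule kinds, attribute names, `{ a -b }` sets, `~attr` complements and `self`), worked in Python as an added example that is not part of the slides: a small parser for access vector rules, and the check that makes the policy compiler reject a build when an allow rule collides with a neverallow. The attribute memberships and the two extra allow rules are constructed assumptions, not refpolicy's.

```python
import itertools
import re

ATTRS = {"can_read_shadow_passwords": {"sulogin_t", "passwd_t"},   # constructed memberships
         "port_type": {"port_t", "http_port_t", "mysqld_port_t"}}  # (real refpolicy sets are larger)
SET = r"(~?\{[^}]*\}|~?[^\s{:]+)"   # one operand: 'x', '~x' or '{ a b -c }'
RULE_RE = re.compile(rf"^(allow|auditallow|dontaudit|neverallow)\s+{SET}\s+{SET}:(\w+)\s+{SET}\s*;$")

def names(tok):  # bare identifiers inside an operand, attributes left unexpanded
    return [n.lstrip("-") for n in tok.strip("~{} ").split()]

def expand(tok, universe):
    """Concrete types for an operand: attributes expand to their members,
    '-x' subtracts x, and a leading '~' complements against the universe."""
    pos, neg = set(), set()
    for name in tok.strip("~{} ").split():
        bucket = neg if name.startswith("-") else pos
        bucket |= ATTRS.get(name.lstrip("-"), {name.lstrip("-")})
    return universe - (pos - neg) if tok.startswith("~") else pos - neg

def parse_rule(line):
    """-> (kind, source, target, class, {permissions}); raises on other statements."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not an access vector rule: " + line)
    return m[1], m[2], m[3], m[4], set(names(m[5]))

def pairs(src, tgt, universe):  # (source, target) pairs a rule covers; 'self' pairs a type with itself
    srcs = expand(src, universe)
    return {(s, s) for s in srcs} if tgt == "self" else set(itertools.product(srcs, expand(tgt, universe)))

def neverallow_violations(lines):
    """allow rules that grant something a neverallow forbids, i.e. what makes
    checkpolicy refuse to compile the policy: [(rule, perms, (source, target) pairs)]."""
    rules = [parse_rule(l) for l in lines]
    universe = set().union(*ATTRS.values())
    for _, s, t, _, _ in rules:  # every type named in a rule belongs to the universe
        universe |= {n for n in names(s) + names(t) if n not in ATTRS and n != "self"}
    allows = [(s, t, c, p, pairs(s, t, universe)) for k, s, t, c, p in rules if k == "allow"]
    nevers = [(c, p, pairs(s, t, universe)) for k, s, t, c, p in rules if k == "neverallow"]
    return [(f"allow {s} {t}:{c}", sorted(p & np), sorted(cov & forb))
            for s, t, c, p, cov in allows for nc, np, forb in nevers
            if c == nc and p & np and cov & forb]

# Rules from the slides plus two constructed allow rules to check against the neverallow.
RULES = ["dontaudit traceroute_t { port_type -port_t }:tcp_socket name_bind;",
         "auditallow ada_t self:process { execstack execmem };",
         "neverallow ~can_read_shadow_passwords shadow_t:file read;",
         "allow sulogin_t shadow_t:file { read getattr };",  # fine: sulogin_t has the attribute
         "allow httpd_t shadow_t:file read;"]                # constructed violation
```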

  29. File context specifications
     • Files named *.fc
     • Defines default contexts for files
     • Format:
       ◦ <name-re> [file-type] [security-context]
     • Examples:
       ◦ /bin/login            --  system_u:object_r:login_exec_t:s0
       ◦ /var/tmp/logcheck     -d  system_u:object_r:logrotate_tmp_t
       ◦ /etc/tripwire(/.*)?       system_u:object_r:tripwire_etc_t
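How a file context specification is applied, as an added example that is not part of the slides and covers both this slide and the chcon versus `semanage fcontext` / `restorecon` question of slides 15 to 17: a parser for the `.fc` line format, a lookup that resolves a path and file type to its default context, and a `restorecon -n`-style comparison against current labels. It assumes libselinux's rule that the last matching line wins; the `file_contexts` text and the current labels are constructed.

```python
import re

# Constructed file_contexts text: the slide's three lines (MLS level added) plus the
# entry the lab creates with `semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"`.
FILE_CONTEXTS = """\
/bin/login             --  system_u:object_r:login_exec_t:s0
/var/tmp/logcheck      -d  system_u:object_r:logrotate_tmp_t:s0
/etc/tripwire(/.*)?        system_u:object_r:tripwire_etc_t:s0
/html(/.*)?                system_u:object_r:httpd_sys_content_t:s0
"""
# Optional file-type flags: -- regular file, -d directory, -l symlink, -s socket, -p pipe
FTYPE = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "socket", "-p": "pipe"}

def parse_fc(text):
    """-> [(anchored regex, file type or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            path_re, ftype, ctx = parts[0], FTYPE[parts[1]], parts[2]
        elif len(parts) == 2:
            path_re, ftype, ctx = parts[0], None, parts[1]
        else:
            raise ValueError("bad file_contexts line: " + line)
        specs.append((re.compile(path_re + r"\Z"), ftype, ctx))  # whole-path match
    return specs

def lookup(specs, path, ftype="file"):
    """Default context for path, or None. Assumption: as in libselinux, when several
    specs match the last one in file order wins, so a later `semanage fcontext -a`
    entry overrides an earlier, more generic one."""
    ctx = None
    for path_re, spec_type, spec_ctx in specs:
        if path_re.match(path) and spec_type in (None, ftype):
            ctx = spec_ctx
    return ctx

def mislabeled(specs, current):
    """What `restorecon -nv` would report, {path: (current, expected)}, given
    the current labels as {path: (ftype, context)}."""
    return {p: (ctx, lookup(specs, p, t)) for p, (t, ctx) in current.items()
            if lookup(specs, p, t) not in (None, ctx)}

# Constructed labels as `ls -ZaR /html` might show them right after the lab's mkdir and
# touch, before chcon/restorecon: a new file is labeled at creation, not from file_contexts.
CURRENT = {"/html": ("dir", "unconfined_u:object_r:default_t:s0"),
           "/html/index.html": ("file", "unconfined_u:object_r:default_t:s0"),
           "/bin/login": ("file", "system_u:object_r:login_exec_t:s0")}
```

`chcon` changes only the on-disk label, which is why a relabel reverts it; `semanage fcontext -a` adds a spec like the last line above, so `restorecon` reproduces the intended label.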

  30. SELinux Policy Praxis

  31. Lab – examine policy sources
     • Download policy sources from web page
       ◦ wget http://www.umich.edu/~cja/SEL13/supp/INSTALL-policy-sources.sh
       ◦ sh ./INSTALL-policy-sources.sh
       ◦ Should end with "policy sources are in /etc/selinux/refpolicy/src/policy/policy"

  32. Lab – examine policy sources
     • Raw Audit Messages:
           type=AVC msg=audit(1331774736.845:64): avc: denied { execheap } for pid=1989 comm="selsmash" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
           type=SYSCALL msg=audit(1331774736.845:64): arch=i386 syscall=mprotect success=no exit=EACCES a0=81fb000 a1=1000 a2=7 a3=0 items=0 ppid=1928 pid=1989 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=selsmash exe=/home/cja/selsmash/selsmash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
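Reading the two records above programmatically, as an added example that is not part of the slides: the AVC record carries the decision, the permissions, the source and target contexts and the object class, while the SYSCALL record with the same audit serial says which call failed and whether it really failed; joining them is what sealert and audit2allow start from. The third log line is a constructed denial of the kind the httpd lab produces, carrying the kernel's permissive=1 marker, so the summary can distinguish enforced denials from ones that were only logged.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: the AVC and SYSCALL records from the slide (one record
# per line) plus a constructed permissive-mode denial of the kind the httpd lab produces.
AUDIT_LOG = """\
type=AVC msg=audit(1331774736.845:64): avc: denied { execheap } for pid=1989 comm="selsmash" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1331774736.845:64): arch=i386 syscall=mprotect success=no exit=EACCES a0=81fb000 a1=1000 a2=7 a3=0 items=0 ppid=1928 pid=1989 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=selsmash exe=/home/cja/selsmash/selsmash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331774900.100:71): avc: denied { getattr } for pid=2100 comm="httpd" path="/html/index.html" dev=sda1 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
"""
HEAD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One audit record -> dict of its key=value fields plus _type and _serial;
    AVC records also get decision and perms. Returns None for other lines."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"_type": m[1], "_serial": m[2]}
    body = m[3]
    if rec["_type"] == "AVC":
        avc = AVC_RE.match(body)
        rec["decision"], rec["perms"], body = avc[1], avc[2].split(), avc[3]
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(body))
    return rec

def denials(log):
    """Join each AVC record with the SYSCALL record carrying the same serial and
    summarise the denial. enforced is False when the access was only logged: the
    kernel marked the AVC permissive=1, or the syscall still reports success=yes."""
    by_serial = defaultdict(dict)
    for line in log.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["_serial"]][rec["_type"]] = rec
    out = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc["decision"] != "denied":
            continue
        stype, ttype = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
        out.append({"serial": serial, "comm": avc["comm"], "exe": sc.get("exe"),
                    "syscall": sc.get("syscall"), "source": stype,
                    "target": "self" if ttype == stype else ttype,   # how a rule would name it
                    "tclass": avc["tclass"], "perms": avc["perms"], "path": avc.get("path"),
                    "enforced": avc.get("permissive") != "1" and sc.get("success") != "yes"})
    return out
```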
