Hands-on SELinux: A Practical Introduction Security Training Course - PowerPoint PPT Presentation

  1. Hands-on SELinux: A Practical Introduction
     Security Training Course
     Dr. Charles J. Antonelli, The University of Michigan, 2012

  2. Roadmap
     • Day 1:
       - Why SELinux?
       - Overview of SELinux
       - Using SELinux
       - SELinux Permissive Domains
     • Day 2:
       - SELinux Booleans
       - SELinux Policy Theory
       - SELinux Policy Praxis
       - SELinux audit2allow
     03/12 cja 2012 2

  3. SELinux Tools
     • GUI
       - Configure SELinux:
           sudo /usr/bin/system-config-selinux
         (Applications | Other | SELinux Management)
       - Interpret SELinux log errors:
           /usr/bin/sealert
         (Applications | System Tools | SELinux Troubleshooter)
     • Command line
       - semanage, setsebool, setenforce, getenforce, audit2allow, ...
       - As always, man is your friend

  4. Command-line Hints
     1. man is your friend:
          man semanage
     2. Use shell command history
     3. Search for string foo in all files rooted in directory tree bar
        (-print0 and -0 belong together so that file names containing spaces are handled):
          find bar -print0 | xargs -0 grep foo

  5. SELinux Booleans

  6. Booleans
     • Allow policies to be changed at runtime
       - Fine-tune service access
       - Change service port numbers
       - Must be pre-defined
       - Greatly reduces need for new policy modules
       - Originally Boolean values only
       - Now extended beyond Boolean values

  7. Example
     • httpd_can_network_connect_db
       List all Booleans:
          getsebool -a
          semanage boolean -l
       Set a Boolean, but not across reboot:
          setsebool httpd_can_network_connect_db on
       Set a Boolean permanently:
          setsebool -P httpd_can_network_connect_db on
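A Boolean set without -P reverts at the next boot, which is easy to forget after a lab like this one. The following added check (not part of the course material) reads `semanage boolean -l` output and lists every Boolean whose runtime state differs from its persistent default; the sample output is constructed, and the parser assumes the `name (state , default) description` column layout.

```shell
# Constructed sample of `semanage boolean -l` output (not captured from a real
# system); the layout assumed is: name (state , default) description.
SAMPLE_BOOLEANS='SELinux boolean                State  Default Description
httpd_can_network_connect_db   (on   ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network using TCP.
sshd_forward_ports             (on   ,   on)  Allow sshd to forward ports.
ftpd_anon_write                (off  ,   on)  Allow ftp servers to upload files, used for public file transfer services.'

# Print the Booleans whose runtime state differs from the persistent default:
# these were set with setsebool but without -P, so they revert at boot.
# Reads `semanage boolean -l` formatted text on stdin; prints "name state default".
unpersisted_booleans() {
    awk '
        # Skip the header line and blank lines.
        NR == 1 || NF == 0 { next }
        {
            # Turn the "(on   ,  off)" column into two plain words.
            line = $0
            gsub(/[(),]/, " ", line)
            split(line, f, /[ \t]+/)
            name = f[1]; state = f[2]; def = f[3]
            if (state != def) print name, state, def
        }'
}

# Typical use on a real guest: sudo semanage boolean -l | unpersisted_booleans
printf '%s\n' "$SAMPLE_BOOLEANS" | unpersisted_booleans
```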

  8. Example
     • http_port_t
          semanage port -l
          semanage port -a -t http_port_t -p tcp 1234

  9. Booleans
     • Command documentation
          man getsebool
          man setsebool
          man semanage

  10. Lab – httpd server
      Goal: Observe and remove SELinux policy violations
      • Start and stop httpd as installed
           systemctl status httpd.service
           sudo systemctl start httpd.service
           ... observe default page
           sudo systemctl stop httpd.service

  11. Lab – httpd server
      • Create a new document directory
           sudo mkdir /html
           sudo touch /html/index.html
           ... maybe add some html
           ls -ZaR /html
           ... observe types

  12. Lab – httpd server
      • Point DocumentRoot at the new directory
           sudo vi /etc/httpd/conf/httpd.conf
           ... change DocumentRoot to /html

  13. Lab – httpd server
      • Start server
           sudo systemctl start httpd.service
           systemctl status httpd.service
      • Navigate to /html
      • Observe SELinux alert
        - Or run
             sudo sealert -a /var/log/audit/audit.log

  14. Lab – httpd server
      • Correct labeling (sudo is needed because /html was created as root)
           ls -ZaR /html
           sudo chcon -Rv -t httpd_sys_content_t /html
           ls -ZaR /html
           ... what's the difference?

  15. Lab – httpd server
      • Navigate to /html
      • Observe correct operation

  16. Lab – httpd server
      • The modified labels are not permanent
        - Will survive reboots
        - Will not survive filesystem relabels
      • To guarantee permanence
           sudo semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
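The two `ls -ZaR /html` listings in this lab are compared by eye; the added check below (not part of the course material) does the same comparison mechanically, reporting every entry whose type is not httpd_sys_content_t. The listing is constructed in the `context path` layout that `ls -Z` prints, and it assumes a freshly created /html carries default_t, which httpd's domain cannot read.

```shell
# Constructed sample in the "context path" layout that `ls -Z` prints (not
# captured from a real system). A directory made with a plain `sudo mkdir /html`
# typically gets default_t, which httpd_t is not allowed to serve.
SAMPLE_LABELS='unconfined_u:object_r:default_t:s0 /html
unconfined_u:object_r:default_t:s0 /html/index.html
system_u:object_r:httpd_sys_content_t:s0 /html/about.html
unconfined_u:object_r:user_home_t:s0 /html/notes.txt'

# Print the paths whose type (third field of user:role:type:level) is not $1.
# Reads "context path" lines on stdin.
mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] != want) print $2
        }'
}

# Exit 0 when every entry on stdin carries type $1, 1 otherwise; a quick
# pre-flight before starting httpd, or after a relabel.
labels_ok() {
    [ -z "$(mislabeled "$1")" ]
}

# Typical use on a real guest: ls -Z /html/* | mislabeled httpd_sys_content_t
printf '%s\n' "$SAMPLE_LABELS" | mislabeled httpd_sys_content_t
```

Run `labels_ok` again after a relabel (for example `restorecon -Rv /html`, which applies the semanage fcontext rule from this slide) to confirm that the persistent rule, not just the chcon change, produces the expected types.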

  17. Lab – vnc-server
      Goal: install a VNC server on your guest and establish a connection to it from your host platform
      • VNC allows you to access your Linux desktop from another (remote) IP address
      • In this lab, we'll use your host platform as that remote IP address
      • Although VNC use requires a separate password, it is not a secure protocol
        - So we'll use ssh to create a secure tunnel between your host and guest

  18. Terminology
      • Guest, i.e., VLE16
      • Host, e.g., Windows
      http://en.wikipedia.org/wiki/Platform_virtualization

  19. Lab – vnc-server
      1. Enable vnc-server on your guest
           wget http://www.umich.edu/~cja/SEL12/supp/INSTALL-vnc.sh
           sh ./INSTALL-vnc.sh
         Should end with "vnc server running"
      2. Obtain your guest's IP address
           ifconfig
         The IP address will be the contents of the inet addr field of the ethN entry listed, where N is a small integer

  20. Lab – vnc-server
      3. Install a VNC client on your host platform
         - Windows: (select the 32- or 64-bit full installer)
             http://www.uvnc.com:8080/downloads/ultravnc/92-ultravnc-1095.html
           Run the downloaded installer application (install Viewer only, keep all other defaults)
         - Mac OS X: (select cotv4-20b4.dmg)
             http://sourceforge.net/projects/cotvnc/
           Open the .dmg file to install.
         - Linux:
             sudo yum install -y tigervnc

  21. Lab – vnc-server
      4. Install an SSH client on your host platform (This step is needed only for Windows hosts)
         - Windows: We'll install PuTTY, a freely available SSH client:
             http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.60-installer.exe
           Run the installer

  22. Lab – vnc-server
      5. Open an ssh tunnel to your guest from your host platform:
         Linux & Mac OS X:
             ssh -L 5901:localhost:5901 lab@guest.ip.addr
         (Use your guest IP address from Step 2 in place of guest.ip.addr.)

  23. Lab – vnc-server
      5. Open an ssh tunnel to your guest from your host platform:
         Windows:
         - Start PuTTY

  24. Lab – vnc-server
      • Enter your guest IP address from Step 2 in the Host Name field.
      • Then, in the Category box on the left, select Connection | SSH.
      • Finally, expand the SSH menu item by clicking on its + icon, and select Tunnels.

  25. Lab – vnc-server
      • Enter "5901" in the Source port field.
      • Enter your guest IP address from Step 2 in the Destination field, followed by ":5901".
      • Then, click the Add button.

  26. Lab – vnc-server
      • Click the Open button.

  27. Lab – vnc-server
      • In the terminal window that appears, enter "lab".
      • When prompted, enter the password for the guest lab account.
      • You should see a login banner and a shell prompt.
      • You have (1) opened an SSH shell on your guest and (2) forwarded the VNC port (5901) from your host to your guest.

  28. Lab – vnc-server
      6. Connect to your guest using the VNC client on your host:
         - Windows:
           Start the application
           In the popup window, in the Server: box, enter: localhost:1
           Connect
           This attempt should fail with an SELinux security alert in your guest.

  29. Lab – vnc-server
      6. Connect to your guest using the VNC client on your host:
         - Mac OS X:
           Start the application
           Connection | New Connection
           In the popup window, enter:
             Host: localhost
             Display: 1
             Password: vle$vnc
           Connect
           This attempt should fail with an SELinux security alert in your guest.

  30. Lab – vnc-server
      6. Connect to your guest using the VNC client on your host:
         - Linux:
             vncviewer localhost:1
           This attempt should fail with an SELinux security alert in your guest.

  31. Lab – vnc-server
      7. Examine SELinux security alert
         Four ways to accomplish this:
         GUI:
         - Click the SELinux alert icon
         - Applications | System Tools | SELinux Troubleshooter
         - From the command line: sealert
         Plain text output:
         - From the command line:
             sudo sealert -a /var/log/audit/audit.log | less

  32. Lab – vnc-server
      8. Examine Booleans
         Command line:
             sudo semanage boolean -l
             sudo semanage boolean -l | less
             sudo semanage boolean -l | grep ssh
         GUI:
         - System | Administration | SELinux Management
           Select Boolean
           Filter by string, e.g., ssh
           Check or uncheck desired Boolean(s)

  33. Lab – vnc-server
      9. Update Boolean
         Command line:
             sudo setsebool -P sshd_forward_ports 1
         GUI:
         - System | Administration | SELinux Management

  34. Lab – VNC server
      10. Again, connect to your guest using the VNC client on your host
          This time you should see a popup asking for the VNC password.
          Enter VNC password: vle$vnc
          This attempt should succeed!

  35. Key points
      • SELinux prevented sshd on your guest from forwarding port 5901 on your host to port 5901 on your guest
      • We told SELinux to permanently allow this connection by finding the right Boolean
      • Your guest never unblocked firewall port 5901
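Finding "the right Boolean" starts with reading the denial itself: the source domain, the permission, the target type and the object class. The added script below (not part of the course material) condenses AVC records from audit.log into one line per domain/permission/type/class so that the sshd port-forward denial from this lab and the httpd labeling denials from the earlier lab stand out; the audit lines are constructed, with types chosen to match the two labs.

```shell
# Constructed sample of /var/log/audit/audit.log lines (not captured from a real
# guest): the sshd port-forward denial from the VNC lab, three httpd denials from
# the mislabeled /html lab, and one non-AVC record that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1331578311.412:118): avc:  denied  { name_connect } for  pid=2345 comm="sshd" dest=5901 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1331578320.101:121): avc:  denied  { read } for  pid=2401 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1331578320.105:122): avc:  denied  { read } for  pid=2401 comm="httpd" name="about.html" dev="dm-0" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1331578320.109:123): avc:  denied  { getattr } for  pid=2401 comm="httpd" path="/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=USER_AUTH msg=audit(1331578325.000:124): pid=2402 uid=0 msg="op=PAM:authentication acct=lab exe=/usr/sbin/sshd res=success"'

# Summarise AVC denials read on stdin as "count source_type permission target_type class",
# most frequent first. Grouping by source and target type (not pid or path) shows which
# domain/type pair a Boolean (sshd_t -> vnc_port_t) or a relabel (httpd_t -> default_t)
# has to address.
avc_summary() {
    awk '
        # Pull the value of key=... from the current record.
        function field(key,   v) { v = $0; sub(".*" key "=", "", v); sub(/ .*/, "", v); return v }
        /^type=AVC / && /avc: +denied/ {
            perm = $0
            sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
            split(field("scontext"), sc, ":")
            split(field("tcontext"), tc, ":")
            count[sc[3] " " perm " " tc[3] " " field("tclass")]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Typical use on a real guest: sudo avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```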

  36. SELinux Policy Theory

  37. SELinux policy
      Overview
      • Behavior of processes is controlled by policy
      • A base set of policy files define the system policy
      • Additional installed software may specify additional policy
        - This policy is added to the system policy on installation

  38. SELinux policy
      Six easy pieces
      • Type enforcement (TE) attributes
      • TE type declarations
      • TE transition rules
      • TE change rules (not used much)
      • TE access vector rules
      • File context specifications

  39. TE attributes
      • Files named *.te
      • Attributes identify sets of types with similar properties
        - SELinux does not interpret attributes
      • Format:
           attribute <name>;
      • Examples:
           attribute logfile;
           attribute privuser;
