selinux
play

SELinux It is all about the labels. Who am I? Open Source Advocate - PowerPoint PPT Presentation

Oct 13, 2023 •206 likes •583 views

SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant Student, Tester, Volunteer laubersm (twitter, freenode, fedoraproject) sml@laubersolutions.com https://github.com/laubersm/LauberSolutions Type

  1. SELinux It is all about the labels.

  2. Who am I? Open Source Advocate Instructor Consultant Student, Tester, Volunteer laubersm (twitter, freenode, fedoraproject) sml@laubersolutions.com https://github.com/laubersm/LauberSolutions

  3. Type Enforcement DOG_CHOW CAT_CHOW

  4. ALLOW ALLOW CAT DOG CAT_CHOW : FOOD DOG_CHOW : FOOD EAT EAT

  5. YUMMY! DOG not allowed = DENIED DOG_CHOW:FOOD KERNEL DOG CAT_CHOW

  6. What does this look like on a system?

  7. $ sesearch --allow -s httpd_t -t httpd_sys_content_t Found 15 semantic av rules: allow httpd_t file_type : filesystem getattr ; allow httpd_t file_type : dir { getattr search open } ; allow daemon httpd_sys_content_t : dir { getattr search open } ; allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ; allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ; allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ; allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ; allow httpd_t httpd_content_type : dir { getattr search open } ; allow httpd_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ; allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;

  8. $ ps -ZU apache LABEL PID TTY TIME CMD system_u:system_r:httpd_t:s0 4876 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 4877 ? 00:00:00 httpd $ ls -Z /var/www/html/ unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html DELICIOUS! httpd_t httpd_sys_content_t

  9. $ sesearch --allow -s httpd_t -t shadow_t Found 2 semantic av rules: allow httpd_t file_type : filesystem getattr ; allow httpd_t file_type : dir { getattr search open } ; $ ls -Z /etc/shadow system_u:object_r:shadow_t:s0 /etc/shadow NO! BAD CAT! KERNEL DON'T EAT THAT! httpd_t shadow_t

  10. Wait! There's more.

  11. Multi Category Security (MCS) SPOT FIDO

  12. DOG_CHOW: DOG_CHOW: RANDOM1 RANDOM2 DOG:RANDOM1 DOG:RANDOM2 DOG : RANDOM1 DOG : RANDOM1 DOG_CHOW : RANDOM1 DOG_CHOW : RANDOM1

  13. DOG : FIDO KERNEL DOG_CHOW : SPOT KERNEL DOG CAT_CHOW

  14. What does MCS look like on a system? sandbox

  15. A VM can only access its own disk $ ps -ef -Z | grep qemu system_u:system_r: svirt_t:s0:c189,c390 qemu 27671 1 99 17:36 ? 00:02:44 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name AdminLocal … file=AdminLocal.raw ... $ ls -Z AdminLocal.raw system_u:object_r: svirt_image_t:s0:c189,c390 AdminLocal.raw $ ls -Z RHcurr.img system_u:object_r: svirt_image_t:s0:c290,c831 RHcurr.img

  16. Network connections have context too! $ ps -ef -Z | grep qemu system_u:system_r: svirt_t:s0:c189,c390 qemu 27671 1 99 17:36 ? 00:02:44 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name AdminLocal … file=AdminLocal.raw … # netstat -tZ | egrep '5901|5900' tcp 0 0 127.0.0.1:5901 127.0.0.1:49865 ESTABLISHED 27671/qemu-system-x system_u:system_r: svirt_t:s0:c189,c390 tcp 0 0 127.0.0.1:5900 127.0.0.1:36699 ESTABLISHED 3672/qemu-system-x8 system_u:system_r: svirt_t:s0:c290,c831

  17. Multi Level Security (MLS) DOG : GREYHOUND DOG_CHOW : DOG_CHOW FIDO GREYHOUND DOG : CHIHUAHUA DOG_CHOW : CHIHUAHUA DOG : CHIHUAHUA : CHIHUAHUA DOG_CHOW

  18. Administration Scenario Policy: default “targeted” Content: custom location

  19. Administration Scenario Add file-context for everything under /web # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" # restorecon -R -v /web $ man semanage-fcontext

  20. Administration Scenario Policy: default “targeted” Content: allow ftp dropbox

  21. Administration Scenario Add a read/write file-context for everything under /upload # semanage fcontext -a -t public_content_rw_t "/upload(/.*)?" # restorecon -R -v /upload Enable allow rules with boolean # semanage boolean -m --on ftpd_anon_write $ man semanage-boolean

  22. Administration Scenario Policy: default “targeted” Content: run service on custom port

  23. Administration Scenario Allow sshd to listen on tcp port 8991 # semanage port -a -t ssh_port_t -p tcp 8991 $ man semanage-port

  24. Administration Scenario Policy: default “targeted” Place a particular module into permissive mode.

  25. Administration Scenario List all permissive modules # semanage permissive -l Make httpd_t (Web Server) a permissive domain # semanage permissive -a httpd_t $ man semanage-permissive

  26. Logs, logs, logs (and a bit of troubleshooting) # grep avc /var/log/audit/audit.log type=AVC msg=audit(1439679445.509:7156): avc: denied { read } for pid=4878 comm="httpd" name="index.html" dev="dm-1" ino=57673974 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

  27. Got setroubleshoot? /var/log/messsages or journalctl will have a message similar to: setroubleshoot[5564]: SELinux is preventing /usr/sbin/httpd from read access on the file index.html. For complete SELinux messages. run sealert -l ad4801f3-7f10-4191-a85f-b95d9de40ac1 python[5564]: SELinux is preventing /usr/sbin/httpd from read access on the file index.html. ***** Plugin catchall_boolean (89.3 confidence) suggests ********* If you want to allow httpd to read user content Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean. Do setsebool -P httpd_read_user_content 1

  28. When all else fails... # getenforce # setenforce 0 # <test, test, test> # setenforce 1 # man audit2allow

  29. Does it really protect a system?

  30. Shellshock “SELinux does not block the exploit but it would prevent escalation of confined domains” -Dan Walsh http://danwalsh.livejournal.com/71122.html https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash- flaws/ http://cybermatters.info/2014/10/09/shellshock-selinux/ (interview with Dan) https://blog.hqcodeshop.fi/archives/243-SElinux-and-Shellshock.html CVE-2014-6271 and CVE-2014-7169 and CVE-2014-7186 and CVE-2014-7187

  31. Vemon “sVirt provides good anti-venom for this flaw” -Dan Berrange (creater of libvirt) http://danwalsh.livejournal.com/71489.html https://securityblog.redhat.com/2015/05/13/venom-dont-get-bi tten/ CVE-2015-3456

  32. Svirt to the rescue is not new! CVE-2011-1751 2011 http://danwalsh.livejournal.com/45194.html

  33. PDFs, Browsers, and more “Why we don't confine Firefox with SELinux” By Dan Walsh http://danwalsh.livejournal.com/72697.html CVE-2015-4495 Aug 2015 Consider sandbox tools to confine any application as needed.

  34. More: http://selinuxproject.org/ https://www.nsa.gov/research/selinux/ http://oss.tresys.com/ https://github.com/TresysTechnology/refpolicy/wiki https://github.com/TresysTechnology/setools3/wiki

  35. Thanks! Máirín Duffy Dan Walsh https://github.com/mairin/selinux-coloring-book http://stopdisablingselinux.com

  36. Slides available at: http://github.com/laubersm/LauberSolutions This work is licensed under a Creative Commons Attribution- ShareAlike 4.0 International License. http://creativecommons.org/licenses/by-sa/4.0/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!! SELinux == Labeling Every

611 views • 11 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

1.71k views • 60 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

693 views • 45 slides
SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What? SELinux is a MAC system for Linux Enabled by default on Fedora, RHEL Available on Ubuntu, Gentoo, Debian, etc Policies are available for

579 views • 16 slides
An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba &lt; toshaan@vantosh.com

An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba &lt; toshaan@vantosh.com

An Introduction to SELinux Toshaan Bharvani - VanTosh bvba Introduction How to use it SELinux states Managing SELinux FroSCon 2012 Policies 25 August 2012 The End An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh

466 views • 29 slides
SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux Paul Kuliniewicz &lt;kuliniew@purdue.edu&gt; CERIAS, Purdue University Overview Overview What's wrong with macros? Can we do better?

947 views • 60 slides
Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting SELinux to Mac OS X SELinux Symposium 2007 ELinux Symposium 2007 S Chris Vance Information Systems Security Operation, SPARTA, Inc.

700 views • 26 slides
State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

482 views • 16 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type enforcement November 13, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments

356 views • 24 slides
Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec Senior Software Engineer Security Technologies 1 Who am I ? Lukas Vrabec SELinux Evangelist Member of Security Technologies team at Red

971 views • 70 slides
SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) Example: I may chmod o+a the file containing 506

640 views • 27 slides
What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in SELinux Deploying new

440 views • 25 slides
SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency 1 National Information Assurance Research Laboratory Outline SELinux Background The Year

347 views • 19 slides
Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface Hicks, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Lab Department of Computer Science and Engineering SIIS Lab -

492 views • 25 slides
Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style policy Jaunty/Karmic policy has many modules enabled Userspace looks solid Policy needs work Why? I like Ubuntu People

343 views • 11 slides
Forma&lt;on of Filamentary HI/Molecular C louds and Role of Magne&lt;c Fields Tsuyoshi Inoue

Forma&lt;on of Filamentary HI/Molecular C louds and Role of Magne&lt;c Fields Tsuyoshi Inoue

Forma&lt;on of Filamentary HI/Molecular C louds and Role of Magne&lt;c Fields Tsuyoshi Inoue Department of Physics, Nagoya Univ. Inoue &amp; Inutsuka 2016, ApJ, 833, 10 Inoue, Hennebelle, Fukui, Matsumoto, Iwasaki &amp; Inutsuka 2018, PASJ

364 views • 22 slides
Galactic Sources of VHE Gamma-Ray Emission: Highlights from VERITAS Reshmi Mukherjee 1 for

Galactic Sources of VHE Gamma-Ray Emission: Highlights from VERITAS Reshmi Mukherjee 1 for

Galactic Sources of VHE Gamma-Ray Emission: Highlights from VERITAS Reshmi Mukherjee 1 for the VERITAS Collaboration 1 Barnard College, Columbia University Reshmi Mukherjee TeVPa, Paris 2010 Outline (Quick) introduction to VERITAS

483 views • 22 slides
Data Format is Code's Destiny: Security Anti-Patterns Of Protocol Design. Sergey Bratus with

Data Format is Code's Destiny: Security Anti-Patterns Of Protocol Design. Sergey Bratus with

The Seven Turrets of Babel: Data Format is Code's Destiny: Security Anti-Patterns Of Protocol Design. Sergey Bratus with Falcon Momot Sven Hallberg Meredith L. Patterson Economics Pen test, code audit &quot;2+2&quot; : 2 persons, 2

443 views • 41 slides
Summary of this work p We study the hydrogen line emission from SNR shocks including the effects

Summary of this work p We study the hydrogen line emission from SNR shocks including the effects

On On modeling of hydrogen line emission fr from supernova remnant shocks: the effect of of Lyman an line trap apping

627 views • 37 slides
Dynamics in atmospheres and outflows of evolved stars Elvire De Beck Wouter Vlemmings, Theo

Dynamics in atmospheres and outflows of evolved stars Elvire De Beck Wouter Vlemmings, Theo

Dynamics in atmospheres and outflows of evolved stars Elvire De Beck Wouter Vlemmings, Theo Khouri, Matthias Maercker, Hans Olofsson Department of Space, Earth and Environment, Chalmers University of Technology Onsala Space Observatory The

413 views • 14 slides
The Seven Turrets of Babel: Parser anti-patterns &amp; how to expunge them Sergey Bratus

The Seven Turrets of Babel: Parser anti-patterns &amp; how to expunge them Sergey Bratus

The Seven Turrets of Babel: Parser anti-patterns &amp; how to expunge them Sergey Bratus with Falcon Momot Sven Hallberg Meredith L. Patterson Economics Pen test, code audit &quot;2+2&quot; : 2 persons, 2 weeks Attackers have

360 views • 35 slides
Astrophysical sources sources of of high high- - Astrophysical energy neutrinos neutrinos

Astrophysical sources sources of of high high- - Astrophysical energy neutrinos neutrinos

Astrophysical sources sources of of high high- - Astrophysical energy neutrinos neutrinos energy Karl Mannheim Karl Mannheim Institut fr Theoretische Physik und Astrophysik Institut fr Theoretische Physik und Astrophysik

709 views • 21 slides
Gravitational waves from first-order phase transitions: some developments in ultra-supercooled

Gravitational waves from first-order phase transitions: some developments in ultra-supercooled

Gravitational waves from first-order phase transitions: some developments in ultra-supercooled transitions Ryusuke Jinno (DESY) Based on 1707.03111 with Masahiro Takimoto (Weizmann) 1905.00899 with Hyeonseok Seong (IBS &amp; KAIST), Masahiro

1.04k views • 57 slides

More recommend