state of selinux
play

State of SELinux Paul Moore September 2017 Kernel Changes - PowerPoint PPT Presentation

Mar 05, 2024 •304 likes •482 views

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

  1. State of SELinux Paul Moore September 2017

  2. Kernel Changes

  3. Obligatory Container Slide ● Individual file labeling for cgroup, cgroup2, and tracefs ● Allows for labels unique to each container, enabling SELinux enforced separation for these filesystems ● Context mount tmpfs, ramfs, and devpts in non-init namespaces ● Allows containers running under SELinux to mount these filesystems inside the container 3

  4. “SELinux <heart emoji> KSPP” ● LSM/SELinux hooks marked read-only after boot ● Prevents hijacking/bypass of SELinux kernel hooks ● Various internal structures “constified” ● Prevents malicious tampering of data structures 4

  5. New Stuff We Can’t Claim As Container Related ● Access controls for prlimit(2) ● Control access to resource limits of other processes ● Access controls for mmap(2) ● Enable rights revocation by preventing direct memory access to resources ● Access controls for Infiniband/RDMA ● Add SELinux access controls to Infiniband traffic ● Display SELinux policy capabilities during policy load ● Helpful when trying to determine supported capabilities 5

  6. Old Stuff We Finally Got Working Correctly ● Expand the number of socket related object classes ● All the visible socket address families are supported ● Eliminate the generic “socket” object class ● Shuffle the DAC_OVERRIDE / DAC_READ_SEARCH capabilty checks ● Only check for the capabilities which are needed ● Enable domain transitions under NNP and nosuid ● New SELinux permission to enable transitions ● Plays well with the new systemd NNP protections 6

  7. Fun Stuff I Learned Using gitdm ● Change summary ● Top 10 developers by lines changed ● 102 changesets 1) Daniel Jurgens 584 (37.6%) ● 37 developers 2) Stephen Smalley 564 (36.3%) ● 1407 lines added 3) Andreas Gruenbacher 89 (5.7%) ● 613 lines removed 4) Markus Elfring 84 (5.4%) 5) Scott Mayhew 33 (2.1%) ● 6) Junil Lee 27 (1.7%) 7) Florian Westphal 24 (1.5%) 8) Kees Cook 20 (1.3%) 9) Gary Tierney 19 (1.2%) 10)Matthias Kaehlcke 17 (1.1%) 7

  8. Userspace and Policy Changes

  9. Something For Everyone ... ● New genhomedircon template additions ● Enables greater policy flexibility ● Support for ioctl(2) xperms in policy modules ● Enables the ioctl whitelisting in modular policy ● Generate CIL/policy.conf from binary policy ● Enables inspection of packaged or loaded policy ● Improved attribute handling ● Better performance, memory footprint ● Improved libsemanage’s relinking ● Better performance due to less policy relinking 9

  10. … Even Your Favorite Distribution ● Migrated to setools4 ● setools3 was deprecated/unsupported ● Improved support for Python 3 ● Added support for PCRE2 in libselinux ● Support building with PCRE1 or PCRE2 ● Split policycoreutils into individual components ● Easier for distributions to package and ship ● Similar to existing Fedora / RHEL packaging 10

  11. More Fun With gitdm ● Change summary ● Top 10 developers by lines changed ● 588 changesets 1) James Carter 10757 (29.9%) ● 37 developers 2) Stephen Smalley 9927 (27.6%) ● 26655 lines added 3) Daniel Jurgens 5439 (15.1%) ● 14816 lines removed 4) Jason Zaman 3237 (9.0%) 5) Richard Haines 1487 (4.1%) ● 6) Nicolas Iooss 1304 (3.6%) 7) Janis Danisevskis 957 (2.7%) 8) William Roberts 495 (1.4%) 9) Jeff Vander Stoep 323 (0.9%) 10)Alan Jenkins 309 (0.9%) 11

  12. SEAndroid

  13. Stats We Can Brag About ● ~92% of devices with some SELinux protection ● KitKat (v4.4) and above ● Up from 80% at LSS 2016 ● ~77% of devices with full SELinux protection ● Lollipop (v5.0) and above ● Up from 50% at LSS 2016 13

  14. Proof It All Really Works ● “Honey, I Shrunk the Attack Surface” (click for URL) ● Nick Kralevich, Google at Black Hat 2017 ● Security improvements in Android ● Demonstrated effectiveness of SEAndroid against published attacks (CVEs) ● Impact of SEAndroid on the exploit market 14

  15. More Information

  16. You Should Take A Picture Of This Slide ● Kernel ● git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git ● Userspace / Tests ● https://github.com/SELinuxProject ● Reference Policy ● https://github.com/TresysTechnology/refpolicy ● Mailing List ● https://www.nsa.gov/what-we-do/research/selinux/mailing-list.shtml ● Me ● @securepaul ● paul@paul-moore.com 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!! SELinux == Labeling Every

611 views • 11 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

693 views • 45 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

1.71k views • 60 slides
SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What? SELinux is a MAC system for Linux Enabled by default on Fedora, RHEL Available on Ubuntu, Gentoo, Debian, etc Policies are available for

579 views • 16 slides
Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style policy Jaunty/Karmic policy has many modules enabled Userspace looks solid Policy needs work Why? I like Ubuntu People

343 views • 11 slides
An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba &lt; toshaan@vantosh.com

An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba &lt; toshaan@vantosh.com

An Introduction to SELinux Toshaan Bharvani - VanTosh bvba Introduction How to use it SELinux states Managing SELinux FroSCon 2012 Policies 25 August 2012 The End An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh

466 views • 29 slides
SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux Paul Kuliniewicz &lt;kuliniew@purdue.edu&gt; CERIAS, Purdue University Overview Overview What's wrong with macros? Can we do better?

947 views • 60 slides
Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting SELinux to Mac OS X SELinux Symposium 2007 ELinux Symposium 2007 S Chris Vance Information Systems Security Operation, SPARTA, Inc.

700 views • 26 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type enforcement November 13, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments

356 views • 24 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec Senior Software Engineer Security Technologies 1 Who am I ? Lukas Vrabec SELinux Evangelist Member of Security Technologies team at Red

971 views • 70 slides
SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering

SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering

SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering Pennsylvania State University March 1, 2006 Department of Computer Science &amp; Engineering 1 Talk Topics Mechanism for MAC enforcement between

629 views • 24 slides
SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) Example: I may chmod o+a the file containing 506

640 views • 27 slides
What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in SELinux Deploying new

440 views • 25 slides
Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Security-Enhanced Linux (SELinux) SELinux =

695 views • 21 slides
Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH)

700 views • 35 slides
Advanced Systems Security: Capability Systems Trent Jaeger Systems and Internet

Advanced Systems Security: Capability Systems Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Capability Systems Trent Jaeger

622 views • 36 slides
Set 1: Review of Key Concepts Exercise #1 Correct any invalid XHTML syntax &lt;?xml version =

Set 1: Review of Key Concepts Exercise #1 Correct any invalid XHTML syntax &lt;?xml version =

IT452 Advanced Web and Internet Systems Set 1: Review of Key Concepts Exercise #1 Correct any invalid XHTML syntax &lt;?xml version = &quot;1.0&quot; encoding=utf-8 ?&gt; &lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.1//EN&quot;

402 views • 8 slides
The Review of OGE Form 450 Instructors: Cheryl L. Kane Piasecki and Patrick D. Shepherd

The Review of OGE Form 450 Instructors: Cheryl L. Kane Piasecki and Patrick D. Shepherd

The Review of OGE Form 450 Instructors: Cheryl L. Kane Piasecki and Patrick D. Shepherd Whats the process for review? What types of assignments might the employee participate Duties in? Could any interests disclosed on the Form 450 be

471 views • 26 slides
An Enhanced Ride Sharing Model Based on Human Characteristics and Machine Learning Recommender

An Enhanced Ride Sharing Model Based on Human Characteristics and Machine Learning Recommender

An Enhanced Ride Sharing Model Based on Human Characteristics and Machine Learning Recommender System Govind Yatnalkar, Husnu S. Narman, Haroon Malik The 3rd International Conference on Emerging Data and Industry 4.0 (EDI40) April 6 - 9, 2020,

622 views • 29 slides
Applications of Trigonometric Functions MCR3U: Functions Example A ferris wheel has a diameter

Applications of Trigonometric Functions MCR3U: Functions Example A ferris wheel has a diameter

t r i g o n o m e t r i c f u n c t i o n s t r i g o n o m e t r i c f u n c t i o n s Applications of Trigonometric Functions MCR3U: Functions Example A ferris wheel has a diameter of 16 m, with a minimum height of 2 m above the ground. It

416 views • 3 slides
Seesaws Unequal-weight children dont normally balance the seesaw Moving the heavier

Seesaws Unequal-weight children dont normally balance the seesaw Moving the heavier

Seesaws 1 Seesaws 2 Observations about Seesaws A balanced seesaw rocks back and forth easily Equal-weight children sitting on the seats balance a seesaw Seesaws Unequal-weight children dont normally balance the seesaw Moving

573 views • 3 slides
Evolutionary Multi-Objective Optimisation for Mens Elite Level

Evolutionary Multi-Objective Optimisation for Mens Elite Level

Evolutionary Multi-Objective Optimisation for Mens Elite Level Track Cycling A Real World Cooperative Hierarchical Optimisation Problem By Claire Diora

294 views • 16 slides

More recommend