what is selinux trying to tell me
play

What is SELinux trying to tell me? The 4 key causes of SELinux - PowerPoint PPT Presentation

Aug 16, 2022 •490 likes •611 views

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!! SELinux == Labeling Every

  1. What is SELinux trying to tell me? The 4 key causes of SELinux errors.

  2. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!!

  3. SELinux == Labeling ➔ Every process and object on the machine has a label associated with it ➔ If your files are not labeled correctly access might be denied. ➔ If you use alternative paths for confined domains SELinux needs to KNOW. ➔ http files in /srv/myweb instead of /var/www/html? Tell SELinux. ➔ # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?' ➔ # restorecon -R /srv/myweb

  4. SELinux == Labeling

  5. SELinux == Labeling ➔ Fedora 11 introduces equivalency labeling ➔ semanage fcontext -a -e /srv/myweb /var/www ➔ Tells SELinux to label all files directories under /srv/myweb the same as /var/www ➔ /srv/myweb/cgi-bin/mycgi.cgi will get labeled httpd_sys_script_t ➔ semanage fcontext -a -e /export/home /home ➔ Label all files under /export/home as if they were under /home ➔ /export/home/dwalsh/.ssh will get labeled ssh_home_t

  6. SELinux needs to KNOW ➔ How did you configure your apache server? Tell SELinux!! ➔ If you want httpd to send email ➔ # setsebool -P httpd_can_sendmail 1 ➔ Vsftp setup for users to login ➔ # setsebool -P ftp_home_dir 1 ➔ Http is setup to listen on port 8585 ➔ # semanage port -a -t http_port_t -p tcp 8585

  7. SELinux needs to KNOW file:///Users/Desktop/Screenshot-SELinux%20Boolean%20Lockdown.png file:///Users/Desktop/Screenshot-SELinux%20Administration.png

  8. SELinux needs to KNOW file:///Users/Desktop/Screenshot-SELinux%20Boolean%20Lockdown-1.png

  9. SELinux Policy/Apps Can Have bugs ➔ SELinux Policy might have a bug ➔ Unusual Code Paths ➔ Configurations ➔ Redirection of stdout ➔ Apps have bugs ➔ Leaked File Descriptors ➔ Executable Memory ➔ Badly built libraries ➔ Report the bugs in Bugzilla so we can fix them

  10. SELinux Policy/Apps Can Have bugs!!! ➔ You can tell SELinux to just allow ➔ Selinux is blocking postgresql ➔ Labeling is correct? No appropriate boolean? ➔ Use audit2allow to build a policy module ➔ #grep postgresql /var/log/audit/audit.log | audit2allow -M mypostgresql ➔ # semodule -i mypostsql.pp ➔ Examine mypostgresq.te ➔ Make sure you are not allowing too much? ➔ Ask for help? ➔ #fedora ➔ Fedora-selinux mail list ➔ dwalsh@redhat.com

  11. You could be COMPROMISED!!! ➔ Current tools do not do a good job of differentiating ➔ If you have a confined domain that tries to: ➔ Load a kernel module ➔ Turn off SELinux enforcing mode ➔ Write to etc_t? shadow_t ➔ Modify iptables rules ➔ Sendmail???? ➔ others ➔ You might be compromised

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

1.71k views • 60 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

693 views • 45 slides
SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What? SELinux is a MAC system for Linux Enabled by default on Fedora, RHEL Available on Ubuntu, Gentoo, Debian, etc Policies are available for

579 views • 16 slides
An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba < toshaan@vantosh.com

An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba < toshaan@vantosh.com

An Introduction to SELinux Toshaan Bharvani - VanTosh bvba Introduction How to use it SELinux states Managing SELinux FroSCon 2012 Policies 25 August 2012 The End An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh

466 views • 29 slides
SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux Paul Kuliniewicz <kuliniew@purdue.edu> CERIAS, Purdue University Overview Overview What's wrong with macros? Can we do better?

947 views • 60 slides
Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting SELinux to Mac OS X SELinux Symposium 2007 ELinux Symposium 2007 S Chris Vance Information Systems Security Operation, SPARTA, Inc.

700 views • 26 slides
State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

482 views • 16 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type enforcement November 13, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments

356 views • 24 slides
Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec Senior Software Engineer Security Technologies 1 Who am I ? Lukas Vrabec SELinux Evangelist Member of Security Technologies team at Red

971 views • 70 slides
SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) Example: I may chmod o+a the file containing 506

640 views • 27 slides
What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in SELinux Deploying new

440 views • 25 slides
SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency 1 National Information Assurance Research Laboratory Outline SELinux Background The Year

347 views • 19 slides
SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant

SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant

SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant Student, Tester, Volunteer laubersm (twitter, freenode, fedoraproject) sml@laubersolutions.com https://github.com/laubersm/LauberSolutions Type

583 views • 36 slides
Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface Hicks, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Lab Department of Computer Science and Engineering SIIS Lab -

492 views • 25 slides
Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style policy Jaunty/Karmic policy has many modules enabled Userspace looks solid Policy needs work Why? I like Ubuntu People

343 views • 11 slides
Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter

Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter

Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Yoshi Kohno, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for

785 views • 35 slides
CSC 6991 Topics in Computer Security Fengwei Zhang Wayne State University CSC 6991 Topics in

CSC 6991 Topics in Computer Security Fengwei Zhang Wayne State University CSC 6991 Topics in

CSC 6991 Topics in Computer Security Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Who Am I? Fengwei Zhang Assistant Professor of Computer Science Office: Maccabees Building, Room 14109.3 Email:

453 views • 17 slides
OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

I n t ro d u c i n g OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org) ESDENERA NETWORKS GmbH Why do we need a web server in base? Serve the OpenBSD page. Why do we need a web server

264 views • 22 slides
RAMCloud: Scalable High-Perform ance Storage Entirely in DRAM John Ousterhout, David Mazires,

RAMCloud: Scalable High-Perform ance Storage Entirely in DRAM John Ousterhout, David Mazires,

RAMCloud: Scalable High-Perform ance Storage Entirely in DRAM John Ousterhout, David Mazires, and Mendel Rosenblum Stanford University http://www.stanford.edu/~ouster/cgi-bin/papers/ramcloud.pdf Motivation: Latency at Scale Traditional

646 views • 5 slides
Commission on Journals 2011 Using the Status System David Hoare Systems Developer IUCr Update

Commission on Journals 2011 Using the Status System David Hoare Systems Developer IUCr Update

Commission on Journals 2011 Using the Status System David Hoare Systems Developer IUCr Update your World Directory entry. Update your World Directory entry. Update e-mail details and alerts. Update your World Directory entry. Update

697 views • 49 slides
Rise Silver A Product Need & User $2.5B 970k 71.4% U.S. oven market Wall oven shipments,

Rise Silver A Product Need & User $2.5B 970k 71.4% U.S. oven market Wall oven shipments,

Rise Silver A Product Need & User $2.5B 970k 71.4% U.S. oven market Wall oven shipments, Percent of testers that size, 2018 [1] 2019 (predicted) [2] would potentially purchase Rise Product Benchmarking [3] [4] Regular Racks Easy

491 views • 7 slides
Procurement Overview State Agency Responsibilities Monitoring Training Guidance S

Procurement Overview State Agency Responsibilities Monitoring Training Guidance S

Procurement Overview State Agency Responsibilities Monitoring Training Guidance S tate Agency Monitoring Training Guidance State of Louisiana https:/ / cnp.doe.louisiana.gov/ index.asp USDA/ FNS https:/ / www.fns.usda.gov/

426 views • 16 slides
PPS-Design of an own WWW-Homepage SS 2003 Lecture 4: CGI Scripts and Forms Kroly Farkas

PPS-Design of an own WWW-Homepage SS 2003 Lecture 4: CGI Scripts and Forms Kroly Farkas

PPS-Design of an own WWW-Homepage SS 2003 Lecture 4: CGI Scripts and Forms Kroly Farkas (farkas@tik.ee.ethz.ch) Common Gateway Interface (CGI) Common Gateway Interface is a defined interface between information servers (eg., web

779 views • 20 slides

More recommend