An Introduction to SELinux
Toshaan Bharvani - VanTosh bvba <toshaan@vantosh.com>
FrOSCon 2012, 25 August 2012
$ whoami
Toshaan Bharvani
  From Antwerp, Belgium
  Currently self-employed: VanTosh
  Involved with Enterprise Linux, RPM packaging
  Like to keep everything secure
  Involved with hardware, software and conferences
  Twitter: @toshywoshy / Identi.ca: @toshywoshy
Table of contents
1 Introduction
2 How to use it
  SELinux states
  Managing SELinux
  Policies
  The End
1 Introduction
Traditional Linux Permissions
  everything is a file
  3 x 3 file level security
    user, group, others
    read, write, execute
    0/-, 4/r, 2/w, 1/x (1)
(1) If you didn't notice, this is binary.
What is SELinux
  SELinux = Security-Enhanced Linux
  Mechanism for supporting Mandatory Access Control security policies
  Linux Security Modules (LSM) run in the Linux kernel
  Everything is a context
  Several security models
    Type Enforcement (TE)
    Role Based Access Control (RBAC)
    Multilevel Security (MLS)
  Developed by the NSA
Access Control
  Type Enforcement (TE)
    The primary mechanism of access control used in the targeted policy
  Role-Based Access Control (RBAC)
    Based around SELinux users (not necessarily the same as the Linux user)
  Multi-Level Security (MLS)
    Not used and often hidden in the default targeted policy.
SELinux visually
  (diagram slide)
SELinux features
  Separation of policy from enforcement
  Predefined policy interfaces
  Support for applications querying the policy and enforcing access control
  Independent of specific policies, policy languages, security label formats and contents
  Caching of access decisions for efficiency
  Policy changes are possible (!!!)
  Separate measures for protecting system integrity and data confidentiality
  Controls over process initialization and inheritance and program execution
  Controls file systems, directories, files, and open file descriptors
  Controls over sockets, messages, and network interfaces
SELinux hidden features (from hell)
  Breaks systems that are not secure
  Disallows services of misbehaving
  Annoyment tool for juniors
  Will take over the world
  Restricts the root user
  Cannot be disabled just like that for daemons
  Inappropriate processes will be excommunicated
Past, Today, Future
  (diagram slide)
Where is SELinux
  In the kernel from 2.6.0 - 2002
  Red Hat Enterprise Linux: from v4
  CentOS: from v4
  Fedora: from Core 2
  Novell SLES, OpenSuSE
  Gentoo
  Debian (Etch), Ubuntu (8.04)
  AndroidSE
  ...
Misconceptions about SELinux
  "Life is too short for SELinux" (2) - Theodore Ts'o
  "SELinux is a pain in the ass" - urban legend
  Upstream vendors require me to disable SELinux
(2) SELinux is so horrible to use that, after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.
The good of SELinux
  "Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list." - Larry Loeb (3)
(3) Security author and researcher
Why use SELinux?
  It confines processes, services and users in compartments
  Allows use of one compartment of a system:
    virtual machine: sVirt (qemu, lxc, ...)
    user: xguest
    hardware: usbredir, automobile, smartphone, ...
  Stops daemons going bad
  Really increases security
  No, it isn't difficult
2 How to use it
Changing SELinux states
  Enforcing
    Enable and enforce the SELinux security policy on the system, denying access and logging actions
  Permissive
    Enables, but will not enforce the security policy, only warn and log actions
  Disabled
    SELinux is turned off
Checking the state of SELinux
  sestatus
    Enforcing
    Permissive
  -Z
    ls -Z
    netstat -Z
    ps -Z
File labels
  Objects (processes, files, inodes, superblocks etc.) in the OS are labeled
  Files are persistently labeled via extended attributes
  Labels are called security contexts
  Labels contain all SELinux security information
Relabelling files
  chcon -R -t httpd_sys_content_t /usr/srv/www
  semanage fcontext -a -t httpd_sys_content_t "/usr/srv/www(/.*)?"
  restorecon -Rv -n /var/www/html
Relabelling the whole filesystem
  genhomedircon
  touch /.autorelabel
  reboot
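An added example (not from the slides) that parses the user:role:type:level security contexts printed by ls -Z and flags files in a document root whose type is not httpd_sys_content_t, the check you would run before deciding whether a restorecon pass is needed. The listing is constructed inline in the "context path" form that ls -Z prints, and the paths are hypothetical.

```shell
# Added example: inspect SELinux security contexts (user:role:type:level)
# from a constructed "ls -Z" listing and report files whose type does not
# match the expected one for a web document root.

# Extract one field of a context string: 1=user 2=role 3=type 4=level
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# The type field is the part Type Enforcement decides on
label_type() {
    ctx_field "$1" 3
}

# Read "context path" lines on stdin, print "path actual_type" for every
# entry whose type differs from the expected type ($1).
# Returns 1 if any mismatch was found, 0 otherwise.
find_mislabelled() {
    expected=$1
    bad=0
    while read -r ctx path; do
        [ -z "$ctx" ] && continue
        actual=$(label_type "$ctx")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s\n' "$path" "$actual"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: one file was copied into the document root from a
# home directory and kept its user_home_t label (hypothetical paths)
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 /usr/srv/www/index.html
unconfined_u:object_r:user_home_t:s0 /usr/srv/www/upload.php
system_u:object_r:httpd_sys_content_t:s0 /usr/srv/www/logo.png'

# Number of entries in the sample whose type is not $1
count_mislabelled() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mislabelled "$1" | wc -l | tr -d ' '
}

# Usage: list what a relabel would have to fix
printf '%s\n' "$SAMPLE_LISTING" | find_mislabelled httpd_sys_content_t \
    || echo "mismatches found: restorecon -Rv on the document root would fix them"
```

On a real host, restorecon -Rv -n as on the slide reports the same differences against the policy's file contexts without changing anything; drop -n to apply them.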
Enabling bools & ports
  Managing ports
    semanage port -l
    semanage port -a -t http_port_t -p tcp 8181
  Managing predefined policies
    getsebool -a | grep samba
    setsebool -P samba_enable_home_dirs on