
Definition of SELinux - PowerPoint PPT Presentation



  1. Definition of SELinux

  2. 80:20:DE:AD:BE:EF

  3. Mandatory Access Control

  4. ... refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.

  5. var subject = [ 'process', 'thread' ];

  6. var object = [ 'file', 'directory', 'port', 'shm' ];

  7. SELinux adheres to the concept of least privilege, which gives a process exactly the rights it needs to perform its given task.

  8. Yes, that includes almighty Root!

  9. Short History of SELinux

  10. 1992 = First concepts by NSA. 2001 = Intro at Linux Kernel Summit by the NSA. Work on Linux Security Modules begins.

  11. 2002 = Integration into Kernel 2.4 via module. 2003 = Release of Linux Kernel 2.6 with LSM. 2005 = Inclusion of SELinux in RHEL 4.

  12. Architecture Overview

  13. Linux Security Modules

  14. SELinux Components

  15. Security Context

  16. Prerequisites

  17. Confirm Kernel features
      # egrep "CONFIG_(.*SELINUX|AUDIT)|XATTR" \
        /boot/config-2.6.18-348.4.1.el5
      CONFIG_AUDIT_ARCH=y
      CONFIG_AUDIT=y
      CONFIG_AUDITSYSCALL=y
      CONFIG_EXT2_FS_XATTR=y
      CONFIG_EXT3_FS_XATTR=y
      CONFIG_EXT4_FS_XATTR=y
      CONFIG_CIFS_XATTR=y
      CONFIG_SECURITY_SELINUX=y

  18. Confirm extended attributes
      # tune2fs -l /dev/sda1 | grep features:
      Filesystem features: ... ext_attr ...

  19. Enough theory already, bring on the goods!

  20. /etc/selinux/config

  21. Check current status
      # sestatus
      SELinux status:         enabled
      SELinuxfs mount:        /selinux
      Current mode:           enforcing
      Mode from config file:  enforcing
      Policy version:         21
      Policy from config file: targeted

  22. Mid-flight mode change
      Check
      # getenforce
      Enforcing
      Disarm
      # setenforce 0
      # getenforce
      Permissive
      Re-enable
      # setenforce 1
      # getenforce
      Enforcing

  23. My role in this?
      # secon
      user: user_u
      role: system_r
      type: unconfined_t
      Sensitivity: s0
      Clearance: s0
      Mls-range: s0

  24. The Option of

  25. SELinux enabled utilities: ls, ps, id, netstat, find -context, lsof (RHEL 6)

  26. Sample output
      # ls -Z
      drwxr-xr-x root root system_u:object_r:default_t foo
      # ps -Z
      LABEL                         PID TTY      TIME     CMD
      user_u:system_r:unconfined_t  2508 pts/0   00:00:07 sudo
      # id -Z
      user_u:system_r:unconfined_t

  27. Output to Context

  28. Making changes

  29. SELinux tools: getsebool, setsebool, chcon, semanage, restorecon

  30. List booleans
      # getsebool -a
      NetworkManager_disable_trans --> off
      aisexec_disable_trans --> off
      allow_aisexec_rw_tmpfs --> off
      allow_console_login --> off
      allow_cvs_read_shadow --> off
      allow_daemons_dump_core --> on
      allow_daemons_use_tty --> on

  31. Toggle value
      # setsebool NetworkManager_disable_trans on
      # getsebool NetworkManager_disable_trans
      NetworkManager_disable_trans --> on

  32. Change context
      # cd /var/tmp/foo
      # ls -Z bar
      -rw-r--r-- root root user_u:object_r:tmp_t:s0 bar
      # chcon -t file_t bar
      # ls -Z bar
      -rw-r--r-- root root user_u:object_r:file_t:s0 bar

  33. Manage context
      # semanage fcontext -a -t default_t /var/tmp/foo/bar
      # ls -Z bar
      -rw-r--r-- root root user_u:object_r:file_t:s0 bar
      # restorecon /var/tmp/foo/bar
      # ls -Z bar
      -rw-r--r-- root root user_u:object_r:default_t:s0 bar

  34. Restore context
      # cd /var/tmp/foo
      # ls -Z bar
      -rw-r--r-- root root user_u:object_r:file_t:s0 bar
      # restorecon bar
      # ls -Z bar
      -rw-r--r-- root root user_u:object_r:tmp_t:s0 bar

  35. Troubleshooting

  36. Auditing tools: audit2allow, audit2why

  37. Aggregating audit log
      # audit2allow -a
      #============= restorecon_t ==============
      allow restorecon_t syslogd_t:dir relabelto;
      allow restorecon_t syslogd_t:file relabelto;
      #============= syslogd_t ==============
      allow syslogd_t default_t:file append;

  38. Babelfishing the log
      # audit2why < /var/log/audit/audit.log
      type=AVC msg=audit(1355080647.280:69): avc: denied { relabelto } for pid=3699 comm="restorecon" name="log" dev=loop0 ino=7905 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:syslogd_t:s0 tclass=dir
          Was caused by:
          Missing or disabled TE allow rule.
          Allow rules may exist but be disabled by boolean settings; check boolean settings.
          You can see the necessary allow rules by running audit2allow with this audit message as input.
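Added example (not part of the deck): a small Python parser that reads AVC denial records like the one above, splits each security context into the user:role:type:level fields shown on the secon and ls -Z slides, and groups the denials into the same allow-rule form that audit2allow -a printed on the previous slide. The sample log is constructed; the first record is the deck's, the other records are invented.

```python
import re
from collections import defaultdict

# Constructed sample audit log: the denial from the audit2why slide plus two
# invented records (pids, inodes and event ids are made up for illustration).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1355080647.280:69): avc:  denied  { relabelto } for  pid=3699 comm="restorecon" name="log" dev=loop0 ino=7905 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:syslogd_t:s0 tclass=dir
type=AVC msg=audit(1355080647.281:70): avc:  denied  { relabelto } for  pid=3699 comm="restorecon" name="messages" dev=loop0 ino=7906 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1355080650.112:71): avc:  denied  { append } for  pid=1234 comm="syslogd" name="messages" dev=loop0 ino=7906 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1355080650.112:71): arch=c000003e syscall=2 success=no exit=-13
"""
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:level] into the fields that secon and ls -Z display."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Return the parsed denial, or None for non-AVC or granted records."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    return {"perms": set(m.group("perms").split()),
            "source": split_context(m.group("scontext")),
            "target": split_context(m.group("tcontext")),
            "tclass": m.group("tclass")}

def summarize_denials(log_text):
    """Group denials by (source type, target type, class), as audit2allow -a does,
    and render each group as the TE rule that would permit it.  The rule only shows
    what was denied; a boolean or a relabel (restorecon) may be the proper fix."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            perms_by_key[(d["source"]["type"], d["target"]["type"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules
```

Running summarize_denials(SAMPLE_AUDIT_LOG) reproduces the three rules from the audit2allow slide; the SYSCALL record is ignored because it carries no avc field.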

  39. Resources < http://selinuxproject.org > < http://en.wikipedia.org/wiki/SELinux > < https://fedoraproject.org/wiki/SELinux >

  40. ?

  41. Thank you
