Definition of SELinux
Mandatory Access Control
... refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.
var subject = [ 'process', 'thread' ];
var object = [ 'file', 'directory', 'port', 'shm' ];
SELinux adheres to the concept of least privilege: a process gets exactly the rights it needs to perform its given task, and nothing more.
Yes, that includes almighty Root!
Short History of SELinux
1992 = First concepts by NSA
2001 = Intro at Linux Kernel Summit by the NSA. Work on Linux Security Modules begins
2002 = Integration into Kernel 2.4 via module.
2003 = Release of Linux Kernel 2.6 with LSM.
2005 = Inclusion of SELinux in RHEL 4
Architecture Overview
Linux Security Modules
SELinux Components
Security Context
Prerequisites
Confirm Kernel features
# egrep "CONFIG_(.*SELINUX|AUDIT)|XATTR" /boot/config-2.6.18-348.4.1.el5
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_CIFS_XATTR=y
CONFIG_SECURITY_SELINUX=y
Confirm extended attributes
# tune2fs -l /dev/sda1 | grep features:
Filesystem features:      ... ext_attr ...
Enough theory already, bring on the goods!
/etc/selinux/config
Check current status
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
Mid flight mode change
Check
# getenforce
Enforcing
Disarm
# setenforce 0
# getenforce
Permissive
Re-enable
# setenforce 1
# getenforce
Enforcing
Note: setenforce only changes the running kernel. At the next boot the mode reverts to the SELINUX= value in /etc/selinux/config, which is the only persistent setting, and going from disabled to enforcing requires a reboot with a full relabel.
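The two mode sources shown above (the config file and the running kernel) can disagree: a "setenforce 0" left behind, or a kernel booted with enforcing=0, gives a box whose config says enforcing while the kernel is permissive. The following check is an added example and not part of the original slides; it parses an /etc/selinux/config-style file (the sample file here is constructed) and compares the result with the runtime mode, which on a live host would be the output of getenforce.

```shell
#!/bin/sh
# Added example, not from the original slides: detect drift between the
# persistent mode in /etc/selinux/config and the mode the running kernel is in.
# The sample config written below is constructed, not copied from a real host.

# config_mode FILE -> prints the SELINUX= value (enforcing|permissive|disabled),
# ignoring the commented explanation lines and the unrelated SELINUXTYPE= key.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# check_mode CONFIGURED RUNTIME
#   CONFIGURED: value from config_mode
#   RUNTIME:    what getenforce prints (Enforcing, Permissive or Disabled)
# Exit status is the finding:
#   0  config and kernel agree and both are enforcing
#   1  config says enforcing but the kernel is not (setenforce 0 or enforcing=0)
#   2  config itself is the weak setting (permissive or disabled)
check_mode() {
    cfg=$1
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$cfg" != "enforcing" ]; then
        echo "WEAK: /etc/selinux/config sets SELINUX=$cfg"
        return 2
    fi
    if [ "$run" != "enforcing" ]; then
        echo "DRIFT: config is enforcing but the running kernel is $run"
        return 1
    fi
    echo "OK: enforcing, config and runtime agree"
    return 0
}

# --- constructed sample standing in for /etc/selinux/config ---
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

# On a live host the second argument comes from: getenforce
# Here "Permissive" is passed in by hand, so the function reports DRIFT.
check_mode "$(config_mode "$SAMPLE_CONFIG")" "Permissive" || echo "exit status $?"
rm -f "$SAMPLE_CONFIG"
```

Run it from cron or a configuration-management check with `check_mode "$(config_mode /etc/selinux/config)" "$(getenforce)"`; a non-zero status is the thing to alert on, since a permissive kernel still logs denials but no longer blocks anything.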
My role in this?
# secon
user: user_u
role: system_r
type: unconfined_t
Sensitivity: s0
Clearance: s0
Mls-range: s0
The Option of
SELinux enabled utilities (each takes -Z to print the security context; find uses -context)
ls
ps
id
netstat
find -context
lsof (RHEL 6)
Sample output
# ls -Z
drwxr-xr-x  root root system_u:object_r:default_t      foo
# ps -Z
LABEL                          PID TTY          TIME CMD
user_u:system_r:unconfined_t  2508 pts/0    00:00:07 sudo
# id -Z
user_u:system_r:unconfined_t
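A context is user:role:type[:level]; the type (the third colon-separated field) is what the targeted policy actually decides on, and unconfined_t means the policy is not confining that process at all. The following is an added example, not from the original slides: a small field extractor for contexts and a filter over "ps -Z" style output listing unconfined processes. The ps listing embedded in it is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the original slides: pull single fields out of a
# security context and use that to find unconfined processes in "ps -Z" output.
# The ps sample below is constructed, not captured from a real system.

# ctx_field CONTEXT NAME -> prints the user, role, type or level part.
# RHEL 5 prints contexts without the level (user_u:system_r:unconfined_t),
# RHEL 6 with it (...:s0 or ...:s0-s0:c0.c1023), so the level may be empty.
ctx_field() {
    case $2 in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     echo "ctx_field: unknown field '$2'" >&2; return 1 ;;
    esac
}

# unconfined_processes: read "ps -Z" output on stdin (LABEL PID TTY TIME CMD),
# skip the header, print "PID CMD" for every process whose domain is
# unconfined_t, i.e. one the targeted policy does not confine.
unconfined_processes() {
    awk 'NR > 1 { split($1, c, ":"); if (c[3] == "unconfined_t") print $2, $5 }'
}

# --- constructed sample, shaped like "ps -Z" on RHEL 5 ---
SAMPLE_PS='LABEL                          PID TTY          TIME CMD
system_u:system_r:syslogd_t     1201 ?        00:00:01 syslogd
system_u:system_r:httpd_t       1450 ?        00:00:12 httpd
user_u:system_r:unconfined_t    2508 pts/0    00:00:07 sudo
user_u:system_r:unconfined_t    2510 pts/0    00:00:00 bash'

ctx_field "user_u:system_r:unconfined_t:s0" type      # unconfined_t
printf '%s\n' "$SAMPLE_PS" | unconfined_processes      # 2508 sudo / 2510 bash
```

On a live host pipe `ps -eZ` into the filter; long-running network daemons showing up as unconfined_t are worth a look, since a compromise of such a process gains nothing from SELinux being enforcing.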
Output to Context
Making changes
SELinux tools
getsebool
setsebool
chcon
semanage
restorecon
List booleans
# getsebool -a
NetworkManager_disable_trans --> off
aisexec_disable_trans --> off
allow_aisexec_rw_tmpfs --> off
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
Toggle value
# setsebool NetworkManager_disable_trans on
# getsebool NetworkManager_disable_trans
NetworkManager_disable_trans --> on
Note: without -P the new value lasts only until the next policy reload or reboot; setsebool -P writes it into the policy store.
Change context
# cd /var/tmp/foo
# ls -Z bar
-rw-r--r--  root root user_u:object_r:tmp_t:s0         bar
# chcon -t file_t bar
# ls -Z bar
-rw-r--r--  root root user_u:object_r:file_t:s0        bar
Note: chcon rewrites only the label stored on the inode; the policy's file-context rules are untouched, so the next restorecon or full relabel puts the default type back.
Manage context
# semanage fcontext -a -t default_t /var/tmp/foo/bar
# ls -Z bar
-rw-r--r--  root root user_u:object_r:file_t:s0        bar
# restorecon /var/tmp/foo/bar
# ls -Z bar
-rw-r--r--  root root user_u:object_r:default_t:s0     bar
Note: semanage fcontext records the rule in the file-context store, so it survives relabels, but the file's label only changes once restorecon is run against it.
Restore context
# cd /var/tmp/foo
# ls -Z bar
-rw-r--r--  root root user_u:object_r:file_t:s0        bar
# restorecon bar
# ls -Z bar
-rw-r--r--  root root user_u:object_r:tmp_t:s0         bar
Troubleshooting
Auditing tools
audit2allow
audit2why
Aggregating audit log
# audit2allow -a

#============= restorecon_t ==============
allow restorecon_t syslogd_t:dir relabelto;
allow restorecon_t syslogd_t:file relabelto;

#============= syslogd_t ==============
allow syslogd_t default_t:file append;
Babelfishing the log
# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1355080647.280:69): avc:  denied  { relabelto } for  pid=3699 comm="restorecon" name="log" dev=loop0 ino=7905 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:syslogd_t:s0 tclass=dir
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.
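The audit2allow output above is a grouping of the AVC records in the audit log: one rule per (source type, target type, object class) with the denied permissions merged. To show what that aggregation actually involves, here is an added example that is not part of the original slides and not the audit2allow code: a shell function that condenses raw AVC lines into candidate allow rules. The log lines it runs on are constructed to match the denials shown on the slides, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original slides: condense raw AVC denials into
# candidate TE allow rules, grouped the way "audit2allow -a" groups them.
# The log lines below are constructed to match the denials on the slides;
# they were not captured from a real system.

# summarize_avc: read audit.log lines on stdin and print one line per distinct
# (source type, target type, object class) with all denied permissions merged:
#   allow <source_t> <target_t>:<class> { perm ... };
summarize_avc() {
    grep 'avc:.*denied' | awk '
    {
        s = ""; t = ""; c = ""; perms = ""
        # permissions are the brace-delimited list:  denied  { read write } for
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # scontext/tcontext are user:role:type[:level]; the type is field 3
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext")      { split(kv[2], f, ":"); s = f[3] }
            else if (kv[1] == "tcontext") { split(kv[2], f, ":"); t = f[3] }
            else if (kv[1] == "tclass")   c = kv[2]
        }
        if (s == "" || t == "" || c == "") next
        key = s " " t ":" c
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
    }
    END { for (k in seen) printf "allow %s { %s };\n", k, seen[k] }
    ' | LC_ALL=C sort
}

# --- constructed sample audit.log excerpt (SYSCALL record included to show
# that non-AVC lines are ignored) ---
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1355080647.280:69): avc:  denied  { relabelto } for  pid=3699 comm="restorecon" name="log" dev=loop0 ino=7905 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:syslogd_t:s0 tclass=dir
type=SYSCALL msg=audit(1355080647.280:69): arch=c000003e syscall=188 success=no exit=-13 comm="restorecon"
type=AVC msg=audit(1355080647.281:70): avc:  denied  { relabelto } for  pid=3699 comm="restorecon" name="messages" dev=loop0 ino=7906 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1355080700.100:71): avc:  denied  { append } for  pid=1201 comm="syslogd" name="messages" dev=loop0 ino=7906 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1355080700.101:72): avc:  denied  { write } for  pid=1201 comm="syslogd" name="messages" dev=loop0 ino=7906 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1355080700.102:73): avc:  denied  { append } for  pid=1201 comm="syslogd" name="messages" dev=loop0 ino=7906 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

Treat the output as a list of questions, not as policy to load. Run audit2why first to rule out a boolean, and look at the target type before writing a rule: syslogd_t being denied on default_t files, as in the sample, usually means the log files are mislabeled (restorecon fixes that) rather than that the policy is missing a rule, and an allow rule here would just paper over the mislabeling.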
Resources
<http://selinuxproject.org>
<http://en.wikipedia.org/wiki/SELinux>
<https://fedoraproject.org/wiki/SELinux>
?
Thank you