
Hands-on SELinux: A Practical Introduction Security Training Course - PowerPoint PPT Presentation



  1. Hands-on SELinux: A Practical Introduction
  Security Training Course
  Dr. Charles J. Antonelli, The University of Michigan, 2012

  2. Roadmap
  • Day 1:
    - Why SELinux?
    - Overview of SELinux
    - Using SELinux
    - SELinux Permissive Domains
  • Day 2:
    - SELinux Booleans
    - SELinux Policy Theory
    - SELinux Policy Praxis
    - SELinux audit2allow
  03/12 cja 2012 2

  3. SELinux Tools
  • GUI
    - Configure SELinux: sudo /usr/bin/system-config-selinux (Applications | Other | SELinux Management)
    - Interpret SELinux log errors: /usr/bin/sealert (Applications | System Tools | SELinux Troubleshooter)
  • Command line
    - semanage, setsebool, setenforce, getenforce, audit2allow, …
    - As always, man is your friend

  4. Command-line Hints
  1. man is your friend:
      man semanage
  2. Use shell command history
  3. Search for string foo in all files rooted in directory tree bar (the -0 option belongs to xargs, pairing with find's -print0 so that file names containing spaces are passed intact):
      find bar -type f -print0 | xargs -0 grep foo

  5. SELinux Booleans

  6. Booleans
  • Allow policy behavior to be changed at runtime, without writing a new policy module
    - Fine-tune service access
    - Change service port numbers
    - Must be pre-defined by the policy author: a Boolean only switches rules that were already written to depend on it
    - Greatly reduces the need for new policy modules
    - Originally Boolean (on/off) values only
    - Now extended beyond Boolean values (port and file-context mappings managed with semanage, as the next examples show)

  7. Example: httpd_can_network_connect_db
  • List all Booleans:
      getsebool -a
      semanage boolean -l
  • Set a Boolean for the running system only (it does not survive a reboot):
      setsebool httpd_can_network_connect_db on
  • Set a Boolean permanently (also written to the policy store):
      setsebool -P httpd_can_network_connect_db on

  8. Example: http_port_t
  • List the ports each port type covers:
      semanage port -l
  • Add TCP port 1234 to http_port_t, so that httpd is allowed to listen on it:
      semanage port -a -t http_port_t -p tcp 1234

  9. Booleans
  • Command documentation:
      man getsebool
      man setsebool
      man semanage

  10. Lab – httpd server
  Goal: Observe and remove SELinux policy violations
  • Start and stop httpd as installed:
      systemctl status httpd.service
      sudo systemctl start httpd.service
      … observe the default page in a browser
      sudo systemctl stop httpd.service

  11. Lab – httpd server
  • Create a new document directory:
      sudo mkdir /html
      sudo touch /html/index.html
      … maybe add some HTML
      ls -ZaR /html
      … observe the types (a directory created directly under / is not covered by any file-context rule, so it gets default_t, which httpd is not allowed to read)

  12. Lab – httpd server
  • Point DocumentRoot at the new directory:
      sudo vi /etc/httpd/conf/httpd.conf
      … change DocumentRoot to /html

  13. Lab – httpd server
  • Start the server:
      sudo systemctl start httpd.service
      systemctl status httpd.service
  • Browse to the server (it now serves /html)
  • Observe the SELinux alert
    - Or run:
      sudo sealert -a /var/log/audit/audit.log

  14. Lab – httpd server
  • Correct the labeling (chcon rewrites the label stored on root-owned files, so it needs root):
      ls -ZaR /html
      sudo chcon -Rv -t httpd_sys_content_t /html
      ls -ZaR /html
      … what's the difference?

  15. Lab – httpd server
  • Browse to the server again
  • Observe correct operation

  16. Lab – httpd server
  • The modified labels are not permanent
    - They will survive reboots (the label is stored with the file)
    - They will not survive a filesystem relabel (restorecon, or a full relabel at boot): a relabel resets every file to what the policy's file-context rules say, and those rules still say default_t for /html
  • To guarantee permanence, add a file-context rule for the whole tree:
      semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
    - From then on a relabel sets /html to httpd_sys_content_t instead of undoing the fix
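The point of the last three slides is that a relabel does not consult the labels chcon wrote; it consults the file-context rules. The following is an added example (not from the course, and not libselinux's code) that models that lookup in Python: a constructed excerpt in file_contexts format stands in for the distribution's rules, a second constructed entry stands in for what the semanage fcontext command above appends to file_contexts.local, and lookup() applies the two rules libselinux uses: every regex is anchored at both ends, and the last matching entry wins (the policy's base file is pre-sorted from general to specific so that this works). The entries, paths and types are illustrative, not a real system's.

```python
import re

# Constructed excerpt in file_contexts format (<regex> [<file type>] <context>).
# Not a real distribution's entries, just enough of the same shape to show the
# lookup rule; the catch-all "/.*" -> default_t is what labels /html when it is
# created directly under the root directory.
BASE_FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/etc(/.*)?              system_u:object_r:etc_t:s0
/etc/shadow.*     --    system_u:object_r:shadow_t:s0
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
"""

# The entry that semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?" adds
# to file_contexts.local, which libselinux consults after the base file.
LOCAL_FILE_CONTEXTS = """\
/html(/.*)?             system_u:object_r:httpd_sys_content_t:s0
"""

# file-type codes used in file_contexts -> the object class the entry is limited to
FILE_TYPE_CODES = {'--': 'file', '-d': 'dir', '-l': 'lnk_file', '-p': 'fifo_file',
                   '-s': 'sock_file', '-c': 'chr_file', '-b': 'blk_file'}


def parse_file_contexts(text):
    """Return a list of (compiled regex, object class or None, context) in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, code, context = parts
            obj_class = FILE_TYPE_CODES[code]
        elif len(parts) == 2:
            regex, context = parts
            obj_class = None          # entry applies to every object class
        else:
            raise ValueError('malformed file_contexts entry: %r' % raw)
        if context == '<<none>>':
            context = None            # explicit "do not relabel"
        specs.append((re.compile(regex), obj_class, context))
    return specs


def lookup(specs, path, obj_class='file'):
    """The context a relabel (restorecon) would assign to path.

    libselinux anchors every regex at both ends and takes the LAST matching
    entry, so a rule appended later overrides an earlier, more general one.
    Returns None when no entry matches (or the matching entry is <<none>>).
    """
    for regex, entry_class, context in reversed(specs):
        if entry_class is not None and entry_class != obj_class:
            continue
        if regex.fullmatch(path):
            return context
    return None


def context_type(context):
    """user:role:type:level -> type"""
    return context.split(':')[2] if context else None


def demo():
    """Labels a relabel would give /html/index.html before and after the semanage rule."""
    base = parse_file_contexts(BASE_FILE_CONTEXTS)
    with_local = base + parse_file_contexts(LOCAL_FILE_CONTEXTS)
    before = context_type(lookup(base, '/html/index.html'))
    after = context_type(lookup(with_local, '/html/index.html'))
    return before, after


if __name__ == '__main__':
    print('relabel of /html/index.html: before=%s after=%s' % demo())
```

The /etc/shadow entry shows why the file-type column matters: it carries "--", so it applies only to regular files, and a directory named /etc/shadow would fall back to the /etc rule. On a real system the same question is answered by matchpathcon or "restorecon -nv" rather than by this model.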

  17. Lab – vnc-server
  Goal: install a VNC server on your guest and establish a connection to it from your host platform
  • VNC allows you to access your Linux desktop from another (remote) IP address
  • In this lab, we'll use your host platform as that remote IP address
  • Although VNC use requires a separate password, it is not a secure protocol
    - So we'll use ssh to create a secure tunnel between your host and guest

  18. Terminology
  • Guest, i.e., VLE16
  • Host, e.g., Windows
  http://en.wikipedia.org/wiki/Platform_virtualization

  19. Lab – vnc-server
  1. Enable vnc-server on your guest:
      wget http://www.umich.edu/~cja/SEL12/supp/INSTALL-vnc.sh
      sh ./INSTALL-vnc.sh
    - Read the script before running it; it should end with "vnc server running"
  2. Obtain your guest's IP address:
      ifconfig
    - The IP address is the contents of the inet addr field of the ethN entry listed, where N is a small integer

  20. Lab – vnc-server
  3. Install a VNC client on your host platform
    - Windows: select the 32- or 64-bit full installer from http://www.uvnc.com:8080/downloads/ultravnc/92-ultravnc-1095.html and run the downloaded installer application (install Viewer only, keep all other defaults)
    - Mac OS X: select cotv4-20b4.dmg from http://sourceforge.net/projects/cotvnc/ and open the .dmg file to install
    - Linux:
      sudo yum install -y tigervnc

  21. Lab – vnc-server
  4. Install an SSH client on your host platform (this step is needed only for Windows hosts)
    - Windows: we'll install PuTTY, a freely available SSH client: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.60-installer.exe
    - Run the installer

  22. Lab – vnc-server
  5. Open an ssh tunnel to your guest from your host platform
    - Linux & Mac OS X (use your guest IP address from Step 2 in place of guest.ip.addr):
      ssh -L 5901:localhost:5901 lab@guest.ip.addr

  23. Lab – vnc-server
  5. Open an ssh tunnel to your guest from your host platform
    - Windows: start PuTTY

  24. Lab – vnc-server
  • Enter your guest IP address from Step 2 in the Host Name field.
  • Then, in the Category box on the left, select Connection | SSH.
  • Finally, expand the SSH menu item by clicking on its + icon, and select Tunnels.

  25. Lab – vnc-server
  • Enter "5901" in the Source port field.
  • Enter your guest IP address from Step 2 in the Destination field, followed by ":5901" (localhost:5901 also works and matches the ssh -L command used on Linux and Mac OS X; either way the forwarded connection is made by sshd on the guest).
  • Then, click the Add button.

  26. Lab – vnc-server
  • Click the Open button.

  27. Lab – vnc-server
  • In the terminal window that appears, enter "lab".
  • When prompted, enter the password for the guest lab account.
  • You should see a login banner and a shell prompt.
  • You have (1) opened an SSH shell on your guest and (2) forwarded the VNC port (5901) from your host to your guest.

  28. Lab – vnc-server
  6. Connect to your guest using the VNC client on your host
    - Windows: start the application; in the popup window, in the Server: box, enter localhost:1, then Connect
    - This attempt should fail with an SELinux security alert in your guest.

  29. Lab – vnc-server
  6. Connect to your guest using the VNC client on your host
    - Mac OS X: start the application, choose Connection | New Connection, and in the popup window enter Host: localhost, Display: 1, Password: vle$vnc, then Connect
    - This attempt should fail with an SELinux security alert in your guest.

  30. Lab – vnc-server
  6. Connect to your guest using the VNC client on your host
    - Linux:
      vncviewer localhost:1
    - This attempt should fail with an SELinux security alert in your guest.

  31. Lab – vnc-server
  7. Examine the SELinux security alert. Four ways to accomplish this:
    - GUI: click the SELinux alert icon
    - GUI: Applications | System Tools | SELinux Troubleshooter
    - GUI, started from the command line:
      sealert
    - Plain text output from the command line:
      sudo sealert -a /var/log/audit/audit.log | less

  32. Lab – vnc-server
  8. Examine Booleans
    - Command line:
      sudo semanage boolean -l
      sudo semanage boolean -l | less
      sudo semanage boolean -l | grep ssh
    - GUI: System | Administration | SELinux Management; select Boolean, filter by string (e.g., ssh), then check or uncheck the desired Boolean(s)

  33. Lab – vnc-server
  9. Update the Boolean
    - Command line:
      sudo setsebool -P sshd_forward_ports 1
    - GUI: System | Administration | SELinux Management

  34. Lab – VNC server
  10. Again, connect to your guest using the VNC client on your host
    - This time you should see a popup asking for the VNC password. Enter the VNC password: vle$vnc
    - This attempt should succeed!

  35. Key points
  • SELinux prevented sshd on your guest from forwarding the tunnelled connection from your host to port 5901 on your guest: the sshd policy does not permit that connection unless the Boolean is set
  • We told SELinux to allow this permanently by finding the right Boolean (sshd_forward_ports) rather than writing new policy
  • Your guest never had to open firewall port 5901: the VNC traffic arrived inside the SSH tunnel, so only the SSH port needed to be reachable
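Steps 7 to 9 of this lab, and the Booleans slides before it, are one piece of reasoning: read the denial, decide whether it is a labeling problem, a Boolean, or a real policy gap, and apply the narrowest fix. The following added example (written for this page; it is not the course's code and not how sealert is implemented) runs that triage over constructed audit.log lines shaped like the two denials the labs provoke. The BOOLEAN_HINTS and CONTENT_TYPES tables are tiny illustrative subsets standing in for the policy lookup sealert performs; the timestamps, pids and inode numbers in the sample records are made up.

```python
import os
import re

# Constructed audit.log records (not captured from a real system), shaped like
# the two denials the labs provoke: httpd reading the unlabeled /html tree, and
# sshd forwarding a tunnelled connection to the VNC port. The SYSCALL record in
# the middle is there to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1331567890.123:456): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/html/index.html" dev="dm-0" ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1331567890.123:456): arch=c000003e syscall=4 success=no exit=-13 items=0 ppid=2340 pid=2345 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1331568001.456:789): avc:  denied  { name_connect } for  pid=3456 comm="sshd" dest=5901 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """user:role:type:level -> type"""
    return context.split(':')[2] if context else None


def parse_avc(line):
    """Parse one AVC record into a dict; other record types (SYSCALL, ...) give None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec = {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'dest': fields.get('dest'),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
    }
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


# Illustrative subset only: (source type, target type, class) -> Boolean that
# permits the access. sealert derives this from the loaded policy; a table this
# small stands in for that lookup here.
BOOLEAN_HINTS = {
    ('sshd_t', 'vnc_port_t', 'tcp_socket'): 'sshd_forward_ports',
    ('httpd_t', 'mysqld_port_t', 'tcp_socket'): 'httpd_can_network_connect_db',
    ('httpd_t', 'postgresql_port_t', 'tcp_socket'): 'httpd_can_network_connect_db',
}
# Content type each confined service expects to read (again a small subset).
CONTENT_TYPES = {'httpd_t': 'httpd_sys_content_t'}
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'fifo_file', 'sock_file', 'chr_file', 'blk_file'}


def suggest_fix(rec):
    """Classify a denial the way the labs do: Boolean, labeling, or new policy."""
    key = (rec['stype'], rec['ttype'], rec['tclass'])
    if key in BOOLEAN_HINTS:
        return ('boolean', 'setsebool -P %s 1' % BOOLEAN_HINTS[key])
    if (rec['tclass'] in FILE_CLASSES and rec['path']
            and rec['ttype'] in ('default_t', 'unlabeled_t')
            and rec['stype'] in CONTENT_TYPES):
        # Files the policy's file_contexts do not cover: a labeling problem,
        # not a policy gap. Add a rule for the directory tree, then relabel it.
        tree = rec['path'] if rec['tclass'] == 'dir' else os.path.dirname(rec['path'])
        return ('label', 'semanage fcontext -a -t %s "%s(/.*)?" && restorecon -Rv %s'
                % (CONTENT_TYPES[rec['stype']], tree, tree))
    # Nothing pre-built covers it: only then reach for audit2allow, and read the
    # module it generates before loading it.
    return ('policy', 'audit2allow -a -M mymodule')


def triage(log_text):
    """Denied AVC records in log_text, each with the suggested class of fix."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            kind, hint = suggest_fix(rec)
            findings.append({'serial': rec['serial'], 'comm': rec['comm'],
                             'stype': rec['stype'], 'ttype': rec['ttype'],
                             'tclass': rec['tclass'], 'perms': sorted(rec['perms']),
                             'fix': kind, 'hint': hint})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_AUDIT_LOG):
        print('%(serial)s %(comm)s %(stype)s -> %(ttype)s:%(tclass)s %(perms)s: '
              '%(fix)s: %(hint)s' % f)
```

The order of the checks is the point: a Boolean or a label fix keeps the shipped policy intact, while an audit2allow module widens it permanently, so the denial is matched against the narrower fixes first. To run it on a real log, feed the contents of /var/log/audit/audit.log to triage() instead of the constructed sample.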

  36. SELinux Policy Theory

  37. SELinux policy: Overview
  • The behavior of processes is controlled by policy
  • A base set of policy files defines the system policy
  • Additional installed software may carry additional policy
    - This policy is added to the system policy on installation

  38. SELinux policy: Six easy pieces
  • Type enforcement (TE) attributes
  • TE type declarations
  • TE transition rules
  • TE change rules (not used much)
  • TE access vector rules
  • File context specifications

  39. TE attributes
  • Policy source files are named *.te
  • An attribute names a set of types that share a property, so rules can refer to the attribute instead of listing every type
    - SELinux attaches no meaning of its own to an attribute: it is only a name for the set of types that declare it, and the policy compiler expands it into those types
  • Format:
      attribute <name>;
  • Examples:
      attribute logfile;
      attribute privuser;
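To make the "SELinux does not interpret attributes" point concrete, here is an added example (not course material and not the real policy compiler) in Python: a small parser for the statements shown on this slide, extended to the type declarations and access vector rules from the "six easy pieces" list so that there is something to expand. It reads a constructed .te fragment, records which types carry each attribute, and expands an allow rule written against attributes into the per-type tuples the kernel actually decides on. The snippet's types, attributes and rules are illustrative and not taken from any shipped policy module.

```python
import re
from collections import defaultdict

# Constructed .te snippet (illustrative; not from any shipped policy module).
# It uses the two attributes from the slide plus the declarations and one
# access vector rule that the following slides cover.
SAMPLE_TE = """
attribute logfile;
attribute privuser;

type httpd_t;
type sshd_t, privuser;            # sshd_t carries privuser from its declaration
type httpd_log_t, logfile;
type sshd_log_t, logfile;
typeattribute httpd_t privuser;   # attribute added after the type was declared

allow privuser logfile:file { append getattr };
allow httpd_t httpd_log_t:file { create };
"""


def parse_te(text):
    """Collect attribute declarations, type declarations, attribute membership
    and allow rules from a .te fragment. Returns a dict of plain containers."""
    attributes, types = set(), set()
    members = defaultdict(set)        # attribute -> set of types carrying it
    rules = []                        # (source, target, class, perms) as written
    body = re.sub(r'#[^\n]*', '', text)
    for stmt in (s.strip() for s in body.split(';')):
        if not stmt:
            continue
        words = stmt.replace(',', ' ').split()
        kw = words[0]
        if kw == 'attribute':
            attributes.add(words[1])
        elif kw in ('type', 'typeattribute'):
            t = words[1]
            if kw == 'type':
                types.add(t)
            for attr in words[2:]:
                if attr not in attributes:
                    raise ValueError('type %s uses undeclared attribute %s' % (t, attr))
                members[attr].add(t)
        elif kw == 'allow':
            target, cls = words[2].split(':')
            perms = frozenset(w for w in words[3:] if w not in ('{', '}'))
            rules.append((words[1], target, cls, perms))
        else:
            raise ValueError('unsupported statement: %s' % stmt)
    return {'attributes': attributes, 'types': types,
            'members': dict(members), 'rules': rules}


def resolve(policy, name):
    """An attribute stands for its member types; a type stands for itself."""
    if name in policy['attributes']:
        return set(policy['members'].get(name, ()))
    if name in policy['types']:
        return {name}
    raise ValueError('unknown type or attribute: %s' % name)


def expand_rules(policy):
    """Expand every allow rule to (source type, target type, class, permission)
    tuples: the form the kernel decides on, with no attributes left in it."""
    expanded = set()
    for src, tgt, cls, perms in policy['rules']:
        for s in resolve(policy, src):
            for t in resolve(policy, tgt):
                for p in perms:
                    expanded.add((s, t, cls, p))
    return expanded


if __name__ == '__main__':
    pol = parse_te(SAMPLE_TE)
    for attr, types in sorted(pol['members'].items()):
        print('%s = %s' % (attr, sorted(types)))
    for rule in sorted(expand_rules(pol)):
        print('allow %s %s:%s %s;' % rule)
```

The expansion is why the names logfile and privuser never reach the kernel: one rule written against two attributes becomes eight type-to-type permissions, and adding a type to an attribute later (typeattribute) silently grants it every rule written for that attribute, which is worth remembering when reading a policy module's .te file.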
