selinux
play

SELinux It is all about the labels. Who am I? Open Source Advocate - PowerPoint PPT Presentation

Oct 13, 2023 •206 likes •583 views

SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant Student, Tester, Volunteer laubersm (twitter, freenode, fedoraproject) sml@laubersolutions.com https://github.com/laubersm/LauberSolutions Type

  1. SELinux It is all about the labels.

  2. Who am I? Open Source Advocate Instructor Consultant Student, Tester, Volunteer laubersm (twitter, freenode, fedoraproject) sml@laubersolutions.com https://github.com/laubersm/LauberSolutions

  3. Type Enforcement DOG_CHOW CAT_CHOW

  4. ALLOW ALLOW CAT DOG CAT_CHOW : FOOD DOG_CHOW : FOOD EAT EAT

  5. YUMMY! DOG not allowed = DENIED DOG_CHOW:FOOD KERNEL DOG CAT_CHOW

  6. What does this look like on a system?

  7. $ sesearch --allow -s httpd_t -t httpd_sys_content_t Found 15 semantic av rules: allow httpd_t file_type : filesystem getattr ; allow httpd_t file_type : dir { getattr search open } ; allow daemon httpd_sys_content_t : dir { getattr search open } ; allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ; allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ; allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ; allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ; allow httpd_t httpd_content_type : dir { getattr search open } ; allow httpd_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ; allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;

  8. $ ps -ZU apache LABEL PID TTY TIME CMD system_u:system_r:httpd_t:s0 4876 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 4877 ? 00:00:00 httpd $ ls -Z /var/www/html/ unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html DELICIOUS! httpd_t httpd_sys_content_t

  9. $ sesearch --allow -s httpd_t -t shadow_t Found 2 semantic av rules: allow httpd_t file_type : filesystem getattr ; allow httpd_t file_type : dir { getattr search open } ; $ ls -Z /etc/shadow system_u:object_r:shadow_t:s0 /etc/shadow NO! BAD CAT! KERNEL DON'T EAT THAT! httpd_t shadow_t

  10. Wait! There's more.

  11. Multi Category Security (MCS) SPOT FIDO

  12. DOG_CHOW: DOG_CHOW: RANDOM1 RANDOM2 DOG:RANDOM1 DOG:RANDOM2 DOG : RANDOM1 DOG : RANDOM1 DOG_CHOW : RANDOM1 DOG_CHOW : RANDOM1

  13. DOG : FIDO KERNEL DOG_CHOW : SPOT KERNEL DOG CAT_CHOW

  14. What does MCS look like on a system? sandbox

  15. A VM can only access its own disk $ ps -ef -Z | grep qemu system_u:system_r: svirt_t:s0:c189,c390 qemu 27671 1 99 17:36 ? 00:02:44 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name AdminLocal … file=AdminLocal.raw ... $ ls -Z AdminLocal.raw system_u:object_r: svirt_image_t:s0:c189,c390 AdminLocal.raw $ ls -Z RHcurr.img system_u:object_r: svirt_image_t:s0:c290,c831 RHcurr.img

  16. Network connections have context too! $ ps -ef -Z | grep qemu system_u:system_r: svirt_t:s0:c189,c390 qemu 27671 1 99 17:36 ? 00:02:44 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name AdminLocal … file=AdminLocal.raw … # netstat -tZ | egrep '5901|5900' tcp 0 0 127.0.0.1:5901 127.0.0.1:49865 ESTABLISHED 27671/qemu-system-x system_u:system_r: svirt_t:s0:c189,c390 tcp 0 0 127.0.0.1:5900 127.0.0.1:36699 ESTABLISHED 3672/qemu-system-x8 system_u:system_r: svirt_t:s0:c290,c831

  17. Multi Level Security (MLS) DOG : GREYHOUND DOG_CHOW : DOG_CHOW FIDO GREYHOUND DOG : CHIHUAHUA DOG_CHOW : CHIHUAHUA DOG : CHIHUAHUA : CHIHUAHUA DOG_CHOW

  18. Administration Scenario Policy: default “targeted” Content: custom location

  19. Administration Scenario Add file-context for everything under /web # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" # restorecon -R -v /web $ man semanage-fcontext

  20. Administration Scenario Policy: default “targeted” Content: allow ftp dropbox

  21. Administration Scenario Add a read/write file-context for everything under /upload # semanage fcontext -a -t public_content_rw_t "/upload(/.*)?" # restorecon -R -v /upload Enable allow rules with boolean # semanage boolean -m --on ftpd_anon_write $ man semanage-boolean

  22. Administration Scenario Policy: default “targeted” Content: run service on custom port

  23. Administration Scenario Allow sshd to listen on tcp port 8991 # semanage port -a -t ssh_port_t -p tcp 8991 $ man semanage-port

  24. Administration Scenario Policy: default “targeted” Place a particular module into permissive mode.

  25. Administration Scenario List all permissive modules # semanage permissive -l Make httpd_t (Web Server) a permissive domain # semanage permissive -a httpd_t $ man semanage-permissive

  26. Logs, logs, logs (and a bit of troubleshooting) # grep avc /var/log/audit/audit.log type=AVC msg=audit(1439679445.509:7156): avc: denied { read } for pid=4878 comm="httpd" name="index.html" dev="dm-1" ino=57673974 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

  27. Got setroubleshoot? /var/log/messsages or journalctl will have a message similar to: setroubleshoot[5564]: SELinux is preventing /usr/sbin/httpd from read access on the file index.html. For complete SELinux messages. run sealert -l ad4801f3-7f10-4191-a85f-b95d9de40ac1 python[5564]: SELinux is preventing /usr/sbin/httpd from read access on the file index.html. ***** Plugin catchall_boolean (89.3 confidence) suggests ********* If you want to allow httpd to read user content Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean. Do setsebool -P httpd_read_user_content 1

  28. When all else fails... # getenforce # setenforce 0 # <test, test, test> # setenforce 1 # man audit2allow

  29. Does it really protect a system?

  30. Shellshock “SELinux does not block the exploit but it would prevent escalation of confined domains” -Dan Walsh http://danwalsh.livejournal.com/71122.html https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash- flaws/ http://cybermatters.info/2014/10/09/shellshock-selinux/ (interview with Dan) https://blog.hqcodeshop.fi/archives/243-SElinux-and-Shellshock.html CVE-2014-6271 and CVE-2014-7169 and CVE-2014-7186 and CVE-2014-7187

  31. Vemon “sVirt provides good anti-venom for this flaw” -Dan Berrange (creater of libvirt) http://danwalsh.livejournal.com/71489.html https://securityblog.redhat.com/2015/05/13/venom-dont-get-bi tten/ CVE-2015-3456

  32. Svirt to the rescue is not new! CVE-2011-1751 2011 http://danwalsh.livejournal.com/45194.html

  33. PDFs, Browsers, and more “Why we don't confine Firefox with SELinux” By Dan Walsh http://danwalsh.livejournal.com/72697.html CVE-2015-4495 Aug 2015 Consider sandbox tools to confine any application as needed.

  34. More: http://selinuxproject.org/ https://www.nsa.gov/research/selinux/ http://oss.tresys.com/ https://github.com/TresysTechnology/refpolicy/wiki https://github.com/TresysTechnology/setools3/wiki

  35. Thanks! Máirín Duffy Dan Walsh https://github.com/mairin/selinux-coloring-book http://stopdisablingselinux.com

  36. Slides available at: http://github.com/laubersm/LauberSolutions This work is licensed under a Creative Commons Attribution- ShareAlike 4.0 International License. http://creativecommons.org/licenses/by-sa/4.0/

Recommend

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!! SELinux == Labeling Every

611 views • 11 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

1.71k views • 60 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

693 views • 45 slides
SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What? SELinux is a MAC system for Linux Enabled by default on Fedora, RHEL Available on Ubuntu, Gentoo, Debian, etc Policies are available for

579 views • 16 slides
An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba &lt; toshaan@vantosh.com

An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba &lt; toshaan@vantosh.com

An Introduction to SELinux Toshaan Bharvani - VanTosh bvba Introduction How to use it SELinux states Managing SELinux FroSCon 2012 Policies 25 August 2012 The End An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh

466 views • 29 slides
SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux Paul Kuliniewicz &lt;kuliniew@purdue.edu&gt; CERIAS, Purdue University Overview Overview What's wrong with macros? Can we do better?

947 views • 60 slides
Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting SELinux to Mac OS X SELinux Symposium 2007 ELinux Symposium 2007 S Chris Vance Information Systems Security Operation, SPARTA, Inc.

700 views • 26 slides
State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

482 views • 16 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type enforcement November 13, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments

356 views • 24 slides
Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec Senior Software Engineer Security Technologies 1 Who am I ? Lukas Vrabec SELinux Evangelist Member of Security Technologies team at Red

971 views • 70 slides
SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) Example: I may chmod o+a the file containing 506

640 views • 27 slides
What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in SELinux Deploying new

440 views • 25 slides
SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency 1 National Information Assurance Research Laboratory Outline SELinux Background The Year

347 views • 19 slides
Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface Hicks, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Lab Department of Computer Science and Engineering SIIS Lab -

492 views • 25 slides
Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style policy Jaunty/Karmic policy has many modules enabled Userspace looks solid Policy needs work Why? I like Ubuntu People

343 views • 11 slides
Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com Oops!!!! 2 Setting the record straight Example Policy - &gt; Reference Policy Base policies package used by distributions to build shipping

561 views • 12 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
ReAssure &amp; SELinux Jacques Thomas, Pascal Meunier, Patrick Eugster, and Jan Vitek ReAssure

ReAssure &amp; SELinux Jacques Thomas, Pascal Meunier, Patrick Eugster, and Jan Vitek ReAssure

ReAssure &amp; SELinux Jacques Thomas, Pascal Meunier, Patrick Eugster, and Jan Vitek ReAssure Firewall Image Server Managed Switch Experimental boxes Deploying VLAN 1 VLAN 2 Experimenting ! VLAN 1 VM VM VLAN 2 VM https:/

406 views • 9 slides
SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering

SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering

SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering Pennsylvania State University March 1, 2006 Department of Computer Science &amp; Engineering 1 Talk Topics Mechanism for MAC enforcement between

629 views • 24 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Security-Enhanced Linux (SELinux) SELinux =

695 views • 21 slides

More recommend