what is selinux trying to tell me
play

What is SELinux trying to tell me? The 4 key causes of SELinux - PowerPoint PPT Presentation

Aug 16, 2022 •490 likes •611 views

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!! SELinux == Labeling Every

  1. What is SELinux trying to tell me? The 4 key causes of SELinux errors.

  2. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!!

  3. SELinux == Labeling ➔ Every process and object on the machine has a label associated with it ➔ If your files are not labeled correctly access might be denied. ➔ If you use alternative paths for confined domains SELinux needs to KNOW. ➔ http files in /srv/myweb instead of /var/www/html? Tell SELinux. ➔ # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?' ➔ # restorecon -R /srv/myweb

  4. SELinux == Labeling

  5. SELinux == Labeling ➔ Fedora 11 introduces equivalency labeling ➔ semanage fcontext -a -e /srv/myweb /var/www ➔ Tells SELinux to label all files directories under /srv/myweb the same as /var/www ➔ /srv/myweb/cgi-bin/mycgi.cgi will get labeled httpd_sys_script_t ➔ semanage fcontext -a -e /export/home /home ➔ Label all files under /export/home as if they were under /home ➔ /export/home/dwalsh/.ssh will get labeled ssh_home_t

  6. SELinux needs to KNOW ➔ How did you configure your apache server? Tell SELinux!! ➔ If you want httpd to send email ➔ # setsebool -P httpd_can_sendmail 1 ➔ Vsftp setup for users to login ➔ # setsebool -P ftp_home_dir 1 ➔ Http is setup to listen on port 8585 ➔ # semanage port -a -t http_port_t -p tcp 8585

  7. SELinux needs to KNOW file:///Users/Desktop/Screenshot-SELinux%20Boolean%20Lockdown.png file:///Users/Desktop/Screenshot-SELinux%20Administration.png

  8. SELinux needs to KNOW file:///Users/Desktop/Screenshot-SELinux%20Boolean%20Lockdown-1.png

  9. SELinux Policy/Apps Can Have bugs ➔ SELinux Policy might have a bug ➔ Unusual Code Paths ➔ Configurations ➔ Redirection of stdout ➔ Apps have bugs ➔ Leaked File Descriptors ➔ Executable Memory ➔ Badly built libraries ➔ Report the bugs in Bugzilla so we can fix them

  10. SELinux Policy/Apps Can Have bugs!!! ➔ You can tell SELinux to just allow ➔ Selinux is blocking postgresql ➔ Labeling is correct? No appropriate boolean? ➔ Use audit2allow to build a policy module ➔ #grep postgresql /var/log/audit/audit.log | audit2allow -M mypostgresql ➔ # semodule -i mypostsql.pp ➔ Examine mypostgresq.te ➔ Make sure you are not allowing too much? ➔ Ask for help? ➔ #fedora ➔ Fedora-selinux mail list ➔ dwalsh@redhat.com

  11. You could be COMPROMISED!!! ➔ Current tools do not do a good job of differentiating ➔ If you have a confined domain that tries to: ➔ Load a kernel module ➔ Turn off SELinux enforcing mode ➔ Write to etc_t? shadow_t ➔ Modify iptables rules ➔ Sendmail???? ➔ others ➔ You might be compromised

Recommend

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

1.71k views • 60 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

693 views • 45 slides
SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What? SELinux is a MAC system for Linux Enabled by default on Fedora, RHEL Available on Ubuntu, Gentoo, Debian, etc Policies are available for

579 views • 16 slides
An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba < toshaan@vantosh.com

An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh bvba < toshaan@vantosh.com

An Introduction to SELinux Toshaan Bharvani - VanTosh bvba Introduction How to use it SELinux states Managing SELinux FroSCon 2012 Policies 25 August 2012 The End An Introduction to SELinux Presentation Toshaan Bharvani - VanTosh

466 views • 29 slides
SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux

SENG: An Enhanced Policy SENG: An Enhanced Policy Language for SELinux Language for SELinux Paul Kuliniewicz <kuliniew@purdue.edu> CERIAS, Purdue University Overview Overview What's wrong with macros? Can we do better?

947 views • 60 slides
Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting SELinux to Mac OS X SELinux Symposium 2007 ELinux Symposium 2007 S Chris Vance Information Systems Security Operation, SPARTA, Inc.

700 views • 26 slides
State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

482 views • 16 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type enforcement November 13, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments

356 views • 24 slides
Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec Senior Software Engineer Security Technologies 1 Who am I ? Lukas Vrabec SELinux Evangelist Member of Security Technologies team at Red

971 views • 70 slides
SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) Example: I may chmod o+a the file containing 506

640 views • 27 slides
What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in SELinux Deploying new

440 views • 25 slides
SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

SELinux Year in Review Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency 1 National Information Assurance Research Laboratory Outline SELinux Background The Year

347 views • 19 slides
SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant

SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant

SELinux It is all about the labels. Who am I? Open Source Advocate Instructor Consultant Student, Tester, Volunteer laubersm (twitter, freenode, fedoraproject) sml@laubersolutions.com https://github.com/laubersm/LauberSolutions Type

583 views • 36 slides
Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface Hicks, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Lab Department of Computer Science and Engineering SIIS Lab -

492 views • 25 slides
Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style

Status of SELinux in Ubuntu State of the Art Available in since Hardy Targeted/MCS style policy Jaunty/Karmic policy has many modules enabled Userspace looks solid Policy needs work Why? I like Ubuntu People

343 views • 11 slides
Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com Oops!!!! 2 Setting the record straight Example Policy - > Reference Policy Base policies package used by distributions to build shipping

561 views • 12 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
ReAssure & SELinux Jacques Thomas, Pascal Meunier, Patrick Eugster, and Jan Vitek ReAssure

ReAssure & SELinux Jacques Thomas, Pascal Meunier, Patrick Eugster, and Jan Vitek ReAssure

ReAssure & SELinux Jacques Thomas, Pascal Meunier, Patrick Eugster, and Jan Vitek ReAssure Firewall Image Server Managed Switch Experimental boxes Deploying VLAN 1 VLAN 2 Experimenting ! VLAN 1 VM VM VLAN 2 VM https:/

406 views • 9 slides
SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering

SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering

SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering Pennsylvania State University March 1, 2006 Department of Computer Science & Engineering 1 Talk Topics Mechanism for MAC enforcement between

629 views • 24 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Security-Enhanced Linux (SELinux) SELinux =

695 views • 21 slides

More recommend