SlideShare une entreprise Scribd logo

SELinux basics

Lubomir Rintel
Lubomir Rintel

Practical SELinux basics

Technologie
1  sur  22
Télécharger pour lire hors ligne
SELinux introduction Ľubomír Rintel <lubo.rintel@gooddata.com>
Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context
SELinux introduction Ľubomír Rintel <lubo.rintel@gooddata.com>
Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context

Recommandé

MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
FFRI, Inc.
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
bmbouter
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
Selinux
SelinuxSelinux
Selinux
Ankit Raj
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
Emre Can Kucukoglu
 
SELinux introduction
SELinux introductionSELinux introduction
SELinux introduction
Michael Nazzareno Trimarchi
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
Shawn Wells
 
Selinux
SelinuxSelinux
Selinux
Mohitgupta8560
 

Recommandé

MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
FFRI, Inc.
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
bmbouter
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
Selinux
SelinuxSelinux
Selinux
Ankit Raj
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
Emre Can Kucukoglu
 
SELinux introduction
SELinux introductionSELinux introduction
SELinux introduction
Michael Nazzareno Trimarchi
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
Shawn Wells
 
Selinux
SelinuxSelinux
Selinux
Mohitgupta8560
 
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
Eliel Prado
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
Dmytro Minochkin
 
How to use SELINUX (No I don't mean turn it off)
How to use SELINUX (No I don't mean turn it off)How to use SELINUX (No I don't mean turn it off)
How to use SELINUX (No I don't mean turn it off)
Chuck Reeves
 
Introduction to Selinux
Introduction to SelinuxIntroduction to Selinux
Introduction to Selinux
Atul Jha
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
Shawn Wells
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinux
Shay Cohen
 
How to not disable SELinux
How to not disable SELinuxHow to not disable SELinux
How to not disable SELinux
Rémy Gottschalk
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
PaulWay
 
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
Shawn Wells
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
Shawn Wells
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction
Mohamed Gad
 
Unix Security
Unix SecurityUnix Security
Unix Security
replay21
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
Geo Marian
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
Michael Boelen
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
 
Linux security
Linux securityLinux security
Linux security
trilokchandra prakash
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
Information Technology
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
Jayant Chutke
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
Rizky Ariestiyansyah
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
Anne Nicolas
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEM
faraz hussain
 

Contenu connexe

Tendances

The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
Eliel Prado
 
Introduction to Selinux
Introduction to SelinuxIntroduction to Selinux
Introduction to Selinux
Atul Jha
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
Information Technology
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
Jayant Chutke
 

Tendances (20)

The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
 
How to use SELINUX (No I don't mean turn it off)
How to use SELINUX (No I don't mean turn it off)How to use SELINUX (No I don't mean turn it off)
How to use SELINUX (No I don't mean turn it off)
 
Introduction to Selinux
Introduction to SelinuxIntroduction to Selinux
Introduction to Selinux
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinux
 
How to not disable SELinux
How to not disable SELinuxHow to not disable SELinux
How to not disable SELinux
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
 
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
 
Linux security
Linux securityLinux security
Linux security
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 

En vedette

Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
Anne Nicolas
 
Operating system security
Operating system securityOperating system security
Operating system security
Rachel Jeewa
 
FreeBSD - LinuxExpo
FreeBSD - LinuxExpoFreeBSD - LinuxExpo
FreeBSD - LinuxExpo
webuploader
 
finalreport1182014
finalreport1182014finalreport1182014
finalreport1182014
chanhduy
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systems
Dayal Dilli
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010
lincolng
 

En vedette (20)

Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEM
 
Operating system security
Operating system securityOperating system security
Operating system security
 
System protection in Operating System
System protection in Operating SystemSystem protection in Operating System
System protection in Operating System
 
Operating System Security
Operating System SecurityOperating System Security
Operating System Security
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
 
FreeBSD ports
FreeBSD portsFreeBSD ports
FreeBSD ports
 
Introduction to FreeBSD 7.0
Introduction to FreeBSD 7.0Introduction to FreeBSD 7.0
Introduction to FreeBSD 7.0
 
FreeBSD - LinuxExpo
FreeBSD - LinuxExpoFreeBSD - LinuxExpo
FreeBSD - LinuxExpo
 
Webmail
WebmailWebmail
Webmail
 
Dovecot
DovecotDovecot
Dovecot
 
FreeBSD Document Project
FreeBSD Document ProjectFreeBSD Document Project
FreeBSD Document Project
 
Dovecot & Postfix バージョンアップ動向 201506-201511
Dovecot & Postfix バージョンアップ動向 201506-201511Dovecot & Postfix バージョンアップ動向 201506-201511
Dovecot & Postfix バージョンアップ動向 201506-201511
 
finalreport1182014
finalreport1182014finalreport1182014
finalreport1182014
 
66_pfSenseTutorial
66_pfSenseTutorial66_pfSenseTutorial
66_pfSenseTutorial
 
Operating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systemsOperating system enhancements to prevent misuse of systems
Operating system enhancements to prevent misuse of systems
 
FreeBSD: Dev to Prod
FreeBSD: Dev to ProdFreeBSD: Dev to Prod
FreeBSD: Dev to Prod
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010
 
Protection in Operating System Layer
Protection in Operating System LayerProtection in Operating System Layer
Protection in Operating System Layer
 

Similaire à SELinux basics

GMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptx
GMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptxGMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptx
GMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptx
AhmedWasiu
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 

Similaire à SELinux basics (20)

SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)SELinux Johannesburg Linux User Group (JoziJUg)
SELinux Johannesburg Linux User Group (JoziJUg)
 
Get Started with Linux Management Command line Basic Knowledge
Get Started with Linux Management Command line Basic KnowledgeGet Started with Linux Management Command line Basic Knowledge
Get Started with Linux Management Command line Basic Knowledge
 
Linux Getting Started
Linux Getting StartedLinux Getting Started
Linux Getting Started
 
GMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptx
GMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptxGMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptx
GMES_FOR_006_EN_TPZ - Linux - Start-v1.0.pptx
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Unix system protection and history features
Unix system protection and history featuresUnix system protection and history features
Unix system protection and history features
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Linux application regular and Summer Training Programme in waayoo.com
Linux application regular and Summer Training Programme in waayoo.comLinux application regular and Summer Training Programme in waayoo.com
Linux application regular and Summer Training Programme in waayoo.com
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentation
 
How to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNHow to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MN
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
When ACLs Attack
When ACLs AttackWhen ACLs Attack
When ACLs Attack
 
101 4.5 manage file permissions and ownership
101 4.5 manage file permissions and ownership101 4.5 manage file permissions and ownership
101 4.5 manage file permissions and ownership
 
Linux: Everyting-as-a-service
Linux: Everyting-as-a-serviceLinux: Everyting-as-a-service
Linux: Everyting-as-a-service
 
Host security
Host securityHost security
Host security
 
Host security
Host securityHost security
Host security
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
Prog ii
Prog iiProg ii
Prog ii
 
Linux training
Linux trainingLinux training
Linux training
 
Linux administration classes in mumbai
Linux administration classes in mumbaiLinux administration classes in mumbai
Linux administration classes in mumbai
 

Plus de Lubomir Rintel

Plus de Lubomir Rintel (8)

Namespaces for Kazimir
Namespaces for KazimirNamespaces for Kazimir
Namespaces for Kazimir
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
 
Namespaces in Linux
Namespaces in LinuxNamespaces in Linux
Namespaces in Linux
 
LinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB deviceLinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB device
 
A journey through the years of UNIX and Linux service management
A journey through the years of UNIX and Linux service managementA journey through the years of UNIX and Linux service management
A journey through the years of UNIX and Linux service management
 
Practical SystemTAP basics: Perl memory profiling
Practical SystemTAP basics: Perl memory profilingPractical SystemTAP basics: Perl memory profiling
Practical SystemTAP basics: Perl memory profiling
 
Reverse Engineering: Writing a Linux driver for an unknown device
Reverse Engineering: Writing a Linux driver for an unknown deviceReverse Engineering: Writing a Linux driver for an unknown device
Reverse Engineering: Writing a Linux driver for an unknown device
 
Brno meetr: Packaging Ruby Gems into RPM
Brno meetr: Packaging Ruby Gems into RPMBrno meetr: Packaging Ruby Gems into RPM
Brno meetr: Packaging Ruby Gems into RPM
 

Dernier

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 

Dernier (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

SELinux basics

  • 2. Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
  • 3. SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
  • 4. DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
  • 5. Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
  • 6. Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
  • 7. File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
  • 8. Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
  • 9. Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
  • 10. Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
  • 11. What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context
  • 13. Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
  • 14. SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
  • 15. DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
  • 16. Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
  • 17. Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
  • 18. File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
  • 19. Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
  • 20. Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
  • 21. Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
  • 22. What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context