07 - SELinux

Uploaded by rida

SELinux

The syscall firewall

www.supinfo.com
Copyright © SUPINFO. All rights reserved
SELinux

Course objectives
By completing this course, you will:

- Talk about SELinux. What does it do? How?
- Configure SELinux. Active or inactive? Permissive or enforcing?
- Tune the default policy, using booleans.
- Write custom rules. Learn how to use audit2allow.
- Write policies. Confine processes with your very own rules.
SELinux

Course topics
Course plan:

- Introduction. SELinux concepts.
- Policies. Walk in, see this, what to do?
- Working with SELinux. Operating modes and common commands.
- Working with policies. Customize and create.
SELinux

Introduction

SELinux concepts
Introduction

How it works
Software firewalling.

- Lives in the kernel
- Traps all syscalls
  - Denies them by default
  - SELinux active with no allow rules: nothing can do anything
- Each individual syscall must be allowed
- The complex part: who is concerned by the allow rules
Introduction

Security Context
Allow who to do what: who?

- Security context
  - The basis of every SELinux decision
  - Carried by files
  - Carried by users
  - Carried by processes
- Special -Z option to display it
  - ls
  - id
  - ps
  - ...
Introduction

Security Context
Attached to system objects

A context has the form user:role:type:level, for example:

system_u:object_r:bin_t:s0

- user: the SELinux user, which is not the Unix user. It is authorized for a set of roles and for a level range.
- role: roles are authorized for domains.
- type: a type for files, a domain for processes. Rules define the interactions between types.
- level: the MLS access level/classification. Not used by default.
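An added example, not part of the SUPINFO slides: a small POSIX shell helper that splits a context string into the four members just described. It assumes the user:role:type[:level] layout from the slide; the level is treated as optional because the targeted policy leaves MLS/MCS unused, and everything after the third colon is kept together because an MLS range such as s0-s0:c0.c1023 contains colons of its own.

```shell
# Added example (not from the slides): split a security context into its
# members.  Prints one name=value line per member, or fails on a string
# that does not have at least user, role and type.
ctx_parse() {
    ctx=$1
    # cut -s drops lines without the delimiter, so a string with too few
    # fields yields empty members instead of the whole string.
    seuser=$(printf '%s\n' "$ctx" | cut -s -d: -f1)
    serole=$(printf '%s\n' "$ctx" | cut -s -d: -f2)
    setype=$(printf '%s\n' "$ctx" | cut -s -d: -f3)
    # Field 4 onward: the MLS/MCS level or range, possibly empty.
    selevel=$(printf '%s\n' "$ctx" | cut -s -d: -f4-)
    if [ -z "$seuser" ] || [ -z "$serole" ] || [ -z "$setype" ]; then
        printf 'malformed context: %s\n' "$ctx" >&2
        return 1
    fi
    printf 'user=%s\nrole=%s\ntype=%s\nlevel=%s\n' \
        "$seuser" "$serole" "$setype" "$selevel"
}

# ctx_type CONTEXT: print only the type (for a process, its domain), the
# member that TE rules are written in terms of.
ctx_type() {
    ctx_parse "$1" >/dev/null && printf '%s\n' "$1" | cut -s -d: -f3
}
```

On a live system the input would come from `ls -Z`, `id -Z` or `ps -Z`; here the function is fed context strings directly so it can be exercised anywhere.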
Introduction

System objects & Context

How do system objects get their context?

- Users
  - During login
  - By mapping Unix users to SELinux users
- Files
  - Labels, stored in extended attributes
- Processes
  - Inherit the parent's context
  - Or change it through a process transition
Introduction

Process transitions
Domain selection

- Default: inherit the parent's domain
  - Started from a shell: the shell's domain
  - The shell itself: the default user domain
- Process transition rules
  - A domain
  - executing a file that has a given "type"
  - will create a process of a given "type" (its new domain)
Introduction

Process transitions
Example

- Default
  - The shell runs as unconfined_t
  - Execute a bin_t binary
  - The process runs as unconfined_t
- Transition rule
  - unconfined_t -> httpd_exec_t -> httpd_t
  - Execute an httpd_exec_t binary
  - The process runs as httpd_t
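An added example, not from the slides, that models the domain-selection rule of the two slides above: with no matching transition rule the new process inherits the parent's domain, with one it moves to the target domain. The rule table is constructed for illustration; only the unconfined_t -> httpd_exec_t -> httpd_t line comes from the slide, the other two rows are assumptions. The second function emits the TE statements such a transition is written with in a policy module (the syntax later slides use for audit2allow output).

```shell
# Added example (not from the slides).  Constructed transition table:
# source domain, executable type, target domain.
SAMPLE_TRANSITIONS='unconfined_t httpd_exec_t httpd_t
init_t       httpd_exec_t httpd_t
user_t       passwd_exec_t passwd_t'

# resolve_domain PARENT_DOMAIN EXEC_TYPE: print the domain a process
# execve()d from PARENT_DOMAIN ends up in when the file is labelled
# EXEC_TYPE.  A matching rule transitions; otherwise the parent's domain
# is inherited, which is what the slide calls the default.
resolve_domain() {
    parent=$1; exectype=$2
    dom=$(printf '%s\n' "$SAMPLE_TRANSITIONS" |
          awk -v p="$parent" -v e="$exectype" '$1 == p && $2 == e { print $3; exit }')
    printf '%s\n' "${dom:-$parent}"
}

# transition_te SRC EXEC_TYPE DOM: print the statements a confined
# transition needs: execute the file, be allowed to enter DOM, let DOM
# accept the file as its entry point, and the type_transition itself.
transition_te() {
    src=$1; exectype=$2; dom=$3
    printf 'allow %s %s:file { read getattr open execute };\n' "$src" "$exectype"
    printf 'allow %s %s:process transition;\n' "$src" "$dom"
    printf 'allow %s %s:file entrypoint;\n' "$dom" "$exectype"
    printf 'type_transition %s %s:process %s;\n' "$src" "$exectype" "$dom"
}
```

Note that `resolve_domain user_t httpd_exec_t` answers user_t: the table has a rule for that executable type, but only from unconfined_t and init_t, so a user_t shell launching the same binary keeps its own domain.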
Introduction

Interactions
Accessing other objects (processes, files, ...)

- Default: everything is denied for everyone
- Interactions need positive rules for everything
  - Rules usually allow a domain access to a type
- The rule set is the policy
Introduction

Stop-and-think

Do you have any questions ?


Introduction

Stop-and-think
Select the SELinux context members:

- user
- group
- role
- type
SELinux

Policies

Walk in, see this. What to?


Policies

What's a policy?
Label and allow

- File contexts: which file gets what context
- TE rules: which domain can do what (mostly syscalls and transitions)
- Modular: one module per service/process
- Default: the targeted policy
Policies

The default policy

Targeted (the default)

- Targets specific processes
  - Confined domains
  - Can only do what is explicitly allowed
  - One per service
- Unconfined domain
  - For users: unconfined
- Tweakable through booleans
Policies

Working with booleans

Booleans?
- Tweak the default policy's behavior: more or less restrictive
- getsebool: get the current settings
- setsebool: change booleans
- Examples
  - users can(not) ping
  - users can(not) run dmesg
  - ...
Policies

Stop-and-think

Do you have any questions ?


Policies

Stop-and-think
Using the default policy, users are bound to strict rules.

- True
- False
SELinux

Working with SELinux

Operating modes and common commands


Working with SELinux

States
SELinux built in? Always here!

- Enabled or disabled
  - selinux=0|1 kernel parameter
  - sestatus command shows the state
- Enabled, in one of two modes
  - permissive: log denials, but do not enforce them
  - enforcing: log denials and deny
  - setenforce switches between the two
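An added example, not from the slides. setenforce only changes the running kernel; the mode applied at the next boot is read from a configuration file, /etc/selinux/config on Fedora/RHEL-derived systems with a SELINUX= line, which the slides do not mention and is assumed here. The function takes the file path as a parameter so it can be tried on a copy; the file content in the test is constructed.

```shell
# Added example (not from the slides): set the boot-time SELinux mode in a
# config file of the /etc/selinux/config form.  Only the three values the
# kernel understands are accepted; comments and other keys are left alone.
selinux_config_set_mode() {
    cfg=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) printf 'invalid mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    if grep -Eq '^SELINUX=' "$cfg"; then
        # Rewrite the active line in place (mode is validated, so it is
        # safe inside the sed expression); drop the backup sed -i leaves.
        sed -i.bak "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" && rm -f "$cfg.bak"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# selinux_config_get_mode FILE: print the configured boot-time mode
# (the last SELINUX= line wins if there are several).
selinux_config_get_mode() {
    sed -n 's/^SELINUX=//p' "$1" | tail -n 1
}

# The runtime switch the slide refers to is separate from the file above:
#   setenforce 0   -> permissive until reboot
#   setenforce 1   -> enforcing until reboot
# Both need root and an enabled SELinux, so they are not called here.
```

Switching a host to permissive with setenforce while leaving the file at enforcing is the usual way to debug a denial without losing the setting at the next boot; the reverse (file permissive, runtime enforcing) silently drops protection after a reboot, which is why the two should be checked together.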
Working with SELinux

User mapping
SELinux user <-> Unix user

semanage login -l
semanage login -m -S policy -r s0 -s seuser luser

Argument definitions

-m       Modify mode
-s       SELinux user
luser    Unix user to map. __default__ is a special value.

Example:

semanage login -m -S default -r s0 -s "user_u" __default__
Working with SELinux

Contexts
Change the security context of a file

chcon [-R] context file
chcon [-R] [-u user] [-r role] [-t type] file

Argument definitions

-R            Recursive on directories
context       Context in user:role:type format
-u, -r, -t    Alter individual parts of the security context

Example:

chcon -t apache2_exec_t /usr/sbin/apache2

Working with SELinux

Contexts
Restore/relabel a file according to the policy settings

restorecon [-vR] file

Argument definitions

-R      Recursive on directories
file    File or directory to operate on
-v      Verbose

Example:

restorecon -v -R /usr/sbin/apache2
Working with SELinux

Stop-and-think

Do you have any questions ?


Working with SELinux

Stop-and-think
Each Unix user has his SELinux counterpart.

- True
- False
SELinux

Working with policies

Custom and create.


Working with policies

Policy customization
Using audit2allow

1. Disable the dontaudit rules
2. Run the process
3. Feed audit2allow with the deny messages
4. Redirect the audit2allow output to a file
5. Compile the file to a module
6. Package the module
7. Load the package

Working with policies

Generate rules
Using audit2allow

audit2allow -m name -i read-from > file.te

Argument definitions

name         Module name to create
read-from    File to read the deny messages from
file.te      Redirect the Type Enforcement rules to this file

Example:

audit2allow -m local -i /var/log/audit/audit.log > local.te
Working with policies

Create a module
Compile TE rules using checkmodule

checkmodule -M -m -o output input

Argument definitions

-M       Enable MLS/MCS. Required if the policy also has this enabled.
-m       Generate a module that inserts into an existing policy
input    Read TE rules from that file

Example:

checkmodule -M -m -o local.mod local.te

Working with policies

Create a package
From a module and file contexts

semodule_package -o out.pp -m inmod [-f infc]

Argument definitions

out.pp    The package to be created
inmod     The compiled TE module to package
infc      The file context rules to package

Example:

semodule_package -o local.pp -m local.mod

Working with policies

Work with modules

The semodule command

semodule [-D] [-B] [-i pkg_file] [-d|-e|-r module-name]

Argument definitions

-D, -B        Disable dontaudit rules / rebuild the policy
-i            Install the specified package file
-d, -e, -r    Disable, enable, remove the named package

Example:

semodule -DB
semodule -i local.pp
Working with policies

audit2allow sample
Generated rules:

module local 1.0;

require {
        type init_exec_t;
        [...]
        class dir { write remove_name };
        [...]
}

#============= user_t ==============
allow user_t devlog_t:sock_file write;
allow user_t init_exec_t:file { read execute open getattr execute_no_trans };
[...]
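An added example, not from the slides and not the real audit2allow, that reproduces what the "Generate rules" slide and the sample above describe: turn AVC denial records into a module header, a require block and merged allow rules. The awk program only relies on the fields every AVC record carries (the permission set in braces, scontext, tcontext, tclass). The four audit lines are constructed sample data; the types in them are illustrative. Generated rules are a starting point to be read before loading: the second denial below, for instance, asks for a network connection the confined service may not be meant to have.

```shell
# Added example (not from the slides, not audit2allow itself).
# Constructed AVC records in the format found in /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { append } for  pid=1234 comm="httpd" name="app.log" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_to_te [MODULE_NAME]: read AVC records on stdin and print a .te file:
# module header, require block (every type and class:permission used), then
# one allow rule per (source type, target type, class) with its permissions
# merged and duplicates dropped.  Non-denial lines are ignored.
avc_to_te() {
    awk -v modname="${1:-local}" '
    /avc: +denied/ {
        # Permission set is the text between the braces.
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        if (!(s in tseen)) { tseen[s] = 1; types[++nt] = s }
        if (!(t in tseen)) { tseen[t] = 1; types[++nt] = t }
        key = s " " t ":" c
        if (!(key in rules)) { keys[++nk] = key; rules[key] = "" }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if ((key, p[i]) in seen) continue
            seen[key, p[i]] = 1
            rules[key] = rules[key] (rules[key] == "" ? "" : " ") p[i]
            if (!((c, p[i]) in cseen)) {
                cseen[c, p[i]] = 1
                if (!(c in cperms)) { classes[++nc] = c; cperms[c] = "" }
                cperms[c] = cperms[c] (cperms[c] == "" ? "" : " ") p[i]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", modname
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", classes[i], cperms[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nk; i++) {
            k = keys[i]
            if (index(rules[k], " ")) printf "allow %s { %s };\n", k, rules[k]
            else printf "allow %s %s;\n", k, rules[k]
        }
    }'
}

# Usage on the sample; on a live system: avc_to_te local < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local
```

The three var_log_t records collapse into a single `allow httpd_t var_log_t:file { write append };`, which is the same merging the sample slide shows for init_exec_t.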
Working with policies

Creating a policy
Confine a process

- audit2allow: customize an existing policy
- policygentool binary: create one from scratch
- A policy module is made of
  - TE rules: module.te
  - File contexts: module.fc
Working with policies

File contexts
Setting the file labels in module.fc

/var/www(/.*)?    gen_context(ctx, level)

- /var/www(/.*)?: the concerned files; regexes are supported.
- gen_context: the keyword that assigns ctx/level to the file(s).
- ctx: the security context as user:role:type.
- level: the sensitivity of the file for MLS/MCS; s0.
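An added example, not from the slides, that serves both the chcon/restorecon slide and this one: a miniature of the lookup restorecon performs against the file contexts to decide what label a path should carry. The table is constructed sample data in the module.fc layout (anchored regex, optional file type column, context); the paths and types are illustrative. Entries are matched as anchored regexes and the last matching entry wins, as libselinux does with file_contexts, which is why the more specific /var/www/cgi-bin entry is listed after the general /var/www one.

```shell
# Added example (not from the slides).  Constructed file-context table:
# regex, optional file type ("--" = regular file), context.
SAMPLE_FC='/usr/sbin/httpd        --  system_u:object_r:httpd_exec_t:s0
/var/www(/.*)?              system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t:s0'

# fc_lookup PATH: print the context the table assigns to PATH, taking the
# last matching entry.  Prints nothing and returns 1 when no entry matches.
fc_lookup() {
    path=$1; found=""
    while read -r regex a b; do
        [ -z "$regex" ] && continue
        # Second column is either the optional file type or already the context.
        if [ -n "$b" ]; then ctx=$b; else ctx=$a; fi
        if printf '%s\n' "$path" | grep -Eq "^$regex"'$'; then
            found=$ctx
        fi
    done <<EOF
$SAMPLE_FC
EOF
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# fc_needs_relabel PATH CURRENT_CTX: succeed when restorecon would change
# the label, i.e. the context currently on the file (for instance one set by
# chcon) differs from what the policy's file contexts say it should be.
fc_needs_relabel() {
    expected=$(fc_lookup "$1") || return 1
    [ "$expected" != "$2" ]
}
```

This is the reason chcon is only a temporary fix: it changes the extended attribute on the file, not the table, so the next restorecon (or a full relabel) puts the policy's answer back. A label that should persist belongs in the file contexts, in a module.fc as on this slide.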
Working with policies

How to create a policy?

1. Create a directory for the policy files
2. Run policygentool on the binary in that directory
3. Copy/link the SELinux-supplied Makefile into it
4. Use "make" to compile your files into a module
5. Insert the module and try to run the binary
6. Watch the log for denied actions
7. Edit the TE/FC files as needed and go back to step 4 (as needed)

Working with policies

Stop-and-think

Do you have any questions ?


Working with policies

Stop-and-think
For a process to run, you must allow all its attempted actions.

- True
- False
SELinux

Course summary

- SELinux: how it works
- Policies, denials and booleans
- SELinux commands
- Customize a policy
- Confine processes: create a policy
SELinux

For more
If you want to go into these subjects more deeply, ...

Publications, courses: Cisco CCNA
Web sites: www.supinfo.com, www.labo-linux.org, www.selinuxproject.org
Conferences: RMLL, FOSDEM, Solution Linux
Congratulations
You have successfully completed the SUPINFO course module n°07 SELinux.

The end

- semodule -BD
- audit2allow