Understanding SELinux for the Win
Brian Bouterse
Principal Software Engineer, Red Hat.
2
Introduction
● Disabling SELinux since 2002 – 2015
● Love Free and Open Source
● Principal Software Engineer with Red Hat since 2015
● Work on Pulp ( http://pulpproject.org/ )
● In 2015 I started working with SELinux
● Wrote three SELinux policies for Pulp
● Contribute to several Open Source projects (Kombu, Celery)
3
Agenda
● Why do we care about SELinux?
● How SELinux Works
● What is an SELinux Policy
● SELinux Tooling
● CIL Language
● Troubleshooting SELinux
4
Motivation
What is the most common query that has the
term “SELinux”?
5
Motivation
What is the most common query that has the
term “SELinux”?
“Disabling SELinux”
https://trends.google.com/trends/explore?q=selinux
6
Unix Permissions
● User / Group Models
● Permissions Mask (rwxs)
● Discretionary Access Control (DAC)
● Kernel enforces DAC
● All-powerful root user
https://www.slideshare.net/gottsc_r/how-to-not-disable-selinux
7
Linux Kernel Permissions
● Lots of fine-grained permissions
● CAP_SYS_BOOT – allows reboot
● CAP_DAC_READ_SEARCH – bypass file permissions
https://www.slideshare.net/gottsc_r/how-to-not-disable-selinux
8
What is wrong with root?
● You have to trust root
● root bypasses file/user/group security controls
● Multi-user systems have no privacy guarantee
● All-or-nothing security model
● No granularity to leverage kernel permissions
● Improved somewhat with fine-grained sudo controls
9
Problem: Application Trust Issues
● Trust apps are secure
  ● CVEs happen, 0-days happen
● Trust apps are configured correctly
  ● Gartner reports 75% of mobile data breaches are configuration problems[0]
● Trust apps aren’t malware or nefarious
  ● SELinux does not address this
  ● Open source FTW
  ● Signed packages
  ● Reproducible Builds are important
  ● Open build systems
[0] http://www.gartner.com/newsroom/id/2753017?nicam=prsm13
10
When Applications get Compromised
● Steal/Expose/Modify/Corrupt application data
  ● CVE-2011-1717: chmod 666 all Skype application data
● Privilege Escalation (Kernel exploits)
  ● CVE-2010-EASY: Drops into a shell as root
● Install backdoor
● Make network connections (DDoS slave)
● If your app is root, game over
11
Public Service Announcement
12
Don’t run apps as root
Public Service Announcement
13
SECURITY ENHANCED LINUX IS A SECURITY MECHANISM
BRINGING PROACTIVE SECURITY FOR YOUR SYSTEM
http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/4
14
http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/6
15
SELinux Security – File Contexts
● Stored as extended attributes
system_u:object_r:passwd_file_t:s0
16
SELinux Security – Domains
● Tracked by SELinux per process
● Called a Domain when applied to a process
system_u:system_r:syslogd_t:s0
17
SELinux Security Context Anatomy
http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/11
system_u:object_r:passwd_file_t:s0
  system_u       → SELinux User
  object_r       → SELinux Role
  passwd_file_t  → SELinux Type
  s0             → [sensitivity]
18
SELinux “Targeted” Rule Anatomy
allow user_t bin_t:file read;
  allow   → Action
  user_t  → Process Label (source type)
  bin_t   → Filesystem Type (target type)
  file    → object class (the tclass seen in AVC denials)
  read    → Permission
19
Rule Example
`sesearch` is used to find any rule on a system
http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/14
20
Where do rules come from?
● SELinux module defines rules
● SELinux modules are compiled
● OS brings a lot of system modules
● Some applications bring modules too
● SELinux policy is the collection of all modules
21
Listing Modules with `semodule -l`
22
How do file contexts get assigned?
● Policies have .fc files which have paths and labels
● Conflicting label resolution
  ● More specific rules override less specific rules
● New files are automatically labeled
● Moved files are not automatically relabeled
● On Fedora big list: /usr/share/selinux/targeted/default/active
23
Managing File Security Contexts
● restorecon
  ● Restore file(s) default SELinux security context
  ● restorecon -v some_file
● chcon
  ● Change file SELinux security context
  ● chcon -R -t httpd_sys_content_t /web/
● fixfiles
  ● fixfiles -R <packagename> restore
  ● fixfiles relabel
● Full auto-relabel
  ● touch /.autorelabel; reboot
  ● Allows init to do the relabeling
24
SELinux Enforcement
● Enforcing – SELinux policy is enforced
  ● setenforce 1
● Permissive – Not enforcing, but denials are logged
  ● setenforce 0
● `getenforce` – reports whether SELinux is enforcing, permissive, or disabled
25
Targeted Mode
● Everything is allowed. Use deny rules.
● By default processes run in the unconfined_t domain.
● unconfined_t processes have the same access they would have without SELinux running.
● Daemons or applications transition to a locked-down domain as defined by the SELinux policy.
● httpd starts as unconfined_t and transitions to httpd_t
“SELinux for Dummies” - http://slideplayer.com/slide/11222578/
26
Where are the logs?
● /var/log/audit/audit.log
● Allowed and denied are logged here
● See denials with `ausearch -m AVC`
27
Anatomy of an AVC denial
avc: denied { getattr } for pid=7604 comm="firefox"
path="/usr/lib64/firefox-3.5.3/firefox" dev=dm-2 ino=1311607
scontext=dgrift_u:dgrift_r:gwibber_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
● What process was denied access?
● What domain type did the source process operate in when it was denied access?
● What object or subject was the source process denied access to?
● What was the object/subject type of the target?
● What permission was denied?
● What is the class of the target?
● What was the process identity of the source?
● What was the inode number of the target object?
● What happened?
http://selinux-mac.blogspot.com/2009/09/avc-denials-example.html
28
SELinux Utilities
● “Z” is your friend
● Core Utilities
● ls -Z
● cp/mv/install
● Each handles file_context differently
● find / -context=
● id -Z
● ps auxZ
“SELinux for Dummies” - http://slideplayer.com/slide/11222578/
29
Backup and Disc Management
● tar
  ● --selinux or --xattrs
  ● tar -xvf archive.tar | restorecon -f -
● zip
● rsync
  ● -X or --xattrs
● star
“SELinux for Dummies” - http://slideplayer.com/slide/11222578/
30
CIL Language
● Higher level, domain specific languages are being created
● Common Intermediate Language (CIL)
● Decompiling a local policy into CIL
● sudo semodule -c -E <module name>
● Allows policies to be compared using diff
31
SELinux Booleans
● Parts of a policy to be enabled/disabled by an administrator at runtime.
● No recompilation necessary
● List all booleans and their current state
● getsebool -a
● Enable/disable a boolean
● setsebool -P httpd_can_network_connect on
● setsebool -P httpd_can_network_connect off
32
Troubleshooting
● Check the booleans for the application. Maybe one needs to be enabled.
● Look using CIL
● Temporarily switch to Permissive mode
● Check three things:
  ● Verify the expected policy is installed using `sudo semodule -l`
  ● Verify the process is running in the expected domain (ps -eafZ | grep <your_app>)
  ● Verify the file contexts are correctly set (use CIL)
33
App fails with no AVC denials
● Setting setenforce 0 causes an app to work
● dontaudit rules
  ● Dontaudits ignore specific AVC denials
  ● Not logged by default
  ● You can see them with `sudo semodule --disable_dontaudit --build`
“SELinux for Dummies” - http://slideplayer.com/slide/11222578/
34
Working Around Problems
● Report issues upstream to your project
  ● Helps resolve whether an issue is environmental, a code defect, or a policy defect
● If it’s a legitimate incompatibility between the application and its own policy, apply a workaround:
1. Cause an SELinux reload using `sudo semodule -R`
2. Set into permissive mode and restart the application
3. Trigger the AVC denial again
4. Use `audit2allow -al` to show you the rules you are missing
35
audit2allow
~]# audit2allow -a
#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
36
Applying audit2allow Recommendations
~]# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mycertwatch.pp
~]# ls
mycertwatch.pp mycertwatch.te
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
37
What if there are AVC denials from 2+ processes?
~]# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
******************** IMPORTANT ***********************
To make this policy package active, execute:
~]# semodule -i mycertwatch2.pp
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
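The AVC record dissected on slide 27 and the audit2allow grouping on slides 35 to 37, worked in Python as an added example that is not part of this deck: it splits the slide's denial into the fields behind the nine questions, takes each security context apart into user:role:type:level, and groups denials per source domain into the allow rules audit2allow would propose. The certwatch records are constructed here, and the grouping is a simplification of audit2allow rather than its code.

```python
"""Dissect an AVC denial into the fields behind the slide's nine questions,
split each security context into user:role:type:level, and group denials into
the allow rules audit2allow would propose. Added example, not from the deck:
SAMPLE_AVC is the slide's record, CERTWATCH_AVCS are constructed here."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The denial quoted on the slide, joined back into one record.
SAMPLE_AVC = (
    'avc: denied { getattr } for pid=7604 comm="firefox" '
    'path="/usr/lib64/firefox-3.5.3/firefox" dev=dm-2 ino=1311607 '
    'scontext=dgrift_u:dgrift_r:gwibber_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file'
)
# Constructed records in the shape `ausearch -m AVC` prints, for the grouping demo.
CERTWATCH_AVCS = [
    'type=AVC msg=audit(1.1:10): avc:  denied  { write } for  pid=1 comm="certwatch" '
    'name="lib" dev=dm-0 ino=2 scontext=system_u:system_r:certwatch_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'type=AVC msg=audit(1.2:11): avc:  denied  { add_name } for  pid=1 comm="certwatch" '
    'name="lib" dev=dm-0 ino=2 scontext=system_u:system_r:certwatch_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=dir',
]


@dataclass(frozen=True)
class Context:
    """user_u:role_r:type_t:level, the four parts of a security context."""
    user: str
    role: str
    type: str
    level: str  # s0, or s0-s0:c0.c1023 when an MCS range is present


def parse_context(ctx: str) -> Context:
    # The level itself can contain colons (categories), so split at most 3 times.
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a full security context: {ctx!r}")
    return Context(*parts)


_RESULT = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> dict:
    """Answer the slide's questions for one AVC record: who, in which domain, was
    denied which permission on what object of which class."""
    m = _RESULT.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if not fields.keys() >= {"scontext", "tcontext", "tclass"}:
        raise ValueError("AVC record lacks scontext=, tcontext= or tclass=")
    src, tgt = parse_context(fields["scontext"]), parse_context(fields["tcontext"])
    return {
        "result": m.group(1),                 # what happened
        "perms": m.group(2).split(),          # which permission(s)
        "comm": fields.get("comm"),           # which process
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "source_type": src.type,              # domain the process ran in
        "target": fields.get("path") or fields.get("name"),  # object touched
        "target_type": tgt.type,              # label on that object
        "tclass": fields["tclass"],           # class of the target
        "inode": int(fields["ino"]) if "ino" in fields else None,
    }


def allow_rule(source_type: str, target_type: str, tclass: str, perms) -> str:
    """Format 'allow <process label> <file type>:<class> <permission>;'."""
    perms = sorted(set(perms))
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source_type} {target_type}:{tclass} {perm_text};"


def suggest_rules(lines) -> str:
    """Group denials per source domain into '#===== type =====' blocks. This is
    a simplification of audit2allow, not its code: it knows nothing about
    booleans, dontaudit rules or attributes, so review the output before use."""
    by_domain = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_avc(line)
        if rec["result"] != "denied":
            continue
        key = (rec["target_type"], rec["tclass"])
        by_domain[rec["source_type"]][key].update(rec["perms"])
    out = []
    for domain in sorted(by_domain):
        out.append(f"#============= {domain} ==============")
        for (ttype, tclass), perms in sorted(by_domain[domain].items()):
            out.append(allow_rule(domain, ttype, tclass, perms))
    return "\n".join(out)
```

Feed `suggest_rules` the lines from `ausearch -m AVC` and compare its output with `audit2allow -a` before installing anything; a rule the tool proposes is only a statement of what the denied process asked for, not a judgement that it should have it.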
38
Applying using CIL
● Extract the .pp file from the running system
● sudo semodule -H -E
● Convert to a CIL file
● sudo /usr/libexec/selinux/hll/pp /root/example.pp > /tmp/root-example.cil
● Edit the CIL file as necessary
● semodule -i /tmp/root-example.cil
https://plautrba.fedorapeople.org/blok/How-to-compare-two-SELinux-modules.html
39
Slides ->
Brian Bouterse
@bmbouter
bmbouter on freenode
http://www.slideshare.net/bmbouter/
