SlideShare una empresa de Scribd logo

SELinux Johannesburg Linux User Group (JoziJUg)

Jumping Bean
Jumping Bean

SELinux presentation given at the Jozi Lug in March. If you are in Johannesburg, South Africa and want to join us see our page on meetup.com. Search for JLug. http://www.meetup.com/Jozi-Linux-User-Group-JLUG/

Tecnología
1 de 26
Descargar para leer sin conexión
Jozi LUG - SELinux Introduction to Security Enhanced Linux 26th March 2012 Sponsored by LPI South Africa
Topics ● What is SELinux? ● Computer Security Models ● Mandatory Access Control & Discretionary Access Control ● SELinux Policy ● Object Classes and actions/permissions
Topics ● Security Context ● File Security Context ● Troubleshooting & Tools ● SELinux Booleans ● SELinux Managing Ports ● SELinux Writing Policy
What is SELinux ● A mechanism for supporting mandatory access control (mac),role based access control (rbac) & multi-level security (msl/mcs) ● Implemented as a Linux Security Module(LSM) ● LSM allows kernel to support different security models used by: ● AppArmor,Smack,SELinux
Computer Security Models ● Three security models possible with SELinux ● MLS/MCS – multilevel security, multi category security. Mainly about file access. Every subject must have clearance level and also every file (not covered) Top Secret, Secret, Confidential and Unclassified ● RBAC – role base access control, how users transition between roles and domains to which roles have rights, roles aggregate permissions
Computer Security Models ● Mandatory Access Control via Type Enforcement – First step before MLS/MCS. Good for daemons, services ● This presentations focuses on MAC via TE in SELinux. Although other security models can be used they are too restrictive for most situation there limited TE used. MAC mainly useful for daemons and processes not users
Mandatory Access Control Definition ● Mandatory Access Control (MAC) – security policy sets access controls and cannot be changed by system users or processes, ● Discretionary Access Control (DAC) – underlying unix permissions can be changed at the discretion of the file owner
Mandatory/Discretionary Access Control ● DAC makes system vulnerable, users can change permissions and no protection from broken software, i.e. process has complete control over all resources owned by user, ● MAC - provides control over interactions of software by defined policies and does not allow users to do anything that breaks these policies. Prevents compromised processes from affecting other processes and files
Mandatory Access Control ● Subject performs actions on an object ● Subject always a process ● Object can be file, device,users, processes,sockets,x_cursor.. ● Action is a system function call, i.e permissions
How is MAC Implemented? ● How is MAC implemented? ● Security context given to objects and processes aka labeling for file system ● A Security context just free format strings “label” ● By policy file which contain rules about what domains/type enforcements subject and object must have to allow requested action. I.e provides meaning to security context strings. Policies limit what a daemon can access and how
SELinux Policy ● Rules for how source context of subject evaluated against target security context of object ● By default if not defined, then deny action. Difficult for general purpose computing. To improve use less restrictive policy provided,
SELinux Policy ● Two policies packages – ● Targeted – doesn't use users & roles, only restricts certain services, uses type enforcement only. Unaffected subjects and objects run in unconfined_t domain ● Strict – deny all by default lots of tweaking ● We will look at a policy file later
Objects Classes ● Object classes (categories) – more then 70@ ● Object classes have set of permissions (actions) – dir, – socket – tcp_socket – filesystem – node – x_cursor
Object Class Permissions (Actions) ● Each object class has its list of permissions or actions e.g. dir: (see slide on seinfo later) ● getattr/setattr, ● unlink ● execute ● read ● search ● rmdir
Security Context ● Security Context or labels set of security attributes associated with a subject or an object ● <user>:<role>:<type> ● e.g system_u:object_r:httpd_exec_t ● system_u – standard for system daemon ● object_r standard for system objects such as devices and files ● Targets policy – unrestricted_u, unrestricted_r
Security Context ● User – individual or process, SELinux maintains own list of users. For subjects the user is the user the process is run as, for objects its the owner of the object, ● Role – similar to group, but user can only have 1 role at a time, can switch roles if authorised to do so ● Type/Domain -Type used for files, domain used for processes. Manages access control
Security Context ● Standard command come with add -Z option to see security context ● ls -Z ● ps -Z ● netstat -Z
File Security Context ● Most common SELinux problem – file labels ● restorecon – restores defined context for a file ● chcon -t $tye ${file|dir} name – temporary ● semanage fcontext -a -t $type ${file|dir} name ● /etc/selinux/targeted/contexts/files/files_contexts
Troubleshooting & Tools ● /var/log/audit/audit.log ● Create policy files from audit2allow ● avc = access vector cache
SELinux Tools ● setroubleshooter – can help with friendlier error messages and suggestions of how to fix the problem ● “cat /var/log/audit/audit.log | sedispatch” → will send the error messages to setroubleshooter for lookup & formatting
SELinux Tools ● Seinfo ● List all classes “seinfo -c” ● List all permissions for a class “seinfo -cdir -x” for dir premissions/actions ● List all types with permissions “seinfo -txx -x” ● List all users/roles with permissions “seinfo -{u| r}xx -x” ● List all port context “seinfo --portcon”
SELinux - Booleans ● Booleans ● getsebool -a ● semanage boolean -l ● setsebool xxx on| off ● setsebool -P xxx on|off
Manage Ports ● semanage port -l ● Add a port ● semanage port -at [-p proto] port |port-range ● Delete a port ● semanage port -dt [-p proto] port|port-range
Writing SELinux Policy ● The policy is compiled in user space ● The m4 macro preprocessor is used prior to compilation (optional) ● The initial policy binary is loaded by init at boot ● Policy modules (binaries) can be loaded and unloaded at any time
Writing SELinux Policy ● “cat /var/log/audit/audit.log | audit2allow -m mymod > mymod.te ● checkmodule -M -m -o mymod.mod mymod.te ● semodule package -o mymod.pp -m mymod.mod ● semodule -i mymod.p
Questions? ● Visit us at – www.JumpingBean.co.za – www.LinuxCertification.co.za

Recomendados

Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 
Operations Security
Operations SecurityOperations Security
Operations Security
Mauro Alberto
 
Introduction to Embedded Systems
Introduction to Embedded Systems Introduction to Embedded Systems
Introduction to Embedded Systems
Emertxe Information Technologies Pvt Ltd
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARM
Emertxe Information Technologies Pvt Ltd
 
Google Glass in a Programmer's View
Google Glass in a Programmer's ViewGoogle Glass in a Programmer's View
Google Glass in a Programmer's View
Amalan Dhananjayan
 
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South AfricaSecrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Jumping Bean
 
Google Glass What Is it
Google Glass What Is itGoogle Glass What Is it
Google Glass What Is it
Amalan Dhananjayan
 
IPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanIPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 Lan
Jumping Bean
 

Recomendados

Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 
Operations Security
Operations SecurityOperations Security
Operations Security
Mauro Alberto
 
Introduction to Embedded Systems
Introduction to Embedded Systems Introduction to Embedded Systems
Introduction to Embedded Systems
Emertxe Information Technologies Pvt Ltd
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARM
Emertxe Information Technologies Pvt Ltd
 
Google Glass in a Programmer's View
Google Glass in a Programmer's ViewGoogle Glass in a Programmer's View
Google Glass in a Programmer's View
Amalan Dhananjayan
 
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South AfricaSecrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Jumping Bean
 
Google Glass What Is it
Google Glass What Is itGoogle Glass What Is it
Google Glass What Is it
Amalan Dhananjayan
 
IPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanIPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 Lan
Jumping Bean
 
Selinux
SelinuxSelinux
Selinux
Ankit Raj
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
OWASP (Open Web Application Security Project)
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinux
Shay Cohen
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
FFRI, Inc.
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
Shawn Wells
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
Emre Can Kucukoglu
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
Shawn Wells
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
James Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
James Morris
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
Giuseppe Paterno'
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
bmbouter
 
OperatingSystem.ppt
OperatingSystem.pptOperatingSystem.ppt
OperatingSystem.ppt
RAJESHKUMARMANEPALLI
 
OperatingSystem.ppt
OperatingSystem.pptOperatingSystem.ppt
OperatingSystem.ppt
KaivanParikh
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22
jemtallon
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
How to not disable SELinux
How to not disable SELinuxHow to not disable SELinux
How to not disable SELinux
Rémy Gottschalk
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
Jayant Chutke
 
selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
Pandiya Rajan
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
SE Linux
SE LinuxSE Linux
SE Linux
primeteacher32
 
DevOpsDaysCPT Ansible Infrastrucutre as Code 2017
DevOpsDaysCPT Ansible Infrastrucutre as Code 2017DevOpsDaysCPT Ansible Infrastrucutre as Code 2017
DevOpsDaysCPT Ansible Infrastrucutre as Code 2017
Jumping Bean
 
Postgrtesql as a NoSQL Document Store - The JSON/JSONB data type
Postgrtesql as a NoSQL Document Store - The JSON/JSONB data typePostgrtesql as a NoSQL Document Store - The JSON/JSONB data type
Postgrtesql as a NoSQL Document Store - The JSON/JSONB data type
Jumping Bean
 

Más contenido relacionado

Similar a SELinux Johannesburg Linux User Group (JoziJUg)

Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
Giuseppe Paterno'
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22
jemtallon
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
Jayant Chutke
 

Similar a SELinux Johannesburg Linux User Group (JoziJUg) (20)

Selinux
SelinuxSelinux
Selinux
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
chroot and SELinux
chroot and SELinuxchroot and SELinux
chroot and SELinux
 
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinuxMR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
Security Enhanced Linux Overview
Security Enhanced Linux OverviewSecurity Enhanced Linux Overview
Security Enhanced Linux Overview
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
 
OperatingSystem.ppt
OperatingSystem.pptOperatingSystem.ppt
OperatingSystem.ppt
 
OperatingSystem.ppt
OperatingSystem.pptOperatingSystem.ppt
OperatingSystem.ppt
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
How to not disable SELinux
How to not disable SELinuxHow to not disable SELinux
How to not disable SELinux
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
selinuxbasicusage.pptx
selinuxbasicusage.pptxselinuxbasicusage.pptx
selinuxbasicusage.pptx
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
SE Linux
SE LinuxSE Linux
SE Linux
 

Más de Jumping Bean

IPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group PresentationIPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group Presentation
Jumping Bean
 

Más de Jumping Bean (13)

DevOpsDaysCPT Ansible Infrastrucutre as Code 2017
DevOpsDaysCPT Ansible Infrastrucutre as Code 2017DevOpsDaysCPT Ansible Infrastrucutre as Code 2017
DevOpsDaysCPT Ansible Infrastrucutre as Code 2017
 
Postgrtesql as a NoSQL Document Store - The JSON/JSONB data type
Postgrtesql as a NoSQL Document Store - The JSON/JSONB data typePostgrtesql as a NoSQL Document Store - The JSON/JSONB data type
Postgrtesql as a NoSQL Document Store - The JSON/JSONB data type
 
React - The JavaScript Library for User Interfaces
React - The JavaScript Library for User InterfacesReact - The JavaScript Library for User Interfaces
React - The JavaScript Library for User Interfaces
 
HTML 5 & The Modern Web
HTML 5 & The Modern WebHTML 5 & The Modern Web
HTML 5 & The Modern Web
 
Building games-with-libgdx
Building games-with-libgdxBuilding games-with-libgdx
Building games-with-libgdx
 
Linux Containers & Docker
Linux Containers & DockerLinux Containers & Docker
Linux Containers & Docker
 
Introduction to Web Sockets
Introduction to Web SocketsIntroduction to Web Sockets
Introduction to Web Sockets
 
M-Learning application development with open source
M-Learning application development with open sourceM-Learning application development with open source
M-Learning application development with open source
 
Introduction to AngularJS
Introduction to AngularJSIntroduction to AngularJS
Introduction to AngularJS
 
Introduction to Android Development
Introduction to Android DevelopmentIntroduction to Android Development
Introduction to Android Development
 
Glassfish An Introduction
Glassfish An IntroductionGlassfish An Introduction
Glassfish An Introduction
 
Java logging
Java loggingJava logging
Java logging
 
IPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group PresentationIPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group Presentation
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

SELinux Johannesburg Linux User Group (JoziJUg)

  • 1. Jozi LUG - SELinux Introduction to Security Enhanced Linux 26th March 2012 Sponsored by LPI South Africa
  • 2. Topics ● What is SELinux? ● Computer Security Models ● Mandatory Access Control & Discretionary Access Control ● SELinux Policy ● Object Classes and actions/permissions
  • 3. Topics ● Security Context ● File Security Context ● Troubleshooting & Tools ● SELinux Booleans ● SELinux Managing Ports ● SELinux Writing Policy
  • 4. What is SELinux ● A mechanism for supporting mandatory access control (mac),role based access control (rbac) & multi-level security (msl/mcs) ● Implemented as a Linux Security Module(LSM) ● LSM allows kernel to support different security models used by: ● AppArmor,Smack,SELinux
  • 5. Computer Security Models ● Three security models possible with SELinux ● MLS/MCS – multilevel security, multi category security. Mainly about file access. Every subject must have clearance level and also every file (not covered) Top Secret, Secret, Confidential and Unclassified ● RBAC – role base access control, how users transition between roles and domains to which roles have rights, roles aggregate permissions
  • 6. Computer Security Models ● Mandatory Access Control via Type Enforcement – First step before MLS/MCS. Good for daemons, services ● This presentations focuses on MAC via TE in SELinux. Although other security models can be used they are too restrictive for most situation there limited TE used. MAC mainly useful for daemons and processes not users
  • 7. Mandatory Access Control Definition ● Mandatory Access Control (MAC) – security policy sets access controls and cannot be changed by system users or processes, ● Discretionary Access Control (DAC) – underlying unix permissions can be changed at the discretion of the file owner
  • 8. Mandatory/Discretionary Access Control ● DAC makes system vulnerable, users can change permissions and no protection from broken software, i.e. process has complete control over all resources owned by user, ● MAC - provides control over interactions of software by defined policies and does not allow users to do anything that breaks these policies. Prevents compromised processes from affecting other processes and files
  • 9. Mandatory Access Control ● Subject performs actions on an object ● Subject always a process ● Object can be file, device,users, processes,sockets,x_cursor.. ● Action is a system function call, i.e permissions
  • 10. How is MAC Implemented? ● How is MAC implemented? ● Security context given to objects and processes aka labeling for file system ● A Security context just free format strings “label” ● By policy file which contain rules about what domains/type enforcements subject and object must have to allow requested action. I.e provides meaning to security context strings. Policies limit what a daemon can access and how
  • 11. SELinux Policy ● Rules for how source context of subject evaluated against target security context of object ● By default if not defined, then deny action. Difficult for general purpose computing. To improve use less restrictive policy provided,
  • 12. SELinux Policy ● Two policies packages – ● Targeted – doesn't use users & roles, only restricts certain services, uses type enforcement only. Unaffected subjects and objects run in unconfined_t domain ● Strict – deny all by default lots of tweaking ● We will look at a policy file later
  • 13. Objects Classes ● Object classes (categories) – more then 70@ ● Object classes have set of permissions (actions) – dir, – socket – tcp_socket – filesystem – node – x_cursor
  • 14. Object Class Permissions (Actions) ● Each object class has its list of permissions or actions e.g. dir: (see slide on seinfo later) ● getattr/setattr, ● unlink ● execute ● read ● search ● rmdir
  • 15. Security Context ● Security Context or labels set of security attributes associated with a subject or an object ● <user>:<role>:<type> ● e.g system_u:object_r:httpd_exec_t ● system_u – standard for system daemon ● object_r standard for system objects such as devices and files ● Targets policy – unrestricted_u, unrestricted_r
  • 16. Security Context ● User – individual or process, SELinux maintains own list of users. For subjects the user is the user the process is run as, for objects its the owner of the object, ● Role – similar to group, but user can only have 1 role at a time, can switch roles if authorised to do so ● Type/Domain -Type used for files, domain used for processes. Manages access control
  • 17. Security Context ● Standard command come with add -Z option to see security context ● ls -Z ● ps -Z ● netstat -Z
  • 18. File Security Context ● Most common SELinux problem – file labels ● restorecon – restores defined context for a file ● chcon -t $tye ${file|dir} name – temporary ● semanage fcontext -a -t $type ${file|dir} name ● /etc/selinux/targeted/contexts/files/files_contexts
  • 19. Troubleshooting & Tools ● /var/log/audit/audit.log ● Create policy files from audit2allow ● avc = access vector cache
  • 20. SELinux Tools ● setroubleshooter – can help with friendlier error messages and suggestions of how to fix the problem ● “cat /var/log/audit/audit.log | sedispatch” → will send the error messages to setroubleshooter for lookup & formatting
  • 21. SELinux Tools ● Seinfo ● List all classes “seinfo -c” ● List all permissions for a class “seinfo -cdir -x” for dir premissions/actions ● List all types with permissions “seinfo -txx -x” ● List all users/roles with permissions “seinfo -{u| r}xx -x” ● List all port context “seinfo --portcon”
  • 22. SELinux - Booleans ● Booleans ● getsebool -a ● semanage boolean -l ● setsebool xxx on| off ● setsebool -P xxx on|off
  • 23. Manage Ports ● semanage port -l ● Add a port ● semanage port -at [-p proto] port |port-range ● Delete a port ● semanage port -dt [-p proto] port|port-range
  • 24. Writing SELinux Policy ● The policy is compiled in user space ● The m4 macro preprocessor is used prior to compilation (optional) ● The initial policy binary is loaded by init at boot ● Policy modules (binaries) can be loaded and unloaded at any time
  • 25. Writing SELinux Policy ● “cat /var/log/audit/audit.log | audit2allow -m mymod > mymod.te ● checkmodule -M -m -o mymod.mod mymod.te ● semodule package -o mymod.pp -m mymod.mod ● semodule -i mymod.p
  • 26. Questions? ● Visit us at – www.JumpingBean.co.za – www.LinuxCertification.co.za