How to live with SELinux

Presentation transcript:

How to live with SELinux Bert Desmet – Fedora Ambassador

You can find me here Kruishoutem, Belgium www.bdesmet.be www.devnox.be www.fedoraproject.org/wiki/user:biertie www.identi.ca/bdesmet Irc: biertie @ Freenode / Quakenet Mail: biertie@fedoraproject.org Google me for more And if you have any questions, feel free to contact me..

What I do.. I am still a student (Elektronics-IT@Ghent) President CFK Job hunting Fedora Fedora Ambassador Designer of the T shirt Organise some events Start up projects: too many Oh, and I love to party!

Table of contents
  Introduction
  Booleans and ports
  Contexts and labels
  Backing up and copying
  Your own policies

What is SELinux?
  Kernel-based security system
  Built by the NSA
  3 'functions'
    MLS/MCS: multi-level protection
    RBAC: user privilege controls
    TE: application isolation
  Enabled by default on RH / Fedora
MLS: Multi-Level Security. RBAC: Role-Based Access Control. TE: Type Enforcement. MAC: mandatory access control, as opposed to DAC: discretionary access control. SELinux adds extra control over processes and users (what files can x or y change).

Why would I?
  Good access control
  Reduces vulnerability to attacks
  Confined services
Good access control, unlike the DAC of a normal Linux system: SELinux has a user, role, type and level, while a Linux user only has a user ID and a group ID. The access control reduces vulnerability to attacks: intruders can only access the files the software (like httpd) really needs. Confined services: SELinux has the ability to confine services and daemons so that they are more predictable and are only allowed the access that is required for their normal operation.

But
  No antivirus
  No firewall
  ...

Keywords
  Objects
    Files, devices, users, processes, ...
    Everything in the operating system
  Context
    Name for the object
  Policy
    Defines how objects interact
Independent from normal Linux ownerships.

Configuration
  3 modes: Enforcing, Permissive, Disabled
  2 types: Targeted, Strict
  Permanent: edit /etc/selinux/config
  Until next reboot: setenforce {0|1}
    Only Permissive (0) or Enforcing (1)
  Check running config with sestatus

Logging
  SELinux denial messages
    /var/log/audit/audit.log
    ausearch -m avc
  If rsyslogd is running
    /var/log/messages
/var/log/messages is more readable, but rsyslogd is not always running. Enable it with:
  chkconfig --level 2345 rsyslog on

Booleans
  Changed at runtime
  No policy writing

Managing booleans..
  List all booleans
    getsebool -a
    semanage boolean -l
  Set a boolean
    setsebool $boolean {on|off}
    setsebool -P $boolean {on|off}
  Predefined policies
The semanage boolean command doesn't work yet on RH/CentOS 5.x. The -P flag makes the change persistent across reboots.

Managing ports
  List services and the ports they can use
    semanage port -l
  Add a port
    semanage port -a -t $type -p {tcp|udp} $port
  Delete a port
    semanage port -d -t $type -p {tcp|udp} $port

SELinux contexts
  Show them with ls -Z, ps Z or id -Z
  unconfined_u:object_r:httpd_sys_content_t:s0
    unconfined_u: user context for the object
    object_r: role aspect for the context
    httpd_sys_content_t: type
    s0: level of security
The user is an identity authorized for a specific set of roles and an MLS range; each Linux user is mapped to an SELinux user (semanage login -l). The role is part of the RBAC model. The type is an attribute of type enforcement: it defines the domain for processes and the type for files. The level of security is an attribute for MLS. A process running as unconfined_t is not checked (in the targeted policy).
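Splitting a context into the four fields described above needs some care, because an MLS/MCS range in the level field contains a colon of its own. This is an added example, not part of the slides; ctx_field is a hypothetical helper name and both sample contexts are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): split a context into its four fields.

# Print one field (user, role, type or level) of a context.
# The level is everything after the third colon, because an MLS/MCS range
# such as s0-s0:c0.c1023 contains a colon itself; cutting on the fourth
# colon-separated field alone would drop the categories.
ctx_field() {
  ctx=$1
  want=$2
  case $ctx in
    *:*:*:*) ;;                                   # user:role:type:level
    *) echo "not a full context: $ctx" >&2; return 1 ;;
  esac
  user=${ctx%%:*};  rest=${ctx#*:}
  role=${rest%%:*}; rest=${rest#*:}
  typ=${rest%%:*};  level=${rest#*:}
  case $want in
    user)  printf '%s\n' "$user" ;;
    role)  printf '%s\n' "$role" ;;
    type)  printf '%s\n' "$typ" ;;
    level) printf '%s\n' "$level" ;;
    *) echo "unknown field: $want" >&2; return 1 ;;
  esac
}

# Constructed samples: a file label and a process label with an MCS range.
FILE_CTX='unconfined_u:object_r:httpd_sys_content_t:s0'
PROC_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

for c in "$FILE_CTX" "$PROC_CTX"; do
  printf '%s -> type=%s level=%s\n' "$c" \
    "$(ctx_field "$c" type)" "$(ctx_field "$c" level)"
done
```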

Change context
  Temporary
    chcon -t $type ${file|dir}name
  Persistent
    semanage fcontext -a -t $type ${file|dir}name
  Restore context
    restorecon -v ${file|dir}name
    semanage fcontext -dv ${file|dir}name
Example: chcon -t httpd_sys_content_t /web. Use the full path of the file or directory. Restore only works with chcon: semanage fcontext adds a rule to file_contexts.local, chcon doesn't. After a fcontext -d, run restorecon again.

Relabeling the fs
  With reboot (preferred!)
    touch /.autorelabel
    reboot
  Without reboot
    fixfiles relabel
    fixfiles -R $packagename restore
fixfiles relabel can make the system unstable. fixfiles -R relies on the rpm database.

Mounting file systems
  The mount command
    mount server:/export /mount -t nfs -o context="system_u:object_r:context_t:s0"
    mount /dev/sda2 /foo -o defcontext="system_u:object_r:context_t:s0"
NFS: works for multiple NFS mounts; the standard type is nfs_t. Context changes to the files on the mount won't work: chcon results in "operation not supported". /dev/sda2: assumes there are no rules that define a context for /foo/; files will keep their context when changed. Persistent: fstab.

Copying
  cp doesn't save the context
  Copy with context
    Add the '--preserve=context' flag
  Copy while changing context
    cp -Z system_u:object_r:context_t:s0 $file $dest
If you copy a file over an existing file, the original context of the existing file is preserved.

Moving
  The mv command doesn't move the context across different partitions
  It does when you move within the same partition
  Use the cp command

Tarring
  tar doesn't preserve contexts by default
    Use the --selinux flag
  Untar an archive without extended attributes
    tar -xvf $archive | restorecon -f -

Troubles?
  audit2allow
    Gives you decent tips
  matchpathcon -V $dir
    Checks the context of a dir
  semodule -DB
    Allows all denials to be logged
matchpathcon gets the default security context for the specified path from the file contexts configuration. semodule -D disables dontaudit rules and -B rebuilds the policy. Run semodule -B again after debugging.

Creating policies
  Grep for the right error in the audit log
  audit2allow -am $name > $name.te
    -D flag
  cat $name.te

Applying policies
  audit2allow -M $name
  semodule -i $name.pp
semodule -i: import the module ($name.pp is the package that audit2allow -M builds).
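Before a generated module is imported, it is worth seeing exactly which access the denials would turn into. The sketch below is an added example, not part of the slides and not how audit2allow itself is implemented: it groups AVC records by source type, target type and class, using constructed sample records and a hypothetical function name, avc_summary.

```shell
#!/bin/sh
# Added example (not from the slides): group AVC denials into candidate
# allow rules so they can be reviewed before a module is built and imported.

# Constructed sample records in audit.log format; not from a real system.
SAMPLE_AVC='type=AVC msg=audit(1300000000.101:51): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/web/index.html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.101:51): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1300000001.202:52): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1300000002.303:53): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8081 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Read audit records on stdin and print one line per (source type, target
# type, class) with the union of denied permissions, in first-seen order.
avc_summary() {
  awk '
    # Return the value of a key=value token on the current record.
    function field(key,    i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    # The type is the third colon-separated field of a context.
    function ctype(ctx,    part) { split(ctx, part, ":"); return part[3] }

    /avc: +denied/ {
      perms = $0
      sub(/^[^{]*[{] */, "", perms)    # drop everything up to the brace
      sub(/ *[}].*$/, "", perms)       # drop the closing brace and the rest
      rule = ctype(field("scontext")) " " ctype(field("tcontext")) ":" field("tclass")
      if (!(rule in list)) { order[++n] = rule; list[rule] = "" }
      m = split(perms, p, " ")
      for (j = 1; j <= m; j++)
        if (!seen[rule, p[j]]++) list[rule] = list[rule] " " p[j]
    }
    END {
      for (k = 1; k <= n; k++)
        printf "allow %s {%s };\n", order[k], list[order[k]]
    }
  '
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

In the sample, the default_t target points to a mislabelled file that semanage fcontext and restorecon would fix, and the name_bind denial on port_t points to a port that semanage port -a would cover. Neither case needs a new policy module.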

So why do we enable it?
  It's easy
  It's secure

References
  Fedora SELinux documentation: http://docs.fedoraproject.org
  Dan Walsh: http://danwalsh.livejournal.com
  Fedora SELinux team: #fedora-selinux @ freenode
  Linux training: http://linux-training.be

Questions? E-mail: bert@bdesmet.be Twitter: @biertie identi.ca: @bdesmet Web: http://bdesmet.be