SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh


1 SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh
SELinux Lead Engineer Red Hat Dan Walsh

2 What is SELinux? Mandatory Access Control (MAC)
Current systems use DAC (Discretionary Access Control)
Ability to confine applications based on least privilege
Define rules about how an application is supposed to run
Enforcement by the kernel
MAC History
  Defined in 1970's
  Bell and LaPadula
  Role Based Access Control
  Type Enforcement

3 What is SELinux? Type Enforcement
Define policy on what an application is supposed to do.
Enforce it with the kernel
Least Privilege
Access based on Subjects and Objects
Every process, file, directory, device labeled with Security Context
  Process Labels – Domains
  File Labels – File Context

4 Developed by the NSA NSA’s OS security research
Cleanly separates policy from enforcement using well-defined policy interfaces
Fine-grained controls over kernel services
Transparent to applications and users
Removes power of root, several machines running root as guest account

5 Where should you run SELinux?
[Diagram: network zones (Internet, DMZ, Intranet, Corporate Network) with Red Hat Enterprise Linux ES, AS and WS hosts providing DNS, Web, FTP, NFS, NIS, Firewall, VPN, Database, CRM, ERP and an App Server Farm]

6 SELinux History at Red Hat
Introduced with Fedora 2
  Excellent example of Open Source principles
  First policy “Strict” not very supportable
  Not ready for prime time
Redesigned for Fedora 3
  Targeted Policy
  Target domains we want to confine
  Allow other domains to run “unconfined”

7 SELinux History at Red Hat
Red Hat Enterprise Linux 4
  First mainline Operating System with Type Enforcement
  15 Targets Confined (apache, bind, syslog, dhcpd, ...)
Fedora 4, 5, 6
  Redesigned SELinux policy to support Modules
  Expand Number of Targets
  Lock down all of System Space
  Improved Usability
  GUI
  audit2allow policy generation

8 SELinux History at Red Hat
Red Hat Enterprise Linux 5
  Over 200 domains locked down
  MLS Policy
  EAL4+, LSPP, RBAC
  Easy Policy Generation
  Labeled Networking support
  CIPSO
  IPSEC

9 SELinux History at Red Hat
Fedora 9
  Introduction of X Windows controls
  Permissive Domain
  Confinement of users
    guest_t
    xguest_t
    user_t
    staff_t
    unconfined_t

10 SELinux History at Red Hat
Fedora 7, 8
  Begin confining the user
  Introduction of guest and xguest user
  Combine targeted/strict policy
  Policy generation tools

11 Easier - Troubleshooting What the H**L is going on????
tail /var/log/audit/audit.log
type=AVC msg=audit( :2036): avc: denied { getattr } for pid=6705 comm="httpd" name="index.html" dev=dm-0 ino= scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
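
Reading a denial like the one on this slide comes down to four fields: the permission, the source domain (the type in scontext), the target label (the type in tcontext) and the object class. The following Python parser is an added example, not part of the original slides; its sample line is constructed from the slide's record with a made-up timestamp and inode, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the slide's denial; the timestamp and inode
# are made-up values, since the transcript lost the originals.
SAMPLE = ('type=AVC msg=audit(1200000000.000:2036): avc:  denied  { getattr } '
          'for  pid=6705 comm="httpd" name="index.html" dev=dm-0 ino=123456 '
          'scontext=user_u:system_r:httpd_t:s0 '
          'tcontext=system_u:object_r:user_home_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # value may be quoted or empty


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    return dict(zip(('user', 'role', 'type', 'level'), parts))


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if 'type=AVC ' not in line or m is None:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        'result': result,
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'ino': fields.get('ino') or None,  # tolerate an empty "ino=" field
        'tclass': fields.get('tclass'),
        'source': split_context(fields['scontext']),  # process domain
        'target': split_context(fields['tcontext']),  # object label
    }


def summarize(rec):
    """One-line reading of the record: who tried what on which label."""
    return (f"{rec['result']}: domain {rec['source']['type']} ({rec['comm']}) "
            f"{'/'.join(rec['perms'])} on {rec['tclass']} {rec['name']!r} "
            f"labeled {rec['target']['type']}")


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```

For the slide's record the summary shows httpd_t being refused getattr on a file labeled user_home_t, which is the source/target pair to look at when deciding whether the file's label or the policy needs to change.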

12

13 Easier Management

14 Easier Policy Generation

15 How does SELinux enforce policy?
Every process and file tagged with a security context
Files tagged via extended attributes
New files' context assigned via policy
  New files get assigned the containing directory's security context
  Policy can override: files created in /var/log by named_t get named_log_t
Certain applications, such as login, are allowed by policy to set the context of the next executed program
Kernel assigns context to processes via policy

16 SELinux Key Components Kernel
Patch implementing security hooks
Uses Linux Security Module (LSM)
Framework for security enhancements to Linux

17 SELinux Key Components Applications
Most user applications and server applications unchanged
SELinux aware applications
  Applications used to view or manipulate security contexts
  Programs required to set user session security context
  Examples: login/sshd, ls, cp, ps, setfilecon, logrotate, cron ...
  Covered in Section 2

18 SELinux Key Components Policy
Targeted policy
  By default processes run in unconfined_t
  Unconfined processes have the same access they would have without SELinux running
  Daemons with defined policy transition to locked down domains
  httpd started from initrc_t transitions to httpd_t, which has limited access.

19 SELinux Key Components

20 Open Source in Action

21 Ultra Trusted Standards
Controlled Access Protection Profile - EAL4/CAPP
Labeled Security Protection Profile - EAL4+/LSPP
Multi Level Security (MLS)
SELinux is the only mainstream OS in the world with MLS AND Type Enforcement.
SELinux used all over Department of Defense including War Zones.
Unlike all other Trusted OS's, SELinux == Red Hat Enterprise Linux

