Presentation is loading. Please wait.

Presentation is loading. Please wait.

Demystifying SELinux: WTF is it saying?

Published byShonda Webb Modified over 6 years ago

Similar presentations

Presentation on theme: "Demystifying SELinux: WTF is it saying?"— Presentation transcript:

1 Demystifying SELinux: WTF is it saying?
Dave Quigley SELinux Ninja/Linux Kernel Developer

2 Access Controls determine who/what can access system resources
What is Access Control? Access Controls determine who/what can access system resources

3 What You're Use To Web Content Home Directory Files Sensitive
Credit Card Data Dave (Apache) Dave (Firefox)

4 A “New” Type of Access Controls
Web Content TCP Port 80 Sensitive Credit Card Data Database Socket Apache Logs Dave (Apache) Dave (PostgreSQL) Database Files

5 What is SELinux? SELinux is a label based security system
Every process has a label, every object on the system has a label Files, Directories, network ports … The SELinux policy controls how process labels interact with other labels on the system The kernel enforces the policy rules

6 All information needed for SELinux to make an access control decision
What is a Label? -rw-r--r-- root root system_u:object_r:etc_t:s /etc/passwd DAC Components Security Label system_u:object_r:etc_t:s0 User Role Type MLS All information needed for SELinux to make an access control decision

7 How do I see Labels? Files Processes Ports ls -Z ps -Z, pstree -Z
netstat -Z, semanage ports -l

8 How to tell if something is wrong?
Logged to /var/log/messages if no auditd or during early boot before auditd. grep avc /var/log/messages Logged to /var/log/audit/audit.log if running auditd. /sbin/ausearch -mAVC,SELINUX_ERR -i Notification via setroubleshoot if running. /var/log/audit/audit.log, desktop pop-up

9 Most Common SELinux Problems
Incorrect Labeling Non-Default Config of a Confined Program Bug in Policy or an Application Your machine may have been compromised

10 Labeling Problems Every process and object on the system is labeled
If labels are not correct access may be denied Causes Alternative paths (semanage fcontext) Files created in wrong context (restorecon) Processes started in wrong context

11 Usecase: Move instead of copy
Administrator uploads and extracts a tarball of static web content to his home directory Administrator moves the files into the document root for Administrator tries to access site Access fails, why?

12 Non-Default Configuration
SELinux needs to know how a confined daemon is configured Non-default directories Need to ensure files are labeled properly Booleans Allow optional functionality to be enabled Non-default ports Need to ensure ports labeled properly

13 Usecase: Non Default Location
Administrator decides to setup a website with the location of /opt/www Administrator creates the directory and copies files into it. Administrator tries to access site Page access fails, why?

14 Usecase: Web content in user home directories
Administrator decides to setup a website to allow users to host personal webpages. Administrator enables Userdirs to public_html. Administrator tries to access site userhome.com/~sedemo Page access fails, why?

15 Usecase: Apache on a non-standard port
Administrator decides to change the port his apache server at to to heighten security. Administrator changes the listening port in the config. Administrator tries start httpd. Server fails to start, why?

16 Bugs in Policy/Apps SELinux policy bugs
Incomplete policy (unusual code path) Unknown application configuration Application bugs Leaked File Descriptors Executable Memory (execmem) Badly built libraries (execmem and others)

17 Bugs in Policy/Apps (2) Options
Report bugs in bugzilla (Best long term solution) Create a policy module (Temporary fix) Labeling is correct? No appropriate booleans? Use audit2allow to create a policy module Examine resulting policy Make sure it's safe Ask for help (#fedora-selinux and mailing lists)

18 Your machine may have been compromised
Current tools not good at differentiating Warning signs: a confined domain tries to: Load a kernel module Turn off SELinux enforcing mode Write to etc_t or shadow_t Modify iptables rules Sendmail others You may be compromised

19 Resources Google+ SELinux SELinux Community Websites
g Mailing Lists Fedora SELinux NSA SELinux IRC #selinux on FreeNode Presentation files uigl/demystifying- selinux

20 Questions?

21 Survey Thank you for listening to me talk. Please help improve the talk by filling out a quick survey at

Download ppt "Demystifying SELinux: WTF is it saying?"

Similar presentations

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.

Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
CP476 Internet Computing Browser and Web Server 1 Web Browsers A client software program that allows you to access and view Web pages on the Internet –Examples.

CP476 Internet Computing Browser and Web Server 1 Web Browsers A client software program that allows you to access and view Web pages on the Internet –Examples.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 6 Switch Configuration.
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.
FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.

FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.
1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.
Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.

Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.
Cosc 4750 Configuring httpd, Mysql, And Samba. defaults By default httpd demean will startup and work User directories are turned off Default directory.

Cosc 4750 Configuring httpd, Mysql, And Samba. defaults By default httpd demean will startup and work User directories are turned off Default directory.
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Similar presentations

Ads by Google