Presentation is loading. Please wait.

Presentation is loading. Please wait.

SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU

Published byLucy Poole Modified over 5 years ago

Similar presentations

Presentation on theme: "SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU"— Presentation transcript:

1 SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU

2 Who's talking? Sander van Vugt
Author, technical trainer and consultant High Availability, Performance and trying to understand SELinux Check my SELinux article on ew&topic=88

3 Who's listening? This talk is for sysadmins that normally would just switch off SELinux because they don't know how to handle it

4 Without SELinux How are you going to ensure that a web server that's running hundreds of scripts is secure? Intruders just could break in through a script, get shell access and do nasty things from there

5 The purpose of SELinux Block all syscalls
Allow only those syscalls that have been specifically allowed Which probably blocks many services that you actually need

6 The core element: the Policy
Used to define which object gets access to which other object Implemented by working with contexts User Role Type Rules define which source objects get access to which target objects Different policies for different environments

7 The modular policy Input files are in /etc/selinux/refpolicy/policy
.te files contain everything a module should have .if files define how other modules get access to this module .fc files contain labeling instructions Compiled policy files have the .pp extension and can be managed with semodule

8 Managing SELinux Use sestatus [-v] to see if it's alive
Set permissive mode to start from scratch Use semanage to set context Use setsebool to switch on/off specific rules Use semodule to work with modules Switch on auditing and check the /var/log/audit/audit.log Use audit2allow to convert denials into something that works

9 And do not use setenforce to turn it off!

10 Just use audit2allow instead
audit2allow -w -a presents the audit information in a more readable way audit2allow -a shows the type enforcement rule that allows the denied access audit2allow -a -M blah creates a .te file and a compiled .pp file that will allow the denied access Use semodule -i to enable this module

11 Common admin commands semanage -a -t httpd_sys_content_t “/web/(.*)?”
restorecon -Rv /web getsebool -a | grep something setsebool -P something_setting = on

12 Installing SELinux Easy on distributions that have it by default
A bit complicated on distributions that don't do SELinux by default A generic policy cannot set context for all objects on an unknown distribution

13 Enabling SELinux on OpenSUSE 12.2
Switch on kernel options: security=selinux selinux=1 enforcing=0 Download and install the source policy Compile the source policy Modify /etc/selinux/refpolicy/build.conf Don't forget /etc/selinux/config

14 Continuing the configuration
Use the selinux-ready command Relabel the file system Start analyzing and modifying to make it match (audit2why is useful!) Once it all works, use setenforce 1 to enable SELinux protection Tip: use unconfined_t on services that you want to run without selinux protection

15 Mail me at mail@sander.fr
Additional questions? Mail me at

Download ppt "SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU"

Similar presentations

Copyright line. Configuring Server Roles in Windows 2008 Exam Objectives New Roles in 2008 New Roles in 2008 Read-Only Domain Controllers (RODCs) Read-Only.

Copyright line. Configuring Server Roles in Windows 2008 Exam Objectives New Roles in 2008 New Roles in 2008 Read-Only Domain Controllers (RODCs) Read-Only.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
Shane Jahnke CS591 December 7, 2009.  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.
SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.

SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Security Enhanced Linux (SELinux)

Security Enhanced Linux (SELinux)
M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/
system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.
Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:
Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.

Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.
CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.
Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Two Installing and Configuring Exchange Server 2003.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Two Installing and Configuring Exchange Server 2003.

Similar presentations

Ads by Google