Professional Documents
Culture Documents
Agenda
1)IntroductiontoSELinux Concepts 2)Policiesand ConfigurationFiles 3)ModifiedOSCommands 4)SELinuxUtilities 5)UnderstandingAudit Messages 6)ManagingFileLabeling
2
IntroductiontoSELinuxConcepts
LinuxAccessControlIntroduction
Linuxaccesscontrolinvolvesthe
Forexample:
webserverprocessescanreadwebfiles butnot/etc/shadow
Howarethesedecisionsmade?
StandardLinuxAccessControl
Processesandfileshavesecurityproperties
process:userandgroup(realandeffective) resources:userandgroup+accessbits
read,write,andexecuteforuser,group,other
Kernelhashardcodedpolicy Example:
Canfirefoxreadmysshprivatekey?
kmacmill 21375 1 35 11:38 ? 00:00:01 firefox-bin -rw------- 1 kmacmill kmacmill 1743 2006-07-10 id_rsa
ImportantConcepts
Securityproperties:securityrelevantdata
associatedwithprocessesandresources usedtomakeaccesscontroldecisions
Policy:rulesforaccesscontroldecisions Kernelenforcesaccesscontroldecisions
calledreferencevalidationmechanism processesalsoenforceaccesscontrol
databaseserver,dbus,X,etc.
StandardLinuxSecurityProblems
Accessisbasedonusers'access Example:Firefoxcanreadsshkeys
generallyhasnoreasontoreadthem,but ifcompromisedcanpotentiallydisastrous
Fundamentalproblem:
securitypropertiesnotspecificenough kernelcan'tdistinguishapplicationsfromusers
StandardLinuxSecurityProblems
Processescanchangesecurityproperties Example:mailfilesreadableonlybyme
evolutioncanmakethemworldreadable
Fundamentalproblem:
StandardLinuxSecurityProblems
Onlytwoprivilegelevels:userandroot Example:apacheprivilegeescalation
apachebugallowsobtainingrootshell entiresystemiscompromised
Fundamentalproblem:
simplisticsecuritypolicy nowaytoenforceleastprivilege
SELinuxIntroduction
SELinuxaddsadditionalaccesscontrol
newsecuritypropertiesonprocesses/resources flexiblesecuritypolicythatcanbechanged
Kernelandapplicationbasedenforcement Designedtoaddresssecurityproblems
mandatory,leastprivilege,andfinegrained noallpowerfulroot
10
Transparenttomostapplications
SELinuxAccessControl
SELinuxhasthreeformsofaccesscontrol
Configurableviapolicylanguage
centralconfigurationfilescontrolallaccess Severalpoliciesavailable(targeted,strict,mls)
11
Allaccessisdeniedbydefault
SELinuxSecurityProperties
Processesandfileshaveasecuritycontext
Thekeyfieldistype
usedtoimplementTypeEnforcement
OtherfieldsusedforRBACandMLS
moreontheselater
12
Exercise:SecurityContexts
psaeZ>viewcontextsofprocesses lsZ>viewcontextsoffilesanddirectories
Exercises:
Whatisthesecuritycontextof/etc/shadow? Whatisthesecuritycontextofudevd?
13
SolvingLinuxSecurityChallenges
Securitypropertiesneedtoidentify
allrelevantsecurityinformation,e.g.,
processisawebserver(apache) thatwasstartedbyinit
consistentacrossallprocessandresources
Securitypolicyneedstobeflexible
noassumptions(e.g.,noroot) capableofenforcingintegrity,confidentiality,etc.
14
IntroductiontoTypeEnforcement
Basedonasinglesecuritypropertytype
Typesareassignedtoprocessesandresources
Accessisallowedbetweentypes
15
IntroductiontoObjectClasses
Objectclassesspecifythedetailsofaccess Resourcesdividedintoclasses
e.g.,file,dir,socket,process
Eachclasshaspermissions
e.g.,file:read,write,execute,getattr
FullaccessinTypeEnforcement:
allowhttpd_thttpd_sys_content_t:fileread;
16
TypeEnforcementOverview
Apache
(httpd_t)
read
/var/www/html
(httpd_sys_content_t)
/etc/shadow
(shadow_t)
ad re
~/public_html
Apache Policy:
allow httpd_t httpd_sys_content_t : file read;
17
(httpd_sys_content_t)
TypeEnforcementConcepts
Accessisallowedsolelybytype
manyprocessesandresourceshavesametype
simplifiespolicybygrouping
processeswithsametypehavesameaccess
sameforresources(files)
Processtypescalleddomains
sometimesappliedtoresources(e.g.,sockets)
18
Differenceresourcescanhavesametype
AssigningInitialTypes
Filesanddirectories:
configurationfilespecifiesdefaultcontext
calledfilecontexts usespathregex:^/usr/bin/>bin_t
Inheritedfromcontainingdirectoryatruntime
Applicationscanexplicitlysetcontext
chcon:utilitytosetcontexts(thinkchown) passwd:maintainscontexton/etc/shadow
19
AssigningProcessTypes
Processtypesare:
Examples:
20
TypeTransitionRules
Typetransitionrulessetprocesstypesusing:
parentprocesstypeandexecutablefiletype similartosetuid
Example:startingnameserver
Rule:domain_auto_trans(initrc_t, parentprocess(initrc_t)
named_exec_t, named_t)
executablefiletype(named_exec_t) result>named_t
21
TypeTransitionRules
22
TypeTransitionNotes
Primarymeansforsettingprocesstype
ensuresapplicationsrunincorrectdomain doesnotrequireapplicationmodification
Mustbeallowedbypolicy
e.g.,apachecannotstartprocessesininit_t preventsapplicationsfromgainingprivilege
Bindsspecificexecutabletodomain
e.g.,only/usr/bin/passwdcanruninpasswd_t
23
UserFieldDetails
userinheritedfromprocess systemprocess>filescreatedwithsystem_u
24
RoleFieldDetails
kmacmill:user_r:user_mozilla_t:s0 UsedforRBAC
rolefurtherrestrictsavailabletypetransitions incooperationwithTE(e.g.,user_r/user_t)
25
user_r,staff_r,secadm_r
MLSLevelFieldDetails
singlelevel:s0 range:sos15:c0.c1023
Usuallytranslated
26
s15:c0.c1023>SystemHigh
SELinuxSecurityBenefits
Typescaptureimportantsecurityinformation
accessisbasedonuserandapplicationfunction transitionscaptureprocesscallchains
Processesrunwithleastprivilege
onlywhatisallowedforthetype e.g.,httpd_tcanonlyreadwebpages
Privilegeescalationtightlycontrolled
acompromiseofApachelimitedbypolicy
27
SELinuxConfiguration
StrictPolicy
Asystemwhereeverythingisdeniedbydefault
Youmustspecifyallowrulestograntprivileges
SELinuxdesignedtobeastrictpolicy.
Difficulttoenforceingeneralpurposeoperatingsystem NotSupportedinRHEL
29
MLSPolicy
NoXwindowssupport limitedpackageset
HP/IBMworkingtowardsgettingEAL4+/LSPPcertification
30
TargetedPolicy
Systemwhereprocessesbydefaultareunconfined.
Onlytargetedprocessesareconfined
UnconfinedDomains
31
TargetedDomains
InRHEL4
InRHEL5
200targetsdefined
EveryprogramshippedbyRedHatandstartedonbootshould haveadomaindefined
32
WhereshouldyourunSELinux?
Internet Corporate Network
RedHatEnterprise LinuxES
Firewall VPN DNS Web FTP
Intranet
RedHatEnterprise LinuxES
DNS Web FTP NFS NIS
RedHatEnterprise LinuxAS
DatabaseCRMERP
RedHatEnterprise LinuxES
DMZ
33
RedHatEnterprise LinuxWS
RedHatEnterprise LinuxES
AppServerFarm
Configfiles
SELinuxstoresitsconfigfilesin/etc/selinux
/etc/selinux/configidentifiespolicyandenforcingmode
more/etc/selinux/config #ThisfilecontrolsthestateofSELinuxonthesystem. #SELINUX=cantakeoneofthesethreevalues: #enforcingSELinuxsecuritypolicyisenforced. #permissiveSELinuxprintswarningsinsteadofenforcing. #disabledNoSELinuxpolicyisloaded. SELINUX=enforcing #SELINUXTYPE=cantakeoneofthesetwovalues: #targetedOnlytargetednetworkdaemonsareprotected. #strictFullSELinuxprotection. SELINUXTYPE=targeted
34
Configfiles
Directoryunderpolicytypefollowsameformat
35
Configfiles
/etc/selinux/targeted/contexts/files/
36
KernelBootParameters
Kernelparametersoverride/etc/selinux/configsettings selinux=0
BootsthekernelwithSELinuxturnedoff
enforcing=0
37
TargetPolicyManPages
Targetmanpagesexplaincustomfeaturesof thepolicybooleansandfilecontext
httpd_selinux(8)httpdSELinuxPolicydocumentationhttpd_selinux(8) NAME httpd_selinuxSecurityEnhancedLinuxPolicyforthehttpddaemon DESCRIPTION SecurityEnhancedLinuxsecuresthehttpdserverviaflexiblemandatory accesscontrol. FILE_CONTEXTS SELinuxrequiresfilestohaveanextendedattributetodefinethefile type.Policygovernstheaccessdaemonshavetothesefiles.SELinux httpdpolicyisveryflexibleallowinguserstosetuptheirwebser vicesinassecureamethodaspossible. Thefollowingfilecontextstypesaredefinedforhttpd: httpd_sys_content_t Setfileswithhttpd_sys_content_tforcontentwhichisavail ablefromallhttpdscriptsandthedaemon. httpd_sys_script_exec_t Setcgiscriptswithhttpd_sys_script_exec_ttoallowthemto
38
Exercises
DoyouseeadditionalAVCmessages?
39
ModifiedOperatingSystemCommands
ModifiedUtilities
Zisyourfriend
41
ModifiedUtilities
cp
Adoptsdestinationdirectoryorfilessecuritycontext aproblems
mv
MaintainsSourcesDestinationSecuritycontext
install
Setsdefaultsecuritycontextbasedonsystemdefaults
42
ModifiedPrograms
LoginProgramsPAM
sshd,login,xdm passwd,useradd,groupadd
Passwordutilities
rpm
43
Backupanddiscmanagement
tar,zip
Bothnowhaveextendedattributesupport
rsync
X,xattrs
star
starxattrH=exustarcfoutput.tar[files]
amanda tarxv|restoreconf;stillmightbebestoption
44
Exercises:ModifiedLinuxUtilities
Whatisthesecuritycontextonthefile? Isthisaproblem?
Createanewaccountonyourmachine
Whatisthesecuritycontexton/etc/passwd?/etc/shadow? Whydoyousupposetheyaredifferent?
45
SELinuxUtilities
SELinuxUtilities
libselinuxpython
Pythonbindingstolibselinux
47
SELinuxUtilitiesPolicycoreutils
genhomedircon,fixfiles,restorecon,restorecond,setfiles,chcon,chcat audit2allow,audit2why(SeeUnderstandingSELinuxlogmessages) seconSeeanSELinuxcontext,fromafile,programoruserinput. semodule,semodule_deps,semodule_expand,semodule_link, semodule_package(SeeManaginganSELinuxPolicyModules) load_policyloadanewSELinuxpolicyintothekernel run_initRunainitscriptintheproperSELinuxcontext(mls,strict) semanage,systemconfigselinux(SeeManaginganSELinuxsystem) sestatusSELinuxstatustool setsebool,getsebool(SeeCustomizingthepolicywithbooleans) newroleRunashellwithanewSELinuxrole/level(mls,Strict)
48
Exercises:SELinuxUtilities
Isyourmachineinenforcingmode?
Changeitscontexttypetohttpd_exec_t Howwouldyougetthisapplicationtorunashttpd_t?
Correctthecontextofallthefilesinetc
49
UnderstandingAuditMessages
UnderstandingSELinuxlogmessages
AVCAccessVectorCache
messagesin/var/log/messagesor/var/log/audit/audit.log
51
UnderstandingSELinuxlogmessages
AVCMessagescangetcreatedforavarietyofreasons.
Anintruder
52
UnderstandingSELinuxlogmessages
audit2allow
Toolthatgeneratespolicyallowrulesfromlogsofdeniedoperations audit2allowi/var/log/audit/audit.log
allowhttpd_tuser_home_t:filegettattr;
audit2why
53
AnalyzingSELinuxAVCMessages
AVCMessagesreferingtofileslabeled*:file_t
AVCMessagescontainingdefault_t
Probablyalabelingproblem
54
AnalyzingSELinuxAVCMessages
Manysimilarmessagesaboutthesamefile
Thisusuallyindicatesalabelingproblem Forexample:
55
SELinuxTroubleshootTool
setroubleshoot
ServicelistenstoauditdaemonforAVCmessages Thenprocessesplugindatabaseforknownissues
/usr/share/setroubleshoot/plugins
56
57
MissingAVCmessages
SometimesapplicationsfailwithnoAVCmessages
Settingsetenforce0andtheapplicationworks??? dontauditrules
ExpectedAVCsthatcauseappstotakedifferentcodepaths. SometimescoverupRealerrors
RHEL4
Installselinuxpolicytargetedsources makeC/etc/selinux/targeted/src/policyenableauditload
RHEL5
semoduleb/usr/share/selinux/targeted/enableaudit.pp semoduleb/usr/share/selinux/targeted/base.pp
58
Exercises:SELinuxUtilities
Letscreatesomeavcmessages?
WhatauditrulescouldyouaddtosolvetheseAVC? Whydidpolicyrefusethisaccess?
59
ManagingFileLabeling
Managingfilelabeling
Changingafilescontext chcon
Fundamentalutilityusedtochangeafilescontext
chconRthttpd_sys_script_rw_t/var/www/myapp/data chconthttpd_sys_script_t/var/www/cgibin/myapp
/etc/selinux/targeted/contexts/customizable_types
61
Managingfilelabeling
restorecon
Usedtosetafilebacktothesystemdefaults
setfiles
Usedtoinitializeasystem.UsedattheFilesystemlevel Requiresyoutospecifyfile_contextfile
fixfiles
touch/.autorelabel;reboot
62
Managingfilelabeling
Genhomedircon
Usedtogeneratefile_contexts.homedir Sometimeshasproblemswithhomedirlocations.
/etc/selinux/targeted/contexts/files/file_context.local systemconfigsecuritylevel
63
Exercises:Managingfilelabeling
Modify/etc/resolv.conf
Homedirs
64
CustomizingPolicyWithBooleans
Customizingpolicywithbooleans
Booleansareif/then/elsestatementsinpolicy
Configurepolicywithouteditingpolicy getsebool
getseboola
setsebool
setseboolPallow=[1|0]
systemconfigselinux(systemconfigsecuritylevelRHEL4) Turnon/offsectionsofpolicy
setseboolPallow_nfs_home_dirs1 /etc/selinux/targeted/booleans
66
67
ConfiguringPolicy
ApacheExample
Systemadministratorhasmultiplechoicesofpolicy
Booleans
httpd_disable_trans,httpd_enable_cgihttpd_enable_homedirs httpd_tty_comm,httpd_unified
http://fedora.redhat.com/docs/selinuxapachefc3/ manhttpd_selinux
68
Exercises:ManagingBooleans
69
ManagingSELinuxModules
SELinuxModules
ModularPolicy
InRHEL5/FedoraCore5andlater,theconceptofPolicyModules wasintroduced
Thesemodulecommand
71
SELinuxPolicyModules
semodulecommand
72
73
Generatingpolicymodules
Policymodulesconsistsofthreefiles.
TypeEnforcementFile(te)
FileContextFile(fc)
InterfaceFile(if)
DOMAIN_domtrans,DOMAIN_read_config
74
CreatingPolicymoduleswithaudit2allow
Makingsmallcustomizationstopolicy InRHEL4
InRHEL5
grephttp_t/var/log/audit/audit.log|audit2allowMmypolicy
Thiscommandwillgenerateatefileandcompileitintoappfile.
semoduleimypolicy.pp
75
Buildingpolicymodules
Installselinuxpolicydevel
Includesinterfacesforallinstalledpolicymodules /usr/share/selinux/devel
policygentoolhelperapptobeginconstructionofte,if,fcfile include/...directoryhasinterfaces
kernel,services,system,apps,admin
Makefile(usedtocompilepolicymodules).
76
Exercises:ManagingPolicyModules.
using/usr/share/selinux/devel/policygentooltryto generatepcscdpolicy
77
ManagingSELinuxSystems
ManagingSELinuxsystems
allowingapachetolistenonport81 requiredpolicysourcesandtools
InRHEL5
semanageportathttp_port_tPtcp81
79
SemanageCommands
SELinuxUsers
semanageuserl semanageuseraguest_u
LinuxUsertoSELinuxusermapping
semanageloginasguest_udwalsh
FileContext
80
81
82
Exercises:ManagingSELinux
83
ConfiguringAudit
Auditing
AuditsystemreceivesSELinuxEvents
Noauditdrunning
AVCin/var/log/messagesanddmesg
auditdrunning
AVCsin/var/log/audit/audit.log
audit=1Commandrequiredforfullauditing
85
AuditingCAPP/EAL4+
CAPPControlledAccessProtectionProfile
DACProfile Securityfeaturesselection
eal4+.EAssuranceLevel
Leveloftestinganddocumentation
cp/usr/share/doc/audit1.0.12/capp.rules /etc/audit.rules
86
auditctl
Utilitytocontrolthekernelsauditsystem
e[0|1]Disable,Enableaudit SEESteveGrubbAuditBOF...
87
aureport
Generatesummaryreportsofauditlogs
aureportats1:00:00
Generateaavcreportsince1AM
success/failed(Bothifyouselectneither.) summary(Totalsofevents)
88
ausearch
SearchAuditDaemonLogs
89
Exercises:Audit
90
CustomizingApache
CustomizingApachePolicy
httpdmostcomplexdaemoninRHEL4 MostcomplexandconfigurableofanyoftheSELinuxpolicies.
PreventingacompromisedwikiCGIscriptfromcorruptingablog installationownedbythesameperson
92
Exercises:Apache
Ishttpdrunningunderaconfineddomain?
93
Q/A
MoreInformationRedHatEnterpriseLinuxResource
http://www.redhat.com/software/rhel/
SELinuxResources
MailingLists
selinux@tycho.nsa.govNSAList fedoraselinuxlist@redhat.comFedoraSELinuxList
94