www.supinfo.com
Copyright © SUPINFO. All rights reserved
SELinux
Course objectives
By completing this course, you will:
Course topics
Course’s plan:
Introduction: SELinux concepts

How it works
- Software firewalling: SELinux lives in the kernel, traps all syscalls and denies them by default.
- SELinux active with no allow rules can't do anything: each individual syscall must be allowed.
- The complex part: who is concerned by the allow rules.
Security Context
- Allow who to do what. Who? The security context, the basis of every SELinux decision.
- Attached to system objects: files, users, processes.
- Shown with the special -Z option of ls, id, ps, ...
- Format: user:role:type:level, for example system_u:object_r:bin_t:s0
- User: SELinux user != Unix user; authorized to roles and to a level range.
- Role: roles are authorized for domains.
- Type: type for files, domain for processes; rules define the interaction between types.
- Level: MLS access level/classification. Not used by default.
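To make the four fields of a context concrete, here is an added example (not code from the SUPINFO slides) that splits a context string into user, role, type and level, and pulls the context out of the kind of line that ls -Z, ps -eZ and id print. The three sample lines are constructed; the MCS range in the id line shows why the level cannot simply be "the fourth field".

```shell
#!/bin/sh
# Added example, not from the SUPINFO slides: split a security context into its
# user, role, type and level fields, and pull the context out of the kind of
# line that "ls -Z", "ps -eZ" and "id" print. The sample lines are constructed.

# Constructed sample output lines (the real commands print the same shape).
LS_LINE='system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd'
PS_LINE='system_u:system_r:httpd_t:s0 1234 ? 00:00:01 httpd'
ID_LINE='uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# ctx_field CONTEXT FIELD  (FIELD is user, role, type or level).
# The level is the fourth field and may itself contain ":" (an MCS range such
# as s0-s0:c0.c1023), so everything after the third ":" belongs to it. A
# context without a level yields an empty level.
ctx_field() {
    printf '%s\n' "$1" | awk -F: -v f="$2" '{
        if (f == "user")  print $1
        if (f == "role")  print $2
        if (f == "type")  print $3
        if (f == "level") {
            lvl = ""
            for (i = 4; i <= NF; i++) lvl = lvl (i > 4 ? ":" : "") $i
            print lvl
        }
    }'
}

# context_of LINE: the first word of LINE that has the user:role:type shape,
# with the "context=" prefix that id prints stripped off.
context_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            w = $i
            sub(/^context=/, "", w)
            if (w ~ /^[a-z_]+_u:[a-z_]+_r:[a-z_]+_t(:|$)/) { print w; exit }
        }
    }'
}

# Walk the three sample lines: which type (file) or domain (process) each
# object carries, and which SELinux user the logged-in shell runs as.
for line in "$LS_LINE" "$PS_LINE" "$ID_LINE"; do
    ctx=$(context_of "$line")
    printf '%-55s type=%s level=%s\n' "$ctx" "$(ctx_field "$ctx" type)" "$(ctx_field "$ctx" level)"
done
```

Note that the shell in the id line runs as unconfined_u, not as the Unix user root: the two namespaces are mapped to each other at login, as the next slides describe.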
Users, files and processes
- Users: during login, Unix users are mapped to SELinux users.
- Files: labels are stored in extended attributes.
- Processes: inherit the parent's context, or get a new one through a process transition.
Process transitions
Domain selection:
- Default: inherit the parent domain. From a shell: the shell's domain. The shell itself: the default user domain.
- Process transition rules: a domain executing a file having a given "type" will create a process of the "type" named by the rule.

Example
- Default: a shell in unconfined_t executes a bin_t binary; the process runs as unconfined_t.
- Transition rule unconfined_t -> httpd_exec_t -> httpd_t: the shell executes an httpd_exec_t binary; the process runs as httpd_t.

Interactions
Accessing other objects (processes, files, ...):
- Default: everything is denied for everyone.
- Interactions need positive rules for everything; rules most often allow a domain to act on a type.
- The rule set is the policy.
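The two decisions on the slides above, which domain a new process gets on exec and whether an access is allowed, can be walked through on a toy rule set. The following is an added example, not code from the SUPINFO slides: the POLICY text is constructed (the transition line mirrors the unconfined_t -> httpd_exec_t -> httpd_t example; the init_t line and the httpd_* target types are illustrative), and the two functions only mimic the lookup that the kernel performs on a compiled policy.

```shell
#!/bin/sh
# Added example, not from the SUPINFO slides: a toy evaluator for domain
# transitions on exec and for default-deny access checks, over a constructed,
# deliberately tiny rule set. Real policies are compiled into the kernel; this
# only mimics the two lookups described on the slides.

# Constructed rule set. "transition SRC EXEC_TYPE NEW" mirrors the slide's
# unconfined_t -> httpd_exec_t -> httpd_t; "allow SRC TGT CLASS PERM" is one
# positive rule each.
POLICY='transition unconfined_t httpd_exec_t httpd_t
transition init_t httpd_exec_t httpd_t
allow unconfined_t bin_t file execute
allow unconfined_t httpd_exec_t file execute
allow httpd_t httpd_sys_content_t file read
allow httpd_t httpd_sys_content_t file getattr
allow httpd_t httpd_log_t file append'

# next_domain CURRENT EXEC_TYPE: domain of the process created when a process
# in CURRENT executes a file of type EXEC_TYPE. Without a matching transition
# rule the domain is simply inherited.
next_domain() {
    match=$(printf '%s\n' "$POLICY" | awk -v d="$1" -v t="$2" \
        '$1 == "transition" && $2 == d && $3 == t { print $4; exit }')
    printf '%s\n' "${match:-$1}"
}

# access_check DOMAIN TYPE CLASS PERM: "allowed" only when an allow rule exists
# for exactly that tuple; everything else is denied, which is the default.
access_check() {
    if printf '%s\n' "$POLICY" | awk -v d="$1" -v t="$2" -v c="$3" -v p="$4" \
        '$1 == "allow" && $2 == d && $3 == t && $4 == c && $5 == p { found = 1 }
         END { exit !found }'; then
        echo allowed
    else
        echo denied
    fi
}

# The slide's example: a shell in unconfined_t runs a bin_t binary (no
# transition), then the httpd_exec_t binary (transition to httpd_t); the web
# server then attempts one permitted and two unpermitted accesses.
next_domain unconfined_t bin_t                       # unconfined_t
next_domain unconfined_t httpd_exec_t                # httpd_t
access_check httpd_t httpd_sys_content_t file read   # allowed
access_check httpd_t httpd_log_t file write          # denied (only append is allowed)
access_check httpd_t shadow_t file read              # denied (no rule at all)
```

The toy deliberately ignores what a real transition additionally requires: the source domain must be allowed to execute the file type, to transition to the new domain, and the new domain must have the file type as an entrypoint. The point it does show is the default: with no rule, the answer is always "denied", and the only way to change that is a positive rule in the policy.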
Stop-and-think
Select the SELinux context members:
- user
- group
- role
- type
SELinux: Policies

What's a policy?
- Label and allow.
- File contexts: which file gets what context.
- TE rules: which domain can do what (mostly syscalls and transitions).
- Modular: one module per service/process.
- Default policy: targeted.
Stop-and-think
Using the default policy, users are bound to strict rules.
- True
- False
SELinux: States
- SELinux is built into the kernel: it is always there.
- Enabled or disabled: the selinux=0|1 kernel parameter; the sestatus command shows the state.
- When enabled, two modes: permissive (log denials, don't enforce them) and enforcing (log denials and deny). Switch between them with setenforce.
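As an added example (not code from the SUPINFO slides), the script below determines the state the way sestatus does, from the kernel's selinuxfs, and reads the selinux=0|1 parameter from a kernel command line. The command line is constructed; /sys/fs/selinux is the standard mount point and /sys/fs/selinux/enforce is the flag that setenforce toggles.

```shell
#!/bin/sh
# Added example, not from the SUPINFO slides: determine the SELinux state the
# way sestatus does (from selinuxfs) and read the selinux=0|1 boot parameter
# from a kernel command line. CMDLINE is constructed; the selinuxfs path is the
# standard mount point.

# kparam NAME CMDLINE: the value of NAME=value in CMDLINE, or empty if absent.
kparam() {
    printf '%s\n' "$2" | tr ' ' '\n' | awk -F= -v n="$1" '$1 == n { print $2; exit }'
}

# mode_name FLAG: the run-time mode encoded by the "enforce" flag that
# setenforce 0|1 toggles: 0 logs denials only, 1 logs and denies.
mode_name() {
    case "$1" in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo unknown ;;
    esac
}

# selinux_mode [SELINUXFS]: "disabled" when selinuxfs is not mounted (a kernel
# without SELinux, or one booted with selinux=0), else permissive or enforcing.
selinux_mode() {
    fs=${1:-/sys/fs/selinux}
    if [ -r "$fs/enforce" ]; then
        mode_name "$(cat "$fs/enforce")"
    else
        echo disabled
    fi
}

# Constructed command line of a host booted with SELinux switched off.
CMDLINE='BOOT_IMAGE=/vmlinuz-6.1 root=/dev/vda1 ro selinux=0 quiet'

echo "boot parameter selinux=$(kparam selinux "$CMDLINE")"
echo "current mode: $(selinux_mode)"
```

A host that reports "disabled" here has no labels being checked at all, whatever /etc/selinux/config says; "permissive" still produces the denial log lines that the audit2allow slides rely on, which is why it is the mode used while a policy is being written.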
Working with SELinux

User mapping
SELinux user <-> Unix user:
semanage login -l
semanage login -m -S policy -r s0 -s seuser luser
Argument Definitions
-m Modify mode
-S Policy store
-r MLS/MCS range
-s SELinux user
Example (map every Unix login without an explicit entry to user_u):
semanage login -m -S default -r s0 -s "user_u" __default__
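To see what the mapping means for a given login, here is an added example (not code from the SUPINFO slides) that resolves a Unix login to its SELinux user and range from the table that semanage login -l prints, applying the __default__ fallback the way login does. SAMPLE is a constructed copy of that table (the alice entry is invented); on a real host it would be replaced by the command's output.

```shell
#!/bin/sh
# Added example, not from the SUPINFO slides: resolve which SELinux user (and
# MLS/MCS range) a Unix login is mapped to, from the table that
# "semanage login -l" prints, and list the logins that land in a given SELinux
# user. SAMPLE is a constructed copy of that table.

SAMPLE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
alice                user_u               s0                   *'

# seuser_of LOGIN: "seuser range" for LOGIN. A login with no entry of its own
# gets the __default__ mapping, exactly as at login time.
seuser_of() {
    printf '%s\n' "$SAMPLE" | awk -v u="$1" '
        NR > 1 && NF >= 3 { map[$1] = $2 " " $3 }
        END { if (u in map) print map[u]; else print map["__default__"] }'
}

# logins_in SEUSER: the logins mapped to SEUSER, space separated. Checking who
# ends up in unconfined_u is the usual first review of a user mapping.
logins_in() {
    printf '%s\n' "$SAMPLE" | awk -v s="$1" '
        NR > 1 && $2 == s { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

echo "alice -> $(seuser_of alice)"        # explicit entry
echo "bob   -> $(seuser_of bob)"          # falls back to __default__
echo "unconfined logins: $(logins_in unconfined_u)"
```

With this table, bob (no entry) becomes unconfined_u, i.e. the targeted policy confines him no more than root. The slide's command, semanage login -m -S default -r s0 -s "user_u" __default__, changes that fallback so that only logins with an explicit entry stay unconfined.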
Contexts
Change the security context of a file:
-R Recursive on directories

Restore/relabel a file according to the policy settings:
-R Recursive on directories
-v Verbose
Example:
restorecon -v -R /usr/sbin/apache2
Stop-and-think
Each Unix user has his SELinux counterpart.
- True
- False
SELinux: Policy customization

Using audit2allow
- Generate allow rules from the logged denials.

Create a module
- Compile the TE rules using checkmodule.
- -M: enable MLS/MCS. Required if the policy also has this enabled.

Create a package
- Built from the module and the file contexts.

Install the package with semodule
- -D: disable the dontaudit rules, so that normally silent denials get logged; -B: rebuild and reload the policy; -i: install a package.
Example:
semodule -DB
semodule -i local.pp
Working with policies
audit2allow sample
Generated rules:
require {
type init_exec_t;
[...]
class dir { write remove_name };
[...]
}
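The workflow above (audit2allow, then checkmodule, then packaging, then semodule -i) starts from AVC denial records, and the step worth understanding is the first one: which rules the denials turn into. The script below is an added example, not code from the SUPINFO slides or from the audit2allow tool itself: a small imitation of that step over three constructed AVC records (the httpd_t, var_log_t and postgresql_port_t names are standard targeted-policy types, the pids and inode numbers are invented), producing the module source with the require block that checkmodule needs.

```shell
#!/bin/sh
# Added example, not from the SUPINFO slides: an educational imitation of the
# audit2allow step, so that the rules it would generate from AVC denials can
# be read and reviewed before anything is compiled or loaded. The records in
# SAMPLE_AVC are constructed; on a real host the input is the audit log.
export LC_ALL=C

SAMPLE_AVC='type=AVC msg=audit(1700000000.123:42): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="vda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:43): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.789:44): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.log" dev="vda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_to_te: read audit records on stdin, print one "allow" rule per denial
# (source domain, target type, class and the permission that was refused).
# Granted records and non-AVC lines are ignored.
avc_to_te() {
    awk '/avc:  denied/ {
        perms = $0; sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        printf "allow %s %s:%s { %s };\n", s[3], t[3], cls, perms
    }'
}

# te_module NAME: complete module source for the records on stdin, with the
# "require" block that checkmodule needs (every type and class referenced)
# and the permissions merged per source/target/class pair.
te_module() {
    rules=$(avc_to_te)
    # "src tgt:class perm", one line per permission, sorted and de-duplicated
    triples=$(printf '%s\n' "$rules" | awk '{
        p = $0; sub(/.*[{] /, "", p); sub(/ [}].*/, "", p)
        n = split(p, ps, " ")
        for (i = 1; i <= n; i++) print $2, $3, ps[i]
    }' | sort -u)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$triples" | awk '{ split($2, a, ":"); print "\ttype " $1 ";"; print "\ttype " a[1] ";" }' | sort -u
    printf '%s\n' "$triples" | awk '{ split($2, a, ":"); print a[2], $3 }' | sort -u | awk '
        $1 != c { if (c != "") print "\tclass " c " { " perms "};"; c = $1; perms = "" }
        { perms = perms $2 " " }
        END { if (c != "") print "\tclass " c " { " perms "};" }'
    printf '}\n\n'
    printf '%s\n' "$triples" | awk '
        ($1 " " $2) != c { if (c != "") print "allow " c " { " perms "};"; c = $1 " " $2; perms = "" }
        { perms = perms $3 " " }
        END { if (c != "") print "allow " c " { " perms "};" }'
}

printf '%s\n' "$SAMPLE_AVC" | te_module local
```

Reading the output before loading it is the whole point: a denial is only sometimes a missing rule. The var_log_t denials above, for instance, typically mean the application's log file carries the wrong label and the fix is a file context plus restorecon rather than giving httpd_t write access to every file under /var/log. The real tools then take over: audit2allow -M local writes local.te and local.pp in one go, or checkmodule -M -m -o local.mod local.te compiles the source, semodule_package -o local.pp -m local.mod -f local.fc packages it with the file contexts, and semodule -i local.pp installs it.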
Creating a policy
Confine a process:
- audit2allow: customize an existing policy.
- policygentool binary: create from scratch.
Policy module:
- TE rules: module.te
- File contexts: module.fc
File contexts
Setting the file labels in module.fc; each line gives:
- The concerned files (supports regexes).
- The file context keyword, which assigns the context/level to the file(s).
- The security context as user:role:type.
- The level: sensitivity of the file for MLS/MCS, s0.
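This block serves both the Contexts slide (restoring a file's label "according to policy settings") and the module.fc slide just above: as an added example (not code from the SUPINFO slides), it looks up the context a .fc specification assigns to a path and compares it with the type a file currently carries, which is the check restorecon performs before relabeling. FC is a constructed fragment in the reference-policy style the slide describes (path regex, optional file type, gen_context(user:role:type,level)); the myapp types are hypothetical.

```shell
#!/bin/sh
# Added example, not from the SUPINFO slides: look up the context a module.fc
# specification assigns to a path, and compare it with the label a file
# currently carries. FC is a constructed fragment; the myapp types are
# hypothetical.

FC='/usr/sbin/myapp                  --  gen_context(system_u:object_r:myapp_exec_t,s0)
/var/lib/myapp(/.*)?                     gen_context(system_u:object_r:myapp_var_lib_t,s0)
/var/lib/myapp/secrets(/.*)?             gen_context(system_u:object_r:myapp_secret_t,s0)
/var/log/myapp\.log.*                --  gen_context(system_u:object_r:myapp_log_t,s0)'

# fc_lookup PATH: "user:role:type:level" from the last specification whose
# regex matches the whole PATH (later, more specific lines override earlier
# ones, as in the system file_contexts), or nothing when no line matches.
fc_lookup() {
    printf '%s\n' "$FC" | awk -v p="$1" '
        /^[[:space:]]*(#|$)/ { next }
        {
            re = "^" $1 "$"
            ctx = $0
            sub(/.*gen_context\(/, "", ctx); sub(/\).*/, "", ctx); sub(/,/, ":", ctx)
            if (p ~ re) found = ctx
        }
        END { if (found != "") print found }'
}

# label_check PATH CURRENT_TYPE: "ok" when the type the policy assigns to PATH
# equals the type the file currently has (the third field of its context, as
# shown by ls -Z), "mismatch" otherwise, "unlabeled" when no line matches.
label_check() {
    want=$(fc_lookup "$1")
    [ -z "$want" ] && { echo unlabeled; return; }
    want_type=$(printf '%s\n' "$want" | cut -d: -f3)
    [ "$want_type" = "$2" ] && echo ok || echo mismatch
}

fc_lookup /usr/sbin/myapp                                     # myapp_exec_t
fc_lookup /var/lib/myapp/secrets/key.pem                      # myapp_secret_t, not myapp_var_lib_t
label_check /var/lib/myapp/secrets/key.pem myapp_var_lib_t    # mismatch: restorecon would relabel
label_check /var/log/myapp.log myapp_log_t                    # ok
```

The secrets path shows why ordering matters in a .fc file: both the /var/lib/myapp line and the /var/lib/myapp/secrets line match, and the later, more specific one wins. A manual change with chcon is overwritten by restorecon for exactly this reason: only the context the policy's specification computes survives a relabel.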
Stop-and-think
For a process to run, you must allow all its attempted actions.
- True
- False
SELinux: Course summary
- SELinux: how it works.
- Policies, denials and booleans.
- Confine processes: customize a policy, create a policy.
- SELinux commands.
For more
If you want to go into these subjects more deeply, …
Publications: www.supinfo.com, www.labo-linux.org, www.selinuxproject.org
Courses: Cisco CCNA, RMLL, FOSDEM, Solution Linux
Congratulations
You have successfully completed
the SUPINFO course module n°07
SELinux
The end