
SELinux

The syscall firewall

www.supinfo.com
Copyright © SUPINFO. All rights reserved
SELinux

Course objectives
By completing this course, you will:

- Talk about SELinux. What does it do? How?
- Configure SELinux. Active or inactive? Permissive or enforcing?
- Tune the default policy. Using booleans.
- Custom rules. Learn how to use audit2allow.
- Write policies. Confine processes with your very own rules.
SELinux

Course topics
Course plan:

- Introduction. SELinux concepts.
- Policies. Walk in, see this, what to?
- Working with SELinux. Operating modes and common commands.
- Working with policies. Customize and create.
SELinux

Introduction

SELinux concepts
Introduction

How it works
Software firewalling.

- Lives in the kernel
- Traps all syscalls
  - Denies them by default
  - SELinux active with no allow rules: can't do anything
  - Must allow each individual syscall
- Complex part
  - Who is concerned by the allow rules
Introduction

Security Context
Allow who to do what: Who?

- Security context
  - SELinux decision basis
  - Files
  - Users
  - Processes
- Special -Z option for
  - ls
  - id
  - ps
  - ...
Introduction

Security Context
Attached to system objects

Example context: system_u:object_r:bin_t:s0

- user (system_u): SELinux user != Unix user. Authorized to roles and for a level range.
- role (object_r): Roles are authorized for domains.
- type (bin_t): Type for files, domain for processes. Rules define the interactions between types.
- level (s0): MLS access level/classification. Not used by default.
Introduction

System objects & Context


How do system objects get their context?

- Users
  - During login
  - Mapping Unix users -> SELinux users.
- Files
  - Labels
  - Extended attributes
- Processes
  - Inherit the parent's context
  - Process transition
Introduction

Process transitions
Domain selection

- Default
  - Inherit the parent domain
  - From a shell: the shell's domain
  - Shell: the default user domain
- Process transition rules
  - A domain
  - Executing a file having "type"
  - Will create a process of "type"
Introduction

Process transitions
Example

- Default
  - Shell runs as unconfined_t
  - Execute a bin_t binary
  - Process runs as unconfined_t
- Transition rule
  - unconfined_t -> httpd_exec_t -> httpd_t
  - Execute an httpd_exec_t binary
  - Process runs as httpd_t
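The two slides above describe the context format (user:role:type:level) and the domain-selection rule (inherit the parent domain unless a transition rule matches the executable's type). The following Python, added here as an illustration and not taken from the SUPINFO deck, parses contexts as printed by ls -Z / ps -Z and simulates that decision. The transition table is a toy subset assumed for the example; on a real system the rules live in the loaded policy and are queried with sesearch, not reimplemented.

```python
"""Added example: parse SELinux contexts and simulate domain selection on exec.

The TYPE_TRANSITIONS table below is an assumption made for this example; it
only reproduces the slide's unconfined_t -> httpd_exec_t -> httpd_t case.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str   # SELinux user (system_u, unconfined_u, ...), not the Unix user
    role: str   # object_r for files, a user or daemon role for processes
    type: str   # a type for files, a domain for processes
    level: str  # MLS/MCS sensitivity; plain "s0" on a targeted policy


def parse_context(text: str) -> Context:
    """Split 'user:role:type:level' as shown by ls -Z / ps -Z.

    The level itself may contain ':' (e.g. 's0-s0:c0.c1023'), so only the
    first three ':' are field separators.
    """
    parts = text.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a user:role:type:level context: {text!r}")
    return Context(*parts)


# Toy type_transition rules: (parent domain, executable type) -> new domain.
TYPE_TRANSITIONS = {
    ("unconfined_t", "httpd_exec_t"): "httpd_t",
    ("init_t", "httpd_exec_t"): "httpd_t",
}


def domain_after_exec(process_ctx: Context, file_ctx: Context) -> Context:
    """Context of the new process when process_ctx executes file_ctx.

    Default: inherit the parent's domain.  If a transition rule matches the
    (parent domain, executable type) pair, the new process gets the target
    domain instead.  User, role and level are carried over unchanged; the
    role_transition rules a full policy may contain are not modelled here.
    """
    new_type = TYPE_TRANSITIONS.get((process_ctx.type, file_ctx.type),
                                    process_ctx.type)
    return Context(process_ctx.user, process_ctx.role, new_type, process_ctx.level)


if __name__ == "__main__":
    shell = parse_context("unconfined_u:unconfined_r:unconfined_t:s0")
    ls_bin = parse_context("system_u:object_r:bin_t:s0")            # e.g. /bin/ls
    httpd_bin = parse_context("system_u:object_r:httpd_exec_t:s0")  # e.g. /usr/sbin/httpd
    print("exec bin_t        ->", domain_after_exec(shell, ls_bin).type)     # unconfined_t
    print("exec httpd_exec_t ->", domain_after_exec(shell, httpd_bin).type)  # httpd_t
```

The point to take from it: the type of the executable, not its path or owner, decides whether the child stays in the parent's domain or enters a confined one, which is why relabelling a binary (chcon / restorecon, later in the course) changes how it is confined.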
Introduction

Interactions
Accessing other objects (processes, files, ...)

- Default
  - Everything denied for everyone
- Interactions
  - Positive rules for everything
  - Rules often allow a domain onto a type
- Rule set
  - Policy
Introduction

Stop-and-think

Do you have any questions ?


Introduction

Stop-and-think
Select the SELinux context members

- user
- group
- role
- type
SELinux

Policies

Walk in, see this. What to?


Policies

What's a policy?
Label and allow

- File contexts
  - Which file gets what context
- TE rules
  - Which domain can do what (mostly syscalls, transitions)
- Modular
  - Per service/process
- Default
  - Targeted/Default
Policies

The default policy

Targeted/Default

- Targets specific processes
  - Confined domains
  - Can only do what's explicitly allowed
  - Per service
- Unconfined domain
  - For users
  - Unconfined
- Tweakable
  - Booleans
Policies

Working with booleans

Booleans?

- Tweak the default policy behavior
  - More or less restrictive
- getsebool
  - Get current settings
- setsebool
  - Tweak booleans
- Examples
  - Users can(not) ping
  - Users can(not) dmesg
  - ...
Policies

Stop-and-think

Do you have any questions ?


Policies

Stop-and-think
Using the default policy, users are bound to strict rules

- True
- False
SELinux

Working with SELinux

Operating modes and common commands


Working with SELinux

States
SELinux builtin? Always here!

- Enabled or disabled
  - selinux=0|1 kernel parameter
  - sestatus command
- Enabled
  - Permissive
    - Log denials
    - Don't enforce them
  - Enforcing
    - Log denials and deny
  - setenforce
Working with SELinux

User mapping
SELinux <-> Unix user

semanage login -l
semanage login -m -S policy -r s0 -s seuser luser

Argument definitions

-l      List the current mappings
-m      Modify mode
-S      Policy store to operate on
-r      MLS/MCS range
-s      SELinux user
luser   Unix user to map. __default__ special value.

Example:
semanage login -m -S default -r s0 -s "user_u" __default__
Working with SELinux

Contexts
Change the security context of a file

chcon [-R] context file
chcon [-R] [-u user] [-r role] [-t type] file

Argument definitions

-R            Recursive on directories
context       user:role:type formatted context
-u, -r, -t    Alter individual parts of the security context

Example:

chcon -t apache2_exec_t /usr/sbin/apache2


Working with SELinux

Contexts
Restore/relabel a file according to policy settings

restorecon [-vR] file

Argument definitions

-R      Recursive on directories
-v      Verbose
file    File or directory to operate on.

Example:

restorecon -v -R /usr/sbin/apache2
Working with SELinux

Stop-and-think

Do you have any questions ?


Working with SELinux

Stop-and-think
Each Unix user has his SELinux counterpart.

- True
- False
SELinux

Working with policies

Customize and create.


Working with policies

Policy customization
Using audit2allow

1. Disable dontaudit rules
2. Run the process
3. Feed audit2allow with the deny messages.
4. Redirect audit2allow output to a file
5. Compile the file to a module
6. Package the module.
7. Load the package

Working with policies

Generate rules
Using audit2allow

audit2allow -m name -i read-from > file.te

Argument definitions

name        Module name to create
read-from   File the deny messages are read from
file.te     Redirect the Type Enforcement rules to this file.

Example:

audit2allow -m local -i /var/log/audit/audit.log > local.te
Working with policies

Create a module
Compile TE rules using checkmodule

checkmodule -M -m -o output input

Argument definitions

-M          Enable MLS/MCS. Required if the policy also has this enabled.
-m          Generate a module that inserts into an existing policy
-o output   Write the compiled module to this file
input       Read TE rules from that file

Example:

checkmodule -M -m -o local.mod local.te
Working with policies

Create a package
From module and file contexts

semodule_package -o out.pp -m inmod [-f infc]

Argument Definitions

out.pp The package to be created.

inmod The compiled TE module to package

infc The File Context rules to package

Example:

semodule_package -o local.pp -m local.mod


Working with policies

Work with modules


The semodule command

semodule [-D] [-B] [-i pkg_file] [-d|-e|-r module-name]

Argument Definitions

-D,-B Disable dontaudit / Rebuild policy

-i Install the specified package file

-d,-e,-r Disable, enable, remove the named package.

Example:

semodule -DB
semodule -i local.pp
Working with policies

audit2allow sample
Generated rules:

    module local 1.0;

    require {
        type init_exec_t;
        [...]
        class dir { write remove_name };
        [...]
    }

    #============= user_t ==============
    allow user_t devlog_t:sock_file write;
    allow user_t init_exec_t:file { read execute open getattr execute_no_trans };
    [...]
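To make the shape of the generated module above concrete, and to show what steps 3 and 4 of the audit2allow procedure actually do with the log, here is a minimal re-implementation in Python of the part of audit2allow that turns AVC denials into allow rules. This is an added example, not the deck's code and not the real audit2allow; the audit lines are constructed for the example in the kernel's AVC record layout, and the module name and types are taken from the slide.

```python
"""Added example: a minimal audit2allow.

Reads AVC denial records, groups the denied permissions per
(source type, target type, class) and renders a .te module in the
layout audit2allow -m produces.  SAMPLE_AUDIT_LOG is constructed for
this example, not captured from a real system.
"""
import re
from collections import defaultdict

# An AVC record: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="logger" name="log" dev="tmpfs" ino=12 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="logger" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { read open } for  pid=1235 comm="bash" path="/sbin/init" dev="sda1" ino=99 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { execute getattr execute_no_trans } for  pid=1235 comm="bash" path="/sbin/init" dev="sda1" ino=99 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
"""


def type_of(context: str) -> str:
    """Third field of user:role:type[:level]: TE rules key on types only."""
    return context.split(":")[2]


def parse_denials(log_text: str):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # SYSCALL, USER_AVC, ... records carry no denial
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def generate_te(module: str, denials, version: str = "1.0") -> str:
    """Render the module header, require block and allow rules."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)

    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};" for cls in sorted(classes)]
    out += ["}", ""]

    by_source = defaultdict(list)
    for key in sorted(denials):
        by_source[key[0]].append(key)
    for src, keys in by_source.items():
        out.append(f"#============= {src} ==============")
        for _, tgt, cls in keys:
            perms = sorted(denials[(src, tgt, cls)])
            perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {src} {tgt}:{cls} {perm_txt};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Every denial becomes an allow rule: read the output before loading it,
    # a process does not need all of its attempted actions to be allowed.
    print(generate_te("local", parse_denials(SAMPLE_AUDIT_LOG)))
```

Two things the slides' procedure relies on are visible here: dontaudit rules hide denials from the log, so step 1 (semodule -DB) matters, and the tool is purely mechanical, so the resulting .te still needs a review before it is compiled and loaded.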
Working with policies

Creating a policy
Confine a process

- audit2allow
  - Customize an existing policy
- policygentool binary
  - Create from scratch
- Policy module
  - TE rules: module.te
  - File contexts: module.fc
Working with policies

File contexts
Setting the file labels in module.fc

File context line:

/var/www(/.*)?    gencontext(ctx, level)

- /var/www(/.*)?   Concerned files. Supports regexes.
- gencontext       Keyword. Assigns ctx/level to the file(s).
- ctx              The security context as user:role:type.
- level            Sensitivity of the file for MLS/MCS. s0.
Working with policies

How to create a policy?

1. Create a directory for the policy files
2. Run policygentool on the binary in that directory
3. Copy/link the SELinux-supplied Makefile into it
4. Use "make" to compile your files into a module
5. Insert the module and try to run the binary.
6. Watch the log for denied actions
7. Edit the TE/FC files and go back to step 4 (as needed)


Working with policies

Stop-and-think

Do you have any questions ?


Working with policies

Stop-and-think
For a process to run, you must allow all its attempted actions.

- True
- False
SELinux

Course summary

- SELinux: how it works
- Policies, denials and booleans
- SELinux commands
- Customize a policy
- Confine processes: create a policy
SELinux

For more
If you want to go into these subjects more deeply, ...

Courses: Cisco CCNA
Web sites: www.supinfo.com, www.labo-linux.org, www.selinuxproject.org
Conferences: RMLL, FOSDEM, Solution Linux
Congratulations
You have successfully completed
the SUPINFO course module n°07
SELinux
SELinux

The end

- semodule -BD
- audit2allow
