Security Enhanced Linux:
SELinux
Emre Can Kucukoglu
eckucukoglu@gmail.com
Research & Development Engineer
05.02.2015
Outline
What is SELinux
What can SELinux do
What SELinux cannot do
Why should SELinux be used
Getting SELinux
SELinux modes
Basic concepts
Linux user mapping
Logging
MLS and MCS
SELinux policies
Userland tools
Performance
License
SELinux demo on Fedora
Questions about SELinux
References
What is SELinux (1/1)
An internal firewall between programs.
A Linux Security Module (LSM)
Others are SMACK, TOMOYO and AppArmor.
Mandatory Access Control (MAC)
The loaded policy, not the owner of a resource, decides which subjects can access which objects.
Subjects: users, programs (processes).
Objects: files, devices, sockets, etc.
What can SELinux do (1/2)
Prevents
processes from reading or tampering with data and programs,
bypassing application security mechanisms,
executing untrustworthy programs,
interfering with other processes in violation of the system security
policy.
Confines the potential damage that can be caused by
malicious or flawed programs, but only as far as the policy actually confines them: a process running in an unconfined domain gains nothing.
What can SELinux do (2/2)
Type enforcement
every access decision is made on the SELinux type of the subject's context and the type of the object's context.
Role-based access control
decides which domains (types for processes) a role is allowed to enter, and which roles a user may take on.
Multi-level security
classification of data by sensitivity level (and categories), with clearances for subjects.
What SELinux cannot do (1/1)
Resource limits (CPU, memory, number of processes) are outside the scope of an access control
system.
grsecurity, cgroups or PAM (pam_limits) are recommended for that.
It also does not fix bugs in a confined program; it only bounds what a compromised process can reach.
Why should SELinux be used (1/1)
In multifunctional systems, to separate
functionalities, e.g.
a web server, a mail server and a DNS server on one host,
on an Arcelik smart TV, the money-transaction and entertainment processes,
on an Arcelik cash register (yazarkasa), the Aygaz application and the Yapi Kredi
application.
Getting SELinux (1/5)
SELinux support has been included in the
mainline Linux kernel since 2.6 (2003), available from
kernel.org; no out-of-tree kernel patch is needed.
Getting SELinux (2/5)
SE-enabled Linux kernel (Kconfig symbols, under Security options):
CONFIG_SECURITY_SELINUX
NSA SELinux support.
CONFIG_DEFAULT_SECURITY_SELINUX
Set SELinux as the default security module (since Linux 5.1 the module order comes from the CONFIG_LSM string or the lsm= boot parameter instead).
CONFIG_SECURITY_SELINUX_AVC_STATS
Collect access vector cache statistics (/sys/fs/selinux/avc/cache_stats).
CONFIG_SECURITY_SELINUX_BOOTPARAM
Allows SELinux to be disabled at boot (selinux=0).
CONFIG_SECURITY_SELINUX_DEVELOP
Enables permissive mode, needed to experiment with SELinux and develop policies; without it the kernel is always enforcing and setenforce 0 / enforcing=0 have no effect, which is what a locked-down production kernel wants.
CONFIG_SECURITY_SELINUX_DISABLE
Allows SELinux to be disabled at runtime (via /sys/fs/selinux/disable); long deprecated and removed in Linux 6.4.
Getting SELinux (3/5)
SELinux userland packages [gse]
checkpolicy
policy compiler.
uses libsepol.
libselinux
library for security-aware applications.
uses libsepol.
libsemanage
library for policy management tools.
uses libsepol, libselinux.
Getting SELinux (4/5)
SELinux userland packages [gse]
libsepol
library for binary policy manipulation.
no dependency.
policycoreutils
several policy-related utilities.
uses libselinux, libsepol, libsemanage.
sepolgen
Python library that forms the core of modern audit2allow.
Getting SELinux (5/5)
Policy
SELinux reference policy project [rpp]
SELinux modes (1/2)
Permissive
Policy is loaded and denials are logged, but nothing is blocked.
Requires CONFIG_SECURITY_SELINUX_DEVELOP.
extra: Permissive domain recipe [pdr] (semanage permissive puts one domain into permissive mode while the rest of the system stays enforcing).
Enforcing
Security policy is enforced; denials are logged and blocked.
Disabled
No security policy is loaded and new files get no labels, so a later switch back needs a full relabel (touch /.autorelabel before rebooting).
Requires CONFIG_SECURITY_SELINUX_BOOTPARAM.
Add selinux=0 to the kernel boot line.
SELinux modes (2/2)
Temporarily switch (until reboot):
# setenforce 1 /* Enforcing */
# setenforce 0 /* Permissive */
Permanently:
edit /etc/selinux/config
SELINUX=enforcing
SELINUX=permissive
SELINUX=disabled
edit boot parameters (override the configuration file):
enforcing=0 /* Permissive */
enforcing=1 /* Enforcing */
setenforce only toggles between enforcing and permissive; switching to or from disabled needs a reboot.
Basic concepts (1/5)
Security context
Every process and object has a context.
Syntax: user:role:type[:range]
The MLS/MCS range is optional.
A process inherits its context on fork and keeps it on exec unless a type transition applies; a new file inherits the type of its parent directory unless a type transition applies.
Users
Different from Linux users*
SELinux users do not change during a user session, whereas the Linux user
might change via su or sudo.
suffix: *_u, e.g. user_u
Each SELinux user is associated with one or more roles it is allowed
to use.
Basic concepts (2/5)
Roles
A SELinux user may be allowed to take on one or more roles.
suffix: *_r, e.g. user_r
Each role is associated with one or more domains (process types) it is allowed to
enter.
Types
Determine access permissions; a type assigned to a process is called a domain.
suffix: *_t, e.g. music_t
associated with processes or objects.
Attributes
Group types with similar properties, so one rule can refer to all of them.
Basic concepts (3/5)
Ranges
Security level (low-high), present only if the policy supports MCS / MLS.
Object classes
Categories of objects (file, dir, process, tcp_socket, ...).
# ls /sys/fs/selinux/class
Each class has its own set of permissions. [ocp]
# ls /sys/fs/selinux/class/tcp_socket/perms/
Rules
Specified using the type of the process (source) and the type of the object (target), plus the object class and the permissions; anything not explicitly allowed is denied.
e.g. allow user_t user_home_t:file { create read write };
Basic concepts (4/5)
Booleans
Switch conditional parts of the policy on or off at runtime without reloading it.
# getsebool -a
# sesearch -b user_dmesg -AC
ET allow user_t kernel_t : system syslog_read ; [ user_dmesg ]
In the -C output the first letter (E/D) says whether the rule is currently enabled or disabled, the second (T/F) whether the rule lives in the true or the false branch of the conditional; here the rule is enabled because the user_dmesg boolean is on.
Constraints
Restrict under which circumstances an operation is allowed, on top of the allow rules;
circumstances that don't match the constraint are denied even if an allow rule exists.
# seinfo --constrain
e.g. constrain dir_file_class_set { create relabelto relabelfrom } (
u1 == u2
or t1 == can_change_object_identity );
Basic concepts (5/5)
Type transition
for objects (files):
# sesearch -T
type_transition [Creating Subject type] [Parent Object type] : [Class
of new Object] [New Object Type]
for subjects (processes):
# pstree -Z
# sesearch -T -c process
type_transition [Parent process type] [Type of the executable file] : process [New type of
the process created]
A transition only takes effect together with allow rules: the parent domain needs execute on the file and transition on the new domain, and the new domain needs the file as entrypoint.
Linux user mapping (1/1)
Map a Linux user to exactly one
SELinux user. [ual]
Multiple Linux users can be
mapped to the same SELinux
user.
# semanage login -l
# semanage login -a -s staff_u emrecan
Linux users without an explicit mapping get the __default__ entry, which is unconfined_u on the targeted policy.
Logging (1/1)
Denials are logged through the audit subsystem as type=AVC records:
/var/log/audit/audit.log (without auditd running they go to the kernel log instead).
Permissive mode generates more log
messages, because the process is not stopped at the first denial and every later denied access is logged as well.
Denials covered by dontaudit rules are not logged at all; semodule -DB rebuilds the policy with dontaudit rules disabled and semodule -B restores them.
# cat /var/log/audit/audit.log | audit2allow -r
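The slide says denials land in audit.log and can be turned into rules with audit2allow. As an added example, not from the original slides and not the audit2allow code itself, the following shell script re-implements the core of that mapping in awk over a few constructed AVC records, so the path from a denial (source type, target type, class, permissions) to an allow rule is visible, and adds a per-domain summary that flags records logged in permissive mode. The log lines, PIDs and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original slides): a minimal audit2allow in awk,
# plus a per-domain denial summary. Input lines are constructed.

# Constructed AVC records: four denials for httpd_t, the last one while the
# domain was permissive, plus a SYSCALL record that must be ignored.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1423132800.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1423132800.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/osman/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1423132800.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1423132801.001:459): avc:  denied  { read write } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1423132801.001:459): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
EOF
}

# avc_to_rules [FILE...]: one "allow source target:class { perms };" line per
# (source type, target type, class), permissions merged and de-duplicated.
# Only the third field (type) of each context matters for a TE rule.
avc_to_rules() {
    awk '
    /type=AVC/ && /denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)      # keep text after "denied {"
        sub(/ *[}].*/, "", perms)              # drop "} for ..." and the rest
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        split(s, sf, ":"); split(t, tf, ":")
        key = sf[3] " " tf[3] ":" c
        n = split(perms, pl, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, pl[j]]++) rules[key] = rules[key] " " pl[j]
    }
    END { for (k in rules) printf "allow %s {%s };\n", k, rules[k] }' "$@" | sort
}

# denials_by_domain [FILE...]: count denials per source domain and how many
# were only logged because the domain (or the system) was permissive. A
# permissive=1 record means the access actually happened.
denials_by_domain() {
    awk '
    /type=AVC/ && /denied/ {
        s = ""; p = "0"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); s = f[3] }
            else if ($i ~ /^permissive=/) p = substr($i, 12)
        }
        n[s]++
        if (p == "1") perm[s]++
    }
    END { for (d in n) printf "%s denied=%d permissive=%d\n", d, n[d], perm[d] + 0 }' "$@" | sort
}

# On a live system the real pipeline is:
#   ausearch -m avc -ts recent | audit2allow -M mymodule && semodule -i mymodule.pp
# but run audit2why first: a denial may be a real attack, or better fixed by a
# boolean or a relabel than by a new allow rule.
sample_avc_log | avc_to_rules
sample_avc_log | denials_by_domain
```

The first denial of the session (read) and the later permissive-mode record (read write) collapse into one rule per target; a rule for name_connect on mysqld_port_t is the kind of line that should make you reach for the httpd_can_network_connect_db boolean instead of a custom module.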
Multi-level security and MCS (1/2)
Based on the Bell-LaPadula model:
"no write down" and "no read up".
Context with a range: user:role:type:sensitivity[:category,...]-sensitivity[:category,...]
The part before the hyphen is the low (current) level, the part after it the high level (clearance); together they form the range.
sensitivity: s0 lowest, s15 highest (16 sensitivities and 1024 categories are the reference policy defaults, set by MLS_SENS and MLS_CATS in build.conf).
category: optional, e.g. c0.c255 (a dot denotes a range, a comma separates list entries).
Categories are an unordered and unrelated set of "compartments".
level: combination of a sensitivity and a set of categories; a level dominates another when its sensitivity is at least as high and its category set is a superset.
Translated to human-readable form in setrans.conf, e.g.
s0 = unclassified, s15 = top secret
c0 = finance, c100 = commercial, c255 = book
Multi-level security and MCS (2/2)
Use in Android (MCS):
an app running on behalf of one user cannot read or write files created by the same
app running on behalf of another user, because each user's processes and files carry user-specific categories.
Note that the reference MLS policy does not implement pure Bell-LaPadula: reading requires the subject's level to dominate the object's (read down is allowed), but writing by default requires equal levels, so write-up is not allowed unless the domain carries an exception attribute such as mlsfilewrite.
The default is therefore to use equal levels.
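An added example, not from the original slides, that turns the level and range syntax of the two MLS/MCS slides into an executable check: it parses the range out of a context, expands dot-ranges and comma lists of categories, implements dominance, and encodes the reference policy's default file rules (read down allowed, write only at equal level). The contexts and levels are constructed; the helper names (ctx_range, dominates, mls_file_access) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): MLS/MCS level parsing and
# dominance. A level is "sN[:cats]", cats being a comma-separated list of
# categories or dot-ranges, e.g. "s2:c0.c3,c7". Level A dominates level B when
# A's sensitivity is >= B's and A's category set is a superset of B's.

# ctx_range CONTEXT: the range part of user:role:type:range (empty if none).
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# range_low / range_high RANGE: split "low-high"; a single level is both.
range_low()  { printf '%s\n' "${1%%-*}"; }
range_high() { case $1 in *-*) printf '%s\n' "${1#*-}" ;; *) printf '%s\n' "$1" ;; esac; }

# sens_of LEVEL: numeric sensitivity, "s3:c0.c5" -> 3
sens_of() { s=${1%%:*}; printf '%s\n' "${s#s}"; }

# cats_of LEVEL: category numbers expanded, sorted, space-separated ("" if none).
cats_of() {
    case $1 in *:*) list=${1#*:} ;; *) return 0 ;; esac
    printf '%s\n' "$list" | tr ',' '\n' | while IFS= read -r item; do
        item=${item#c}
        case $item in
            *.c*) lo=${item%%.*}; hi=${item##*.c}; i=$lo     # "c0.c3" -> 0 1 2 3
                  while [ "$i" -le "$hi" ]; do printf '%s\n' "$i"; i=$((i + 1)); done ;;
            *)    printf '%s\n' "$item" ;;
        esac
    done | sort -n -u | tr '\n' ' '
}

# dominates A B: succeeds when level A dominates level B.
dominates() {
    [ "$(sens_of "$1")" -ge "$(sens_of "$2")" ] || return 1
    a=" $(cats_of "$1")"                  # padded so " 3 " matches exactly one entry
    for c in $(cats_of "$2"); do
        case $a in *" $c "*) ;; *) return 1 ;; esac
    done
    return 0
}

# mls_file_access read|write SUBJ_LEVEL OBJ_LEVEL: the reference policy's
# default file rules. Reading needs subject dom object (read down); writing
# needs equal levels (mutual dominance), i.e. no write-up without an
# exemption attribute on the domain.
mls_file_access() {
    case $1 in
        read)  dominates "$2" "$3" ;;
        write) dominates "$2" "$3" && dominates "$3" "$2" ;;
        *)     echo "usage: mls_file_access read|write SUBJ OBJ" >&2; return 2 ;;
    esac
}

# Demo with constructed levels: a staff shell with clearance s2:c0.c3
# (its high level) against three objects.
subj=$(range_high "$(ctx_range 'staff_u:staff_r:staff_t:s0-s2:c0.c3')")
for obj in 's1:c1' 's2:c7' 's2:c0.c3'; do
    for op in read write; do
        if mls_file_access "$op" "$subj" "$obj"; then r=allow; else r=deny; fi
        printf '%s %s -> %s: %s\n' "$op" "$subj" "$obj" "$r"
    done
done
```

The demo shows the asymmetry the slide describes: s2:c0.c3 may read s1:c1 but not write it, cannot touch s2:c7 at all because c7 is outside its category set, and gets both accesses on an object at exactly its own level.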
SELinux policies (1/3)
Compiled into a binary format:
smaller memory requirements.
Type enforcement file (*.te)
mandatory.
declares the name and version of the module (policy_module(name, version)),
types, rules, booleans, etc.
File contexts file (*.fc)
contains the default security contexts for the files created/used by the
application for which the policy module is written (applied by restorecon or at relabel time).
Interface file (*.if)
contains macro definitions (interfaces) that other modules call to get access to this module's types, and that assist in creating type enforcement
rules.
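The three module files described above, as an added example that is not part of the original slides or of the reference policy: a shell script writes the .te, .fc and .if of a loadable module for a hypothetical daemon mydaemon (installed as /usr/sbin/mydaemon with state under /var/lib/mydaemon, both assumptions), using reference policy macros (init_daemon_domain, manage_files_pattern, gen_tunable, tunable_policy), then builds it with the refpolicy development Makefile and loads it with semodule. Writing the files runs anywhere; the build and install steps need the selinux-policy-devel headers and root.

```shell
#!/bin/sh
# Added example (not from the original slides): a loadable policy module for a
# hypothetical daemon "mydaemon". Paths, type names and rules are assumptions.

# write_policy_module DIR: create mydaemon.te, mydaemon.fc and mydaemon.if in DIR.
write_policy_module() {
    dir=$1
    mkdir -p "$dir"

    # *.te: module name/version, type declarations, a boolean and the rules.
    cat > "$dir/mydaemon.te" <<'EOF'
policy_module(mydaemon, 1.0.0)

# Types: the process domain, its executable (entry point) and its state files.
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

type mydaemon_var_lib_t;
files_type(mydaemon_var_lib_t)

# Boolean: outbound HTTP stays off unless an administrator turns it on.
gen_tunable(mydaemon_connect_http, false)

# The daemon may manage its own state directory and files under /var/lib,
# and directories it creates there are labelled mydaemon_var_lib_t.
files_search_var_lib(mydaemon_t)
manage_dirs_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
manage_files_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
files_var_lib_filetrans(mydaemon_t, mydaemon_var_lib_t, dir)

# Common daemon needs, granted through other modules' interfaces.
logging_send_syslog_msg(mydaemon_t)
miscfiles_read_localization(mydaemon_t)

tunable_policy(`mydaemon_connect_http',`
    corenet_tcp_connect_http_port(mydaemon_t)
')
EOF

    # *.fc: default labels, applied by restorecon or at relabel time.
    cat > "$dir/mydaemon.fc" <<'EOF'
/usr/sbin/mydaemon          --    gen_context(system_u:object_r:mydaemon_exec_t,s0)
/var/lib/mydaemon(/.*)?           gen_context(system_u:object_r:mydaemon_var_lib_t,s0)
EOF

    # *.if: the interface other modules call to read this module's state files.
    cat > "$dir/mydaemon.if" <<'EOF'
## <summary>mydaemon daemon (example policy).</summary>

########################################
## <summary>
##    Read mydaemon state files.
## </summary>
## <param name="domain">
##    <summary>Domain allowed access.</summary>
## </param>
#
interface(`mydaemon_read_state',`
    gen_require(`
        type mydaemon_var_lib_t;
    ')
    files_search_var_lib($1)
    read_files_pattern($1, mydaemon_var_lib_t, mydaemon_var_lib_t)
')
EOF
}

# build_policy_module DIR: compile to mydaemon.pp with the reference policy
# development headers (package selinux-policy-devel on Fedora/RHEL).
build_policy_module() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "refpolicy headers not found (install selinux-policy-devel)" >&2
        return 1
    fi
    make -C "$1" -f /usr/share/selinux/devel/Makefile mydaemon.pp
}

# install_policy_module DIR: load the module (root) and relabel the paths
# named in the .fc file so the transition rule from init takes effect.
install_policy_module() {
    semodule -i "$1/mydaemon.pp" || return 1
    restorecon -Rv /usr/sbin/mydaemon /var/lib/mydaemon 2>/dev/null
    semodule -l | grep -q '^mydaemon' && echo "mydaemon module loaded"
}

# Usage on a system with the headers, as root:
#   d=$(mktemp -d); write_policy_module "$d" && build_policy_module "$d" && install_policy_module "$d"
```

The .fc line for the binary is what makes the domain transition happen: init_daemon_domain() adds the type_transition from init_t on mydaemon_exec_t to mydaemon_t together with the execute/transition/entrypoint rules, so after restorecon the service starts confined; sesearch -T -s init_t -t mydaemon_exec_t -c process shows the resulting rule, and setsebool mydaemon_connect_http on enables the conditional network rule without reloading the module.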
SELinux policies (2/3)
3 steps to configure a policy for embedded devices:
obtain the reference policy,
remove unnecessary rules,
in practice far too many rules have to be removed,
add the rules the device's own applications need.
SELinux policies (3/3)
Reference policy project [rpp]
basis for creating other policies.
well-written and good enough for PC distros.
many dependencies:
checkpolicy
policycoreutils
libsepol
libsemanage
python
Userland tools (1/4)
id -Z, ls -Z, ps -Z, netstat -Z
display the context of the shell, files, processes and sockets.
audit2allow
reads SELinux denials and prints the allow rules that would permit them (review them: a denial may be a real attack, or better fixed by a boolean or a relabel).
audit2why
explains why a denial occurred (missing rule, constraint, boolean).
chcon
change the context of a file (not persistent: lost on the next relabel).
chcon -t user_home_t /tmp/osman
chcat
change the categories of a file,
change the authorized categories for a user.
Userland tools (2/4)
getenforce
return the current mode of SELinux.
newrole
change the role, type or level of the shell, policy permitting.
newrole -r system_r -t unconfined_t
semanage
change boolean settings,
change roles and levels for SELinux users,
record a persistent file-context rule (applied with restorecon):
semanage fcontext -a -t user_home_t /tmp/osman
semodule
insert, delete and list SELinux policy modules on the running system.
Userland tools (3/4)
setenforce
modify the mode.
seinfo
policy query tool.
setsebool
set the state of an SELinux boolean either temporarily or persistently.
sestatus
status tool: current mode, mode from the config file, loaded policy name, MLS status.
Userland tools (4/4)
restorecon, restorecond*
restore the default context of a file from the file-context rules; restorecond does it for a watched list of paths.
customizable types [wct]
their context is not reset during a standard relabel operation.
# cat /etc/selinux/targeted/contexts/customizable_types
runcon
run a program in a given context (temporary, for that process only)
runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
run_init [gs]
start services in the correct domain
run_init /etc/init.d/ssh start
Performance (1/1)
Hard to measure in general.
Overhead of approximately 7% for completely untuned
code. [faq] [ffq]
License (1/1)
Kernel code: GNU General Public License (GPL) [sel].
Userland: libselinux is public domain, libsepol and libsemanage are LGPL, checkpolicy and policycoreutils are GPL.
SELinux demo on Fedora (1/1)
Questions about SELinux (1/1)
Can I use SELinux with grsecurity (and PaX)?
Yes, it is even recommended. However grsecurity's RBAC/ACL system is not used together
with SELinux. [gfq]
If the root user can change, for example, booleans, how is SELinux more
secure than the DAC of Linux?
i.e. setsebool -P allow_execheap on/off
A boolean only toggles rules that the policy author deliberately made conditional; the set of states the policy can be in is fixed when it is compiled, and a policy need not contain any conditional rules at all. DAC has no predefined conditions like that, and root is not constrained by it. A policy can also confine root itself and withhold the permissions to load policy or change the mode (the secure_mode_policyload boolean does exactly that).
Can we write a policy that doesn't allow setenforce?
Yes: setenforce is just another permission (security class) that the policy may withhold. Moreover the kernel can be compiled without CONFIG_SECURITY_SELINUX_DEVELOP, so permissive mode is unavailable no
matter what the policy says.
References (1/2)
[faq] http://www.crypt.gen.nz/selinux/faq.html
[gse] https://github.com/SELinuxProject/selinux
[gs] http://selinuxproject.org/page/Guide/Services
[rpp] https://github.com/TresysTechnology/…
[ocp] http://selinuxproject.org/page/ObjectCl…
[pdr] http://selinuxproject.org/page/Permissi…
[sqp] http://www.cs.virginia.edu/~jcg8f/SELi…
References (2/2)
[sel] https://www.nsa.gov/research/selinux/l...
[ual] http://wiki.gentoo.org/wiki/SELinux/Use...
[wct] http://wiki.gentoo.org/wiki/SELinux/Tuto...
[gfq] http://wiki.gentoo.org/wiki/SELinux/FAQ
[ffq] http://docs.fedoraproject.org/en-US/Fed…
[use] http://www.fosteringlinux.com/category/…
[nb4] http://taiga.selinuxproject.org/~rhaines/
[mls] http://selinuxproject.org/page/MLSStat...

  • 9. Getting SELinux (2/5)
    SE-enabled Linux kernel options:
    CONFIG_SECURITY_SELINUX: NSA SELinux support.
    DEFAULT_SECURITY_SELINUX: set SELinux as the default security module.
    SECURITY_SELINUX_AVC_STATS: collect access vector cache statistics.
    CONFIG_SECURITY_SELINUX_BOOTPARAM: allows SELinux to be disabled at boot.
    SECURITY_SELINUX_DEVELOP: experiment with SELinux and develop policies.
    CONFIG_SECURITY_SELINUX_DISABLE: allows SELinux to be disabled at runtime.
  • 10. Getting SELinux (3/5)
    SELinux userland packages [gse]:
    checkpolicy: policy compiler; uses libsepol.
    libselinux: library for security-aware applications; uses libsepol.
    libsemanage: library for policy management tools; uses libsepol and libselinux.
  • 11. Getting SELinux (4/5)
    SELinux userland packages [gse] (continued):
    libsepol: library for binary policy manipulation; no dependencies.
    policycoreutils: several policy-related utilities; uses libselinux, libsepol and libsemanage.
    sepolgen: Python library that forms the core of modern audit2allow.
  • 12. Getting SELinux (5/5)
    Policy: the SELinux reference policy project [rpp].
  • 13. SELinux modes (1/2)
    Permissive: log warnings instead of enforcing (CONFIG_SECURITY_SELINUX_DEVELOP); extra: permissive domain recipe [pdr].
    Enforcing: the security policy is enforced.
    Disabled: do not load a security policy (CONFIG_SECURITY_SELINUX_BOOTPARAM); add selinux=0 to the kernel boot line.
  • 14. SELinux modes (2/2)
    Temporarily switch: # setenforce 1 (Enforcing), # setenforce 0 (Permissive).
    Permanently: edit /etc/selinux/config and set SELINUX=enforcing, SELINUX=permissive or SELINUX=disabled.
    Boot parameters override the configuration file: enforcing=0 (Permissive), enforcing=1 (Enforcing).
  • 15. Basic concepts (1/5)
    Security context: every process and object has a context.
    Syntax: user:role:type[:range]; the MLS range is optional.
    Inherited from the parent process (on fork) or from parent files/directories.
    Users: different from Linux users*. SELinux users do not change during a user session, whereas a Linux user might change via su or sudo.
    Suffix *_u, e.g. user_u; associated with one or more roles that the SELinux user is allowed to use.
  • 16. Basic concepts (2/5)
    Roles: a SELinux user may be allowed to take on one or more roles. Suffix *_r, e.g. user_r; associated with one or more types the SELinux user is allowed to access.
    Types: determine access permission. Suffix *_t, e.g. music_t; associated with processes or objects.
    Attributes: group types with similar properties.
  • 17. Basic concepts (3/5)
    Ranges: security level, if the policy supports MCS / MLS.
    Object classes: categories of objects (# ls /sys/fs/selinux/class). Each class has a set of permissions [ocp] (# ls /sys/fs/selinux/class/tcp_socket/perms/).
    Rules: specified using the type of the process and the type of the object, e.g. allow user_t user_home_t:file { create read write };
  • 18. Basic concepts (4/5)
    Booleans are used to enable/disable policy rules: # getsebool -a
    # sesearch -b selinuxuser_execheap -AC
    ET allow user_t kernel_t : system syslog_read ; [ user_dmesg ]
    The rule is allowed if the corresponding boolean is true (T), and the boolean is currently enabled (E).
    Constraints: the circumstances under which an operation is allowed; circumstances that don't match are disallowed. # seinfo --constrain
    e.g. constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity );
  • 19. Basic concepts (5/5)
    Type transition for objects (files): # sesearch -T
    type_transition [Creating Subject type] [Parent Object/Subject Type] : [Class of new Object/Subject] [New Object/Subject Type]
    For subjects (processes): # pstree -Z, # sesearch -T -c process
    type_transition [Parent process type] [Type of process] : process [New type of the process created]
  • 20. Linux user mapping (1/1)
    Map a Linux user to exactly one SELinux user [ual]; multiple Linux users can be mapped to the same SELinux user.
    # semanage login -l
    # semanage login -a -s staff_u emrecan
  • 21. Logging (1/1)
    Denials are logged in the audit subsystem: /var/log/audit/audit.log. Permissive mode generates more log messages.
    # cat /var/log/audit/audit.log | audit2allow -r
  • 22. Multi-level security and MCS (1/2)
    Based on the Bell-La Padula model: "no write down" and "no read up".
    user:role:type:sensitivity[:category,...]-sensitivity[:category,...]
    Each sensitivity[:category,...] is a LEVEL; the low-high pair is a RANGE.
    Sensitivity: s0 is the lowest, s15 the maximum.
    Category: optional, c0.c255; unordered and unrelated lists of "compartments".
    Level: combination of sensitivity and category.
    Translate to human-readable form in setrans.conf, e.g. s0 = unclassified, s15 = top secret; c0 = finance, c100 = commercial, c255 = book.
  • 23. Multi-level security and MCS (2/2)
    Utilization for Android: an app running on behalf of one user cannot read or write files created by the same app running on behalf of another user.
    In fact, the MLS reference policy does not allow write-up or read-down; the default is to use equal levels.
  • 24. SELinux policies (1/3)
    Compiled in a binary format: smaller memory requirements.
    Type enforcement file (*.te): mandatory; name and version of the module; types, rules, booleans, etc.
    File contexts file (*.fc): contains the default security contexts to be provided for files created/used by the application for which we are creating the policy module.
    Interface file (*.if): generally contains macro definitions that assist in creating type enforcement rules.
  • 25. SELinux policies (2/3)
    Three steps to configure a policy for embedded devices: obtain the reference policy; remove unnecessary rules (you have to remove too many rules); add the necessary rules.
  • 26. SELinux policies (3/3)
    Reference policy project [rpp]: the basis for creating other policies; well-written and good enough for PC distros; many dependencies: checkpolicy, policycoreutils, libsepol, libsemanage, python.
  • 27. Userland tools (1/4)
    id, ls, ps, netstat -Z: display the context of the shell, a file, a process, a network connection.
    audit2allow: read SELinux denials, show the corresponding rules.
    audit2why: determine why a denial occurred.
    chcon: change the context of a file, e.g. chcon -t user_home_t /tmp/osman
    chcat: change the categories of a file; change the authorized categories for a user.
  • 28. Userland tools (2/4)
    getenforce: return the status of SELinux.
    newrole: change role, type or level, e.g. newrole -r system_r -t unconfined_t
    semanage: change boolean settings; change roles and levels for SELinux users; change the context of a file persistently (then restorecon), e.g. semanage fcontext -a -t user_home_t /tmp/osman
    semodule: insert, delete and list SELinux policy modules on the running system.
  • 29. Userland tools (3/4)
    setenforce: modify the mode.
    seinfo: policy query tool.
    setsebool: set the state of an SELinux boolean either temporarily or persistently.
    sestatus: status tool.
  • 30. Userland tools (4/4)
    restorecon, restorecond*: restore the default context of a file.
    Customizable types [wct]: their context is not reset during a standard relabel operation; # cat /etc/selinux/targeted/contexts/customizable_types
    runcon: change the context of a program when it is started (temporary), e.g. runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
    run_init [gs]: start services in the correct domain, e.g. run_init /etc/init.d/ssh start
  • 31. Performance (1/1)
    Hard to measure. Overhead approximately 7% for completely untuned code. [faq] [ffq]
  • 32. License (1/1)
    GNU General Public License (GPL) [sel]
  • 33. SELinux demo on Fedora (1/1)
  • 34. Questions about SELinux (1/1)
    Can I use SELinux with grsecurity (and PaX)? Yes, it is even recommended. However, grsecurity's ACL support is not used together with SELinux. [gfq]
    If the root user can change, for example, booleans (i.e. setsebool -P allow_execheap on/off), how is SELinux more secure than Linux DAC? We don't need to have a conditional policy; if we do, the enabled/disabled rules are defined in the policy. DAC doesn't have predefined conditions like that.
    Can we write a policy that doesn't allow setenforce? Yes; moreover, we can even compile the kernel so that permissive mode is disabled no matter what the policy says.
  • 35. References (1/2)
    [faq] http://www.crypt.gen.nz/selinux/faq.html
    [gse] https://github.com/SELinuxProject/selinux
    [gs] http://selinuxproject.org/page/Guide/Services
    [rpp] https://github.com/TresysTechnology/…
    [ocp] http://selinuxproject.org/page/ObjectCl…
    [pdr] http://selinuxproject.org/page/Permissi…
    [sqp] http://www.cs.virginia.edu/~jcg8f/SELi…
  • 36. References (2/2)
    [sel] https://www.nsa.gov/research/selinux/l...
    [ual] http://wiki.gentoo.org/wiki/SELinux/Use...
    [wct] http://wiki.gentoo.org/wiki/SELinux/Tuto...
    [gfq] http://wiki.gentoo.org/wiki/SELinux/FAQ
    [ffq] http://docs.fedoraproject.org/en-US/Fed…
    [use] http://www.fosteringlinux.com/category/…
    [nb4] http://taiga.selinuxproject.org/~rhaines/
    [mls] http://selinuxproject.org/page/MLSStat...
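Slides 15 to 17 give the security context syntax (user:role:type[:range]) and slides 22 and 23 the MLS/MCS level rules ("no read up", "no write down", categories as unordered compartments). The following is an added example, written for this page and not taken from the slides or from the SELinux project, that parses contexts and levels and applies those checks. The labels it uses are constructed in the style of the slides (they are not real distribution or Android labels), and it assumes that the c0.c255 notation means every category from 0 through 255 inclusive.

```python
"""Parse SELinux security contexts and evaluate MLS / MCS levels.

Added example for this page, not code from the slides or the SELinux project.
Syntax followed (slides 15 and 22):
    user:role:type[:low[-high]]   where a level is   sN[:cA[.cB],...]
Assumption: 'cA.cB' means categories A through B inclusive; a context with no
range gets low = high = None.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Level:
    sensitivity: int            # s0 is the lowest, s15 the maximum (slide 22)
    categories: FrozenSet[int]  # unordered "compartments", e.g. {0, 1, 100}

    def dominates(self, other: "Level") -> bool:
        """Bell-La Padula dominance: sensitivity >= and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text: str) -> Level:
    """'s3:c0.c2,c100' -> Level(3, {0, 1, 2, 100}); 's0' -> Level(0, {})."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not r:
            raise ValueError(f"bad category: {part!r}")
        lo, hi = int(r.group(1)), int(r.group(2) or r.group(1))
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return Level(int(m.group(1)), frozenset(cats))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level]   # None when the policy carries no MLS/MCS range
    high: Optional[Level]


def parse_context(text: str) -> Context:
    """Split user:role:type[:range]; the range is a single level or low-high."""
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"bad context: {text!r}")
    low = high = None
    if len(parts) == 4:
        lo_txt, _, hi_txt = parts[3].partition("-")
        low = parse_level(lo_txt)
        high = parse_level(hi_txt) if hi_txt else low
        if not high.dominates(low):
            raise ValueError(f"high level must dominate low level: {parts[3]!r}")
    return Context(parts[0], parts[1], parts[2], low, high)


def naming_problems(ctx: Context) -> List[str]:
    """Suffix convention from slides 15-16: *_u users, *_r roles, *_t types."""
    return [f"{value!r} should end in {suffix}"
            for value, suffix in ((ctx.user, "_u"), (ctx.role, "_r"), (ctx.type, "_t"))
            if not value.endswith(suffix)]


def blp_read_allowed(subject: Context, obj: Context) -> bool:
    """'No read up': the subject's (current = low) level must dominate the object's."""
    return subject.low.dominates(obj.low)


def blp_write_allowed(subject: Context, obj: Context) -> bool:
    """'No write down': the object's level must dominate the subject's level."""
    return obj.low.dominates(subject.low)


def mcs_allowed(subject: Context, obj: Context) -> bool:
    """MCS as used on slide 23: only categories matter; the subject must hold all of the object's."""
    return subject.low.categories >= obj.low.categories


if __name__ == "__main__":
    # Constructed labels in the style of the slides (not real distribution or Android labels).
    secret = parse_context("staff_u:staff_r:staff_t:s15:c0.c3")
    public = parse_context("system_u:object_r:user_home_t:s0")
    print("secret reads public :", blp_read_allowed(secret, public))    # True
    print("secret writes public:", blp_write_allowed(secret, public))   # False
    app_a = parse_context("system_u:system_r:app_t:s0:c512,c768")
    file_b = parse_context("system_u:object_r:app_data_t:s0:c512,c769")
    print("app of user A opens a file of user B:", mcs_allowed(app_a, file_b))  # False
```

The last three lines reproduce the Android case from slide 23: the two instances of the same app differ only in their per-user categories, so the MCS check alone keeps user A's process out of user B's file even though the types are identical.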
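Slides 17 to 19 describe allow rules, boolean-gated rules and type_transition rules, and slides 21 and 27 the AVC denial records in /var/log/audit/audit.log that audit2allow and audit2why consume. The block below is an added example for this page, not code from the slides, libsepol, audit2allow or audit2why: a small in-memory policy model that answers, for each denied permission, whether it is uncovered by any rule or covered by a rule whose boolean is off (the audit2why distinction), and turns the uncovered ones into candidate allow rules in the syntax of slide 17 (what audit2allow does). The policy, the boolean names other than user_dmesg from slide 18, and the log lines are constructed for the example; the AVC record layout is the kernel's audit format.

```python
"""Explain AVC denials against a small SELinux-style policy model.

Added example for this page (not code from the slides, libsepol, audit2allow
or audit2why). The policy and the audit.log lines below are constructed.
"""
import re
from collections import defaultdict


class Policy:
    def __init__(self):
        self.allows = []        # (stype, ttype, tclass, frozenset(perms), boolean or None)
        self.transitions = {}   # (creator_type, parent_type, tclass) -> new_type
        self.booleans = {}      # boolean name -> current value

    def allow(self, stype, ttype, tclass, perms, boolean=None):
        """allow stype ttype:tclass { perms }; optionally wrapped in if (boolean)."""
        self.allows.append((stype, ttype, tclass, frozenset(perms), boolean))

    def type_transition(self, creator, parent, tclass, new_type):
        """type_transition creator parent:tclass new_type; (slide 19 layout)."""
        self.transitions[(creator, parent, tclass)] = new_type

    def check(self, stype, ttype, tclass, perm):
        """'allowed', 'boolean:<name>' if a rule matches but its boolean is off, else 'no-rule'."""
        verdict = "no-rule"
        for s, t, c, perms, boolean in self.allows:
            if (s, t, c) != (stype, ttype, tclass) or perm not in perms:
                continue
            if boolean is None or self.booleans.get(boolean, False):
                return "allowed"
            verdict = f"boolean:{boolean}"
        return verdict

    def label_for_new(self, creator, parent, tclass):
        """Type of a new object: the transition target if one exists; otherwise a
        new file inherits the parent directory's type and an exec keeps the caller's."""
        default = creator if tclass == "process" else parent
        return self.transitions.get((creator, parent, tclass), default)


# Fields of a kernel AVC record as written to audit.log (scontext / tcontext / tclass).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?")


def parse_avc(line):
    """Return the denied permissions and the types involved, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scon").split(":")[2],   # third field of a context is the type
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",  # slide 21: permissive logs more
    }


def explain_denials(policy, lines):
    """Per denied permission an audit2why-style verdict; plus audit2allow-style
    candidate rules (slide 17 syntax) for the denials that no rule covers at all."""
    verdicts, missing = [], defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            why = policy.check(d["stype"], d["ttype"], d["tclass"], perm)
            verdicts.append((d["stype"], d["ttype"], d["tclass"], perm, why))
            if why == "no-rule":
                missing[(d["stype"], d["ttype"], d["tclass"])].add(perm)
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(missing.items())]
    return verdicts, rules


def example_policy():
    p = Policy()
    p.allow("user_t", "kernel_t", "system", {"syslog_read"}, boolean="user_dmesg")  # slide 18 rule
    p.allow("httpd_t", "httpd_sys_content_t", "file", {"read", "getattr", "open"})
    p.type_transition("init_t", "sshd_exec_t", "process", "sshd_t")
    p.booleans["user_dmesg"] = False
    return p


# Constructed audit.log lines in the kernel AVC record format (not from a real system).
EXAMPLE_LOG = [
    'type=AVC msg=audit(1423130000.101:201): avc:  denied  { read write } for  pid=1201 '
    'comm="httpd" name="notes.txt" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1423130000.102:202): avc:  denied  { syslog_read } for  pid=1302 '
    'comm="dmesg" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 '
    'tclass=system permissive=0',
    'type=SYSCALL msg=audit(1423130000.102:202): arch=c000003e syscall=103 success=no exit=-13',
]

if __name__ == "__main__":
    verdicts, rules = explain_denials(example_policy(), EXAMPLE_LOG)
    for v in verdicts:
        print("%s -> %s:%s %s: %s" % v)
    print("\n".join(rules))  # candidate rules only: review each one before loading it
```

Run stand-alone, the dmesg denial is reported as gated by the user_dmesg boolean (the fix is setsebool, not a new rule), while the httpd denial on a user_home_t file has no rule at all and becomes the candidate `allow httpd_t user_home_t:file { read write };`. As with real audit2allow output, a candidate like that is a prompt to check whether the access is intended (here a web server reaching into home directories) rather than a rule to load as-is.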

Editor's notes

  1. An SELinux user id is not the same as the GNU/Linux user id. The GNU/Linux user id is mapped to the SELinux user id by configuration files.
  2. restorecond: first copy a file and then move a file to see the difference the running daemon makes.