IAC 2024 - IA Fast Track to Search Focused AI Solutions
Load2010 Se Linux Presentation
1. An
Introduction
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
An Introduction to SELinux
Introduction
How to use it Toshaan Bharvani - VanTosh bvba
SELinux
states <toshaan@vantosh.com>
Managing
SELinux
Policies
The End
Linux Open Administration Days
10 April 2010
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 1 / 18
2. An
Introduction $ whoami
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux Toshaan Bharvani
states
Managing Currently working at VanTosh
SELinux
Policies Has been involved with CentOS
The End Like to keep everything secure
Involved with hardware and software
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 2 / 18
3. An
Introduction Table of contents
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it 1 Introduction
SELinux
states
Managing
SELinux
Policies
2 How to use it
The End
SELinux states
Managing SELinux
Policies
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 3 / 18
4. An
Introduction
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
1
Managing
SELinux
Policies
Introduction
The End
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 4 / 18
5. An
Introduction What is SELinux
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states SELinux = Security-Enhanced Linux
Managing
SELinux Mechanism for supporting mandatory access control
Policies security policies
The End
Linux Security Modules (LSM) run in the Linux kernel
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 5 / 18
6. An
Introduction SELinux features
to SELinux
Toshaan Separation of policy from enforcement
Bharvani -
VanTosh
bvba
Predefined policy interfaces
Introduction
Support for applications querying the policy and enforcing
How to use it
access control
SELinux
states
Independent of specific policies, policy languages, security
Managing label formats and contents
SELinux
Policies Caching of access decisions for efficiency
The End Policy changes are possible (!!!)
Separate measures for protecting system integrity and data
confidentiality
Controls over process initialization and inheritance and
program execution
Controls file systems, directories, files, and open file
descriptors
Controls over sockets, messages, and network interfaces
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 6 / 18
7. An
Introduction Where is SELinux
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
Redhat Enterprise Linux v4 / v5
SELinux
states CentOS v4 / v5
Managing
SELinux Novel SLES, OpenSuSE
Policies
The End
Gentoo
Debian
...
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 7 / 18
8. An
Introduction Misconceptions about SELinux
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
Managing
SELinux
“Life is too short for SELinux” – Theodore Ts’o
Policies
Upstream vendors requires me to disable SELinux
The End
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 8 / 18
9. An
Introduction Why use SELinux?
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
Managing
It confines services in compartments
SELinux
Policies
No, it isn’t difficult
The End Increases security
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 9 / 18
10. An
Introduction
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
2
Managing
SELinux
Policies
How to use it
The End
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 10 / 18
11. An
Introduction Changing SELinux states
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it Enforcing
SELinux
states
Enable and enforce the SELinux security policy on the
Managing system, denying access and logging actions
SELinux
Policies
Permissive
The End
Enables, but will not enforce the security policy, only warn
and log actions
Disabled
SELinux is turned off
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 11 / 18
12. An
Introduction Checking the state of SELinux
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
Managing sestatus
SELinux
Policies
Enforcing
The End
Permissive
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 12 / 18
13. An
Introduction Access Control
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
Type Enforcement (TE)
SELinux The primary mechanism of access control used in the
states
Managing
targeted policy
SELinux
Role-Based Access Control (RBAC)
Policies
Based around SELinux users (not necessarily the same as
The End
the Linux user)
Multi-Level Security (MLS)
Not used and often hidden in the default targeted policy.
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 13 / 18
14. An
Introduction Relabbeling files
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it chcon -R -t httpd sys content t /usr/srv/www
SELinux
states semanage fcontext -a -t httpd sys content t
Managing ”/usr/srv/www(/.*)?”
SELinux
Policies restorecon -Rv -n /var/www/html
The End
Relabelling whole the filesystem
genhomedircon
touch /.autorelabel
reboot
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 14 / 18
15. An
Introduction Enabling bools & ports
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux Managing ports
states
Managing semanage port -l
SELinux semanage port -a -t http port t -p tcp 8181
Policies
The End
Managing predefined policies
getsebool -a — grep samba
setsebool -P samba enable home dirs on
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 15 / 18
16. An
Introduction Generating policies
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
Managing less /var/log/audit/audit.log
SELinux
Policies grep zarafa /var/log/audit/audit.log — audit2allow -m
The End zarafa > zarafa.te
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 16 / 18
17. An
Introduction Some Policy
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
Managing
Dovecot Policy
SELinux
Policies
Zarafa Policy
The End Spamassassin Policy
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 17 / 18
18. An
Introduction The End
to SELinux
Toshaan
Bharvani -
VanTosh
bvba
Introduction
How to use it
SELinux
states
Thank You
Managing
SELinux
Policies
The End
Toshaan Bharvani - VanTosh bvba <toshaan@vantosh.com>
http://www.vantosh.com/publications
A
Made with Beamer L TEX
a TEXbased Presentation program
An Introduction to SELinux Toshaan Bharvani - VanTosh bvba 18 / 18