
Selinux - Basics

Oct 07, 2015


pcastronet

Selinux basics on RHEL7. All the information to understand SELINUX basics.
Transcript
  • SELINUX

  • BEFORE SELINUX

    TRADITIONAL LINUX SECURITY IS BASED ON A DISCRETIONARY ACCESS CONTROL (DAC) POLICY, WHICH PROVIDES MINIMAL PROTECTION FROM BROKEN SOFTWARE OR FROM MALWARE THAT IS RUNNING AS A NORMAL USER OR AS ROOT.

    ACCESS TO FILES AND DEVICES IS BASED SOLELY ON USER IDENTITY AND OWNERSHIP.

    MALWARE OR BROKEN SOFTWARE CAN DO ANYTHING WITH FILES AND RESOURCES THAT THE USER THAT STARTED THE PROCESS CAN DO.

    RedHat 2

  • INTRODUCING SELINUX

    THE NATIONAL SECURITY AGENCY CREATED SECURITY ENHANCED LINUX (SELINUX) TO PROVIDE A FINER-GRAINED LEVEL OF CONTROL OVER FILES, PROCESSES, USERS AND APPLICATIONS IN THE LINUX OPERATING SYSTEM.

    THE SELINUX ENHANCEMENT TO THE LINUX KERNEL IMPLEMENTS THE MANDATORY ACCESS CONTROL (MAC) POLICY.

    THE KERNEL'S ACCESS CONTROL DECISIONS ARE BASED ON ALL THE SECURITY-RELEVANT INFORMATION AVAILABLE, AND NOT SOLELY ON THE AUTHENTICATED USER IDENTITY.


  • HOW IT WORKS?

    WHEN SECURITY-RELEVANT ACCESS OCCURS, SUCH AS WHEN A PROCESS ATTEMPTS TO OPEN A FILE, SELINUX INTERCEPTS THE OPERATION IN THE KERNEL.

    IF A MAC POLICY RULE ALLOWS THE OPERATION, IT CONTINUES; OTHERWISE, SELINUX BLOCKS THE OPERATION AND RETURNS AN ERROR TO THE PROCESS.

    THE KERNEL CHECKS AND ENFORCES DAC POLICY RULES BEFORE MAC RULES, SO IT DOES NOT CHECK SELINUX POLICY RULES IF DAC RULES HAVE ALREADY DENIED ACCESS TO A RESOURCE.


  • SELINUX MODES

    DISABLED

    ENFORCING

    PERMISSIVE


  • SELINUX MODES

    getenforce GIVES US THE CURRENT MODE

    setenforce permissive|enforcing SETS THE MODE UNTIL REBOOT

    /etc/sysconfig/selinux CONFIGURATION FILE
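
Because setenforce only changes the mode until reboot while the configuration file sets the mode at boot, the two can disagree. The following check is an added example, not part of the original slides; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the boot-time mode in the SELinux configuration
# file with the runtime mode (what getenforce prints).

# configured_mode FILE -> value of the last active SELINUX= line, lowercased.
# Comment lines and SELINUXTYPE= do not match the pattern.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# mode_finding FILE RUNTIME_MODE -> one-line finding
mode_finding() {
    cfg=$(configured_mode "$1")
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cfg:$run" in
        enforcing:enforcing)   echo "OK enforcing now and after reboot" ;;
        enforcing:permissive)  echo "WARN permissive until reboot, config says enforcing" ;;
        permissive:enforcing)  echo "WARN enforcing now, reboot returns to permissive" ;;
        permissive:permissive) echo "WARN permissive now and after reboot" ;;
        disabled:*|*:disabled) echo "FAIL disabled (config=$cfg runtime=$run)" ;;
        *)                     echo "UNKNOWN config=$cfg runtime=$run" ;;
    esac
}

# Constructed sample: config says enforcing, someone ran setenforce permissive.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
# constructed sample configuration
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
mode_finding "$tmp" Permissive
rm -f "$tmp"

# On a real host, check the live values when the tools are present.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/sysconfig/selinux ]; then
    mode_finding /etc/sysconfig/selinux "$(getenforce)"
fi
```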


  • SELINUX POLICIES

    AN SELINUX POLICY DESCRIBES THE ACCESS PERMISSIONS FOR ALL USERS, PROGRAMS, PROCESSES, AND FILES, AND FOR THE DEVICES UPON WHICH THEY ACT. YOU CAN CONFIGURE SELINUX TO IMPLEMENT EITHER TARGETED POLICY OR MULTILEVEL SECURITY (MLS) POLICY.


  • TARGETED POLICY

    APPLIES ACCESS CONTROLS TO A LIMITED NUMBER OF PROCESSES THAT ARE BELIEVED TO BE MOST LIKELY TO BE THE TARGETS OF AN ATTACK ON THE SYSTEM.

    TARGETED PROCESSES RUN IN THEIR OWN SELINUX DOMAIN, KNOWN AS A CONFINED DOMAIN, WHICH RESTRICTS ACCESS TO FILES THAT AN ATTACKER COULD EXPLOIT.

    IF SELINUX DETECTS THAT A TARGETED PROCESS IS TRYING TO ACCESS RESOURCES OUTSIDE THE CONFINED DOMAIN, IT DENIES ACCESS TO THOSE RESOURCES AND LOGS THE DENIAL. ONLY SPECIFIC SERVICES RUN IN CONFINED DOMAINS.


  • TARGETED POLICY - EXAMPLES

    EXAMPLES ARE SERVICES THAT LISTEN ON A NETWORK FOR CLIENT REQUESTS, SUCH AS HTTPD, NAMED, AND SSHD, AND PROCESSES THAT RUN AS ROOT TO PERFORM TASKS ON BEHALF OF USERS, SUCH AS PASSWD.

    OTHER PROCESSES, INCLUDING MOST USER PROCESSES, RUN IN AN UNCONFINED DOMAIN WHERE ONLY DAC RULES APPLY. IF AN ATTACK COMPROMISES AN UNCONFINED PROCESS, SELINUX DOES NOT PREVENT ACCESS TO SYSTEM RESOURCES AND DATA.


  • MLS (NOT USED ON THIS COURSE)

    APPLIES ACCESS CONTROLS TO MULTIPLE LEVELS OF PROCESSES WITH EACH LEVEL HAVING DIFFERENT RULES FOR USER ACCESS. USERS CANNOT OBTAIN ACCESS TO INFORMATION IF THEY DO NOT HAVE THE CORRECT AUTHORIZATION TO RUN A PROCESS AT A SPECIFIC LEVEL. IN SELINUX, MLS IMPLEMENTS THE BELL-LAPADULA (BLP) MODEL FOR SYSTEM SECURITY, WHICH APPLIES LABELS TO FILES, PROCESSES AND OTHER SYSTEM OBJECTS TO CONTROL THE FLOW OF INFORMATION BETWEEN SECURITY LEVELS.


  • CUSTOMIZING SELINUX POLICIES

    YOU CAN CUSTOMIZE AN SELINUX POLICY BY ENABLING OR DISABLING THE MEMBERS OF A SET OF BOOLEAN VALUES. ANY CHANGES THAT YOU MAKE TAKE EFFECT IMMEDIATELY AND DO NOT REQUIRE A REBOOT.


  • CUSTOMIZING SELINUX POLICIES

    YOU CAN USE THE getsebool AND setsebool COMMANDS TO DISPLAY AND SET THE VALUE OF A SPECIFIC BOOLEAN.


  • CUSTOMIZING SELINUX POLICIES

    FOR EXAMPLE, TO DISPLAY AND SET THE VALUE OF THE ftp_home_dir BOOLEAN:

    TO TOGGLE THE VALUE OF A BOOLEAN, USE THE togglesebool COMMAND


  • CUSTOMIZING SELINUX POLICIES

    TO MAKE THE VALUE OF A BOOLEAN PERSIST ACROSS REBOOTS, SPECIFY THE -P OPTION TO setsebool, FOR EXAMPLE:
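
Since boolean changes take effect immediately, it is worth auditing the running values against an approved baseline. The following is an added example, not part of the original slides: it compares saved `getsebool -a` output with a baseline file whose "name on|off" format, like the sample data, is constructed for illustration.

```shell
#!/bin/sh
# Added example: report SELinux booleans whose runtime value differs
# from an approved baseline.

# bool_drift BASELINE CURRENT
#   BASELINE: "name on|off" per line, '#' starts a comment
#             (hypothetical format chosen for this example)
#   CURRENT:  saved output of `getsebool -a`, lines "name --> on|off"
bool_drift() {
    awk '
        # First file: remember the wanted value of every listed boolean.
        NR == FNR { if (NF >= 2 && $1 !~ /^#/) want[$1] = $2; next }
        # Second file: compare the runtime value of each baselined boolean.
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1])
                printf "DRIFT %s expected=%s actual=%s\n", $1, want[$1], $3
        }
        # Booleans in the baseline that the system did not report at all.
        END { for (b in want) if (!(b in seen)) printf "MISSING %s\n", b }
    ' "$1" "$2"
}

# Constructed sample data: ftp_home_dir was switched on at runtime.
base=$(mktemp); cur=$(mktemp)
cat >"$base" <<'EOF'
# constructed baseline
ftp_home_dir off
httpd_can_network_connect off
EOF
cat >"$cur" <<'EOF'
ftp_home_dir --> on
httpd_can_network_connect --> off
EOF
bool_drift "$base" "$cur"
rm -f "$base" "$cur"
```

On a real host, feed it `getsebool -a > current.txt`; a reported drift is corrected with setsebool, adding -P so the corrected value also survives a reboot.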


  • ABOUT SELINUX CONTEXT

    UNDER SELINUX, ALL FILE SYSTEMS, FILES, DIRECTORIES, DEVICES, AND PROCESSES HAVE AN ASSOCIATED SECURITY CONTEXT. FOR FILES, SELINUX STORES A CONTEXT LABEL IN THE EXTENDED ATTRIBUTES OF THE FILE SYSTEM. THE CONTEXT CONTAINS ADDITIONAL INFORMATION ABOUT A SYSTEM OBJECT: THE SELINUX USER, THEIR ROLE, THEIR TYPE, AND THE SECURITY LEVEL. SELINUX USES THIS CONTEXT INFORMATION TO CONTROL ACCESS BY PROCESSES, LINUX USERS, AND FILES.

    YOU CAN SPECIFY THE -Z OPTION TO CERTAIN COMMANDS (ls, ps, AND id) TO DISPLAY THE SELINUX CONTEXT WITH THE FOLLOWING SYNTAX:
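
A context is written as user:role:type:level, and the level itself may contain colons. The following parser and mislabel check are an added example, not part of the original slides; the function names, the "context path" input format and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: split an SELinux context into its fields and flag files
# whose type is not the expected one.

# ctx_field CONTEXT user|role|type|level
# Returns 1 if CONTEXT has fewer than three fields. The level keeps any
# colons it contains (for example s0-s0:c0.c1023).
ctx_field() {
    case "$1" in *:*:*) ;; *) return 1 ;; esac
    c_user=${1%%:*}; c_rest=${1#*:}
    c_role=${c_rest%%:*}; c_rest=${c_rest#*:}
    c_type=${c_rest%%:*}
    case "$c_rest" in *:*) c_level=${c_rest#*:} ;; *) c_level= ;; esac
    case "$2" in
        user)  echo "$c_user" ;;
        role)  echo "$c_role" ;;
        type)  echo "$c_type" ;;
        level) echo "$c_level" ;;
        *)     return 2 ;;
    esac
}

# mislabeled EXPECTED_TYPE
# Reads "context path" lines on stdin (one way to produce them on a real
# host is GNU stat: stat -c '%C %n' FILE...) and prints every path whose
# type differs from EXPECTED_TYPE.
mislabeled() {
    while read -r ctx path; do
        ftype=$(ctx_field "$ctx" type) || { echo "$path unparsable"; continue; }
        [ "$ftype" = "$1" ] || echo "$path type=$ftype"
    done
}

# Constructed sample: a file copied from a home directory into the web
# root kept its old type, so the confined web server cannot read it.
mislabeled httpd_sys_content_t <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/report.html
EOF
```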
