[Wroclaw #3] SELinux 101

SELinux 101

Mateusz Stahl [email protected]

Some observations about SELinux

•  People talk about SELinux •  People know it’s powerful •  People remember how complicated it was •  People in many cases don’t use it

What is SELinux

•  Is a Linux kernel security module that provides a mechanism for supporting access control

•  Created by NSA & Red Hat • Developed by Red Hat •  Initial release 01.01.1998 (18 years old) • MAC mechanism

DAC vs MAC

• Discretionary Access Control

lrwxr-xr-x 1 root wheel 49B Mar 6 2014 User Data

l – stands for link rwx – read/write/execute (user) r-x – read/-/execute (group) r-x – read/-/execute (other)

DAC vs MAC

• Mandatory Access Control

drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 SETest d – stands for directory rwx – read/write/execute (user) r-x – read/-/execute (group) r-x – read/-/execute (other)

unconfined_u – user label object_r – role label httpd_sys_content_t – type label s0 – level label

DAC vs MAC

• Mandatory Access Control

Allows to protect access between: –  Users –  Files –  Memory –  Sockets –  tcp/udp Ports –  etc..

How does SELinux work

How does SELinux work

How does SELinux work

Policy

•  targeted –  Only targeted processes are protected –  Everything else is unconfined

• mls – multi-level/multi-category security –  Out of scope for today –  Very complex

Command Line Tools

•  You should remember one –Z switch –  ls –  netstat –  ps –  etc..

SELinux Command Line Tools

•  sestatus •  semanage •  setenforce •  getenforce •  setsebool •  sealert

SELinux – important files

•  /etc/selinux/config •  /var/log/audit/audit.log •  /var/log/messages •  /var/log/secure

Targeted policy for web servers

•  Live DEMO

Typical problems of the SELinux on today’s Linux Distros

SELinux 101

Mateusz Stahl [email protected]