SELinux 101
Mateusz Stahl [email protected]
Some observations about SELinux
• People talk about SELinux
• People know it’s powerful
• People remember how complicated it was
• People in many cases don’t use it
What is SELinux
• A Linux kernel security module that provides a mechanism for supporting access control policies
• Created by NSA & Red Hat
• Developed by Red Hat
• Initial release 01.01.1998 (18 years old)
• MAC mechanism
DAC vs MAC
• Discretionary Access Control
lrwxr-xr-x 1 root wheel 49B Mar 6 2014 User Data
– l – stands for link
– rwx – read/write/execute (user)
– r-x – read/-/execute (group)
– r-x – read/-/execute (other)
DAC vs MAC
• Mandatory Access Control
drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 SETest
– d – stands for directory
– rwx – read/write/execute (user)
– r-x – read/-/execute (group)
– r-x – read/-/execute (other)
– unconfined_u – user label
– object_r – role label
– httpd_sys_content_t – type label
– s0 – level label
DAC vs MAC
• Mandatory Access Control
Allows protecting access between:
– Users
– Files
– Memory
– Sockets
– tcp/udp Ports
– etc..
How does SELinux work
Policy
• targeted
– Only targeted processes are protected
– Everything else is unconfined
• mls – multi-level/multi-category security
– Out of scope for today
– Very complex
Command Line Tools
• You should remember one: the -Z switch
– ls
– netstat
– ps
– etc..
SELinux Command Line Tools
• sestatus
• semanage
• setenforce
• getenforce
• setsebool
• sealert
SELinux – important files
• /etc/selinux/config
• /var/log/audit/audit.log
• /var/log/messages
• /var/log/secure
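As an added example (not from the talk), a small Python helper that splits a security context into the four fields shown on the MAC slide (user, role, type, level) and pulls the source and target labels out of an AVC denial record of the kind written to /var/log/audit/audit.log; the audit line below is constructed, not taken from a real system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Context:
    """The four fields of an SELinux label, e.g. unconfined_u:object_r:httpd_sys_content_t:s0."""
    user: str
    role: str
    type: str
    level: str


def parse_context(ctx: str) -> Context:
    # The MLS level may itself contain ':' (e.g. s0-s0:c0.c1023), so split
    # only at the first three separators and keep the rest as the level.
    user, role, type_, level = ctx.split(":", 3)
    return Context(user, role, type_, level)


# Matches the permission set and the three label fields of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line: str) -> Optional[dict]:
    """Return the denied permissions and both contexts, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": parse_context(m.group("scontext")),
        "tcontext": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def explain(rec: dict) -> str:
    """One-line summary in terms of the type labels, which is what targeted policy decides on."""
    perms = ", ".join(rec["perms"])
    return f"{rec['scontext'].type} was denied {perms} on {rec['tclass']} labelled {rec['tcontext'].type}"


# Constructed sample record: httpd reading a file that carries a home-directory label.
SAMPLE_AVC = ('type=AVC msg=audit(1465000000.123:456): avc:  denied  { read } for  pid=1234 '
              'comm="httpd" name="index.html" dev="dm-0" ino=789 '
              'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
              'tclass=file permissive=0')
```

Running `explain(parse_avc(SAMPLE_AVC))` yields a sentence naming the confined source type and the target file's type, which is the pair to look at before deciding whether a relabel (e.g. to httpd_sys_content_t) or a boolean is the right fix.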
Targeted policy for web servers
• Live DEMO
Typical problems with SELinux on today’s Linux distros