Daniel J Walsh
SELinux Lead Engineer
dwalsh@redhat.com
Karl MacMillan
Principal Software Engineer
kmacmill@redhat.com

Agenda
1) Introduction to SELinux Concepts
2) Policies and Configuration Files
3) Modified OS Commands
4) SELinux Utilities
5) Understanding Audit Messages
6) Managing File Labeling
7) Customizing Policy With Booleans
8) Managing SELinux Modules
9) Managing SELinux Systems
10) Configuring Auditing
11) Customizing Apache
Introduction to SELinux Concepts

Linux Access Control Introduction
Linux access control involves the kernel controlling processes' (running programs) access to resources (files, directories, sockets, etc.)
For example:
  web server processes can read web files but not /etc/shadow
How are these decisions made?

Standard Linux Access Control
Processes and files have security properties
  process: user and group (real and effective)
  resources: user and group + access bits
    read, write, and execute for user, group, other
Kernel has hardcoded policy
Example:
  Can firefox read my ssh private key?
  kmacmill 21375 1 35 11:38 ? 00:00:01 firefox-bin
  -rw------- 1 kmacmill kmacmill 1743 2006-07-10 id_rsa

Important Concepts
Security properties: security-relevant data associated with processes and resources
  used to make access control decisions
Policy: rules for access control decisions
Kernel enforces access control decisions
  called the reference validation mechanism
  processes also enforce access control
    database server, dbus, X, etc.

Standard Linux Security Problems
Access is based on users' access
Example: Firefox can read ssh keys
  generally has no reason to read them, but if compromised this can be potentially disastrous
Fundamental problem:
  security properties not specific enough
  kernel can't distinguish applications from users

Standard Linux Security Problems
Processes can change security properties
Example: mail files readable only by me
  evolution can make them world readable
Fundamental problem:
  standard access control is discretionary
  includes concept of resource ownership
  processes can escape security policy

Standard Linux Security Problems
Only two privilege levels: user and root
Example: apache privilege escalation
  apache bug allows obtaining root shell
  entire system is compromised
Fundamental problem:
  simplistic security policy
  no way to enforce least privilege

SELinux Introduction
SELinux adds additional access control
  new security properties on processes/resources
  flexible security policy that can be changed
Kernel and application based enforcement
Designed to address security problems
  mandatory, least privilege, and fine grained
  no all-powerful root
Transparent to most applications

SELinux Access Control
SELinux has three forms of access control
  Type Enforcement (TE): primary mechanism
  Role Based Access Control (RBAC)
  Multi Level Security (MLS)
Configurable via policy language
  central configuration files control all access
Several policies available (targeted, strict, mls)
All access is denied by default

SELinux Security Properties
Processes and files have a security context
  kmacmill:staff_r:firefox_t:s0
  kmacmill:object_r:user_home_t:s0
  user:role:type:level
The key field is type
  used to implement Type Enforcement
Other fields used for RBAC and MLS
  more on these later

Exercise: Security Contexts
Several utilities modified for SELinux
The -Z option usually used to view contexts
Examples:
  ps -aeZ -> view contexts of processes
  ls -Z -> view contexts of files and directories
Exercises:
  What is the security context of /etc/shadow?
  What is the security context of udevd?
Solving Linux Security Challenges
Security properties need to identify all relevant security information, e.g.,
  process is a web server (apache) that was started by init
  consistent across all processes and resources
Security policy needs to be flexible
  no assumptions (e.g., no root)
  capable of enforcing integrity, confidentiality, etc.

Introduction to Type Enforcement
Based on a single security property: type
  applied to processes and resources
  represents all security-relevant information
Types are assigned to processes and resources
  Apache processes -> httpd_t
  /var/www/html/index.html -> httpd_sys_content_t
Access is allowed between types
  e.g., httpd_t can read httpd_sys_content_t

Introduction to Object Classes
Object classes specify the details of access
Resources divided into classes
  e.g., file, dir, socket, process
Each class has permissions
  e.g., file: read, write, execute, getattr
Full access in Type Enforcement:
  allow httpd_t httpd_sys_content_t:file read;

Type Enforcement Overview
[Diagram: Apache Policy. Apache (httpd_t) -> read -> /var/www/html (httpd_sys_content_t); Apache (httpd_t) -> read -> ~/public_html (httpd_sys_content_t); /etc/shadow (shadow_t)]

Assigning Process Types
Process types are:
  (default) inherited from parent process
  set by policy (type transition rule)
  set by application (e.g., login)
Examples:
  bash (user_t) -> ls (user_t)
  init (init_t) -> httpd init script (initrc_t) -> httpd (httpd_t)
  login (login_t) -> bash (user_t)

Type Transition Rules
Type transition rules set process types using:
  parent process type and executable file type
  similar to setuid
Example: starting name server
  Rule: domain_auto_trans(initrc_t, named_exec_t, named_t)
  parent process (initrc_t)
  executable file type (named_exec_t)
  result -> named_t
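The following shell script is an added example, not part of the slides: it models how the security context slide and the type transition slides fit together. The domain_auto_trans rule table is constructed for the example (it is not the real policy), and only the type field of a user:role:type:level context changes on exec, as Type Enforcement describes.

```shell
#!/bin/sh
# Added example (not from the slides): model how a process type is chosen.
# TRANS_RULES is a constructed table of domain_auto_trans(parent, exec_type, new)
# rules; the named_t rule is the one shown on the slide, the rest are assumed.
TRANS_RULES='init_t   initrc_exec_t  initrc_t
initrc_t named_exec_t   named_t
initrc_t httpd_exec_t   httpd_t
user_t   passwd_exec_t  passwd_t'

# ctx_field CONTEXT N: field N of a context (1=user, 2=role, 3=type, 4=level).
ctx_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# next_type PARENT_TYPE EXEC_TYPE: the type after exec. The default is to
# inherit the parent type; a matching transition rule overrides that.
next_type() {
  printf '%s\n' "$TRANS_RULES" | awk -v p="$1" -v e="$2" '
    $1 == p && $2 == e { print $3; found = 1; exit }
    END { if (!found) print p }'
}

# exec_context CONTEXT EXEC_TYPE: full context after exec. Type Enforcement
# changes only the type; user, role and level are carried over unchanged.
exec_context() {
  u=$(ctx_field "$1" 1); r=$(ctx_field "$1" 2); t=$(ctx_field "$1" 3); l=$(ctx_field "$1" 4)
  printf '%s:%s:%s:%s\n' "$u" "$r" "$(next_type "$t" "$2")" "$l"
}

# exec_chain CONTEXT EXEC_TYPE...: follow a call chain such as
# init -> init script -> httpd, one exec at a time.
exec_chain() {
  ctx=$1; shift
  for e in "$@"; do ctx=$(exec_context "$ctx" "$e"); done
  printf '%s\n' "$ctx"
}

exec_chain system_u:system_r:init_t:s0 initrc_exec_t httpd_exec_t
exec_context kmacmill:staff_r:user_t:s0 bin_t
```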
Type Transition Notes
Primary means for setting process type
  ensures applications run in correct domain
  does not require application modification
Must be allowed by policy
  e.g., apache cannot start processes in init_t
  prevents applications from gaining privilege
Binds specific executable to domain
  e.g., only /usr/bin/passwd can run in passwd_t

User Field Details
kmacmill:user_r:user_mozilla_t:s0
Not necessarily the same as the Linux user
Often ends in _u: system_u, user_u
Not currently used in the targeted policy
Files and directories:
  user inherited from process
  system process -> files created with system_u

Role Field Details
kmacmill:user_r:user_mozilla_t:s0
Used for RBAC
  role further restricts available type transitions
  in cooperation with TE (e.g., user_r/user_t)
Usually ends with _r
Resources have default object_r role
Used in strict and MLS policies
  user_r, staff_r, secadm_r

MLS Level Field Details
kmacmill:user_r:user_mozilla_t:s0
Used for MLS (or MCS)
Often hidden in targeted and strict (MCS)
Identifies one level or range
  single level: s0
  range: s0-s15:c0.c1023
Usually translated
  s15:c0.c1023 -> SystemHigh

SELinux Security Benefits
Types capture important security information
  access is based on user and application function
  transitions capture process call chains
Processes run with least privilege
  only what is allowed for the type
  e.g., httpd_t can only read web pages
Privilege escalation tightly controlled
  a compromise of Apache limited by policy
SELinux Configuration

Strict Policy
A system where everything is denied by default
You must specify allow rules to grant privileges
SELinux designed to be a strict policy.
The policy rules only have allows, no denies
Minimal privileges for every daemon
  separate user domains for programs like GPG, X, ssh, etc.
Difficult to enforce in a general purpose operating system
Not supported in RHEL

MLS Policy
Strict policy with Bell-LaPadula support
Supported in RHEL5 with special license.
Server-only operating system
  no X Windows support
  limited package set
HP/IBM working towards getting EAL4+/LSPP certification

Targeted Policy
System where processes by default are unconfined.
Only targeted processes are confined
Unconfined Domains
  By default user processes run in unconfined_t
  System processes run in initrc_t
  Unconfined processes have the same access they would have without SELinux running
Daemons with defined policy transition to confined domains
  httpd started from unconfined_t transitions to httpd_t, which has limited access.

Targeted Domains
In RHEL4
  15 targets defined
  httpd, squid, pegasus, mailman, named, dhcpd, mysqld, nscd, ntpd, portmap, postgresql, snmpd, syslogd, winbindd
In RHEL5
  200 targets defined
  Every program shipped by Red Hat and started on boot should have a domain defined
  All system space is confined
  Limited confinement for user space
  20 unconfined domains

Where should you run SELinux?
[Diagram: Internet -> Firewall -> DMZ (Red Hat Enterprise Linux ES: DNS, Web, FTP, VPN) -> Corporate Intranet Network (Red Hat Enterprise Linux ES/WS: NFS, NIS, DNS, Web, FTP) and App Server Farm (Red Hat Enterprise Linux AS: Database, CRM, ERP)]
Config files
SELinux stores its config files in /etc/selinux
ls -l /etc/selinux
-rw-r--r-- 1 root root  515 Jan 18 11:46 config
drwxr-xr-x 7 root root 4096 Jan 23 14:06 strict
drwxr-xr-x 7 root root 4096 Jan 23 14:06 targeted
/etc/selinux/config identifies policy and enforcing mode
more /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Config files
Directory under policy type follows same format
  contexts directory contains default contexts files used by SELinux-aware applications
  policy dir contains compiled policy file
  seusers contains Linux User to SELinux user mapping file
  setrans.conf contains MLS/MCS translations
  modules directory includes current modules used to build policy
ls -l /etc/selinux/targeted/
total 40
drwxr-xr-x 4 root root 4096 Jan 29 09:00 contexts
drwxr-xr-x 4 root root 4096 Jan 29 09:00 modules
drwxr-xr-x 2 root root 4096 Jan 29 09:00 policy
-rw-r--r-- 1 root root  598 Jan 23 17:24 setrans.conf
-rw-r--r-- 1 root root  143 Jan 29 09:00 seusers

Config files
/etc/selinux/targeted/contexts/files/
  file_contexts
  file_contexts.local
  file_contexts.homedir
  homedir_template

Kernel Boot Parameters
Kernel parameters override /etc/selinux/config settings
selinux=0
  Boots the kernel with SELinux turned off
  All files will no longer get created with file context.
  Will require a relabel if the machine gets booted again with selinux turned on.
enforcing=0
  Boots the kernel in permissive mode
  File labeling continues
  May NOT give the same error messages as in enforcing mode.
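An added example (not from the slides) that ties the config file slide to the boot parameter slide: it reads SELINUX= and SELINUXTYPE= from a copy of /etc/selinux/config and then applies selinux=0 / enforcing=0 from a kernel command line, which take precedence. Both inputs are constructed here; on a live system you would read /etc/selinux/config and /proc/cmdline.

```shell
#!/bin/sh
# Added example (not from the slides): effective SELinux mode from the config
# file plus kernel boot parameters. SELINUX_CONFIG is a constructed copy of
# /etc/selinux/config; the command lines passed in are constructed too.
SELINUX_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted'

# config_value KEY: value of KEY= in the config text, skipping comment lines
# (the comments mention the keys too, so they must not be matched).
config_value() {
  printf '%s\n' "$SELINUX_CONFIG" | awk -F= -v k="$1" '
    /^#/ { next }
    $1 == k { print $2; exit }'
}

# effective_mode "KERNEL CMDLINE": enforcing, permissive or disabled.
# selinux=0 turns SELinux off entirely; enforcing=0 only makes it permissive,
# so it cannot re-enable a disabled system.
effective_mode() {
  mode=$(config_value SELINUX)
  for arg in $1; do
    case $arg in
      selinux=0)   mode=disabled ;;
      enforcing=0) if [ "$mode" != disabled ]; then mode=permissive; fi ;;
      enforcing=1) if [ "$mode" != disabled ]; then mode=enforcing; fi ;;
    esac
  done
  printf '%s\n' "$mode"
}

# relabel_needed "KERNEL CMDLINE": "yes" when SELinux is off for this boot, so
# files created now get no context and the next boot with SELinux on needs a
# relabel (touch /.autorelabel); under enforcing=0 labeling continues: "no".
relabel_needed() {
  if [ "$(effective_mode "$1")" = disabled ]; then echo yes; else echo no; fi
}

echo "policy type: $(config_value SELINUXTYPE)"
echo "mode with enforcing=0: $(effective_mode 'ro root=/dev/sda1 enforcing=0')"
echo "relabel needed after selinux=0 boot: $(relabel_needed 'ro selinux=0')"
```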
Target Policy Man Pages
Target man pages explain custom features of the policy: booleans and file context
httpd_selinux(8)          httpd SELinux Policy documentation          httpd_selinux(8)

NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION
       Security-Enhanced Linux secures the httpd server via flexible mandatory access control.

FILE_CONTEXTS
       SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
       The following file contexts types are defined for httpd:

       httpd_sys_content_t
              Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.

       httpd_sys_script_exec_t
              Set cgi scripts with httpd_sys_script_exec_t to allow them to

Exercises
Read through a couple of SELinux Policy man pages
Which policy is the system currently running?
Reboot in permissive mode
  Do you see additional AVC messages?

Modified Operating System Commands

Modified Utilities
-Z is your friend
  ls -Z
  id -Z
  ps auxZ
  lsof -Z
  netstat -Z
  find / -context=

Modified Utilities
cp
  Adopts destination directory or file's security context
  -a problems
mv
  Maintains the source's security context at the destination
install
  Sets default security context based on system defaults

Modified Programs
Login Programs / PAM
  sshd, login, xdm
Password utilities
  passwd, useradd, groupadd
rpm

Backup and disc management
tar, zip
  Both now have extended attribute support
rsync
  -X, --xattrs
star
  star -xattr -H=exustar -c -f output.tar [files]
amanda
  tar xv | restorecon -f; still might be best option

Exercises: Modified Linux Utilities
What security context is on /etc/resolv.conf?
Explore other security contexts in /etc
What is the context the apache process is running with?
What is your security context?
Create a file in /tmp and mv it to /etc
  What is the security context on the file?
  Is this a problem?
Create a new account on your machine
  What is the security context on /etc/passwd? /etc/shadow?
  Why do you suppose they are different?

SELinux Utilities

SELinux Utilities
libselinux rpm
  libselinux is the default SELinux library used by SELinux-aware applications
libselinux-utils
  getenforce: tell whether machine is in enforcing/permissive/disabled
  setenforce 1/0: sets the machine in enforcing/permissive
  selinuxenabled: used by scripts to tell whether SELinux is enabled.
  matchpathcon: tells you the default context of a file/directory
  avcstat: display SELinux AVC statistics
libselinux-python
  Python bindings to libselinux

SELinux Utilities: policycoreutils
genhomedircon, fixfiles, restorecon, restorecond, setfiles, chcon, chcat
audit2allow, audit2why (See Understanding SELinux log messages)
secon: see an SELinux context, from a file, program or user input.
semodule, semodule_deps, semodule_expand, semodule_link, semodule_package (See Managing SELinux Policy Modules)
load_policy: load a new SELinux policy into the kernel
run_init: run an init script in the proper SELinux context (mls, strict)
semanage, system-config-selinux (See Managing an SELinux system)
sestatus: SELinux status tool
setsebool, getsebool (See Customizing the policy with booleans)
newrole: run a shell with a new SELinux role/level (mls, strict)

Exercises: SELinux Utilities
Is your machine in enforcing mode?
Turn on permissive mode
  What AVC message was generated?
Return machine to enforcing mode.
What is the SELinux status of your machine?
Use sestatus to check the file context on /etc/shadow
Create the file /etc/apache
  Change its context type to httpd_exec_t
  How would you get this application to run as httpd_t?
Correct the context of all the files in /etc
Understanding Audit Messages

Understanding SELinux log messages
AVC: Access Vector Cache
  messages in /var/log/messages or /var/log/audit/audit.log
type=AVC msg=audit(1140184056.443:78): avc: denied { use } for pid=2185 comm="mingetty" name="ptmx" dev=tmpfs ino=699 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
type=AVC msg=audit(1166017682.366:876): avc: denied { getattr } for pid=23768 comm="httpd" name="index.html" dev=dm-0 ino=7996439 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

Understanding SELinux log messages
AVC messages can get created for a variety of reasons.
  A mislabeled file
  A process running under the wrong context
  A bug in policy. Basically an application goes down a code path that was never tested by the policy writer and gets an unexpected AVC.
  An intruder

Understanding SELinux log messages
audit2allow
  Tool that generates policy allow rules from logs of denied operations
  audit2allow -i /var/log/audit/audit.log
  allow httpd_t user_home_t:file getattr;
audit2why
  Translates SELinux audit messages into a description of why the access was denied
  Not very helpful to novice users, used by policy developers

Analyzing SELinux AVC Messages
AVC messages referring to files labeled *:file_t
  Major labeling problem, all files probably require labels
  SELinux kernel labels files with no security context file_t
  File was created when running with selinux=0 or on a new disk.
  It is safest to relabel the system: touch /.autorelabel; reboot
  On a new disk you can restorecon -Rv /MOUNTPOINT
AVC messages containing default_t
  Probably a labeling problem
  If not in /, you probably need to relabel
  If in / and you want confined domains to have access, you need to relabel the file/directory using chcon

Analyzing SELinux AVC Messages
Many similar messages about the same file
  This usually indicates a labeling problem
For example:
  Create /home/dwalsh/resolv.conf
  mv /home/dwalsh/resolv.conf /etc
  ls -lZ /etc/resolv.conf
  Confined domains will report errors accessing user_home_t
  restorecon /etc/resolv.conf
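The following script is an added example, not from the slides: it parses AVC denials in the format shown above, emits the allow rules and the module source that audit2allow -M produces from them, and applies the two labeling checks the analysis slides describe (targets still labeled file_t/default_t, and repeated denials on one file). The log lines are constructed for the example; the first two mirror the slide, the others are made up.

```shell
#!/bin/sh
# Added example (not from the slides): parse AVC denials, build the allow
# rules / policy module audit2allow -M would, and flag labeling problems.
# AVC_LOG is constructed sample data, not a real audit.log.
AVC_LOG='type=AVC msg=audit(1140184056.443:78): avc: denied { use } for pid=2185 comm="mingetty" name="ptmx" dev=tmpfs ino=699 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
type=AVC msg=audit(1166017682.366:876): avc: denied { getattr } for pid=23768 comm="httpd" name="index.html" dev=dm-0 ino=7996439 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1166017690.100:877): avc: denied { read } for pid=23768 comm="httpd" name="index.html" dev=dm-0 ino=7996439 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1166017700.200:878): avc: denied { read } for pid=1234 comm="named" name="named.conf" dev=dm-0 ino=42 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

# avc_fields: one line per denied permission: "src_type tgt_type class perm name"
avc_fields() {
  printf '%s\n' "$AVC_LOG" | awk '
    /avc: *denied/ {
      n = 0; src = tgt = cls = name = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perms[++n] = $j }
        else if ($i ~ /^scontext=/) { split($i, a, /[=:]/); src = a[4] }  # type field
        else if ($i ~ /^tcontext=/) { split($i, a, /[=:]/); tgt = a[4] }
        else if ($i ~ /^tclass=/)   { split($i, a, "=");    cls = a[2] }
        else if ($i ~ /^name=/)     { name = $i; gsub(/^name="|"$/, "", name) }
      }
      for (k = 1; k <= n; k++) print src, tgt, cls, perms[k], name
    }'
}

# avc_to_module NAME: module source (.te) equivalent to audit2allow -M NAME:
# a require block for the types and classes used, then merged allow rules.
avc_to_module() {
  avc_fields | sort -u | awk -v mod="$1" '
    { key = $1 " " $2 ":" $3; perm[key] = perm[key] " " $4
      type[$1] = 1; type[$2] = 1
      if (!seen[$3, $4]++) cls[$3] = cls[$3] " " $4 }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (t in type) printf "\ttype %s;\n", t
      for (c in cls) printf "\tclass %s {%s };\n", c, cls[c]
      printf "}\n\n"
      for (k in perm) {
        if (split(perm[k], p, " ") == 1) printf "allow %s %s;\n", k, p[1]
        else printf "allow %s {%s };\n", k, perm[k]
      }
    }'
}

# suspect_labels: the labeling problems described on the slides: a target
# still labeled file_t/default_t, or one file producing repeated denials.
suspect_labels() {
  avc_fields | awk '
    $2 == "file_t" || $2 == "default_t" { print $5 ": target labeled " $2 ", relabel it (restorecon)" }
    { count[$5]++ }
    END { for (f in count) if (count[f] > 1) print f ": " count[f] " denials, check its label with ls -Z" }'
}

avc_to_module mypolicy
suspect_labels
```

Review the generated rules before loading them: a denial caused by a mislabeled file (the user_home_t case above) is fixed with restorecon, not by allowing httpd_t to read home directories.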
SELinux Troubleshoot Tool
setroubleshoot
  Service listens to audit daemon for AVC messages
  Then processes plugin database for known issues: /usr/share/setroubleshoot/plugins
  Displays knowledge base of how to handle AVC message
  sealert command can launch browser or analyze log files
  Configure /etc/setroubleshoot/setroubleshoot.cfg to send mail

Missing AVC messages
Sometimes applications fail with no AVC messages
  Setting setenforce 0 and the application works???
dontaudit rules
  Expected AVCs that cause apps to take different code paths.
  Sometimes cover up real errors
RHEL4
  Install selinux-policy-targeted-sources
  make -C /etc/selinux/targeted/src/policy enableaudit load
RHEL5
  semodule -b /usr/share/selinux/targeted/enableaudit.pp
  semodule -b /usr/share/selinux/targeted/base.pp

Exercises: SELinux Utilities
Let's create some AVC messages
  touch /var/www/html/index.html
  chcon -t user_home_t /var/www/html/index.html
  service httpd start
  firefox localhost
  what happens?
Check the log files for AVC messages.
What audit rules could you add to solve these AVCs?
Why did policy refuse this access?
Managing File Labeling

Managing file labeling
Changing a file's context
chcon
  Fundamental utility used to change a file's context
  chcon -R -t httpd_sys_script_rw_t /var/www/myapp/data
  chcon -t httpd_sys_script_t /var/www/cgi-bin/myapp
  Modeled after chmod command
  -t type qualifier
customizable_types
  /etc/selinux/targeted/contexts/customizable_types

Managing file labeling
restorecon
  Used to set a file back to the system defaults
setfiles
  Used to initialize a system. Used at the filesystem level
  Requires you to specify file_contexts file
fixfiles
  Script that wraps setfiles/restorecon with several useful features
  Use rpm to list files within specified packages to restore file contexts
  restorecon changes between previous file_contexts and new one
  touch /.autorelabel; reboot

Managing file labeling
genhomedircon
  Used to generate file_contexts.homedir
  Sometimes has problems with home dir locations.
/etc/selinux/targeted/contexts/files/file_contexts.local
system-config-securitylevel

Exercises: Managing file labeling
Modify /etc/resolv.conf
  cp /etc/resolv.conf to /tmp
  Make some changes to the search string
  mv it back to /etc
  Fix its security context
Home dirs
  Create a new directory /export/homes
  Add a user account to that directory
  Add a user account to the /var directory
  Run genhomedircon. What happens?
  Fix the context on these directories
Customizing Policy With Booleans

Customizing policy with booleans
Booleans are if/then/else statements in policy
  Configure policy without editing policy
getsebool
  getsebool -a
setsebool
  setsebool -P allow=[1|0]
system-config-selinux (system-config-securitylevel in RHEL4)
Turn on/off sections of policy
  setsebool -P allow_nfs_home_dirs 1
/etc/selinux/targeted/booleans

Configuring Policy
Apache Example
System administrator has multiple choices of policy
Booleans
  httpd_disable_trans, httpd_enable_cgi, httpd_enable_homedirs, httpd_tty_comm, httpd_unified
http://fedora.redhat.com/docs/selinux-apache-fc3/
man httpd_selinux

Exercises: Managing Booleans
List all booleans on your machine
Check the contents of /etc/selinux/targeted/booleans
Temporarily change a boolean's state
  Did the /etc/selinux/targeted/booleans file change?
If you have time, try the previous exercises after you turn on the httpd_tty_comm boolean
Managing SELinux Modules

SELinux Modules
Modular Policy
  In RHEL5/Fedora Core 5 and later, the concept of Policy Modules was introduced
The semodule command
  Copies the policy package (pp) files to /etc/selinux/targeted/modules/active/modules
  Compiles all installed pp files into new policy file /etc/selinux/targeted/policy/policy.21
  Creates new file_contexts file and file_contexts.homedir
  Loads new policy

SELinux Policy Modules
semodule command
  semodule -l ; List all modules currently loaded
  semodule -b /usr/share/selinux/targeted/enableaudit.pp
  semodule -b /usr/share/selinux/targeted/base.pp
  semodule -i myapache.pp
  semodule -r myapache

Generating policy modules
Policy modules consist of three files.
Type Enforcement File (te)
  Contains the allow rules and interface calls associated with the confined domain
File Context File (fc)
  Contains all of the labeling file context for the policy module.
Interface File (if)
  Contains all interfaces used by other domains to interact with this confined domain.
  DOMAIN_domtrans, DOMAIN_read_config

Creating Policy modules with audit2allow
Making small customizations to policy
In RHEL4
  You needed to install selinux-policy sources to modify policy
  cd /etc/selinux/targeted/src/policy
  grep httpd_t /var/log/messages | audit2allow >> domain/misc/local.te
  make install
In RHEL5
  grep httpd_t /var/log/audit/audit.log | audit2allow -M mypolicy
  This command will generate a te file and compile it into a pp file.
  semodule -i mypolicy.pp

Building policy modules
Install selinux-policy-devel
  Includes interfaces for all installed policy modules
  /usr/share/selinux/devel
  policygentool: helper app to begin construction of te, if, fc files
  include/... directory has interfaces: kernel, services, system, apps, admin
  Makefile (used to compile policy modules).

Exercises: Managing Policy Modules
List all modules on your machine
Remove the pcscd policy module.
  What is the label of the running process?
  Why?
  service pcscd stop
  restorecon -Rv /usr/sbin/pcscd /var/run
Advanced Topic:
  using /usr/share/selinux/devel/policygentool try to generate pcscd policy
Managing SELinux Systems

Managing SELinux systems
In RHEL5/Fedora Core 5 and beyond a new semanage framework was added
In RHEL4 often required custom policy
  allowing apache to listen on port 81 required policy sources and tools
In RHEL5
  semanage port -a -t http_port_t -p tcp 81

Semanage Commands
SELinux Users
  semanage user -l
  semanage user -a guest_u
Linux User to SELinux user mapping
  semanage login -a -s guest_u dwalsh
File Context
  semanage fcontext -a -t httpd_bugzilla_script_exec_t '/usr/share/bugzilla/cgi(/.*)?'
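An added example, not from the slides, covering the file labeling slides (chcon/restorecon, file_contexts.local) and the semanage fcontext command above: it looks up the default label for a path from a constructed file_contexts plus a file_contexts.local entry like the one semanage fcontext -a writes, and reports what restorecon would change for the mv'ed resolv.conf case. The entry ordering assumed here is the usual one: the later, more specific entry wins, and local entries are consulted last.

```shell
#!/bin/sh
# Added example (not from the slides): matchpathcon/restorecon-style lookup
# of a path's default context. FILE_CONTEXTS and FILE_CONTEXTS_LOCAL are
# constructed excerpts; the bugzilla entry is what semanage fcontext -a adds.
FILE_CONTEXTS='/.*                          system_u:object_r:default_t:s0
/etc(/.*)?                    system_u:object_r:etc_t:s0
/etc/shadow                   system_u:object_r:shadow_t:s0
/etc/resolv\.conf             system_u:object_r:net_conf_t:s0
/var/www(/.*)?                system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?        system_u:object_r:httpd_sys_script_exec_t:s0'
FILE_CONTEXTS_LOCAL='/usr/share/bugzilla/cgi(/.*)?  system_u:object_r:httpd_bugzilla_script_exec_t:s0'

# match_path PATH: context of the last entry whose anchored regex matches PATH
# (entries are ordered general to specific, local entries last, so the most
# specific one wins). A path matched only by /.* gets default_t, which the
# slides call out as a labeling problem.
match_path() {
  { printf '%s\n' "$FILE_CONTEXTS"; printf '%s\n' "$FILE_CONTEXTS_LOCAL"; } |
  awk -v p="$1" '
    NF >= 2 { re = "^" $1 "$"; if (p ~ re) ctx = $NF }
    END { print (ctx == "" ? "<<none>>" : ctx) }'
}

# label_mismatch PATH CURRENT_CONTEXT: "ok" if the file already carries its
# default label, otherwise the change restorecon would make.
label_mismatch() {
  want=$(match_path "$1")
  if [ "$want" = "$2" ]; then printf 'ok\n'; else printf '%s -> %s\n' "$2" "$want"; fi
}

# A resolv.conf created in a home directory and mv'ed into /etc keeps
# user_home_t (mv preserves the source context); restorecon would fix it.
label_mismatch /etc/resolv.conf system_u:object_r:user_home_t:s0
match_path /usr/share/bugzilla/cgi/index.cgi
match_path /opt/www/html/index.html
```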
Exercises: Managing SELinux
List all SELinux users
Add an SELinux user to your machine
Create a directory /opt/www/html
  Label it so that apache can read it.
  Make a permanent change to the file context so that relabeling the filesystem will not change this.

Configuring Audit

Auditing
Audit system receives SELinux events
No auditd running
  AVCs in /var/log/messages and dmesg
auditd running
  AVCs in /var/log/audit/audit.log
audit=1 kernel parameter required for full auditing

Auditing CAPP/EAL4+
CAPP: Controlled Access Protection Profile
  DAC profile
  Security features selection
EAL4+: Evaluation Assurance Level
  Level of testing and documentation
cp /usr/share/doc/audit-1.0.12/capp.rules /etc/audit.rules

auditctl
Utility to control the kernel's audit system
  -e [0|1] Disable/Enable audit
SEE Steve Grubb Audit BOF...

aureport
Generate summary reports of audit logs
  -a Report about AVC messages
  -i Interpret numeric fields for human consumption
  -ts Time Start, -te Time End
  aureport -a -ts 1:00:00
    Generate an AVC report since 1 AM
  --success/--failed (Both if you select neither.)
  --summary (Totals of events)

ausearch
Search audit daemon logs
  -m avc
  -ts
  -x executable
  ausearch -m avc -ts 1:00:00 -x named

Exercises: Audit
Use aureport on audit messages on the system
Search for apache AVC messages
Turn off auditing. Where do the AVC messages end up?

Customizing Apache

Customizing Apache Policy
httpd: most complex daemon in RHEL4
Most complex and configurable of any of the SELinux policies.
Confine compromised Apache web server from damaging the rest of the system
Finer grained goals
  Preventing a compromised wiki CGI script from corrupting a blog installation owned by the same person

Exercises: Apache
Is httpd running under a confined domain?
Stop httpd
Start apache directly: /usr/sbin/httpd
  Which context is it running under?
  Why?
Kill httpd and start it within a confined domain
Setup an apache website which supports cgi scripts where the data is located in the /src/www/data directory
Setup apache to use users' home directories and place an html file there
Advanced: Add a cgi script that needs to write to a particular directory, turn off httpd_unified and make the script work in enforcing mode.

Q/A

More Information
Red Hat Enterprise Linux Resource
  http://www.redhat.com/software/rhel/
SELinux Resources
  http://www.nsa.gov/selinux
  http://fedora.redhat.com/projects/selinux/
  http://fedoraproject.org/wiki/SELinux
Mailing Lists
  selinux@tycho.nsa.gov (NSA List)
  fedora-selinux-list@redhat.com (Fedora SELinux List)