how to use selinux (no i don't mean turn it off)
HOW TO USE SELINUX
CHUCK REEVES @MANCHUCK
NO I DON'T MEAN TURN IT OFF
ZendCon 2016
HOW TO USE SELINUX - NO I DON'T MEAN TURN IT OFF
ABOUT
▸ Built using Kernel Modules
▸ More permissions than CRUD and Access
▸ Allows Multi-Level Security using BLP and Biba Models
▸ Permissions set on the inode instead of the file
▸ Mandatory Access Control (MAC)
WHAT YOU NEED TO KNOW
▸ Each inode is given a single context
▸ Each context identifies a user, role, type and level
▸ SELINUX then allows (or denies) access by checking the context against a policy
▸ The decision is cached in the Access Vector Cache (AVC)
▸ The decision is made after the DAC access check
▸ SELINUX manages:
▸ Users
▸ Sockets
▸ Memory
▸ Directories
▸ TCP/UDP connections
PROCESS TYPES
▸ Confined
▸ Runs in its own domain (role)
▸ Resources are limited by the roles and policy
▸ Unconfined
▸ Falls back to the DAC policies
CONTEXTS
▸ Policy checks context of inode for access
▸ "If a process is running with <context_foo> then anything with <context_foo_type> is allowed access"
▸ Four parts: user, role, type and level (optional)
▸ Set automatically based on the parent context (mostly)
▸ RPM
▸ Management tools (ansible, chef, puppet)
▸ When a File transitions (moving an uploaded file)
▸ By the sysadmin with chcon, restorecon
FINDING CONTEXT
ls -alZ /home
ps -Z
BOOLEANS
▸ On/off settings for policies
▸ Allow HTTPD to make network connections
▸ Allow FTP to access home directories
▸ Overcomes issues with over-labeling contexts
TURNING IT BACK ON
▸ TARGETED
▸ PERMISSIVE
▸ DISABLED (You already know this one)
edit /etc/selinux/config
sudo yum install setroubleshoot setroubleshoot-server
sudo service auditd restart
ls -alZ
sudo touch /.autorelabel
ls -alZ
TROUBLESHOOTING EXAMPLE: DATABASE
tail -f /var/log/audit/audit.log
tail -f /var/log/messages
sealert -l <message id>
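As an added example (not code from the talk), the AVC denial records that `tail -f /var/log/audit/audit.log` shows can be parsed and aggregated before reaching for `sealert`, so you see which source domain was denied which permission on which target type and object class. The sample log lines are constructed; the context splitter follows the user:role:type:level layout from the CONTEXTS slides, with the level treated as optional.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample audit.log records (not from the talk), in the kernel's AVC layout.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1478000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1478000000.123:456): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1478000001.500:457): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/srv/web/file1" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1478000002.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # optional fourth field, e.g. "s0" or "s0-s0:c0.c1023"

def parse_context(ctx: str) -> Context:
    """Split user:role:type[:level]; split at most 3 times since the level may contain ':'."""
    user, role, type_, *rest = ctx.split(":", 3)
    return Context(user, role, type_, rest[0] if rest else None)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str):
    """Return (denied perms, fields) for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    fields["scontext"] = parse_context(fields["scontext"])
    fields["tcontext"] = parse_context(fields["tcontext"])
    return m.group("perms").split(), fields

def summarize_denials(log_text: str) -> Counter:
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL and other record types are not access decisions
        perms, f = parsed
        for perm in perms:
            counts[(f["scontext"].type, f["tcontext"].type, f["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}  {src} -> {tgt}  {cls}:{perm}")
```

The first summary row (httpd_t denied name_connect on mysqld_port_t) is the database case the slides troubleshoot; the user_home_t rows point at a labeling problem rather than a boolean.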
BOOLEANS
setsebool -P httpd_can_network_connect 1
semanage boolean -l | grep httpd_enable_ftp_server
getsebool -a
getsebool <boolean>
TROUBLESHOOTING EXAMPLE: FILE UPLOAD
ls -Z
sealert -l <message id>
SETTING CONTEXT
chcon -R -t httpd_sys_content_t web/
ls -Z web
mkdir web/
touch web/file{1,2,3}
ls -Z web
RESOURCES
▸ Red Hat Documentation for SELINUX: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
▸ Servers for Hackers, Battling SELINUX: https://serversforhackers.com/video/battling-selinux-cast
▸ SELinux For Mere Mortals: https://www.youtube.com/watch?v=MxjenQ31b70
THANKS
CHUCK REEVES @MANCHUCK