Understanding SELinux for the Win. Brian Bouterse, Principal Software Engineer, Red Hat.

Upload: bmbouter

Post on 20-Mar-2017


TRANSCRIPT

Page 1: Understanding SELinux For the Win

Understanding SELinux for the Win

Brian Bouterse

Principal Software Engineer, Red Hat.

Page 2: Understanding SELinux For the Win


Introduction

● Disabling SELinux since 2002 – 2015

● Love Free and Open Source

● Principal Software Engineer with Red Hat since 2015

● Work on Pulp ( http://pulpproject.org/ )

● In 2015 I started working with SELinux

● Wrote three SELinux policies for Pulp

● Contribute to several Open Source projects (Kombu, Celery)

Page 3: Understanding SELinux For the Win


Agenda

● Why do we care about SELinux?

● How SELinux Works

● What is an SELinux Policy

● SELinux Tooling

● CIL Language

● Troubleshooting SELinux

Page 4: Understanding SELinux For the Win


Motivation

What is the most common query that has the term “SELinux”?

Page 5: Understanding SELinux For the Win


Motivation

What is the most common query that has the term “SELinux”?

“Disabling SELinux”

https://trends.google.com/trends/explore?q=selinux

Page 6: Understanding SELinux For the Win


Unix Permissions

● User / Group Models

● Permissions Mask (rwxs)

● Discretionary Access Control (DAC)

● Kernel enforces DAC

● All powerful root user

https://www.slideshare.net/gottsc_r/how-to-not-disable-selinux

Page 7: Understanding SELinux For the Win


Linux Kernel Permissions

● Lots of fine-grained permissions

● CAP_SYS_BOOT – allows reboot

● CAP_DAC_READ_SEARCH – bypasses file read and directory search permission checks

https://www.slideshare.net/gottsc_r/how-to-not-disable-selinux

Page 8: Understanding SELinux For the Win


What is wrong with root?

● You have to trust root

● root bypasses file/user/group security controls

● Multi-user systems have no privacy guarantee against root

● All-or-nothing security model

● No granularity to leverage kernel permissions

● Improved somewhat with fine-grained sudo controls

Page 9: Understanding SELinux For the Win


Problem: Application Trust Issues

● Trust apps are secure

● CVEs happen, 0-days happen

● Trust apps are configured correctly

  ● Gartner projected that 75% of mobile security breaches would be the result of application misconfiguration [0]

● Trust apps aren’t malware or nefarious

  ● SELinux does not address this

  ● Open source FTW

  ● Signed packages

  ● Reproducible Builds are important

  ● Open build systems

[0] http://www.gartner.com/newsroom/id/2753017?nicam=prsm13

Page 10: Understanding SELinux For the Win


When Applications get Compromised

● Steal/Expose/Modify/Corrupt application data

  ● CVE-2011-1717: Skype for Android left all of its application data world-readable and world-writable (mode 666)

● Privilege Escalation (kernel and local root exploits)

  ● “CVE-2010-EASY” (the name the rageagainstthecage Android root exploit gives itself; not a real CVE ID): drops into a shell as root

● Install backdoor

● Make network connections (DDoS slave)

● If your app is root, game over

Page 11: Understanding SELinux For the Win


Public Service Announcement

Page 12: Understanding SELinux For the Win


Don’t run apps as root

Public Service Announcement

Page 13: Understanding SELinux For the Win


SECURITY ENHANCED LINUX IS A SECURITY MECHANISM BRINGING PROACTIVE SECURITY FOR YOUR SYSTEM

http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/4

Page 14: Understanding SELinux For the Win

http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/6

Page 15: Understanding SELinux For the Win


SELinux Security – File Contexts

● Stored on the file as the security.selinux extended attribute (`ls -Z` shows it)

system_u:object_r:passwd_file_t:s0

Page 16: Understanding SELinux For the Win


SELinux Security – Domains

● Tracked by SELinux per process

● Called a Domain when applied to a process

system_u:system_r:syslogd_t:s0

Page 17: Understanding SELinux For the Win


SELinux Security Context Anatomy

http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/11

system_u:object_r:passwd_file_t:s0

● system_u – SELinux User

● object_r – SELinux Role

● passwd_file_t – SELinux Type (the part the targeted policy actually decides on)

● s0 – [sensitivity]: the MLS/MCS level, which may carry a range and categories, e.g. s0-s0:c0.c1023

Page 18: Understanding SELinux For the Win


SELinux “Targeted” Rule Anatomy

allow user_t bin_t:file read;

● allow – the action (rule kind)

● user_t – source type: the process label (domain)

● bin_t – target type: the label on the object being accessed

● file – object class of the target

● read – permission

Page 19: Understanding SELinux For the Win


Rule Example

`sesearch` (from setools) queries the compiled policy for any rule on a system, e.g. `sesearch -A -s httpd_t -t httpd_sys_content_t -c file` lists the allow rules from httpd_t to httpd_sys_content_t files

http://lvrabec-selinux.rhcloud.com/wp-content/uploads/2017/01/selinux-workshop.html#/0/14
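As an added example (not code from the slides or from the setools project), the Python below models the rule anatomy on the previous slide: it parses allow rules in the syntax shown, merges repeated rules for the same triple the way the policy compiler does, and answers sesearch-style queries. The sample rules are constructed for this example and only imitate the shape of the Fedora targeted policy; they are not copied from it.

```python
import re
from collections import defaultdict

# Constructed sample rules in the "allow <source> <target>:<class> <perms>;"
# syntax from the slide.  They only imitate the Fedora targeted policy; they
# are not copied from it.
SAMPLE_RULES = """
allow user_t bin_t:file read;
allow user_t bin_t:file { getattr open execute };
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { read search getattr open };
allow httpd_t httpd_sys_rw_content_t:file { read write append getattr open };
allow syslogd_t var_log_t:file { create append open getattr };
"""

# One permission ("read") or a braced set ("{ read getattr }").
RULE_RE = re.compile(
    r"^allow\s+(?P<source>\S+)\s+(?P<target>\S+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>[^\s;]+))\s*;$"
)


def parse_rules(text):
    """Map (source_type, target_type, class) -> set of permissions.

    Repeated rules for the same triple are merged, which is what the policy
    compiler does, so the first two sample rules become one entry.
    """
    rules = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"not an allow rule: {line!r}")
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        rules[(m.group("source"), m.group("target"), m.group("tclass"))].update(perms)
    return dict(rules)


def search(rules, source=None, target=None, tclass=None):
    """sesearch-style query: restrict by any combination of source type,
    target type and object class; unset filters match everything."""
    return {
        key: perms
        for key, perms in rules.items()
        if (source is None or key[0] == source)
        and (target is None or key[1] == target)
        and (tclass is None or key[2] == tclass)
    }


def is_allowed(rules, source, target, tclass, perm):
    """The access-vector check SELinux performs: with no matching allow rule
    the answer is no (default deny); there are no deny rules to look for."""
    return perm in rules.get((source, target, tclass), set())


if __name__ == "__main__":
    policy = parse_rules(SAMPLE_RULES)
    for key, perms in search(policy, source="httpd_t").items():
        print("allow %s %s:%s { %s };" % (*key, " ".join(sorted(perms))))
    print(is_allowed(policy, "httpd_t", "httpd_sys_content_t", "file", "write"))
```

The `is_allowed` check is the point of the model: a confined domain gets exactly the permissions some allow rule names, and an absent rule is a denial, which is what the AVC records later in the deck report.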

Page 20: Understanding SELinux For the Win


Where do rules come from?

● An SELinux module defines rules

● SELinux modules are compiled

● The OS brings a lot of system modules

● Some applications bring modules too

● The SELinux policy is the collection of all installed modules

Page 21: Understanding SELinux For the Win


Listing Modules with `semodule -l`

Page 22: Understanding SELinux For the Win


How do file contexts get assigned?

● Policies have .fc files which list path regexes and the label to apply

● Conflicting label resolution

  ● More specific rules override less specific rules (the compiled list is sorted from general to specific and the last matching entry wins)

● New files are automatically labeled (normally inheriting the parent directory's type, or via a type transition rule)

● Moved files are not automatically relabeled (mv keeps the extended attribute)

● The compiled list on a system: /etc/selinux/targeted/contexts/files/file_contexts; on Fedora the big list in the policy store: /usr/share/selinux/targeted/default/active

Page 23: Understanding SELinux For the Win


Managing File Security Contexts

● restorecon – restore file(s) to their default SELinux security context

  ● restorecon -v some_file

● chcon – change a file's SELinux security context (not persistent: the next restorecon or relabel reverts it)

  ● chcon -R -t httpd_sys_content_t /web/

● fixfiles

  ● fixfiles -R <packagename> restore

  ● fixfiles relabel

● Full auto-relabel

  ● touch /.autorelabel; reboot

  ● Allows init to do the relabeling
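An added example, not code from the slides or from libselinux: a small Python model of the file_contexts lookup that restorecon and matchpathcon perform on the two slides above, run over a constructed excerpt in file_contexts format (the paths and labels are illustrative, not copied from a real policy). It shows why a file moved into /var/www keeps its old label until restorecon runs, and why chcon alone is not durable: restorecon puts back whatever the sorted list says.

```python
import re

# A constructed excerpt in file_contexts format: "<regex> [<type flag>] <context>".
# The optional middle field limits the entry to one kind of object: -- plain
# file, -d directory, -l symlink, and so on.  Paths and labels are illustrative
# and not copied from a real policy.
FILE_CONTEXTS = """
/.*                         system_u:object_r:default_t:s0
/tmp(/.*)?                  system_u:object_r:tmp_t:s0
/var/run/httpd.*       --   system_u:object_r:httpd_var_run_t:s0
/var/www(/.*)?              system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/upload(/.*)?  system_u:object_r:httpd_sys_rw_content_t:s0
/web(/.*)?                  system_u:object_r:httpd_sys_content_t:s0
"""

TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
              "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_file_contexts(text):
    """Return [(compiled regex, object type or None, context)] in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, context = parts
            ftype = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, context = parts
            ftype = None
        else:
            raise ValueError(f"bad file_contexts line: {line!r}")
        specs.append((re.compile(regex), ftype, context))
    return specs


def expected_context(specs, path, ftype="file"):
    """What restorecon/matchpathcon would assign to `path`.

    The compiled file_contexts is sorted from most general to most specific
    and the last matching entry wins, so the /var/www/cgi-bin entry beats the
    broader /var/www one without any explicit priority field.  Regexes are
    anchored (fullmatch), as libselinux treats them.  None means no entry
    matches and the file would be left alone.
    """
    winner = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.fullmatch(path):
            winner = context
    return winner


def relabel_plan(specs, current_labels):
    """Diff actual labels (what ls -Z shows; here a constructed dict) against
    the policy's expected ones, i.e. what `restorecon -v` would change."""
    plan = {}
    for path, actual in current_labels.items():
        expected = expected_context(specs, path)
        if expected is not None and expected != actual:
            plan[path] = (actual, expected)
    return plan


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    # A file created in /tmp and then mv'd into the web root keeps its tmp_t
    # xattr; cp or a fresh create would have inherited the directory's label.
    labels = {
        "/var/www/html/index.html": "system_u:object_r:httpd_sys_content_t:s0",
        "/var/www/html/moved.html": "system_u:object_r:tmp_t:s0",
    }
    for path, (old, new) in relabel_plan(specs, labels).items():
        print(f"Relabeled {path} from {old} to {new}")
```

For a new location such as /web the durable fix is to add an entry to the list (`semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"`, which lands in file_contexts.local and is consulted after the distribution entries) and then run `restorecon -R /web`; chcon only rewrites the xattr and loses to the next relabel.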

Page 24: Understanding SELinux For the Win


SELinux Enforcement

● Enforcing – SELinux policy is enforced

● setenforce 1

● Permissive – Not enforcing but denials are logged

● setenforce 0

● `getenforce` – reports whether SELinux is enforcing, permissive, or disabled (setenforce only toggles between the first two; switching to or from disabled means editing SELINUX= in /etc/selinux/config and rebooting)

Page 25: Understanding SELinux For the Win


Targeted Mode

● SELinux is default-deny: only what an allow rule grants is permitted, and there are no deny rules. The targeted policy grants unconfined domains nearly everything, so for them it feels as if everything is allowed.

● By default processes run in the unconfined_t domain.

● unconfined_t processes have the same access they would have without SELinux running.

● Daemons or applications transition to a locked-down domain as defined by the SELinux policy.

● httpd starts from unconfined_t (or from init_t under systemd) and, on executing a binary labeled httpd_exec_t, transitions to httpd_t

“SELinux for Dummies” - http://slideplayer.com/slide/11222578/

Page 26: Understanding SELinux For the Win


Where are the logs?

● /var/log/audit/audit.log

● Denials are logged here as AVC records; allowed accesses appear only if a policy auditallow rule asks for them, and dontaudit rules suppress some denials

● See denials with `ausearch -m AVC`

Page 27: Understanding SELinux For the Win


Anatomy of an AVC denial

avc: denied { getattr } for pid=7604 comm="firefox" path="/usr/lib64/firefox-3.5.3/firefox" dev=dm-2 ino=1311607 scontext=dgrift_u:dgrift_r:gwibber_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file

● What process was denied access? comm="firefox"

● What domain type did the source process operate in when it was denied access? The type in scontext: gwibber_t

● What object or subject was the source process denied access to? path="/usr/lib64/firefox-3.5.3/firefox"

● What was the object/subject type of the target? The type in tcontext: mozilla_exec_t

● What permission was denied? { getattr }

● What is the class of the target? tclass=file

● What was the process identity of the source? pid=7604

● What was the inode number of the target object? ino=1311607

● What happened? denied

http://selinux-mac.blogspot.com/2009/09/avc-denials-example.html

Page 28: Understanding SELinux For the Win


SELinux Utilities

● “Z” is your friend

● Core Utilities

  ● ls -Z

  ● cp/mv/install – each handles the file context differently: cp (without --preserve=context) gives the copy a fresh label inherited from the destination directory, mv keeps the source's label, install can set one with -Z

● find / -context <pattern>

● id -Z

● ps auxZ

“SELinux for Dummies” - http://slideplayer.com/slide/11222578/

Page 29: Understanding SELinux For the Win


Backup and Disc Management

● tar

  ● --selinux or --xattrs

  ● tar -xvf archive.tar | restorecon -f - (feeds the list of extracted files to restorecon)

● zip

● rsync

  ● -X or --xattrs

● star

“SELinux for Dummies” - http://slideplayer.com/slide/11222578/

Page 30: Understanding SELinux For the Win


CIL Language

● Higher level, domain specific languages are being created

● Common Intermediate Language (CIL)

● Decompiling a local policy into CIL

  ● sudo semodule -c -E <module name>

● Allows policies to be compared using diff

Page 31: Understanding SELinux For the Win


SELinux Booleans

● Parts of a policy that an administrator can enable or disable at runtime.

● No recompilation necessary

● List all booleans and their current state

  ● getsebool -a

● Enable/disable a boolean (-P makes it persist across reboots)

  ● setsebool -P httpd_can_network_connect on

  ● setsebool -P httpd_can_network_connect off

Page 32: Understanding SELinux For the Win


Troubleshooting

● Check the booleans for the application. Maybe one needs to be enabled.

● Look at the policy's rules (e.g. by extracting the module as CIL)

● Temporarily switch to permissive mode (setenforce 0) to collect every denial at once

● Check three things:

  ● Verify the expected policy is installed using `sudo semodule -l`

  ● Verify the process is running in the expected domain (`ps -eafZ | grep <your_app>`)

  ● Verify the file contexts are correctly set (compare `ls -Z` with what the policy expects, e.g. via `matchpathcon`, or inspect the CIL)

Page 33: Understanding SELinux For the Win


App fails with no AVC denials

● Running `setenforce 0` makes the app work, yet no denial is logged

● dontaudit rules

  ● dontaudit rules silence specific AVC denials

  ● Not logged by default

  ● You can see them by rebuilding the policy with dontaudit disabled: `sudo semodule --disable_dontaudit --build` (short form `semodule -DB`); re-enable with `semodule -B`

“SELinux for Dummies” - http://slideplayer.com/slide/11222578/

Page 34: Understanding SELinux For the Win


Working Around Problems

● Report issues upstream to your project

  ● Helps resolve whether an issue is environmental, a code defect, or a policy defect

● If it’s a legitimate incompatibility between the application and its own policy you should apply a workaround:

1. Cause an SELinux policy reload using `sudo semodule -R`

2. Set into permissive mode and restart the application

3. Trigger the AVC denial again

4. Use `audit2allow -al` to show you the rules you are missing (-a reads the audit log, -l only the denials since the last policy reload)

Page 35: Understanding SELinux For the Win


audit2allow

~]# audit2allow -a

#============= certwatch_t ==============

allow certwatch_t var_t:dir write;

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Page 36: Understanding SELinux For the Win


Applying audit2allow Recommendations

~]# audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************

To make this policy package active, execute:

semodule -i mycertwatch.pp

~]# ls

mycertwatch.pp mycertwatch.te

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Page 37: Understanding SELinux For the Win


What if there are AVC denials from 2+ processes? Filter the log to one process before feeding audit2allow:

~]# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2

******************** IMPORTANT ***********************

To make this policy package active, execute:

~]# semodule -i mycertwatch2.pp

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
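The Python below is an added example (not code from the slides, from audit2allow, or from the Pulp project) that ties together the AVC anatomy on Page 27 and the audit2allow workflow on Pages 35 to 37: it parses AVC records out of audit.log lines, pulls out the answers to the Page 27 questions, filters by process name as the grep above does, and emits the same grouped allow rules that `audit2allow -a` prints. The firefox record is the slide's own; the certwatch records and all timestamps are constructed so that the generated rule matches the output shown on Page 35.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt.  The firefox record is the one on the slide
# (Page 27); the certwatch records and all timestamps are made up so that the
# generated rule matches the audit2allow output shown on Page 35.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1489800000.123:1234): avc:  denied  { getattr } for  pid=7604 comm="firefox" path="/usr/lib64/firefox-3.5.3/firefox" dev=dm-2 ino=1311607 scontext=dgrift_u:dgrift_r:gwibber_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_exec_t:s0 tclass=file
type=AVC msg=audit(1489800001.456:1235): avc:  denied  { write } for  pid=2021 comm="certwatch" name="lib" dev=dm-0 ino=131 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1489800001.789:1236): avc:  denied  { add_name } for  pid=2021 comm="certwatch" name="certwatch.lock" dev=dm-0 ino=131 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1489800001.789:1236): arch=c000003e syscall=257 success=no exit=-13 comm="certwatch"
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """user:role:type:level.  The level may itself contain ':' and '-'
    (s0-s0:c0.c1023), so split at most three times."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return the fields a troubleshooter asks about, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),          # which permission
        "comm": fields.get("comm"),                       # which process
        "pid": fields.get("pid"),                         # its identity
        "target": fields.get("path") or fields.get("name"),  # what it touched
        "ino": fields.get("ino"),
        "tclass": fields["tclass"],                       # class of the target
        "source_type": split_context(fields["scontext"])["type"],
        "target_type": split_context(fields["tcontext"])["type"],
    }


def denials(log_text, comm=None):
    """All denied AVCs, optionally only those from one program (the effect of
    `grep certwatch /var/log/audit/audit.log | audit2allow`)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and (comm is None or rec["comm"] == comm):
            out.append(rec)
    return out


def suggest_allow_rules(records):
    """Collapse denials into one allow rule per (source, target, class) with
    the permissions merged, which is the grouping audit2allow prints."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p};" if len(perms) == 1 else f"allow {s} {t}:{c} {{ {p} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_allow_rules(denials(SAMPLE_AUDIT_LOG, comm="certwatch")):
        print(rule)
```

What audit2allow prints is the rule that would make the denial go away, not necessarily the right fix. Before installing a module built from it, check whether a boolean already covers the access, whether the target is simply mislabeled (restorecon), and whether a narrower type than var_t exists, since `allow certwatch_t var_t:dir { add_name write }` grants write to every directory carrying that generic label.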

Page 38: Understanding SELinux For the Win


Applying using CIL

● Extract the .pp file from the running system

  ● sudo semodule -H -E <module name>

● Convert to a CIL file

  ● sudo /usr/libexec/selinux/hll/pp /root/example.pp > /tmp/root-example.cil

● Edit the CIL file as necessary

● semodule -i /tmp/root-example.cil

https://plautrba.fedorapeople.org/blok/How-to-compare-two-SELinux-modules.html

Page 39: Understanding SELinux For the Win


Slides ->

Brian Bouterse

@bmbouter

bmbouter on freenode

http://www.slideshare.net/bmbouter/