Skip to content

meetup - attraktor - selinux

Just arrived at home from back to hack selinux. I tried my best to keep up the speed of slides. Nevertheless, there are some gaps in between.

Big thanks to the presenter. I turned my fear into anticipation for using it!


  • 1976 LaPadula paper released
  • DTMach as construction idea released
  • Based on FLASK, first patches to linux kernel
  • 2002 implemented as linux security module (LSM)
  • Since 2003 part of the mainline kernel
  • Fedora core was first distribution (shipped with policy)
  • Since 2007 shipped with RHEL5 EAL4+

Bell LaPadula

  • MAC
  • TE
  • RBAC
  • No read up, no write down


  • Extends DAC (directory access control)
  • mode at runtime changeable (enforcing vs permissive)
  • flexible policy
  • AVC (access vector cache)
  • root is not god anymore
  • process running in own security domain

Discretionary Access Control

  • classical security concept
  • object based access control
  • unflexible
  • rights per user
  • user can ship rights
  • uid can be changed by using suid


  • access control by using policy

TE - Type Enforcement

  • all resources have a typ/domain
  • whitelisting ruleset

Security Context

  • securityarea
  • object (user:role:domain:level)
  • subject


  • heart of selinux
  • common policis are targeted, strict and MLS
  • defines rules for access from subject of object
  • defines domain transition of a subject (when can a subject change its domain)



  • default policy
  • contains a understandable complexity
  • well choosen processes running in own domain
  • you can tweak the policy by using booleans
  • this policy should be enough for daily work
  • if you use the filesystem hirachy standard you are quite save
  • Unknown software is stored in context "unconfined"

Multi Level Security (mls)

  • everything is running under selinux policies
  • tweakable by booleans
  • only for high risk security aspects


  • enables tweaking the policy without reload
  • no knowledge about policy needed
  • booleans can set permanent
  • semanage boolean -l lists a lot of informations


  • -Z is selinux switch (ls -Z, netstat -Z)
  • cp, mkdir and so on are linked against selinux to support setting needed bytes
  • getenforec/setenforce - switching selinux mode
  • restorecon/fixfiles/chcon - changing context of subjects
  • sestatus - status
  • avcstat - status about avc
  • libselinux - the selinux
  • libsepol - all binaries linked against

Policy Management

  • setsebool/getsebool - show and set of selinux booleans
  • semanage - policy management
  • semodule -

Policy Development

  • audit2allow - builds selinux rules based on audit log
  • checkmodule - transforms rulse into binary
  • semodule_package -
  • audit2why - analyse selinux

Linux Audit Framework (LAF)

  • should be used for logging


  • you are loosing the context if your backup software does
  • tar and rsync supports :)


No Trackbacks


Display comments as Linear | Threaded

No comments

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
To leave a comment you must approve it via e-mail, which will be sent to your address after submission.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

Markdown format allowed
Form options