meetup - attraktor - selinux
Just arrived home from back to hack selinux. I tried my best to keep up with the speed of the slides. Nevertheless, there are some gaps in between.
Big thanks to the presenter. I turned my fear into anticipation for using it!
History
- 1976: LaPadula paper released
- DTMach released as a construction idea
- First patches to the linux kernel, based on FLASK
- 2002: implemented as a linux security module (LSM)
- Since 2003 part of the mainline kernel
- Fedora Core was the first distribution to ship it (with a policy)
- Since 2007 shipped with RHEL 5 (EAL4+)
Bell LaPadula
- MAC
- TE
- RBAC
- No read up, no write down
Features
- Extends DAC (discretionary access control)
- mode can be changed at runtime (enforcing vs. permissive)
- flexible policy
- AVC (access vector cache)
- root is not god anymore
- each process runs in its own security domain
Discretionary Access Control
- classical security concept
- object-based access control
- inflexible
- rights per user
- users can pass their rights on to others
- uid can be changed by using suid
MAC
- access control by using policy
TE - Type Enforcement
- all resources have a type/domain
- whitelisting ruleset
Security Context
- security area
- object (user:role:domain:level)
- subject
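As an added example (not from the talk), here is a small POSIX shell helper that splits a context of the user:role:type:level form listed above into its fields; the context strings are constructed for illustration. It handles the one awkward case: an MLS level such as s0-s0:c0.c1023 contains a colon itself, so the level is everything after the third colon rather than just the fourth colon-separated field.

```shell
#!/bin/sh
# Added example, not from the talk: split an SELinux security context into
# user, role, type (domain) and level. All context strings are constructed.

# ctx_field CONTEXT N -> prints field N (1=user 2=role 3=type 4=level).
# The MLS level may itself contain ':' (e.g. s0-s0:c0.c1023), so field 4
# is "everything after the third colon", not just the fourth cut field.
ctx_field() {
    case "$2" in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# ctx_type_from_ls LINE -> type of an "ls -Z FILE" style line, which prints
# "<context> <filename>" (context in the first column).
ctx_type_from_ls() {
    ctx_field "$(printf '%s\n' "$1" | awk '{print $1}')" 3
}

# Constructed samples: a subject (running process) and an object (a file).
SUBJECT_CTX='system_u:system_r:httpd_t:s0'
OBJECT_CTX='unconfined_u:object_r:user_home_t:s0-s0:c0.c1023'
LS_LINE='unconfined_u:object_r:user_home_t:s0 index.html'

# Type enforcement decides on the third field of both contexts.
printf 'subject domain: %s\n' "$(ctx_field "$SUBJECT_CTX" 3)"
printf 'object type:    %s\n' "$(ctx_field "$OBJECT_CTX" 3)"
printf 'object level:   %s\n' "$(ctx_field "$OBJECT_CTX" 4)"
printf 'ls -Z type:     %s\n' "$(ctx_type_from_ls "$LS_LINE")"
```

The third field is the one TE rules are written against, which is why the notes below talk about domains and types almost exclusively; the user and role fields only matter once RBAC or MLS come into play.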
Policy
- heart of selinux
- common policies are targeted, strict and MLS
- defines rules for access from subject to object
- defines domain transition of a subject (when can a subject change its domain)
Policies
Targeted
- default policy
- has an understandable complexity
- well-chosen processes run in their own domain
- you can tweak the policy by using booleans
- this policy should be enough for daily work
- if you follow the filesystem hierarchy standard you are quite safe
- unknown software runs in the "unconfined" context
Multi Level Security (mls)
- everything runs under selinux policies
- tweakable by booleans
- only for high-risk security requirements
Booleans
- enable tweaking the policy without reloading it
- no knowledge of the policy needed
- booleans can be set permanently
- semanage boolean -l lists a lot of information
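Added example, not from the talk: a POSIX shell snippet that answers the question an auditor asks about booleans, namely which ones have been changed from their policy default on this box. The listing is constructed to mimic the layout of semanage boolean -l (name, "(current , default)", description) so the script runs without SELinux installed; the setsebool -P call that makes a change permanent is wrapped in a guard for the same reason.

```shell
#!/bin/sh
# Added example, not from the talk: find booleans whose current state differs
# from the policy default, i.e. local tweaks worth knowing about. The listing
# below is constructed in the "semanage boolean -l" layout instead of
# calling the tool, so this runs on any host.
SAMPLE_BOOLEANS='SELinux boolean                State  Default Description

httpd_can_network_connect      (on   ,  off)  Allow httpd to connect to the network
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
ftpd_anon_write                (off  ,  off)  Allow ftp servers to write to anonymous dirs'

# bool_state NAME -> current state ("on"/"off") of one boolean.
# Data lines are recognised by their second column starting with "(".
bool_state() {
    printf '%s\n' "$SAMPLE_BOOLEANS" | awk -v name="$1" '
        $1 == name && $2 ~ /^\(/ { cur = $2; gsub(/[(),]/, "", cur); print cur }'
}

# changed_booleans -> one line per boolean whose current state != default.
changed_booleans() {
    printf '%s\n' "$SAMPLE_BOOLEANS" | awk '
        $2 ~ /^\(/ {
            cur = $2; def = $4
            gsub(/[(),]/, "", cur); gsub(/[(),]/, "", def)
            if (cur != def) print $1 " " cur " (default " def ")"
        }'
}

# persist_boolean NAME on|off -> setsebool -P writes the value into the
# policy store so it survives a reboot; without -P it is lost on reboot.
# Guarded so the script also runs on a host without the SELinux tools.
persist_boolean() {
    if command -v setsebool >/dev/null 2>&1; then
        setsebool -P "$1" "$2"
    else
        echo "setsebool not available here; would run: setsebool -P $1 $2" >&2
    fi
}

echo "booleans changed from their default:"
changed_booleans
```

On a real host replace the constructed listing with the output of semanage boolean -l; the awk filters stay the same, since they key on the "(current , default)" column rather than on fixed widths.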
Userland tools
- -Z is the selinux switch (ls -Z, netstat -Z)
- cp, mkdir and so on are linked against selinux to support setting the needed labels
- getenforce/setenforce - show/switch the selinux mode
- restorecon/fixfiles/chcon - change the security context of files
- sestatus - status
- avcstat - statistics about the AVC
- libselinux - the selinux
- libsepol - all binaries are linked against it
Policy Management
- setsebool/getsebool - set and show selinux booleans
- semanage - policy management
- semodule -
Policy Development
- audit2allow - builds selinux rules based on the audit log
- checkmodule - transforms rules into binary form
- semodule_package -
- audit2why - analyses selinux denials
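Added example (not from the talk) of what the tools above do with one denial: audit2allow turns an AVC record from the audit log into an allow rule, and checkmodule, semodule_package and semodule turn that rule into a loadable module. The AVC line is constructed (pid, inode and timestamp are made up), and the module build is guarded so the script runs where the tools are absent. The generated rule is a question, not an answer: audit2why will often show that the real fix is a mislabeled file (restorecon) or an existing boolean rather than a new rule.

```shell
#!/bin/sh
# Added example, not from the talk: derive the allow rule audit2allow would
# generate from an AVC denial, then show the build steps for a local module.
# The audit record below is constructed; pid/inode/timestamp are made up.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_to_allow AVC_LINES -> "allow <src_type> <tgt_type>:<class> { perms };"
# per denial. Source/target types are the third field of scontext/tcontext;
# the permissions are the words between "{" and "}".
avc_to_allow() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            s = index($0, "{"); e = index($0, "}")
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass")   cls = kv[2]
            }
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
        }'
}

# build_module NAME -> the three steps that "audit2allow -M NAME" wraps:
# checkmodule compiles NAME.te to NAME.mod, semodule_package wraps it into
# NAME.pp, semodule loads it. Guarded for hosts without the policy tools.
build_module() {
    if command -v checkmodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
    else
        echo "policy tools not installed; skipping build of $1" >&2
    fi
}

# Print the rule a human should review before it ever reaches build_module.
avc_to_allow "$SAMPLE_AVC"
```

In this constructed case the denial says httpd_t wants to read a file labeled user_home_t. Before packaging that into a module, check with audit2why whether the file is simply mislabeled (restorecon fixes it) or whether the targeted policy already has a boolean for it, such as the homedir one the booleans section mentions; a handwritten allow rule is the last resort, not the first.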
Linux Audit Framework (LAF)
- should be used for logging
Backup
- you are losing the context if your backup software does
- tar and rsync support it :)