
fedora 19 - add multimedia capability

Thanks to US patent law, Fedora is not allowed to ship its distribution with full media support (the patent-encumbered codecs are left out).

But it is not that hard to fix this issue (nevertheless, it is annoying).

Thanks to the German freiesMagazin, I quickly found the magic hint: search for something called RPM Fusion. All you have to do is install RPM Fusion on your local machine and run "yum install rpmfusion-*", "yum install vlc" and "yum install gstreamer".

I did some additional searching and, thanks to a German blog post, was pointed to a project called the Korora Project.

Korora is a Fedora Remix that aims to make Linux easier for new users, while still being useful for experts. We provide a complete, easy to use computing system that “just works” out of the box.

meetup - attraktor - selinux

Just arrived at home from Back to Hack SELinux. I tried my best to keep up with the speed of the slides. Nevertheless, there are some gaps in between.

Big thanks to the presenter. I turned my fear into anticipation for using it!

History

  • 1976 Bell-LaPadula paper released
  • DTMach released as a design concept
  • Based on Flask, first patches to the Linux kernel
  • 2002 implemented as a Linux Security Module (LSM)
  • Since 2003 part of the mainline kernel
  • Fedora Core was the first distribution to ship it (with a policy)
  • Since 2007 shipped with RHEL 5, certified EAL4+

Bell-LaPadula

  • the formal model behind multi-level security: no read up, no write down
  • SELinux implements it in the MLS part of the policy and builds on three mechanisms: MAC, TE, RBAC

Features

  • Extends DAC (discretionary access control): the DAC check runs first, SELinux is only consulted if DAC allows
  • mode switchable at runtime (enforcing vs permissive)
  • flexible policy
  • AVC (access vector cache) caches policy decisions
  • root is not god anymore
  • each process runs in its own security domain

Discretionary Access Control

  • classical security concept
  • object-based access control: the permissions (owner, group, mode bits) are attached to the object
  • inflexible
  • rights per user
  • a user can pass on rights to others
  • the uid can be changed via setuid binaries

MAC

  • access decisions come from a system-wide policy, not from the owner of the object

TE - Type Enforcement

  • every resource has a type (for processes the type is called a domain)
  • the rule set is an allow-list: anything the policy does not explicitly allow is denied

Security Context

  • every subject (process) and object (file, socket, port, ...) carries a security context
  • format: user:role:type:level (for a process the type is its domain)

Policy

  • heart of SELinux
  • common policies are targeted, strict and MLS
  • defines which subject may access which object, and how
  • defines domain transitions (when a subject may change its domain)

Policies

Targeted

  • default policy
  • of manageable complexity
  • selected (mostly network-facing) processes run in their own domain
  • you can tweak the policy by using booleans
  • this policy should be enough for daily work
  • if you follow the Filesystem Hierarchy Standard you are quite safe
  • unknown software runs in the unconfined domain (unconfined_t), i.e. practically without SELinux restrictions

Multi Level Security (mls)

  • everything runs confined by SELinux policy
  • tweakable by booleans
  • only for high-security environments
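The "no read up, no write down" rule from the Bell-LaPadula section and the user:role:type:level security context from above come together in the MLS level field. As an added example (not code from the talk or from the SELinux project), the following Python parses SELinux MLS levels such as s1:c0,c2 or s0-s0:c0.c1023, implements the dominance relation (higher or equal sensitivity and a superset of categories), and applies the two Bell-LaPadula rules to a subject and an object context. It is a simplification: it only looks at the process's current (low) level and ignores the type enforcement and constraint checks that a real SELinux MLS policy applies in addition. The contexts are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (s0..s15) plus a set of categories (c0..c1023)."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # A dominates B iff A's sensitivity is at least B's and A's categories
        # are a superset of B's. Levels with disjoint categories are incomparable.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """Parse 's2:c0,c3.c5' into Level(2, {0,3,4,5}); 'c3.c5' is a range."""
    m = re.fullmatch(r"s(\d+)(?::([c\d.,]+))?", text)
    if not m:
        raise ValueError(f"not an MLS level: {text!r}")
    categories = set()
    if m.group(2):
        for part in m.group(2).split(","):
            lo, _, hi = part.partition(".")
            first = int(lo[1:])
            last = int(hi[1:]) if hi else first
            categories.update(range(first, last + 1))
    return Level(int(m.group(1)), frozenset(categories))


def parse_context(context):
    """Split user:role:type:level; the level may itself contain ':' and a '-' range."""
    user, role, type_, mls = context.split(":", 3)
    low, _, high = mls.partition("-")
    return {"user": user, "role": role, "type": type_,
            "low": parse_level(low), "high": parse_level(high or low)}


def blp_allows(subject_context, object_context, access):
    """Bell-LaPadula check: read needs subject >= object, write needs object >= subject."""
    subject = parse_context(subject_context)["low"]  # current level of the process
    obj = parse_context(object_context)["low"]
    if access == "read":
        return subject.dominates(obj)       # no read up
    if access == "write":
        return obj.dominates(subject)       # no write down
    raise ValueError(f"unknown access {access!r}")


if __name__ == "__main__":
    # Constructed sample contexts (hypothetical types, not from a real policy).
    subject = "staff_u:staff_r:staff_t:s1:c0,c2"
    for obj in ("system_u:object_r:etc_t:s0",
                "system_u:object_r:secret_t:s2:c0.c3",
                "system_u:object_r:other_t:s1:c1"):
        for access in ("read", "write"):
            print(f"{access:5} {obj:40} {'allowed' if blp_allows(subject, obj, access) else 'denied'}")
```

Note the third object: it has the same sensitivity as the subject but a category the subject lacks, so both read and write are denied; that is the "need to know" side of MLS that sensitivity alone does not capture.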

Booleans

  • allow tweaking the policy without rebuilding or reloading it
  • no policy knowledge needed
  • booleans can be set permanently (setsebool -P)
  • semanage boolean -l lists every boolean with its current and default state and a description

Userlandtools

  • -Z is the SELinux switch (ls -Z, ps -Z, netstat -Z)
  • cp, mkdir and so on are linked against libselinux so they can set the needed labels
  • getenforce/setenforce - show/switch the SELinux mode
  • restorecon/fixfiles/chcon - change the context of objects (files)
  • sestatus - status
  • avcstat - statistics about the AVC
  • libselinux - the runtime library the SELinux-aware tools are linked against
  • libsepol - the library for handling binary policy

Policy Management

  • setsebool/getsebool - set and show SELinux booleans
  • semanage - manage policy settings (ports, file contexts, users, booleans) without editing policy sources
  • semodule - install, remove and list policy modules

Policy Development

  • audit2allow - builds allow rules from the AVC denials in the audit log
  • checkmodule - compiles the rules (.te source) into a binary module (.mod)
  • semodule_package - packages the binary module into an installable policy package (.pp)
  • audit2why - explains why an access was denied (missing rule, boolean, constraint)
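To show what audit2allow actually does with the audit log, here is an added example (my own code, not audit2allow itself and not from the talk): it picks the AVC denial records out of audit log lines, extracts source type, target type, object class and the denied permissions, merges them and emits a minimal .te policy module in the same shape audit2allow produces. The log lines are constructed to look like auditd output; the types in them (httpd_t, user_home_t, mysqld_port_t) exist in the Fedora targeted policy, the pids, inodes and paths are made up.

```python
import re
from collections import defaultdict

# Constructed sample records in the format auditd writes to /var/log/audit/audit.log.
# The first line is a SYSCALL record, which carries no avc: part and must be skipped.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1372600000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1372600000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1372600000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1372600000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Third field of user:role:type:level is the type (the domain for a process)."""
    return context.split(":")[2]


def parse_denial(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_denials(lines):
    """Merge all denials into {(source type, target type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(rules)


def generate_te(lines, module_name="local"):
    """Render the merged denials as a loadable policy module source (.te)."""
    rules = collect_denials(lines)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};"
            for cls, perms in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te(SAMPLE_AUDIT_LOG.splitlines()), end="")
```

The generated local.te is what you would feed into the toolchain from the list above: checkmodule -M -m -o local.mod local.te, then semodule_package -o local.pp -m local.mod, then semodule -i local.pp. Before loading anything like this, run the same denials through audit2why: both sample denials are ones you would normally not allow by hand. Apache reading files under a home directory is what the httpd_enable_homedirs boolean (or a relabel with restorecon) is for, and the connect to mysqld_port_t is covered by httpd_can_network_connect_db. A generated allow rule punches exactly the hole the policy was meant to close.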

Linux Audit Framework (LAF)

  • should be used for logging: auditd writes the AVC denials to /var/log/audit/audit.log, which the policy development tools read

Backup

  • you lose the contexts if your backup software does not preserve them (they live in the security.selinux extended attribute)
  • tar (--selinux) and rsync (-X / --xattrs) support this :)