SELinux basics

Post on 30-Nov-2014

Practical SELinux basics

SELinux introduction

Ľubomír Rintel <lubo.rintel@gooddata.com>

Traditional UNIX DAC approach

● Owner controls access to object
● File owner/group
● Process with effective UID/GID
● File mode
● Almighty root user above the rules

SELinux MAC approach

● Policy controls access to objects
● Labeled objects (files, sockets, …)
● Labeled processes (domains)
● Policy rules
● Concept of “almighty” unconfined processes is defined within policy

DAC and MAC at the same time

● Allows for tighter privilege control

UNIX                                     SELinux
File owner/group: UID/GID                File context (FC): label
Process effective user/group: UID/GID    Process domain: label
File mode                                Type Enforcement (TE) rules
setuid()                                 Domain transition
Setuid bit                               File context + implicit domain transition rule

Labels

$ ls -Z /var/spool/anacron/cron.daily
-rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily

$ ps uxZ |grep /usr/sbin/atd
system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd

Policy

● Delivered via RPM packages
● selinux-policy, selinux-policy-targeted
● Reference policy, multiple available
● Modular
● File contexts (*.fc)
● Type enforcement rules (*.te)
● M4 macros, "interfaces" (*.if)

File Contexts

● Labeling rules delivered with policy packages
● RPM applies labels upon package installation
● Files inherit labels otherwise

cron.fc:
/etc/cron\.d(/.*)?          gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab            --  gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/anacron(/.*)?    gen_context(system_u:object_r:system_cron_spool_t,s0)
⋮
/var/spool/fcron/systab --  gen_context(system_u:object_r:system_cron_spool_t,s0)

Type Enforcement rules

● Specified in custom DSL + M4
● Compiled & loaded into kernel at runtime

cron.te:
allow system_cronjob_t cron_log_t:file manage_file_perms;
⋮
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)

Domains

● TE rules control domain transition
● Transitioned into upon execution of labeled file
● Remember the setuid bit?
● "unconfined" domains

cron.te:
init_daemon_domain(system_cronjob_t, anacron_exec_t)

Management Tools

● setenforce 1; getenforce
● /etc/sysconfig/selinux
● UNIX tools with -Z argument
● semanage

# semanage fcontext -l |grep /var/spool/anacron
/var/spool/anacron(/.*)?    all files    system_u:object_r:system_cron_spool_t:s0
# chcon -t etc_t /var/spool/anacron
# restorecon -v /var/spool/anacron
restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0->system_u:object_r:system_cron_spool_t:s0
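The File Contexts slide and the chcon/restorecon sequence above both rest on the same step: matching a path against the anchored regular expressions in the policy's file_contexts and comparing the result with the label the file actually carries. The script below is an added example, not part of the slides or of the selinux-policy package. It re-implements that matching step in POSIX sh on a constructed rule set: the three cron.fc entries shown above plus a generic `/etc(/.*)?` → etc_t rule that is my own assumption, with only the type field of the context modelled. It simplifies one thing that real libselinux does differently: libselinux sorts rules by specificity before matching, whereas this toy takes the last matching rule, so the generic rule is listed first.

```shell
#!/bin/sh
# Added example (not from the slides): a toy version of the matching that
# restorecon/matchpathcon perform against file_contexts.
#
# Rule format per line: <anchored ERE> <ftype> <type>
# ftype "--" restricts a rule to regular files (as in .fc files);
# "." is used here for "any object class".
# The /etc(/.*)? rule is a constructed assumption, not from cron.fc.
FC_RULES='/etc(/.*)? . etc_t
/etc/cron\.d(/.*)? . system_cron_spool_t
/etc/crontab -- system_cron_spool_t
/var/spool/anacron(/.*)? . system_cron_spool_t'

# expected_type PATH FTYPE
# Prints the type the constructed rules assign to PATH, where FTYPE is
# "--" for a regular file or "-d" for a directory. Prints nothing if no
# rule matches. Simplification: the last matching rule wins.
expected_type() {
  _path=$1
  _ft=$2
  printf '%s\n' "$FC_RULES" | while read -r _re _rft _type; do
    # Skip rules restricted to another object class.
    [ "$_rft" = "." ] || [ "$_rft" = "$_ft" ] || continue
    # file_contexts regexes are implicitly anchored at both ends.
    if printf '%s\n' "$_path" | grep -Eq "^${_re}\$"; then
      printf '%s\n' "$_type"
    fi
  done | tail -n 1
}

# check_label PATH FTYPE ACTUAL_TYPE
# Compares the type a file currently carries with what the rules expect,
# printing a restorecon -v style line. Returns 0 if correct, 1 if the
# file is mislabeled, 2 if no rule covers the path.
check_label() {
  _want=$(expected_type "$1" "$2")
  if [ -z "$_want" ]; then
    printf 'no rule for %s\n' "$1"
    return 2
  fi
  if [ "$3" = "$_want" ]; then
    printf '%s: %s (ok)\n' "$1" "$3"
    return 0
  fi
  printf 'would reset %s context %s->%s\n' "$1" "$3" "$_want"
  return 1
}

# Usage on constructed input: the state right after the chcon on the
# Management Tools slide, before restorecon puts the label back.
check_label /var/spool/anacron -d etc_t || echo "-> run restorecon"
check_label /var/spool/anacron/cron.daily -- system_cron_spool_t
check_label /etc/crontab -- etc_t || echo "-> run restorecon"
```

Note what the `--` field buys: `/etc/crontab` as a regular file resolves to system_cron_spool_t, but a directory of the same name would fall through to the generic etc_t rule, which is exactly the distinction the `--` entries in cron.fc express.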

What if things don't work?

● audit2why, audit2allow to analyze

● restorecon to fix context
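To show what audit2allow actually computes from a denial, here is an added example that is not from the slides or the policycoreutils project. It parses constructed AVC records in POSIX sh: the scenario is the one the Management Tools slide creates, crond being denied access to the anacron spool after it was relabeled etc_t. The audit records, timestamps, PIDs and inode numbers are all constructed sample values. The script prints the `allow` rule that would silence each denial; real audit2allow also merges permissions and consults the loaded policy, which this toy does not.

```shell
#!/bin/sh
# Added example (not from the slides): the core of what audit2allow does,
# applied to constructed AVC denial lines.

# Constructed sample records: crond denied access to the anacron spool
# while it carries the wrong type (etc_t instead of system_cron_spool_t).
AVC_SAMPLE='type=AVC msg=audit(1417356000.123:456): avc:  denied  { read } for  pid=4371 comm="crond" name="cron.daily" dev="sda1" ino=1234 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1417356000.456:457): avc:  denied  { search } for  pid=4371 comm="crond" name="anacron" dev="sda1" ino=1230 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir'

# field RECORD KEY -> value of KEY=value, with surrounding quotes removed.
field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT -> the type, i.e. the third field of user:role:type:level.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD -> the permission set inside "denied { ... }".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# avc_to_allow RECORD -> "allow <source type> <target type>:<class> <perms>;"
avc_to_allow() {
  _st=$(ctx_type "$(field "$1" scontext)")
  _tt=$(ctx_type "$(field "$1" tcontext)")
  _cls=$(field "$1" tclass)
  printf 'allow %s %s:%s %s;\n' "$_st" "$_tt" "$_cls" "$(avc_perms "$1")"
}

# avc_rules -> one allow rule per record in AVC_SAMPLE.
avc_rules() {
  printf '%s\n' "$AVC_SAMPLE" | while read -r _rec; do
    avc_to_allow "$_rec"
  done
}

# Usage: what a naive "just allow it" would add to the policy.
avc_rules
```

The output, `allow crond_t etc_t:file read;` and `allow crond_t etc_t:dir search;`, is precisely why the slide lists restorecon alongside audit2allow: a daemon being denied access to its own spool under a generic type such as etc_t points at a mislabeled file, and the correct fix is `restorecon -v /var/spool/anacron`, not a new rule that lets crond_t read everything labeled etc_t.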
