THREE BIG - Fedora...SELinux improvements from 2016? Summary Discussion SELINUX IMPROVEMENTS FROM...

THREE BIGUSABILITY IMPROVEMENTS

in SELinux tooling

AGENDAAGENDA

SELinux improvements from 2015

AGENDAAGENDA

SELinux improvements from 2015SELinux team at Red Hat

AGENDAAGENDA

SELinux improvements from 2015SELinux team at Red HatWhat can SELinux do for you?

AGENDAAGENDA

SELinux improvements from 2015SELinux team at Red HatWhat can SELinux do for you?SELinux improvements from 2016?

AGENDAAGENDA

SELinux improvements from 2015SELinux team at Red HatWhat can SELinux do for you?SELinux improvements from 2016?Summary

AGENDAAGENDA

SELinux improvements from 2015SELinux team at Red HatWhat can SELinux do for you?SELinux improvements from 2016?SummaryDiscussion

SELINUX IMPROVEMENTS FROM 2015SELINUX IMPROVEMENTS FROM 2015

performance gains

# dnf install selinux-policy-targeted# semodule -d docker# semodule -e docker



~ 15 seconds for

dockah, dockah, dockah



performance gains75% speed-up of tools that perform SELinuxpolicy management



easier to provide your own SELinuxpolicies


# dnf install docker-selinux


libsepol.scope_copy_callback:docker Duplicatedeclaration in module



# semodule --list=full | grep docker400 docker100 docker





assigning priorities to modules





new Common Intermediate Language - CIL


HLL vs. CIL

# cat mysandbox.te

policy_module(mysandbox,1.0)

require{ type sandbox_web_t; attribute userdomain; }

allow sandbox_web_t userdomain:unix_stream_socket connectto;


HLL vs. CIL

# make -f ../Makefile mysandbox.pp

# semodule -i mysandbox.pp


HLL vs. CIL


CIL

# cat mysandbox.cil

(allow sandbox_web_t unconfined_t (unix_stream_socket (connectto)))

# semodule -i mysandbox.cil





new Common Intermidiate Language - CILreadable intermediate policy language





new Common Intermidiate Language - CILreadable intermediate policy languagepotential for new High Level Languages (in JavaScript?)


new Common Intermidiate LevelLanguage - CIL

lolpolicy (HLL) from Joshua Brindle

I iz logwatch in ur webserver reading ur logs


It is HERE.FEDORA 23.

SELINUX TEAM AT RED HATSELINUX TEAM AT RED HAT

Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analyse

Tool


Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analyse

Tool


Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analyse

Tool


Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analyse

Tool


Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analyse

Tool


Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analyse

Tool


Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analyse

Tool

WHAT SELINUX CAN DO FOR YOU?WHAT SELINUX CAN DO FOR YOU?

protect your system from consequences ofexploited apps



CVE-2015-5602 aka Unauthorized PrivilegeEscalation in sudo


[usr@localhost ~]$ ln -s /etc/shadow ~/temp/test.txt

[usr@localhost ~]$ sudo -e ~/temp/test.txt

root:$6$0m2y//leQIKDW0cg$f0wGcz/4NhfJo8VEe66SRHz9p8QaaTq8Ldby66692uO04ouqn9D93ECQVlO62Cer3ar2z.ef.365SSlnyja3T.::0:99999:7:::

bin:*:16489:0:99999:7:::

daemon:*:16489:0:99999:7:::

adm:*:16489:0:99999:7:::

lp:*:16489:0:99999:7:::

sync:*:16489:0:99999:7:::

shutdown:*:16489:0:99999:7:::


[usr@localhost ~]$ ln -s /etc/shadow ~/temp/test.txt

[usr@localhost ~]$ sudo -e ~/temp/test.txt

sudoedit: /home/usr/temp/test.txt: Permission denied

[usr@localhost ~]$ getenforce

Enforcing







protect your virtual machines




protect your virtual machinesCVE-2015-3456 aka Venom



keeps your container in its own space


container_t:MCS1 container_t:MCS2 container_t:MCS3


keeps your container in its own spaceadvanced security for MultitenantEnvironments


keeps your container in its own spaceadvanced security for MultitenantEnvironments

running thousands processesgears in OpenShiftcontainers in OpenShift v3


Security WINSwith SELINUX

SELINUX IMPROVEMENTS IN 2016?SELINUX IMPROVEMENTS IN 2016?

"a new SELinux" on Atomic - seatomic


"a new SELinux" on Atomic - seatomicsupport for "factory reset"



distribution default policy modules

admin customizations

/var/lib/selinux



admincustomizations

/var/lib/selinux

distributiondefault policy

modules

/usr/lib/selinux


seatomic "SELinux on Atomic"policy reflecting Atomic Host requirements



containers with services around containers



containers with services around containersthe current huge "workstation" policy - Targeted


$ sestatusLoaded policy name: targeted$ seinfoTypes: 4665 Allow: 100393



containers with services around containersthe current huge "workstation" policy - Targeteda new concept of policy - "lightweight" policy




reduction of process/file types - thousands vs.tens




reduction of process/file types - thousands vs.tensreduction of policy rules - tens thousands vs.thousands




reduction of process/file types - thousands vs.tensreduction of policy rules - tens thousands vs.thousandssimplified and understandable policy




reduction of process/file types - thousands vs.tensreduction of policy rules - tens thousands vs.thousandssimplified and understandable policysignificant speed-up of tools that performsSELinux policy management


SELinux troubleshooting



SELinux troubleshootingimproved best practises suggested by SEAlertSELinux troubleshooting in Cockpit



SELinux policy analysis tool



SELinux policy analysis toolhuman readable big picture of policy



SELinux troubleshootingimproved best practises by SEAlertSELinux troubleshooting in Cockpit

SELinux policy analysis toolhuman readable big picture of policySELinux policy integrity

SUMMARYSUMMARY

75% speed of tools that perform SELinux policymanagement

SUMMARYSUMMARY

75% speed of tools that perform SELinux policymanagementeasier to provide your own SELinux policies

SUMMARYSUMMARY

75% speed of tools that perform SELinux policymanagementeasier to provide your own SELinux policiesCIL as a new Intermediate Language

SUMMARYSUMMARY

75% speed of tools that perform SELinux policymanagementeasier to provide your own SELinux policiesCIL as a new Intermediate LanguageSELinux helps mitigate consequences ofexploits

SUMMARYSUMMARY

75% speed of tools that perform SELinux policymanagementeasier to provide your own SELinux policiesCIL as a new Intermediate LanguageSELinux helps mitigate consequences ofexploitsnew SELinux for Atomic Hosts aka seatomic iscoming soon

SUMMARYSUMMARY

SELinux troubleshooting integrated withCockpit

SUMMARYSUMMARY

SELinux troubleshooting integrated withCockpitVisualization of policy

DISCUSSION AND Q&ADISCUSSION AND Q&A

and THANK YOU!

[email protected]

Date post:	02-Oct-2020
Category:	Documents
Upload:	others
View:	9 times
Download:	0 times

THREE BIG - Fedora...SELinux improvements from 2016? Summary Discussion SELINUX IMPROVEMENTS FROM...

Documents