Slug 2009 06 SELinux For Sysadmins

Information about Slug 2009 06 SELinux For Sysadmins
Technology

Published on June 29, 2009

Author: PaulWay

Source: slideshare.net

Description

In his previous talk, Paul talked about getting your system to work with SELinux. This involved setting the security context on your files and directories so that they worked with SELinux. However, many people have customised their Linux installs and want SELinux to do what they say, not the other way around. Sysadmins in particular are not 'run of the mill' users, and they have different requirements from what typically comes out of the box. Situations such as serving web pages from NFS shares or non-standard directories, or installing applications in custom locations, need specialised configuration of SELinux in order to make it work with your needs.

This talk will deal with those situations. Fortunately for Sysadmins, much of the work in developing SELinux policies for Linux has focussed on their requirements. Paul will show you a few of the things behind the scenes that make your job as a Sysadmin much easier and safer with SELinux.

SELinux for Sysadmins

SELinux for Sysadmins Beyond 'restorecon'

SELinux for Sysadmins: Principles for using SELinux

Through real world examples

Real world example 1: Share home directories through NFS

[server]# cat /etc/exports
/home 192.168.0.0/24(rw,soft)

[client]# cat /etc/fstab
...
server:/home /home nfs soft 1 2
...

[client]# mount /home
Permission denied

Share home directories through NFS: Is this a SELinux problem?

Check /var/log/audit/audit.log:

grep mount /var/log/audit/audit.log

Share home directories through NFS: If it is a SELinux problem

getsebool -a | grep home
ftp_home_dir --> off
httpd_enable_homedirs --> on
openvpn_enable_homedirs --> off
samba_create_home_dirs --> off
samba_enable_home_dirs --> off
spamd_enable_home_dirs --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off

Share home directories through NFS: If it is a SELinux problem

setsebool use_nfs_home_dirs on

That only lasts until the next reboot; -P writes the change into the policy store so it persists:

setsebool -P use_nfs_home_dirs on

Real world example 1

Share home directories through NFS
setsebool -P use_nfs_home_dirs on

Share home directories through SaMBa
setsebool -P use_samba_home_dirs on      (mount SaMBa home dirs on client)
setsebool -P samba_enable_home_dirs on   (share home dirs on SaMBa server)

Share ~/public_html through Apache
setsebool -P httpd_enable_homedirs on

Principles for using SELinux

Use booleans where possible

Real world example 2: Sharing /data through SaMBa

getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off

File contexts

[root@tachyon ~]# ls -laZ /var
drwxr-xr-x root root system_u:object_r:var_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..
drwxr-xr-x root root system_u:object_r:acct_data_t:s0 account
drwxr-xr-x root root system_u:object_r:var_t:s0 cache
drwxr-xr-x root root system_u:object_r:cvs_data_t:s0 cvs
drwxr-xr-x root root system_u:object_r:var_t:s0 db
drwxr-xr-x root root system_u:object_r:var_t:s0 empty
drwxr-xr-x root root system_u:object_r:games_data_t:s0 games
drwxrwx--T root gdm system_u:object_r:xserver_log_t:s0 gdm
drwxr-xr-x root root system_u:object_r:var_lib_t:s0 lib
drwxr-xr-x root root system_u:object_r:var_t:s0 local
drwxrwxr-x root lock system_u:object_r:var_lock_t:s0 lock
drwxr-xr-x root root system_u:object_r:var_log_t:s0 log
lrwxrwxrwx root root system_u:object_r:mail_spool_t:s0 mail
drwxr-xr-x root root system_u:object_r:var_t:s0 nis
drwxr-xr-x root root system_u:object_r:var_t:s0 opt
drwxr-xr-x root root system_u:object_r:var_t:s0 preserve
...

Specify the context in which it is to be used

Inherited like permissions

Sharing /data through SaMBa

[root@tachyon ~]# mkdir /data
[root@tachyon ~]# ls -laZ /data
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..
[root@tachyon ~]# chcon -R -t samba_share_t /data
[root@tachyon ~]# ls -laZ /data
drwxr-xr-x root root unconfined_u:object_r:samba_share_t:s0 .
drwxr-xr-x root root system_u:object_r:root_t:s0 ..

Principles for using SELinux

Use booleans where possible

Use the right file context: man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!

Real world example 3: Sharing /data with SaMBa and VSFTPD

Gotcha! Files can only have one security context!

getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server!

What to do?

Real world example 3

# setenforce off
# selinuxenabled && echo yes
#

# setenforce off
# run service, exercise functionality
# setenforce on
# grep vsftpd /var/log/audit/audit.log | audit2allow -M -m vsftpd
# ls vsftpd.*
vsftpd.pp vsftpd.te

# cat vsftpd.te
module vsftpd 1.0;

require {
	type samba_share_t;
	type vsftpd_t;
	class dir { rename write search read remove_name getattr add_name };
	class file { rename setattr read lock create write getattr unlink };
}

#============= vsftpd_t ==============
allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name };
allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };

# semodule -i vsftpd.pp
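As an added example (my code, not from Paul's slides), the audit2allow step above reimplemented in miniature in Python: it pulls the AVC denials for one comm out of audit.log text, groups the denied permissions by source type, target type and object class, and renders a .te module in the shape of the vsftpd.te on the slide, plus a review() pass that flags write-like permissions because policy must be conservative. The log lines are constructed; ftpd_t is the domain vsftpd runs in under the stock targeted policy, and the run assumes SELinux was in permissive mode (setenforce 0) while the denials were collected.

```python
import re
from collections import defaultdict

# Constructed /var/log/audit/audit.log lines (not real log data), shaped like the denials behind the slide's vsftpd.te.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1246233600.101:42): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="data" dev=sda2 ino=1234 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir
type=AVC msg=audit(1246233600.102:43): avc:  denied  { search getattr } for  pid=2345 comm="vsftpd" name="data" dev=sda2 ino=1234 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir
type=AVC msg=audit(1246233600.103:44): avc:  denied  { read getattr } for  pid=2345 comm="vsftpd" name="report.txt" dev=sda2 ino=1240 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=USER_START msg=audit(1246233600.104:45): user pid=2346 uid=0 auid=0 msg='op=PAM:session_open acct="root"'
type=AVC msg=audit(1246233600.105:46): avc:  denied  { write } for  pid=2350 comm="smbd" name="notes.txt" dev=sda2 ino=1241 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
"""

# An AVC line carries the denied permissions, the process name, and user:role:type:level contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)'
)

# Permissions that modify the target: a rule granting these deserves a second look
# (check for a boolean or a better file context first) before it goes into a module.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr", "add_name", "remove_name"}


def parse_denials(log_text, comm=None):
    """Map (source type, target type, class) -> denied permissions; comm filters like 'grep vsftpd'."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and (comm is None or m["comm"] == comm):
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def render_te(rules, module_name, version="1.0"):
    """Emit .te source in the same layout audit2allow used for the vsftpd.te on the slide."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def review(rules):
    """Return only the rules that would grant write-like access, for a human to vet before semodule -i."""
    return {key: perms & WRITE_LIKE for key, perms in rules.items() if perms & WRITE_LIKE}
```

Running render_te(parse_denials(SAMPLE_AUDIT_LOG, comm="vsftpd"), "vsftpd") yields a module with a single ftpd_t section allowing read/search/getattr on samba_share_t, and review() reports nothing because no write-like permission was denied.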

Principles for using SELinux

Use booleans where possible

Use the right file context: man {ftpd,named,rsync,httpd,nfs,samba,kerberos,nis,ypbind}_selinux is your friend!

Create policy where necessary

Policy must be conservative

system-config-selinux

Questions?
