2012 devday lab selinux hacker
DESCRIPTION
This document is about SELinux, taken from the Red Hat page.
TRANSCRIPT
Using SELinux on RHEL 6
George Hacker, Curriculum Manager, Red Hat, 06.26.12
What Is SELinux?
● A security feature of the Linux kernel
● Originally developed by the NSA
● Initially used to secure services
● All system objects (files, ports, processes) are labeled
● The policy defines the rules that affect how various system objects can interact with each other
● The policy is loaded into the kernel at boot time
CLI Support for SELinux
● SELinux activation state
  ● getenforce(8), setenforce(8)
● Display file/process context information
  ● -Z option to ls(1) and ps(1)
● Manipulate file contexts
  ● chcon(8), restorecon(8), setfiles(8)
● Display and adjust policy booleans
  ● getsebool(8), setsebool(8), togglesebool(8)
CLI Support for SELinux (cont.)
● Examples
  ● getenforce
  ● setenforce 0
  ● ls -Z
  ● ps -eZ
  ● chcon -t tmp_t tempdir
  ● restorecon /var/www/html/index.html
  ● getsebool -a
  ● setsebool httpd_enable_homedirs 1
Introducing libselinux
● Provided by libselinux and libselinux-devel packages
  ● libselinux provides run-time support
  ● libselinux-devel required for building SELinux programs
● C source code must include selinux.h header file
  ● #include <selinux/selinux.h>
● Link with the libselinux library
  ● gcc -o program program.c -lselinux
Provided Header Files
● Primary header file
  ● #include <selinux/selinux.h>
● Additional header files
  ● #include <selinux/avc.h>
  ● #include <selinux/context.h>
  ● #include <selinux/flask.h>
  ● #include <selinux/get_context_list.h>
  ● #include <selinux/label.h>
libselinux – SELinux Status Functions
● Get current SELinux status
  ● security_getenforce()
● Get boot-time SELinux configuration
  ● selinux_getenforcemode(int *mode)
● Set current SELinux status
  ● security_setenforce(int enforce)
libselinux – File Context Functions
● Data type: security_context_t
● Get the SELinux context of a file
  ● getfilecon(char *path, security_context_t *context)
● Free an allocated context
  ● freecon(security_context_t context)
libselinux – File Context Functions (cont.)
● Set the SELinux context of a file
  ● setfilecon(char *path, security_context_t context)
  ● fsetfilecon(int fd, security_context_t context)
  ● lsetfilecon(char *path, security_context_t context)
● Get/set the default SELinux context of a program
  ● getfscreatecon(security_context_t *context)
  ● setfscreatecon(security_context_t context)
libselinux – Context Functions
● Manipulate fields of security_context_t strings
● Header file
  ● #include <selinux/context.h>
● Data type: context_t
● Functions to allocate/free context_t variables
  ● context_new(security_context_t context)
  ● context_free(context_t ct_context)
● Conversion to security_context_t
  ● context_str(context_t ct_context)
libselinux – Context Functions (cont.)
● Functions to extract context elements
  ● context_user_get(context_t ct_context)
  ● context_role_get(context_t ct_context)
  ● context_type_get(context_t ct_context)
  ● context_range_get(context_t ct_context)
● Functions to assign context elements
  ● context_user_set(context_t ct_context, char *user)
  ● context_role_set(context_t ct_context, char *role)
  ● context_type_set(context_t ct_context, char *type)
  ● context_range_set(context_t ct_context, char *range)
libselinux – Process Context Functions
● Get the SELinux context of the current process
  ● getcon(security_context_t *context)
● Get the SELinux context of another process
  ● getpidcon(int pid, security_context_t *context)
● Use freecon(3) when finished
libselinux – Process Context Functions (cont.)
● Set the SELinux context of the current process
  ● setcon(security_context_t context)
● Set the SELinux context of a spawned process
  ● setexeccon(security_context_t context)
  ● Sets the SELinux context for the next process created with the execve(2) system call
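The three context slides above (file contexts, the context_t field accessors, and getcon/getpidcon) all operate on the same string shape, user:role:type[:range]. The program below is an added example, not code from the slides or from libselinux: it reimplements the field handling that context_new(), context_type_get()/context_type_set() and context_str() provide, so it compiles without libselinux, and it reads /proc/<pid>/attr/current, which is the kernel interface libselinux uses underneath getcon(3) and getpidcon(3) (an assumption of this example, not stated on the slides). The struct name sectx and all function names are this example's own. The fallback context string is a constructed sample. The parser keeps the MLS range intact even though the range itself can contain colons (s0-s0:c0.c1023), which is the case a naive split on ':' gets wrong.

```c
/* Added example (not from the slides or libselinux): stand-alone handling of
 * SELinux context strings plus the /proc read behind getcon/getpidcon. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 128

/* An SELinux context string is user:role:type[:range]. The range may itself
 * contain ':' (e.g. s0-s0:c0.c1023), so only the first three separators split
 * fields; whatever follows the third one is the range. */
struct sectx {
    char user[FIELD_MAX];
    char role[FIELD_MAX];
    char type[FIELD_MAX];
    char range[FIELD_MAX]; /* empty string when the context carries no MLS range */
};

static int copy_field(char *dst, const char *src, size_t len)
{
    if (len == 0 || len >= FIELD_MAX)
        return -1; /* reject empty or oversize fields */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Counterpart of context_new(): parse a context string. Returns 0 or -1. */
int sectx_parse(const char *s, struct sectx *out)
{
    const char *p = s;
    char *fields[3] = { out->user, out->role, out->type };
    for (int i = 0; i < 3; i++) {
        const char *sep = strchr(p, ':');
        if (i < 2 && sep == NULL)
            return -1; /* fewer than three fields: not a context */
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (copy_field(fields[i], p, len) < 0)
            return -1;
        if (sep == NULL) {   /* type was the last field: no range */
            out->range[0] = '\0';
            return 0;
        }
        p = sep + 1;
    }
    /* p now points at the range, colons included. */
    return copy_field(out->range, p, strlen(p));
}

/* Counterpart of context_str(): rebuild the string. Returns -1 on truncation. */
int sectx_str(const struct sectx *c, char *buf, size_t n)
{
    int w = c->range[0]
        ? snprintf(buf, n, "%s:%s:%s:%s", c->user, c->role, c->type, c->range)
        : snprintf(buf, n, "%s:%s:%s", c->user, c->role, c->type);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Counterpart of context_type_set(): replace only the type field. */
int sectx_set_type(struct sectx *c, const char *type)
{
    return copy_field(c->type, type, strlen(type));
}

/* What getcon(3)/getpidcon(3) do underneath (assumption stated in the lead-in):
 * read /proc/<pid>/attr/current. pid_str "self" selects the caller.
 * Returns 0 and fills buf, or -1 when nothing is available (no such process,
 * or a kernel without SELinux). */
int read_proc_context(const char *pid_str, char *buf, size_t n)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/attr/current", pid_str);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    /* The kernel may end the value with a NUL or a newline; drop a newline. */
    size_t len = strlen(buf);
    while (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    return len > 0 ? 0 : -1;
}

int main(void)
{
    char raw[256], out[256];
    struct sectx ctx;

    /* Use the caller's real context when SELinux is active. Otherwise (no
     * SELinux, or another LSM publishing a different value there) fall back to
     * a constructed sample resembling an Apache worker on RHEL 6. */
    if (read_proc_context("self", raw, sizeof raw) < 0 || sectx_parse(raw, &ctx) < 0) {
        strcpy(raw, "system_u:system_r:httpd_t:s0");
        sectx_parse(raw, &ctx);
    }
    printf("user=%s role=%s type=%s range=%s\n", ctx.user, ctx.role, ctx.type,
           ctx.range[0] ? ctx.range : "(none)");

    /* The same field change that `chcon -t tmp_t` makes on the CLI slide. */
    if (sectx_set_type(&ctx, "tmp_t") == 0 && sectx_str(&ctx, out, sizeof out) == 0)
        printf("after type change: %s\n", out);
    return 0;
}
```

On a host without SELinux the program prints the constructed sample; on an enforcing RHEL 6 host it prints the context the kernel reports for the process itself, which is the value getcon(3) would hand back before you call freecon(3).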
libselinux – Boolean Functions
● Get the value of a boolean
  ● security_get_boolean_active(char *bool_name)
  ● security_get_boolean_pending(char *bool_name)
● Set the value of a boolean
  ● security_set_boolean(char *bool_name, int value)
● Commit all pending boolean changes
  ● security_commit_booleans()
libselinux – Boolean Functions (cont.)
● Data type: SELboolean
  ● A structure with two fields: char *name, int value
● Set multiple boolean values
  ● security_set_boolean_list(size_t nbools, SELboolean *boolean_list, int permanent)
For Further Study
● Overview of SELinux
  ● Red Hat Summit 2010 - SELinux for Mere Mortals, Thomas Cameron and Dan Walsh
● Red Hat Enterprise Linux 6 SELinux Features
  ● Red Hat Summit 2010 - Not Your Grandfather's SELinux, Dan Walsh
● RHS429 – Red Hat Enterprise SELinux Policy Administration
  ● http://www.redhat.com/training/courses/rhs429