Proactive Security in Linux - Univerzita Karlova · 2019-05-13
TRANSCRIPT
![Page 1: Proactive Security in Linux - Univerzita Karlova · 2019-05-13 · security enhanced linux is a security mechanism bringing proactive security for your system. technology for process](https://reader033.vdocuments.us/reader033/viewer/2022052408/5f078b8c7e708231d41d83c9/html5/thumbnails/1.jpg)
Proactive Security in Linux
Lukas Vrabec
About me
● Lukas Vrabec
● Software Engineer
● Member of Security Technologies team at Red Hat
● Fedora Contributor (selinux-policy, xguest, udica, netlabel_tools)
● https://lukas-vrabec.com
● https://github.com/wrabcak
● https://twitter.com/mynamewrabcak
Agenda
● Proactive Security
● Traditional Linux Security
● SELinux Security Policy
● Updated Userspace with Easier Policy Customization
● SELinux and Containers
● AVC Messages
Proactive Security
WHEN DO PEOPLE CARE ABOUT SECURITY?
WHERE DO SECURITY ISSUES COME FROM?
HOW ARE THEY FIXED?
REACTIVE SECURITY
YOUR SYSTEM IS NOT PROTECTED DURING THE WINDOW OF VULNERABILITY!
PROACTIVE SECURITY
PROACTIVE SECURITY HELPS TO PROTECT YOUR SYSTEM DURING THE WINDOW OF VULNERABILITY!
SECURITY ENHANCED LINUX IS A SECURITY MECHANISM BRINGING PROACTIVE SECURITY FOR YOUR SYSTEM.
TECHNOLOGY FOR PROCESS ISOLATION TO MITIGATE ATTACKS VIA PRIVILEGE ESCALATION
EXPLOIT EXAMPLES WHERE SELINUX HELPED TO PROTECT YOUR SYSTEM
VENOM (QEMU floppy controller guest escape, CVE-2015-3456)
DOCKER CVE-2016-9962
SHELLSHOCK (bash, CVE-2014-6271)
HACKING TIME!
DEMO TIME!
CONCLUSION?
Traditional Linux Security
$ ls -dl /var/www/html/
drwxr-xr-x. 2 root root /var/www/html/
rwx = USER (owner), r-x = GROUP, r-x = OTHERS; the trailing "." means the directory also carries an SELinux label
$ ps -ef | grep NetworkManager
root 11781 1 0 Feb27 00:01:24 /usr/sbin/NetworkManager --no-daemon
PROBLEMS
ROOT BYPASSES THIS SECURITY: uid 0 is exempt from the permission bits (CAP_DAC_OVERRIDE), so any process running as root can read or write any file
SETUID BIT: a setuid binary runs with its owner's privileges, so a bug in it hands those privileges to whoever runs it
SELinux Security Policy
CORE COMPONENT OF SELINUX
COLLECTION OF SELINUX POLICY RULES
LOADED INTO THE KERNEL BY SELINUX USERSPACE TOOLS
ENFORCED BY THE KERNEL
USED TO AUTHORIZE ACCESS REQUESTS ON THE SYSTEM
BY DEFAULT EVERYTHING IS DENIED AND YOU DEFINE POLICY RULES TO ALLOW CERTAIN REQUESTS.
SELINUX POLICY RULES
DESCRIBE AN INTERACTION BETWEEN PROCESSES AND SYSTEM RESOURCES
SELINUX POLICY RULE IN HUMAN LANGUAGE
"APACHE process can READ its LOGGING FILE"
SELINUX VIEW OF THAT INTERACTION
ALLOW apache_process apache_log:FILE READ;
apache_process AND apache_log ARE LABELS
LABELS
ASSIGNED TO PROCESSES
ASSIGNED TO SYSTEM RESOURCES
BY SELINUX SECURITY POLICY
MAP REAL SYSTEM ENTITIES INTO THE SELINUX WORLD
LABELS IN REALITY
STORED IN EXTENDED ATTRIBUTES OF FILE SYSTEMS - EXT2,EXT3, EXT4 ...
# getfattr -n security.selinux /etc/passwd
getfattr: Removing leading '/' from absolute path names
# file: etc/passwd
security.selinux="system_u:object_r:passwd_file_t:s0"

# ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd
SELINUX LABELS CONSIST OF FOUR PARTS
<user>:<role>:<type>:<MLS/MCS>
<user>
Not the same as Linux users
Several Linux users can be mapped to a single SELinux user
system_u is the SELinux user of system processes and of most system resources (see the /etc/passwd label above: system_u:object_r:passwd_file_t:s0); there is no separate object_u user
Can be limited to a set of SELinux roles
<role>
SELinux users can have multiple roles, but a process runs with only one active role
object_r is a placeholder role for system resources (files, sockets, ...)
system_r is the role of system processes (daemons)
Can be limited to a set of SELinux types (a role is authorized only for certain domain types)
<type>
Security model known as TYPE ENFORCEMENT
In 99% of cases you care only about TYPES:
policy rules describe the interactions between types
<MLS/MCS>
Multi Level Security / Multi Category Security
Only the MCS part is used in the targeted policy, with the default sensitivity level s0
Allows resources to be marked with category tags (c1, c2, ...)
Used for RHEL virtualization (sVirt) and for container security
A process running as s0:c1 can not access a resource labeled s0:c2
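The four-part label and the s0:c1 / s0:c2 rule, as an added example (my own code, not from the slides or from libselinux): a small Python parser for contexts like the /etc/passwd label shown above, and the dominance check that the targeted policy's MCS constraints apply to constrained domains such as containers and sVirt guests. The container_t / container_file_t contexts in the demo are constructed sample input; unconstrained domains are not modelled.

```python
"""Parse SELinux contexts and check MCS category separation.

Added example, not from the slides: models the dominance rule that the
targeted policy's MCS constraints apply to constrained domains (containers,
sVirt guests). The sample contexts below are constructed input.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int            # the N in sN
    categories: frozenset       # category numbers from cN and cN.cM ranges


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level
    high: Level                 # same as low unless the field is a range


def parse_level(text):
    """'s0' -> s0 with no categories; 's0:c1,c3.c5' -> categories {1,3,4,5}."""
    sens, _, cats = text.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity in level {text!r}")
    out = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        if not (lo.startswith("c") and lo[1:].isdigit()):
            raise ValueError(f"bad category {item!r}")
        lo_n = int(lo[1:])
        hi_n = lo_n
        if hi:
            if not (hi.startswith("c") and hi[1:].isdigit()) or int(hi[1:]) < lo_n:
                raise ValueError(f"bad category range {item!r}")
            hi_n = int(hi[1:])
        out.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(out))


def parse_context(label):
    """Split user:role:type:level.

    Only the first three ':' separate fields; the MLS/MCS field itself may
    contain ':' (s0:c1) and '-' for a range (s0-s0:c0.c1023).
    """
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {label!r}")
    user, role, type_, mls = parts
    low_txt, _, high_txt = mls.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if high_txt else low
    return Context(user, role, type_, low, high)


def dominates(a, b):
    """a dom b: a is at least as sensitive and holds every category of b."""
    return a.sensitivity >= b.sensitivity and b.categories <= a.categories


def mcs_allows(subject, obj):
    """MCS check for a constrained domain: the subject's high level must
    dominate the object's level. Categories are sets, not ordered levels,
    so s0:c1 and s0:c2 are mutually inaccessible even though both sit at
    sensitivity s0; an object with no categories is reachable by anyone."""
    return dominates(subject.high, obj.low)


if __name__ == "__main__":
    vm1 = parse_context("system_u:system_r:container_t:s0:c1")
    vm2 = parse_context("system_u:system_r:container_t:s0:c2")
    disk1 = parse_context("system_u:object_r:container_file_t:s0:c1")
    passwd = parse_context("system_u:object_r:passwd_file_t:s0")
    for subj, obj in [(vm1, disk1), (vm2, disk1), (vm1, passwd)]:
        verdict = "allowed" if mcs_allows(subj, obj) else "denied"
        print(subj.type, sorted(subj.high.categories), "->", obj.type, verdict)
```

The labels can be taken straight from `ls -Z` or `ps -eZ` output. Note the range form `s0-s0:c0.c1023` that unconfined users carry: its high level holds every category, which is why an unconfined shell can read every container's files while two containers with disjoint categories cannot read each other's.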
IN RHEL7 WE SHIP THE TARGETED SELINUX POLICY BY DEFAULT
WE MOSTLY CARE ONLY ABOUT TYPES
SELINUX ALLOW RULE SYNTAX WITH TYPES
allow TYPE1 TYPE2:OBJECT_CLASS PERMISSION;
allow httpd_t httpd_log_t:file read;
(apache_t / apache_log_t on the earlier slide are illustrative names; httpd_t and httpd_log_t are the real Fedora type names for the Apache process and its log files, and the policy language is lower-case)
DOMAIN TRANSITION RULES
type_transition TYPE1 TYPE2:process NEW_DOMAIN;
type_transition init_t httpd_exec_t:process httpd_t;
FILE TRANSITION RULES
type_transition TYPE1 TYPE2:OBJECT_CLASS NEW_TYPE;
type_transition httpd_t var_log_t:file httpd_log_t;
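The allow rule, the domain transition and the file transition above, together with the "root bypasses this" problem from the Traditional Linux Security section, as one added example (my own code, not from the slides or from the selinux-policy project). It is a miniature type-enforcement evaluator in Python: deny by default, allow rules keyed by (source type, target type, class), and the three extra allow rules the kernel demands before a type_transition on exec actually takes effect. The policy in build_policy() is a hypothetical sample that reuses Fedora's type names (init_t, httpd_t, httpd_exec_t, httpd_log_t, var_log_t); the permission names are the kernel's, but the evaluator is a toy, not libselinux.

```python
"""A miniature type-enforcement evaluator.

Added example, not from the slides or from selinux-policy. It models the
rule kinds on the slides (allow, domain transition, file transition) with
deny-by-default semantics, and puts a DAC check next to it to show why root
bypasses the traditional model but not SELinux. build_policy() is a
hypothetical sample policy using Fedora's type names.
"""
from collections import defaultdict


class Policy:
    def __init__(self):
        # (source type, target type, object class) -> granted permissions
        self.allow = defaultdict(set)
        # (source type, target type, object class) -> resulting type
        self.type_transition = {}

    def add_allow(self, src, tgt, cls, perms):
        self.allow[(src, tgt, cls)].update(perms)

    def add_type_transition(self, src, tgt, cls, new_type):
        self.type_transition[(src, tgt, cls)] = new_type

    def allowed(self, src, tgt, cls, perm):
        """Deny by default: access exists only if an allow rule grants it."""
        return perm in self.allow.get((src, tgt, cls), set())

    def exec_domain(self, domain, exec_type):
        """Domain a process of `domain` runs in after exec()ing a file of exec_type.

        type_transition only names the new domain. The kernel also requires
        three allow rules (execute on the file, transition to the new domain,
        entrypoint into the new domain through that file); with any of them
        missing the exec is denied (None). Without a transition rule the
        process keeps its domain and needs execute + execute_no_trans.
        """
        new_domain = self.type_transition.get((domain, exec_type, "process"))
        if new_domain is None:
            stays = (self.allowed(domain, exec_type, "file", "execute")
                     and self.allowed(domain, exec_type, "file", "execute_no_trans"))
            return domain if stays else None
        ok = (self.allowed(domain, exec_type, "file", "execute")
              and self.allowed(domain, new_domain, "process", "transition")
              and self.allowed(new_domain, exec_type, "file", "entrypoint"))
        return new_domain if ok else None

    def new_object_type(self, domain, parent_type, cls):
        """Type of an object `domain` creates inside a parent labeled parent_type:
        the file-transition target if one exists, otherwise the parent's type."""
        return self.type_transition.get((domain, parent_type, cls), parent_type)


def dac_allowed(uid, gids, owner_uid, owner_gid, mode, want):
    """Traditional permission bits; want is 'r', 'w' or 'x'.
    root (uid 0) passes every read/write check regardless of the bits
    (CAP_DAC_OVERRIDE); for execute it still needs at least one x bit."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return want != "x" or (mode & 0o111) != 0
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def access(policy, uid, gids, domain, owner, mode, obj_type, want):
    """Both models must agree; SELinux has no root exception."""
    perm = {"r": "read", "w": "write", "x": "execute"}[want]
    return (dac_allowed(uid, gids, owner[0], owner[1], mode, want)
            and policy.allowed(domain, obj_type, "file", perm))


def build_policy():
    """Hypothetical sample policy for the rules shown on the slides."""
    p = Policy()
    # "Apache can read its log file" (plus append, so it can write logs)
    p.add_allow("httpd_t", "httpd_log_t", "file", {"open", "read", "getattr", "append"})
    # domain transition init_t -> httpd_t when init executes httpd_exec_t
    p.add_type_transition("init_t", "httpd_exec_t", "process", "httpd_t")
    p.add_allow("init_t", "httpd_exec_t", "file", {"execute"})
    p.add_allow("init_t", "httpd_t", "process", {"transition"})
    p.add_allow("httpd_t", "httpd_exec_t", "file", {"entrypoint"})
    # file transition: logs httpd creates under var_log_t become httpd_log_t
    p.add_type_transition("httpd_t", "var_log_t", "file", "httpd_log_t")
    p.add_allow("httpd_t", "var_log_t", "dir", {"search", "write", "add_name"})
    p.add_allow("httpd_t", "httpd_log_t", "file", {"create"})
    return p


if __name__ == "__main__":
    p = build_policy()
    print("init_t execs httpd_exec_t ->", p.exec_domain("init_t", "httpd_exec_t"))
    print("httpd_t creates a file in var_log_t ->",
          p.new_object_type("httpd_t", "var_log_t", "file"))
    # root-owned, mode 0600 shadow file: root passes DAC, httpd_t fails TE
    print("root in httpd_t reads shadow_t:",
          access(p, 0, {0}, "httpd_t", (0, 0), 0o600, "shadow_t", "r"))
```

The point a practitioner should take from exec_domain is that a type_transition rule alone does nothing: if the entrypoint or transition permission is missing, the exec fails in enforcing mode and shows up as an AVC denial. On a real system the same question is answered against the loaded policy with setools, e.g. `sesearch -A -s httpd_t -t httpd_log_t -c file`.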
SELINUX MODES
ENFORCING
SELINUX SECURITY POLICY IS ENFORCED BY THE KERNEL: ACCESSES THE POLICY DOES NOT ALLOW ARE BLOCKED AND LOGGED
PERMISSIVE
SELINUX SECURITY POLICY IS NOT ENFORCED BY THE KERNEL
ACCESSES THAT WOULD HAVE BEEN DENIED ARE ONLY LOGGED
UPDATED USERSPACE WITH
EASIER POLICY CUSTOMIZATION
NEW COMMON INTERMEDIATE LANGUAGE - CIL
"M4 + COMPILATION" VS. CIL
PERFORMANCE IMPROVEMENTS
NEW POSSIBILITY FOR HIGH-LEVEL LANGUAGES (HLL) THAT COMPILE DOWN TO CIL
USABILITY
LOCAL POLICY IN TWO STEPS
# cat myapache.cil
(allow httpd_t httpd_log_t (file (open read getattr)))
![Page 92: Proactive Security in Linux - Univerzita Karlova · 2019-05-13 · security enhanced linux is a security mechanism bringing proactive security for your system. technology for process](https://reader033.vdocuments.us/reader033/viewer/2022052408/5f078b8c7e708231d41d83c9/html5/thumbnails/92.jpg)
# semodule -i myapache.cil
![Page 93: Proactive Security in Linux - Univerzita Karlova · 2019-05-13 · security enhanced linux is a security mechanism bringing proactive security for your system. technology for process](https://reader033.vdocuments.us/reader033/viewer/2022052408/5f078b8c7e708231d41d83c9/html5/thumbnails/93.jpg)
HOW DO WE DO IT WITH M4 + COMPILATION?
# cat myapache.te
require {
	type httpd_t;
	type httpd_log_t;
}
allow httpd_t httpd_log_t:file { open read getattr };
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapache.pp
SELINUX VS. CONTAINERS
APPLIES MAC TO IMPROVE SECURITY WHEN USING VIRTUAL MACHINES
[Diagram: two containers, container_t:s0:c1,c2 and container_t:s0:c2,c3, with their files container_file_t:s0:c1, container_file_t:s0:c2 and container_file_t:s0:c3]
Granted access:
● container_t:s0:c1,c2
  ○ container_file_t:s0
  ○ container_file_t:s0:c1
  ○ container_file_t:s0:c2
  ○ container_file_t:s0:c1,c2
● container_t:s0:c2,c3
  ○ container_file_t:s0
  ○ container_file_t:s0:c2
  ○ container_file_t:s0:c3
  ○ container_file_t:s0:c2,c3
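The granted-access list above follows from the MCS dominance rule: a process label may reach a file label only when both carry the same sensitivity and the file's categories are a subset of the process's categories, so a file labelled plain s0 is reachable by every container while a file carrying a category the process lacks is not. The following Python is an added example, not code from the talk and not libselinux or the kernel's constraint evaluation; it models that check on the slide's labels and, going beyond the slide, also accepts full contexts (user:role:type:level) and category ranges written like c0.c1023.

```python
"""Model of the MCS check between container processes and files.

Added example (not from the talk, not libselinux): a process label may access
a file label only when both share the sensitivity and the file's categories
are a subset of the process's categories. Labels are the ones from the slide.
"""
import re
from dataclasses import dataclass

_SENSITIVITY = re.compile(r"^s\d+$")


def _expand(token):
    """Expand one category token: 'c3' -> {'c3'}, 'c0.c3' -> {'c0', 'c1', 'c2', 'c3'}."""
    if "." in token:
        lo, hi = token.split(".")
        return {f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1)}
    return {token}


@dataclass(frozen=True)
class Label:
    """Type plus MCS level parsed from 'type:s0:c1,c2' or 'user:role:type:s0:c1,c2'."""
    type_: str
    sensitivity: str
    categories: frozenset

    @classmethod
    def parse(cls, text):
        parts = text.split(":")
        # The sensitivity field (s0, s1, ...) anchors the parse: the type is the
        # field before it, the optional category list is the field after it.
        idx = next((i for i, p in enumerate(parts) if _SENSITIVITY.match(p)), None)
        if idx is None or idx == 0:
            raise ValueError(f"cannot find type and sensitivity in {text!r}")
        categories = set()
        if idx + 1 < len(parts):
            for token in parts[idx + 1].split(","):
                categories |= _expand(token)
        return cls(parts[idx - 1], parts[idx], frozenset(categories))


def mcs_allows(process_label, file_label):
    """MCS dominance: same sensitivity and file categories <= process categories.

    A file with no categories (plain s0) is reachable by every container; a file
    carrying a category the process lacks is not. MLS low-high ranges are out of
    scope for this model.
    """
    proc, obj = Label.parse(process_label), Label.parse(file_label)
    return proc.sensitivity == obj.sensitivity and obj.categories <= proc.categories


def granted_access(process_labels, file_labels):
    """Reproduce the slide's table: for each process label, the files it may access."""
    return {p: [f for f in file_labels if mcs_allows(p, f)] for p in process_labels}


if __name__ == "__main__":
    processes = ["container_t:s0:c1,c2", "container_t:s0:c2,c3"]
    files = ["container_file_t:s0", "container_file_t:s0:c1", "container_file_t:s0:c2",
             "container_file_t:s0:c3", "container_file_t:s0:c1,c2", "container_file_t:s0:c2,c3"]
    for proc, allowed in granted_access(processes, files).items():
        print(proc)
        for f in allowed:
            print("   ", f)
```

Run stand-alone it prints the same two groups as the slide; the c0.c1023 case shows why a container started with the full category range (or with MCS separation disabled) can read every other container's files, which is the separation the random category pairs such as c306,c536 below are there to provide.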
SELinux user:SELinux role:SELinux type:SELinux category
system_u:object_r:svirt_t:c306,c536
system_u:object_r:svirt_t:c206,c636
SELINUX KEEPS YOUR CONTAINER IN ITS OWN SPACE
container:MCS1   container:MCS2   container:MCS3
SELinux user:SELinux role:SELinux type:SELinux category
system_u:object_r:container_t:c306,c536
system_u:object_r:container_t:c206,c636
system_u:object_r:container_t:c406,c736
AVC MESSAGES
WHERE CAN WE FIND LOGS?
# cat /var/log/audit/audit.log
# ausearch -m AVC
type=AVC msg=audit(1226882925.714:136): avc: denied { read } for pid=2512 comm="httpd" name="file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
HOW TO PARSE AVC MESSAGES?
# ausearch
# audit2allow

# ausearch -m AVC -ts recent
type=AVC msg=audit(1226882925.714:136): avc: denied { read } for pid=2512 comm="httpd" name="shadow" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
# ausearch -m AVC -ts recent | audit2allow
#============= httpd_t ==============
allow httpd_t shadow_t:file read;
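What audit2allow does with the ausearch output above is mechanical: read each AVC record, take the type out of scontext and tcontext, and collect the denied permissions per source type, target type and object class. The Python below is an added example, not the talk's code and not audit2allow itself; it implements that aggregation and then renders the result both as the .te source used on the "M4+COMPILATION" route (require block plus allow rules, as in myapache.te) and as CIL (as in myapache.cil), so the two syntaxes compared earlier can be seen side by side for the same denials. The sample log is constructed (the first record is the slide's denial, the others are made up to show aggregation and skipping of non-AVC records), and the SENSITIVE_TYPES set is an assumption made for this example.

```python
"""Parse AVC denials and turn them into policy rules in both syntaxes.

Added example (not the talk's code, not audit2allow itself): it groups denied
permissions per (source type, target type, class) the way audit2allow does,
then renders them as the .te text shown for myapache.te and as CIL as shown for
myapache.cil. SENSITIVE_TYPES is an assumption made for this example.
"""
import re
from collections import defaultdict

# Constructed sample log: the first record is the slide's denial, the second and
# third are constructed follow-ups, the SYSCALL record shows non-AVC lines being skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1226882925.714:136): avc:  denied  { read } for  pid=2512 comm="httpd" name="shadow" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1226882925.714:137): avc:  denied  { open } for  pid=2512 comm="httpd" name="shadow" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1226882999.001:140): avc:  denied  { getattr } for  pid=2512 comm="httpd" name="access_log" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1226882925.714:136): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Return one dict per AVC record (decision, perms list, contexts, class)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            records.append(rec)
    return records


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def aggregate(records):
    """Collect denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for rec in records:
        if rec["decision"] != "denied":
            continue
        key = (_type_of(rec["scontext"]), _type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


def to_te(rules):
    """Render as .te source: require block plus allow rules (the m4 route)."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    lines = ["require {"] + [f"\ttype {t};" for t in types] + ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return "\n".join(lines)


def to_cil(rules):
    """Render the same rules as CIL, loadable directly with semodule -i."""
    return "\n".join(
        f"(allow {src} {tgt} ({cls} ({' '.join(perms)})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    )


# Assumption for this example: target types whose denials should be investigated,
# never allowed. httpd_t reading shadow_t is the policy working as intended.
SENSITIVE_TYPES = {"shadow_t"}


def needs_review(rules):
    """Rule keys that target a sensitive type."""
    return [key for key in rules if key[1] in SENSITIVE_TYPES]


if __name__ == "__main__":
    rules = aggregate(parse_avc(SAMPLE_AUDIT_LOG))
    print(to_te(rules))
    print()
    print(to_cil(rules))
    for src, tgt, cls in needs_review(rules):
        print(f"\nREVIEW: {src} -> {tgt}:{cls} should not be allowed")
```

The slide's own output, allow httpd_t shadow_t:file read;, is the case where the generated module must not be loaded as-is: a web server reading the shadow file is the denial doing its job, so the example separates such targets into a review list rather than writing them into the policy, and only the httpd_log_t rule is the kind of local customization the two-step CIL route above is meant for.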
● # semanage fcontext -> manage SELinux file contexts
● # semanage boolean -> manage SELinux booleans
● # semanage port -> manage SELinux port labels
● # semanage permissive -> put a SELinux domain into permissive mode
● # sesearch -> search the rules present in the loaded SELinux policy
● # ausearch -> search the audit log for SELinux denials
● # sealert -> SELinux troubleshooter
● # audit2allow -> parse SELinux denials / create a local SELinux module
● # semodule -DB / # semodule -B -> rebuild the SELinux policy (-DB also disables dontaudit rules so the hidden denials are logged)
ARE YOU USING SELINUX IN ENFORCING?
BLOGS
● Lukas Vrabec's blog https://lukas-vrabec.com/
● Dan Walsh's blog http://danwalsh.livejournal.com/
● Miroslav Grepl's blog https://mgrepl.wordpress.com/
● Paul Moore's blog http://www.paul-moore.com/
● Petr Lautrbach's blog https://plautrba.fedorapeople.org/