|
|
(11 intermediate revisions by one other user not shown) |
Line 3: |
Line 3: |
| Feel free to add any suggestions or corrections here. Thanks :) | | Feel free to add any suggestions or corrections here. Thanks :) |
|
| |
|
| * Is SELinux enabled by default on Debian? If not, link to appropriate information (probably found on http://wiki.debian.org/) | | * Is SELinux enabled by default on Debian? If not, link to appropriate information (<http://wiki.debian.org/SELinux>) |
| | * Is <code>system_u:object_r:httpd_sys_content_t</code> required for all SugarCRM files? |
| | * A section on setroubleshoot. |
| | * SELinux open permission: <http://james-morris.livejournal.com/31714.html> |
| | * Can users control where SELinux logs are written to? |
|
| |
|
| Suggestions from domg472:
| | [[Category:SELinux docs]] |
| <pre>
| |
| Basic access control models ( DAC , MAC ) ( not so basic MDAC )
| |
| | |
| | |
| | |
| explain discretionary
| |
| | |
| explain the dac model attributes: user group permission bits
| |
| | |
| explain why dac acl is not sufficient. example privilege escalation
| |
| | |
| explain the mac model attributes: security context
| |
| | |
| explain mandatory
| |
| | |
| explain that MAC is ACL layer on top of the DAC ACL layer
| |
| | |
| explain Type enforcement
| |
| | |
| explain Role Based AC
| |
| | |
| explain Multi Level Security
| |
| | |
| Explain Multi Category/Compartment Security
| |
| | |
| | |
| | |
| compare a selinux system to a submarine with compartments. if one compartment has a leak, the water will be contained to that compartment and will not be able to spread ( escalate) . submarine will not sink
| |
| | |
| | |
| | |
| Security context / SELinux attributes
| |
| | |
| | |
| | |
| explain the security context tuple and how to read it (explain the fields)
| |
| | |
| explain user ( which SELinux user (group) created the object? )
| |
| | |
| explain type is the attribute for type enforcement (TE)
| |
| | |
| explain role is the attribute for role enforcement (RBAC)
| |
| | |
| explain security level is the attribute for security level enforcement (MLS)
| |
| | |
| explain categories/compartments is the attribute for security level enforcement or category/compartment enforcement (MLS or MCS)
| |
| | |
| | |
| | |
| Subjects and objects ( processes and "files" )
| |
| | |
| | |
| | |
| explain that everything in a system is a object
| |
| | |
| explain that even subjects in a system are represented as objects in proc mountpoint
| |
| | |
| explain subjects and objects
| |
| | |
| explain subjects are processes (ps auxZ)
| |
| | |
| explain objects are "files" (ls -alZ)
| |
| | |
| - file objects ( files , lnk files, dirs, fifo files, sock files etc)
| |
| | |
| - port objects
| |
| | |
| - interface objects
| |
| | |
| - node objects
| |
| | |
| - objects available by other programs ACE access control extension: XACE, sepostgesql, SEDBUS, mscd, etc.
| |
| | |
| - explain object is a class defined in kernel :process :file :tcp_socket
| |
| | |
| example of a class: process. example of a class: file
| |
| | |
| explain domain type is the attribute of a process ( user_t is (user) domain type/attribute of "user"
| |
| | |
| explain object type is the attribute of a object or "file". do not mistake files with file objects/file types. a "file" is
| |
| any object
| |
| | |
| explain that a object type can never be a scontext ( source context ) in a avc denail
| |
| | |
| explain that processes (subjects) generally operate on files (objects)
| |
| | |
| explain that processes (subjects) also operate on other processes (subjects) example: process ( sigchld ) if a user
| |
| processes spawns a program process.
| |
| | |
| explain that "files" ( objects ) do not operate. they get operated on by subjects ( processes )
| |
| | |
| explain permissions that define how to operate on subjects and objects ( classes ) are defined in the kernel and are attributes of classes
| |
| | |
| explain classes and their attributes are static defined in kernel:
| |
| | |
| - example of a file object class and its attributes:
| |
| | |
| + file read
| |
| | |
| + dir write
| |
| | |
| + lnk_file getattr
| |
| | |
| - example of a subject class and its attributes:
| |
| | |
| + process sigchld
| |
| | |
| - example of a object available by other programs ACL
| |
| | |
| + dbus send_msg
| |
| | |
| explain that although classes and their attributes are defined in the kernel, that one can assign "types" to
| |
| subjects and objects, and that one can define policy for these types can interact using the object classes
| |
| and their attributes supplied by the kernel.
| |
| | |
| | |
| | |
| example:
| |
| | |
| | |
| | |
| scontext/domain type/subject | tcontext/file type/object | "object" class | "object" permissions/attributes
| |
| | |
| ___________________________________________________________________________________________________________________________
| |
| | |
| user_t | user_home_t | dir | getattr
| |
| | |
| httpd_t | httpd_sys_content_ra_t | file | read
| |
| | |
| user_t | mozilla_t | process | sigchld
| |
| | |
| user_t | self | process | transition
| |
| | |
| mozilla_t | httpd_port_t | tcp_socket | connect
| |
| | |
| unconfined_t | cupsd_t | dbus | send_msg
| |
| | |
| | |
| | |
| | |
| | |
| How to find out if selinux is supported /enabled:
| |
| | |
| supported?: http://domg444.blogspot.com/2007/11/how-to-determine-if-our-system-supports.html
| |
| | |
| enabled?: getenforce /selinux/config sestatus
| |
| | |
| | |
| | |
| explain selinux framework and selinux policy. explain the selinux framework is responsible for enforcing policy.
| |
| | |
| explain the access vector cache.
| |
| | |
| perruse selinux packages ( rpm -ql ) and discuss important locations : /etc/selinux , /selinux
| |
| | |
| | |
| | |
| How to disable SELinux: i refer to dwalsh blog. some highlights selinux=0 , enforcing=0, setenforce 0,
| |
| system-config-selinux, semanage
| |
| | |
| | |
| | |
| system-config-selinux is a GUI for semanage. semanage is THE central managing point for SELinux administration:
| |
| | |
| label file objects ( semanage fcontect -a)
| |
| | |
| label port objects ( semanage port -a) etc
| |
| | |
| explain each optipn of semanage and system-config-selinux: label interfaces, set booleans, add , modify, delete selinux user (groups) and SELinux logins.
| |
| | |
| explain translation ( requires mcstransd )
| |
| | |
| explain what mcstransd does
| |
| | |
| explain what restorecond does
| |
| | |
| explain auditd connection to selinux ( explain ausearch /auctl )
| |
| | |
| | |
| | |
| show some pratical examples for managing users. add a unconfined user , add a confined user ,
| |
| add a staff users, assign mcs categories to user (ranges)
| |
| | |
| create custom selinux user groups
| |
| | |
| create custom selinux logins
| |
| | |
| | |
| | |
| explain booleans
| |
| | |
| explain customizable types
| |
| | |
| mention manual pages for targeted daemons.
| |
| | |
| | |
| | |
| explain audit2allow
| |
| | |
| explain audit2why
| |
| | |
| explain sesearch and how you can use this to make decisions
| |
| | |
| explain semodule, sestatus , restorecon , semanage, setenforce , getenforce
| |
| | |
| explain limitations of chcon
| |
| | |
| explain advantage of chcon
| |
| | |
| explain chcat
| |
| | |
| | |
| | |
| explain selinux-policy-devel ( /usr/share/selinux/devel/Makefile )
| |
| | |
| show example how to make a custom policy module
| |
| | |
| explain the limitations of a policy module package
| |
| | |
| explain the advantages of a policy module package
| |
| | |
| | |
| | |
| explain role base access control and derrived types.
| |
| | |
| | |
| | |
| explain star and selinux tar support (exmaples)
| |
| | |
| | |
| | |
| important: Possible problems caused from running in permissive mode, such as having permissions to mislabel files.
| |
| | |
| important: Copying Vs moving files.
| |
| | |
| | |
| | |
| explain avc denials field by field.
| |
| | |
| explain advantage and limitation of sealert/setroublehoot and how this relates to audit.
| |
| | |
| | |
| | |
| explain file_t, unlabeled_t
| |
| | |
| explain initrc_t
| |
| | |
| explain unconfined_t
| |
| | |
| explain sepolgen and gui
| |
| | |
| | |
| | |
| explain why /tmp will not be relabled: http://domg444.blogspot.com/2007/11/why-files-with-incompatible-types-in.html
| |
| | |
| | |
| | |
| read selinux by example book
| |
| | |
| | |
| | |
| explain the MLS vs TARGETED
| |
| | |
| explain mcs role in targetted versus mcs role in mls
| |
| </pre>
| |