From Fedora Project Wiki


Revision as of 21:04, 7 December 2008

Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008

IRC Log of the Class

 20:00 -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - Introduction - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info
 20:01 <@nirik> A few general guidelines: Please try to keep on topic... if you have general fedora questions, #fedora is open for business as usual.
 20:01 <@nirik> If you want some more social chatting, #fedora-social is open for that.
 20:01 <@nirik> Some teachers may want you to hold questions, and some will want you to just chime in... they will say when they start their session.
 20:02 < Guest86715> nick brunowolff
 20:02 < Guest86715> \nick brunowolff
 20:02 <@nirik> Also, note that I will be logging the classes for posting on the wiki.
 20:02 <@nirik> So, our first class up today is SElinux Basics. Without further jabbering, I will hand things off to herlo...
 20:02 < herlo> Hi all, my name is Clint Savage, and I am North American Fedora Ambassador western USA region. I work for a small Linux training company in Utah called Guru Labs. People online call me herlo
 20:02 < herlo> thanks nirik 
 20:03 < herlo> so for those of you who might have missed it, I have slides up 
 20:03 < herlo> https://fedoraproject.org/wiki/Classroom/SELinux_Basics
 20:03 < herlo> from that link you can get either pdf or odp
 20:03 -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info
 20:03 < herlo> I'll be pretty much following the flow there.  If you have questions, please feel free to jump in. 
 20:04 < herlo> SELinux Basics
 20:04 < herlo> What is SELinux?  
 20:05 < linuxguru> Security Enhanced Linux
 20:05 < herlo> Well, a few years back, the NSA designed a set of rules that would help in keeping their confidential information safe. One of the major functionalities that came out of this was SELinux
 20:05 < herlo> linuxguru: right, Security Enhanced Linux
 20:06 < herlo> one of the things that is interesting about security in Linux is the many ways to protect your boxen
 20:06 < herlo> Firewalls, acls, etc.
 20:06 < herlo> iptables has been around for some time and does a great job on the network
 20:07 < herlo> thing is, it's really intended for network security
 20:07 < herlo> so that's one layer
 20:07 < herlo> but we want more layers
 20:07 < herlo> In Unix we've always had the rwx permissions, which has been pretty good to us
 20:08 < herlo> processes check the permissions of a file and make sure they have rights to access the file.
 20:08 < herlo> SELinux is just a layer above.
 20:09 < herlo> SELinux can protect local filesystems even better, providing tools to make it easy to use the applications without fear of attacks on the system
 20:09 < herlo> So two terms came about DAC and MAC
 20:09 < herlo> I have two slides describing both
 20:09 < herlo> DAC - Discretionary Access Control
 20:09 < VileGent> ! when you change page say page please
 20:09 < thomasj> :D
 20:09 < herlo> This is traditional Linux/Unix type file perms
 20:10 < herlo> VileGent: k, that was the first change, and thank you
 20:10 < JamesB192_thekky> and ACLs?
 20:10 < herlo> the simple rwx permissions, SUID SGID, etc
 20:10 < herlo> JamesB192_thekky: ACLs stands for Access Control Lists and is a supplementary feature of many filesystems
 20:11 < herlo> as well as many other applications too
 20:11 < herlo> the thing about DAC is that it's really what we've been using for 20+ years
 20:11 < herlo> nothing has inherently changed about it
 20:11 < herlo> it's pretty much the same it was back then and will continue to do a good job of protecting our boxen
 20:11  * nirik notes that this is page 3 on the pdf. 
 20:12 < herlo> but here's the thing
 20:12 < herlo> What about processes accessing things that, while they have permissions to access, shouldn't be accessing
 20:12 < herlo> ?
 20:12 < koolhead1> ?
 20:12 < bomama> what?
 20:13 < domg472_> privilege escalation
 20:13 < herlo> For instance, should the named (DNS daemon) be accessing files within apache?
 20:13 < Abd4llA> nop
 20:13 < linuxguru> naw.
 20:13 < herlo> domg472_: right, something we don't want to happen
 20:13 < herlo> next page
 20:13 < herlo> this is where MAC - Mandatory Access Control comes in...
 20:13 < brunowolff> I think the main point is that without selinux any process you run has all of your access rights. You don't always want to have that.
 20:13 < herlo> brunowolff: correct
 20:14 < herlo> brunowolff: many processes, not all
 20:14 < LinuxCode> shouldnt questions/comments be directed at the end ?
 20:14 < herlo> and it's possible that the process could perform an exploit on an unsecured application
 20:14 < LinuxCode> wont get through the class otherwise
 20:14 < herlo> LinuxCode: it's fine, questions are good...
 20:14 < herlo> LinuxCode: we will...
 20:14 < LinuxCode> k ;-]
 20:14 < herlo> we're doing fine right now
 20:14 < herlo> so MAC
 20:14 < koolhead1> +1
 20:15 < herlo> provides this functionality where instead of standard permissions, we have what's typically called a security context
 20:15 < herlo> this security context is part of a policy
 20:15 < herlo> and the policy defines the rules as to which processes can access which files 
 20:16 < linuxguru> one question here. regarding unconfined processes (server stuff) running on the system
 20:16 < herlo> this also goes for ports, links, and many other elements in a Linux system
 20:16 < herlo> linuxguru: we'll get to that in a minute
 20:16 < linuxguru> okay
 20:16 < herlo> so the policy says, here's the rule for that process accessing that file, if it's allowed, then the normal permissions apply
 20:17 < herlo> if, however, that process is not allowed by policy it is denied
 20:17 < herlo> also, if there is no policy rule for that particular process/file, the action is denied 
 20:17 < herlo> next page
 20:17 < herlo> in comes security contexts
 20:18 < herlo> this is page 5, btw
 20:18 < herlo> each process has a context and each file has a context
 20:18 < herlo> in general, we can think of each of the components as another layer where the policy can enforce rules
 20:18 < herlo> user:role:type:sensitivity:category
 20:19 < herlo> the policy can look at any one of these component parts of the context and evaluate whether the process can access the file based upon user, a specific role, type, sensitivity or some category definition
 20:20 < herlo> you might note that if you run 'ls -Z' on your home directory you'd see something like this
 20:20 < herlo> $ ls -Z
 20:20 < herlo> -rw-r--r--  clints clints system_u:object_r:user_home_dir_t:s0 (2).bash_logout
 20:20 < herlo> -rw-rw-r--  clints clints unconfined_u:object_r:user_home_t:s0 attendees-200808200.odb
 20:20 < herlo> -rw-rw-r--  clints clints unconfined_u:object_r:user_home_t:s0 attendees-20080820.odb
 20:20 < herlo> drwxr-xr-x  clints clints unconfined_u:object_r:user_home_t:s0 bin
 20:20 < herlo> lrwxrwxrwx  clints clints system_u:object_r:user_home_t:s0 Books -> /data/books
 20:21 < domg472_> .bash_logout seems mislabeled
 20:21 < herlo> Fedora has implemented everything but the category, but older systems slowly built up from the first three components and are adding slowly
 20:21 < daMaestro> .bash_logout is ok
 20:21 < herlo> domg472_: probably not, but we'll talk about how to change that shortly...
 20:21 < daMaestro> ;-)
 20:21 < herlo> processes can also be looked at similarly
 20:22 < herlo> ps -ef -Z | grep httpd
 20:22 < herlo> unconfined_u:system_r:httpd_t:s0 root     6740     1  0 09:30 ?        00:00:00 /usr/sbin/httpd
 20:22 < herlo> unconfined_u:system_r:httpd_t:s0 apache   6742  6740  0 09:30 ?        00:00:00 /usr/sbin/httpd
 20:22 < herlo> unconfined_u:system_r:httpd_t:s0 apache   6743  6740  0 09:30 ?        00:00:00 /usr/sbin/httpd
 20:22 < herlo> adding the -Z in either case can provide the context information.
 20:22 < herlo> let me do one more listing of files here
 20:23 < herlo> ls -Z /var/www/html/
 20:23 < herlo> -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 darkice-ubuntu.cfg
 20:23 < herlo> -rw-------  apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks
 20:23 < herlo> -rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t:s0 F8VM.ks
 20:23 < herlo> the ubuntu file is there because I record my local user groups... :)
 20:23 < herlo> anyway, 
 20:23 < herlo> one thing you'll notice is the similarity in a couple areas between the processes and the files...
 20:23 < Abd4llA> will we get to the meanings for the differents tags ?
 20:23 < herlo> Abd4llA: which tags?
 20:24 < Abd4llA> object_r , system_r ..etc
 20:24 < Abd4llA> in the context
 20:24 < daMaestro> unconfined_u:system_r:httpd_t:s0 -> chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE
 20:24 < herlo> Abd4llA: yes, we will
 20:24 < herlo> daMaestro: we'll get to that soon
 20:24 < daMaestro> k
 20:25 < herlo> Abd4llA: essentially, the _r stuff implies it's a role component
 20:25 < herlo> the _u is for users
 20:25 < herlo> _t is for type, etc...
 20:25 < herlo> and it has to do with which policy is affecting what parts of the SELinux context
 20:26 < herlo> next slide - Default Policy: Targeted
 20:26 < Abd4llA> k
 20:26 < herlo> when policies are in force, you can look through them in the /selinux virtual filesystem
 20:26 < herlo> as I recall, these are read-only
 20:27 < herlo> sorry, having a bit of network issues, bear with me
 20:27 < herlo> but the /selinux dir is fun to peruse and can teach you a lot about the policy
 20:27 < herlo> the policy Fedora installs by default is called the 'Targeted' policy
 20:28 < herlo> and primarily uses _t (or type) enforcement
 20:28 < domg472_> and rbac
 20:28 < herlo> going back a bit to my example of the apache DocumentRoot /var/www/html and the httpd process, one might now notice that the processes and files have very similar types
 20:29 < herlo>  unconfined_u:system_r:httpd_t:s0 root     6740     1  0 09:30 ?        00:00:00 /usr/sbin/httpd
 20:29 < herlo> -rw-------  apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks
 20:29 < herlo> in the policy it says, httpd_t processes can access httpd_sys_content_t type files...
 20:30 < herlo> next slide: Manipulating Contexts
 20:30 < herlo> but sometimes, the contexts are incorrect in the files
 20:31 < herlo> and thus the proper process cannot access the file even though its permissions are correct and it's in the correct directory
 20:31 < herlo> this is where chcon and restorecon come in
 20:31 < domg472_> run it on .bash_logout for example
 20:31 < herlo> chcon can modify user, role, type, sensitivity, category on a particular file.  Kind of think of it as the chown/chmod for SELinux
 20:32 < herlo> domg472_: right
 20:32 < herlo> domg472_: in that case, what I'd want to do is run restorecon, because it would follow the policy rules
 20:32 < domg472_> chcon is for unprivileged users, privileged users should use semanage
 20:32 < domg472_> chcon is not persistent
 20:32 < jds2001> domg472_: it is.
 20:32 < domg472_> restorecon will override
 20:32 < jds2001> oh yes.
 20:33 < jds2001> or a filesystem relabel
 20:33 < herlo> # restorecon .bash_logout
 20:33 < herlo> [root@herlo-lap clints]# ls -Z .bash_logout
 20:33 < herlo> -rw-r--r--  clints clints unconfined_u:object_r:user_home_t:s0 .bash_logout
 20:33 < herlo> domg472_: please don't get ahead of where we are
 20:33 < domg472_> ok
 20:33 < herlo> semanage will work too, but we're not there yet
 20:34 < herlo> this is SELinux Basics.. semanage can be used for much more advanced stuffs
 20:34 < herlo> domg472_: however, you are right about chcon vs restorecon for who can use it...
 20:35 < herlo> next slide: Manage/Modify the Policy
 20:36 < nuonguy> herlo: question: how does restorecon know what the context for .bash_logout should be?
 20:36 < herlo> essentially, the policy can be in one of three states
 20:36 < herlo> nuonguy: the policy knows
 20:36 < herlo> nuonguy: I'll show where you can get that information in a short bit
 20:36 < nuonguy> k, thanks
 20:36 < herlo> nuonguy: but to be honest, you don't actually need to know the policy to be effective with SELinux
 20:37 < herlo> which sounds strange, but it's true
 20:37 < herlo> however, we show it here shortly
 20:37 < nuonguy> even if I need to install an app that provides no selinux/conext info?
 20:37 < herlo> the first command 'getenforce' will show you the state of enforcement SELinux is currently in
 20:37 < herlo> nuonguy: sure, but we're not going to broach that today
 20:38 < herlo> nuonguy: however, I will show you where you can set those rules
 20:38 < nuonguy> awesome, thanks
 20:38 < herlo> # getenforce
 20:38 < herlo> Permissive
 20:39 < herlo> to toggle between Permissive and Enforcing, one could use setenforce 
 20:39 < herlo> # setenforce 1
 20:39 < herlo> [root@herlo-lap ~]# getenforce
 20:39 < herlo> Enforcing
 20:39 < herlo> However, Disabled can also appear 
 20:40 < herlo> when getenforce is run
 20:40 < herlo> but it must be set and then a reboot will remove the labels (security contexts) from the system...
 20:40 < herlo> next slide: making the policy persist
 20:41 < herlo> this is where everyone has been jumping to
 20:41 < herlo> system-config-selinux is a very nice gui that can manage much of what you'd like to see in an SELinux policy
 20:41 < herlo> it can set enforcing, Permissive, Disabled for boot, 
 20:42 < herlo> it can modify booleans, or small parts of the policy
 20:42 < herlo> it can also show you what contexts files/ports/links/etc will have when restorecon is run
 20:43 < herlo> as well as allow you to modify the policy rules right there
 20:43 < herlo> that's under File Labeling / User Mapping / Network Ports and probably a few others
 20:44 < jMCg> I suppose it already has some sensible templates for often used services.
 20:44 < herlo> in addition, you can modify /etc/sysconfig/selinux and set the policy and/or Enforcement
 20:44 < herlo> jMCg: it does, for type enforcement only
 20:44 < herlo> but there are other policies, including strict (which most others are based upon) and Multi-Layer Security (MLS)
 20:44 < brunowolff> nuonguy, part of the policy is a set of patterns used by restorecon to decide which is the correct label. The patterns aren't used when creating files normally.
 20:44 < herlo> which you can import and install.  These use more of the tags of the context..
 20:45 < herlo> brunowolff: yes, correct.  Thanks
 20:45 < herlo> you can also relabel the system according to the changes made here 
 20:45 < herlo> another tool listed on this page is semanage
 20:46 < herlo> semanage can do many things including many of the things that system-config-selinux does
 20:46 < herlo> it's the command line tool to make policy components stick, including context changes
 20:46 < herlo> the best thing I can say about semanage is that it has an excellent man page and shows examples of many things you can do to your system...
 20:47 < herlo> getsebool/setsebool are also useful tools if you know the boolean you'd like to change
 20:47 < herlo> next slide: Troubleshooting
 20:47 < herlo> this is my favorite part
 20:48 < herlo> as it says in the slide, many people turn SELinux off because they can't understand the avc messages in the logs
 20:49 < herlo> /var/log/audit/audit.log shows many of these messages and an experienced SELinux user can learn what these things mean
 20:49 < fengshaun> excuse me, where can we get the slides?
 20:49 < herlo> but most people have a hard time reading them...
 20:49 < herlo> fengshaun: https://fedoraproject.org/wiki/Classroom/SELinux_Basics
 20:49 < fengshaun> thank you
 20:49 < herlo> np
 20:49 < herlo> so here's the tool that will make it easier than ever to read those messages
 20:49 < herlo> setroubleshoot
 20:50 < herlo> the daemon /usr/sbin/setroubleshootd, available in the setroubleshoot-server rpm
 20:50 < herlo> is my favorite friend
 20:50 < herlo> it's a sysV service that provides clear text solutions for allowing access when something doesn't work right
 20:50 -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo (slides at: https://fedoraproject.org/wiki/Classroom/SELinux_Basics) - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info
 20:51 < herlo> because odds are, the user's permissions are correct, but SELinux is causing some sort of issue
 20:51 < herlo> so I install setroubleshoot-server
 20:51 < herlo> next slide: troubleshooting cont'd
 20:51 < herlo> page 11
 20:52 < herlo> and then run
 20:52 < herlo> /etc/init.d/setroubleshoot start
 20:52 < herlo> all of the sudden, I get clear messages in /var/log/messages
 20:52 < domg472_> setroubleshoot is enabled by default
 20:52 < herlo> domg472_: setroubleshoot is the client tools
 20:52 < herlo> setroubleshoot-server might be enabled by default, I hadn't checked
 20:53  * thomasj reminds domg472_ that this is herlo's class. So please let him teach, he's doing a great job.
 20:53 < domg472_> ok
 20:53 < herlo> but it's going to tell you to look at a specific sealert message
 20:53 < herlo> copying the sealert command along with that ugly long string...
 20:53 < herlo> and voila, you have a solution as to how to allow access.
 20:54 < herlo> for those of you who like GUIs try sealert -b
 20:54 < herlo> that's the sealert browser and it can also be launched from the Notification Area (the little star) in GNOME
 20:54 < herlo> NOW
 20:54 < herlo> here's the only thing I want to warn you on
 20:55 < herlo> don't by any circumstances take 'Allowing Access' to mean that you *should* perform the task listed there
 20:55 < herlo> instead, you should use your critical minds and make a smart decision regarding whether allowing access is the right thing to do
 20:56 < herlo> so I'm out of material and it looks like out of time
 20:56 < herlo> any questions about this process?
 20:56 < jMCg> Ad troubleshooting.
 20:56 < kdn> Great job; thanks.
 20:56 < jMCg> What troubles me most, is to remember that there's SELinux, and it could be responsible.
 20:56  * VileGent gives herlo a hand and thanks
 20:56 < thomasj> +1
 20:57  * erinlea80 applauds!
 20:57 < kdn> +1
 20:57 < poti> +1
 20:57 < djohngo> herlo: Thanks!
 20:57 < domg472_> thanks
 20:57  * fengshaun applauds too!
 20:57 < jds2001> great job herlo :)
 20:57 < brunowolff> The resources didn't include Dan Walsh's journal (http://danwalsh.livejournal.com/) which has up to date info about selinux.
 20:57 < thomasj> herlo, awesome, thank you very much
 20:57 < SSlater> +1
 20:57 < herlo> jMCg: yes, I understand that, but it will become much more normal as you get used to it
 20:57  * JMakey thanks herlo
 20:57 < herlo> brunowolff: oh, yes, I should add that
 20:57 < jMCg> When you get an EACCESS, you think of permissions, it'd be great if there was some different class of error to be used...
 20:57 < Bugz> herlo: Very good, thanks
 20:57 < linuxguru> yeah i had this doubt about unconfined processes running on my system. if an attacker is able to compromise my system using those processes (which have ports opened) will he be able to access stuff which is managed by selinux like confined processes such as apache/samba etc.
 20:57 < herlo> I'm glad you all liked it
 20:57 < zless> thanks herlo.
 20:57 < domg472_> if anyone has questions about selinux join #fedora-selinux and/or #selinux
 20:57 < fengshaun> but date -u gives me 19:58!  is my clock wrong?
 20:57 < Ineluctable> thank you
 20:58 < jds2001> fengshaun: an hour off.
 20:58 < fengshaun> jds2001, oh god!
 20:58 < herlo> linuxguru: right, so I'd consider a tighter policy or modify the policy to adjust the unconfined processes
 20:58 <@nirik> thanks herlo !
 20:58 < herlo> linuxguru: so they aren't unconfined
 20:58 < SSlater> ?
 20:58 < herlo> SSlater: go
 20:58 < zless> i'd just like to say that selinux has been "in the background" in f9 (for the desktop) much more than previously. the #1 thing i need to tweak is allowing firefox to use non-standard ports.
 20:59 < SSlater> Why does sealert sometimes give a proposed solution and other times not?
 20:59 < zless> e.g.: semanage port -a -t http_port -p tcp 8880
 20:59 < domg472_> that's not a valid type zless
 20:59 < stmg_> thanks so mucj
 20:59 < zless> domg472_, _t
 20:59  * nirik notes the next class up is Jon Stanley ( jds2001 ) - An introduction to Bugzilla 
 20:59 < jds2001> httpd_t would be in that case.
 20:59 < stmg_> *much
 21:00 < zless> domg472_, synergyc isn't up here atm, so had to go from memory
 21:00 < domg472_>  join #fedora-selinux for details
 21:00 < herlo> SSlater: I believe that if the policy knows how to solve it the solution can be given. If the policy writer didn't anticipate that sort of thing, it's kind of hard to give a solution
 21:00 < Dufflepod> Thanks herlo
 21:00 < herlo> ciao all
 21:00 < herlo> on to jds2001