From Fedora Project Wiki
Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008
IRC Log of the Class
20:00 -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - Introduction - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info 20:01 <@nirik> A few general guidelines: Please try to keep on topic... if you have general fedora questions, #fedora is open for business as usual. 20:01 <@nirik> If you want some more social chatting, #fedora-social is open for that. 20:01 <@nirik> Some teachers may want you to hold questions, and some will want you to just chime in... they will say when they start their session. 20:02 < Guest86715> nick brunowolff 20:02 < Guest86715> \nick brunowolff 20:02 <@nirik> Also, note that I will be logging the classes for posting on the wiki. 20:02 <@nirik> So, our first class up today is SElinux Basics. Without further jabbering, I will hand things off to herlo... 20:02 < herlo> Hi all, my name is Clint Savage, and I am North American Fedora Ambassador western USA region. I work for a small Linux training company in Utah called Guru Labs. People online call me herlo 20:02 < herlo> thanks nirik 20:03 < herlo> so for those of you who might have missed it, I have slides up 20:03 < herlo> https://fedoraproject.org/wiki/Classroom/SELinux_Basics 20:03 < herlo> from that link you can get either pdf or odp 20:03 -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info 20:03 < herlo> I'll be pretty much following the flow there. If you have questions, please feel free to jump in. 20:04 < herlo> SELinux Basics 20:04 < herlo> What is SELinux? 20:05 < linuxguru> Security Enhanced Linux 20:05 < herlo> Well, a few years back, the NSA designed a set of rules that would help in keeping their confidential information safe. One fo the major functionalities that came out of this was SELinux 20:05 < herlo> linuxguru: right, Security Enhanced Linux 20:06 < herlo> one of the things that is interesting about security in Linux is the many ways to protect your boxen 20:06 < herlo> Firewalls, acls, etc. 20:06 < herlo> iptables has been around for some time and does a great job on the network 20:07 < herlo> thing is, it's really intended for network security 20:07 < herlo> so that's one layer 20:07 < herlo> but we want more layers 20:07 < herlo> In Unix we've always had the rwx permissions, which has been pretty good to us 20:08 < herlo> processes check the permissions of a file and make sure they have rights to access the file. 20:08 < herlo> SELinux is just a layer above. 20:09 < herlo> SELinux can protect local filesystems even better, providing tools to make it easy to use the applications without fear of attacks on the system 20:09 < herlo> So two terms came about DAC and MAC 20:09 < herlo> I have two slides describing both 20:09 < herlo> DAC - Discretionary Access Control 20:09 < VileGent> ! when you change page say page please 20:09 < thomasj> :D 20:09 < herlo> This is traditional Linux/Unix type file perms 20:10 < herlo> VileGent: k, that was the first change, and thank you 20:10 < JamesB192_thekky> and ACLs? 20:10 < herlo> the simple rwx permissions, SUID SGID, etc 20:10 < herlo> JamesB192_thekky: ACLs stands for Access Control Lists and is a supplementary feature of many filesystems 20:11 < herlo> as well as many other applications too 20:11 < herlo> the thing about DAC is that it's really what we've been using for 20+ years 20:11 < herlo> nothing has inherently changed about it 20:11 < herlo> it's pretty much the same it was back then and will continue to do a good job of protecting our boxen 20:11 * nirik notes that this is page 3 on the pdf. 20:12 < herlo> but here's the thing 20:12 < herlo> What about processes accessing thing that while they have permissions to access, shouldn't be accessing 20:12 < herlo> ? 20:12 < koolhead1> ? 20:12 < bomama> what? 20:13 < domg472_> privilege escalation 20:13 < herlo> For instance, should the named (DNS daemon) be accessing files within apache? 20:13 < Abd4llA> nop 20:13 < linuxguru> naw. 20:13 < herlo> domg472_: right, something we don't want to happen 20:13 < herlo> next page 20:13 < herlo> this is where MAC - Mandatory Access Control comes in... 20:13 < brunowolff> I think the main point is that without selinux any process you run has all of your access rights. You don't always want to have that. 20:13 < herlo> brunowolff: correct 20:14 < herlo> brunowolff: many processes, not all 20:14 < LinuxCode> shouldnt questions/comments be directed at the end ? 20:14 < herlo> and it's possible that the process could perform an exploit on an unsecured application 20:14 < LinuxCode> wont get through the class otherwise 20:14 < herlo> LinuxCode: it's fine, questions are good... 20:14 < herlo> LinuxCode: we will... 20:14 < LinuxCode> k ;-] 20:14 < herlo> we're doing fine right now 20:14 < herlo> so MAC 20:14 < koolhead1> +1 20:15 < herlo> provides this functionality where instead of standard permissions, we have what's typically called a security context 20:15 < herlo> this security context is part of a policy 20:15 < herlo> and the policy defines the rules as to which processes can access which files 20:16 < linuxguru> one question here. regarding unconfined processes (server stuff) running on the system 20:16 < herlo> this also goes for ports, links, and many other elements in a Linux system 20:16 < herlo> linuxguru: we'll get to that in a minute 20:16 < linuxguru> okay 20:16 < herlo> so the policy says, here's the rule for that process accessing that file, if it's allowed, then the normal permissions apply 20:17 < herlo> if, however, that process is not allowed by policy it is denied 20:17 < herlo> also, if there is no policy rule for that particular process/file, the action is denied 20:17 < herlo> next page 20:17 < herlo> in comes security contexts 20:18 < herlo> this is page 5, btw 20:18 < herlo> each process has a context and each file has a context 20:18 < herlo> in general, we can think of each of the components as another layer where the policy can enforce rules 20:18 < herlo> user:role:type:sensitivity:category 20:19 < herlo> the policy can look at any one fo these component parts of the context and evaluate whether the process can access the file based upon user, a specific role, type, sensitivity or some category definition 20:20 < herlo> you might note that if you run 'ls -Z' on your home directory you'd see something like this 20:20 < herlo> $ ls -Z 20:20 < herlo> -rw-r--r-- clints clints system_u:object_r:user_home_dir_t:s0 (2).bash_logout 20:20 < herlo> -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-200808200.odb 20:20 < herlo> -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-20080820.odb 20:20 < herlo> drwxr-xr-x clints clints unconfined_u:object_r:user_home_t:s0 bin 20:20 < herlo> lrwxrwxrwx clints clints system_u:object_r:user_home_t:s0 Books -> /data/books 20:21 < domg472_> .bash_logout seems mislabeled 20:21 < herlo> Fedora has implemented everything but the category, but older systems slowly built up from the first three components and are adding slowly 20:21 < daMaestro> .bash_logout is ok 20:21 < herlo> domg472_: probably not, but we'll talk about how to change that shortly... 20:21 < daMaestro> ;-) 20:21 < herlo> processes can also be looked at similarly 20:22 < herlo> ps -ef -Z | grep httpd 20:22 < herlo> unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22 < herlo> unconfined_u:system_r:httpd_t:s0 apache 6742 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22 < herlo> unconfined_u:system_r:httpd_t:s0 apache 6743 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22 < herlo> adding the -Z in either case can provide the context information. 20:22 < herlo> let me do one more listing of files here 20:23 < herlo> ls -Z /var/www/html/ 20:23 < herlo> -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 darkice-ubuntu.cfg 20:23 < herlo> -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks 20:23 < herlo> -rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t:s0 F8VM.ks 20:23 < herlo> the ubuntu file is there because I record my local user groups... :) 20:23 < herlo> anyway, 20:23 < herlo> one thing you'll notice is the similarity in a couple areas between the processes adn the files... 20:23 < Abd4llA> will we get to the meanings for the differents tags ? 20:23 < herlo> Abd4llA: which tags? 20:24 < Abd4llA> object_r , system_r ..etc 20:24 < Abd4llA> in the context 20:24 < daMaestro> unconfined_u:system_r:httpd_t:s0 -> chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE 20:24 < herlo> Abd4llA: yes, we will 20:24 < herlo> daMaestro: we'll get to that soon 20:24 < daMaestro> k 20:25 < herlo> Abd4llA: essentially, the _r stuff implies it's a role component 20:25 < herlo> the _u is for users 20:25 < herlo> _t is for type, etc... 20:25 < herlo> and it has to do with which policy is affecting what parts of the SELinux context 20:26 < herlo> next slide - Default Policy: Targeted 20:26 < Abd4llA> k 20:26 < herlo> when policies are in force, you can look through them in the /selinux virtual filesystem 20:26 < herlo> as I recall, these are read-only 20:27 < herlo> sorry, having a bit of network issues, bear with me 20:27 < herlo> but the /selinux dir is fun to peruse and can teach you a lot about the policy 20:27 < herlo> the policy Fedora installs by default is called the 'Targeted' policy 20:28 < herlo> and primarily uses _t (or type) enforcement 20:28 < domg472_> and rbac 20:28 < herlo> going back a bit to my example of the apache DocumentRoot /var/ww/html and the httpd process, one might now notice that the processes and files have very similar types 20:29 < herlo> unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:29 < herlo> -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks 20:29 < herlo> in the policy it says, httpd_t processes can access httpd_sys_content_t type files... 20:30 < herlo> next slide: Manipulating Contexts 20:30 < herlo> but sometimes, the contexts are incorrect in the files 20:31 < herlo> and thus the proper process cannot access the file even though its permissions are correct and its in the correct directory 20:31 < herlo> this is where chcon and restorecon come in 20:31 < domg472_> run it on .bash_logout for example 20:31 < herlo> chcon can modify user, role, type, sensitivity, category on a particular file. Kind of think of it as the chown/chmod for SELinux 20:32 < herlo> domg472_: right 20:32 < herlo> domg472_: in that case, what I'd want to do is run restorecon, because it would follow the policy rules 20:32 < domg472_> chcon is for unprivileged users, prifileged user should use semanage 20:32 < domg472_> chcon is not persistent 20:32 < jds2001> domg472_: it is. 20:32 < domg472_> restorecon will override 20:32 < jds2001> oh yes. 20:33 < jds2001> or a filesystem relabel 20:33 < herlo> # restorecon .bash_logout 20:33 < herlo> [root@herlo-lap clints]# ls -Z .bash_logout 20:33 < herlo> -rw-r--r-- clints clints unconfined_u:object_r:user_home_t:s0 .bash_logout 20:33 < herlo> do please don't get ahead of where wwe are 20:33 < domg472_> ok 20:33 < herlo> semanage will work too, but we're not there yet 20:34 < herlo> this is SELinux Basics.. semanage can be used for much more advanced stuffs 20:34 < herlo> domg472_: however, you are right about chcon vs restorecon for who can use it... 20:35 < herlo> next slide: Manage/Modify the Policy 20:36 < nuonguy> herlo: question: how does restorecon know what the context for .bash_logout should be? 20:36 < herlo> essentially, the policy can be in one of three states 20:36 < herlo> nuonguy: the policy knows 20:36 < herlo> nuonguy: I'll show where you can get that information in a short bit 20:36 < nuonguy> k, thanks 20:36 < herlo> nuonguy: but to be honest, you don't actually need to know the policy to be effective with SELinux 20:37 < herlo> which sounds strange, but it's true 20:37 < herlo> however, we show it here shortly 20:37 < nuonguy> even if I need to install an app that provides no selinux/conext info? 20:37 < herlo> the first command 'getenforce' will show you the state of enforcement SELinux is currently in 20:37 < herlo> nuonguy: sure, but we're not going to broach that today 20:38 < herlo> nuonguy: however, I will show you where you can set those rules 20:38 < nuonguy> awesome, thanks 20:38 < herlo> # getenforce 20:38 < herlo> Permissive 20:39 < herlo> to toggle between Permissive and Enforcing, one could use setenforce 20:39 < herlo> # setenforce 1 20:39 < herlo> [root@herlo-lap ~]# getenforce 20:39 < herlo> Enforcing 20:39 < herlo> However, Disabled can also appear 20:40 < herlo> when getenforce is run 20:40 < herlo> but it must be set and then a reboot will remove the labels (security contexts) from the system... 20:40 < herlo> next slide: making the policy persist 20:41 < herlo> this is where everyone has been jumping to 20:41 < herlo> system-config-selinux is a very nice gui that can manage much of what you'd like to see in an SELinux policy 20:41 < herlo> it can set enforcing, Permissive, Disabled for boot, 20:42 < herlo> it can modify booleans, or small parts of the policy 20:42 < herlo> it can also show you what contexts files/ports/links/etc will have when restorecon is run 20:43 < herlo> as well as allow you to modify the policy rules right there 20:43 < herlo> that's under File Labeling / User Mapping / Network Ports and probably a few others 20:44 < jMCg> I suppose it already has some sensible templates for often used services. 20:44 < herlo> in addition, you can modify /etc/sysconfig/selinux and set the policy and/or Enforcement 20:44 < herlo> jMCg: it does, for type enforcement only 20:44 < herlo> but there are other policies, including strict (which most others are based upon) and Multi-Layer Security (MLS) 20:44 < brunowolff> nuonguy, part of the policy is a set of patterns used be restorecon to decide which is the correct label. The patterns aren't used when creating files normally. 20:44 < herlo> which you can import and install. These use more of the tags of the context.. 20:45 < herlo> brunowolff: yes, correct. Thanks 20:45 < herlo> you can also relabel the system according to the changes made here 20:45 < herlo> another tool listed on this page is semanage 20:46 < herlo> semanage can do many things including many of hte things that system-config-selinux does 20:46 < herlo> it's the command line tool to make policy components stick, including context changes 20:46 < herlo> the best thing I can say about semanage is that it has an excellent man page and shows examples of many things you can do to your system... 20:47 < herlo> getsebool/setsebool are also useful tools if you know the boolean you'd like to change 20:47 < herlo> next slide: Troubleshooting 20:47 < herlo> this is my favorite part 20:48 < herlo> as it says in the slide, many people turn SELinux off because they can't understand the avc messages in the logs 20:49 < herlo> /var/log/audit/audit.log shows many of these messages and an experienced SELinux user can learn what these things mean 20:49 < fengshaun> excuse me, where can we get the slides? 20:49 < herlo> but most people have a hard time reading them... 20:49 < herlo> fengshaun: https://fedoraproject.org/wiki/Classroom/SELinux_Basics 20:49 < fengshaun> thank you 20:49 < herlo> np 20:49 < herlo> so here's the tool that will make it easier than ever to read those messages 20:49 < herlo> setroubleshoot 20:50 < herlo> the daemon /usr/sbin/setroubleshootd, available in the setroubleshoot-server rpm 20:50 < herlo> is my favorite friend 20:50 < herlo> it's a sysV service that provides clear text solutions for allowing access when something doesn't work right 20:50 -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo (slides at: https://fedoraproject.org/wiki/Classroom/SELinux_Basics) - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info 20:51 < herlo> because odds are, the user's permissions are correct, but SELinux is causing some sort of issue 20:51 < herlo> so I install setroubleshoot-server 20:51 < herlo> next slide: troubleshooting cont'd 20:51 < herlo> page 11 20:52 < herlo> and then run 20:52 < herlo> /etc/init.d/setroubleshoot start 20:52 < herlo> all of the sudden, I get clear messages in /var/log/messages 20:52 < domg472_> setroubleshoot is enabled by default 20:52 < herlo> domg472_: setroubleshoot is the client tools 20:52 < herlo> setroubleshoot-server might be enabled by default, I hadn't checked 20:53 * thomasj reminds domg472_ that this is herlo's class. So please let him teach, he's doing a great job. 20:53 < domg472_> ok 20:53 < herlo> but it's going to tell you to look at a specific sealert message 20:53 < herlo> copying the sealert command along with ath ugly long string... 20:53 < herlo> and voila, you have a solution as to how to allow access. 20:54 < herlo> for those of you who like gui's try sealert -b 20:54 < herlo> that's the sealert browser and it can also be launched from the Notification Area (the little star) in GNOME 20:54 < herlo> NOW 20:54 < herlo> here's the onlyt thing I want to warn you on 20:55 < herlo> don't by any circumstances take 'Allowing Access' to mean that you *should* perform the task listed there 20:55 < herlo> instead, you should use your critical minds and make a smart decision regarding whether allowing access is the right thing to do 20:56 < herlo> so I'm out of material and it looks like out of time 20:56 < herlo> any questions about this process? 20:56 < jMCg> Ad troubleshooting. 20:56 < kdn> Great job; thanks. 20:56 < jMCg> What troubles me most, is to remember that there's SELinux, and it could be responsible. 20:56 * VileGent gives herlo a hand and thanks 20:56 < thomasj> +1 20:57 * erinlea80 applauds! 20:57 < kdn> +1 20:57 < poti> +1 20:57 < djohngo> herlo: Thanks! 20:57 < domg472_> thanks 20:57 * fengshaun applauds too! 20:57 < jds2001> great job herlo :) 20:57 < brunowolff> The resources didn't include Dan Walsh's journal (http://danwalsh.livejournal.com/) which has up to date info about selinux. 20:57 < thomasj> herlo, awesome, thank you very much 20:57 < SSlater> +1 20:57 < herlo> jMCg: yes, I understand that, but it will become much more normal as you get used to it 20:57 * JMakey thanks herlo 20:57 < herlo> brunowolff: oh, yes, I should add that 20:57 < jMCg> When you get an EACCESS, you think of permissions, it'd be great if there was some different class of error to be used... 20:57 < Bugz> herlo: Very good, thanks 20:57 < linuxguru> yeah i had this doubt about unconfined processes running on my system. if a attacker is able to compromise my system using those processes (which have ports opened) will he be able to access stuff which is managed by selinux like confined processes such apache/samba etc. 20:57 < herlo> I'm glad you all liked it 20:57 < zless> thanks herlo. 20:57 < domg472_> if anyone has questions about selinux join #fedora-selinux and/or #selinux 20:57 < fengshaun> but date -u gives me 19:58! is my clock wrong? 20:57 < Ineluctable> thank you 20:58 < jds2001> fengshaun: an hour off. 20:58 < fengshaun> jds2001, oh god! 20:58 < herlo> linuxguru: right, so I'd consider a tighter policy or modify the policy to adjust the unconfined processes 20:58 <@nirik> thanks herlo ! 20:58 < herlo> linuxguru: so they aren't unconfined 20:58 < SSlater> ? 20:58 < herlo> SSlater: go 20:58 < zless> i'd just like to say that selinux has be "in the background" in f9 (for the desktop) much more than previously. the #1 thing i need to tweak is allowing firefox to use notstandard ports. 20:59 < SSlater> Why does sealert sometimes give a proposed solution and othertimes Not? 20:59 < zless> e.g.: semanage port -a -t http_port -p tcp 8880 20:59 < domg472_> that not a valid type zless 20:59 < stmg_> thanks so mucj 20:59 < zless> domg472_, _t 20:59 * nirik notes the next class up is Jon Stanley ( jds2001 ) - An introduction to Bugzilla 20:59 < jds2001> httpd_t would be in that case. 20:59 < stmg_> *much 21:00 < zless> domg472_, synergyc isn't up here atm, so had to go from memory 21:00 < domg472_> join #fedora-selinux for details 21:00 < herlo> SSlater: I believe that if the policy knows how to solve it the solution can be given. If the policy writer didn't anticipate that sort of thing, it's kind of hard to give a solution 21:00 < Dufflepod> Thanks herlo 21:00 < herlo> ciao all 21:00 < herlo> on to jds2001