From Fedora Project Wiki
(Redirected from Classroom/SELinux Basics)
Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008
IRC Log of the Class
| -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - Introduction - See Communicate/IRC/Classroom for more info | 20:00 | |
| @nirik | A few general guidelines: Please try to keep on topic... if you have general fedora questions, #fedora is open for business as usual. | 20:01 |
|---|---|---|
| @nirik | If you want some more social chatting, #fedora-social is open for that. | 20:01 |
| @nirik | Some teachers may want you to hold questions, and some will want you to just chime in... they will say when they start their session. | 20:01 |
| Guest86715 | nick brunowolff | 20:02 |
| Guest86715 | \nick brunowolff | 20:02 |
| @nirik | Also, note that I will be logging the classes for posting on the wiki. | 20:02 |
| @nirik | So, our first class up today is SElinux Basics. Without further jabbering, I will hand things off to herlo... | 20:02 |
| herlo | Hi all, my name is Clint Savage, and I am North American Fedora Ambassador western USA region. I work for a small Linux training company in Utah called Guru Labs. People online call me herlo | 20:02 |
| herlo | thanks nirik | 20:02 |
| herlo | so for those of you who might have missed it, I have slides up | 20:03 |
| herlo | Classroom/SELinux_Basics | 20:03 |
| herlo | from that link you can get either pdf or odp | 20:03 |
| -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo - See Communicate/IRC/Classroom for more info | 20:03 | |
| herlo | I'll be pretty much following the flow there. If you have questions, please feel free to jump in. | 20:03 |
| herlo | SELinux Basics | 20:04 |
| herlo | What is SELinux? | 20:04 |
| linuxguru | Security Enhanced Linux | 20:05 |
| herlo | Well, a few years back, the NSA designed a set of rules that would help in keeping their confidential information safe. One fo the major functionalities that came out of this was SELinux | 20:05 |
| herlo | linuxguru: right, Security Enhanced Linux | 20:05 |
| herlo | one of the things that is interesting about security in Linux is the many ways to protect your boxen | 20:06 |
| herlo | Firewalls, acls, etc. | 20:06 |
| herlo | iptables has been around for some time and does a great job on the network | 20:06 |
| herlo | thing is, it's really intended for network security | 20:07 |
| herlo | so that's one layer | 20:07 |
| herlo | but we want more layers | 20:07 |
| herlo | In Unix we've always had the rwx permissions, which has been pretty good to us | 20:07 |
| herlo | processes check the permissions of a file and make sure they have rights to access the file. | 20:08 |
| herlo | SELinux is just a layer above. | 20:08 |
| herlo | SELinux can protect local filesystems even better, providing tools to make it easy to use the applications without fear of attacks on the system | 20:09 |
| herlo | So two terms came about DAC and MAC | 20:09 |
| herlo | I have two slides describing both | 20:09 |
| herlo | DAC - Discretionary Access Control | 20:09 |
| VileGent | ! when you change page say page please | 20:09 |
| thomasj | :D | 20:09 |
| herlo | This is traditional Linux/Unix type file perms | 20:09 |
| herlo | VileGent: k, that was the first change, and thank you | 20:10 |
| JamesB192_thekky | and ACLs? | 20:10 |
| herlo | the simple rwx permissions, SUID SGID, etc | 20:10 |
| herlo | JamesB192_thekky: ACLs stands for Access Control Lists and is a supplementary feature of many filesystems | 20:10 |
| herlo | as well as many other applications too | 20:11 |
| herlo | the thing about DAC is that it's really what we've been using for 20+ years | 20:11 |
| herlo | nothing has inherently changed about it | 20:11 |
| herlo | it's pretty much the same it was back then and will continue to do a good job of protecting our boxen | 20:11 |
| * nirik notes that this is page 3 on the pdf. | 20:11 | |
| herlo | but here's the thing | 20:12 |
| herlo | What about processes accessing thing that while they have permissions to access, shouldn't be accessing | 20:12 |
| herlo | ? | 20:12 |
| koolhead1 | ? | 20:12 |
| bomama | what? | 20:12 |
| domg472_ | privilege escalation | 20:13 |
| herlo | For instance, should the named (DNS daemon) be accessing files within apache? | 20:13 |
| Abd4llA | nop | 20:13 |
| linuxguru | naw. | 20:13 |
| herlo | domg472_: right, something we don't want to happen | 20:13 |
| herlo | next page | 20:13 |
| herlo | this is where MAC - Mandatory Access Control comes in... | 20:13 |
| brunowolff | I think the main point is that without selinux any process you run has all of your access rights. You don't always want to have that. | 20:13 |
| herlo | brunowolff: correct | 20:13 |
| herlo | brunowolff: many processes, not all | 20:14 |
| LinuxCode | shouldnt questions/comments be directed at the end ? | 20:14 |
| herlo | and it's possible that the process could perform an exploit on an unsecured application | 20:14 |
| LinuxCode | wont get through the class otherwise | 20:14 |
| herlo | LinuxCode: it's fine, questions are good... | 20:14 |
| herlo | LinuxCode: we will... | 20:14 |
| LinuxCode | k ;-] | 20:14 |
| herlo | we're doing fine right now | 20:14 |
| herlo | so MAC | 20:14 |
| koolhead1 | +1 | 20:14 |
| herlo | provides this functionality where instead of standard permissions, we have what's typically called a security context | 20:15 |
| herlo | this security context is part of a policy | 20:15 |
| herlo | and the policy defines the rules as to which processes can access which files | 20:15 |
| linuxguru | one question here. regarding unconfined processes (server stuff) running on the system | 20:16 |
| herlo | this also goes for ports, links, and many other elements in a Linux system | 20:16 |
| herlo | linuxguru: we'll get to that in a minute | 20:16 |
| linuxguru | okay | 20:16 |
| herlo | so the policy says, here's the rule for that process accessing that file, if it's allowed, then the normal permissions apply | 20:16 |
| herlo | if, however, that process is not allowed by policy it is denied | 20:17 |
| herlo | also, if there is no policy rule for that particular process/file, the action is denied | 20:17 |
| herlo | next page | 20:17 |
| herlo | in comes security contexts | 20:17 |
| herlo | this is page 5, btw | 20:18 |
| herlo | each process has a context and each file has a context | 20:18 |
| herlo | in general, we can think of each of the components as another layer where the policy can enforce rules | 20:18 |
| herlo | user:role:type:sensitivity:category | 20:18 |
| herlo | the policy can look at any one fo these component parts of the context and evaluate whether the process can access the file based upon user, a specific role, type, sensitivity or some category definition | 20:19 |
| herlo | you might note that if you run 'ls -Z' on your home directory you'd see something like this | 20:20 |
| herlo | $ ls -Z | 20:20 |
| herlo | -rw-r--r-- clints clints system_u:object_r:user_home_dir_t:s0 (2).bash_logout | 20:20 |
| herlo | -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-200808200.odb | 20:20 |
| herlo | -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-20080820.odb | 20:20 |
| herlo | drwxr-xr-x clints clints unconfined_u:object_r:user_home_t:s0 bin | 20:20 |
| herlo | lrwxrwxrwx clints clints system_u:object_r:user_home_t:s0 Books -> /data/books | 20:20 |
| domg472_ | .bash_logout seems mislabeled | 20:21 |
| herlo | Fedora has implemented everything but the category, but older systems slowly built up from the first three components and are adding slowly | 20:21 |
| daMaestro | .bash_logout is ok | 20:21 |
| herlo | domg472_: probably not, but we'll talk about how to change that shortly... | 20:21 |
| daMaestro | ;-) | 20:21 |
| herlo | processes can also be looked at similarly | 20:21 |
| herlo | ps -ef -Z | grep httpd | 20:22 |
| herlo | unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd | 20:22 |
| herlo | unconfined_u:system_r:httpd_t:s0 apache 6742 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd | 20:22 |
| herlo | unconfined_u:system_r:httpd_t:s0 apache 6743 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd | 20:22 |
| herlo | adding the -Z in either case can provide the context information. | 20:22 |
| herlo | let me do one more listing of files here | 20:22 |
| herlo | ls -Z /var/www/html/ | 20:23 |
| herlo | -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 darkice-ubuntu.cfg | 20:23 |
| herlo | -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks | 20:23 |
| herlo | -rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t:s0 F8VM.ks | 20:23 |
| herlo | the ubuntu file is there because I record my local user groups... :) | 20:23 |
| herlo | anyway, | 20:23 |
| herlo | one thing you'll notice is the similarity in a couple areas between the processes adn the files... | 20:23 |
| Abd4llA | will we get to the meanings for the differents tags ? | 20:23 |
| herlo | Abd4llA: which tags? | 20:23 |
| Abd4llA | object_r , system_r ..etc | 20:24 |
| Abd4llA | in the context | 20:24 |
| daMaestro | unconfined_u:system_r:httpd_t:s0 -> chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE | 20:24 |
| herlo | Abd4llA: yes, we will | 20:24 |
| herlo | daMaestro: we'll get to that soon | 20:24 |
| daMaestro | k | 20:24 |
| herlo | Abd4llA: essentially, the _r stuff implies it's a role component | 20:25 |
| herlo | the _u is for users | 20:25 |
| herlo | _t is for type, etc... | 20:25 |
| herlo | and it has to do with which policy is affecting what parts of the SELinux context | 20:25 |
| herlo | next slide - Default Policy: Targeted | 20:26 |
| Abd4llA | k | 20:26 |
| herlo | when policies are in force, you can look through them in the /selinux virtual filesystem | 20:26 |
| herlo | as I recall, these are read-only | 20:26 |
| herlo | sorry, having a bit of network issues, bear with me | 20:27 |
| herlo | but the /selinux dir is fun to peruse and can teach you a lot about the policy | 20:27 |
| herlo | the policy Fedora installs by default is called the 'Targeted' policy | 20:27 |
| herlo | and primarily uses _t (or type) enforcement | 20:28 |
| domg472_ | and rbac | 20:28 |
| herlo | going back a bit to my example of the apache DocumentRoot /var/ww/html and the httpd process, one might now notice that the processes and files have very similar types | 20:28 |
| herlo | unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd | 20:29 |
| herlo | -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks | 20:29 |
| herlo | in the policy it says, httpd_t processes can access httpd_sys_content_t type files... | 20:29 |
| herlo | next slide: Manipulating Contexts | 20:30 |
| herlo | but sometimes, the contexts are incorrect in the files | 20:30 |
| herlo | and thus the proper process cannot access the file even though its permissions are correct and its in the correct directory | 20:31 |
| herlo | this is where chcon and restorecon come in | 20:31 |
| domg472_ | run it on .bash_logout for example | 20:31 |
| herlo | chcon can modify user, role, type, sensitivity, category on a particular file. Kind of think of it as the chown/chmod for SELinux | 20:31 |
| herlo | domg472_: right | 20:32 |
| herlo | domg472_: in that case, what I'd want to do is run restorecon, because it would follow the policy rules | 20:32 |
| domg472_ | chcon is for unprivileged users, prifileged user should use semanage | 20:32 |
| domg472_ | chcon is not persistent | 20:32 |
| jds2001 | domg472_: it is. | 20:32 |
| domg472_ | restorecon will override | 20:32 |
| jds2001 | oh yes. | 20:32 |
| jds2001 | or a filesystem relabel | 20:33 |
| herlo | # restorecon .bash_logout | 20:33 |
| herlo | [root@herlo-lap clints]# ls -Z .bash_logout | 20:33 |
| herlo | -rw-r--r-- clints clints unconfined_u:object_r:user_home_t:s0 .bash_logout | 20:33 |
| herlo | doplease don't get ahead of where wwe are | 20:33 |
| domg472_ | ok | 20:33 |
| herlo | semanage will work too, but we're not there yet | 20:33 |
| herlo | this is SELinux Basics.. semanage can be used for much more advanced stuffs | 20:34 |
| herlo | domg472_: however, you are right about chcon vs restorecon for who can use it... | 20:34 |
| herlo | next slide: Manage/Modify the Policy | 20:35 |
| nuonguy | herlo: question: how does restorecon know what the context for .bash_logout should be? | 20:36 |
| herlo | essentially, the policy can be in one of three states | 20:36 |
| herlo | nuonguy: the policy knows | 20:36 |
| herlo | nuonguy: I'll show where you can get that information in a short bit | 20:36 |
| nuonguy | k, thanks | 20:36 |
| herlo | nuonguy: but to be honest, you don't actually need to know the policy to be effective with SELinux | 20:36 |
| herlo | which sounds strange, but it's true | 20:37 |
| herlo | however, we show it here shortly | 20:37 |
| nuonguy | even if I need to install an app that provides no selinux/conext info? | 20:37 |
| herlo | the first command 'getenforce' will show you the state of enforcement SELinux is currently in | 20:37 |
| herlo | nuonguy: sure, but we're not going to broach that today | 20:37 |
| herlo | nuonguy: however, I will show you where you can set those rules | 20:38 |
| nuonguy | awesome, thanks | 20:38 |
| herlo | # getenforce | 20:38 |
| herlo | Permissive | 20:38 |
| herlo | to toggle between Permissive and Enforcing, one could use setenforce | 20:39 |
| herlo | # setenforce 1 | 20:39 |
| herlo | [root@herlo-lap ~]# getenforce | 20:39 |
| herlo | Enforcing | 20:39 |
| herlo | However, Disabled can also appear | 20:39 |
| herlo | when getenforce is run | 20:40 |
| herlo | but it must be set and then a reboot will remove the labels (security contexts) from the system... | 20:40 |
| herlo | next slide: making the policy persist | 20:40 |
| herlo | this is where everyone has been jumping to | 20:41 |
| herlo | system-config-selinux is a very nice gui that can manage much of what you'd like to see in an SELinux policy | 20:41 |
| herlo | it can set enforcing, Permissive, Disabled for boot, | 20:41 |
| herlo | it can modify booleans, or small parts of the policy | 20:42 |
| herlo | it can also show you what contexts files/ports/links/etc will have when restorecon is run | 20:42 |
| herlo | as well as allow you to modify the policy rules right there | 20:43 |
| herlo | that's under File Labeling / User Mapping / Network Ports and probably a few others | 20:43 |
| jMCg | I suppose it already has some sensible templates for often used services. | 20:44 |
| herlo | in addition, you can modify /etc/sysconfig/selinux and set the policy and/or Enforcement | 20:44 |
| herlo | jMCg: it does, for type enforcement only | 20:44 |
| herlo | but there are other policies, including strict (which most others are based upon) and Multi-Layer Security (MLS) | 20:44 |
| brunowolff | nuonguy, part of the policy is a set of patterns used be restorecon to decide which is the correct label. The patterns aren't used when creating files normally. | 20:44 |
| herlo | which you can import and install. These use more of the tags of the context.. | 20:44 |
| herlo | brunowolff: yes, correct. Thanks | 20:45 |
| herlo | you can also relabel the system according to the changes made here | 20:45 |
| herlo | another tool listed on this page is semanage | 20:45 |
| herlo | semanage can do many things including many of hte things that system-config-selinux does | 20:46 |
| herlo | it's the command line tool to make policy components stick, including context changes | 20:46 |
| herlo | the best thing I can say about semanage is that it has an excellent man page and shows examples of many things you can do to your system... | 20:46 |
| herlo | getsebool/setsebool are also useful tools if you know the boolean you'd like to change | 20:47 |
| herlo | next slide: Troubleshooting | 20:47 |
| herlo | this is my favorite part | 20:47 |
| herlo | as it says in the slide, many people turn SELinux off because they can't understand the avc messages in the logs | 20:48 |
| herlo | /var/log/audit/audit.log shows many of these messages and an experienced SELinux user can learn what these things mean | 20:49 |
| fengshaun | excuse me, where can we get the slides? | 20:49 |
| herlo | but most people have a hard time reading them... | 20:49 |
| herlo | fengshaun: Classroom/SELinux_Basics | 20:49 |
| fengshaun | thank you | 20:49 |
| herlo | np | 20:49 |
| herlo | so here's the tool that will make it easier than ever to read those messages | 20:49 |
| herlo | setroubleshoot | 20:49 |
| herlo | the daemon /usr/sbin/setroubleshootd, available in the setroubleshoot-server rpm | 20:50 |
| herlo | is my favorite friend | 20:50 |
| herlo | it's a sysV service that provides clear text solutions for allowing access when something doesn't work right | 20:50 |
| herlo | because odds are, the user's permissions are correct, but SELinux is causing some sort of issue | 20:51 |
| herlo | so I install setroubleshoot-server | 20:51 |
| herlo | next slide: troubleshooting cont'd | 20:51 |
| herlo | page 11 | 20:51 |
| herlo | and then run | 20:52 |
| herlo | /etc/init.d/setroubleshoot start | 20:52 |
| herlo | all of the sudden, I get clear messages in /var/log/messages | 20:52 |
| domg472_ | setroubleshoot is enabled by default | 20:52 |
| herlo | domg472_: setroubleshoot is the client tools | 20:52 |
| herlo | setroubleshoot-server might be enabled by default, I hadn't checked | 20:52 |
| * thomasj reminds domg472_ that this is herlo's class. So please let him teach, he's doing a great job. | 20:53 | |
| domg472_ | ok | 20:53 |
| herlo | but it's going to tell you to look at a specific sealert message | 20:53 |
| herlo | copying the sealert command along with ath ugly long string... | 20:53 |
| herlo | and voila, you have a solution as to how to allow access. | 20:53 |
| herlo | for those of you who like gui's try sealert -b | 20:54 |
| herlo | that's the sealert browser and it can also be launched from the Notification Area (the little star) in GNOME | 20:54 |
| herlo | NOW | 20:54 |
| herlo | here's the onlyt thing I want to warn you on | 20:54 |
| herlo | don't by any circumstances take 'Allowing Access' to mean that you *should* perform the task listed there | 20:55 |
| herlo | instead, you should use your critical minds and make a smart decision regarding whether allowing access is the right thing to do | 20:55 |
| herlo | so I'm out of material and it looks like out of time | 20:56 |
| herlo | any questions about this process? | 20:56 |
| jMCg | Ad troubleshooting. | 20:56 |
| kdn | Great job; thanks. | 20:56 |
| jMCg | What troubles me most, is to remember that there's SELinux, and it could be responsible. | 20:56 |
| * VileGent gives herlo a hand and thanks | 20:56 | |
| thomasj | +1 | 20:56 |
| * erinlea80 applauds! | 20:57 | |
| kdn | +1 | 20:57 |
| poti | +1 | 20:57 |
| djohngo | herlo: Thanks! | 20:57 |
| domg472_ | thanks | 20:57 |
| * fengshaun applauds too! | 20:57 | |
| jds2001 | great job herlo :) | 20:57 |
| brunowolff | The resources didn't include Dan Walsh's journal (http://danwalsh.livejournal.com/) which has up to date info about selinux. | 20:57 |
| thomasj | herlo, awesome, thank you very much | 20:57 |
| SSlater | +1 | 20:57 |
| herlo | jMCg: yes, I understand that, but it will become much more normal as you get used to it | 20:57 |
| * JMakey thanks herlo | 20:57 | |
| herlo | brunowolff: oh, yes, I should add that | 20:57 |
| jMCg | When you get an EACCESS, you think of permissions, it'd be great if there was some different class of error to be used... | 20:57 |
| Bugz | herlo: Very good, thanks | 20:57 |
| linuxguru | yeah i had this doubt about unconfined processes running on my system. if a attacker is able to compromise my system using those processes (which have ports opened) will he be able to access stuff which is managed by selinux like confined processes such apache/samba etc. | 20:57 |
| herlo | I'm glad you all liked it | 20:57 |
| zless | thanks herlo. | 20:57 |
| domg472_ | if anyone has questions about selinux join #fedora-selinux and/or #selinux | 20:57 |
| fengshaun | but date -u gives me 19:58! is my clock wrong? | 20:57 |
| Ineluctable | thank you | 20:57 |
| jds2001 | fengshaun: an hour off. | 20:58 |
| fengshaun | jds2001, oh god! | 20:58 |
| herlo | linuxguru: right, so I'd consider a tighter policy or modify the policy to adjust the unconfined processes | 20:58 |
| @nirik | thanks herlo ! | 20:58 |
| herlo | linuxguru: so they aren't unconfined | 20:58 |
| SSlater | ? | 20:58 |
| herlo | SSlater: go | 20:58 |
| zless | i'd just like to say that selinux has be "in the background" in f9 (for the desktop) much more than previously. the #1 thing i need to tweak is allowing firefox to use notstandard ports. | 20:58 |
| SSlater | Why does sealert sometimes give a proposed solution and othertimes Not? | 20:59 |
| zless | e.g.: semanage port -a -t http_port -p tcp 8880 | 20:59 |
| domg472_ | that not a valid type zless | 20:59 |
| stmg_ | thanks so mucj | 20:59 |
| zless | domg472_, _t | 20:59 |
| * nirik notes the next class up is Jon Stanley ( jds2001 ) - An introduction to Bugzilla | 20:59 | |
| jds2001 | httpd_t would be in that case. | 20:59 |
| stmg_ | *much | 20:59 |
| zless | domg472_, synergyc isn't up here atm, so had to go from memory | 21:00 |
| domg472_ | join #fedora-selinux for details | 21:00 |
| herlo | SSlater: I believe that if the policy knows how to solve it the solution can be given. If the policy writer didn't anticipate that sort of thing, it's kind of hard to give a solution | 21:00 |
| Dufflepod | Thanks herlo | 21:00 |
| herlo | ciao all | 21:00 |
| herlo | on to jds2001 | 21:00 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!