Why do we turn off NSA-grade security features? Early on, SELinux was complex and confusing. Those pains are long gone: the tools for working with SELinux have improved so much that anyone can configure the security layer. One bad chmod on a server can leave you vulnerable, but with SELinux enforcing, a rogue process is confined to what the policy allows it and cannot run havoc across the rest of the system. You'll learn how easy it is to use SELinux and how, with little effort, you can configure and troubleshoot this security feature. Stop leaving gaps in your infrastructure and turn it back on.
ZendCon 2016
HOW TO USE SELINUX - NO I DON'T MEAN TURN IT OFF
ABOUT
▸ Built into the kernel through the Linux Security Modules (LSM) framework
▸ Finer-grained permissions than read/write/execute and a plain access check
▸ Supports Multi-Level Security (MLS): the Bell-LaPadula (BLP) and Biba models can be expressed through MLS levels and constraints
▸ Labels (contexts) are stored as an extended attribute on the inode, so they follow the inode rather than the file name
▸ Mandatory Access Control (MAC): the policy, not the file's owner, decides who gets access
WHAT YOU NEED TO KNOW
▸ Each inode (and each process) carries exactly one security context
▸ A context has four fields: user, role, type and level
▸ SELinux compares the process's context with the object's context against the loaded policy and allows or denies the access
▸ Each decision is cached in the Access Vector Cache (AVC); denials show up as AVC records in the audit log
▸ The SELinux check runs only after the normal DAC check (owner, group, mode) has passed, so it can only take access away, never grant what DAC denies
▸ SELinux labels and controls access to many kinds of object, including:
▸ Users (SELinux users, mapped from Linux logins)
▸ Sockets
▸ Memory (for example making memory executable: execmem, execstack)
▸ Files and directories
▸ TCP/UDP ports and connections
PROCESS TYPES
▸ Confined
▸ Runs in its own domain (a type assigned to the process, e.g. httpd_t)
▸ Access is limited to what the policy grants that domain
▸ Unconfined
▸ Runs in an unconfined domain (e.g. unconfined_t): SELinux adds no real restriction, so effectively only the DAC permissions apply
CONTEXTS
▸ The policy checks the context of the inode (the object) against the context of the process (the subject)
▸ A rule reads as: "a process running in domain <foo_t> may perform these permissions on
objects of type <foo_content_t>"
▸ Four parts: user, role, type and level (level is optional: a targeted system shows s0, and it only matters under MLS/MCS)
▸ Set automatically (mostly): a new file inherits the type of its parent directory unless a type-transition rule in the policy says otherwise
▸ RPM: packages label the files they install
▸ Management tools (ansible, chef, puppet) can set contexts as part of the file resource
▸ When a file is moved: mv keeps the inode and therefore the original label, while cp creates a new inode that gets the destination's default, so an uploaded file mv'ed from a temp or home directory into the web root keeps its old type and httpd is denied
▸ By the sysadmin with chcon (one-off change) or restorecon (reset to the policy's default for the path)
FINDING CONTEXT
ls -alZ /home
ps -Z
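The contexts section and the two finding-context commands above are easiest to see together on real output. The script below is an added example, not code from the deck: it parses contexts the way `ps -eZ` and `ls -Z` print them, reports which domain httpd runs in, and flags files in a web root whose type that domain is not normally allowed to serve (the mv'ed-upload problem). The `ps`/`ls` output is constructed inline rather than captured from a host, the list of acceptable web types is an assumption for the example (it is not read from the loaded policy), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the ZendCon deck: read SELinux contexts the way
# `ps -Z` and `ls -Z` print them, and flag files in a web root whose type the
# httpd_t domain is not normally allowed to serve.

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD), not captured from a host.
SAMPLE_PS_Z='system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:httpd_t:s0 1234 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2001 pts/0 00:00:00 bash'

# Constructed sample of `ls -Z /var/www/html` output (CONTEXT NAME).
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 index.html
system_u:object_r:httpd_sys_rw_content_t:s0 uploads
unconfined_u:object_r:user_home_t:s0 app.php
unconfined_u:object_r:admin_home_t:s0 config.php'

# ctx_field CONTEXT N -> field N of a context: 1=user 2=role 3=type 4=level.
# The level may itself contain ':' (MCS ranges such as s0-s0:c0.c1023), so
# field 4 is everything after the third colon.
ctx_field() {
    case $2 in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# process_domain CMD < ps-eZ-output -> the domain (type) the named command runs in.
process_domain() {
    while read -r ctx pid tty cputime cmd; do
        [ "$cmd" = "$1" ] && { ctx_field "$ctx" 3; return 0; }
    done
    return 1
}

# Types that httpd_t may serve; an assumed list for this example, not read from policy.
WEB_OK_TYPES='httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t'

is_web_type() {
    for t in $WEB_OK_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# mislabeled_web_files < ls-Z-output -> "NAME TYPE" for each entry whose type is
# not one httpd_t may serve. This is exactly what a file mv'ed in from a home
# directory looks like: mv keeps the inode and its label, so the type is wrong.
# The fix is `restorecon -Rv /var/www/html`, which resets each inode to the
# policy's default for its path.
mislabeled_web_files() {
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        ftype=$(ctx_field "$ctx" 3)
        is_web_type "$ftype" || printf '%s %s\n' "$name" "$ftype"
    done
}

echo "httpd runs in domain: $(printf '%s\n' "$SAMPLE_PS_Z" | process_domain httpd)"
echo "files httpd_t will be denied on:"
printf '%s\n' "$SAMPLE_LS_Z" | mislabeled_web_files
```

On a real host, replace the two constructed samples with `ps -eZ` and `ls -Z /var/www/html`; the parsing is the same because both commands print the context as the first whitespace-separated field.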
BOOLEANS
▸ On/off switches that toggle optional rules already in the policy, without writing policy
▸ Allow httpd to make outbound network connections (httpd_can_network_connect)
▸ Allow FTP to access home directories (ftp_home_dir)
▸ Avoid having to relabel files or write custom policy for common cases; list them with getsebool -a, and set them with setsebool -P so the change survives a reboot
TURNING IT BACK ON
▸ Modes: ENFORCING (the policy is applied), PERMISSIVE (violations are only logged, nothing is blocked)
▸ DISABLED (You already know this one)
▸ Policy type: TARGETED (the default; only selected daemons are confined, logged-in users run unconfined)
Edit /etc/selinux/config and set SELINUX=permissive with SELINUXTYPE=targeted; switch it to SELINUX=enforcing once the audit log is clean
sudo yum install setroubleshoot setroubleshoot-server
sudo service auditd restart
ls -alZ    # on a system that ran with SELinux disabled, files are unlabeled or carry stale contexts
sudo touch /.autorelabel    # then reboot: the whole filesystem is relabeled during the next boot
ls -alZ    # after the reboot: every file should now carry a proper context
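The re-enable steps above (config edit, setroubleshoot, auditd restart, autorelabel, reboot, check) as one script, together with the boolean step from the BOOLEANS section. This is an added example, not the deck's own code. It assumes a RHEL/CentOS host with yum and GNU sed; the function names (`set_selinux_mode`, `selinux_config_mode`, `turn_selinux_back_on`) and the `--apply` switch are the example's own. Without `--apply` it only rewrites a constructed copy of /etc/selinux/config, so it can be run anywhere to see the config edit behave.

```shell
#!/bin/sh
# Added example, not code from the deck: switch the mode in /etc/selinux/config
# without clobbering the rest of the file, then run the re-enable steps from the
# slides. The real procedure only runs when the script is started with --apply.

# selinux_config_mode FILE -> the value of the (last) SELINUX= line in FILE.
# Comment lines start with '#', so they never match.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_mode FILE MODE -> rewrite SELINUX= in place. MODE must be one of
# enforcing, permissive, disabled; anything else is rejected before the file is
# touched. SELINUXTYPE= and comments are left alone. The file is overwritten
# through its existing inode (cat > file), so its own SELinux label survives.
set_selinux_mode() {
    file=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: invalid mode '$mode'" >&2; return 2 ;;
    esac
    if grep -q '^SELINUX=' "$file"; then
        tmp=$(mktemp) || return 1
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
    [ "$(selinux_config_mode "$file")" = "$mode" ]
}

# The deck's procedure for a RHEL/CentOS host, run as root. Start permissive so
# nothing is blocked while you review denials, then flip to enforcing.
turn_selinux_back_on() {
    cfg=/etc/selinux/config
    set_selinux_mode "$cfg" permissive || return 1
    yum install -y setroubleshoot setroubleshoot-server
    service auditd restart      # auditd must be restarted via service, not systemctl
    touch /.autorelabel         # every inode is relabeled on the next boot
    cat <<'EOF'
Reboot now. Afterwards:
  ls -alZ /var/www                       # confirm files carry a context
  sealert -a /var/log/audit/audit.log    # read the AVC denials in plain English
  setsebool -P <boolean> on              # e.g. httpd_can_network_connect; -P makes it persist
  setenforce 1                           # enforce now; then set SELINUX=enforcing in the config
EOF
}

if [ "${1:-}" = "--apply" ]; then
    turn_selinux_back_on
else
    # Offline demonstration on a constructed stand-in for /etc/selinux/config.
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
SELINUXTYPE=targeted
EOF
    echo "before: $(selinux_config_mode "$demo")"
    set_selinux_mode "$demo" permissive
    echo "after:  $(selinux_config_mode "$demo")"
    rm -f "$demo"
fi
```

The two-step mode change matters: going straight from disabled to enforcing on a box whose files were never labeled can stop services (and on older releases logins) until the relabel has run, whereas permissive plus a reboot gives you a labeled system and a log of every denial to work through before enforcing.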
RESOURCES
▸ Red Hat documentation for SELinux: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
▸ Servers for Hackers, Battling SELinux: https://serversforhackers.com/video/battling-selinux-cast
▸ SELinux For Mere Mortals: https://www.youtube.com/watch?v=MxjenQ31b70