HOW TO USE SELINUX - NO I DON'T MEAN TURN IT OFF
CHUCK REEVES @MANCHUCK
ZendCon 2016
ABOUT
▸ Built using Kernel Modules
▸ More permissions than CRUD and Access
▸ Allows Multi-Level Security using BLP and Biba Models
▸ Permissions set on the inode instead of the file
▸ Mandatory Access Control (MAC)
WHAT YOU NEED TO KNOW
▸ Each inode is given a single context
▸ Each context identifies a user, role, type and level
▸ SELINUX then allows (or denies) access using the context with a policy
▸ Decision is cached in the Access Vector Cache (AVC)
▸ Decision is made after the DAC access is checked
WHAT YOU NEED TO KNOW
▸ SELINUX manages:
  ▸ Users
  ▸ Sockets
  ▸ Memory
  ▸ Directories
  ▸ TCP/UDP connections
PROCESS TYPES
▸ Confined
  ▸ Runs in its own domain (role)
  ▸ Resources are limited to the roles and policy
▸ Unconfined
  ▸ Falls back to the DAC policies
CONTEXTS
▸ Policy checks context of inode for access
▸ "If a process is running with <context_foo> then anything with <context_foo_type> is allowed access"
▸ Four parts: user, role, type and level (optional)
CONTEXTS
▸ Set automatically based on the parent context (mostly)
▸ RPM
▸ Management tools (ansible, chef, puppet)
▸ When a file transitions (moving an uploaded file)
▸ By the sysadmin with chcon, restorecon
FINDING CONTEXT
ls -alZ /home
FINDING CONTEXT
ps -Z
BOOLEANS
▸ On/off settings for policies
▸ Allow HTTPD to make network connections
▸ Allow FTP to access home directories
▸ Overcomes issues with over-labeling contexts
TURNING IT BACK ON
▸ TARGETED
▸ PERMISSIVE
▸ DISABLED (You already know this one)
TURNING IT BACK ON
<edit> /etc/selinux/config
TURNING IT BACK ON
sudo yum install setroubleshoot setroubleshoot-server
sudo service auditd restart
TURNING IT BACK ON
ls -alZ
sudo touch /.autorelabel
TURNING IT BACK ON
ls -alZ
TROUBLESHOOTING EXAMPLE: DATABASE
tail -f /var/log/audit/audit.log
TROUBLESHOOTING EXAMPLE: DATABASE
tail -f /var/log/messages
TROUBLESHOOTING EXAMPLE: DATABASE
sealert -l <message id>
BOOLEANS
setsebool -P httpd_can_network_connect 1
BOOLEANS
semanage boolean -l | grep httpd_enable_ftp_server
BOOLEANS
getsebool -a
getsebool <boolean>
BOOLEANS
semanage boolean -l | grep httpd_enable_ftp_server
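
Booleans set with setsebool -P persist, so it helps to compare the live state against a reviewed list. Added example (not from the talk): a shell function that reads getsebool -a style output and reports drift from a baseline. The sample state, the baseline and the function names are constructed for this example; httpd_can_network_connect_db and httpd_enable_homedirs are booleans from the Red Hat targeted policy that the slides do not mention.

```shell
#!/usr/bin/env bash
# Added example: report SELinux booleans that differ from a reviewed baseline.
# State lines use the `getsebool -a` format ("name --> on|off"); the sample
# state and the baseline below are constructed for illustration.

sample_getsebool_output() {
cat <<'EOF'
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
EOF
}

# Hypothetical baseline for a web server that only talks to a database:
# the narrower *_connect_db boolean is on, the broad one stays off.
sample_baseline() {
cat <<'EOF'
httpd_can_network_connect off
httpd_can_network_connect_db on
httpd_enable_ftp_server off
EOF
}

# boolean_drift BASELINE_FILE: reads getsebool-style lines on stdin and prints
#   "name expected actual"  for baseline entries whose state differs or is missing
#   "name unlisted on"      for enabled booleans the baseline never reviewed
boolean_drift() {
    awk '
    NF == 3 && $2 == "-->"                 { have[$1] = $3; next }
    NF == 2 && ($2 == "on" || $2 == "off") { want[$1] = $2 }
    END {
        for (name in want) {
            actual = (name in have) ? have[name] : "missing"
            if (actual != want[name]) print name, want[name], actual
        }
        for (name in have)
            if (!(name in want) && have[name] == "on") print name, "unlisted", "on"
    }' "$1" - | LC_ALL=C sort
}

# Demo on the constructed data; on a real host: getsebool -a | boolean_drift baseline.txt
baseline_file=$(mktemp)
sample_baseline > "$baseline_file"
sample_getsebool_output | boolean_drift "$baseline_file"
rm -f "$baseline_file"
```
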
TROUBLESHOOTING EXAMPLE: FILE UPLOAD
ls -Z
TROUBLESHOOTING EXAMPLE: FILE UPLOAD
sealert -l <message id>
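
The denials behind both troubleshooting examples can be read straight from audit.log before turning to sealert. Added example (not from the talk): shell functions that summarise AVC denial records and split a context into its user, role, type and level. The log lines are constructed samples, and the function names and the boolean/label hint are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials from audit.log-style input.
# The log lines are constructed samples; function names are this example's own.

sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1476900000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1476900000.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1476900100.456:789): avc:  denied  { write } for  pid=2345 comm="httpd" name="uploads" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
EOF
}

# context_part CONTEXT N: print part N of user:role:type:level (N = 1..4).
# A level can contain ':' itself (s0-s0:c0.c1023), so part 4 is "the rest".
context_part() {
    case "$2" in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     echo "part must be 1..4" >&2; return 1 ;;
    esac
}

# summarize_avc: read audit records on stdin, print one line per denial:
#   comm|permissions|source type|target type|class|hint
# hint is a first place to look, not a verdict (assumption of this example):
#   boolean -> socket class, check getsebool / semanage boolean -l
#   label   -> anything else, check the target's label with ls -Z
summarize_avc() {
    awk '
    # Return the value of key=value from a record, with quotes stripped.
    function field(line, key,    i, n, parts, v) {
        n = split(line, parts, " ")
        for (i = 1; i <= n; i++)
            if (index(parts[i], key "=") == 1) {
                v = substr(parts[i], length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # The type is the third colon-separated part of a context.
    function ctx_type(ctx,    p) { split(ctx, p, ":"); return p[3] }
    /^type=AVC / && / denied / {
        a = index($0, "{ "); b = index($0, " }")
        perms = substr($0, a + 2, b - a - 2)
        cls = field($0, "tclass")
        hint = (cls ~ /socket$/) ? "boolean" : "label"
        printf "%s|%s|%s|%s|%s|%s\n", field($0, "comm"), perms, \
            ctx_type(field($0, "scontext")), ctx_type(field($0, "tcontext")), cls, hint
    }'
}

# Demo on the constructed sample; on a real host:
#   sudo cat /var/log/audit/audit.log | summarize_avc
sample_audit_log | summarize_avc
```
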
SETTING CONTEXT
chcon -R -t httpd_sys_content_t web/
ls -Z web
SETTING CONTEXT
mkdir web/
touch web/file{1,2,3}
ls -Z web
RESOURCES
▸ Red Hat Documentation for SELINUX: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
▸ Servers for Hackers, Battling SELINUX: https://serversforhackers.com/video/battling-selinux-cast
▸ SELinux For Mere Mortals: https://www.youtube.com/watch?v=MxjenQ31b70
THANKS
CHUCK REEVES @MANCHUCK
