From Fedora Project Wiki

mNo edit summary
m (internal link cleaning)
 
(5 intermediate revisions by one other user not shown)
Line 1: Line 1:
== Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008 ==
=== Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008 ===


* [http://herlo.fedorapeople.org/files/selinux-basics-fc.pdf PDF Slides]
* [http://herlo.fedorapeople.org/files/selinux-basics-fc.pdf PDF Slides]
* [http://herlo.fedorapeople.org/files/selinux-basics-fc.odp Impress Slides]
* [http://herlo.fedorapeople.org/files/selinux-basics-fc.odp Impress Slides]


The log will be placed here after the session is completed.
==== IRC Log of the Class ====
 
{|
|- id="t20:00"
| colspan="2" | -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - Introduction - See [[Communicate/IRC/Classroom]] for more info
|| [[#t20:00|20:00]]
|- id="t20:01"
! style="background-color: #407a40" | @nirik
| style="color: #407a40" | A few general guidelines: Please try to keep on topic... if you have general fedora questions, #fedora is open for business as usual.
|| [[#t20:01|20:01]]
|- id="t20:01"
! style="background-color: #407a40" | @nirik
| style="color: #407a40" | If you want some more social chatting, #fedora-social is open for that.
|| [[#t20:01|20:01]]
|- id="t20:01"
! style="background-color: #407a40" | @nirik
| style="color: #407a40" | Some teachers may want you to hold questions, and some will want you to just chime in... they will say when they start their session.
|| [[#t20:01|20:01]]
|- id="t20:02"
! style="background-color: #42427e" |  Guest86715
| style="color: #42427e" | nick brunowolff
|| [[#t20:02|20:02]]
|- id="t20:02"
! style="background-color: #42427e" |  Guest86715
| style="color: #42427e" | \nick brunowolff
|| [[#t20:02|20:02]]
|- id="t20:02"
! style="background-color: #407a40" | @nirik
| style="color: #407a40" | Also, note that I will be logging the classes for posting on the wiki.
|| [[#t20:02|20:02]]
|- id="t20:02"
! style="background-color: #407a40" | @nirik
| style="color: #407a40" | So, our first class up today is SElinux Basics. Without further jabbering, I will hand things off to herlo...
|| [[#t20:02|20:02]]
|- id="t20:02"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Hi all, my name is Clint Savage, and I am North American Fedora Ambassador western USA region.  I work for a small Linux training company in Utah called Guru Labs. People online call me herlo
|| [[#t20:02|20:02]]
|- id="t20:02"
! style="background-color: #818144" |  herlo
| style="color: #818144" | thanks nirik
|| [[#t20:02|20:02]]
|- id="t20:03"
! style="background-color: #818144" |  herlo
| style="color: #818144" | so for those of you who might have missed it, I have slides up
|| [[#t20:03|20:03]]
|- id="t20:03"
! style="background-color: #818144" |  herlo
| style="color: #818144" | [[Classroom/SELinux_Basics]]
|| [[#t20:03|20:03]]
|- id="t20:03"
! style="background-color: #818144" |  herlo
| style="color: #818144" | from that link you can get either pdf or odp
|| [[#t20:03|20:03]]
|- id="t20:03"
| colspan="2" | -!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo - See [[Communicate/IRC/Classroom]] for more info
|| [[#t20:03|20:03]]
|- id="t20:03"
! style="background-color: #818144" |  herlo
| style="color: #818144" | I'll be pretty much following the flow there.  If you have questions, please feel free to jump in.
|| [[#t20:03|20:03]]
|- id="t20:04"
! style="background-color: #818144" |  herlo
| style="color: #818144" | SELinux Basics
|| [[#t20:04|20:04]]
|- id="t20:04"
! style="background-color: #818144" |  herlo
| style="color: #818144" | What is SELinux? 
|| [[#t20:04|20:04]]
|- id="t20:05"
! style="background-color: #854685" |  linuxguru
| style="color: #854685" | Security Enhanced Linux
|| [[#t20:05|20:05]]
|- id="t20:05"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Well, a few years back, the NSA designed a set of rules that would help in keeping their confidential information safe.  One fo the major functionalities that came out of this was SELinux
|| [[#t20:05|20:05]]
|- id="t20:05"
! style="background-color: #818144" |  herlo
| style="color: #818144" | linuxguru: right, Security Enhanced Linux
|| [[#t20:05|20:05]]
|- id="t20:06"
! style="background-color: #818144" |  herlo
| style="color: #818144" | one of the things that is interesting about security in Linux is the many ways to protect your boxen
|| [[#t20:06|20:06]]
|- id="t20:06"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Firewalls, acls, etc.
|| [[#t20:06|20:06]]
|- id="t20:06"
! style="background-color: #818144" |  herlo
| style="color: #818144" | iptables has been around for some time and does a great job on the network
|| [[#t20:06|20:06]]
|- id="t20:07"
! style="background-color: #818144" |  herlo
| style="color: #818144" | thing is, it's really intended for network security
|| [[#t20:07|20:07]]
|- id="t20:07"
! style="background-color: #818144" |  herlo
| style="color: #818144" | so that's one layer
|| [[#t20:07|20:07]]
|- id="t20:07"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but we want more layers
|| [[#t20:07|20:07]]
|- id="t20:07"
! style="background-color: #818144" |  herlo
| style="color: #818144" | In Unix we've always had the rwx permissions, which has been pretty good to us
|| [[#t20:07|20:07]]
|- id="t20:08"
! style="background-color: #818144" |  herlo
| style="color: #818144" | processes check the permissions of a file and make sure they have rights to access the file.
|| [[#t20:08|20:08]]
|- id="t20:08"
! style="background-color: #818144" |  herlo
| style="color: #818144" | SELinux is just a layer above.
|| [[#t20:08|20:08]]
|- id="t20:09"
! style="background-color: #818144" |  herlo
| style="color: #818144" | SELinux can protect local filesystems even better, providing tools to make it easy to use the applications without fear of attacks on the system
|| [[#t20:09|20:09]]
|- id="t20:09"
! style="background-color: #818144" |  herlo
| style="color: #818144" | So two terms came about DAC and MAC
|| [[#t20:09|20:09]]
|- id="t20:09"
! style="background-color: #818144" |  herlo
| style="color: #818144" | I have two slides describing both
|| [[#t20:09|20:09]]
|- id="t20:09"
! style="background-color: #818144" |  herlo
| style="color: #818144" | DAC - Discretionary Access Control
|| [[#t20:09|20:09]]
|- id="t20:09"
! style="background-color: #488888" |  VileGent
| style="color: #488888" | ! when you change page say page please
|| [[#t20:09|20:09]]
|- id="t20:09"
! style="background-color: #8c4a4a" |  thomasj
| style="color: #8c4a4a" | :D
|| [[#t20:09|20:09]]
|- id="t20:09"
! style="background-color: #818144" |  herlo
| style="color: #818144" | This is traditional Linux/Unix type file perms
|| [[#t20:09|20:09]]
|- id="t20:10"
! style="background-color: #818144" |  herlo
| style="color: #818144" | VileGent: k, that was the first change, and thank you
|| [[#t20:10|20:10]]
|- id="t20:10"
! style="background-color: #4b904b" |  JamesB192_thekky
| style="color: #4b904b" | and ACLs?
|| [[#t20:10|20:10]]
|- id="t20:10"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the simple rwx permissions, SUID SGID, etc
|| [[#t20:10|20:10]]
|- id="t20:10"
! style="background-color: #818144" |  herlo
| style="color: #818144" | JamesB192_thekky: ACLs stands for Access Control Lists and is a supplementary feature of many filesystems
|| [[#t20:10|20:10]]
|- id="t20:11"
! style="background-color: #818144" |  herlo
| style="color: #818144" | as well as many other applications too
|| [[#t20:11|20:11]]
|- id="t20:11"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the thing about DAC is that it's really what we've been using for 20+ years
|| [[#t20:11|20:11]]
|- id="t20:11"
! style="background-color: #818144" |  herlo
| style="color: #818144" | nothing has inherently changed about it
|| [[#t20:11|20:11]]
|- id="t20:11"
! style="background-color: #818144" |  herlo
| style="color: #818144" | it's pretty much the same it was back then and will continue to do a good job of protecting our boxen
|| [[#t20:11|20:11]]
|- id="t20:11"
| colspan="2" | * nirik notes that this is page 3 on the pdf.
|| [[#t20:11|20:11]]
|- id="t20:12"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but here's the thing
|| [[#t20:12|20:12]]
|- id="t20:12"
! style="background-color: #818144" |  herlo
| style="color: #818144" | What about processes accessing thing that while they have permissions to access, shouldn't be accessing
|| [[#t20:12|20:12]]
|- id="t20:12"
! style="background-color: #818144" |  herlo
| style="color: #818144" | ?
|| [[#t20:12|20:12]]
|- id="t20:12"
! style="background-color: #4d4d93" |  koolhead1
| style="color: #4d4d93" | ?
|| [[#t20:12|20:12]]
|- id="t20:12"
! style="background-color: #97974f" |  bomama
| style="color: #97974f" | what?
|| [[#t20:12|20:12]]
|- id="t20:13"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | privilege escalation
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #818144" |  herlo
| style="color: #818144" | For instance, should the named (DNS daemon) be accessing files within apache?
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #539e9e" |  Abd4llA
| style="color: #539e9e" | nop
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #854685" |  linuxguru
| style="color: #854685" | naw.
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #818144" |  herlo
| style="color: #818144" | domg472_: right, something we don't want to happen
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next page
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this is where MAC - Mandatory Access Control comes in...
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #a25555" |  brunowolff
| style="color: #a25555" | I think the main point is that without selinux any process you run has all of your access rights. You don't always want to have that.
|| [[#t20:13|20:13]]
|- id="t20:13"
! style="background-color: #818144" |  herlo
| style="color: #818144" | brunowolff: correct
|| [[#t20:13|20:13]]
|- id="t20:14"
! style="background-color: #818144" |  herlo
| style="color: #818144" | brunowolff: many processes, not all
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #57a657" |  LinuxCode
| style="color: #57a657" | shouldnt questions/comments be directed at the end ?
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #818144" |  herlo
| style="color: #818144" | and it's possible that the process could perform an exploit on an unsecured application
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #57a657" |  LinuxCode
| style="color: #57a657" | wont get through the class otherwise
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #818144" |  herlo
| style="color: #818144" | LinuxCode: it's fine, questions are good...
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #818144" |  herlo
| style="color: #818144" | LinuxCode: we will...
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #57a657" |  LinuxCode
| style="color: #57a657" | k ;-]
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #818144" |  herlo
| style="color: #818144" | we're doing fine right now
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #818144" |  herlo
| style="color: #818144" | so MAC
|| [[#t20:14|20:14]]
|- id="t20:14"
! style="background-color: #4d4d93" |  koolhead1
| style="color: #4d4d93" | +1
|| [[#t20:14|20:14]]
|- id="t20:15"
! style="background-color: #818144" |  herlo
| style="color: #818144" | provides this functionality where instead of standard permissions, we have what's typically called a security context
|| [[#t20:15|20:15]]
|- id="t20:15"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this security context is part of a policy
|| [[#t20:15|20:15]]
|- id="t20:15"
! style="background-color: #818144" |  herlo
| style="color: #818144" | and the policy defines the rules as to which processes can access which files
|| [[#t20:15|20:15]]
|- id="t20:16"
! style="background-color: #854685" |  linuxguru
| style="color: #854685" | one question here. regarding unconfined processes (server stuff) running on the system
|| [[#t20:16|20:16]]
|- id="t20:16"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this also goes for ports, links, and many other elements in a Linux system
|| [[#t20:16|20:16]]
|- id="t20:16"
! style="background-color: #818144" |  herlo
| style="color: #818144" | linuxguru: we'll get to that in a minute
|| [[#t20:16|20:16]]
|- id="t20:16"
! style="background-color: #854685" |  linuxguru
| style="color: #854685" | okay
|| [[#t20:16|20:16]]
|- id="t20:16"
! style="background-color: #818144" |  herlo
| style="color: #818144" | so the policy says, here's the rule for that process accessing that file, if it's allowed, then the normal permissions apply
|| [[#t20:16|20:16]]
|- id="t20:17"
! style="background-color: #818144" |  herlo
| style="color: #818144" | if, however, that process is not allowed by policy it is denied
|| [[#t20:17|20:17]]
|- id="t20:17"
! style="background-color: #818144" |  herlo
| style="color: #818144" | also, if there is no policy rule for that particular process/file, the action is denied
|| [[#t20:17|20:17]]
|- id="t20:17"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next page
|| [[#t20:17|20:17]]
|- id="t20:17"
! style="background-color: #818144" |  herlo
| style="color: #818144" | in comes security contexts
|| [[#t20:17|20:17]]
|- id="t20:18"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this is page 5, btw
|| [[#t20:18|20:18]]
|- id="t20:18"
! style="background-color: #818144" |  herlo
| style="color: #818144" | each process has a context and each file has a context
|| [[#t20:18|20:18]]
|- id="t20:18"
! style="background-color: #818144" |  herlo
| style="color: #818144" | in general, we can think of each of the components as another layer where the policy can enforce rules
|| [[#t20:18|20:18]]
|- id="t20:18"
! style="background-color: #818144" |  herlo
| style="color: #818144" | user:role:type:sensitivity:category
|| [[#t20:18|20:18]]
|- id="t20:19"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the policy can look at any one fo these component parts of the context and evaluate whether the process can access the file based upon user, a specific role, type, sensitivity or some category definition
|| [[#t20:19|20:19]]
|- id="t20:20"
! style="background-color: #818144" |  herlo
| style="color: #818144" | you might note that if you run 'ls -Z' on your home directory you'd see something like this
|| [[#t20:20|20:20]]
|- id="t20:20"
! style="background-color: #818144" |  herlo
| style="color: #818144" | $ ls -Z
|| [[#t20:20|20:20]]
|- id="t20:20"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-r--r--  clints clints system_u:object_r:user_home_dir_t:s0 (2).bash_logout
|| [[#t20:20|20:20]]
|- id="t20:20"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-rw-r--  clints clints unconfined_u:object_r:user_home_t:s0 attendees-200808200.odb
|| [[#t20:20|20:20]]
|- id="t20:20"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-rw-r--  clints clints unconfined_u:object_r:user_home_t:s0 attendees-20080820.odb
|| [[#t20:20|20:20]]
|- id="t20:20"
! style="background-color: #818144" |  herlo
| style="color: #818144" | drwxr-xr-x  clints clints unconfined_u:object_r:user_home_t:s0 bin
|| [[#t20:20|20:20]]
|- id="t20:20"
! style="background-color: #818144" |  herlo
| style="color: #818144" | lrwxrwxrwx  clints clints system_u:object_r:user_home_t:s0 Books -> /data/books
|| [[#t20:20|20:20]]
|- id="t20:21"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | .bash_logout seems mislabeled
|| [[#t20:21|20:21]]
|- id="t20:21"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Fedora has implemented everything but the category, but older systems slowly built up from the first three components and are adding slowly
|| [[#t20:21|20:21]]
|- id="t20:21"
! style="background-color: #5959a9" |  daMaestro
| style="color: #5959a9" | .bash_logout is ok
|| [[#t20:21|20:21]]
|- id="t20:21"
! style="background-color: #818144" |  herlo
| style="color: #818144" | domg472_: probably not, but we'll talk about how to change that shortly...
|| [[#t20:21|20:21]]
|- id="t20:21"
! style="background-color: #5959a9" |  daMaestro
| style="color: #5959a9" | ;-)
|| [[#t20:21|20:21]]
|- id="t20:21"
! style="background-color: #818144" |  herlo
| style="color: #818144" | processes can also be looked at similarly
|| [[#t20:21|20:21]]
|- id="t20:22"
! style="background-color: #818144" |  herlo
| style="color: #818144" | ps -ef -Z | grep httpd
|| [[#t20:22|20:22]]
|- id="t20:22"
! style="background-color: #818144" |  herlo
| style="color: #818144" | unconfined_u:system_r:httpd_t:s0 root    6740    1  0 09:30 ?        00:00:00 /usr/sbin/httpd
|| [[#t20:22|20:22]]
|- id="t20:22"
! style="background-color: #818144" |  herlo
| style="color: #818144" | unconfined_u:system_r:httpd_t:s0 apache  6742  6740  0 09:30 ?        00:00:00 /usr/sbin/httpd
|| [[#t20:22|20:22]]
|- id="t20:22"
! style="background-color: #818144" |  herlo
| style="color: #818144" | unconfined_u:system_r:httpd_t:s0 apache  6743  6740  0 09:30 ?        00:00:00 /usr/sbin/httpd
|| [[#t20:22|20:22]]
|- id="t20:22"
! style="background-color: #818144" |  herlo
| style="color: #818144" | adding the -Z in either case can provide the context information.
|| [[#t20:22|20:22]]
|- id="t20:22"
! style="background-color: #818144" |  herlo
| style="color: #818144" | let me do one more listing of files here
|| [[#t20:22|20:22]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | ls -Z /var/www/html/
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 darkice-ubuntu.cfg
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-------  apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t:s0 F8VM.ks
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the ubuntu file is there because I record my local user groups... :)
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | anyway,
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | one thing you'll notice is the similarity in a couple areas between the processes adn the files...
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #539e9e" |  Abd4llA
| style="color: #539e9e" | will we get to the meanings for the differents tags ?
|| [[#t20:23|20:23]]
|- id="t20:23"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Abd4llA: which tags?
|| [[#t20:23|20:23]]
|- id="t20:24"
! style="background-color: #539e9e" |  Abd4llA
| style="color: #539e9e" | object_r , system_r ..etc
|| [[#t20:24|20:24]]
|- id="t20:24"
! style="background-color: #539e9e" |  Abd4llA
| style="color: #539e9e" | in the context
|| [[#t20:24|20:24]]
|- id="t20:24"
! style="background-color: #5959a9" |  daMaestro
| style="color: #5959a9" | unconfined_u:system_r:httpd_t:s0 -> chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE
|| [[#t20:24|20:24]]
|- id="t20:24"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Abd4llA: yes, we will
|| [[#t20:24|20:24]]
|- id="t20:24"
! style="background-color: #818144" |  herlo
| style="color: #818144" | daMaestro: we'll get to that soon
|| [[#t20:24|20:24]]
|- id="t20:24"
! style="background-color: #5959a9" |  daMaestro
| style="color: #5959a9" | k
|| [[#t20:24|20:24]]
|- id="t20:25"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Abd4llA: essentially, the _r stuff implies it's a role component
|| [[#t20:25|20:25]]
|- id="t20:25"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the _u is for users
|| [[#t20:25|20:25]]
|- id="t20:25"
! style="background-color: #818144" |  herlo
| style="color: #818144" | _t is for type, etc...
|| [[#t20:25|20:25]]
|- id="t20:25"
! style="background-color: #818144" |  herlo
| style="color: #818144" | and it has to do with which policy is affecting what parts of the SELinux context
|| [[#t20:25|20:25]]
|- id="t20:26"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next slide - Default Policy: Targeted
|| [[#t20:26|20:26]]
|- id="t20:26"
! style="background-color: #539e9e" |  Abd4llA
| style="color: #539e9e" | k
|| [[#t20:26|20:26]]
|- id="t20:26"
! style="background-color: #818144" |  herlo
| style="color: #818144" | when policies are in force, you can look through them in the /selinux virtual filesystem
|| [[#t20:26|20:26]]
|- id="t20:26"
! style="background-color: #818144" |  herlo
| style="color: #818144" | as I recall, these are read-only
|| [[#t20:26|20:26]]
|- id="t20:27"
! style="background-color: #818144" |  herlo
| style="color: #818144" | sorry, having a bit of network issues, bear with me
|| [[#t20:27|20:27]]
|- id="t20:27"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but the /selinux dir is fun to peruse and can teach you a lot about the policy
|| [[#t20:27|20:27]]
|- id="t20:27"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the policy Fedora installs by default is called the 'Targeted' policy
|| [[#t20:27|20:27]]
|- id="t20:28"
! style="background-color: #818144" |  herlo
| style="color: #818144" | and primarily uses _t (or type) enforcement
|| [[#t20:28|20:28]]
|- id="t20:28"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | and rbac
|| [[#t20:28|20:28]]
|- id="t20:28"
! style="background-color: #818144" |  herlo
| style="color: #818144" | going back a bit to my example of the apache DocumentRoot /var/ww/html and the httpd process, one might now notice that the processes and files have very similar types
|| [[#t20:28|20:28]]
|- id="t20:29"
! style="background-color: #818144" |  herlo
| style="color: #818144" |  unconfined_u:system_r:httpd_t:s0 root    6740    1  0 09:30 ?        00:00:00 /usr/sbin/httpd
|| [[#t20:29|20:29]]
|- id="t20:29"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-------  apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks
|| [[#t20:29|20:29]]
|- id="t20:29"
! style="background-color: #818144" |  herlo
| style="color: #818144" | in the policy it says, httpd_t processes can access httpd_sys_content_t type files...
|| [[#t20:29|20:29]]
|- id="t20:30"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next slide: Manipulating Contexts
|| [[#t20:30|20:30]]
|- id="t20:30"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but sometimes, the contexts are incorrect in the files
|| [[#t20:30|20:30]]
|- id="t20:31"
! style="background-color: #818144" |  herlo
| style="color: #818144" | and thus the proper process cannot access the file even though its permissions are correct and its in the correct directory
|| [[#t20:31|20:31]]
|- id="t20:31"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this is where chcon and restorecon come in
|| [[#t20:31|20:31]]
|- id="t20:31"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | run it on .bash_logout for example
|| [[#t20:31|20:31]]
|- id="t20:31"
! style="background-color: #818144" |  herlo
| style="color: #818144" | chcon can modify user, role, type, sensitivity, category on a particular file.  Kind of think of it as the chown/chmod for SELinux
|| [[#t20:31|20:31]]
|- id="t20:32"
! style="background-color: #818144" |  herlo
| style="color: #818144" | domg472_: right
|| [[#t20:32|20:32]]
|- id="t20:32"
! style="background-color: #818144" |  herlo
| style="color: #818144" | domg472_: in that case, what I'd want to do is run restorecon, because it would follow the policy rules
|| [[#t20:32|20:32]]
|- id="t20:32"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | chcon is for unprivileged users, prifileged user should use semanage
|| [[#t20:32|20:32]]
|- id="t20:32"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | chcon is not persistent
|| [[#t20:32|20:32]]
|- id="t20:32"
! style="background-color: #adad5b" |  jds2001
| style="color: #adad5b" | domg472_: it is.
|| [[#t20:32|20:32]]
|- id="t20:32"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | restorecon will override
|| [[#t20:32|20:32]]
|- id="t20:32"
! style="background-color: #adad5b" |  jds2001
| style="color: #adad5b" | oh yes.
|| [[#t20:32|20:32]]
|- id="t20:33"
! style="background-color: #adad5b" |  jds2001
| style="color: #adad5b" | or a filesystem relabel
|| [[#t20:33|20:33]]
|- id="t20:33"
! style="background-color: #818144" |  herlo
| style="color: #818144" | # restorecon .bash_logout
|| [[#t20:33|20:33]]
|- id="t20:33"
! style="background-color: #818144" |  herlo
| style="color: #818144" | [root@herlo-lap clints]# ls -Z .bash_logout
|| [[#t20:33|20:33]]
|- id="t20:33"
! style="background-color: #818144" |  herlo
| style="color: #818144" | -rw-r--r--  clints clints unconfined_u:object_r:user_home_t:s0 .bash_logout
|| [[#t20:33|20:33]]
|- id="t20:33"
! style="background-color: #818144" |  herlo
| style="color: #818144" | doplease don't get ahead of where wwe are
|| [[#t20:33|20:33]]
|- id="t20:33"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | ok
|| [[#t20:33|20:33]]
|- id="t20:33"
! style="background-color: #818144" |  herlo
| style="color: #818144" | semanage will work too, but we're not there yet
|| [[#t20:33|20:33]]
|- id="t20:34"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this is SELinux Basics.. semanage can be used for much more advanced stuffs
|| [[#t20:34|20:34]]
|- id="t20:34"
! style="background-color: #818144" |  herlo
| style="color: #818144" | domg472_: however, you are right about chcon vs restorecon for who can use it...
|| [[#t20:34|20:34]]
|- id="t20:35"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next slide: Manage/Modify the Policy
|| [[#t20:35|20:35]]
|- id="t20:36"
! style="background-color: #b15db1" |  nuonguy
| style="color: #b15db1" | herlo: question: how does restorecon know what the context for .bash_logout should be?
|| [[#t20:36|20:36]]
|- id="t20:36"
! style="background-color: #818144" |  herlo
| style="color: #818144" | essentially, the policy can be in one of three states
|| [[#t20:36|20:36]]
|- id="t20:36"
! style="background-color: #818144" |  herlo
| style="color: #818144" | nuonguy: the policy knows
|| [[#t20:36|20:36]]
|- id="t20:36"
! style="background-color: #818144" |  herlo
| style="color: #818144" | nuonguy: I'll show where you can get that information in a short bit
|| [[#t20:36|20:36]]
|- id="t20:36"
! style="background-color: #b15db1" |  nuonguy
| style="color: #b15db1" | k, thanks
|| [[#t20:36|20:36]]
|- id="t20:36"
! style="background-color: #818144" |  herlo
| style="color: #818144" | nuonguy: but to be honest, you don't actually need to know the policy to be effective with SELinux
|| [[#t20:36|20:36]]
|- id="t20:37"
! style="background-color: #818144" |  herlo
| style="color: #818144" | which sounds strange, but it's true
|| [[#t20:37|20:37]]
|- id="t20:37"
! style="background-color: #818144" |  herlo
| style="color: #818144" | however, we show it here shortly
|| [[#t20:37|20:37]]
|- id="t20:37"
! style="background-color: #b15db1" |  nuonguy
| style="color: #b15db1" | even if I need to install an app that provides no selinux/conext info?
|| [[#t20:37|20:37]]
|- id="t20:37"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the first command 'getenforce' will show you the state of enforcement SELinux is currently in
|| [[#t20:37|20:37]]
|- id="t20:37"
! style="background-color: #818144" |  herlo
| style="color: #818144" | nuonguy: sure, but we're not going to broach that today
|| [[#t20:37|20:37]]
|- id="t20:38"
! style="background-color: #818144" |  herlo
| style="color: #818144" | nuonguy: however, I will show you where you can set those rules
|| [[#t20:38|20:38]]
|- id="t20:38"
! style="background-color: #b15db1" |  nuonguy
| style="color: #b15db1" | awesome, thanks
|| [[#t20:38|20:38]]
|- id="t20:38"
! style="background-color: #818144" |  herlo
| style="color: #818144" | # getenforce
|| [[#t20:38|20:38]]
|- id="t20:38"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Permissive
|| [[#t20:38|20:38]]
|- id="t20:39"
! style="background-color: #818144" |  herlo
| style="color: #818144" | to toggle between Permissive and Enforcing, one could use setenforce
|| [[#t20:39|20:39]]
|- id="t20:39"
! style="background-color: #818144" |  herlo
| style="color: #818144" | # setenforce 1
|| [[#t20:39|20:39]]
|- id="t20:39"
! style="background-color: #818144" |  herlo
| style="color: #818144" | [root@herlo-lap ~]# getenforce
|| [[#t20:39|20:39]]
|- id="t20:39"
! style="background-color: #818144" |  herlo
| style="color: #818144" | Enforcing
|| [[#t20:39|20:39]]
|- id="t20:39"
! style="background-color: #818144" |  herlo
| style="color: #818144" | However, Disabled can also appear
|| [[#t20:39|20:39]]
|- id="t20:40"
! style="background-color: #818144" |  herlo
| style="color: #818144" | when getenforce is run
|| [[#t20:40|20:40]]
|- id="t20:40"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but it must be set and then a reboot will remove the labels (security contexts) from the system...
|| [[#t20:40|20:40]]
|- id="t20:40"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next slide: making the policy persist
|| [[#t20:40|20:40]]
|- id="t20:41"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this is where everyone has been jumping to
|| [[#t20:41|20:41]]
|- id="t20:41"
! style="background-color: #818144" |  herlo
| style="color: #818144" | system-config-selinux is a very nice gui that can manage much of what you'd like to see in an SELinux policy
|| [[#t20:41|20:41]]
|- id="t20:41"
! style="background-color: #818144" |  herlo
| style="color: #818144" | it can set enforcing, Permissive, Disabled for boot,
|| [[#t20:41|20:41]]
|- id="t20:42"
! style="background-color: #818144" |  herlo
| style="color: #818144" | it can modify booleans, or small parts of the policy
|| [[#t20:42|20:42]]
|- id="t20:42"
! style="background-color: #818144" |  herlo
| style="color: #818144" | it can also show you what contexts files/ports/links/etc will have when restorecon is run
|| [[#t20:42|20:42]]
|- id="t20:43"
! style="background-color: #818144" |  herlo
| style="color: #818144" | as well as allow you to modify the policy rules right there
|| [[#t20:43|20:43]]
|- id="t20:43"
! style="background-color: #818144" |  herlo
| style="color: #818144" | that's under File Labeling / User Mapping / Network Ports and probably a few others
|| [[#t20:43|20:43]]
|- id="t20:44"
! style="background-color: #5fb4b4" |  jMCg
| style="color: #5fb4b4" | I suppose it already has some sensible templates for often used services.
|| [[#t20:44|20:44]]
|- id="t20:44"
! style="background-color: #818144" |  herlo
| style="color: #818144" | in addition, you can modify /etc/sysconfig/selinux and set the policy and/or Enforcement
|| [[#t20:44|20:44]]
|- id="t20:44"
! style="background-color: #818144" |  herlo
| style="color: #818144" | jMCg: it does, for type enforcement only
|| [[#t20:44|20:44]]
|- id="t20:44"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but there are other policies, including strict (which most others are based upon) and Multi-Layer Security (MLS)
|| [[#t20:44|20:44]]
|- id="t20:44"
! style="background-color: #a25555" |  brunowolff
| style="color: #a25555" | nuonguy, part of the policy is a set of patterns used be restorecon to decide which is the correct label.  The patterns aren't used when creating files normally.
|| [[#t20:44|20:44]]
|- id="t20:44"
! style="background-color: #818144" |  herlo
| style="color: #818144" | which you can import and install.  These use more of the tags of the context..
|| [[#t20:44|20:44]]
|- id="t20:45"
! style="background-color: #818144" |  herlo
| style="color: #818144" | brunowolff: yes, correct.  Thanks
|| [[#t20:45|20:45]]
|- id="t20:45"
! style="background-color: #818144" |  herlo
| style="color: #818144" | you can also relabel the system according to the changes made here
|| [[#t20:45|20:45]]
|- id="t20:45"
! style="background-color: #818144" |  herlo
| style="color: #818144" | another tool listed on this page is semanage
|| [[#t20:45|20:45]]
|- id="t20:46"
! style="background-color: #818144" |  herlo
| style="color: #818144" | semanage can do many things including many of hte things that system-config-selinux does
|| [[#t20:46|20:46]]
|- id="t20:46"
! style="background-color: #818144" |  herlo
| style="color: #818144" | it's the command line tool to make policy components stick, including context changes
|| [[#t20:46|20:46]]
|- id="t20:46"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the best thing I can say about semanage is that it has an excellent man page and shows examples of many things you can do to your system...
|| [[#t20:46|20:46]]
|- id="t20:47"
! style="background-color: #818144" |  herlo
| style="color: #818144" | getsebool/setsebool are also useful tools if you know the boolean you'd like to change
|| [[#t20:47|20:47]]
|- id="t20:47"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next slide: Troubleshooting
|| [[#t20:47|20:47]]
|- id="t20:47"
! style="background-color: #818144" |  herlo
| style="color: #818144" | this is my favorite part
|| [[#t20:47|20:47]]
|- id="t20:48"
! style="background-color: #818144" |  herlo
| style="color: #818144" | as it says in the slide, many people turn SELinux off because they can't understand the avc messages in the logs
|| [[#t20:48|20:48]]
|- id="t20:49"
! style="background-color: #818144" |  herlo
| style="color: #818144" | /var/log/audit/audit.log shows many of these messages and an experienced SELinux user can learn what these things mean
|| [[#t20:49|20:49]]
|- id="t20:49"
! style="background-color: #b86161" |  fengshaun
| style="color: #b86161" | excuse me, where can we get the slides?
|| [[#t20:49|20:49]]
|- id="t20:49"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but most people have a hard time reading them...
|| [[#t20:49|20:49]]
|- id="t20:49"
! style="background-color: #818144" |  herlo
| style="color: #818144" | fengshaun: [[Classroom/SELinux_Basics]]
|| [[#t20:49|20:49]]
|- id="t20:49"
! style="background-color: #b86161" |  fengshaun
| style="color: #b86161" | thank you
|| [[#t20:49|20:49]]
|- id="t20:49"
! style="background-color: #818144" |  herlo
| style="color: #818144" | np
|| [[#t20:49|20:49]]
|- id="t20:49"
! style="background-color: #818144" |  herlo
| style="color: #818144" | so here's the tool that will make it easier than ever to read those messages
|| [[#t20:49|20:49]]
|- id="t20:49"
! style="background-color: #818144" |  herlo
| style="color: #818144" | setroubleshoot
|| [[#t20:49|20:49]]
|- id="t20:50"
! style="background-color: #818144" |  herlo
| style="color: #818144" | the daemon /usr/sbin/setroubleshootd, available in the setroubleshoot-server rpm
|| [[#t20:50|20:50]]
|- id="t20:50"
! style="background-color: #818144" |  herlo
| style="color: #818144" | is my favorite friend
|| [[#t20:50|20:50]]
|- id="t20:50"
! style="background-color: #818144" |  herlo
| style="color: #818144" | it's a sysV service that provides clear text solutions for allowing access when something doesn't work right
|| [[#t20:50|20:50]]
|- id="t20:51"
! style="background-color: #818144" |  herlo
| style="color: #818144" | because odds are, the user's permissions are correct, but SELinux is causing some sort of issue
|| [[#t20:51|20:51]]
|- id="t20:51"
! style="background-color: #818144" |  herlo
| style="color: #818144" | so I install setroubleshoot-server
|| [[#t20:51|20:51]]
|- id="t20:51"
! style="background-color: #818144" |  herlo
| style="color: #818144" | next slide: troubleshooting cont'd
|| [[#t20:51|20:51]]
|- id="t20:51"
! style="background-color: #818144" |  herlo
| style="color: #818144" | page 11
|| [[#t20:51|20:51]]
|- id="t20:52"
! style="background-color: #818144" |  herlo
| style="color: #818144" | and then run
|| [[#t20:52|20:52]]
|- id="t20:52"
! style="background-color: #818144" |  herlo
| style="color: #818144" | /etc/init.d/setroubleshoot start
|| [[#t20:52|20:52]]
|- id="t20:52"
! style="background-color: #818144" |  herlo
| style="color: #818144" | all of the sudden, I get clear messages in /var/log/messages
|| [[#t20:52|20:52]]
|- id="t20:52"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | setroubleshoot is enabled by default
|| [[#t20:52|20:52]]
|- id="t20:52"
! style="background-color: #818144" |  herlo
| style="color: #818144" | domg472_: setroubleshoot is the client tools
|| [[#t20:52|20:52]]
|- id="t20:52"
! style="background-color: #818144" |  herlo
| style="color: #818144" | setroubleshoot-server might be enabled by default, I hadn't checked
|| [[#t20:52|20:52]]
|- id="t20:53"
| colspan="2" | * thomasj reminds domg472_ that this is herlo's class. So please let him teach, he's doing a great job.
|| [[#t20:53|20:53]]
|- id="t20:53"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | ok
|| [[#t20:53|20:53]]
|- id="t20:53"
! style="background-color: #818144" |  herlo
| style="color: #818144" | but it's going to tell you to look at a specific sealert message
|| [[#t20:53|20:53]]
|- id="t20:53"
! style="background-color: #818144" |  herlo
| style="color: #818144" | copying the sealert command along with ath ugly long string...
|| [[#t20:53|20:53]]
|- id="t20:53"
! style="background-color: #818144" |  herlo
| style="color: #818144" | and voila, you have a solution as to how to allow access.
|| [[#t20:53|20:53]]
|- id="t20:54"
! style="background-color: #818144" |  herlo
| style="color: #818144" | for those of you who like gui's try sealert -b
|| [[#t20:54|20:54]]
|- id="t20:54"
! style="background-color: #818144" |  herlo
| style="color: #818144" | that's the sealert browser and it can also be launched from the Notification Area (the little star) in GNOME
|| [[#t20:54|20:54]]
|- id="t20:54"
! style="background-color: #818144" |  herlo
| style="color: #818144" | NOW
|| [[#t20:54|20:54]]
|- id="t20:54"
! style="background-color: #818144" |  herlo
| style="color: #818144" | here's the onlyt thing I want to warn you on
|| [[#t20:54|20:54]]
|- id="t20:55"
! style="background-color: #818144" |  herlo
| style="color: #818144" | don't by any circumstances take 'Allowing Access' to mean that you *should* perform the task listed there
|| [[#t20:55|20:55]]
|- id="t20:55"
! style="background-color: #818144" |  herlo
| style="color: #818144" | instead, you should use your critical minds and make a smart decision regarding whether allowing access is the right thing to do
|| [[#t20:55|20:55]]
|- id="t20:56"
! style="background-color: #818144" |  herlo
| style="color: #818144" | so I'm out of material and it looks like out of time
|| [[#t20:56|20:56]]
|- id="t20:56"
! style="background-color: #818144" |  herlo
| style="color: #818144" | any questions about this process?
|| [[#t20:56|20:56]]
|- id="t20:56"
! style="background-color: #5fb4b4" |  jMCg
| style="color: #5fb4b4" | Ad troubleshooting.
|| [[#t20:56|20:56]]
|- id="t20:56"
! style="background-color: #62bb62" |  kdn
| style="color: #62bb62" | Great job; thanks.
|| [[#t20:56|20:56]]
|- id="t20:56"
! style="background-color: #5fb4b4" |  jMCg
| style="color: #5fb4b4" | What troubles me most, is to remember that there's SELinux, and it could be responsible.
|| [[#t20:56|20:56]]
|- id="t20:56"
| colspan="2" | * VileGent gives herlo a hand and thanks
|| [[#t20:56|20:56]]
|- id="t20:56"
! style="background-color: #8c4a4a" |  thomasj
| style="color: #8c4a4a" | +1
|| [[#t20:56|20:56]]
|- id="t20:57"
| colspan="2" | * erinlea80 applauds!
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #62bb62" |  kdn
| style="color: #62bb62" | +1
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #6464bf" |  poti
| style="color: #6464bf" | +1
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #c3c366" |  djohngo
| style="color: #c3c366" | herlo: Thanks!
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | thanks
|| [[#t20:57|20:57]]
|- id="t20:57"
| colspan="2" | * fengshaun applauds too!
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #adad5b" |  jds2001
| style="color: #adad5b" | great job herlo :)
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #a25555" |  brunowolff
| style="color: #a25555" | The resources didn't include Dan Walsh's journal (http://danwalsh.livejournal.com/) which has up to date info about selinux.
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #8c4a4a" |  thomasj
| style="color: #8c4a4a" | herlo, awesome, thank you very much
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #c668c6" |  SSlater
| style="color: #c668c6" | +1
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #818144" |  herlo
| style="color: #818144" | jMCg: yes, I understand that, but it will become much more normal as you get used to it
|| [[#t20:57|20:57]]
|- id="t20:57"
| colspan="2" | * JMakey thanks herlo
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #818144" |  herlo
| style="color: #818144" | brunowolff: oh, yes, I should add that
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #5fb4b4" |  jMCg
| style="color: #5fb4b4" | When you get an EACCESS, you think of permissions, it'd be great if there was some different class of error to be used...
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #6acaca" |  Bugz
| style="color: #6acaca" | herlo: Very good, thanks
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #854685" |  linuxguru
| style="color: #854685" | yeah i had this doubt about unconfined processes running on my system. if a attacker is able to compromise my system using those processes (which have ports opened) will he be able to access stuff which is managed by selinux like confined processes such apache/samba etc.
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #818144" |  herlo
| style="color: #818144" | I'm glad you all liked it
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #ce6c6c" |  zless
| style="color: #ce6c6c" | thanks herlo.
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | if anyone has questions about selinux join #fedora-selinux and/or #selinux
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #b86161" |  fengshaun
| style="color: #b86161" | but date -u gives me 19:58!  is my clock wrong?
|| [[#t20:57|20:57]]
|- id="t20:57"
! style="background-color: #6ed16e" |  Ineluctable
| style="color: #6ed16e" | thank you
|| [[#t20:57|20:57]]
|- id="t20:58"
! style="background-color: #adad5b" |  jds2001
| style="color: #adad5b" | fengshaun: an hour off.
|| [[#t20:58|20:58]]
|- id="t20:58"
! style="background-color: #b86161" |  fengshaun
| style="color: #b86161" | jds2001, oh god!
|| [[#t20:58|20:58]]
|- id="t20:58"
! style="background-color: #818144" |  herlo
| style="color: #818144" | linuxguru: right, so I'd consider a tighter policy or modify the policy to adjust the unconfined processes
|| [[#t20:58|20:58]]
|- id="t20:58"
! style="background-color: #407a40" | @nirik
| style="color: #407a40" | thanks herlo !
|| [[#t20:58|20:58]]
|- id="t20:58"
! style="background-color: #818144" |  herlo
| style="color: #818144" | linuxguru: so they aren't unconfined
|| [[#t20:58|20:58]]
|- id="t20:58"
! style="background-color: #c668c6" |  SSlater
| style="color: #c668c6" | ?
|| [[#t20:58|20:58]]
|- id="t20:58"
! style="background-color: #818144" |  herlo
| style="color: #818144" | SSlater: go
|| [[#t20:58|20:58]]
|- id="t20:58"
! style="background-color: #ce6c6c" |  zless
| style="color: #ce6c6c" | i'd just like to say that selinux has be "in the background" in f9 (for the desktop) much more than previously.  the #1 thing i need to tweak is allowing firefox to use notstandard ports.
|| [[#t20:58|20:58]]
|- id="t20:59"
! style="background-color: #c668c6" |  SSlater
| style="color: #c668c6" | Why does sealert sometimes give a proposed solution and othertimes Not?
|| [[#t20:59|20:59]]
|- id="t20:59"
! style="background-color: #ce6c6c" |  zless
| style="color: #ce6c6c" | e.g.: semanage port -a -t http_port -p tcp 8880
|| [[#t20:59|20:59]]
|- id="t20:59"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" | that not a valid type zless
|| [[#t20:59|20:59]]
|- id="t20:59"
! style="background-color: #7070d5" |  stmg_
| style="color: #7070d5" | thanks so mucj
|| [[#t20:59|20:59]]
|- id="t20:59"
! style="background-color: #ce6c6c" |  zless
| style="color: #ce6c6c" | domg472_, _t
|| [[#t20:59|20:59]]
|- id="t20:59"
| colspan="2" | * nirik notes the next class up is Jon Stanley ( jds2001 ) - An introduction to Bugzilla
|| [[#t20:59|20:59]]
|- id="t20:59"
! style="background-color: #adad5b" |  jds2001
| style="color: #adad5b" | httpd_t would be in that case.
|| [[#t20:59|20:59]]
|- id="t20:59"
! style="background-color: #7070d5" |  stmg_
| style="color: #7070d5" | *much
|| [[#t20:59|20:59]]
|- id="t21:00"
! style="background-color: #ce6c6c" |  zless
| style="color: #ce6c6c" | domg472_, synergyc isn't up here atm, so had to go from memory
|| [[#t21:00|21:00]]
|- id="t21:00"
! style="background-color: #9b519b" |  domg472_
| style="color: #9b519b" |  join #fedora-selinux for details
|| [[#t21:00|21:00]]
|- id="t21:00"
! style="background-color: #818144" |  herlo
| style="color: #818144" | SSlater: I believe that if the policy knows how to solve it the solution can be given.  If the policy writer didn't anticipate that sort of thing, it's kind of hard to give a solution
|| [[#t21:00|21:00]]
|- id="t21:00"
! style="background-color: #d9d972" |  Dufflepod
| style="color: #d9d972" | Thanks herlo
|| [[#t21:00|21:00]]
|- id="t21:00"
! style="background-color: #818144" |  herlo
| style="color: #818144" | ciao all
|| [[#t21:00|21:00]]
|- id="t21:00"
! style="background-color: #818144" |  herlo
| style="color: #818144" | on to jds2001
|| [[#t21:00|21:00]]
|}
 
Generated by irclog2html.py 2.7 by [mailto:marius@pov.lt Marius Gedminas] - find it at [http://mg.pov.lt/irclog2html mg.pov.lt]!


[[Category:Classroom]]
[[Category:Classroom]]

Latest revision as of 09:09, 18 September 2016

Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008

IRC Log of the Class

-!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - Introduction - See Communicate/IRC/Classroom for more info 20:00
@nirik A few general guidelines: Please try to keep on topic... if you have general fedora questions, #fedora is open for business as usual. 20:01
@nirik If you want some more social chatting, #fedora-social is open for that. 20:01
@nirik Some teachers may want you to hold questions, and some will want you to just chime in... they will say when they start their session. 20:01
Guest86715 nick brunowolff 20:02
Guest86715 \nick brunowolff 20:02
@nirik Also, note that I will be logging the classes for posting on the wiki. 20:02
@nirik So, our first class up today is SElinux Basics. Without further jabbering, I will hand things off to herlo... 20:02
herlo Hi all, my name is Clint Savage, and I am North American Fedora Ambassador western USA region. I work for a small Linux training company in Utah called Guru Labs. People online call me herlo 20:02
herlo thanks nirik 20:02
herlo so for those of you who might have missed it, I have slides up 20:03
herlo Classroom/SELinux_Basics 20:03
herlo from that link you can get either pdf or odp 20:03
-!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo - See Communicate/IRC/Classroom for more info 20:03
herlo I'll be pretty much following the flow there. If you have questions, please feel free to jump in. 20:03
herlo SELinux Basics 20:04
herlo What is SELinux? 20:04
linuxguru Security Enhanced Linux 20:05
herlo Well, a few years back, the NSA designed a set of rules that would help in keeping their confidential information safe. One fo the major functionalities that came out of this was SELinux 20:05
herlo linuxguru: right, Security Enhanced Linux 20:05
herlo one of the things that is interesting about security in Linux is the many ways to protect your boxen 20:06
herlo Firewalls, acls, etc. 20:06
herlo iptables has been around for some time and does a great job on the network 20:06
herlo thing is, it's really intended for network security 20:07
herlo so that's one layer 20:07
herlo but we want more layers 20:07
herlo In Unix we've always had the rwx permissions, which has been pretty good to us 20:07
herlo processes check the permissions of a file and make sure they have rights to access the file. 20:08
herlo SELinux is just a layer above. 20:08
herlo SELinux can protect local filesystems even better, providing tools to make it easy to use the applications without fear of attacks on the system 20:09
herlo So two terms came about DAC and MAC 20:09
herlo I have two slides describing both 20:09
herlo DAC - Discretionary Access Control 20:09
VileGent ! when you change page say page please 20:09
thomasj :D 20:09
herlo This is traditional Linux/Unix type file perms 20:09
herlo VileGent: k, that was the first change, and thank you 20:10
JamesB192_thekky and ACLs? 20:10
herlo the simple rwx permissions, SUID SGID, etc 20:10
herlo JamesB192_thekky: ACLs stands for Access Control Lists and is a supplementary feature of many filesystems 20:10
herlo as well as many other applications too 20:11
herlo the thing about DAC is that it's really what we've been using for 20+ years 20:11
herlo nothing has inherently changed about it 20:11
herlo it's pretty much the same it was back then and will continue to do a good job of protecting our boxen 20:11
* nirik notes that this is page 3 on the pdf. 20:11
herlo but here's the thing 20:12
herlo What about processes accessing thing that while they have permissions to access, shouldn't be accessing 20:12
herlo ? 20:12
koolhead1 ? 20:12
bomama what? 20:12
domg472_ privilege escalation 20:13
herlo For instance, should the named (DNS daemon) be accessing files within apache? 20:13
Abd4llA nop 20:13
linuxguru naw. 20:13
herlo domg472_: right, something we don't want to happen 20:13
herlo next page 20:13
herlo this is where MAC - Mandatory Access Control comes in... 20:13
brunowolff I think the main point is that without selinux any process you run has all of your access rights. You don't always want to have that. 20:13
herlo brunowolff: correct 20:13
herlo brunowolff: many processes, not all 20:14
LinuxCode shouldnt questions/comments be directed at the end ? 20:14
herlo and it's possible that the process could perform an exploit on an unsecured application 20:14
LinuxCode wont get through the class otherwise 20:14
herlo LinuxCode: it's fine, questions are good... 20:14
herlo LinuxCode: we will... 20:14
LinuxCode k ;-] 20:14
herlo we're doing fine right now 20:14
herlo so MAC 20:14
koolhead1 +1 20:14
herlo provides this functionality where instead of standard permissions, we have what's typically called a security context 20:15
herlo this security context is part of a policy 20:15
herlo and the policy defines the rules as to which processes can access which files 20:15
linuxguru one question here. regarding unconfined processes (server stuff) running on the system 20:16
herlo this also goes for ports, links, and many other elements in a Linux system 20:16
herlo linuxguru: we'll get to that in a minute 20:16
linuxguru okay 20:16
herlo so the policy says, here's the rule for that process accessing that file, if it's allowed, then the normal permissions apply 20:16
herlo if, however, that process is not allowed by policy it is denied 20:17
herlo also, if there is no policy rule for that particular process/file, the action is denied 20:17
herlo next page 20:17
herlo in comes security contexts 20:17
herlo this is page 5, btw 20:18
herlo each process has a context and each file has a context 20:18
herlo in general, we can think of each of the components as another layer where the policy can enforce rules 20:18
herlo user:role:type:sensitivity:category 20:18
herlo the policy can look at any one fo these component parts of the context and evaluate whether the process can access the file based upon user, a specific role, type, sensitivity or some category definition 20:19
herlo you might note that if you run 'ls -Z' on your home directory you'd see something like this 20:20
herlo $ ls -Z 20:20
herlo -rw-r--r-- clints clints system_u:object_r:user_home_dir_t:s0 (2).bash_logout 20:20
herlo -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-200808200.odb 20:20
herlo -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-20080820.odb 20:20
herlo drwxr-xr-x clints clints unconfined_u:object_r:user_home_t:s0 bin 20:20
herlo lrwxrwxrwx clints clints system_u:object_r:user_home_t:s0 Books -> /data/books 20:20
domg472_ .bash_logout seems mislabeled 20:21
herlo Fedora has implemented everything but the category, but older systems slowly built up from the first three components and are adding slowly 20:21
daMaestro .bash_logout is ok 20:21
herlo domg472_: probably not, but we'll talk about how to change that shortly... 20:21
daMaestro ;-) 20:21
herlo processes can also be looked at similarly 20:21
herlo ps -ef -Z | grep httpd 20:22
herlo unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22
herlo unconfined_u:system_r:httpd_t:s0 apache 6742 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22
herlo unconfined_u:system_r:httpd_t:s0 apache 6743 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22
herlo adding the -Z in either case can provide the context information. 20:22
herlo let me do one more listing of files here 20:22
herlo ls -Z /var/www/html/ 20:23
herlo -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 darkice-ubuntu.cfg 20:23
herlo -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks 20:23
herlo -rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t:s0 F8VM.ks 20:23
herlo the ubuntu file is there because I record my local user groups... :) 20:23
herlo anyway, 20:23
herlo one thing you'll notice is the similarity in a couple areas between the processes adn the files... 20:23
Abd4llA will we get to the meanings for the differents tags ? 20:23
herlo Abd4llA: which tags? 20:23
Abd4llA object_r , system_r ..etc 20:24
Abd4llA in the context 20:24
daMaestro unconfined_u:system_r:httpd_t:s0 -> chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE 20:24
herlo Abd4llA: yes, we will 20:24
herlo daMaestro: we'll get to that soon 20:24
daMaestro k 20:24
herlo Abd4llA: essentially, the _r stuff implies it's a role component 20:25
herlo the _u is for users 20:25
herlo _t is for type, etc... 20:25
herlo and it has to do with which policy is affecting what parts of the SELinux context 20:25
herlo next slide - Default Policy: Targeted 20:26
Abd4llA k 20:26
herlo when policies are in force, you can look through them in the /selinux virtual filesystem 20:26
herlo as I recall, these are read-only 20:26
herlo sorry, having a bit of network issues, bear with me 20:27
herlo but the /selinux dir is fun to peruse and can teach you a lot about the policy 20:27
herlo the policy Fedora installs by default is called the 'Targeted' policy 20:27
herlo and primarily uses _t (or type) enforcement 20:28
domg472_ and rbac 20:28
herlo going back a bit to my example of the apache DocumentRoot /var/ww/html and the httpd process, one might now notice that the processes and files have very similar types 20:28
herlo unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:29
herlo -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks 20:29
herlo in the policy it says, httpd_t processes can access httpd_sys_content_t type files... 20:29
herlo next slide: Manipulating Contexts 20:30
herlo but sometimes, the contexts are incorrect in the files 20:30
herlo and thus the proper process cannot access the file even though its permissions are correct and its in the correct directory 20:31
herlo this is where chcon and restorecon come in 20:31
domg472_ run it on .bash_logout for example 20:31
herlo chcon can modify user, role, type, sensitivity, category on a particular file. Kind of think of it as the chown/chmod for SELinux 20:31
herlo domg472_: right 20:32
herlo domg472_: in that case, what I'd want to do is run restorecon, because it would follow the policy rules 20:32
domg472_ chcon is for unprivileged users, prifileged user should use semanage 20:32
domg472_ chcon is not persistent 20:32
jds2001 domg472_: it is. 20:32
domg472_ restorecon will override 20:32
jds2001 oh yes. 20:32
jds2001 or a filesystem relabel 20:33
herlo # restorecon .bash_logout 20:33
herlo [root@herlo-lap clints]# ls -Z .bash_logout 20:33
herlo -rw-r--r-- clints clints unconfined_u:object_r:user_home_t:s0 .bash_logout 20:33
herlo doplease don't get ahead of where wwe are 20:33
domg472_ ok 20:33
herlo semanage will work too, but we're not there yet 20:33
herlo this is SELinux Basics.. semanage can be used for much more advanced stuffs 20:34
herlo domg472_: however, you are right about chcon vs restorecon for who can use it... 20:34
herlo next slide: Manage/Modify the Policy 20:35
nuonguy herlo: question: how does restorecon know what the context for .bash_logout should be? 20:36
herlo essentially, the policy can be in one of three states 20:36
herlo nuonguy: the policy knows 20:36
herlo nuonguy: I'll show where you can get that information in a short bit 20:36
nuonguy k, thanks 20:36
herlo nuonguy: but to be honest, you don't actually need to know the policy to be effective with SELinux 20:36
herlo which sounds strange, but it's true 20:37
herlo however, we show it here shortly 20:37
nuonguy even if I need to install an app that provides no selinux/conext info? 20:37
herlo the first command 'getenforce' will show you the state of enforcement SELinux is currently in 20:37
herlo nuonguy: sure, but we're not going to broach that today 20:37
herlo nuonguy: however, I will show you where you can set those rules 20:38
nuonguy awesome, thanks 20:38
herlo # getenforce 20:38
herlo Permissive 20:38
herlo to toggle between Permissive and Enforcing, one could use setenforce 20:39
herlo # setenforce 1 20:39
herlo [root@herlo-lap ~]# getenforce 20:39
herlo Enforcing 20:39
herlo However, Disabled can also appear 20:39
herlo when getenforce is run 20:40
herlo but it must be set and then a reboot will remove the labels (security contexts) from the system... 20:40
herlo next slide: making the policy persist 20:40
herlo this is where everyone has been jumping to 20:41
herlo system-config-selinux is a very nice gui that can manage much of what you'd like to see in an SELinux policy 20:41
herlo it can set enforcing, Permissive, Disabled for boot, 20:41
herlo it can modify booleans, or small parts of the policy 20:42
herlo it can also show you what contexts files/ports/links/etc will have when restorecon is run 20:42
herlo as well as allow you to modify the policy rules right there 20:43
herlo that's under File Labeling / User Mapping / Network Ports and probably a few others 20:43
jMCg I suppose it already has some sensible templates for often used services. 20:44
herlo in addition, you can modify /etc/sysconfig/selinux and set the policy and/or Enforcement 20:44
herlo jMCg: it does, for type enforcement only 20:44
herlo but there are other policies, including strict (which most others are based upon) and Multi-Layer Security (MLS) 20:44
brunowolff nuonguy, part of the policy is a set of patterns used be restorecon to decide which is the correct label. The patterns aren't used when creating files normally. 20:44
herlo which you can import and install. These use more of the tags of the context.. 20:44
herlo brunowolff: yes, correct. Thanks 20:45
herlo you can also relabel the system according to the changes made here 20:45
herlo another tool listed on this page is semanage 20:45
herlo semanage can do many things including many of hte things that system-config-selinux does 20:46
herlo it's the command line tool to make policy components stick, including context changes 20:46
herlo the best thing I can say about semanage is that it has an excellent man page and shows examples of many things you can do to your system... 20:46
herlo getsebool/setsebool are also useful tools if you know the boolean you'd like to change 20:47
herlo next slide: Troubleshooting 20:47
herlo this is my favorite part 20:47
herlo as it says in the slide, many people turn SELinux off because they can't understand the avc messages in the logs 20:48
herlo /var/log/audit/audit.log shows many of these messages and an experienced SELinux user can learn what these things mean 20:49
fengshaun excuse me, where can we get the slides? 20:49
herlo but most people have a hard time reading them... 20:49
herlo fengshaun: Classroom/SELinux_Basics 20:49
fengshaun thank you 20:49
herlo np 20:49
herlo so here's the tool that will make it easier than ever to read those messages 20:49
herlo setroubleshoot 20:49
herlo the daemon /usr/sbin/setroubleshootd, available in the setroubleshoot-server rpm 20:50
herlo is my favorite friend 20:50
herlo it's a sysV service that provides clear text solutions for allowing access when something doesn't work right 20:50
herlo because odds are, the user's permissions are correct, but SELinux is causing some sort of issue 20:51
herlo so I install setroubleshoot-server 20:51
herlo next slide: troubleshooting cont'd 20:51
herlo page 11 20:51
herlo and then run 20:52
herlo /etc/init.d/setroubleshoot start 20:52
herlo all of the sudden, I get clear messages in /var/log/messages 20:52
domg472_ setroubleshoot is enabled by default 20:52
herlo domg472_: setroubleshoot is the client tools 20:52
herlo setroubleshoot-server might be enabled by default, I hadn't checked 20:52
* thomasj reminds domg472_ that this is herlo's class. So please let him teach, he's doing a great job. 20:53
domg472_ ok 20:53
herlo but it's going to tell you to look at a specific sealert message 20:53
herlo copying the sealert command along with ath ugly long string... 20:53
herlo and voila, you have a solution as to how to allow access. 20:53
herlo for those of you who like gui's try sealert -b 20:54
herlo that's the sealert browser and it can also be launched from the Notification Area (the little star) in GNOME 20:54
herlo NOW 20:54
herlo here's the onlyt thing I want to warn you on 20:54
herlo don't by any circumstances take 'Allowing Access' to mean that you *should* perform the task listed there 20:55
herlo instead, you should use your critical minds and make a smart decision regarding whether allowing access is the right thing to do 20:55
herlo so I'm out of material and it looks like out of time 20:56
herlo any questions about this process? 20:56
jMCg Ad troubleshooting. 20:56
kdn Great job; thanks. 20:56
jMCg What troubles me most, is to remember that there's SELinux, and it could be responsible. 20:56
* VileGent gives herlo a hand and thanks 20:56
thomasj +1 20:56
* erinlea80 applauds! 20:57
kdn +1 20:57
poti +1 20:57
djohngo herlo: Thanks! 20:57
domg472_ thanks 20:57
* fengshaun applauds too! 20:57
jds2001 great job herlo :) 20:57
brunowolff The resources didn't include Dan Walsh's journal (http://danwalsh.livejournal.com/) which has up to date info about selinux. 20:57
thomasj herlo, awesome, thank you very much 20:57
SSlater +1 20:57
herlo jMCg: yes, I understand that, but it will become much more normal as you get used to it 20:57
* JMakey thanks herlo 20:57
herlo brunowolff: oh, yes, I should add that 20:57
jMCg When you get an EACCESS, you think of permissions, it'd be great if there was some different class of error to be used... 20:57
Bugz herlo: Very good, thanks 20:57
linuxguru yeah i had this doubt about unconfined processes running on my system. if a attacker is able to compromise my system using those processes (which have ports opened) will he be able to access stuff which is managed by selinux like confined processes such apache/samba etc. 20:57
herlo I'm glad you all liked it 20:57
zless thanks herlo. 20:57
domg472_ if anyone has questions about selinux join #fedora-selinux and/or #selinux 20:57
fengshaun but date -u gives me 19:58! is my clock wrong? 20:57
Ineluctable thank you 20:57
jds2001 fengshaun: an hour off. 20:58
fengshaun jds2001, oh god! 20:58
herlo linuxguru: right, so I'd consider a tighter policy or modify the policy to adjust the unconfined processes 20:58
@nirik thanks herlo ! 20:58
herlo linuxguru: so they aren't unconfined 20:58
SSlater ? 20:58
herlo SSlater: go 20:58
zless i'd just like to say that selinux has be "in the background" in f9 (for the desktop) much more than previously. the #1 thing i need to tweak is allowing firefox to use notstandard ports. 20:58
SSlater Why does sealert sometimes give a proposed solution and othertimes Not? 20:59
zless e.g.: semanage port -a -t http_port -p tcp 8880 20:59
domg472_ that not a valid type zless 20:59
stmg_ thanks so mucj 20:59
zless domg472_, _t 20:59
* nirik notes the next class up is Jon Stanley ( jds2001 ) - An introduction to Bugzilla 20:59
jds2001 httpd_t would be in that case. 20:59
stmg_ *much 20:59
zless domg472_, synergyc isn't up here atm, so had to go from memory 21:00
domg472_ join #fedora-selinux for details 21:00
herlo SSlater: I believe that if the policy knows how to solve it the solution can be given. If the policy writer didn't anticipate that sort of thing, it's kind of hard to give a solution 21:00
Dufflepod Thanks herlo 21:00
herlo ciao all 21:00
herlo on to jds2001 21:00

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!

Retrieved from "https://fedoraproject.org/w/index.php?title=SELinux_Basics_(2008-11-08_classroom)&oldid=472412"