SELinux Basics (2008-11-08 classroom)

From FedoraProject

Jump to: navigation, search

Fedora Classroom - SELinux Basics - Clint Savage - Saturday, November 7, 2008

IRC Log of the Class

-!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - Introduction - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info 20:00
@nirik A few general guidelines: Please try to keep on topic... if you have general fedora questions, #fedora is open for business as usual. 20:01
@nirik If you want some more social chatting, #fedora-social is open for that. 20:01
@nirik Some teachers may want you to hold questions, and some will want you to just chime in... they will say when they start their session. 20:01
Guest86715 nick brunowolff 20:02
Guest86715 \nick brunowolff 20:02
@nirik Also, note that I will be logging the classes for posting on the wiki. 20:02
@nirik So, our first class up today is SElinux Basics. Without further jabbering, I will hand things off to herlo... 20:02
herlo Hi all, my name is Clint Savage, and I am North American Fedora Ambassador western USA region. I work for a small Linux training company in Utah called Guru Labs. People online call me herlo 20:02
herlo thanks nirik 20:02
herlo so for those of you who might have missed it, I have slides up 20:03
herlo https://fedoraproject.org/wiki/Classroom/SELinux_Basics 20:03
herlo from that link you can get either pdf or odp 20:03
-!- nirik changed the topic of #fedora-classroom to: Fedora Classroom - SElinux Basics with your teacher: herlo - See https://fedoraproject.org/wiki/Communicate/IRC/Classroom for more info 20:03
herlo I'll be pretty much following the flow there. If you have questions, please feel free to jump in. 20:03
herlo SELinux Basics 20:04
herlo What is SELinux? 20:04
linuxguru Security Enhanced Linux 20:05
herlo Well, a few years back, the NSA designed a set of rules that would help in keeping their confidential information safe. One fo the major functionalities that came out of this was SELinux 20:05
herlo linuxguru: right, Security Enhanced Linux 20:05
herlo one of the things that is interesting about security in Linux is the many ways to protect your boxen 20:06
herlo Firewalls, acls, etc. 20:06
herlo iptables has been around for some time and does a great job on the network 20:06
herlo thing is, it's really intended for network security 20:07
herlo so that's one layer 20:07
herlo but we want more layers 20:07
herlo In Unix we've always had the rwx permissions, which has been pretty good to us 20:07
herlo processes check the permissions of a file and make sure they have rights to access the file. 20:08
herlo SELinux is just a layer above. 20:08
herlo SELinux can protect local filesystems even better, providing tools to make it easy to use the applications without fear of attacks on the system 20:09
herlo So two terms came about DAC and MAC 20:09
herlo I have two slides describing both 20:09
herlo DAC - Discretionary Access Control 20:09
VileGent  ! when you change page say page please 20:09
thomasj  :D 20:09
herlo This is traditional Linux/Unix type file perms 20:09
herlo VileGent: k, that was the first change, and thank you 20:10
JamesB192_thekky and ACLs? 20:10
herlo the simple rwx permissions, SUID SGID, etc 20:10
herlo JamesB192_thekky: ACLs stands for Access Control Lists and is a supplementary feature of many filesystems 20:10
herlo as well as many other applications too 20:11
herlo the thing about DAC is that it's really what we've been using for 20+ years 20:11
herlo nothing has inherently changed about it 20:11
herlo it's pretty much the same it was back then and will continue to do a good job of protecting our boxen 20:11
* nirik notes that this is page 3 on the pdf. 20:11
herlo but here's the thing 20:12
herlo What about processes accessing thing that while they have permissions to access, shouldn't be accessing 20:12
herlo  ? 20:12
koolhead1  ? 20:12
bomama what? 20:12
domg472_ privilege escalation 20:13
herlo For instance, should the named (DNS daemon) be accessing files within apache? 20:13
Abd4llA nop 20:13
linuxguru naw. 20:13
herlo domg472_: right, something we don't want to happen 20:13
herlo next page 20:13
herlo this is where MAC - Mandatory Access Control comes in... 20:13
brunowolff I think the main point is that without selinux any process you run has all of your access rights. You don't always want to have that. 20:13
herlo brunowolff: correct 20:13
herlo brunowolff: many processes, not all 20:14
LinuxCode shouldnt questions/comments be directed at the end ? 20:14
herlo and it's possible that the process could perform an exploit on an unsecured application 20:14
LinuxCode wont get through the class otherwise 20:14
herlo LinuxCode: it's fine, questions are good... 20:14
herlo LinuxCode: we will... 20:14
LinuxCode k ;-] 20:14
herlo we're doing fine right now 20:14
herlo so MAC 20:14
koolhead1 +1 20:14
herlo provides this functionality where instead of standard permissions, we have what's typically called a security context 20:15
herlo this security context is part of a policy 20:15
herlo and the policy defines the rules as to which processes can access which files 20:15
linuxguru one question here. regarding unconfined processes (server stuff) running on the system 20:16
herlo this also goes for ports, links, and many other elements in a Linux system 20:16
herlo linuxguru: we'll get to that in a minute 20:16
linuxguru okay 20:16
herlo so the policy says, here's the rule for that process accessing that file, if it's allowed, then the normal permissions apply 20:16
herlo if, however, that process is not allowed by policy it is denied 20:17
herlo also, if there is no policy rule for that particular process/file, the action is denied 20:17
herlo next page 20:17
herlo in comes security contexts 20:17
herlo this is page 5, btw 20:18
herlo each process has a context and each file has a context 20:18
herlo in general, we can think of each of the components as another layer where the policy can enforce rules 20:18
herlo user:role:type:sensitivity:category 20:18
herlo the policy can look at any one fo these component parts of the context and evaluate whether the process can access the file based upon user, a specific role, type, sensitivity or some category definition 20:19
herlo you might note that if you run 'ls -Z' on your home directory you'd see something like this 20:20
herlo $ ls -Z 20:20
herlo -rw-r--r-- clints clints system_u:object_r:user_home_dir_t:s0 (2).bash_logout 20:20
herlo -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-200808200.odb 20:20
herlo -rw-rw-r-- clints clints unconfined_u:object_r:user_home_t:s0 attendees-20080820.odb 20:20
herlo drwxr-xr-x clints clints unconfined_u:object_r:user_home_t:s0 bin 20:20
herlo lrwxrwxrwx clints clints system_u:object_r:user_home_t:s0 Books -> /data/books 20:20
domg472_ .bash_logout seems mislabeled 20:21
herlo Fedora has implemented everything but the category, but older systems slowly built up from the first three components and are adding slowly 20:21
daMaestro .bash_logout is ok 20:21
herlo domg472_: probably not, but we'll talk about how to change that shortly... 20:21
daMaestro  ;-) 20:21
herlo processes can also be looked at similarly 20:21
herlo ps -ef -Z | grep httpd 20:22
herlo unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22
herlo unconfined_u:system_r:httpd_t:s0 apache 6742 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22
herlo unconfined_u:system_r:httpd_t:s0 apache 6743 6740 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:22
herlo adding the -Z in either case can provide the context information. 20:22
herlo let me do one more listing of files here 20:22
herlo ls -Z /var/www/html/ 20:23
herlo -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 darkice-ubuntu.cfg 20:23
herlo -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks 20:23
herlo -rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t:s0 F8VM.ks 20:23
herlo the ubuntu file is there because I record my local user groups... :) 20:23
herlo anyway, 20:23
herlo one thing you'll notice is the similarity in a couple areas between the processes adn the files... 20:23
Abd4llA will we get to the meanings for the differents tags ? 20:23
herlo Abd4llA: which tags? 20:23
Abd4llA object_r , system_r ..etc 20:24
Abd4llA in the context 20:24
daMaestro unconfined_u:system_r:httpd_t:s0 -> chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE 20:24
herlo Abd4llA: yes, we will 20:24
herlo daMaestro: we'll get to that soon 20:24
daMaestro k 20:24
herlo Abd4llA: essentially, the _r stuff implies it's a role component 20:25
herlo the _u is for users 20:25
herlo _t is for type, etc... 20:25
herlo and it has to do with which policy is affecting what parts of the SELinux context 20:25
herlo next slide - Default Policy: Targeted 20:26
Abd4llA k 20:26
herlo when policies are in force, you can look through them in the /selinux virtual filesystem 20:26
herlo as I recall, these are read-only 20:26
herlo sorry, having a bit of network issues, bear with me 20:27
herlo but the /selinux dir is fun to peruse and can teach you a lot about the policy 20:27
herlo the policy Fedora installs by default is called the 'Targeted' policy 20:27
herlo and primarily uses _t (or type) enforcement 20:28
domg472_ and rbac 20:28
herlo going back a bit to my example of the apache DocumentRoot /var/ww/html and the httpd process, one might now notice that the processes and files have very similar types 20:28
herlo unconfined_u:system_r:httpd_t:s0 root 6740 1 0 09:30 ? 00:00:00 /usr/sbin/httpd 20:29
herlo -rw------- apache apache system_u:object_r:httpd_sys_content_t:s0 F8.ks 20:29
herlo in the policy it says, httpd_t processes can access httpd_sys_content_t type files... 20:29
herlo next slide: Manipulating Contexts 20:30
herlo but sometimes, the contexts are incorrect in the files 20:30
herlo and thus the proper process cannot access the file even though its permissions are correct and its in the correct directory 20:31
herlo this is where chcon and restorecon come in 20:31
domg472_ run it on .bash_logout for example 20:31
herlo chcon can modify user, role, type, sensitivity, category on a particular file. Kind of think of it as the chown/chmod for SELinux 20:31
herlo domg472_: right 20:32
herlo domg472_: in that case, what I'd want to do is run restorecon, because it would follow the policy rules 20:32
domg472_ chcon is for unprivileged users, prifileged user should use semanage 20:32
domg472_ chcon is not persistent 20:32
jds2001 domg472_: it is. 20:32
domg472_ restorecon will override 20:32
jds2001 oh yes. 20:32
jds2001 or a filesystem relabel 20:33
herlo # restorecon .bash_logout 20:33
herlo [root@herlo-lap clints]# ls -Z .bash_logout 20:33
herlo -rw-r--r-- clints clints unconfined_u:object_r:user_home_t:s0 .bash_logout 20:33
herlo doplease don't get ahead of where wwe are 20:33
domg472_ ok 20:33
herlo semanage will work too, but we're not there yet 20:33
herlo this is SELinux Basics.. semanage can be used for much more advanced stuffs 20:34
herlo domg472_: however, you are right about chcon vs restorecon for who can use it... 20:34
herlo next slide: Manage/Modify the Policy 20:35
nuonguy herlo: question: how does restorecon know what the context for .bash_logout should be? 20:36
herlo essentially, the policy can be in one of three states 20:36
herlo nuonguy: the policy knows 20:36
herlo nuonguy: I'll show where you can get that information in a short bit 20:36
nuonguy k, thanks 20:36
herlo nuonguy: but to be honest, you don't actually need to know the policy to be effective with SELinux 20:36
herlo which sounds strange, but it's true 20:37
herlo however, we show it here shortly 20:37
nuonguy even if I need to install an app that provides no selinux/conext info? 20:37
herlo the first command 'getenforce' will show you the state of enforcement SELinux is currently in 20:37
herlo nuonguy: sure, but we're not going to broach that today 20:37
herlo nuonguy: however, I will show you where you can set those rules 20:38
nuonguy awesome, thanks 20:38
herlo # getenforce 20:38
herlo Permissive 20:38
herlo to toggle between Permissive and Enforcing, one could use setenforce 20:39
herlo # setenforce 1 20:39
herlo [root@herlo-lap ~]# getenforce 20:39
herlo Enforcing 20:39
herlo However, Disabled can also appear 20:39
herlo when getenforce is run 20:40
herlo but it must be set and then a reboot will remove the labels (security contexts) from the system... 20:40
herlo next slide: making the policy persist 20:40
herlo this is where everyone has been jumping to 20:41
herlo system-config-selinux is a very nice gui that can manage much of what you'd like to see in an SELinux policy 20:41
herlo it can set enforcing, Permissive, Disabled for boot, 20:41
herlo it can modify booleans, or small parts of the policy 20:42
herlo it can also show you what contexts files/ports/links/etc will have when restorecon is run 20:42
herlo as well as allow you to modify the policy rules right there 20:43
herlo that's under File Labeling / User Mapping / Network Ports and probably a few others 20:43
jMCg I suppose it already has some sensible templates for often used services. 20:44
herlo in addition, you can modify /etc/sysconfig/selinux and set the policy and/or Enforcement 20:44
herlo jMCg: it does, for type enforcement only 20:44
herlo but there are other policies, including strict (which most others are based upon) and Multi-Layer Security (MLS) 20:44
brunowolff nuonguy, part of the policy is a set of patterns used be restorecon to decide which is the correct label. The patterns aren't used when creating files normally. 20:44
herlo which you can import and install. These use more of the tags of the context.. 20:44
herlo brunowolff: yes, correct. Thanks 20:45
herlo you can also relabel the system according to the changes made here 20:45
herlo another tool listed on this page is semanage 20:45
herlo semanage can do many things including many of hte things that system-config-selinux does 20:46
herlo it's the command line tool to make policy components stick, including context changes 20:46
herlo the best thing I can say about semanage is that it has an excellent man page and shows examples of many things you can do to your system... 20:46
herlo getsebool/setsebool are also useful tools if you know the boolean you'd like to change 20:47
herlo next slide: Troubleshooting 20:47
herlo this is my favorite part 20:47
herlo as it says in the slide, many people turn SELinux off because they can't understand the avc messages in the logs 20:48
herlo /var/log/audit/audit.log shows many of these messages and an experienced SELinux user can learn what these things mean 20:49
fengshaun excuse me, where can we get the slides? 20:49
herlo but most people have a hard time reading them... 20:49
herlo fengshaun: https://fedoraproject.org/wiki/Classroom/SELinux_Basics 20:49
fengshaun thank you 20:49
herlo np 20:49
herlo so here's the tool that will make it easier than ever to read those messages 20:49
herlo setroubleshoot 20:49
herlo the daemon /usr/sbin/setroubleshootd, available in the setroubleshoot-server rpm 20:50
herlo is my favorite friend 20:50
herlo it's a sysV service that provides clear text solutions for allowing access when something doesn't work right 20:50
herlo because odds are, the user's permissions are correct, but SELinux is causing some sort of issue 20:51
herlo so I install setroubleshoot-server 20:51
herlo next slide: troubleshooting cont'd 20:51
herlo page 11 20:51
herlo and then run 20:52
herlo /etc/init.d/setroubleshoot start 20:52
herlo all of the sudden, I get clear messages in /var/log/messages 20:52
domg472_ setroubleshoot is enabled by default 20:52
herlo domg472_: setroubleshoot is the client tools 20:52
herlo setroubleshoot-server might be enabled by default, I hadn't checked 20:52
* thomasj reminds domg472_ that this is herlo's class. So please let him teach, he's doing a great job. 20:53
domg472_ ok 20:53
herlo but it's going to tell you to look at a specific sealert message 20:53
herlo copying the sealert command along with ath ugly long string... 20:53
herlo and voila, you have a solution as to how to allow access. 20:53
herlo for those of you who like gui's try sealert -b 20:54
herlo that's the sealert browser and it can also be launched from the Notification Area (the little star) in GNOME 20:54
herlo NOW 20:54
herlo here's the onlyt thing I want to warn you on 20:54
herlo don't by any circumstances take 'Allowing Access' to mean that you *should* perform the task listed there 20:55
herlo instead, you should use your critical minds and make a smart decision regarding whether allowing access is the right thing to do 20:55
herlo so I'm out of material and it looks like out of time 20:56
herlo any questions about this process? 20:56
jMCg Ad troubleshooting. 20:56
kdn Great job; thanks. 20:56
jMCg What troubles me most, is to remember that there's SELinux, and it could be responsible. 20:56
* VileGent gives herlo a hand and thanks 20:56
thomasj +1 20:56
* erinlea80 applauds! 20:57
kdn +1 20:57
poti +1 20:57
djohngo herlo: Thanks! 20:57
domg472_ thanks 20:57
* fengshaun applauds too! 20:57
jds2001 great job herlo :) 20:57
brunowolff The resources didn't include Dan Walsh's journal (http://danwalsh.livejournal.com/) which has up to date info about selinux. 20:57
thomasj herlo, awesome, thank you very much 20:57
SSlater +1 20:57
herlo jMCg: yes, I understand that, but it will become much more normal as you get used to it 20:57
* JMakey thanks herlo 20:57
herlo brunowolff: oh, yes, I should add that 20:57
jMCg When you get an EACCESS, you think of permissions, it'd be great if there was some different class of error to be used... 20:57
Bugz herlo: Very good, thanks 20:57
linuxguru yeah i had this doubt about unconfined processes running on my system. if a attacker is able to compromise my system using those processes (which have ports opened) will he be able to access stuff which is managed by selinux like confined processes such apache/samba etc. 20:57
herlo I'm glad you all liked it 20:57
zless thanks herlo. 20:57
domg472_ if anyone has questions about selinux join #fedora-selinux and/or #selinux 20:57
fengshaun but date -u gives me 19:58! is my clock wrong? 20:57
Ineluctable thank you 20:57
jds2001 fengshaun: an hour off. 20:58
fengshaun jds2001, oh god! 20:58
herlo linuxguru: right, so I'd consider a tighter policy or modify the policy to adjust the unconfined processes 20:58
@nirik thanks herlo ! 20:58
herlo linuxguru: so they aren't unconfined 20:58
SSlater  ? 20:58
herlo SSlater: go 20:58
zless i'd just like to say that selinux has be "in the background" in f9 (for the desktop) much more than previously. the #1 thing i need to tweak is allowing firefox to use notstandard ports. 20:58
SSlater Why does sealert sometimes give a proposed solution and othertimes Not? 20:59
zless e.g.: semanage port -a -t http_port -p tcp 8880 20:59
domg472_ that not a valid type zless 20:59
stmg_ thanks so mucj 20:59
zless domg472_, _t 20:59
* nirik notes the next class up is Jon Stanley ( jds2001 ) - An introduction to Bugzilla 20:59
jds2001 httpd_t would be in that case. 20:59
stmg_ *much 20:59
zless domg472_, synergyc isn't up here atm, so had to go from memory 21:00
domg472_ join #fedora-selinux for details 21:00
herlo SSlater: I believe that if the policy knows how to solve it the solution can be given. If the policy writer didn't anticipate that sort of thing, it's kind of hard to give a solution 21:00
Dufflepod Thanks herlo 21:00
herlo ciao all 21:00
herlo on to jds2001 21:00

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!