SELinux in the Enterprise - Red Hat Summit
SELinux in the Enterprise - Red Hat Summit
SELinux in the Enterprise - Red Hat Summit
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Manag<strong>in</strong>g <strong>SEL<strong>in</strong>ux</strong> <strong>in</strong> <strong>the</strong> <strong>Enterprise</strong>Daniel J WalshSenior Pr<strong>in</strong>cipal Software Eng<strong>in</strong>eer@rhatdan, danwalsh.livejournal.com,dwalsh@redat.comJun 12 2013
How to manage <strong>SEL<strong>in</strong>ux</strong> <strong>in</strong> a large environment?●●Move blobs of data to remote mach<strong>in</strong>es.Execute commands on <strong>the</strong> remote mach<strong>in</strong>e.Centralize logg<strong>in</strong>g.Any questions?●
<strong>SEL<strong>in</strong>ux</strong> four th<strong>in</strong>gs1.Label<strong>in</strong>g2.<strong>SEL<strong>in</strong>ux</strong> needs to know•booleans•semanage commands3.Custom policy modules4.You've been hacked!http://danwalsh.livejournal.com/30837.html
<strong>SEL<strong>in</strong>ux</strong> is a Label<strong>in</strong>g System
<strong>SEL<strong>in</strong>ux</strong> is a Label<strong>in</strong>g SystemEvery process has a label
<strong>SEL<strong>in</strong>ux</strong> is a Label<strong>in</strong>g SystemEvery process has a labelEvery file/directory/object has a label
<strong>SEL<strong>in</strong>ux</strong> is a Label<strong>in</strong>g SystemEvery process has a labelEvery file/directory/object has a labelPolicy rules def<strong>in</strong>e how process access objects via labels
<strong>SEL<strong>in</strong>ux</strong> is a Label<strong>in</strong>g SystemEvery process has a labelEvery file/directory/object has a labelPolicy rules def<strong>in</strong>e how process access objects via labelsThe Kernel enforces <strong>the</strong> rules
If a file object is mislabeledyou will get errors?
Someone putSkittles<strong>in</strong> <strong>the</strong>M&Mdispenser!!!
Adm<strong>in</strong>istrators can mess up label<strong>in</strong>g●●Creat<strong>in</strong>g files/directories can cause problems●# mkdir /root/.sshBe careful with <strong>the</strong> mv command●# mv ~/<strong>in</strong>dex.html /var/www/html/If you check <strong>the</strong> Ownership on a new file/directory?
Adm<strong>in</strong>istrators can mess up label<strong>in</strong>g●●Creat<strong>in</strong>g files/directories can cause problems●# mkdir /root/.sshBe careful with <strong>the</strong> mv command●# mv ~/<strong>in</strong>dex.html /var/www/html/If you check <strong>the</strong> Ownership on a new file/directory?Check <strong>the</strong> SELINUX LABEL, or just run restorecon
Adm<strong>in</strong>istrators can mess up label<strong>in</strong>gCreat<strong>in</strong>g files/directories can cause problems●●●# mkdir /root/.sshBe careful with <strong>the</strong> mv command# mv ~/<strong>in</strong>dex.html /var/www/html/restorecon -R -v /root/.ssh /var/www/htmlBIG improvements with label creation <strong>in</strong> RHEL7...http://danwalsh.livejournal.com/46018.html
<strong>SEL<strong>in</strong>ux</strong> likes everyth<strong>in</strong>g to be <strong>in</strong> <strong>the</strong> default locationIf you change <strong>the</strong> location of content, FIX <strong>the</strong> labels.If you put Apache content <strong>in</strong> /srv/myweb execute:●semanage fcontext -a -t httpd_sys_content_t '/src/myweb(/.*)?'
<strong>SEL<strong>in</strong>ux</strong> likes everyth<strong>in</strong>g to be <strong>in</strong> <strong>the</strong> default locationIf you change <strong>the</strong> location of content, FIX <strong>the</strong> labels.If you put Apache content <strong>in</strong> /srv/myweb execute:●semanage fcontext -a -t httpd_sys_content_t '/src/myweb(/.*)?'If you put your homedirs <strong>in</strong> /myhome execute:●semanage fcontext -a -e /home /myhome
<strong>SEL<strong>in</strong>ux</strong> likes everyth<strong>in</strong>g to be <strong>in</strong> <strong>the</strong> default locationIf you change <strong>the</strong> location of content, FIX <strong>the</strong> labels.If you put Apache content <strong>in</strong> /srv/myweb execute●semanage fcontext -a -t httpd_sys_content_t '/src/myweb(/.*)?'If you put your homedirs <strong>in</strong> /myhome execute●semanage fcontext -a -e /home /myhomerestorecon -R -v /myhome /src/myweb
<strong>SEL<strong>in</strong>ux</strong> needs to know?<strong>SEL<strong>in</strong>ux</strong> Least Privilege
<strong>SEL<strong>in</strong>ux</strong> needs to know?Reasonable<strong>SEL<strong>in</strong>ux</strong> Least Privilege
<strong>SEL<strong>in</strong>ux</strong> needs to know?Reasonable<strong>SEL<strong>in</strong>ux</strong> Least PrivilegeStandard configurations should work out of <strong>the</strong> box.
Alter Default Configuration?If you●Change Apache to send email●<strong>SEL<strong>in</strong>ux</strong> needs to know!!!●semanage boolean --on httpd_can_sendmail
Alter Default Configuration?If you●Change Apache to send email●<strong>SEL<strong>in</strong>ux</strong> needs to know!!!●semanage boolean --on httpd_can_sendmail● Change sshd port to port 500?●<strong>SEL<strong>in</strong>ux</strong> needs to know!!!● semanage port -a -t sshd_port_t -p tcp 500
How do I know what types, booleans, port def<strong>in</strong>itionsare available?> 700 man pages added to RHEL6httpd_sel<strong>in</strong>ux(8) <strong>SEL<strong>in</strong>ux</strong> Policy httpd httpd_sel<strong>in</strong>ux(8)NAMEhttpd_sel<strong>in</strong>ux - Security Enhanced L<strong>in</strong>ux Policy for <strong>the</strong> httpd processesDESCRIPTIONSecurity-Enhanced L<strong>in</strong>ux secures <strong>the</strong> httpd processes via flexible mandatoryaccess control....The httpd processes execute with <strong>the</strong> httpd_t <strong>SEL<strong>in</strong>ux</strong> type. You cancheck if you have <strong>the</strong>se processes runn<strong>in</strong>g by execut<strong>in</strong>g <strong>the</strong> ps commandwith <strong>the</strong> -Z qualifier.http://danwalsh.livejournal.com/52156.html
Custom Policy ModulesApplications and <strong>SEL<strong>in</strong>ux</strong> policy can have bugs
Custom Policy ModulesApplications and <strong>SEL<strong>in</strong>ux</strong> policy can have bugs●●grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpdsemodule -i myhttpd.pp
Custom Policy ModulesApplications and <strong>SEL<strong>in</strong>ux</strong> policy can have bugs●●grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpdsemodule -i myhttpd.ppYou might want to ship your own policies for your own apps●●●sepolgen /usr/sb<strong>in</strong>/myappsemodule -i myapp.ppRHEL7● sepolicy generate ...
Contribute back●●If you f<strong>in</strong>d bugs <strong>in</strong> applications or <strong>SEL<strong>in</strong>ux</strong> policy●Report <strong>the</strong>mIf you write policy,●Contribute it back to <strong>Red</strong> <strong>Hat</strong>/Upstream
You might be hacked●●●<strong>SEL<strong>in</strong>ux</strong> is not a <strong>in</strong>trusion detection tool.setroubleshoot can do some detection, you should use it.●●●●Conf<strong>in</strong>ed apps attempt<strong>in</strong>g to turn off <strong>SEL<strong>in</strong>ux</strong>, PWNDConf<strong>in</strong>ed apps attempt<strong>in</strong>g to modify kernel, PWNDConf<strong>in</strong>ed apps attempt<strong>in</strong>g to clear log files, PWNDmmap_zero? Maybe unless it is wh<strong>in</strong>e. (W<strong>in</strong>e)You probably want remote logg<strong>in</strong>g setup for this
But how do you manage <strong>SEL<strong>in</strong>ux</strong> <strong>in</strong> <strong>the</strong> enterprise.●●How do you configure your remote mach<strong>in</strong>es?How do you manage your remote content.
But how do you manage <strong>SEL<strong>in</strong>ux</strong> <strong>in</strong> <strong>the</strong> enterprise.●●●How do you configure your remote mach<strong>in</strong>es?How do you manage your remote content.<strong>SEL<strong>in</strong>ux</strong> customization is just configuration.●<strong>SEL<strong>in</strong>ux</strong> should be managed <strong>the</strong> same as o<strong>the</strong>r configuration.
Advanced semanageSemanage is sloooooow●Most semanage commands compile/load policy
Advanced semanageSemanage is sloooooow●Most semanage commands compile/load policySemanage Transactions●Allows several semanage commands with one command.semanage -S targeted -i -
Sett<strong>in</strong>g up identical mach<strong>in</strong>es with <strong>SEL<strong>in</strong>ux</strong>Modify one mach<strong>in</strong>e <strong>the</strong> way you like?Now apply to five o<strong>the</strong>r identical mach<strong>in</strong>es.
Sett<strong>in</strong>g up identical mach<strong>in</strong>es with <strong>SEL<strong>in</strong>ux</strong>Modify 1 mach<strong>in</strong>e <strong>the</strong> way you like?Now apply to 5 o<strong>the</strong>r identical mach<strong>in</strong>es.# semanage -o /tmp/sel<strong>in</strong>ux.mods# scp /tmp/sel<strong>in</strong>ux.mods to remote mach<strong>in</strong>ehttp://danwalsh.livejournal.com/41794.html
Sett<strong>in</strong>g up identical mach<strong>in</strong>es with <strong>SEL<strong>in</strong>ux</strong>Modify 1 mach<strong>in</strong>e <strong>the</strong> way you like?Now apply to 5 o<strong>the</strong>r identical mach<strong>in</strong>es.# semanage -o /tmp/sel<strong>in</strong>ux.mods# scp /tmp/sel<strong>in</strong>ux.mods to remote mach<strong>in</strong>eOn remote mach<strong>in</strong>e:# semanage -i /tmp/sel<strong>in</strong>ux.modshttp://danwalsh.livejournal.com/41794.html
cat sel<strong>in</strong>ux.modsboolean -Dboolean -1 allow_poly<strong>in</strong>stantiationboolean -0 authlog<strong>in</strong>_nsswitch_use_ldapuser -Dfcontext -Dfcontext -a -f 'all files' -t httpd_sys_content_t '/myweb(/.*)?'fcontext -a -f 'all files' -t public_content_t '/shared(/.*)?'fcontext -a -f 'all files' -t samba_share_t '/shared/samba(/.*)?'...http://danwalsh.livejournal.com/41794.html
<strong>Red</strong> <strong>Hat</strong> SatelliteShipp<strong>in</strong>g <strong>SEL<strong>in</strong>ux</strong> commands <strong>in</strong> RPM●●●Run semanage commands <strong>in</strong> post <strong>in</strong>stallPackag<strong>in</strong>g <strong>SEL<strong>in</strong>ux</strong> Policy modules with<strong>in</strong> RPMIn RHEL7●“sepolicy generate” will generate an example rpm spec file.
%def<strong>in</strong>e relabel_files() \restorecon -R /usr/sb<strong>in</strong>/rwhod; \%def<strong>in</strong>e sel<strong>in</strong>ux_policyver 3.12.1-44Name: rwhod_sel<strong>in</strong>uxVersion: 1.0Release: 1%{?dist}Summary: <strong>SEL<strong>in</strong>ux</strong> policy module for rwhodRPM specfilefor <strong>SEL<strong>in</strong>ux</strong>Group:System Environment/Base...Source0:rwhod.ppSource1:rwhod.ifSource2:rwhod_sel<strong>in</strong>ux.8...Requires: policycoreutils, libsel<strong>in</strong>ux-utilsRequires(post): sel<strong>in</strong>ux-policy-base >= %{sel<strong>in</strong>ux_policyver}, policycorutilsRequires(postun): policycoreutilsBuildArch: noarch%descriptionThis package <strong>in</strong>stalls and sets up <strong>the</strong> <strong>SEL<strong>in</strong>ux</strong> policy security module for rwhod.%<strong>in</strong>stall<strong>in</strong>stall -d %{buildroot}%{_datadir}/sel<strong>in</strong>ux/packages<strong>in</strong>stall -m 644 %{SOURCE0} %{buildroot}%{_datadir}/sel<strong>in</strong>ux/packages<strong>in</strong>stall -d %{buildroot}%{_datadir}/sel<strong>in</strong>ux/devel/<strong>in</strong>clude/contrib<strong>in</strong>stall -m 644 %{SOURCE1} %{buildroot}%{_datadir}/sel<strong>in</strong>ux/devel/<strong>in</strong>clude/contrib/
%postsemodule -n -i %{_datadir}/sel<strong>in</strong>ux/packages/rwhod.ppif /usr/sb<strong>in</strong>/sel<strong>in</strong>uxenabled ; <strong>the</strong>n/usr/sb<strong>in</strong>/load_policy%relabel_filesfi;exit 0RPM specfilefor <strong>SEL<strong>in</strong>ux</strong>%postunif [ $1 -eq 0 ]; <strong>the</strong>nsemodule -n -r rwhodif /usr/sb<strong>in</strong>/sel<strong>in</strong>uxenabled ; <strong>the</strong>n/usr/sb<strong>in</strong>/load_policy%relabel_filesfi;fi;exit 0%files%attr(0600,root,root) %{_datadir}/sel<strong>in</strong>ux/packages/rwhod.pp%{_datadir}/sel<strong>in</strong>ux/devel/<strong>in</strong>clude/contrib/rwhod.if%{_mandir}/man8/rwhod_sel<strong>in</strong>ux.8.*...
Can I ship <strong>the</strong> same policies <strong>in</strong> RHEL5 as RHEL6?
Can I ship <strong>the</strong> same policies <strong>in</strong> RHEL5 as RHEL6?●●NoNewer Major Version <strong>in</strong>clude new access checks●open is checked <strong>in</strong> RHEL6 but not <strong>in</strong> RHEL5
Can I ship <strong>the</strong> same policies <strong>in</strong> RHEL5 as RHEL6?●●●●NoNewer Major Version <strong>in</strong>clude new access checks●open is checked <strong>in</strong> RHEL6 but not <strong>in</strong> RHEL5.Policy should be stable for a major versionPolicy should be compiled and on <strong>the</strong> lowest m<strong>in</strong>or version.
Puppet●●●<strong>SEL<strong>in</strong>ux</strong> b<strong>in</strong>d<strong>in</strong>gs●Built<strong>in</strong> restorecon, sel<strong>in</strong>ux functions, semanage functionsdirectly.Puppet recipes should <strong>in</strong>clude <strong>SEL<strong>in</strong>ux</strong> commandsShell out to semanage commands●A lot of Fedora Infrastructure built on top of Puppet
class proxy {<strong>in</strong>clude sel<strong>in</strong>ux-enforc<strong>in</strong>gselboolean { ["httpd_can_network_connect_db","httpd_can_network_relay","httpd_can_network_connect","allow_ypb<strong>in</strong>d",]:value => on,}Puppet RecipeFor <strong>SEL<strong>in</strong>ux</strong>persistent => true,}semanage_port { "8081-8089":type => "http_port_t",proto => "tcp",}semanage_port { "10001-10003":type => "http_cache_port_t",proto => "tcp",}semanage_fcontext { "/srv/cache/mod_cache(/.*)?":type => "httpd_cache_t",}
Ansible – http://www.ansible.cc●●●●Uses ssh protocol●advantage no dest<strong>in</strong>ation daemon.Built<strong>in</strong> sel<strong>in</strong>ux and seboolean functions.Ansible playbooks should <strong>in</strong>clude <strong>SEL<strong>in</strong>ux</strong> commandsExecute semanage, same way adm<strong>in</strong>istrator would.●●Newer Fedora Infrastructure mov<strong>in</strong>g to AnsibleOpenShift <strong>in</strong>frastructure <strong>in</strong> Fedora setup us<strong>in</strong>g Ansible.
- name: set sel<strong>in</strong>ux bools appropriatelyAnsible Playbookaction: seboolean state=true persistent=yes name=$itemwith_items:For <strong>SEL<strong>in</strong>ux</strong>- httpd_unified- httpd_can_network_connect- httpd_can_network_relay- named_write_master_zones- allow_ypb<strong>in</strong>d- name: sel<strong>in</strong>ux module <strong>in</strong>stall - stickshiftaction: command semodule -i /usr/share/sel<strong>in</strong>ux/packages/rubygem-stickshift-common/stickshift.pp- name: sel<strong>in</strong>ux module disable - passengeraction: command semodule -d passengerignore_errors: True- name: sel<strong>in</strong>ux module <strong>in</strong>stall - o<strong>the</strong>r passengeraction: command semodule -i /usr/share/sel<strong>in</strong>ux/packages/rubygem-passenger/rubygem-passenger.pp- name: fix up files for sel<strong>in</strong>uxaction: command $itemwith_items:- "fixfiles -R rubygem-passenger restore"- "fixfiles -R mod_passenger restore"- "restorecon -rv /var/run"- "restorecon -rv /usr/lib/ruby/gems/1.8/gems/passenger-*"- "restorecon -rv /usr/sb<strong>in</strong>/mcollectived /var/log/mcollective.log /run/mcollective.pid"
O<strong>the</strong>r distributed tools for manag<strong>in</strong>g <strong>SEL<strong>in</strong>ux</strong>●●●●●●cfeng<strong>in</strong>epulpfunctivoli?openview?OpenLMI●Were work<strong>in</strong>g on it
Modify<strong>in</strong>g <strong>SEL<strong>in</strong>ux</strong> <strong>in</strong> kickstartExample: Configure MLS/LSPP system <strong>in</strong> RHEL6sed -i 's/SELINUXTYPE=targeted/SELINUX=mls/g' /etc/sel<strong>in</strong>ux/configsetenforce 0load_policy 2>&1 | grep -v no.longer.<strong>in</strong>.policyecho "Fix<strong>in</strong>g file labels..."# FIXME: fixfiles ignores allegedly R/O filesystems due to bad /etc/mtab ?cat /proc/mounts > /etc/mtabfixfiles -Ff restorerestorecon -Fr /root /home
What about You've been hacked?
Audit subsystem remote logg<strong>in</strong>gOn <strong>the</strong> clients●/etc/audisp/plug<strong>in</strong>s.d/au-remote.conf●●active = yes/etc/audisp/audisp-remote.conf●remote_server=remote-audit.redhat.comOn <strong>the</strong> server●/etc/audit/auditd.conf● tcp_listen_port = 60
Setroubleshoot Remote Logg<strong>in</strong>g/etc/setroubleshoot/setroubleshoot.conf●●●●[email]smtp_host = smtp.foobar.redhat.com# from_address: The From: email headerfrom_address = <strong>SEL<strong>in</strong>ux</strong>_Troubleshoot.HOSTNAME/var/lib/setroubleshoot/email_alert_recipients●dwalsh@redhat.com
What about RBAC?How I conf<strong>in</strong>ed mywife with <strong>SEL<strong>in</strong>ux</strong>?
Conf<strong>in</strong>ed Users●Term<strong>in</strong>al user/ssh - guest_t●●●No Network, No setuid, no exec <strong>in</strong> homedirBrowser user/kiosk - xguest_t●Web access ports only. No setuid, no exec <strong>in</strong> homedirFull Desktop user - User_t●Full Network, No SETUID●●Conf<strong>in</strong>ed Adm<strong>in</strong>/Desktop User - Staff_t●●Full Network, sudo to adm<strong>in</strong> only, no root password.Usually a conf<strong>in</strong>ed adm<strong>in</strong>Unconf<strong>in</strong>ed user - unconf<strong>in</strong>ed_t (Default)●<strong>SEL<strong>in</strong>ux</strong> does not block access
IDM/FreeIPA supports <strong>SEL<strong>in</strong>ux</strong> Conf<strong>in</strong>ed Users●●At log<strong>in</strong> sssd contacts FreeIPA for user@mach<strong>in</strong>eDownloads /etc/sel<strong>in</strong>ux/targeted/log<strong>in</strong>scat dwalshsshd:staff_u:s0-s0:c0.c1023*:guest_u:s0-s0:c0.c1023●Sudo be configured by IPA with <strong>SEL<strong>in</strong>ux</strong> Config●dwalsh ALL=(ALL) TYPE=webadm_t ROLE=webadm_rALL
Conf<strong>in</strong>ed users us<strong>in</strong>g LDAP●LDAP does not have User-Mach<strong>in</strong>e Mapp<strong>in</strong>g●●LDAP could be setup for global mapp<strong>in</strong>g/etc/sel<strong>in</strong>ux/targeted/seuserssystem_u:system_u:s0-s0:c0.c1023root:unconf<strong>in</strong>ed_u:s0-s0:c0.c1023__default__:unconf<strong>in</strong>ed_u:s0-s0:c0.c1023xguest:xguest_u:s0dwalsh:staff_u:s0-s0:c0.c1023
Conf<strong>in</strong>ed Users Active Directory●Be<strong>in</strong>g worked on
Questions?
Improv<strong>in</strong>g <strong>SEL<strong>in</strong>ux</strong> Usability●●●<strong>SEL<strong>in</strong>ux</strong> UXD usability tests <strong>in</strong> <strong>the</strong> GSS booth.Added > 700 Man pages for each conf<strong>in</strong>ed doma<strong>in</strong>Add<strong>in</strong>g GUI to be application focused● How does <strong>SEL<strong>in</strong>ux</strong> conf<strong>in</strong>e doma<strong>in</strong> X?●●What booleans? What Types? What Network Ports?How can I modify <strong>the</strong>m?