Stop disabling SELinux!

Maciej Lasyk, Stop Disabling SELinux
Maciej Lasyk
Kraków, InfoSec meetup #1
2014-03-12
1/32
Stop Disabling SELinux

Maciej Lasyk, High Availability Explained
● Business value and security
● Does stock price change after security fail?
● Apps or env? Which one should be 'secure'?
Does security matter?
Maciej Lasyk, Stop Disabling SELinux 2/32

How does security look like?
App
Env
3/32

Security is based on layers!Security is based on layers!
NetworkNetwork
OSOS
App / DBApp / DB
HardwareHardware
LSMLSM
Maybe virt-sec?Maybe virt-sec?
4/32

Such security..Such security..
Very fortress!!1Very fortress!!1
WOW :)WOW :)
5/32

● Think about it as an internal firewall
● Guarding procs, files, users
● Users don't manage security, admin does
SELinux – what?

- 2000: NSA, GPL
- 2001: Linux Kernel Summit, NSA vs Linus, LSM announced
(SELinux, Apparmor, Smack, and TOMOYO Linux)
- 2003: Merge with mainline Kernel 2.6.0-test3
- RHEL4
- Ubuntu LTS 8.04 Hardy Heron & rest (even Novell)
SELinux – short history recap

- hosting multiple services on one box / vps
- virtualization host (imagine containers)
- libvirt-sandbox FTW!
- any apps that are not secure or sec – aware
- SELinux sandbox
- root access for anyone :)
- DBAs, devs - whatever :)
- try it yourself: http://www.coker.com.au/selinux/play.html
- Gentoo Hardened: https://wiki.gentoo.org/wiki/Project:Hardened
- Desktops (yes!)
SELinux – use cases

SELinux – how it works?
syscalls work like interfaces for accessing some resources
9/32

DAC
MAC
upstream kernel has been fixed to report
check for mmap_zero for MAC AFTER DAC
(2014-03-05, http://danwalsh.livejournal.com/69035.html)
11/32

- http://www.nsa.gov/research/_files/selinux/papers/freenix01/node18.shtml#sec:perf:macro
SELinux – performance
Just test it yourself: git://git.selinuxproject.org/~serge/selinux-testsuite
13/32
avcstat
uptime: 10h
hit ratio: 99.94%!
(57mln of lookups)

SELinux – learning curve

SELinux – installation
apt-get install selinux-basics selinux-policy-default auditd
Gentoo is.. like always – little complicated..
emerge hardened-sources
EC2? yum install libselinux* selinux-policy* policycoreutils
RHEL / CentOS / Fedora is rdy
11/3215/32

SELinux – need assistance?
- IRC: freenode, #selinux
- Mailing list: selinux@lists.fedoraproject.org
- URLs:
- http://stopdisablingselinux.com/
- http://www.nsa.gov/research/selinux/faqs.shtml
- https://fedoraproject.org/wiki/SELinux
- Books?
- SELinux System Administration, Sven Vermeulen,
2013, ISBN-10: 1783283173 ($15)
- SELinux by Example: Using Security Enhanced Linux,
Frank Mayer, Karl MacMillan,
David Caplan, 2006,
ISBN-10: 0131963694
16/32

SELinux and Android
- from 4.3 – permissive
- from 4.4 enforcing
- Will help us with BYOD :)
- No setuid/setgid programs (4.3)
http://selinuxproject.org/page/SEAndroid
http://source.android.com/devices/tech/security/se-linux.html
17/32

Maciej Lasyk, High Availability ExplainedMaciej Lasyk, Stop Disabling SELinux
- Currently RPM based (but could build from sources)
- Sandboxes for LXC / Qemu / KVM
- Rather with systemd
- virt-sandbox -c lxc:/// /bin/sh
- virt-sandbox-service create ... httpd.service myhttpd
- systemctl start myhttpd_sandbox.service
libvirt-sandbox!
18/32

libvirt-sandbox!
- The libvirt guest is created when the virt-sandbox command starts
- The libvirt guest is automatically deleted when the virt-sandbox
command completes, or dies from a signal
- The sandboxed command sees a read-only view of the entire host
filesystem
- Specific areas can be made writable by mapping in an alternative
host directory
- There is no network access inside the sandbox by default
- Virtual network interfaces can be associated with libvirt virtual
networks
- The stdin/stdout/stderr file handles of the sandbox command
will be connected to the controlling terminal.
19/32

So what about other LSMs?
http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html
20/32

So what about other LSMs?
- AppArmor identifies file system objects by path name
instead of inode
- There is no notion of multi-level security with AppArmor
- AppArmor user rather flat files based configuration
- SELinux supports the concept of a "remote policy server"
- There is no apparmor or grsec in android :)
21/32

SELinux primer
stopdisablingselinux.com
or
http://opensource.com/business/13/11/selinux-policy-guide
22/32

SELinux primer
Everyone gets a label!
23/32

SELinux primer
allow cat cat_chow:food eat;
allow dog dog_chow:food eat;
24/32

SELinux primer
AVC (Access Vector Cache)
25/32

SELinux primer
AVC (Access Vector Cache)
26/32

SELinux primer
In real world...
process: httpd_t
files under Apache: httpd_sys_content_t
database data: mysqld_data_t
hacked Apache process can not access mysqld files!
27/32

SELinux primer
Can same type of process be confined differently?
28/32

SELinux primer
Yes! With MCS enforcement!
29/32

SELinux primer
In real world...
2 processes: httpd_t
files under httpd: httpd_sys_content_t
So how to deny files from differ instances of httpd_t?
With MCS labels like s0:c1,c2 ; s0:c3,c4 etc
s0, s1, s2 – sensitivity levels
c1,c2,c3... - categories (up to 255)
30/32

So remember..
Every time you run setenforce 0, you make Dan Walsh
weep
Dan is a nice guy and he certainly doesn't deserve that.
31/32

Maciej Lasyk
Kraków, InfoSec meetup #1
2014-03-12
http://maciek.lasyk.info/sysop
maciek@lasyk.info
@docent-net
Stop Disabling SELinux
Thank you :)
32/32

Stop disabling SELinux!

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Stop disabling SELinux!

Similar to Stop disabling SELinux! (20)

More from Maciej Lasyk

More from Maciej Lasyk (14)

Recently uploaded

Recently uploaded (20)

Stop disabling SELinux!