SE Linux
What is SE Linux?
- A system of mandatory access controls via type enforcement.
What SE Linux does
Applications will always have faults. We need to assume that this will happen and prepare our systems for it.
This is one reason why I am a big fan of SE Linux and Red Hat's effort to secure the desktop using mandatory access controls via a system of type enforcement. Under ordinary discretionary access controls your web browser can access any file owned by you and email it off somewhere else. It has no business having this much access to your data. It can probably also install software pulled down from the net, which results in malware infestations.
History
This technology was developed by the US government through research projects during the 1970s and 1980s. Government think tanks like MITRE worked on it and produced a number of valuable research papers, for example Bell and LaPadula's 1976 report on secure computer systems:
http://csrc.nist.gov/publications/history/bell76.pdf
The NSA used the results of this research into mandatory access controls to create SE Linux as a proof of concept, and it has worked out so well that folks like Red Hat have adopted it and now all of my servers run it.
How it does it
DAC = Discretionary Access Controls
MAC = Mandatory Access Controls
TE = Type enforcement
Assigning everything (every process, file, directory, socket, port and so on) a type and implementing a policy which says what types can do what with which other types is a very powerful way of limiting access and the potential for damage. Anything the policy does not explicitly allow is denied, so a compromised process gains only what its type was already allowed to do, regardless of which Unix user it runs as.
Real-world attacks which SE Linux has already stopped
SELinux mitigation news from tresys: http://www.tresys.com/innovation.php
SELinux mitigates remote root vulnerability in OpenPegasus http://james-morris.livejournal.com/25421.html
SELinux mitigates HPLIP vulnerability http://james-morris.livejournal.com/25140.html
SELinux Constrains Samba Vulnerability http://danwalsh.livejournal.com/10131.html
SELinux blocks CVE-2006-3626 (local privilege escalation) http://james-morris.livejournal.com/12599.html
A seatbelt for server software: SELinux blocks real-world exploits: Apache web server, the Mambo content management system, the Sendmail MTA, and a commonly-installed PHP module, in addition to the HP and Samba bugs. http://www.linuxworld.com/news/2008/022408-selinux.html?page=2
Risk Report: A year of Red Hat Enterprise Linux 4: Lupper worm http://www.redhat.com/magazine/017mar06/features/riskreport/
How to properly configure it instead of just turning it off
How to know when you get a denial:
- desktop applet
- sealert
- /var/log/audit/audit.log
The easiest way to fix it. First, a denial as setroubleshoot reports it in /var/log/messages:
Jul 8 15:00:09 blog setroubleshoot: SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" to /var/cfengine/outputs/cf_blog_interactivate_com_2008-07-08--15-00-06 (var_t). For complete SELinux messages. run sealert -l bad3d9e7-15c5-4aed-9163-4f8029b59d9b
When you run sealert it explains:
[root@blog ~]# sealert -l bad3d9e7-15c5-4aed-9163-4f8029b59d9b
Summary
SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" to
/var/cfengine/outputs/cf_blog_interactivate_com_2008-07-08--15-00-06
(var_t).
Detailed Description
SELinux denied access requested by /sbin/ifconfig. It is not expected that
this access is required by /sbin/ifconfig and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for
/var/cfengine/outputs/cf_blog_interactivate_com_2008-07-08--15-00-06,
restorecon -v /var/cfengine/outputs/cf_blog_interactivate_com_2008-07-08--15-00-06
If this does not work, there is currently no automatic way to allow
this access. Instead, you can generate a local policy module to allow this
access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context system_u:system_r:ifconfig_t
Target Context system_u:object_r:var_t
Target Objects /var/cfengine/outputs/cf_blog_interactivate_com_2008-07-08--15-00-06 [ file ]
Affected RPM Packages net-tools-1.60-73 [application]
Policy RPM selinux-policy-2.4.6-104.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name blog.interactivate.com
Platform Linux blog.interactivate.com 2.6.18-53.1.14.el5xen
#1 SMP Wed Mar 5 12:08:17 EST 2008 x86_64 x86_64
Alert Count 1
Line Numbers
Raw Audit Messages
avc: denied { write } for comm="ifconfig" dev=dm-1 egid=0 euid=0
exe="/sbin/ifconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0
path="/var/cfengine/outputs/cf_blog_interactivate_com_2008-07-08--15-00-06"
pid=16155 scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0
So, once we have checked that the file's label is correct and that the access is legitimate, we can allow it as follows. Note that audit2allow -a reads every denial currently in the audit log, not just this one (the snmpd_t in the require block below comes from a different denial), so read the generated rules before loading them; a denial that is really a labeling problem should be fixed with restorecon or semanage fcontext rather than a new allow rule:
[root@blog treed]# audit2allow -a -m local
module local 1.0;
require {
type ifconfig_t;
type snmpd_t;
type var_t;
class file write;
}
[root@blog treed]# audit2allow -a -m local > local.te
[root@php5dev ~]# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
[root@php5dev ~]# semodule_package -o local.pp -m local.mod
[root@php5dev ~]# /usr/sbin/semodule -i ./local.pp
Done.
SLIDE: the SELinux policy development IDE http://james-morris.livejournal.com/30051.html
a.k.a. an SE Linux policy wizard
Lots more SE Linux commands (from man -k selinux):
- audit2allow (1) - generate SELinux policy allow rules from logs of denied operations
- audit2why (8) - Translates SELinux audit messages into a description of why the access was denied
- avcstat (8) - Display SELinux AVC statistics
- booleans (8) - Policy booleans enable runtime customization of SELinux policy
- chcat (8) - change file SELinux security category
- chcon (1) - change SELinux security context
- checkmodule (8) - SELinux policy module compiler
- checkpolicy (8) - SELinux policy compiler
- fixfiles (8) - fix file SELinux security contexts
- ftpd_selinux (8) - Security Enhanced Linux Policy for the ftp daemon
- genhomedircon (8) - generate SELinux file context configuration entries for user home directories
- getenforce (8) - get the current mode of SELinux
- getsebool (8) - get SELinux boolean value(s)
- httpd_selinux (8) - Security Enhanced Linux Policy for the httpd daemon
- kerberos_selinux (8) - Security Enhanced Linux Policy for Kerberos
- load_policy (8) - load a new SELinux policy into the kernel
- matchpathcon (8) - get the default SELinux security context for the specified path from the file contexts configuration
- named_selinux (8) - Security Enhanced Linux Policy for the Internet Name server (named) daemon
- nfs_selinux (8) - Security Enhanced Linux Policy for NFS
- pam_selinux (8) - PAM module to set the default security context
- restorecon (8) - restore file(s) default SELinux security contexts
- restorecond (8) - daemon that watches for file creation and then sets the default SELinux file context
- rsync_selinux (8) - Security Enhanced Linux Policy for the rsync daemon
- run_init (8) - run an init script in the proper SELinux context
- runcon (1) - run command with specified SELinux security context
- samba_selinux (8) - Security Enhanced Linux Policy for Samba
- secon (1) - See an SELinux context, from a file, program or user input
- selinux (8) - NSA Security-Enhanced Linux (SELinux)
- selinuxenabled (8) - tool to be used within shell scripts to determine if selinux is enabled
- semanage (8) - SELinux Policy Management tool
- semodule (8) - Manage SELinux policy modules
- semodule_deps (8) - show the dependencies between SELinux policy packages
- semodule_expand (8) - Expand a SELinux policy module package
- semodule_link (8) - Link SELinux policy module packages together
- semodule_package (8) - Create a SELinux policy module package
- sestatus (8) - SELinux status tool
- setenforce (8) - modify the mode SELinux is running in
- setfiles (8) - set file SELinux security contexts
- setsebool (8) - set SELinux boolean value
- togglesebool (8) - flip the current value of a SELinux boolean
- ypbind_selinux (8) - Security Enhanced Linux Policy for NIS
Future of SE Linux: securing the desktop
Fedora 9: Confined users
Why Linux will not suffer the same fate as Windows while continuing to gain popularity
Better security.
Resources
- http://www.nsa.gov/selinux/
- http://danwalsh.livejournal.com/
- http://fedoraproject.org/wiki/SELinux
- http://selinux.sourceforge.net/
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/selg-overview.html
<tessier_> I have a need for httpd to be able to access a certain directory hierarchy under /home. Is there a guide on how to produce the new label for these files and give httpd access to read it?
<domg472> man httpd_selinux
<domg472> you'd set a boolean and such
<domg472> man semanage is also a good read
<domg472> getsebool -a -> httpd_enable_homedirs --> on
<tessier_> domg472: Wow, thanks!
<domg472> semanage fcontext -a -t httpd_sys_content_t "/home/???/public_html(/.*)?"
<tessier_> Seems there is an answer for everything these days. SE Linux has come a long way. man -k selinux reveals copious documentation
<domg472> not sure if that is right though
Always keep your own custom local.te around, preferably in version control. It is like source code and you need to keep it around, as readable policy source cannot simply be extracted from the compiled binary modules.
This will check the audit log for all denials and generate allow rules (audit2allow -a -M local would also compile and package the module in one step, but keeping the .te source is the point of this workflow):
[root@php5dev ~]# audit2allow -a -m local
Add the results to your local.te, then rebuild and reload the module:
[root@php5dev ~]# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
[root@php5dev ~]# semodule_package -o local.pp -m local.mod
[root@php5dev ~]# /usr/sbin/semodule -i ./local.pp
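The following is an added example written for this page; it is not the page's own session and not audit2allow's source. It re-implements in plain awk and sed the core of what audit2allow -a -m local does in the ifconfig walkthrough above and in the rebuild procedure just shown, and adds the triage step a practitioner wants before pasting generated rules into local.te. The audit lines in SAMPLE_AVC are constructed: the first mirrors the ifconfig/cfengine denial above, the second is the httpd-reading-/home case from the IRC exchange, the last two are invented. The type and permission lists inside triage_rule are my own heuristics, not anything audit2allow knows about. It runs offline with no SELinux tools installed.

```shell
#!/bin/sh
# Added example (not part of the page or of audit2allow itself): a pure awk/sed
# re-implementation of the core of "audit2allow -a -m local", plus a triage step
# that flags rules which should NOT simply be pasted into local.te.
# Runs offline on the constructed sample below; no SELinux tools are needed.

# Constructed sample in the shape of raw AVC lines from /var/log/audit/audit.log.
# Line 1 mirrors the ifconfig/cfengine denial on this page; the rest are invented.
SAMPLE_AVC='type=AVC msg=audit(1215547209.101:4501): avc:  denied  { write } for  pid=16155 comm="ifconfig" path="/var/cfengine/outputs/cf_blog" dev=dm-1 ino=13 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1215547210.202:4502): avc:  denied  { read open } for  pid=2201 comm="httpd" name="index.html" dev=dm-0 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215547211.303:4503): avc:  denied  { execmem } for  pid=2202 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1215547212.404:4504): avc:  denied  { name_connect } for  pid=2203 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_to_allow: stdin = audit lines, stdout = one "allow SRC TGT:CLASS { perms };"
# per denial. The source/target *type* is the third colon-separated field of the
# context (user:role:type:level), which is all type enforcement looks at.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perm
    }'
}

# triage_rule RULE: print "VERDICT<TAB>RULE". Heuristics are this example's own:
#   RELABEL - target is a generic/default type, so the file is mislabeled; fix the
#             label (restorecon, semanage fcontext) instead of widening policy
#   REVIEW  - permission defeats W^X; usually an exploit or a broken library
#   ALLOW   - plausible candidate for local.te (still check getsebool -a first,
#             a boolean such as httpd_can_network_connect_db may already cover it)
triage_rule() {
    rule=$1
    tgt=$(printf '%s\n' "$rule" | awk '{ split($3, t, ":"); print t[1] }')
    perms=$(printf '%s\n' "$rule" | sed 's/.*{ *//; s/ *}.*//')
    case " $perms " in
        *" execmem "*|*" execmod "*|*" execstack "*|*" execheap "*)
            printf 'REVIEW\t%s\n' "$rule"; return ;;
    esac
    case $tgt in
        var_t|tmp_t|default_t|unlabeled_t|user_home_t)
            printf 'RELABEL\t%s\n' "$rule"; return ;;
    esac
    printf 'ALLOW\t%s\n' "$rule"
}

# emit_module NAME: stdin = allow rules, stdout = a complete .te in the same shape
# as the "module local 1.0; require { ... }" listing on this page, for checkmodule.
emit_module() {
    awk -v name="$1" '
    {
        rules[NR] = $0
        split($3, t, ":"); types[$2] = 1; types[t[1]] = 1
        p = $0; sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
        n = split(p, perm, " ")
        for (i = 1; i <= n; i++) {
            key = t[2] SUBSEP perm[i]
            if (!(key in seen)) { seen[key] = 1; classes[t[2]] = classes[t[2]] " " perm[i] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in classes) printf "\tclass %s {%s };\n", c, classes[c]
        printf "}\n\n"
        for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# triage_log: stdin = audit lines, stdout = one verdict per generated rule
triage_log() {
    avc_to_allow | while IFS= read -r rule; do triage_rule "$rule"; done
}

# Stand-alone run: show the verdicts, then the module built from ALLOW rules only.
printf '%s\n' "$SAMPLE_AVC" | triage_log
printf '%s\n' "$SAMPLE_AVC" | triage_log | awk -F '\t' '$1 == "ALLOW" { print $2 }' | emit_module local
```

In practice you would feed `ausearch -m avc` output (or audit.log itself) into triage_log and only send the ALLOW lines through emit_module, checkmodule, semodule_package and semodule -i as in the procedure above. A RELABEL verdict means the target carries a generic or default type, which almost always points at a file that restorecon or a semanage fcontext rule should fix; in the page's ifconfig example that is exactly the situation, since var_t is the catch-all type for /var. A REVIEW verdict on execmem or execmod should be treated as a possible exploitation attempt or a badly built library, never as a gap in policy to be patched over.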
Securing trac with SE Linux:
http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications