Slug 2009 06 SELinux For Sysadmins

1. SELinux for Sysadmins

2. SELinux for Sysadmins Beyond 'restorecon'

3. SELinux for Sysadmins Principles for using SELinux

4. SELinux for Sysadmins Principles for using SELinux

5. Through real world examples

6. Real world example 1 Share home directories through NFS

7. Real world example 1 Share home directories through NFS [server]# cat /etc/exports /home 192.168.0.0/24(rw,soft)

8. [client]# cat /etc/fstab ... server:/home /home nfs soft 1 2 ...

9. Real world example 1 Share home directories through NFS [server]# cat /etc/exports /home 192.168.0.0/24(rw,soft)

10. [client]# cat /etc/fstab ... server:/home /home nfs soft 1 2 ...

11. [client]# mount /home Permission denied

12. SELinux for Sysadmins Share home directories through NFS

13. Is this a SELinux problem?

15. Is this a SELinux problem? Check /var/log/audit/audit.log

17. Is this a SELinux problem? Check /var/log/audit/audit.log grep mount /var/log/audit/audit.log

19. If it is a SELinux problem: getsebool -a | grep home ftp_home_dir --> off httpd_enable_homedirs --> on openvpn_enable_homedirs --> off samba_create_home_dirs --> off samba_enable_home_dirs --> off spamd_enable_home_dirs --> on use_nfs_home_dirs --> off use_samba_home_dirs --> off

21. If it is a SELinux problem: getsebool -a | grep home ftp_home_dir --> off httpd_enable_homedirs --> on openvpn_enable_homedirs --> off samba_create_home_dirs --> off samba_enable_home_dirs --> off spamd_enable_home_dirs --> on use_nfs_home_dirs --> off use_samba_home_dirs --> off

23. If it is a SELinux problem: setsebool use_nfs_home_dirs on

25. If it is a SELinux problem: setsebool -P use_nfs_home_dirs on

26. Real world example 1 Share home directories through NFS setsebool -P use_nfs_home_dirs on

27. Real world example 1 Share home directories through NFS setsebool -P use_nfs_home_dirs on Share home directories through SaMBa

28. Real world example 1 Share home directories through NFS setsebool -P use_nfs_home_dirs on Share home directories through SaMBa setsebool -P use_samba_home_dirs on

30. setsebool -P samba_enable_home_dirs on

31. Real world example 1 Share home directories through NFS setsebool -P use_nfs_home_dirs on Share home directories through SaMBa setsebool -P use_samba_home_dirs on Mount SaMBa home dirs on client setsebool -P samba_enable_home_dirs on Share home dirs on SaMBa server

33. setsebool -P samba_enable_home_dirs on Share ~/public_html through Apache setsebool -P apache_enable_homedirs on

34. SELinux for Sysadmins Principles for using SELinux Use booleans where possible

35. Real world example 2 Sharing /data through SaMBa

36. Real world example 2 Sharing /data through SaMBa getsebool -a | grep samba samba_create_home_dirs --> off samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> off virt_use_samba --> off

37. SELinux for Sysadmins File contexts

38. SELinux for Sysadmins File contexts [root@tachyon ~]# ls -laZ /var drwxr-xr-x root root system_u:object_r:var_t:s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 .. drwxr-xr-x root root system_u:object_r:acct_data_t:s0 account drwxr-xr-x root root system_u:object_r:var_t:s0 cache drwxr-xr-x root root system_u:object_r:cvs_data_t:s0 cvs drwxr-xr-x root root system_u:object_r:var_t:s0 db drwxr-xr-x root root system_u:object_r:var_t:s0 empty drwxr-xr-x root root system_u:object_r:games_data_t:s0 games drwxrwx--T root gdm system_u:object_r:xserver_log_t:s0 gdm drwxr-xr-x root root system_u:object_r:var_lib_t:s0 lib drwxr-xr-x root root system_u:object_r:var_t:s0 local drwxrwxr-x root lock system_u:object_r:var_lock_t:s0 lock drwxr-xr-x root root system_u:object_r:var_log_t:s0 log lrwxrwxrwx root root system_u:object_r:mail_spool_t:s0 mail drwxr-xr-x root root system_u:object_r:var_t:s0 nis drwxr-xr-x root root system_u:object_r:var_t:s0 opt drwxr-xr-x root root system_u:object_r:var_t:s0 preserve ...

39. SELinux for Sysadmins File contexts Specify the context in which it is to be used

40. SELinux for Sysadmins File contexts Specify the context in which it is to be used

41. Inherited like permissions

42. Real world example 2 Sharing /data through SaMBa [root@tachyon ~]# mkdir /data [root@tachyon ~]# ls -laZ /data drwxr-xr-x root root unconfined_u:object_r:default_t:s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 ..

43. Real world example 2 Sharing /data through SaMBa [root@tachyon ~]# mkdir /data [root@tachyon ~]# ls -laZ /data drwxr-xr-x root root unconfined_u:object_r:default_t:s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 .. [root@tachyon ~]# chcon -R -t samba_share_t /data [root@tachyon ~]# ls -laZ /data drwxr-xr-x root root unconfined_u:object_r: samba_share_t :s0 . drwxr-xr-x root root system_u:object_r:root_t:s0 ..

45. Use the right file context

46. man {ftpd,named,rsync,httpd,nfs,samba, kerberos,nis,ypbind}_selinux is your friend!

47. Real world example 3 Sharing /data with SaMBa and VSFTPD

48. Real world example 3 Sharing /data with SaMBa and VSFTPD Gotcha!

49. Real world example 3 Sharing /data with SaMBa and VSFTPD Files can only have one security context!

51. getsebool -a | grep ftp allow_ftpd_anon_write --> off allow_ftpd_full_access --> off allow_ftpd_use_cifs --> off allow_ftpd_use_nfs --> off ftp_home_dir --> off ftpd_connect_db --> off httpd_enable_ftp_server --> off tftp_anon_write --> off

53. allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server!

55. allow_ftpd_use_cifs is written to allow (vs)ftpd to share a directory that is mounted from a CIFS server!

56. What to do?

57. Real world example 3 # setenforce off

59. # selinuxenabled && echo yes

62. # run service, exercise functionality

65. # setenforce on

68. # setenforce on

69. # grep vsftpd /var/log/audit/audit.log | audit2allow -M -m vsftpd

72. # setenforce on

74. # ls vsftpd.* vsftpd.pp vsftpd.te

75. Real world example 3 cat vsftpd.te module vsftpd 1.0; require { type samba_share_t; type vsftpd_t; class dir { rename write search read remove_name getattr add_name }; class file { rename setattr read lock create write getattr unlink }; } #============= smbd_t ============== allow vsftpd_t samba_share_t:dir { rename write search read remove_name getattr add_name }; allow vsftpd_t samba_share_t:file { rename setattr read lock create write getattr unlink };

78. # setenforce on

80. # semodule -i vsftpd.pp

84. Create policy where necessary

89. Policy must be conservative

100. system-config-selinux

101. Questions?

Slug 2009 06 SELinux For Sysadmins

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Slug 2009 06 SELinux For Sysadmins (20)

Recently uploaded (20)

Slug 2009 06 SELinux For Sysadmins