Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? ...
-
date post
21-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? ...
![Page 1: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/1.jpg)
SELinux using SLIDE
Shane JahnkeCS591December 7, 2009
![Page 2: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/2.jpg)
Overview
What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE
Installation and Configuration Irssi Example
Conclusions
![Page 3: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/3.jpg)
What is SELinux?
SELinux (Security-enhanced Linux) Developed by the NSA▪ Research Partners: NAI Labs, SCC, MITRE
Reference policy of the Flask security architecture Enforces mandatory access control policies▪ Type Enforcement (TE)▪ Role-based Access Control (RBAC)▪ Multi-level Security (MLS)
Availability▪ Mainstreamed into Debian, Ubuntu, RHEL, Fedora, Gentoo▪ Ported to Solaris and FreeBSD
![Page 4: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/4.jpg)
SELinux Contexts
Processes and files are assigned a context. User: identity known to policy that is
authorized for a specific set of rules Role: users are authorized for roles, and
roles are authorized for domains Type: defines a domain for processes,
and a type for files. Level: (optional) used with MLS
restrictions
![Page 5: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/5.jpg)
Changing SELinux Policies
To make policy changes: Use Booleans, if possible▪ Runtime change, no need to reload/recompile▪ Configurable without knowledge of policy
writing▪ Example: httpd using NFS/Samba file types
Match file context with domain▪ Use man <httpd,nfs,samba>_selinux▪ Example: sharing directory using Samba
![Page 6: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/6.jpg)
Changing SELinux Policies (cont.)
To make policy changes: Audit2allow▪ Allows rule from logs of denied by Access
Vector Cache (AVC)▪ Example: audit2allow -w -a (creates packaged
policy file for installation) Create policy (using SLIDE)
![Page 7: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/7.jpg)
What is SLIDE?
SELinux Policy Integrated Development Environment Developed by Tresys Technology Eclipse Plugin Integrates with Reference Policy Makes SELinux policy development
easier
![Page 8: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/8.jpg)
SLIDE Features
Project/Module creation wizards Auto-completion of interface names Simplifies compilation and building
module packages Integrated remote policy installation
and audit log monitoring Supports both modular and
monolithic policy development
![Page 9: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/9.jpg)
Reference Policy (refpolicy)
Based on NSA example policy Actively developed by Tresys
Technology Complete SELinux policy Basis for creating policies within
SLIDE
![Page 10: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/10.jpg)
Installation & Configuration
Installed Fedora 12 distribution Packages Needed:
eclipse-slide (Eclipse with plugin) slideRemote-moduler (for policy testing) SSH Server (for policy testing) setools-console (optional GUI console)
Used selinux-policy-3.6.32-49 Downloaded src (refpolicy) for use with
SLIDE
![Page 11: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/11.jpg)
Irssi Tutorial Example
Text-mode IRC client Create new “irssi” policy module
using reference policy
![Page 12: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/12.jpg)
Private Policy Tab
Editor Tabs
Policy Explorer
Layer
Module
Build Output
![Page 13: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/13.jpg)
File Contexts Tab
![Page 14: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/14.jpg)
Interfaces Tab
![Page 15: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/15.jpg)
Conclusions
SELinux is complicated and requires extensive knowledge of the reference policy.
SLIDE indeed makes developing policies by performing difficult tasks such as compiling, packaging, and installing policies remotely.
![Page 16: Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies What is SLIDE? Reference Policy SLIDE Installation and Configuration.](https://reader030.fdocuments.in/reader030/viewer/2022032522/56649d6d5503460f94a4cef5/html5/thumbnails/16.jpg)
References
http://www.nsa.gov/research/selinux/ http://docs.fedoraproject.org/selinux-
user-guide/f11/en-US/ http://oss.tresys.com/projects http://
domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html
http://selinuxproject.org/page/User_Resources