Security in Red Hat

Enterprise Linux 7

Daniel J Walsh

Consulting Engineer


Mark Shuttleworth


"At least we know now who belongs to the Open Source Tea Party. And to put all the hue and cry into context: Mir is relevant for approximately 1% of all developers, just those who think about shell development. Every app developer will consume Mir through their toolkit. By contrast, those same outraged individuals have NIH’d just about every important piece of the stack they can get their hands on… most notably SystemD, which is hugely invasive and hardly justified."

Systemd Security Features


Mark Shuttleworth Shows Why Open Source Is Awesome, Ubuntu to Adopt Systemd
systemd starting daemons

Services always start the same way

started at boot
started by dbus
started by admin

Eliminates information leaking from the administrator's account into the service


to systemd unit file


to systemd unit file

Journald Security Features

Kay Sievers


Captures messages from boot to shutdown

Captures stdout/stderr from services into log

Captures identity of application writing to /dev/log

MESSAGE=sshd Fake message from sshd.
_CMDLINE=/usr/sbin/ntpd -n -u ntp:ntp -g
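As an added example (not from the slides), the check this makes possible: compare the identity a message claims with the '_'-prefixed trusted fields that journald fills in from the sender's socket credentials. The records, including a copy of the fake sshd message above, are constructed for the demo.

```python
import re

# Constructed journal records in the export-format key=value layout shown on
# the slide. Keys beginning with '_' are trusted fields that journald fills in
# from the sender's socket credentials; MESSAGE and SYSLOG_IDENTIFIER are not.
SAMPLE_RECORDS = """\
MESSAGE=sshd Fake message from sshd.
_CMDLINE=/usr/sbin/ntpd -n -u ntp:ntp -g
_COMM=ntpd
_UID=38

MESSAGE=Accepted publickey for admin from 192.0.2.10 port 50123 ssh2
SYSLOG_IDENTIFIER=sshd
_CMDLINE=/usr/sbin/sshd -D
_COMM=sshd
_UID=0
"""

def parse_export(text):
    """One dict per blank-line separated record; values split at the first '='."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition("=")
            fields[key] = value
        records.append(fields)
    return records

def claimed_identity(rec):
    """Asserted sender: SYSLOG_IDENTIFIER, else the leading syslog tag of MESSAGE."""
    if "SYSLOG_IDENTIFIER" in rec:
        return rec["SYSLOG_IDENTIFIER"]
    parts = rec.get("MESSAGE", "").split(None, 1)
    # Strip an optional "[pid]" and trailing ':' from tags like "sshd[42]:".
    return re.sub(r"(\[\d+\])?:?$", "", parts[0]) if parts else ""

def trusted_identity(rec):
    """Credential-derived sender: _COMM, else basename of _CMDLINE's first word."""
    if "_COMM" in rec:
        return rec["_COMM"]
    words = rec.get("_CMDLINE", "").split(None, 1)
    return words[0].rsplit("/", 1)[-1] if words else ""

def find_spoofed(records):
    """(claimed, trusted, MESSAGE) where the asserted sender differs from the verified one."""
    hits = []
    for rec in records:
        claimed, trusted = claimed_identity(rec), trusted_identity(rec)
        if claimed and trusted and claimed != trusted:
            hits.append((claimed, trusted, rec.get("MESSAGE", "")))
    return hits
```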

Systemd Secures Journald from attack

SELinux Changes

New Confined Domains

New Confined Domains F13

httpd_mediawiki_script_t - Mediawiki wiki engine
namespace_init_t - Init script used by pam_namespace
boinc domains - Berkeley Network Computing
jabber domains - Open Source Jabber Server
mpd_t - Music Player Daemon
munin plugin domains - monitor network resource tool
nagios plugin domains - monitor infrastructure tool
passenger_t - Ruby application server
piranha domains - clustering service tools
foghorn_t - D-Bus to SNMP service
vdagent_t - Agent for Spice guests

New Confined Domains F14

drbd_t - Block Device over network daemon
mock_t - Package Building tools
mozilla_plugin_t - Firefox Plugin Containment
puppet daemons - Puppet daemons
vnstatd_t - Console-based network traffic monitor
zarafa_domains - Collaboration Platform

New Confined Domains F15

staff_gkeyringd_t - Confined keyring in user sessions
chrome_sandbox domains - chrome_sandbox applications
telepathy domains - communications framework
iwhd_t - Image Warehouse Daemon
mongod_t - mongodb database daemon
thin_t - thin Ruby Webserver
collectd domains - Statistics collection daemon
colord_t - color daemon
fail2ban_client_t - fail2ban daemon
firewalld_t - firewall daemon
l2tpd_t - Layer 2 Tunnelling Daemon
spamd domains - spam detection domains
systemd helper domains - Collaboration Platform
abrt domains - Automatic Bug Reporting
systemd domains - systemd helper applications

New Confined Domains F16

thumb_t - Thumb Drive Protection
pptp_t - Client for Microsoft PPTP Tunnels
quota_nld_t - Netlink Socket Quota Daemon
sshd_sandbox_t - sshd sandboxed apps domain
nova domains - OpenStack Nova Processes
rabbitmq domains - rabbitmq AMQP Server Processes
iwhd_t - Image WareHouse Daemon

New Confined Domains F17

couchdb_t - Document database server
zoneminder_t - Camera monitoring/analysis tool
keystone_t - OpenStack Identity Service
pacemaker_t - Cluster resource manager
sge domains - Domains for Sun Grid Engine

New Confined Domains F18

pkcsslotd_t - manages PKCS#11 objects
slpd_t - Service Location Protocol Daemon
sensord_t - Sensor information logging daemon
mandb_t - Cron job used to create /var/cache/man content
glusterd_t - policy for glusterd service
stapserver_t - Instrumentation System Server
realmd_t - AD realms/domains enrollment daemon
phpfpm_t - FastCGI Process Manager

New Permissive Domains F19

systemd_localed_t - systemd locale settings tool
systemd_hostnamed_t - systemd hostname settings tool
systemd_sysctl_t - systemd sysctl settings tool
httpd_mythtv_script_t - mythtv cgi scripts
openshift_cron_t - Cron jobs for openshift
swift_t - OpenStack Object Storage Server

Domains of interest

thumb_t - Thumbnail Protection
mozilla_plugin_t - Firefox Plugin Containment
chrome_sandbox domains - chrome_sandbox applications

New Protections

setsebool deny_ptrace
SELinux Systemd Access Control

Labeled NFS

Improving SELinux Usability

File Labeling

File Name Transitions

New SELinux support in coreutils

mv -Z, cp -Z, mkdir -Z, install -Z ...

Improved Command Documentation

bash completion


# getsebool samba_<tab>
samba_create_home_dirs   samba_export_all_ro      samba_share_fusefs
samba_domain_controller  samba_export_all_rw      samba_share_nfs
samba_enable_home_dirs   samba_run_unconfined   


# semanage <tab>
boolean     fcontext    login       node        port       
dontaudit   interface   module      permissive  user

# semanage fcontext -<tab>
-a           -d           --deleteall  -f           --help       --modify
--add        -D           -e           --ftype      --locallist  -t
-C           --delete     --equal      -h           -m           --type

new/improved man pages for semanage

Setroubleshoot - Journald integration
Figuring out SELinux issues prior to RHEL7
Máirín Duffy creates new content for her website. But when she tests it she gets Permission Denied.


She looked at the Apache logs:

# tail /var/log/httpd/error_log
[Fri Aug 02 08:05:43.347080 2013] [core:error] [pid 10556] (13)Permission denied: [client ::1:38045] AH00132: file permissions deny server access: /var/www/html/index.html

Maybe SELinux

# ausearch -m avc -ts recent -i
type=PATH msg=audit(08/02/2013 08:05:43.346:1197) : item=0 name=/var/www/html/index.html inode=3145858 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(08/02/2013 08:05:43.346:1197) :  cwd=/
type=SYSCALL msg=audit(08/02/2013 08:05:43.346:1197) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f476595da40 a1=O_RDONLY|O_CLOEXEC a2=0x0 a3=0x7fffe27e11b0 items=1 ppid=10552 pid=10556 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache ses=unset tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(08/02/2013 08:05:43.346:1197) : avc:  denied { read } for  pid=10556 comm=httpd name=index.html dev="sda3" ino=3145858 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file 

Did Setroubleshoot help?

# grep setroubleshoot /var/log/messages
Aug  2 08:01:46 redsox setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l fd6b9022-1ced-4065-905a-8f0e884f9915

sealert -l fd6b9022-1ced-4065-905a-8f0e884f9915

SELinux is preventing /usr/sbin/httpd from read access on the file /var/www/html/index.html.

*****  Plugin restorecon (92.2 confidence) suggests  *************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
#  /sbin/restorecon -v /var/www/html/index.html

Máirín Duffy gets Permission Denied on her web site

systemctl status httpd

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Fri 2013-08-02 08:01:35 EDT; 30min ago
 Main PID: 10552 (httpd)
   Status: "Total requests: 4; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─10552 /usr/sbin/httpd -DFOREGROUND
           ├─10553 /usr/libexec/nss_pcache 196611 off /etc/httpd/alias
           ├─10554 /usr/sbin/httpd -DFOREGROUND
           ├─10555 /usr/sbin/httpd -DFOREGROUND
           └─10569 /usr/sbin/httpd -DFOREGROUND

Aug 02 08:01:35 systemd[1]: Started The Apache HTTP Server.
Aug 02 08:01:46 python[10564]: SELinux is preventing /usr/sbin/httpd from read access on the file /va...html.
*****  Plugin restorecon (92.2 confidence) suggests  *************************
If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
#  /sbin/restorecon -v /var/www/html/index.html
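As an added example, not from the slides or from setroubleshoot's own code, the reasoning behind the restorecon suggestion above: parse the PATH and AVC records, look up the path's default type, and recommend a relabel only when the file's actual type differs from it. The file_contexts stand-in table is an assumption; a real system consults the installed policy via matchpathcon.

```python
import re

# Constructed copy of the PATH and AVC records from the ausearch output
# above; the file carries user_home_t, which httpd_t may not read.
AUSEARCH_OUTPUT = """\
type=PATH msg=audit(08/02/2013 08:05:43.346:1197) : item=0 name=/var/www/html/index.html inode=3145858 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=AVC msg=audit(08/02/2013 08:05:43.346:1197) : avc:  denied { read } for  pid=10556 comm=httpd name=index.html dev="sda3" ino=3145858 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Assumed, heavily trimmed stand-in for the policy's file_contexts database
# (path regex -> default type). On a real system matchpathcon(3) answers
# this from the installed policy; this table exists only for the demo.
DEFAULT_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
]

def parse_avc(output):
    """Extract the fields setroubleshoot reasons about from ausearch -i output."""
    info = {}
    for line in output.splitlines():
        if line.startswith("type=PATH"):
            info["path"] = re.search(r" name=(\S+)", line).group(1)
        elif line.startswith("type=AVC"):
            info["perms"] = re.search(r"denied\s+\{ ([^}]+) \}", line).group(1).split()
            for key in ("comm", "scontext", "tcontext", "tclass"):
                info[key] = re.search(rf"\b{key}=(\S+)", line).group(1)
    return info

def default_type(path):
    """Default type for a path: the longest (most specific) matching rule wins."""
    hits = [(len(rx), t) for rx, t in DEFAULT_CONTEXTS if re.fullmatch(rx, path)]
    return max(hits)[1] if hits else None

def diagnose(output):
    """The restorecon plugin's reasoning: a type that differs from the path's
    default means a mislabeled file, so relabeling (not new policy) is the fix."""
    info = parse_avc(output)
    current = info["tcontext"].split(":")[2]
    want = default_type(info["path"])
    if want and want != current:
        return {"fix": "restorecon", "current": current, "default": want,
                "command": f"restorecon -v {info['path']}"}
    return {"fix": "policy", "current": current, "default": want, "command": None}
```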


New tool suite

Introducing sepolicy

sepolicy manpage

Autogenerated > 1000 man pages, one per confined domain

man samba_selinux
smbd_selinux(8)            SELinux Policy smbd               smbd_selinux(8)

    smbd_selinux - Security Enhanced Linux Policy for the smbd processes

   Security-Enhanced Linux secures the smbd processes via flexible mandatory access control.

   The smbd processes execute with the smbd_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

   For example:
   ps -eZ | grep smbd_t

   The smbd_t SELinux type can be entered via the smbd_exec_t file type.
   The default entrypoint paths for the smbd_t domain are the following:
sepolicy generate

replace sepolgen

Generate Man page

Generate RPM Spec file ready for install

sepolicy gui

Secure Linux Containers

General Changes

Code Cleanup

Coverity & other static analyzers
dhcp 61 patches
bind9 35 patches
dnsmasq 23 patches sent
squid 157 patches
net-snmp 161 patches
fixed ...

GCC/glibc Improvements



setuid, setgid, and file-system-capability apps & daemons built with PIE and RELRO (RELocation Read-Only)

Remove SUID Applications

Change setuid apps to use file capabilities, where possible.

Hard Link/Soft Link Protection




SSSD supports one-time passwords

sudo can now use sssd for authorization data (sudoers)

KRB5 Credential Cache Moved into kernel key ring

openssh 6.2 better support for multi-factor authentication

Stop httpd attacks including SQL and command injection.
Shared System Certificates

NSS (Mozilla products like Firefox/Thunderbird) shares the same CA.

KVM/QEMU Security Features

QEMU sandbox
libseccomp, eliminating syscalls from the qemu process

paravirtualized device exposed as hardware RNG device to guest

Libvirt fine-grained ACL lists
Restrict actions on guests based on specific rules


Mutual Trusts with Active Directory