Security in Red Hat

Enterprise Linux 7

Daniel J Walsh

Consulting Engineer

@rhatdan, danwalsh.livejournal.com, dwalsh@redhat.com

Mark Shuttleworth

Canonical/Ubuntu

"At least we know now who belongs to the
Open Source Tea Party.

And to put all the hue and cry into context: Mir is relevant for approximately 1% of all developers, just those who think about shell development. Every app developer will consume Mir through their toolkit. By contrast, those same outraged individuals have NIH’d just about every important piece of the stack they can get their hands on… most notably SystemD, which is hugely invasive and hardly justified."

Systemd Security Features

Super
Lennart?

Mark Shuttleworth Shows Why Open Source Is Awesome, Ubuntu to Adopt Systemd

http://news.softpedia.com/news/Mark-Shuttleworth-Shows-Why-Open-Source-Is-Awesome-Ubuntu-to-Adopt-Systemd-426925.shtml
systemd starting daemons

Services always start the same way

started at boot
started by dbus
started by admin

Eliminate leaked info from administrative account to service
http://danwalsh.livejournal.com/51942.html

PrivateTmp

Add PrivateTmp=yes to the systemd unit file
http://danwalsh.livejournal.com/51459.html

PrivateNetwork

Add PrivateNetwork=yes to the systemd unit file
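An added example, not from the slides: a small POSIX shell audit that reports which unit files in a directory set PrivateTmp=yes and PrivateNetwork=yes, so a defender can see which services still share the host /tmp (and the host network) with the administrator's session. It reads plain unit files only and ignores drop-in overrides, which is an assumption a real audit would have to lift; the three sample units it writes (ntpd.service, report.service, legacy.service, and the /usr/local/bin/make-report path) are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the slides: audit unit files for the two sandboxing
# directives named above. Only the [Service] section of each file is
# consulted; drop-in overrides (NAME.service.d/*.conf) are not merged in.

# unit_has_setting FILE KEY VALUE -> status 0 when the last KEY= line in
# [Service] equals VALUE (systemd lets a later assignment override an earlier one).
unit_has_setting() {
    file=$1 key=$2 value=$3
    last=$(awk -v key="$key" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }' "$file")
    [ "$last" = "$value" ]
}

# audit_units DIR -> one line per *.service file in DIR:
#   NAME private_tmp=yes|no private_network=yes|no
audit_units() {
    dir=$1
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        tmp=no; net=no
        unit_has_setting "$unit" PrivateTmp yes && tmp=yes
        unit_has_setting "$unit" PrivateNetwork yes && net=yes
        printf '%s private_tmp=%s private_network=%s\n' \
            "$(basename "$unit")" "$tmp" "$net"
    done
}

# count_unsandboxed DIR -> number of units that still share the host /tmp.
count_unsandboxed() {
    audit_units "$1" | grep -c 'private_tmp=no' || true
}

# make_sample_units DIR writes three constructed unit files for a dry run:
# a time daemon with a private /tmp, a local report job that needs neither
# /tmp nor the network, and a legacy unit with no sandboxing at all.
make_sample_units() {
    dir=$1
    cat > "$dir/ntpd.service" <<'EOF'
[Unit]
Description=Network Time Service

[Service]
ExecStart=/usr/sbin/ntpd -n -u ntp:ntp -g
PrivateTmp=yes
EOF
    cat > "$dir/report.service" <<'EOF'
[Unit]
Description=Nightly local report (constructed sample)

[Service]
Type=oneshot
ExecStart=/usr/local/bin/make-report
PrivateTmp=yes
PrivateNetwork=yes
EOF
    cat > "$dir/legacy.service" <<'EOF'
[Unit]
Description=Legacy daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/legacyd
EOF
}

# Dry run against the constructed units (no root, nothing touched in /etc):
#   d=$(mktemp -d); make_sample_units "$d"; audit_units "$d"; rm -r "$d"
```

On a real host the same functions run over /usr/lib/systemd/system; a unit that needs no network at all (local cron-style jobs, log processors) is the natural candidate for PrivateNetwork=yes, while PrivateTmp=yes is safe for almost every daemon.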

Journald Security Features


Kay Sievers

journald

Captures messages from boot to shutdown

Captures stdout/stderr from services into log

Captures identity of application writing to /dev/log

SYSLOG_IDENTIFIER=sshd
SYSLOG_PID=2302
MESSAGE=sshd Fake message from sshd.
_PID=2302
_UID=0
_GID=0
_AUDIT_LOGINUID=3267
_COMM=ntpd
_EXE=/usr/sbin/ntpd
_CMDLINE=/usr/sbin/ntpd -n -u ntp:ntp -g
_SYSTEMD_CGROUP=/system/ntpd.service
_SYSTEMD_UNIT=ntpd.service
_SELINUX_CONTEXT=system_u:system_r:ntpd_t:s0
_SOURCE_REALTIME_TIMESTAMP=1330527027590337
_BOOT_ID=4c3d0faf6b774fb7930972c1a4a5f870

http://danwalsh.livejournal.com/52550.html
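An added example, not part of the slides or of systemd itself: the trusted fields (the ones with a leading underscore) are filled in by journald from the sender's socket credentials and cannot be set by the logging process, so a mismatch between the caller-supplied SYSLOG_IDENTIFIER and the trusted _COMM is a cheap thing to look for. The shell filter below reads records in the key=value form that `journalctl -o export` prints (one blank line between entries; the binary-field variant of that format is not handled) and prints one line per record where the two disagree. The two sample records are constructed, the first copied from the slide above. A mismatch is a lead, not proof: `logger -t` and interpreter-driven scripts legitimately set their own identifier.

```shell
#!/bin/sh
# Added example, not from the slides: compare the caller-supplied syslog
# identifier with journald's trusted _COMM field.  Input is key=value
# records separated by a blank line, as in `journalctl -o export`
# (the binary-field variant of that format is not handled here).

# flag_identity_mismatch: stdin -> one line per record whose
# SYSLOG_IDENTIFIER differs from _COMM.
flag_identity_mismatch() {
    awk '
        function emit() {
            if (("SYSLOG_IDENTIFIER" in f) && ("_COMM" in f) &&
                f["SYSLOG_IDENTIFIER"] != f["_COMM"])
                printf "pid=%s claims=%s comm=%s exe=%s unit=%s\n",
                    f["_PID"], f["SYSLOG_IDENTIFIER"], f["_COMM"],
                    f["_EXE"], f["_SYSTEMD_UNIT"]
            split("", f)          # reset the field table for the next record
        }
        /^$/ { emit(); next }
        {
            eq = index($0, "=")
            if (eq > 0) f[substr($0, 1, eq - 1)] = substr($0, eq + 1)
        }
        END { emit() }'
}

# sample_journal_export prints two constructed records: the spoofed
# message from the slide (ntpd claiming to be sshd) and a genuine sshd line.
sample_journal_export() {
    cat <<'EOF'
SYSLOG_IDENTIFIER=sshd
SYSLOG_PID=2302
MESSAGE=sshd Fake message from sshd.
_PID=2302
_UID=0
_GID=0
_COMM=ntpd
_EXE=/usr/sbin/ntpd
_CMDLINE=/usr/sbin/ntpd -n -u ntp:ntp -g
_SYSTEMD_UNIT=ntpd.service
_SELINUX_CONTEXT=system_u:system_r:ntpd_t:s0

SYSLOG_IDENTIFIER=sshd
SYSLOG_PID=2410
MESSAGE=Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
_PID=2410
_UID=0
_COMM=sshd
_EXE=/usr/sbin/sshd
_SYSTEMD_UNIT=sshd.service
_SELINUX_CONTEXT=system_u:system_r:sshd_t:s0
EOF
}

# On a live system the same filter runs over the real journal:
#   journalctl -o export --since today | flag_identity_mismatch
```

The same trusted fields are what make the _SELINUX_CONTEXT and _SYSTEMD_UNIT values in the slide useful for triage: they tell you which confined domain and which unit actually produced a line, whatever the line claims about itself.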

Systemd Secures Journald from attack

http://danwalsh.livejournal.com/58647.html

SELinux Changes

New Confined Domains

New Confined Domains F13

httpd_mediawiki_script_t  Mediawiki wiki engine
namespace_init_t          Init script used by pam_namespace
boinc domains             Berkeley Network Computing
jabber domains            Open source Jabber server
mpd_t                     Music Play Daemon
munin plugin domains      monitor network resource tool
nagios plugin domains     monitor infrastructure tool
passenger_t               Ruby application server
piranha domains           clustering service tools
foghorn_t                 D-Bus to SNMP service
vdagent_t                 Agent for Spice guests

New Confined Domains F14

drbd_t                    Block Device over network daemon
mock_t                    Package Building tools
mozilla_plugin_t          Firefox Plugin Containment
puppet daemons            puppet daemons
vnstatd_t                 Console-based network traffic monitor
zarafa domains            Collaboration Platform

New Confined Domains F15

staff_gkeyringd_t         Confined keyring in user sessions
chrome_sandbox domains    chrome_sandbox applications
telepathy domains         communications framework
iwhd_t                    Image Warehouse Daemon
mongod_t                  mongodb database daemon
thin_t                    thin Ruby Webserver
collectd domains          Statistics collection daemon
colord_t                  color daemon
fail2ban_client_t         fail2ban daemon
firewalld_t               firewall daemon
l2tpd_t                   Layer 2 Tunnelling Daemon
spamd domains             spam detection domains
systemd helper domains    Collaboration Platform
abrt domains              Automatic Bug Reporting
systemd domains           systemd helper applications

New Confined Domains F16

thumb_t                   Thumb Drive Protection
pptp_t                    Client for Microsoft PPTP tunnels
quota_nld_t               Netlink socket quota daemon
sshd_sandbox_t            sshd sandboxed apps domain
nova domains              OpenStack Nova processes
rabbitmq domains          rabbitmq AMQP server processes
iwhd_t                    Image Warehouse Daemon

New Confined Domains F17

couchdb_t                 Document database server
zoneminder_t              Camera monitoring/analysis tool
keystone_t                OpenStack Identity Service
pacemaker_t               Cluster resource manager
sge domains               Domains for Sun Grid Engine

New Confined Domains F18

pkcsslotd_t               manages PKCS#11 objects
slpd_t                    Service Location Protocol daemon
sensord_t                 Sensor information logging daemon
mandb_t                   Cron job used to create /var/cache/man content
glusterd_t                policy for glusterd service
stapserver_t              Instrumentation System Server
realmd_t                  AD realms/domains enrollment daemon
phpfpm_t                  FastCGI Process Manager

New Permissive Domains F19

systemd_localed_t         systemd locale settings tool
systemd_hostnamed_t       systemd hostname settings tool
systemd_sysctl_t          systemd sysctl settings tool
httpd_mythtv_script_t     mythtv cgi scripts
openshift_cron_t          Cron jobs for openshift
swift_t                   OpenStack Object Storage Server

Domains of interest

thumb_t                   Thumbnail Protection
                          http://danwalsh.livejournal.com/54092.html
mozilla_plugin_t          Firefox Plugin Containment
chrome_sandbox domains    chrome_sandbox applications

New Protections

setsebool deny_ptrace
http://danwalsh.livejournal.com/49336.html

SELinux Systemd Access Control
http://danwalsh.livejournal.com/57377.html

Labeled NFS

Improving SELinux Usability

File Labeling

File Name Transitions http://danwalsh.livejournal.com/45414.html

New SELinux support in coreutils http://danwalsh.livejournal.com/67751.html

mv -Z, cp -Z, mkdir -Z, install -Z ...

Improved Command Documentation

bash completion

setsebool/getsebool

# getsebool samba_<tab>
samba_create_home_dirs   samba_export_all_ro      samba_share_fusefs
samba_domain_controller  samba_export_all_rw      samba_share_nfs
samba_enable_home_dirs   samba_run_unconfined   

semanage

# semanage <tab>
boolean     fcontext    login       node        port       
dontaudit   interface   module      permissive  user

# semanage fcontext -<tab>
-a           -d           --deleteall  -f           --help       --modify
--add        -D           -e           --ftype      --locallist  -t
-C           --delete     --equal      -h           -m           --type

new/improved man pages for semanage

Setroubleshoot - Journald integration
Figuring out SELinux issues prior to RHEL7
Máirín Duffy creates new content for her website. But when she tests it she gets Permission Denied.

Why?

She looked at apache logs

# tail /var/log/httpd/error_log
[Fri Aug 02 08:05:43.347080 2013] [core:error] [pid 10556] (13)Permission denied: [client ::1:38045] AH00132: file permissions deny server access: /var/www/html/index.html

Maybe SELinux

# ausearch -m avc -ts recent -i
type=PATH msg=audit(08/02/2013 08:05:43.346:1197) : item=0 name=/var/www/html/index.html inode=3145858 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(08/02/2013 08:05:43.346:1197) :  cwd=/
type=SYSCALL msg=audit(08/02/2013 08:05:43.346:1197) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f476595da40 a1=O_RDONLY|O_CLOEXEC a2=0x0 a3=0x7fffe27e11b0 items=1 ppid=10552 pid=10556 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache ses=unset tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(08/02/2013 08:05:43.346:1197) : avc:  denied { read } for  pid=10556 comm=httpd name=index.html dev="sda3" ino=3145858 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file 

Did Setroubleshoot help?

# grep setroubleshoot /var/log/messages
Aug  2 08:01:46 redsox setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l fd6b9022-1ced-4065-905a-8f0e884f9915

sealert -l fd6b9022-1ced-4065-905a-8f0e884f9915

SELinux is preventing /usr/sbin/httpd from read access on the file /var/www/html/index.html.

*****  Plugin restorecon (92.2 confidence) suggests  *************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
#  /sbin/restorecon -v /var/www/html/index.html
In RHEL7

Máirín Duffy gets Permission Denied on her web site

systemctl status httpd

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Fri 2013-08-02 08:01:35 EDT; 30min ago
 Main PID: 10552 (httpd)
   Status: "Total requests: 4; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─10552 /usr/sbin/httpd -DFOREGROUND
           ├─10553 /usr/libexec/nss_pcache 196611 off /etc/httpd/alias
           ├─10554 /usr/sbin/httpd -DFOREGROUND
           ├─10555 /usr/sbin/httpd -DFOREGROUND
           └─10569 /usr/sbin/httpd -DFOREGROUND

Aug 02 08:01:35 redsox.boston.devel.redhat.com systemd[1]: Started The Apache HTTP Server.
Aug 02 08:01:46 redsox.boston.devel.redhat.com python[10564]: SELinux is preventing /usr/sbin/httpd from read access on the file /va...html.
*****  Plugin restorecon (92.2 confidence) suggests  *************************
If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
#  /sbin/restorecon -v /var/www/html/index.html

http://danwalsh.livejournal.com/65777.html
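An added example, not from the slides and not what setroubleshoot itself runs: a shell filter that reduces `ausearch -m avc -i` records like the ones above to one line per denial, taking the full path from the PATH record and the permission, command, and source and target types from the AVC record. The sample input is a copy of three of the slide's own records, embedded here. The filter assumes the PATH record precedes the AVC record within an event, as ausearch -i prints it, and falls back to the basename from the AVC line otherwise.

```shell
#!/bin/sh
# Added example, not from the slides: one-line summaries of AVC denials from
# `ausearch -m avc -i` output. The PATH record of an event carries the full
# path; the AVC record carries the permission, the process and both contexts.

# avc_summary: stdin -> "denied PERM on PATH (CLASS) by COMM [SRC_TYPE] target type TGT_TYPE"
avc_summary() {
    awk '
        # kv(line, key): value of the first "key=..." token on the line
        function kv(line, key,    n, i, parts) {
            n = split(line, parts, " ")
            for (i = 1; i <= n; i++)
                if (index(parts[i], key "=") == 1)
                    return substr(parts[i], length(key) + 2)
            return ""
        }
        # type_of(context): the type part of user:role:type:level
        function type_of(ctx,    p) { split(ctx, p, ":"); return p[3] }
        /^type=PATH / { path = kv($0, "name") }
        /^type=AVC / {
            # "denied { read }" -> "read"; several permissions stay space-separated
            match($0, /denied [{] [^}]* [}]/)
            perm = substr($0, RSTART + 9, RLENGTH - 11)
            if (path == "") path = kv($0, "name")   # basename only, if no PATH record
            printf "denied %s on %s (%s) by %s [%s] target type %s\n",
                perm, path, kv($0, "tclass"), kv($0, "comm"),
                type_of(kv($0, "scontext")), type_of(kv($0, "tcontext"))
            path = ""
        }'
}

# sample_ausearch prints three records of the event from the slide (constructed copy).
sample_ausearch() {
    cat <<'EOF'
type=PATH msg=audit(08/02/2013 08:05:43.346:1197) : item=0 name=/var/www/html/index.html inode=3145858 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(08/02/2013 08:05:43.346:1197) :  cwd=/
type=AVC msg=audit(08/02/2013 08:05:43.346:1197) : avc:  denied { read } for  pid=10556 comm=httpd name=index.html dev="sda3" ino=3145858 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# On a live system:  ausearch -m avc -ts recent -i | avc_summary
```

The summary line already shows the diagnosis from the slide: httpd_t is reading a file labelled user_home_t, which is the mark of content copied in from a home directory. Before relabelling, `matchpathcon /var/www/html/index.html` prints the label the policy expects, and `restorecon -nv PATH` dry-runs the change so you can see what would be relabelled.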


New tool suite

Introducing sepolicy
http://danwalsh.livejournal.com/60366.html
http://danwalsh.livejournal.com/60528.html
http://danwalsh.livejournal.com/60801.html

sepolicy manpage

autogenerated > 1000 Man pages, one per confined domain

man samba_selinux
smbd_selinux(8)            SELinux Policy smbd               smbd_selinux(8)

NAME
    smbd_selinux - Security Enhanced Linux Policy for the smbd processes

DESCRIPTION
   Security-Enhanced Linux secures the smbd processes via flexible mandatory access control.

   The smbd processes execute with the smbd_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

   For example:
   ps -eZ | grep smbd_t

ENTRYPOINTS
   The smbd_t SELinux type can be entered via the smbd_exec_t file type.
   The default entrypoint paths for the smbd_t domain are the following:
   /usr/sbin/smbd
...
sepolicy generate
http://danwalsh.livejournal.com/61107.html

replace sepolgen

Generate Man page

Generate RPM Spec file ready for install

sepolicy gui

Secure Linux Containers

http://danwalsh.livejournal.com/59144.html

General Changes

Code Cleanup

Coverity & other static analyzers

dhcp       61 patches
bind9      35 patches
dnsmasq    23 patches sent
squid     157 patches
net-snmp  161 patches
fixed ...

GCC/glibc Improvements

-fstack-protector-strong
https://people.redhat.com/sgrubb/files/hardening-elf-apps.pdf

GCC/glibc Improvements

setuid, setgid and file-system-capability apps & daemons built with PIE and RELRO
RELRO: RELocation Read-Only
https://fedoraproject.org/wiki/Security_Features_Matrix#Built_with_RELRO
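An added example, not from the slides or the linked PDF: a shell check that reads the combined output of `readelf -h -l -d -s BINARY` and reports the three properties the slides name. The rules are the usual ones from checksec-style tools, stated here as assumptions: an executable of ELF type DYN is treated as PIE (a plain shared library would also report DYN), a GNU_RELRO segment gives partial RELRO and becomes full RELRO when BIND_NOW is also set, and a reference to __stack_chk_fail shows the stack protector was compiled in. Two constructed readelf excerpts stand in for a hardened and a legacy binary.

```shell
#!/bin/sh
# Added example, not from the slides: summarise PIE, RELRO and stack
# protector status from `readelf -h -l -d -s BINARY` output read on stdin.
# Assumptions: ELF type DYN means PIE for an executable (a plain shared
# library would also report DYN); full RELRO = GNU_RELRO segment + BIND_NOW.

# hardening_report: stdin -> "pie=yes|no relro=none|partial|full stack_protector=yes|no"
hardening_report() {
    awk '
        /^ *Type: +DYN/            { dyn = 1 }
        /GNU_RELRO/                { relro = 1 }
        /\(BIND_NOW\)/             { bindnow = 1 }   # old-style DT_BIND_NOW tag
        /\(FLAGS\).*BIND_NOW/      { bindnow = 1 }   # DT_FLAGS: BIND_NOW
        /\(FLAGS_1\).*NOW/         { bindnow = 1 }   # DT_FLAGS_1: NOW
        /__stack_chk_fail/         { ssp = 1 }
        END {
            r = relro ? (bindnow ? "full" : "partial") : "none"
            printf "pie=%s relro=%s stack_protector=%s\n",
                (dyn ? "yes" : "no"), r, (ssp ? "yes" : "no")
        }'
}

# Constructed readelf excerpts: only the lines the filter looks at are
# reproduced; the rest of the real output is omitted.
sample_readelf_hardened() {
    cat <<'EOF'
ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  GNU_RELRO      0x0000000000002d50 0x0000000000003d50 0x0000000000003d50
Dynamic section at offset 0x2d60 contains 26 entries:
  Tag        Type                         Name/Value
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 12 entries:
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
EOF
}

sample_readelf_legacy() {
    cat <<'EOF'
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
Dynamic section at offset 0xe28 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 6 entries:
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
EOF
}

# On a live system:  readelf -h -l -d -s /usr/sbin/httpd | hardening_report
```

The setuid and file-capability binaries the slides single out are the ones to run this over first: a non-PIE binary with partial or no RELRO leaves a fixed address layout and a writable GOT to anyone who finds a memory-safety bug in a privileged process.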

Remove SUID Applications

Change setuid apps to use file capabilities, where possible.

https://fedoraproject.org/wiki/Features/RemoveSETUID

http://welldefinedbehaviour.wordpress.com/2014/01/27/safer-suexec-from-setuid-to-linux-capabilities

Hard Link/Soft Link Protection


http://danwalsh.livejournal.com/64493.html

questions?

Applications

SSSD

SSSD supports one-time passwords

sudo can now use sssd for authorization data (sudoers)
http://danwalsh.livejournal.com/52281.html

KRB5 Credential Cache Moved into kernel key ring
http://danwalsh.livejournal.com/59060.html

openssh 6.2 better support for multi-factor authentication

http://danwalsh.livejournal.com/65054.html

gssproxy
http://danwalsh.livejournal.com/65467.html
mod_security
Stop httpd attacks including SQL and command injection.
firewalld
http://danwalsh.livejournal.com/56179.html
Shared System Certificates

NSS (Mozilla products like Firefox/Thunderbird)
GnuTLS
OpenSSL
Java
share the same set of trusted CAs.
http://danwalsh.livejournal.com/62737.html

KVM/QEMU Security Features

QEMU sandbox
libseccomp, eliminate syscalls from the qemu process

virtio-rng
paravirtualized device exposed as hardware RNG device to guest

Libvirt fine-grained ACLs
Restrict actions on guests based on specific rules

IDM

Mutual Trusts with Active Directory

http://danwalsh.livejournal.com/58032.html