Daniel J Walsh
SELinux is a LABELING system
Every Process has a LABEL
Every File, Directory, System object has a LABEL
Policy rules control access between labeled processes and labeled objects
The Kernel enforces the rules
Isolates Processes from each other based on types
Apache processes labeled as httpd_t
can only read/write apache content "httpd_sys_content_t"
Communicate with Mariadb via /var/run/mariadb.socket (mariadb_sock_t).
Can't read Mariadb database directly (mariadb_db_t), even if root.
Multi Category Security
Based on Multi Level Security (MLS)
Protects like processes from each other.
VMs, Openshift Gears, SELinux Sandboxes, Docker Containers.
Tooling picks out random MCS Label.
Assigns MCS Label to all content
Launches the processes with same label
Tooling guarantees uniqueness
The 4 key causes of SELinux errors
1. SELinux == Labeling
2. SELinux Needs to Know
3. SELinux Policy/App can have bugs
4. You could be COMPROMISED!!!
Every process and object on the machine has a label associated with it
If your files are not labeled correctly access might be denied.
If you use alternative paths for confined domains
SELinux needs to KNOW.
http files in /srv/myweb instead of /var/www/html?
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb
# semanage fcontext -a -e /var/www /srv/myweb
Tells SELinux to label all files and directories under /srv/myweb the same as /var/www
/srv/myweb/cgi-bin/mycgi.cgi will get labeled httpd_sys_script_t
# semanage fcontext -a -e /home /export/home
Label all files under /export/home as if they were under /home
/export/home/dwalsh/.ssh will get labeled ssh_home_t
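To show how the equivalence rules above combine with ordinary fcontext entries when a default label is chosen, here is an added example (not from the slides or the SELinux tools) that models the lookup in Python. The fcontext table, the first-match rule and the user_home_t entry are simplifications I assume for illustration; the equivalences and the other types are the ones on the slides.

```python
import re

# Constructed, simplified model of how a default file label is resolved:
# first the file_contexts.subs equivalences (semanage fcontext -e) rewrite
# the path prefix, then the rewritten path is matched against fcontext
# regexes. The regex table is a hand-written subset, not the real policy.

# (actual_path, equivalent_path), as recorded by the -e option
SUBS = [
    ("/srv/myweb", "/var/www"),    # semanage fcontext -a -e /var/www /srv/myweb
    ("/export/home", "/home"),     # semanage fcontext -a -e /home /export/home
]

# (regex, type): most specific entries first, first match wins (simplified);
# user_home_t is a standard type assumed here, not one named on the slides
FCONTEXTS = [
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/home/[^/]+/\.ssh(/.*)?", "ssh_home_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
]


def substitute(path, subs=SUBS):
    """Rewrite path using the longest matching equivalence prefix.
    Only whole path components match: /srv/mywebsite is not under /srv/myweb."""
    for actual, equivalent in sorted(subs, key=lambda s: -len(s[0])):
        if path == actual or path.startswith(actual + "/"):
            return equivalent + path[len(actual):]
    return path


def default_type(path, subs=SUBS, fcontexts=FCONTEXTS):
    """Type restorecon would assign under this model, or None if no rule
    matches (a real system's catch-all rule would give default_t, which
    httpd_t cannot read, so apache would be denied access)."""
    resolved = substitute(path, subs)
    for pattern, setype in fcontexts:
        if re.fullmatch(pattern, resolved):
            return setype
    return None


if __name__ == "__main__":
    for p in ("/srv/myweb/cgi-bin/mycgi.cgi", "/export/home/dwalsh/.ssh",
              "/srv/mywebsite/index.html"):
        print(p, "->", default_type(p))
```

Passing `subs=[]` shows the failure mode from the slide: without the equivalence rule the web content under /srv/myweb matches no httpd entry at all.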
How did you configure your apache server?
If you want httpd to send email
# setsebool -P httpd_can_sendmail 1
vsftpd set up for users to log in
# setsebool -P ftp_home_dir 1
HTTPD is set up to listen on port 8585
# semanage port -a -t http_port_t -p tcp 8585
Unusual Code Paths
Redirection of stdout
Leaked File Descriptors
Badly built libraries
Report the bugs in Bugzilla so we can fix them
Current tools do not do a good job of differentiating
If you have a confined domain that tries to:
Load a kernel module
Turn off SELinux enforcing mode
Write to etc_t or shadow_t
Modify iptables rules