Daniel J Walsh

Consulting Engineer

Twitter: @rhatdan




Everyone Please Stand Up and Repeat after me

SELinux is a LABELING system

Every Process has a LABEL

Every File, Directory, System object has a LABEL

Policy rules control access between labeled processes and labeled objects

The Kernel enforces the rules

SELinux Coloring Book

Type Enforcement

Isolates Processes from each other based on types

Apache processes labeled httpd_t
can only read/write Apache content labeled httpd_sys_content_t.

They communicate with MariaDB via /var/run/mariadb.socket (mariadb_sock_t).

They can't read the MariaDB database files directly (mariadb_db_t),
even if running as root.

MCS Enforcement

Multi Category Security

Based on Multi Level Security (MLS)

Protects like processes from each other.

VMs, OpenShift Gears, SELinux Sandboxes, Docker Containers.

Tooling picks a random MCS label.

Assigns that MCS label to all of the instance's content.

Launches the instance's processes with the same label.

Tooling guarantees the label is unique.

What is SELinux trying to tell me?

The 4 key causes of SELinux errors

1. SELinux == Labeling

2. SELinux Needs to Know

3. SELinux Policy/App can have bugs

4. You could be COMPROMISED!!!

SELinux == Labeling

Every process and object on the machine has a label
associated with it

If your files are not labeled correctly access might be denied.

If you use alternative paths for confined domains
SELinux needs to KNOW.

Web content in /srv/myweb instead of /var/www/html?
Tell SELinux.

# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# restorecon -R /srv/myweb

Equivalency labeling

semanage fcontext -a -e /srv/myweb /var/www

Tells SELinux to label all files and directories under
/srv/myweb the same as the corresponding paths under /var/www

/srv/myweb/cgi-bin/mycgi.cgi will get labeled httpd_sys_script_t

semanage fcontext -a -e /export/home /home

Label all files under
/export/home as if they were under /home

/export/home/dwalsh/.ssh will get labeled ssh_home_t
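To make the two mechanisms above concrete, here is an added shell example (not from the talk) that mimics how restorecon and matchpathcon decide a label: equivalency rules rewrite the path prefix first, then the fcontext regexes are matched with the last-defined rule winning, which is why a rule added with semanage (stored in file_contexts.local, after the distribution rules) takes precedence. The rule set and equivalency list are a constructed subset of the real policy, and the tool names (apply_subs, label_for) are this example's own.

```shell
#!/bin/sh
# Added example, not from the talk: simulate the lookup restorecon/matchpathcon
# perform when deciding a file's label. The rules below are a constructed
# subset; a real file_contexts has thousands of entries.

# "regex type", one rule per line. Rules are consulted bottom-up, so the last
# matching rule wins: the final line is what
#   semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# records in file_contexts.local, which is loaded after the distribution rules.
FCONTEXTS='/.* default_t
/home/[^/]+/.* user_home_t
/home/[^/]+/\.ssh(/.*)? ssh_home_t
/var/www(/.*)? httpd_sys_content_t
/srv/myweb(/.*)? httpd_sys_content_t'

# Equivalency rules (what "semanage fcontext -a -e /export/home /home" records):
# "source target", applied as a prefix rewrite before the regex lookup.
SUBS='/export/home /home'

# Rewrite the path prefix according to the equivalency rules.
apply_subs() {
    printf '%s\n' "$SUBS" | {
        p=$1
        while read -r src dst; do
            case $p in
                "$src"|"$src"/*) p="$dst${p#"$src"}" ;;
            esac
        done
        printf '%s\n' "$p"
    }
}

# Print the type the path would receive: apply equivalency, then take the
# last-defined regex that matches the whole path (sed reverses the rule list).
label_for() {
    p=$(apply_subs "$1")
    printf '%s\n' "$FCONTEXTS" | sed '1!G;h;$!d' | while read -r re type; do
        if printf '%s\n' "$p" | grep -Eq "^${re}\$"; then
            printf '%s\n' "$type"
            break
        fi
    done
}

# /srv/other falls through to default_t: content SELinux was never told about,
# which httpd_t is not allowed to read.
for path in /srv/myweb/index.html /srv/other/index.html \
            /export/home/dwalsh/.ssh/id_rsa /home/dwalsh/notes.txt; do
    printf '%-36s %s\n' "$path" "$(label_for "$path")"
done
```

Running it shows the myweb rule and the /export/home equivalency producing exactly the labels the slides describe, while an untreated path such as /srv/other only matches the catch-all default_t rule; after a real semanage change, restorecon -R is still what writes the new label onto the files.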

SELinux needs to KNOW

How did you configure your apache server?

Tell SELinux!!

If you want httpd to send email

# setsebool -P httpd_can_sendmail 1

vsftpd is set up for users to log in

# setsebool -P ftp_home_dir 1

httpd is set up to listen on port 8585

# semanage port -a -t http_port_t -p tcp 8585

SELinux policy/Apps can have bugs

SELinux policy can have bugs

Unusual code paths

Redirection of stdout

Apps can have bugs

Leaked File Descriptors

Executable Memory

Badly built libraries

Report the bugs in Bugzilla so we can fix them

You could be COMPROMISED!!!

Current tools do not do a good job of differentiating

If you have a confined domain that tries to:

Load a kernel module

Turn off SELinux enforcing mode

Write to etc_t or shadow_t

Modify iptables rules

You might be compromised
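An added shell example (not from the talk) that applies the four-cause checklist to audit records, covering both the "SELinux needs to know" slides and the compromise indicators above: it parses AVC denial lines and tags each as a labeling problem (cause 1), something SELinux has to be told about (cause 2), a probable policy or application bug (cause 3), or one of the compromise indicators listed on this slide (cause 4). The audit lines are constructed to match the audit.log format, not captured from a real host; the mapping of target types and permissions to causes (including treating CAP_NET_ADMIN as the capability an iptables change needs) is this example's own heuristic and will need tuning for a real system.

```shell
#!/bin/sh
# Added example, not from the talk: sort AVC denials into the four causes.
# SAMPLE_AUDIT is constructed to look like audit.log entries; it is not real data.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=41 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1201 comm="httpd" name="shadow" dev="dm-0" ino=67 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { sys_module } for  pid=1201 comm="httpd" capability=16 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1700000000.105:205): avc:  denied  { setenforce } for  pid=1201 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0
type=AVC msg=audit(1700000000.106:206): avc:  denied  { write } for  pid=1201 comm="httpd" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0'

# Pull one field out of an AVC line: $1 = line, $2 = sed BRE with one group.
field() { printf '%s\n' "$1" | sed -n "s/.*$2.*/\\1/p"; }

# Read AVC lines on stdin, print "CAUSE comm (domain) class {perms} -> type note".
triage_avc() {
    while IFS= read -r line; do
        case $line in *'avc:  denied'*) ;; *) continue ;; esac
        perms=$(field "$line" '{ *\([^}]*[^ }]\) *}')
        tclass=$(field "$line" 'tclass=\([^ ]*\)')
        comm=$(field "$line" 'comm="\([^"]*\)"')
        sdom=$(field "$line" 'scontext=[^:]*:[^:]*:\([^:]*\):')
        ttype=$(field "$line" 'tcontext=[^:]*:[^:]*:\([^:]*\):')

        # Default: cause 3, something to report in Bugzilla (e.g. a leaked
        # terminal descriptor shows up as a write to user_devpts_t).
        cause="BUG"; note="unusual code path or leaked descriptor: report it"

        # Cause 1: the target carries a label no policy rule ever assigned.
        case $ttype in
            default_t|unlabeled_t|file_t)
                cause="LABELING"; note="target is $ttype: restorecon or add an fcontext rule" ;;
        esac

        # Cause 2: a port the domain was never told about (semanage port / boolean).
        case "$tclass:$perms" in
            tcp_socket:name_bind*|tcp_socket:name_connect*)
                cause="NEEDS-TO-KNOW"; note="port type $ttype: semanage port or a boolean" ;;
        esac

        # Cause 4: the indicators from the slide. CAP_NET_ADMIN standing in for
        # iptables changes is this example's assumption.
        case "$tclass:$ttype:$perms" in
            capability:*:*sys_module*) cause="COMPROMISED"; note="kernel module load from $sdom" ;;
            security:*:*setenforce*)   cause="COMPROMISED"; note="attempt to disable enforcing mode" ;;
            capability:*:*net_admin*)  cause="COMPROMISED"; note="CAP_NET_ADMIN (firewall/iptables change)" ;;
            *:shadow_t:*write*|*:etc_t:*write*)
                cause="COMPROMISED"; note="write to $ttype" ;;
        esac

        printf '%-13s %s (%s) %s {%s} -> %s  %s\n' \
            "$cause" "$comm" "$sdom" "$tclass" "$perms" "$ttype" "$note"
    done
}

printf '%s\n' "$SAMPLE_AUDIT" | triage_avc
```

On a real host the input would be `ausearch -m AVC` output rather than the constructed sample, and the COMPROMISED lines are the ones worth treating as an incident rather than a policy bug: a confined web server has no legitimate reason to load modules, flip enforcing mode, or write to shadow_t.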