Introduction
What could go wrong?
Enter SELinux
MAC vs. DAC Smackdown
MAC vs. DAC Smackdown (cont.)
SELinux Benefits
SELinux Forms of Access Control
What SELinux is not
SELinux is not:
A replacement for passwords, firewalls, or other security systems.
Antivirus software.
An all-in-one security solution.
Getting into SELinux: The Security Context
Looking at the Security Context
-Z is your friend
SELinux Aware Applications
mv versus cp: How to get yourself into Context Hell
mv versus cp: How to get yourself into context hell (cont.)
SELinux Modes
Setting Up SELinux
Enabling SELinux
touch /.autorelabel
and reboot.
Troubleshooting SELinux
Wrong Subject Context
Wrong Object Context
restorecon /path/to/file-name
Right Subject and Object Context but No Access
The program and the file have the correct contexts, but
the policy should allow some operation between the two
contexts that is currently not allowed.
In this case, it will be necessary to modify the SELinux
policy.
First, consider looking through the list of SELinux booleans
for one that is related to the service which is not working,
using either getsebool or semanage.
Hmm. What's an SELinux boolean?
SELinux Booleans
SELinux Boolean Examples
Audit2allow: Policy Modules The Easy Way
Audit2allow Examples
Building a Policy Profile
What a Policy Module Source File Looks Like
require {
type nrpe_t;
type rpm_var_lib_t;
class dir search;
}
Creating and Loading a Policy Package
Going From Permissive to Enforcing Mode
Permissive Domains
Permissive Domains Uses
Indiana Jones and the Search for Unconfined Daemons
The Magic Incantation for Unconfined Daemons
Making Enforcing Mode a Way of Life
SELinux Resources
T-t-t-t-that's all, folks!
Gary Smith
Information System Security Officer, Molecular Science Computing, EMSL, Pacific Northwest National Laboratory
Richland, WA
gary.smith@pnnl.gov