filmov
tv
Understanding RHEL9 SELinux and working with default targeted mode theory and practical
Показать описание
What is SELinux?
Overview
Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).
SELinux was released to the open source community in 2000, and was integrated into the upstream Linux kernel in 2003.
Discretionary access control (DAC) vs. mandatory access control (MAC)-
Traditionally, Linux and UNIX systems have used DAC. But SELinux is an example of a MAC system for Linux.
With DAC, files and processes have owners. You can have the user own a file, a group own a file, or other, which can be anyone else. Users have the ability to change permissions on their own files. chmod ,chgrp,chown etc
The root user has full access control with a DAC system. If you have root access, then you can access any other user’s files or do whatever you want on the system.
But on MAC systems like SELinux, there is administratively set policy around access. Even if the DAC settings on your home directory are changed, an SELinux policy in place to prevent another user or process from accessing the directory will keep the system safe.
SELinux policies let you be specific and cover a large number of processes. You can make changes with SELinux to limit access between users, files, directories, and more.
How does SELinux work?
SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy.
When an application or process, known as a subject, makes a request to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects.
If SELinux is unable to make a decision about access based on the cached permissions, it sends the request to the security server. The security server checks for the security context of the app or process and the file. Security context is applied from the SELinux policy database. Permission is then granted or denied.
How to configure SELinux
There are a number of ways that you can configure SELinux to protect your system. The most common are targeted policy or multi-level security (MLS).
Targeted policy is the default option and covers a range of processes, tasks, and services. MLS can be very complicated and is typically only used by government organizations.
You can tell what your system is supposed to be running at by looking at the for rhel 8 /etc/sysconfig/selinux , for rfel 9 /etc/selinux/config file. The file will have a section that shows you whether SELinux is in permissive mode, enforcing mode, or disabled, and which policy is supposed to be loaded.
SELinux labeling and type enforcement
Type enforcement and labeling are the most important concepts for SELinux.
SELinux works as a labeling system, which means that all of the files, processes, and ports in a system have an SELinux label associated with them. Labels are a logical way of grouping things together. The kernel manages the labels during boot.
Labels are in the format user:role:type:level (level is optional). User, role, and level are used in more advanced implementations of SELinux, like with MLS. Label context type is the most important for targeted policy.
SELinux uses type enforcement to enforce a policy that is defined on the system. Type enforcement is the part of an SELinux policy that defines whether a process running with a certain type can access a file labeled with a certain type.
Enabling SELinux
If SELinux has been disabled in your environment, you can enable SElinux by editing /etc/selinux/config and setting SELINUX=permissive. Since SELinux was not currently enabled, you don’t want to set it to enforcing right away because the system will likely have things mislabeled that can keep the system from booting.
After explaining How to Change SELINUX mode- In this Video, I will explain assuming "SELINUX=enforcing, SELINUXTYPE=targeted" which is the default setting of SELinux.
In this mode, Access Vector Rules(AV rules: ACL) deals only Type/Domain/ContextType, which is the third attribute of context, and ignore other attribute, User, Role, and Sensitivity range.
What are booleans?
Booleans are on/off settings for functions in SELinux. . You can find out which booleans have already been set in your system by running getsebool -a.
Overview
Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).
SELinux was released to the open source community in 2000, and was integrated into the upstream Linux kernel in 2003.
Discretionary access control (DAC) vs. mandatory access control (MAC)-
Traditionally, Linux and UNIX systems have used DAC. But SELinux is an example of a MAC system for Linux.
With DAC, files and processes have owners. You can have the user own a file, a group own a file, or other, which can be anyone else. Users have the ability to change permissions on their own files. chmod ,chgrp,chown etc
The root user has full access control with a DAC system. If you have root access, then you can access any other user’s files or do whatever you want on the system.
But on MAC systems like SELinux, there is administratively set policy around access. Even if the DAC settings on your home directory are changed, an SELinux policy in place to prevent another user or process from accessing the directory will keep the system safe.
SELinux policies let you be specific and cover a large number of processes. You can make changes with SELinux to limit access between users, files, directories, and more.
How does SELinux work?
SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy.
When an application or process, known as a subject, makes a request to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects.
If SELinux is unable to make a decision about access based on the cached permissions, it sends the request to the security server. The security server checks for the security context of the app or process and the file. Security context is applied from the SELinux policy database. Permission is then granted or denied.
How to configure SELinux
There are a number of ways that you can configure SELinux to protect your system. The most common are targeted policy or multi-level security (MLS).
Targeted policy is the default option and covers a range of processes, tasks, and services. MLS can be very complicated and is typically only used by government organizations.
You can tell what your system is supposed to be running at by looking at the for rhel 8 /etc/sysconfig/selinux , for rfel 9 /etc/selinux/config file. The file will have a section that shows you whether SELinux is in permissive mode, enforcing mode, or disabled, and which policy is supposed to be loaded.
SELinux labeling and type enforcement
Type enforcement and labeling are the most important concepts for SELinux.
SELinux works as a labeling system, which means that all of the files, processes, and ports in a system have an SELinux label associated with them. Labels are a logical way of grouping things together. The kernel manages the labels during boot.
Labels are in the format user:role:type:level (level is optional). User, role, and level are used in more advanced implementations of SELinux, like with MLS. Label context type is the most important for targeted policy.
SELinux uses type enforcement to enforce a policy that is defined on the system. Type enforcement is the part of an SELinux policy that defines whether a process running with a certain type can access a file labeled with a certain type.
Enabling SELinux
If SELinux has been disabled in your environment, you can enable SElinux by editing /etc/selinux/config and setting SELINUX=permissive. Since SELinux was not currently enabled, you don’t want to set it to enforcing right away because the system will likely have things mislabeled that can keep the system from booting.
After explaining How to Change SELINUX mode- In this Video, I will explain assuming "SELINUX=enforcing, SELINUXTYPE=targeted" which is the default setting of SELinux.
In this mode, Access Vector Rules(AV rules: ACL) deals only Type/Domain/ContextType, which is the third attribute of context, and ignore other attribute, User, Role, and Sensitivity range.
What are booleans?
Booleans are on/off settings for functions in SELinux. . You can find out which booleans have already been set in your system by running getsebool -a.
0:15:22
1:42:26
0:21:56
0:05:35
0:10:44
0:09:11
0:12:46
1:05:17
0:15:16
0:15:45
0:05:26
0:15:07
0:00:45
0:24:15
0:38:09
0:02:11
0:25:05
1:01:58
0:04:52
0:10:18
0:07:25
0:02:08
0:14:15
0:24:57