
Demystifying SELinux Part II: Who’s Policy Is It Anyway?

Dave Quigley (KEYW Corporation)
Operations & System Administration | Security
D139/140
Tutorial Please note: to attend, your registration must include Tutorials.
Average rating: ***..
(3.75, 4 ratings)

THIS TUTORIAL HAS REQUIREMENTS AND INSTRUCTIONS LISTED BELOW

Building on last year’s critically acclaimed “Demystifying SELinux: WTF is it saying?” talk, “Demystifying SELinux Part II: Who’s policy is it anyway?” is an extended tutorial in which attendees work through real-life examples of SELinux configuration and policy construction. Whether or not you attended last year’s “Demystifying SELinux: WTF is it saying?” talk, the tutorial will give you the know-how to tackle SELinux head on and use it in your production environments.

While more and more people are starting to do the legwork of understanding SELinux instead of turning it off right away, it still seems like black magic to a great number of people. I’m here to let you know that with a little bit of time and a few simple commands already on your Linux machine, you can begin to chip away at SELinux’s hard shell and get to the creamy nougat of understanding in the middle.

In the tutorial we cover what SELinux does, why it is important, and why you shouldn’t turn it off. Next, we address the basics of what SELinux is and how it decides to protect your system, using a lovely audience member and an easy-to-understand exercise. Attendees will then work through real-life examples to discover the tools available for bending SELinux to your will and to get a feel for what it is doing on your system. After that, attendees will work through problem scenarios, learning how to identify and fix issues associated with SELinux. Finally, attendees will be given a file transfer client and server and shown how to construct policy for this daemon. This will help attendees begin to understand policy construction, allowing them to apply these concepts to their own in-house developed tools.

At the end of the talk you’ll be flying high with your new understanding of SELinux and SELinux policy and be ready to take on the world. Next time someone on your DevOps team says “just turn SELinux off,” you’ll say “No! I got this. I took that Tutorial at OSCON and I can figure this out!”

TUTORIAL REQUIREMENTS AND INSTRUCTIONS FOR ATTENDEES

* To make the most of the session, a system with CentOS 6.5 will be useful. The session provides hands-on experience with SELinux, so getting your hands dirty is a must.
* The CentOS 6.5 install should consist of the base graphical install along with the packages listed below, which provide the SELinux policy tools, the SELinux SLIDE package for Eclipse, and other tools required for the labs.

  * checkpolicy
  * eclipse-setools
  * eclipse-slide
  * httpd
  * mcstrans
  * memcached
  * pbp-mysql
  * pgp-xml
  * php
  * php-gd
  * php-mbstring
  * php-pecl-apc
  * php-pecl-memcache
  * policycoreutils
  * policycoreutils-gui
  * policycoreutils-newrole
  * policycoreutils-python
  * policycoreutils-sandbox
  * selinux-policy-doc
  * selinux-policy-minimum
  * selinux-policy-targeted
  * selinux-policyv
  * setools
  * setools-console
  * setools-gui
  * setroubleshoot
  * setroubleshoot-doc
  * setroubleshoot-plugins
  * setroubleshoot-server


QUESTIONS for the speaker?: Use the “Leave a Comment or Question” section at the bottom to address them.


Dave Quigley

KEYW Corporation

David Quigley, making a return appearance to OSCON after his “Demystifying SELinux: WTF is it saying?” talk, started his career as a Computer Systems Researcher for the National Information Assurance Research Lab at the NSA, where he worked as a member of the SELinux team. David leads the design and implementation efforts to provide Labeled-NFS support for SELinux. David has previously contributed to the open source community by maintaining the Unionfs 1.0 code base and through code contributions to various other projects. David has presented at conferences such as the Ottawa Linux Symposium, the StorageSS workshop, LinuxCon, and several local Linux User Group meetings, where presentation topics have included storage, file systems, and security. David currently works as a Computer Science Professional for the Operations, Analytics and Software Development (OASD) Division at KEYW Corporation.


Comments

Picture of Dave Quigley
07/20/2014 6:07am PDT

The php and SELinux policy package corrections are correct. You don’t have to use eclipse slide for your policy development, but it is nice to use. I will provide those rpms for you guys at the tutorial since they aren’t in any other repo.

07/19/2014 8:17pm PDT

From your response, I assume we do not need eclipse-setools and eclipse-slide. I also am guessing that the other packages are php-mysql and php-xml.

07/19/2014 8:08pm PDT

Here’s the output from yum install `cat pkgs`, where pkgs is the text list of the packages you listed:

No package eclipse-setools available.
No package eclipse-slide available.
No package pbp-mysql available.
No package pgp-xml available.
No package selinux-policyv available.

Picture of Dave Quigley
07/19/2014 4:14pm PDT

Taking a closer look at the policy list, that selinux-policyv should be just selinux-policy. There shouldn’t be a selinux-policy-devel package on CentOS 6 as it was rolled into the selinux-policy package.

Picture of Dave Quigley
07/19/2014 1:37pm PDT

If you tell me which packages fail I can post the correct ones tonight. I see one called SELinux-policyv which I’m assuming is selinux-policy-devel. Also anything related to eclipse-slide won’t be available. I took the policy list off of my demo machine, not realizing I hand rolled those packages. I’ll have a USB stick or two at the tutorial with an updated VM and those packages. If you want the slides and packages ahead of time you can go to my github account, which is dpquigl, and pull down the materials for tomorrow. It’s the repo titled the same thing as the talk.

07/19/2014 10:39am PDT

You have at least one typo in your package names — and I can’t find some of the packages in the main CentOS 6 repos.

Picture of Dave Quigley
07/10/2014 10:55am PDT

You can try CentOS 7.0 but note that the exercises I’ve been working on are geared towards 6.5. I haven’t used 7.0 yet and while I’m aware of what changes have gone into it I haven’t played around with them yet. Also the sample application we’ll use for policy writing has been tested to work on CentOS 6.5 but I haven’t tested it on 7.0. Part of the reason for this is that I don’t have a systemd service file for it. If anyone wants to write a systemd service file for it they are more than welcome to. You can find it at my github page (https://github.com/dpquigl/ftransferd). I’m more than happy to take a pull request for it if someone writes it. Also note that there is at least one bug in there that is meant to be caught (I wanted to include a code execution exploit as well but I didn’t have time). I don’t need patches fixing it because it’s not intended to be used as a real service but is just an example of policy protecting a faulty service.

Picture of Lowell Gould
07/10/2014 9:35am PDT

Dave, is CentOS 6.5 mandatory or will 7.0 work for this tutorial as well? Thanks
Lowell Gould