Friday 26 July 2013

SE LINUX How to Part 3 : packages, logFile, configuration, booleans, Labels and Types

SE LINUX How to Part 2 : users, processes, confinement and unconfinement

SELinux Contexts for Processes
Use the ps -eZ command to view the SELinux context for processes. For example:
1. Open a terminal, such as Applications → System Tools → Terminal.
2. Run the /usr/bin/passwd command. Do not enter a new password.
3. Open a new tab, or another terminal, and run the ps -eZ | grep passwd command. The output is similar to the following:

unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd

SELinux Contexts for Users
Use the id -Z command to view the SELinux context associated with your Linux user:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Targeted Policy
When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain.

Wednesday 24 July 2013

SE LINUX How to PART 1 : users, roles, types, levels and domains

Security-Enhanced Linux (SELinux) is a Linux security module that is built into the Linux kernel. SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement® (TE), and, optionally, Multi-Level Security (MLS).
  • In traditional Linux/Unix DAC (discretionary access control), access is controlled based only on Linux user and group IDs:
$ ls -l file1
-rw-rw-r--. 1 user1 group1 0 May 11 10:46 file1
The first three permission bits, rw-, control the access the Linux user1 user (in this case, the owner) has to file1. The next three permission bits, rw-, control the access the Linux group1 group has to file1. The last three permission bits, r--, control the access everyone else has to file1, which includes all users and processes.
  • In SELinux, the context can be viewed with the ls -Z command:
$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0).

SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first. 

Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions placed on SELinux users. Run the semanage login -l command as the Linux root user to view a list of mappings between SELinux and Linux user accounts:

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

The last column, MLS/MCS Range, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS).

# ROLES # Part of SELinux is the Role-Based Access Control (RBAC) security model. SELinux users are authorized for roles, and roles are authorized for domains.

# TYPES # The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. Processes are separated from each other by running in their own domains.

# LEVELS # The level is an attribute of MLS and MCS. An MLS range is a pair of levels (for example s0-s2). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as sensitivity:category-set. If there are no categories, it is written as sensitivity. If the category set is a contiguous series, it can be abbreviated. For example, c0.c3 is the same as c0,c1,c2,c3. The /etc/selinux/targeted/setrans.conf file maps levels (s0:c0) to a human-readable form (i.e. CompanyConfidential). MCS in Fedora supports 1024 different categories: c0 through to c1023. MLS enforces the Bell-La Padula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments.
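The contexts shown by ps -eZ and id -Z in Part 2, and the user/role/type/level fields and abbreviated category sets described in Part 1, can be pulled apart with a small POSIX shell script. This is an added example, not code from the original posts; the function names context_field and expand_categories are my own. The point it makes is that the level field may itself contain ':' (s0-s0:c0.c1023), so only the first three ':' separate fields.

```shell
#!/bin/sh
# Added example (not from the original posts): split an SELinux context into
# user, role, type and level, and expand an abbreviated MCS category set.

# Print one of user|role|type|level from a context such as
#   unconfined_u:object_r:user_home_t:s0
#   unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
# Only the first three ':' are field separators; the rest belongs to the level.
context_field() {
    field="$1"
    ctx="$2"
    case "$field" in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  rest="${ctx#*:}"; printf '%s\n' "${rest%%:*}" ;;
        type)  rest="${ctx#*:}"; rest="${rest#*:}"; printf '%s\n' "${rest%%:*}" ;;
        level) rest="${ctx#*:}"; rest="${rest#*:}"; printf '%s\n' "${rest#*:}" ;;
        *)     return 1 ;;
    esac
}

# Expand a contiguous abbreviated category set (c0.c3) into the explicit list
# (c0,c1,c2,c3). A set that is already explicit, or a single category, is
# printed unchanged.
expand_categories() {
    set_="$1"
    case "$set_" in
        c*.c*)
            lo="${set_%%.*}"; lo="${lo#c}"
            hi="${set_##*.}"; hi="${hi#c}"
            out=""
            i="$lo"
            while [ "$i" -le "$hi" ]; do
                out="${out:+$out,}c$i"
                i=$((i + 1))
            done
            printf '%s\n' "$out"
            ;;
        *) printf '%s\n' "$set_" ;;
    esac
}

# Constructed sample: the passwd context from the ps -eZ output in Part 2.
PASSWD_CTX='unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023'
echo "type:  $(context_field type "$PASSWD_CTX")"    # passwd_t
echo "level: $(context_field level "$PASSWD_CTX")"   # s0-s0:c0.c1023
echo "cats:  $(expand_categories c0.c3)"             # c0,c1,c2,c3
```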

To use MLS restrictions, install the selinux-policy-mls package, and configure MLS to be the default SELinux policy via the /etc/selinux/config file.

Tuesday 23 July 2013

How to know if SE Linux is running and check its status

Test if SELinux is running
You can test to see if SELinux is currently enabled with the following command:

selinuxenabled && echo enabled || echo disabled

Or run the sestatus command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:


$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Monday 22 July 2013

How to disable SE Linux

DISABLING SE LINUX
Edit /etc/selinux/config (for example with vi) and you will see lines like these:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted


... just change SELINUX=enforcing to SELINUX=permissive or SELINUX=disabled.
Reboot for the change to take effect.
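When auditing a fleet for boxes where someone has followed the step above and left SELinux permissive or disabled, the configured mode has to be read from /etc/selinux/config the way the boot code reads it: only uncommented KEY=VALUE lines count, and the comment lines that also contain the text "SELINUX=" must be ignored (a plain grep for SELINUX= would match them). This is an added example, not code from the original post; selinux_config_value and selinux_config_is_enforcing are my own function names, and the two config files are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): read the effective SELINUX= and
# SELINUXTYPE= values from a config file, skipping comment lines; the last
# uncommented assignment wins, as it does for the real file.

# Print the value of KEY from FILE (last uncommented assignment wins).
selinux_config_value() {
    key="$1"
    file="$2"
    grep -v '^[[:space:]]*#' "$file" \
        | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | tail -n 1
}

# Return 0 when the configured mode is enforcing, 1 otherwise, so the check
# can be used directly in an audit or configuration-drift script.
selinux_config_is_enforcing() {
    [ "$(selinux_config_value SELINUX "$1")" = "enforcing" ]
}

# Constructed sample: the same layout as the /etc/selinux/config shown above.
GOOD_CONFIG="$(mktemp)"
cat > "$GOOD_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF

# Constructed sample: the file after someone applied the change in the post.
DRIFTED_CONFIG="$(mktemp)"
sed 's/^SELINUX=enforcing/SELINUX=permissive/' "$GOOD_CONFIG" > "$DRIFTED_CONFIG"

for f in "$GOOD_CONFIG" "$DRIFTED_CONFIG"; do
    if selinux_config_is_enforcing "$f"; then
        echo "$f: enforcing ($(selinux_config_value SELINUXTYPE "$f") policy)"
    else
        echo "$f: WARNING, configured mode is $(selinux_config_value SELINUX "$f")"
    fi
done
```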

Thursday 18 July 2013

List of Common Public DNS Servers

Google

    8.8.8.8
    8.8.4.4

Dnsadvantage

    156.154.70.1
    156.154.71.1

OpenDNS

    208.67.222.222
    208.67.220.220

Norton

    198.153.192.1
    198.153.194.1

Verizon GTEI DNS

    4.2.2.1
    4.2.2.2
    4.2.2.3
    4.2.2.4
    4.2.2.5
    4.2.2.6

Comodo Secure DNS

    8.26.56.26
    8.20.247.20