05.01.2015

Confining Users with SELinux in Red Hat Enterprise Linux 6 - Mil-OSS



SELinux user confinement in Red Hat Enterprise Linux 6:
Easily letting users get their jobs done, and that's it

David Egts, RHCA, RHCSS
Principal Architect
Red Hat, Inc.


Overview

● Why do this
● What are confined users
● How do I set them up
● Open discussion

2


WHY


SELinux – limiting exploit impact

SELinux is a flexible Mandatory Access Control architecture within the standard Open Source Linux Kernel

[Diagram: two exploit paths, labelled "Exploit"]

4


Without SELinux

[Diagram labels: DAC System; Password Files; Access to Internal Network; Web Server; Firewall Rules; Attacker]

5


With SELinux

[Diagram labels: DAC System; MAC System; Password Files; Web Server; Attacker; Access to Internal Network; Firewall Rules]

6


WHY CONFINE USERS


DIRTY SECRET


Confined users covered today

● guest_u
● xguest_u
● user_u
● staff_u
● webadm_u
● Kiosk mode

9


SETUP


Setup

● Install a RHEL 6 system (virtual guest totally fine)
  ● Select the Desktop variant so we have X
● Register system with RHN
● Update system and add some more packages
  ● yum -y update && yum -y install policycoreutils-python xguest
● Enable Apache
  ● chkconfig httpd on
● Reboot if yum updated your kernel
  ● reboot

11


guest_u


guest_u

19


# tail -f /var/log/audit/audit.log

23


# tail -f /var/log/audit/audit.log

28
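The audit log tailed above is where a confined user's blocked actions show up as AVC denials. As an added example that is not part of the slides, this Python script parses AVC records from a constructed audit.log excerpt and tallies the denied permissions per SELinux user (guest_u, xguest_u), which is the summary a defender wants when checking whether a confinement mapping is doing its job; the log lines, PIDs and contexts are constructed, not taken from the deck.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (not from the slides); the layout follows
# the RHEL 6 auditd AVC record format with guest_u / xguest_u source contexts.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1420000000.101:201): avc:  denied  { execute } for  pid=2101 comm="bash" name="sudo" dev=dm-0 ino=131203 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1420000000.101:201): arch=c000003e syscall=59 success=no exit=-13 comm="bash" subj=guest_u:guest_r:guest_t:s0
type=AVC msg=audit(1420000000.222:202): avc:  denied  { name_connect } for  pid=2150 comm="wget" dest=80 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1420000000.333:203): avc:  denied  { execute } for  pid=2160 comm="bash" name="su" dev=dm-0 ino=131220 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1420000000.444:204): avc:  granted  { setenforce } for  pid=2200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# One AVC record: result, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\(\d+\.\d+:(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    # scontext is user:role:type[:range]; the first field is the SELinux user.
    seuser, role, stype = fields['scontext'].split(':')[:3]
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', ''),
        'seuser': seuser, 'role': role, 'type': stype,
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass', ''),
    }

def denials_by_seuser(log_text):
    """Count denied (permission, target class) pairs per SELinux user."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue  # skip SYSCALL records and granted AVCs
        per_user = counts.setdefault(rec['seuser'], Counter())
        for perm in rec['perms']:
            per_user[(perm, rec['tclass'])] += 1
    return counts
```

On a live system, feed it the output of `tail -f /var/log/audit/audit.log` line by line; a denial whose seuser is unconfined_u rather than guest_u means the login mapping did not take effect.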


guest_u

34


xguest_u


xguest_u

36


xguest_u

41


user_u


user_u

43


user_u

52


staff_u


staff_u

54


staff_u

62


webadm_u


webadm_u

64


xguest KIOSK USER


xguest kiosk user

● Behaves just like xguest_u users
● Plus user's files in $HOME and /tmp are erased upon logout
● Account name (login) is xguest
● GECOS name (human name shown in gdm) is Guest
● xguest account created when xguest was installed

80


CONCLUSIONS


Conclusions

● SELinux
  ● Time tested
  ● Confine applications from doing harm
  ● Confine users from doing harm
● Application confinement mainstream in RHEL 4/5
● User confinement now mainstream in RHEL 6

89


WHERE CAN YOU APPLY THIS RIGHT NOW


For more information and special thanks

● Security-Enhanced Linux User Guide
  ● http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
● RHS429: Red Hat Enterprise SELinux Policy Administration
  ● https://www.redhat.com/courses/rhs429_red_hat_enterprise_selinux_policy_administration/
● Dan Walsh and his blog
  ● http://danwalsh.livejournal.com/

91
