Confining Users with SELinux in Red Hat Enterprise Linux 6 - Mil-OSS
SELinux user confinement in Red Hat Enterprise Linux 6:
Easily letting users get their jobs done, and that's it
David Egts, RHCA, RHCSS
Principal Architect
Red Hat, Inc.
Overview
● Why do this
● What are confined users
● How do I set them up
● Open discussion
WHY
SELinux – limiting exploit impact
SELinux is a flexible Mandatory Access Control architecture within the standard Open Source Linux Kernel
[Diagram: exploit paths into the system]
Without SELinux
[Diagram: a single DAC system holding the Web Server, Password Files, Firewall Rules and Access to Internal Network; once the Attacker compromises the Web Server, DAC alone does not keep the attacker away from the rest]
With SELinux
[Diagram: the same DAC system with a MAC system layered on top; the Web Server, Password Files, Firewall Rules and Access to Internal Network are each confined separately, so an Attacker who compromises the Web Server is held to the web server's own domain]
WHY CONFINE USERS
DIRTY SECRET
Confined users covered today
● guest_u
● xguest_u
● user_u
● staff_u
● webadm_u
● Kiosk mode
SETUP
Setup
● Install a RHEL 6 system (virtual guest totally fine)
  ● Select the Desktop variant so we have X
● Register system with RHN
● Update system and add some more packages
  ● yum -y update && yum -y install policycoreutils-python xguest
● Enable Apache
  ● chkconfig httpd on
● Reboot if yum updated your kernel
  ● reboot
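The per-user demos that follow were shown as terminal screenshots, so the commands themselves are not in this text. As an added example (not from the original deck), the script below shows the RHEL 6 way of mapping a Linux login to one of the SELinux users listed above with semanage (from the policycoreutils-python package installed during setup), together with two offline checks over the `semanage login -l` table that report which logins are still unconfined. The `semanage login -l` output embedded in the script is a constructed sample; the login names in it are made up.

```bash
#!/bin/bash
# Added example, not from the original slides: confine a Linux login to an
# SELinux user and check the login-to-SELinux-user table offline.
# Assumes RHEL 6 with policycoreutils-python installed (it provides semanage);
# commands that change policy must run as root.

# Map LOGIN to SEUSER (guest_u, xguest_u, user_u, staff_u, ...). The mapping
# applies to the user's next login, not to sessions that are already running.
confine_login() {
    local login="$1" seuser="$2"
    # -a adds a new mapping; use -m to change one that already exists and
    # -d to remove it.
    semanage login -a -s "$seuser" "$login"
}

# Print the SELinux user a login actually gets, reading "semanage login -l"
# output on stdin. An explicit row wins; otherwise the __default__ row applies.
effective_seuser() {
    awk -v login="$1" '
        $1 != "Login" && NF >= 2 {                  # skip header and blank lines
            if ($1 == login)              explicit = $2
            else if ($1 == "__default__") dflt = $2
        }
        END { print (explicit != "" ? explicit : dflt) }'
}

# List the logins mapped to unconfined_u. If __default__ shows up here, every
# login without an explicit row of its own is unconfined as well.
unconfined_logins() {
    awk '$1 != "Login" && NF >= 2 && $2 == "unconfined_u" { print $1 }'
}

# Constructed sample in the RHEL 6 "semanage login -l" layout, so the checks
# above can be exercised without root or a live system.
SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
alice                     guest_u                   s0
bob                       staff_u                   s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins        # __default__ and root
printf '%s\n' "$SAMPLE_LOGINS" | effective_seuser carol   # unconfined_u, via __default__
```

On a live system run `semanage login -l | unconfined_logins` after each change; a `__default__` row mapped to unconfined_u is the reason every account that was never mapped explicitly still runs unconfined. Accounts can also be created already confined with `useradd -Z seuser`.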
guest_u
# tail -f /var/log/audit/audit.log
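The guest_u demo watches /var/log/audit/audit.log for the AVC denials a confined user triggers. As an added example (not from the original deck), the script below pulls the fields that matter out of those lines: the SELinux user and domain that was denied, the permission, the target type and class, and the program involved. The audit lines embedded in it are constructed samples in the RHEL 6 format, not records from a real system.

```bash
#!/bin/bash
# Added example, not from the original slides: summarise the AVC denials that
# a confined user generates in /var/log/audit/audit.log. The audit lines below
# are constructed samples; on a live system feed the log itself, e.g.
#   tail -f /var/log/audit/audit.log | avc_denials

# One line per denial: SELinux user, source domain, permission(s), target type,
# object class and the program that was denied.
avc_denials() {
    awk '
        /^type=AVC / && / denied / {
            # the permission list sits between "{ " and " }"
            b = index($0, "{ "); e = index($0, " }")
            perm = substr($0, b + 2, e - b - 2); gsub(/ /, ",", perm)
            scon = tcon = cls = comm = ""
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^scontext=/) scon = substr($i, 10)
                else if ($i ~ /^tcontext=/) tcon = substr($i, 10)
                else if ($i ~ /^tclass=/)   cls  = substr($i, 8)
                else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            split(scon, s, ":"); split(tcon, t, ":")   # user:role:type:level
            print s[1], s[3], perm, t[3], cls, comm
        }'
}

# Number of denials per SELinux user, to see which confined user is hitting
# policy most often.
denials_by_seuser() {
    avc_denials | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Constructed sample: two denials for a guest_u session (running ping and
# opening a TCP connection) and one for an xguest_u session (mounting a disk).
SAMPLE_AUDIT='type=AVC msg=audit(1300000000.123:456): avc:  denied  { execute } for  pid=1234 comm="bash" name="ping" dev=dm-0 ino=789 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=59 success=no exit=-13 a0=1e0a370 a1=1e09ea0 a2=1e0b460 a3=8 items=0 ppid=1200 pid=1234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=2 comm="bash" exe="/bin/bash" subj=guest_u:guest_r:guest_t:s0 key=(null)
type=AVC msg=audit(1300000000.200:457): avc:  denied  { name_connect } for  pid=1240 comm="wget" dest=80 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.300:458): avc:  denied  { read write } for  pid=1302 comm="mount" name="sdb1" dev=devtmpfs ino=901 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file'

printf '%s\n' "$SAMPLE_AUDIT" | avc_denials        # one summary line per denial
printf '%s\n' "$SAMPLE_AUDIT" | denials_by_seuser  # guest_u 2 / xguest_u 1
```

The same package that provides semanage also ships `ausearch -m avc -ts recent` for pulling denials out of the log and `audit2why`, which explains whether a denial comes from a boolean that can be flipped with setsebool or from the policy itself; the awk summary above is only a quick view while watching a demo.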
xguest_u
user_u
staff_u
webadm_u
xguest KIOSK USER
xguest kiosk user
● Behaves just like xguest_u users
● Plus user's files in $HOME and /tmp are erased upon logout
● Account name (login) is xguest
● GECOS name (human name shown in gdm) is Guest
● xguest account created when xguest was installed
CONCLUSIONS
Conclusions
● SELinux
  ● Time tested
  ● Confine applications from doing harm
  ● Confine users from doing harm
● Application confinement mainstream in RHEL 4/5
● User confinement now mainstream in RHEL 6
WHERE CAN YOU APPLY THIS RIGHT NOW
For more information and special thanks
● Security-Enhanced Linux User Guide
  ● http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
● RHS429: Red Hat Enterprise SELinux Policy Administration
  ● https://www.redhat.com/courses/rhs429_red_hat_enterprise_selinux_policy_administration/
● Dan Walsh and his blog
  ● http://danwalsh.livejournal.com/