fedora-flock-ectr112
LOGS
13:58:01 <flock-ectr112> #startmeeting
13:58:01 <zodbot> Meeting started Sat Aug 10 13:58:01 2013 UTC.  The chair is flock-ectr112. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:58:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:58:18 <flock-ectr112> joining the meeting in progress. had some networking issues
13:58:57 <flock-ectr112> use the sestatus command to see the current status of selinux
13:59:22 <flock-ectr112> two concepts to understand with SELinux: labeling and enforcement
13:59:32 <flock-ectr112> everything is labeled with an SELinux context
13:59:44 <flock-ectr112> kernel manages labels for processes, ports, etc
14:00:48 <flock-ectr112> let's look at Apache: not insecure, but has wide ranging services
14:01:18 <flock-ectr112> httpd process context is httpd_exec_t
14:01:44 <flock-ectr112> config dir is httpd_config_t, log dir is httpd_log_t, content is httpd_content_t
14:02:06 <flock-ectr112> when httpd is run, runs under context httpd_t
14:02:17 <flock-ectr112> ps -Z shows context of processes
14:03:03 <flock-ectr112> netstat -tnlpZ | grep httpd  will show the context for ports
14:03:25 <flock-ectr112> can also use semanage port -l to list selinux context for ports
14:03:42 <flock-ectr112> /etc/shadow has type shadow_t
14:04:03 <flock-ectr112> #topic type enforcement
14:04:33 <flock-ectr112> processes should interact with files having a corresponding label
14:05:40 <flock-ectr112> -Z argument can be used with many Linux commands to view the SELinux context
14:05:50 <flock-ectr112> chcon/restorecon to change context of a file
14:06:02 <flock-ectr112> contexts are set when files are created based on parent directory context
14:06:11 <flock-ectr112> RPMs can set contexts
14:06:17 <flock-ectr112> login process sets default context
14:07:23 <flock-ectr112> application foo_t creates a file in a directory labeled bar_t, policy can require a transition so that file is created with the baz_t label
14:08:07 <flock-ectr112> transition - a rule for saying what label is given to a newly created file instead of inheriting context from the parent directory
14:08:34 <flock-ectr112> semanage - used for managing SELinux contexts
14:08:52 <flock-ectr112> turning off SELinux is like turning up the radio really loud when your car is making a strange noise
14:09:13 <flock-ectr112> SELinux errors may mean labeling is wrong, or policy needs to be tweaked
14:09:28 <flock-ectr112> or bug in policy
14:10:50 <flock-ectr112> or you're being broken in to
14:12:04 <flock-ectr112> booleans - on/off settings for SELinux
14:12:37 <flock-ectr112> getsebook -a to see all booleans
14:12:42 <flock-ectr112> (there are a zillion of them)
14:13:11 <flock-ectr112> to set a boolean, setsebook [boolean] [0|1]
14:13:21 <flock-ectr112> use -P argument to make it a permanent setting
14:13:30 <jamielinux> s/getsebook/getsebool/
14:13:35 <jamielinux> s/setsebook/setsebool/
14:13:38 <flock-ectr112> install setroubleshoot/setroubleshoot-server on machines you're developing policies on
14:13:54 <flock-ectr112> restart auditd service and away you go
14:14:00 <flock-ectr112> #topic case studies
14:14:19 <flock-ectr112> fred wants to have his own web page in $HOME/public_html
14:14:30 <flock-ectr112> enable UserDir in httpd.conf, restart web server
14:14:46 <flock-ectr112> change permissions on directory
14:15:00 <flock-ectr112> fred logs in, creates index.html file
14:15:21 <flock-ectr112> fire up web browser and <bzzz> error
14:15:35 <flock-ectr112> don't have permission to access
14:15:48 <flock-ectr112> check the usual suspects: access_log, error_log
14:16:09 <flock-ectr112> tells you nothing new
14:16:13 <flock-ectr112> look in /var/log/messages
14:16:22 <flock-ectr112> see SELinux is preventing access
14:16:38 <flock-ectr112> run sealert to see what's wrong
14:17:03 <flock-ectr112> sealert tells you what to do to fix the problem
14:17:24 <flock-ectr112> can create a policy module to allow access, or just change the boolean
14:17:49 <flock-ectr112> use setsebool -P to change the booleans, problem fixed
14:18:39 <flock-ectr112> look at the booleans.local under /etc/selinux/targeted/modules/active
14:18:51 <flock-ectr112> shows all the changes made to selinux policy on the local machine
14:18:57 <flock-ectr112> (don't edit this file directly)
14:19:48 <flock-ectr112> modifying the file doesn't do any good. gets recreated when policy is rebuilt
14:20:38 <flock-ectr112> new case
14:20:54 <flock-ectr112> user has created web content, asks for it to be moved to production web server
14:21:12 <flock-ectr112> move $HOME/content/* to /www/html/
14:21:22 <flock-ectr112> access denied
14:21:35 <flock-ectr112> (content owned by creator, change ownership)
14:21:43 <flock-ectr112> still no luck. look in /var/log/messages
14:21:50 <flock-ectr112> tells you to run sealert
14:22:28 <flock-ectr112> changed ownership, but context is still user_home_t
14:22:43 <flock-ectr112> file has wrong context for where it moved to
14:22:50 <flock-ectr112> figure out what the context should be
14:22:58 <flock-ectr112> (httpd_sys_content_t)
14:23:10 <flock-ectr112> use chcon to change context of file
14:23:29 <flock-ectr112> chcon -u system_u -r object_r -t httpd_sys_content_t /var/www/home/html/index.html
14:23:36 <flock-ectr112> or
14:23:44 <flock-ectr112> chcon -t httpd_sys_content_t /var/www/html/index.html
14:23:54 <flock-ectr112> if you're lazy, reference a known good context
14:24:03 <flock-ectr112> chcon --reference /var/www/html /var/www/html/index.html
14:24:16 <flock-ectr112> to restore a directory and files to default context, use restorecon
14:24:28 <flock-ectr112> restorecon -vR /var/www/html/
14:24:33 <flock-ectr112> -v = verbose
14:24:36 <flock-ectr112> -R = recursive
14:24:43 <flock-ectr112> now it works
14:25:46 <flock-ectr112> most restrictive access control wins
14:26:07 <flock-ectr112> contexts are stored in /etc/selinux/targeted/contexts/files/file_contexts
14:26:22 <flock-ectr112> 4000+ entries in this file. don't modify directory. changes will be lost
14:26:47 <flock-ectr112> use it as a reference for future
14:26:51 <flock-ectr112> new case
14:27:06 <flock-ectr112> someone wants web directory in a non-standard dir
14:27:31 <flock-ectr112> create directory, modify config file, restart web server
14:27:33 <flock-ectr112> but nothing
14:27:39 <flock-ectr112> look in /var/log/messages
14:27:47 <flock-ectr112> run sealert
14:28:05 <flock-ectr112> tells you the label on /foo/bar/index.html needs to be changed
14:28:26 <flock-ectr112> but you get a long list of file contexts. which one to use?
14:29:29 <flock-ectr112> want all files under /foo to have the same context
14:29:43 <flock-ectr112> semanage fcontext -a -t httpd_sys_content_t "/foo(/.*)?"
14:29:45 <flock-ectr112> (regexp)
14:29:58 <flock-ectr112> or
14:30:06 <flock-ectr112> semanage fcontext -a -e /var/www/ /foo/
14:30:20 <flock-ectr112> (set context of /foo equal to /var/www/)
14:30:27 <flock-ectr112> then restorecon -vR /foo/
14:31:09 <flock-ectr112> #topic creating policy modules
14:31:30 <flock-ectr112> what if you get a case where you install an app and need a new policy for the app
14:31:52 <flock-ectr112> /var/log/audit/audit.log for error messages
14:32:06 <flock-ectr112> look in /var/log/messages
14:32:16 <flock-ectr112> run sealert (see the pattern?)
14:32:35 <flock-ectr112> set SELinux enforcement to permissive mode, then run the app
14:32:47 <flock-ectr112> will log denials but not act on them
14:33:17 <flock-ectr112> run sealert to see the problems
14:34:23 <flock-ectr112> audit2allow to create policy module from messages in audit.log
14:34:43 <flock-ectr112> semodule -i foo.pp to install the policy
14:35:20 <flock-ectr112> just because you can do it, doesn't mean you should
14:35:40 <flock-ectr112> if you're randomly getting selinux errors, don't just want to ignore them
14:35:47 <flock-ectr112> don't blindly follow the instructions
14:35:55 <flock-ectr112> #topic enabling selinux
14:36:05 <flock-ectr112> edit /etc/selinux/config and set SELINUX=permissive
14:36:22 <flock-ectr112> create /.autorelabel
14:36:24 <flock-ectr112> reboot
14:36:28 <flock-ectr112> system will relabel the file system
14:36:37 <flock-ectr112> will take a while
14:37:07 <flock-ectr112> can also use fixfiles relabel
14:37:23 <flock-ectr112> after relabeling, set SELINUX=enforcing
14:37:27 <flock-ectr112> in config file, reboot
14:38:11 <flock-ectr112> selinux-system-config if you want a gui
14:39:03 <flock-ectr112> can look at status, boolean, file labels, network ports
14:39:17 <flock-ectr112> policy modules
14:39:34 <flock-ectr112> can also add modules
14:40:06 <flock-ectr112> #topic final thoughts
14:40:09 <flock-ectr112> don
14:40:14 <flock-ectr112> don't turn it off
14:40:19 <flock-ectr112> can save you in the event of a breach
14:40:26 <flock-ectr112> much easier to use selinux now than it was before
14:40:33 <flock-ectr112> nsa grade security available at no extra cost
14:41:09 <flock-ectr112> SELinux guide at docs.redhat.com
14:41:20 <flock-ectr112> fedoraproject.org/wiki/SELinux
14:41:27 <flock-ectr112> fedora-selinux-list mailing list
14:41:52 <flock-ectr112> redhat training SELinux policy administration
14:42:22 <flock-ectr112> selinux videos at access.redhat.com
14:42:27 <flock-ectr112> #topic Q&A
14:42:41 <flock-ectr112> self-updating applications should die, right?
14:43:04 <flock-ectr112> i.e. firefox installing/updating plugins
14:43:15 <flock-ectr112> there is an selinux policy for the firefox plugin dir
14:43:22 <flock-ectr112> drupal updating modules
14:43:48 <flock-ectr112> if those plugins are written badly, selinux will prevent them from accessing things they're not supposed to
14:44:01 <flock-ectr112> contact the plugin/app dev to have them fix those problems
14:45:02 <flock-ectr112> #endmeeting