hitcon 101 sharing selinux 從不認識到在一起 · the ways to disable selinux setenforce 0...
TRANSCRIPT
![Page 1: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/1.jpg)
HITCON 101 SharingSELinux
從不認識到在一起
![Page 2: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/2.jpg)
About Me
王禹軒 (Bighead)● 中央大學 Advanced Defense Lab
○ 打胖
● 工研院 Intern○ Whitelist 1.0 PoC○ Hypervisor-based Whitelist (page verification)○ SELinux
![Page 3: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/3.jpg)
SELinux Top Search
![Page 4: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/4.jpg)
The ways to disable SELinux
● Setenforce 0● Edit /etc/selinux/config : SELINUX = permissive or disable● Delete policy● Get rid of the boot argument : security=selinux selinux=1
![Page 5: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/5.jpg)
The ways to disable SELinux
● Setenforce 0● Edit /etc/selinux/config : SELINUX = permissive or disable● Delete policy● Get rid of the boot argument : security=selinux selinux=1● Do NOT use default SELinux-enabled distro (CentOS)
![Page 6: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/6.jpg)
The ways to disable SELinux
● Setenforce 0● Edit /etc/selinux/config : SELINUX = permissive or disable● Delete policy● Get rid of the boot argument : security=selinux selinux=1● Do NOT use default SELinux-enabled distro (CentOS)
SELinux gives you the power to close it
![Page 7: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/7.jpg)
Don’t be Afraid of SELinux
● 60 page survey paper● 400 page SELinux Notebook● Makefile survey● Policy Set survey● Powerful mentor
![Page 8: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/8.jpg)
Don’t be Afraid of SELinux
● 60 page survey paper● 400 page SELinux Notebook● Makefile survey● Policy Set survey● Powerful mentor
Don’t be afraid! It is not scary
![Page 9: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/9.jpg)
Trust Lovely Santa Claus
Reference : Santa Claus PNG Transparent Image - PngPix
![Page 10: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/10.jpg)
Trust Evil Santa Claus !?
Futurama : Robot Santa Claus
![Page 11: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/11.jpg)
Why Access Control ?
● Goal: Protect data and resources from unauthorized use○ Confidentiality (or secrecy) :
Related to disclosure of information
○ Integrity : Related to modification of information
○ Availability : Related to denial of access to information
Reference: Security Awareness Posters
![Page 12: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/12.jpg)
Access Control Basic Terminology
● Subject: Active entity – user or process
● Object: Passive entity – file or resource
● Access operations: read, write, ...
Subject Object
Action
![Page 13: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/13.jpg)
Access Control is Hard Because
● Access control requirements are domain-specific○ Generic approaches over-generalize
● Access control requirements can change○ Anyone could be an administrator
Reference : https://profile.cheezburger.com/imaguid/
![Page 14: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/14.jpg)
Basic Concepts of Different Access Control Policies
● Discretionary (DAC): (authorization-based) policies
control access based on the identity of the requestor and
on access rules stating what requestors are (or are not)
allowed to do.
● Mandatory (MAC): policies control access based on
mandated regulations determined by a central authority.
![Page 15: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/15.jpg)
DAC : Access Matrix Model
File 1 File 2 File 3 Program 1
Aliceownreadwrite
readwrite
Bob readreadwrite
execute
Charlie readexecute
read
![Page 16: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/16.jpg)
DAC - Identity !!
![Page 17: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/17.jpg)
DAC weaknesses (1/2)
● Scenario
○ Bob owns a secret file, Bob can read it, but not
Daniel
○ In DAC, Bob can be cheated to leak the information
to Daniel.
○ How?
■ Trojan horse: software containing hidden code
that performs (illegitimate) functions not known to
the caller
![Page 18: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/18.jpg)
Trojan horse - Simple Example
Bob invokes
Application (e.g. calendar)
read contactswrite stolen
code
malicious code
Secret File content
owner Bob
Alice 06-12345678Charlie 06-23456781
File stolen
owner Daniel
Alice 06-12345678Charlie 06-23456781
(Bob,write,stolen)
![Page 19: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/19.jpg)
DAC weaknesses (2/2)
• DAC constraints only identity, no control on what happens to information during execution.
• No separation of User identity and execution instance.• Trojan Horses exploit access privileges of calling subjects
identity.
![Page 20: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/20.jpg)
MAC - Behavior !!
![Page 21: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/21.jpg)
● Policies control access based on mandated regulations determined by a central authority.
User Application Process Label
Bob calendar_t
Central Authority Rule
Subject Label Object Label Permission
calendar_t secret_t No read
calendar_t stolen_t Read, No write
File name Object Label
Secret file secret_t
File stolen stolen_t
How MAC fix the DAC weakness (1/2)
![Page 22: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/22.jpg)
How MAC fix the DAC weakness (2/2)
Bob invokes
Calendar (calendar_t)
read contactswrite stolen
code
malicious code
Secret File content (secret_t)
owner Bob
Alice 06-12345678Charlie 06-23456781
File stolen (stolen_t)
owner Daniel
Alice 06-12345678Charlie 06-23456781
(Bob,write stolen fail)
![Page 23: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/23.jpg)
Different MAC Mechanisms
![Page 24: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/24.jpg)
Apparmor
● Path-based system : filesystem no need to support extended attribute
● Per-program profile : describe what program can do.● Concept of Different Subject Domain : If you want a
different Subject Domain, you should create a hard link & rename the program & create a new profile for it.
![Page 25: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/25.jpg)
Apparmor Profile
![Page 26: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/26.jpg)
Extended Attribute
Security.selinux = “Label”
File inode
![Page 27: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/27.jpg)
Smack (Simplified Mandatory Access Control Kernel)● Label base : file system should support extended attribute● Default rules are fixed in kernel
○ Any access requested by a task labelled "*" is denied.○ A read or execute access requested by a task labelled "^" is permitted.○ A read or execute access requested on an object labelled "_" is
permitted.○ Any access requested on an object labelled "*" is permitted.○ Any access requested by a task on an object with the same label is
permitted.○ Any access requested that is explicitly defined in the loaded rule set is
permitted.○ Any other access is denied.
![Page 28: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/28.jpg)
SELinux
● Label base : file system should support extended attribute● Finer granularity :
● Different MAC model support : Type Enforcement, MCS, MLS, RBAC
● Hard to learn
Subject Object:ClassAction
![Page 29: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/29.jpg)
Why Choose SELinux : Comparison
NAME SELinux Smack Apparmor
Type MAC MAC MAC
Granularity (Hook Point)
176 114 62
Extended Attribute Yes Yes No
Separation of Policy and Mechanism
Yes Partial Yes
![Page 30: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/30.jpg)
SELinux Concept (1/2)
ObjectLabel
Process Request Resource(e.g. files,printers)
Access Request
SubjectLabel
● Mode : ○ Enforce & Permissive & Disable
● Label Format : ○ User:Role:Type:Range
![Page 31: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/31.jpg)
SELinux Concept Outline (2/2)
● Type Enforcement (TE): Type Enforcement is the primary mechanism of access control used in the targeted policy
● Multi-Category Security(MCS): An extension of Multi-Level Security.
● Multi-Level Security (MLS): Not commonly used and often hidden in the default targeted policy.
![Page 32: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/32.jpg)
Type enforcement (1/2)
Reference : https://opensource.com/business/13/11/selinux-policy-guide
![Page 33: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/33.jpg)
Type enforcement (2/2)
![Page 34: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/34.jpg)
MCS (1/2)
![Page 35: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/35.jpg)
MCS (2/2)
![Page 36: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/36.jpg)
MLS (1/2)
![Page 37: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/37.jpg)
MLS (2/2)
![Page 38: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/38.jpg)
How to Use SELinux Management Tool
![Page 39: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/39.jpg)
Enable SELinux First !
![Page 40: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/40.jpg)
SELinux Management : Get Selinux Context (Label)
● ls -Z (get file selinux context)● ps Z (get process selinux context)● seinfo -t : lists all contexts currently in use on your system
![Page 41: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/41.jpg)
SELinux Management : 2 Step Used to Relabel File Type Using Setfiles
● File_contexts : used by the file labeling utilities.● semanage fcontext --add --type httpd_sys_content_t
"/var/www(/.*)?"○ First write the new context to the
/etc/selinux/targeted/contexts/files/file_contexts.local file.
● setfiles file_contexts /var/www○ Next, we will run the setfiles command. This will relabel
the file or directory with what's been recorded in the previous step
![Page 42: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/42.jpg)
SELinux Management : Command to Change File Label & Check Policy
● chcon --type bin_t test.c○ change the context of the file.
● runcon -t kernel_t /bin/bash● sesearch --allow --source kernel_t --target proc_t
○ check the type of access allowed for ourselves
![Page 43: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/43.jpg)
SELinux Management : Boolean
● List Boolean : ○ getsebool -a
● Set Boolean : ○ setsebool BooleanName (1
or 0)
![Page 44: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/44.jpg)
Troubleshoot : Audit Message (1/2)
● avc : denied { relabelto } for pid=1382 comm=”chcon” name=”test.c” dev=”sda1” ino=418253 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unconfined_t:s0 tclass=file
● Dmesg | grep avc | audit2allow -M test○ Generate test.pp, use semodule -i test.pp to install
policy module.
![Page 45: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/45.jpg)
Troubleshoot : Audit Message (2/2)
![Page 46: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/46.jpg)
User to Developer : What Change ?
![Page 47: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/47.jpg)
SELinux Architecture - LSM Hook
![Page 48: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/48.jpg)
LSM Hook and SELinux Security Server
System Call Interface
Entry Points
Security Server
with CentralPolicy
AccessHook
Security-sensitiveOperation
Authorize Request ?
Yes/No
AccessHook
AccessHook
Security-sensitiveOperation
Security-sensitiveOperation
Reference : http://web.eecs.umich.edu/~aprakash/security/handouts/AccessModel_040112_v2.ppt
![Page 49: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/49.jpg)
SELinux Architecture - SELinux-aware Application
![Page 50: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/50.jpg)
What is the SELinux-aware Package
.te.if.fc
Refpolicy
Program Behavior
![Page 51: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/51.jpg)
SELinux-aware Level
1. Unaware (e.q. rm)2. Aware, but not necessary (e.q. ls, ps)3. Access Securityfs without checking special class (e.q. getenforce)4. In addition to access Securityfs, check the permission in special class below
(e.q. systemd, init, setenforce)a. File, Socket, Database, Filesystem class
i. Relabeltoii. Relabelfrom
b. Process classi. Dyntransitionii. Setexeciii. Setfscreateiv. Setkeycreatev. Setsockcreate
c. Security classd. Kernel service class
![Page 52: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/52.jpg)
Example : Linux Initialization
init
Getty & Login
init.rc
PAM : Authenticate User &
Compute corresponding SELinux user context
Load policy & Reexecute itself to change context
seusers
contexts/users/...
![Page 53: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/53.jpg)
SELinux Architecture - Build Policy
![Page 54: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/54.jpg)
How to Write Policy by Yourself
Monolithic Base
Policy Module
● All build by 3 file : ○ .te : like .c file○ .if : like .h file○ .fc (describe file context)
![Page 55: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/55.jpg)
Policy Build Sequence
Kernel Policy Language
Policy Set(Written with M4 macro language)
Policy Binary
Macro Expansion
Checkpolicy orCheckmodule
![Page 56: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/56.jpg)
Secure Boot
Reference : https://developer.ibm.com/articles/protect-system-firmware-openpower/
Access Control - SELinux
Integrity - IMA/EVM
![Page 57: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/57.jpg)
Call Our Team
pchang9
The 9th Generation pchang
Yi-Ting
大
頭
![Page 59: HITCON 101 Sharing SELinux 從不認識到在一起 · The ways to disable SELinux Setenforce 0 Edit /etc/selinux/config : SELINUX = permissive or disable Delete policy Get rid of](https://reader030.vdocuments.net/reader030/viewer/2022041103/5f0318c77e708231d40784c3/html5/thumbnails/59.jpg)
Q&A X SELinux Demo
59
SELinux enforce mode SELinux permissive mode
Busybox (Embedded System)
Ubuntu限定指定資料夾僅能指定程序存取
保護特定程序不被任何人kill
SELinux enforce modeon Raspberry Pi 3 Model B+