Do people care about security?

Do you ship SELinux policy for your product?

AGENDA

  • Security on fire
  • How did SELinux help you with Shellshock?
  • More friendly SELinux
  • How do we ship Fedora distribution policy?
  • How to ship own product policy?

"When/How/Where"?

When DO people care about security?

Security on fire

How do security issues affect me?

  • Will I lose my personal data?
  • Will my personal data be shared on the Internet?
  • Will my bank account be stolen?
  • Is my personal device protected at all?
  • Are trusted institutions really trusted and protected from this security issue?

Security on fire

Where do security issues come from?

How are they fixed?

Security on fire

reactive security

  • window of vulnerability
  • backport a fix
  • release an update
Security on fire

Your system is not protected from the consequences of exploits!

proactive security

  • filling the window of vulnerability

It protects your system from the consequences of exploits!

Security Enhanced Linux (SELinux) is a security mechanism bringing proactive security to your system

Security on fire

What are the latest known exploits?

Venom

sudo privilege escalation

Shellshock

Hacking time!

env val='() { :;}; echo Unexpected command' bash -c "echo Real command"

env sets the variable in the environment before the bash command runs

The command tacked on after the function body is executed by a vulnerable bash when it imports the variable

Victim: web server -> cgi script -> connect to attacker

Attacker: listen on port
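Added example, not from the slides: a defender-side check that scans web server access logs for the Shellshock signature. A CGI web server copies request headers such as User-Agent into the script's environment, so a header value starting with `() {` is exactly the input the demo above relies on. The log lines are constructed; the probe line reuses the harmless payload from the slide.

```shell
# Constructed sample of an access log in combined format (the last quoted
# field is the User-Agent). The first request carries the slide's test payload.
SAMPLE_LOG='203.0.113.5 - - [24/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo Unexpected command"
198.51.100.7 - - [24/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# shellshock_hits: read log lines on stdin and print every line in which a
# quoted client-supplied field (User-Agent or referer) begins with the bash
# function-definition prefix "() {"; an optional space inside is tolerated.
shellshock_hits() {
    grep -E '"\(\) ?\{'
}

# shellshock_count: number of such lines on stdin (0 when the log is clean)
shellshock_count() {
    shellshock_hits | wc -l | tr -d ' '
}

# offending_clients: distinct source addresses (first field) that sent the prefix
offending_clients() {
    shellshock_hits | awk '{ print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | shellshock_hits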

DEMO TIME!

Conclusion?

BIG USABILITY IMPROVEMENTS in SELinux tooling

  • performance gains

friendly selinux

# dnf install selinux-policy-targeted
# semodule -d docker
# semodule -e docker

~ 15 seconds for

friendly selinux

# dnf install docker-selinux

libsepol.scope_copy_callback:docker Duplicate declaration in module

Without module priorities, a second docker module conflicts with the copy already in the distro policy. With priorities, both copies are installed:

# dnf install docker-selinux
# semodule --list=full | grep docker
400 docker
100 docker
friendly selinux

MODULE PRIORITIES IN FEDORA 25?

100 - system modules from selinux-policy

SEMODULE="semodule -p %{buildroot} -X 100"

200 - modules from other packages

%{_sbindir}/semodule -n -s %{selinuxtype} -X 200 -i $MODULES

300 - modules based on setroubleshoot suggestions

semodule -X 300 -i my-sshd.pp

400 - default

semodule is called without -X or --priority
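An added example, not from the slides, of reading a `semodule -lfull` listing the way the priority scheme above implies: for every module name only the highest-priority copy is active, and lower-priority copies are installed but shadowed. The listing is constructed; its columns (priority, name, language) follow the output shown on the slides.

```shell
# Constructed sample in the format of `semodule -lfull`: priority, module name,
# language. Two copies of "docker" are installed at different priorities.
SAMPLE_LISTING='100 docker            pp
300 docker            pp
100 httpd             pp
400 my-sshd           cil
200 myapp             pp'

# active_modules: read a listing on stdin and print "priority name" for the
# highest-priority copy of each module, i.e. the copy the kernel policy is
# actually built from.
active_modules() {
    awk '{ if (!($2 in best) || $1 > best[$2]) best[$2] = $1 }
         END { for (m in best) print best[m], m }' | sort -k2
}

# shadowed_modules: read a listing on stdin and print every lower-priority copy
# that is installed but overridden. A distro update to such a module changes
# nothing on the running system until the higher-priority copy is removed.
shadowed_modules() {
    awk '{ line[NR] = $0; if (!($2 in best) || $1 > best[$2]) best[$2] = $1 }
         END { for (i = 1; i <= NR; i++) {
                   split(line[i], f, " ")
                   if (f[1] != best[f[2]]) print f[1], f[2]
               } }' | sort -k2
}

# active_priority NAME: priority of the active copy of NAME in the sample
active_priority() {
    printf '%s\n' "$SAMPLE_LISTING" | active_modules | awk -v n="$1" '$2 == n { print $1 }'
}

echo "active:";   printf '%s\n' "$SAMPLE_LISTING" | active_modules
echo "shadowed:"; printf '%s\n' "$SAMPLE_LISTING" | shadowed_modules
```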


friendly selinux

  • HLL vs. CIL

# cat mysandbox.te

policy_module(mysandbox, 1.0)

require {
    type sandbox_web_t;
    attribute userdomain;
}

allow sandbox_web_t userdomain:unix_stream_socket connectto;

# make -f ../Makefile mysandbox.pp

# semodule -i mysandbox.pp

friendly selinux

  • CIL

# cat mysandbox.cil

(allow sandbox_web_t unconfined_t (unix_stream_socket (connectto)))

# semodule -i mysandbox.cil

friendly selinux

[diagram: *.cil -> (semodule) -> policy.29]

friendly selinux

  • performance gains
    • 75% speed-up of tools that perform SELinux policy management
  • easier to provide your own SELinux policies
    • assigning priorities to modules
  • new Common Intermediate Language - CIL
    • readable intermediate policy language
    • potential for new High Level Languages (in JavaScript?)

friendly selinux

  • CIL

[diagram: ??? -> *.cil -> (semodule) -> policy.29 -> ???]

  • new Common Intermediate Language - CIL
    • lolpolicy (HLL) from Joshua Brindle

I iz logwatch
     in ur webserver
     reading ur logs

friendly selinux

It is HERE.

FEDORA 24.

friendly selinux

SELinux TEAM AT RED HAT

Miroslav Grepl

Team Lead

Paul Moore

Kernel

Petr Lautrbach

Userspace

Lukáš Vrabec

Policy

Miloš Malík

Policy, Userspace

Vít Mojžíš

Policy, Analysis Tool

Where can I find the SELinux policy in Fedora?

$ rpm --all -q | grep "selinux-policy*"
selinux-policy-doc-3.13.1-191.5.fc24.noarch
selinux-policy-devel-3.13.1-191.5.fc24.noarch
selinux-policy-3.13.1-191.5.fc24.noarch
selinux-policy-targeted-3.13.1-191.5.fc24.noarch

The application policy for Fedora is stored in the selinux-policy RPM packages

We call this policy

distro policy

Distro policy is adjusted for Fedora

Distro policy contains:

  • policies for core components (kernel, systemd, ...)
  • policies for common daemons (httpd, ftpd, ...)
  • policies for user domains (sysadm, user, guest, ...)

Distro policy does not contain:

  • policies for third party components (whatever you download from the internet)

We're trying to cover all daemons in Fedora

# semodule -l | wc -l
417

Where can I find policy sources?

useful links:

We know that...

writing your own SELinux policy is possible

and easy

But...

Can I ship the module easily?

Yes!

You can ship your own module:

  • as a subpackage of your RPM package
  • inside your RPM package

Example

We can try to install docker on Fedora...

$ rpm -q docker
package docker is not installed


$ sudo semodule -l | grep docker
$

$ sudo dnf install docker
...
...
...
Installed:
  docker.x86_64 2:1.10.3-24.git29066b4.fc24                
  docker-selinux.x86_64 2:1.10.3-24.git29066b4.fc24 


$ rpm -q --all | grep docker 
docker-v1.10-migrator-1.10.3-24.git29066b4.fc24.x86_64
docker-selinux-1.10.3-24.git29066b4.fc24.x86_64
docker-1.10.3-24.git29066b4.fc24.x86_64

$ sudo semodule -l | grep docker
docker

Shipping your own SELinux module brings benefits

  • changes in policy can be made immediately
    • no need to wait for the selinux-policy maintainer to fix it
  • independent from selinux-policy distro updates
    • policy changes are delivered together with your application
  • your own policy module can reflect the latest features of the application
    • policy and application stay synchronized

How to do this?

We'll need:

  • rpm and selinux-policy devel packages
    • selinux-policy-devel rpm-build
  • a working SELinux policy for your product
  • a makefile to compile the SELinux policy
  • a spec file for your application

## prepare some stuff

$ sudo dnf install selinux-policy-devel rpm-build # install the necessary packages

$ mkdir myapp-selinux-0.1
$ cd myapp-selinux-0.1/

## example of policy for shipping

$ cat myapp.te # create a short SELinux policy
policy_module(myapp, 1.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Grant myapp_t the signal privilege
allow myapp_t self:process { signal };

$ cat myapp.fc
/sbin/myapp --  gen_context(system_u:object_r:myapp_exec_t,s0)

$ cat myapp.if
## <summary>Policy for myapp.</summary>

$ ls
myapp.fc  myapp.if  myapp.te
## Makefile for policy

TARGETS?=myapp
MODULES?=${TARGETS:=.pp.bz2}

all: ${TARGETS:=.pp.bz2}

# compress each compiled module; the selinux-policy-devel Makefile builds the .pp
%.pp.bz2: %.pp
	@echo Compressing $^ -\> $@
	bzip2 -9 $^

%.pp: %.te
	make -f /usr/share/selinux/devel/Makefile $@

clean:
	rm -f *~ *.tc *.pp *.pp.bz2
	rm -rf tmp

The policy is ready now.

Let's integrate it into the spec file...

## build section
# Macros used below; in a real spec they sit in the header (elided above) and
# follow the docker-selinux spec: _format expands 'modulenames' into the format
# given as its second argument, with $x standing for each module name.
%global modulenames myapp
%global moduletype contrib
%global selinuxtype targeted
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
%global relabel_files() %{_sbindir}/restorecon -R /sbin/myapp &> /dev/null || :

%build
make SHARE="%{_datadir}" TARGETS="%{modulenames}"

...
...
...

## install section
%install

# Install SELinux interfaces (/usr/share/selinux/devel/include/contrib)
%_format INTERFACES $x.if
install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 $INTERFACES \
	%{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}

# Install policy modules (/usr/share/selinux/packages)
%_format MODULES $x.pp.bz2
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 0644 $MODULES \
	%{buildroot}%{_datadir}/selinux/packages

## post-install section
# Install all modules in a single transaction, then load the new policy and
# relabel the application's files if SELinux is enabled
%post
%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
    %relabel_files
fi

## uninstall section
# $1 is 0 only on a real removal (not on an upgrade): remove the module then
%postun
if [ $1 -eq 0 ]; then
	%{_sbindir}/semodule -n -r %{modulenames} &> /dev/null || :
	if %{_sbindir}/selinuxenabled ; then
		%{_sbindir}/load_policy
		%relabel_files
	fi
fi

## files section
%files
%defattr(-,root,root,0755)
%attr(0644,root,root) %{_datadir}/selinux/packages/*.pp.bz2
%attr(0644,root,root) %{_datadir}/selinux/devel/include/%{moduletype}/*.if

SELinux module is part of your package now!

useful links:

Future?

Using the CIL priorities feature makes shipping your own modules even easier!

Example

The distro SELinux policy also includes the docker module. Distro SELinux modules have priority 100.

$ rpm -q docker-selinux
package docker-selinux is not installed

# semodule -lfull | grep docker
100 docker            pp

What happens after installing the docker-selinux rpm package?

# dnf install docker
...
...

Installed:
  docker.x86_64 2:1.10.3-24.git29066b4.fc24
  docker-selinux.x86_64 2:1.10.3-24.git29066b4.fc24

Complete!

## Active policy is the policy with the higher priority
$ sudo semodule -lfull | grep docker
300 docker            pp
100 docker            pp

Only the module with the highest priority is active!

Your own SELinux module can be installed without any changes in the distro policy!

Security wins with SELinux!

Any questions?

Thank you!

lvrabec@redhat.com

mgrepl@redhat.com