A fresh look at SELinux...


The SELinux coloring book explains three type of security enforcement used by SELinux.

Type Enforcement

This is the main use of SELinux, where every process gets a type and all objects on the system gets a type, SELinux policy governs how process types are able to interect with file types and the kernel enforces the rules.  The SELinux coloring book uses cats/dogs to describe the along with cat and dog food.

Second form of SELinux separation is called MCS Separation.  In this enforcement, the process and the file system objects get assigned a MCS label along with the type labels, and the kernel enforces that the MCS label of the process much match the label of file content exactly or the kernel will prevent the access. This enforcement is used for separation of VMs and containers.


The third enforcement to be explained is MLS (Multi Level Security),  This uses the same MCS feild as before except this time we are using different MLS rules as defined by US Govt Standards.  SELinux can be use in MLS mode to secure the highest level security information in the US Govt.


The second part of the talk explains what SELinux is trying to tell you when it generates an error.  I descibe this as one of four things.


1 Your labeling is wrong.

SELinux is primarily a labeling system, and if something is mislabeled on your system SELinux will complain, and block access.  The talk will explain how to correct your labeling issues.

2. SELinux needs to know

SELinux is setup in a default configuration, using Reasonable defaults, sometimes you want to run your system with different configurations.  You need to tell SELinux how your system is setup.  This part of the talk will explain different ways you can configure your SELinux system from booleans to changing your network port definitions.

3.  SELinux and Applications can have bugs

Sometimes SELinux blocks the way an application runs or the application has bugs that cause it to trigger SELinux issues.  This section explains how you can modify SELinux policy to allow the access until the policy and/or the application is fixed.

4. You are being hacked.

This section will cover how to differentiate the 3 sections above from a hacker gaining access to your system and SELinux blocking his access.


Room 103
Sunday, January 24, 2016 - 15:00 to 16:00