Scientific Linux Forum.org




> SELinux/AppArmor, Are there any guides or tutorials?
wearetheborg
 Posted: May 2 2011, 06:00 PM

I would like to study SELinux and AppArmor, and become proficient in using them.
Are there any guides, tutorials or books for noobies?


thomei
 Posted: May 2 2011, 07:19 PM

--------------------
thomei
think free, think Linux
wearetheborg
 Posted: May 2 2011, 07:51 PM

Thanks!

Some of the resources are pretty old and outdated I gather (e.g. the book) though.


joka
 Posted: May 2 2011, 08:32 PM

IMO the best publicly available starting point for SE-Linux is the RHEL 6 SELinux Guide

Also interesting and informative are the articles in Dan Walsh's Blog
schotty
 Posted: May 3 2011, 07:47 AM

Although at work right now, I have some off the top of my head that I can pull up here. I am having issues with Internet Exploder here being so old and crippled that some pages heavy on ajax aren't working right. But these should get you going.

If you are completely new to SELinux, read thru all of these top few first. Get the gist of what the hell SELinux really is, how it works, and what and why things are done. The main wiki has some really good breakdowns that are generic to any distro (been a while since I went thru em all), but will get you to understanding a lot of things. Then move on to the Fedora/Red Hat ones to start tailoring what you need to what the RH folk and Fedora teams pre-setup for you.

IMNSHO, killing off SELinux because of a weird error is a flat out stupid maneuver if you have a system that you want secure in the slightest. The way the policies work is not too different in end user implementation than a firewall is. And in some ways this is a firewall for applications, rather than packets. If a program is getting pissey, fix it. It's not hard (well, except for wine, but that's another ball of wax ...). But for some reason I see a lot of people say to disable it. Don't. Just fix the problems that the troubleshooter warns you of.

Have fun!

And the links:
http://www.nsa.gov/research/selinux/
http://selinuxproject.org/page/Main_Page


http://docs.fedoraproject.org/en-US/Fedora/14/html/Security_Guide/index.html
http://wiki.centos.org/HowTos/SELinux
https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_Linux/
which points to
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96/html-single/Security-Enhanced_Linux/index.html
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96/html-single/Security_Guide/index.html
U308
 Posted: May 3 2011, 02:27 PM

Good links, lots of reading hours :o

Am I right in saying that we already have some protection out of the box ? Those files in /
are all not unconfined meaning of course that they are confined.
$ ls -Z firefox
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 firefox
$
wearetheborg
 Posted: May 3 2011, 04:00 PM

Thanks schotty! :)


joka
 Posted: May 3 2011, 07:47 PM

QUOTE (U308 @ May 3 2011, 03:27 PM)
Am I right in saying that we already have some protection out of the box ? Those files in /
are all not unconfined meaning of course that they are confined.
$ ls -Z firefox
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       firefox

Regarding Firefox: no. The command above just says that firefox has the default label (security context) of a binary file. The standard SELinux policy of SL or Fedora has no specific rules for Firefox or other desktop applications.
Protected out of the box are mainly services (to prevent a successful exploit from getting root access).

However, SL 6 has an SELinux-based sandbox. The command
CODE
sandbox -X -t sandbox_web_t firefox http://scientificlinuxforum.org

would start Firefox in an isolated sandbox and in its own nested X server.
Try out URL file:///home/MyUserId in sandbox'd Firefox
Package that provides sandbox is: policycoreutils-sandbox
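Added example (not part of joka's post or of any project's code): the label `ls -Z` shows on a file and the domain a process runs in are separate things, and confinement is read from the process domain. The sketch parses constructed `ls -Z` and `ps -eZ` lines in the RHEL 6 layout; the function names are hypothetical, and counting only `unconfined_t` as unconfined is a simplifying assumption.

```shell
#!/bin/sh
# Constructed sample data in the RHEL 6 layout (not captured from a real host).
LS_SAMPLE='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 firefox'
PS_SAMPLE='LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:03 firefox
system_u:system_r:httpd_t:s0 1234 ? 00:00:00 httpd'

# Print the type (third ':' field) of a context user:role:type:level.
# The level may contain ':' itself (s0-s0:c0.c1023), so only the first
# three fields are positional. Fails if the argument is not a context.
context_type() {
    printf '%s\n' "$1" |
        awk -F: 'NF >= 4 { print $3; found = 1 } END { exit !found }'
}

# Type of the file label in an "ls -Z" line laid out as in the thread:
# mode, user, group, context, name.
file_label_type() {
    context_type "$(printf '%s\n' "$1" | awk '{ print $4 }')"
}

# Read "ps -eZ" lines on stdin; print "command domain confined|unconfined".
# Assumption: only unconfined_t counts as unconfined (a simplification).
process_domains() {
    awk '{
        n = split($1, c, ":")
        if (n < 4) next                 # header or malformed line
        state = (c[3] == "unconfined_t") ? "unconfined" : "confined"
        print $NF, c[3], state
    }'
}

# The file label is only the generic "binary" type ...
file_label_type "$LS_SAMPLE"
# ... while confinement is a property of the running process's domain.
printf '%s\n' "$PS_SAMPLE" | process_domains
```

On a live host the same function can be fed real output with `ps -eZ | process_domains`.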
AndrewSerk
 Posted: May 3 2011, 09:40 PM

QUOTE (joka @ May 3 2011, 02:47 PM)

However, SL 6 has an SELinux-based sandbox. The command
CODE
sandbox -X -t sandbox_web_t firefox http://scientificlinuxforum.org

would start Firefox in an isolated sandbox and in its own nested X server.
Try out URL file:///home/MyUserId in sandbox'd Firefox
Package that provides sandbox is: policycoreutils-sandbox


That is a great tip! :)
Thanks joka
wearetheborg
 Posted: May 3 2011, 09:45 PM

QUOTE (AndrewSerk @ May 3 2011, 04:40 PM)
QUOTE (joka @ May 3 2011, 02:47 PM)

However, SL 6 has an SELinux-based sandbox. The command
CODE
sandbox -X -t sandbox_web_t firefox http://scientificlinuxforum.org

would start Firefox in an isolated sandbox and in its own nested X server.
Try out URL file:///home/MyUserId in sandbox'd Firefox
Package that provides sandbox is: policycoreutils-sandbox


That is a great tip! :)
Thanks joka



That is sweet!


U308
 Posted: May 4 2011, 09:04 AM

QUOTE (joka @ May 3 2011, 09:47 PM)
QUOTE (U308 @ May 3 2011, 03:27 PM)
Am I right in saying that we already have some protection out of the box ? Those files in /
are all not unconfined meaning of course that they are confined.
$ ls -Z firefox
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       firefox

Regarding Firefox: no. ......
Protected out of the box are mainly services (to prevent a successful exploit from getting root access).
However, SL 6 has an SELinux-based sandbox. The command
CODE
sandbox -X -t sandbox_web_t firefox http://scientificlinuxforum.org

would start Firefox in an isolated sandbox and in its own nested X server.


Thank you for that info joka !
irlandes
 Posted: May 4 2011, 02:46 PM

So, that is what the sandbox packages I saw when I was "shopping" were all about.
wearetheborg
 Posted: Sep 18 2012, 02:12 AM

QUOTE (joka @ May 3 2011, 02:47 PM)
QUOTE (U308 @ May 3 2011, 03:27 PM)
Am I right in saying that we already have some protection out of the box ? Those files in /
are all not unconfined meaning of course that they are confined.
$ ls -Z firefox
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       firefox

Regarding Firefox: no. The command above just says that firefox has the default label (security context) of a binary file. The standard SELinux policy of SL or Fedora has no specific rules for Firefox or other desktop applications.
Protected out of the box are mainly services (to prevent a successful exploit from getting root access).

However, SL 6 has an SELinux-based sandbox. The command
CODE
sandbox -X -t sandbox_web_t firefox http://scientificlinuxforum.org

would start Firefox in an isolated sandbox and in its own nested X server.
Try out URL file:///home/MyUserId in sandbox'd Firefox
Package that provides sandbox is: policycoreutils-sandbox


Is there a way to pass a directory (say Downloads) where the sandboxed program can download and upload programs to?

And to use
CODE
sandbox -X -t sandbox_web_t firefox http://scientificlinuxforum.org

do I need to set up SELinux first, or can I just run as is (after package installation of selinux and policycoreutils-sandbox)?

