Security-Enhanced Linux for mere mortals

127,482 views

Red Hat Summit

A day ago

Comments: 183
@whatdamath 5 years ago
my right ear still has no idea what SEL is
@SirWolf2018 5 years ago
I had to change my sound device settings to stop this annoyance.
@MRW515 4 years ago
lol
@SirWolf2018 3 years ago
Actually, in the Accessibility settings you can *Turn on mono audio*, but still annoying!
@7xr1e20ln8 3 years ago
Holy moly I didn't know What the Math guy was into SELinux lol
@leonardoespinosa3796 3 years ago
I found the solution: Watched it all over again with the headphones switched over sides =P
@pkaramol 5 years ago
The presentation is fantastic. But what's with Red Hat refusing to adopt the stereo technology?
@akashpsajeev1771 4 years ago
Apparently they've dropped support for it in this release even though they supported it before.
@paulwebster9844 3 years ago
It was in stereo. The presenter was only ever on the left side of the video
@SirWolf2018 3 years ago
@paulwebster9844 You do realize that's not helping us?
@paulwebster9844 3 years ago
@SirWolf2018 Apologies. My definition of "humour" seems to be lop-sided too.
@SirWolf2018 3 years ago
@paulwebster9844 Sorry, I wasn't in the right mood to appreciate humor at that time. Please ignore what I said.
@RyanEstep5877 6 years ago
Hands down. The best explanation that I have ever heard. Thanks.
@Chris-Christopher- 3 years ago
The guy's belt ruined it for me.
@zXHAcKeRzXz 3 years ago
semi-heard*
@sefirotsama 3 years ago
The most informative and complete SE linux talk I've seen. Very good of your time. Good presenter.
@daniel280187 5 years ago
What a great presentation!!. It definitely changed my way of looking at SELinux and it will anyone struggling to understand those key concepts. I will share this video with my colleagues. Thanks for sharing.
@orbotik 4 years ago
Saved my butt. Followed along, CLI examples so helpful. No SELinux disables here!
@011azr 3 years ago
Just a tip for Windows users out there. Press the Windows button and then type "Ease of access audio settings". In the "Turn on mono audio", toggle the button to change it to "On". You're very welcome ;)
@Trippykiyay 3 years ago
Best SElinux presentation i have ever seen. THANK YOU!
@dundydunker 2 years ago
This was one of the most helpful presentations. Knowing now that selinux provides errors with solutions is a life changer for me!
@carrycat876 a year ago
All you really need to understand SE Linux - This was very helpful thank you 🙏
@forbinplanet9900 3 years ago
Concise, clear and very very useful! I used what I learned here to clear up a problem that I'd been trying to solve for weeks.
@zXHAcKeRzXz 3 years ago
Technically speaking the audio is KZbin's fault. When you submit a mono audio video (logical when you've recorded with only one mic), YT converts it to stereo but only feeds one channel. So yeah it's weird. I suggest that they develop mono audio support to stream just the original mono audio without converting it. And I suggest for the audio engine of every OS to automatically reproduce the sound of the fed channel to the non-fed channel (Like if you use 5.1 on a 7.1 or 2.1 on a 5.1 or whatever, no speakers should be left unused, it's annoying)
@kimvette1 3 years ago
Third-party classes like I've taken for RHEL 5-7 keep selinux obfuscated and overcomplicate the instructions --- I suspect because they don't understand it themselves so they treat it like voodoo. Thank you for breaking it down like this!
@ThomasCameron 11 months ago
You're very welcome.
@robertochieng1705 3 years ago
this video moved me to SELinux guru. I had no clue what SELinux no matter how much I read
@kellyp1440 2 years ago
This is awesome - watched this and fixed a problem that had been bugging me for days :)
@louiehernandez7821 3 years ago
Thank you for the breakdown of SE Linux. Very super helpful.
@example101 3 years ago
REDHAT DOCS AND SUMMIT SPEAKERS ARE AWESOME.
@TirajAdikari 9 months ago
Thank you. Your experience shows in the way you have explained difficult subject in such an easy manner.
@BenThatOneGuy 4 years ago
Fantastic explanation. This is a top tier presentation on one of the harder things to learn about linux admin work.
@ThinAung-y8e a month ago
Do we have updated presentation for RHEL8 / 9?
@Oswee 3 years ago
This is so fantastic talk! Made many great notes.
@richard_ackad 4 years ago
Very interesting and constructive presentation.
@MubarakAlrashidi 5 years ago
You made it so easy. Thanks
@ahmadatef6484 3 months ago
Anybody has an idea where can I find those slides?
@vieldcs 3 years ago
Long tutorial, but very useful to me. Thumb up.
@Kuvaldis1983 6 months ago
Perfect!!! Thanks for such an easy-to-understand approach!!!
@JamesSusanka 8 months ago
I find it funny that corporations are so worried about security but yet will force employees to run Windows as their desktop when that is about the worst thing you can run on your desktop.
@GregTheHun 2 years ago
Can't seem to find the presentation file for this anymore, anyone have a link to get it?
@ThomasCameron 11 months ago
videos.cdn.redhat.com/summit2015/presentations/13893_security-enhanced-linux-for-mere-mortals.pdf
@rokyo401 6 months ago
Do the SELinux labels do anything in a system that isn't using SELinux? So, if I physically remove the hard disk from a system protected by SELinux and mount it on a system that doesn't use SELinux, will the labels still protect the home folder of the user who chmod 777'd all his files or will I be able to read them because only DAC is active then? The second, right?
@KifKroker a month ago
SELinux can't protect you when it's not in use, if you break out the hdd you can read the data. If you disable selinux it will also not protect you anymore ...
@RyanEstep5877 9 months ago
I need you to explain all of RHEL
@neptronix 2 years ago
Great talk, thank you!!
@TiagoJoaoSilva 3 years ago
Great presentation, but IMO, having to use "permissive" and policy modules looks like a failure in the concept of SELinux. Having to 'spray and pray' instead of fixing from first principles shows, to me, that the first principles are not very well thought-out.
@ThomasCameron 11 months ago
Generally, SELinux works fine with software which is included with the distro. It's mostly when you start to use non-SELinux aware apps from third parties where it can get in your way. I hope that this helped you in those cases.
@SunsetGraffiti 26 days ago
Very helpful and demystifying!
@ramendersingh3072 5 years ago
if a system is compromised and the attacker has root access then selinux is useless. How does selinux prevent attack?
@kuhluhOG 4 years ago
well, if a service (Let's say a webserver) is being run as root and a hacker takes control of that service, without SELinux, you are done. With SELinux, he may have "root-access", but not all the privileges because he still runs for example a shell as a child-process of the webserver
@SergePavlovsky 2 years ago
what will attacker do with root access? connect somewhere and run shell? selinux will deny it
@joejavacavalier2001 2 years ago
I've seen PHP based sites get compromised and PHP files over written. I've tried to simulate such an attack on Fedora. There are separate context types to allow and deny Apache and PHP-FPM from overwriting other code files.
@zakmire6925 4 years ago
Does anyone know if SELinux can cause connectivity issue for F5 health check for Apache servers
@Departure4885 6 years ago
Great video!
@slopedoff 4 years ago
nice presentation, Tomas Cameron but why do you use armitage? to track down logs from mailserver? at which point, can anyone clear this out? ty
@ThomasCameron 10 months ago
Sorry, I just now saw this. Armitage is just the name of the server I built the examples on. It's a character from the Neuromancer novel by William Gibson.
@antonfernando8409 2 years ago
Does ubuntu 20.04 use seclinux stuff?
@elabeddhahbi3301 4 years ago
I wanna know why people still can read the /etc/passwd when they find rce
@modo4211 2 years ago
19:00 : Is installing setroubleshoot and setroubleshoot-server not recommended in production environments? If so why?
@ThomasCameron 11 months ago
You want to keep your production environment as thin as possible. You should use those tools in a dev/test environment and replicate the problem there.
@OrdenJust a year ago
I am unclear on something. If you see from the logs that SELinux is blocking something, how do you know you should "fix" that by allowing the access? Maybe the "denied" or "prevented" messages should not be "fixed", because denying is exactly the right thing to do.
@ThomasCameron 11 months ago
I talked about that. Just because something is blocked doesn't mean that it's a problem. You may be doing something wrong. If you know that you're doing something right, I talk about how to make changes via booleans or semanage fcontext. If you're not clear, feel free to ask questions, I'll help out however I can. Cheers!
@OrdenJust 11 months ago
@ThomasCameron Thank you for this reply. For what it is worth, I rarely know that I am doing something right. :)
@amitkhulbe 3 years ago
I am a lefty and naturally have more control and strength on left. But today my right side has the power of configuring selinux and left is lagging!!
@timleungck 5 years ago
if an attacker compromises the web server and able to exploit the OS and gain root privilege. Can SELinux stop the root user from doing malicious activity? This is a chicken and egg problem for me, since root should have access to modify the SELinux policy, but we also wanna stop attacker from modify the SELinux policy even if they get root access. Can this problem be solved at this level? Or we need some hardware to help us?
@timleungck 5 years ago
www.coker.com.au/selinux/play.html Here's a server with root UID=0 but have restricted access, how can this happen?
@oliverford5367 a year ago
The Web server shouldn't run as root, but as a limited user
@qinmishu 12 days ago
very helpful
@tylerjames3159 3 years ago
Video Timestamp: @24:44
~~~
NAME="CentOS Stream"
VERSION="8"
~~~
It would seem that this file location no longer exists as shown here.
/etc/selinux/targeted/m* ## dir does not exist
From my research, you can find booleans.local under /var/lib/selinux/targeted/active/ It appears to contain the same information.
@entropy79 a year ago
Fantastic :)
@tilopanaropamarpa 4 years ago
Please improve sound recording, please
@LiveWireBT 3 years ago
SE Linux: Built for NSA requirements. »Um it throws errors and we are lazy, so we turn it off. « Also: Oracle DB, built for NSA requirements. »We have to hire special administrators for that! It's important!« No double standards here, move on.
@iainkay3630 a month ago
Could not watch with audio in one ear.
@MohammadHusain 5 years ago
Awesome!
@bog9867 3 years ago
Great
@sealivezentrum 2 years ago
For anyone not knowing this: If you expect it to be secure bear in mind that SELinux also has e.g. timing attacks purposefully built in by certain groups of interest
@meladath5181 2 years ago
The fact that you need a 43 minute lecture on how to "not turn it off" is why everyone turns it off.
@vickyrfirmansyah 3 years ago
fak , i thought my headset is broken
@joseguzman224 3 years ago
i just clicked the play button and I decided that I am out, can't deal with this left ear audio.
@edgarmatzinger9742 2 years ago
Title: _"How does selinux work?"_ It doesn't. It's a pain in the behind.
@oliverford5367 a year ago
But it secures the system. So a vulnerability in say apache or nginx doesn't lead to full compromise
@edgarmatzinger9742 a year ago
@oliverford5367 Selinux does *NOT* prevent anything like that.
@oliverford5367 a year ago
@edgarmatzinger9742 It does surely? It limits what an nginx server running malicious code could access.
@edgarmatzinger9742 a year ago
@oliverford5367 And how would you get nginx to run that _"malicious code?"_ If you're able to use crafted urls to run such code or access incorrect/prohibited data, selinux is not going to help you. I'm all for hardening a linux system. When designing a system, security must be built-in. And is selinux the last part to configure. IMHO selinux is poorly built and has lousy logging. Audit2why produces useless information like "unable to access subsystem." OK, and now what? And this is after setting up the necessary contexts and booleans... Yes, I could've tried to create a new policy. But that doesn't tell me why things don't work. And is nothing more than a workaround.
@mysticgoose 2 years ago
Setenforce 0
@quittobaccotoday a year ago
I'd rather have nix package manager than selinux on my Fedora desktop. And apparently you can't have both.
@jacksondaniels007 4 years ago
I really needed this presented just the way you did, this was a really great/clear explanation. The fact that you were able to make this make sense to me of all people, proves you deserve as many gold stars Red Hat can shower down on you.
@PaulZyCZ 5 years ago
There is something wrong with audio in the recording, I hear only left-ear channel (had to open it in VLC).
@theboomshadow 5 years ago
Oh my gosh, Thank you! That fixed the problem for me.
@NeerajSainiTheBoss 4 years ago
thanks!!!! switching to mono fixed it
@AndrewElmore 4 years ago
I just assumed that my headphones had stopped working.
@parkasat 4 years ago
how do you open it in vlc?
@OnlajnIdentitet 4 years ago
@parkasat * Media/Open Network Stream... (paste KZbin video URL in the Network tab) When video starts to play, go to * Audio/Stereo Mode (select Mono)
@Worscht3000 3 years ago
selinux prevented /bin/rightear from listening good information :) Thanks for the tricks managing basic stuff, will def write that down to my stay lazy notes
@marekbubenik1556 3 years ago
Great presentation! I finally know how to deal with SELinux, haha. Thank you
@hvanmegen 3 years ago
oh, you mean by typing 'echo SELINUX=disabled > /etc/selinux/config ; shutdown -r now' ? 🤣
@abhishekshah11 5 years ago
I finally understand this. Thank you!
@daveeasterly2470 6 years ago
An easier way to find the regular expression you need to change the context on your /foor/bar/ web content directory is to run `man semanage-fcontext` and jump down to the "EXAMPLES." Try `man -k semanage` to find some more related documentation. And to really get your hardcore nerd on, try this : `yum -y install selinux-policy-doc ; mandb ; man -k _selinux` and you'll find docs that explain the relevant contexts and booleans in pages like "httpd_selinux" and "sshd_selinux" and so on.
@ThomasCameron 5 years ago
That's a good idea, I'm totally stealing it. ;-)
@daveeasterly2470 4 years ago
@ThomasCameron Hope Bezos is treating you well, sir! Big loss for RH when you left. You rock.
@loneosama1 5 years ago
This was really good presentation. My friend had explained me a bit on SE linux earlier so this was a good step up from that
@FlorisApon 3 years ago
On Windows 10: Ease of Access > Audio > Turn on mono audio You're welcome
@Rickety3263 3 years ago
Preparing for my comptia linux certification... Watched through beginning to end... now I will be re-creating each of these examples in my lab. This is awesome thank you
@tobyhdr 5 years ago
Awesome presentation, thank you!
@paulwoods4094 3 years ago
Fantastic presentation, learned lot from this, gives me some ideas of how to go about fixing issues with SELinux.
@leknyzma 5 years ago
you clearly know what you are doing. hats down
@nafasm 5 years ago
Thanks Thomas it's really nice presentation
@ThomasCameron 5 years ago
My pleasure, thanks for the kind words.
@ContantContact 2 years ago
Dating yourself via Novell certified? I am an OS/2 and OS/2 Warp certified engineer. That didn't age well, with the predatory MS in town....
@ThomasCameron 11 months ago
We're old, partner.
@hugopfeffer4175 2 years ago
setsebool -P right_side_headphone on
@spaceman117X 3 years ago
After spending couple of hours testing every example from this video, and fixing SEL issues on authorized_keys file, i feel like I get some new superpower. The feeling is PRICELESS!
@ThomasCameron 11 months ago
💙
@OthmanAlikhan 3 years ago
Thanks for the video =)
@densidad13 2 years ago
Just by seeing this I made sense of much of system admin stuff I've been exposed as a linux newcomer over the last year. To be honest it does seem rather easy to have this security layer. I'll try to install it in my system.
@carpetedrestroom5218 2 years ago
my left ear enjoyed that
@iraytrace 2 years ago
This is a great video presentation. Sad I didn't find this 3.5 years ago.
@jacobchmielowiec4470 2 years ago
This is gold.
@JimTTang 3 months ago
Excellent presentation skill! I don't use SELinux in the workplace but I'm confident to say I can handle basic situations by restorecon and semanage. Bravo, very nice presentation!
@stanleyogadachinedu 23 days ago
It's been 6 years now, But I still don't understand SELINUX 😂
@RootsterAnon 8 days ago
This video perfectly summary of what SEL is.
@Tiller1990 a year ago
gold. always fixed selinux bugs with stackoverflow and crossed fingers, not anymore
@tilopanaropamarpa 4 years ago
Painful to listen to however great the content.
@narayanbhat3279 5 years ago
i could only hear my left speaker of mac firing towards me
@cessposter 3 years ago
m e r e m o r t a l s
@michaelplaczek9385 2 years ago
my left ear enjoyed this alot
@arzoo82 5 years ago
My right ear feels rejected.
@kr0w035 2 years ago
My right ear still needs to learn about se linux
@nickprokopets4042 a year ago
Perfect. Thanks.
@takis-t 4 years ago
Thanks a lot. Very helpful! I want selinux into a debian based distro please 😭
@kuhluhOG 4 years ago
they are going for AppArmor instead
@takis-t 4 years ago
@kuhluhOG I know. I have already done a thesis for comparison between them. But blacklisting in apparmor is not as good and as developed as in selinux
@Moodyhammer 5 years ago
Perfect thank you heaps
@MegaBratella 5 years ago
Thank you!
@jhonsantana8400 4 months ago
It was great!
@thangnguyenmanh a year ago
Great presentation
@stevep4209 4 years ago
sometimes i reverse my headphones so the right side of my brain understands SELinux too.
@kj-marslander 3 years ago
use SoundFixer FF extension to switch to mono and fix the sound
@drooplug a year ago
Came across this topic today in Redhat Academy. This presentation was really helpful.
@MrRafu83 a year ago
I have been watching this video so many times that I almost know it by memory, now SELinux is starting to make more sense for me :)
@JeffreyFuCa 3 years ago
Awesome presentation. But it requires more hands on experiences to understand what he is trying to sell.