I really needed this presented just the way you did, this was a really great/clear explanation. The fact that you were able to make this make sense to me of all people, proves you deserve as many gold stars Red Hat can shower down on you.
Preparing for my comptia linux certification... Watched through beginning to end... now I will be re-creating each of these examples in my lab. This is awesome thank you
Just a tips for Windows user out there. Press the windows button and then type "Ease of access audio settings". In the "Turn on mono audio", toggle the button to change it to "On". You're very welcome ;)
What a great presentation!!. It definitely changed my way of looking at SELinux and it will anyone struggling to understand those key concepts. I will share this video with my colleagues. Thanks for sharing.
Technically speaking the audio is RUclips fault. When you submit it mono audio video (logical when you've recorded with only one mic), YT convert it to stereo but only feed one channel. So yeah it's weird I suggest that they develop mono audio support to stream just the original mono audio without converting it. And I suggest for the audio engine of every OS to automatically reproduce the sound of feeded channel to non feeded channel automatically (Like if you use 5.1 on a 7.1 or 2.1 on a 5.1 or whatever, no speakers should be left unused, it's annoying)
After spending couple of hours testing every example from this video, and fixing SEL issues on authorized_keys file, i feel like I get some new superpower. The feeling is PRICELESS!
An easier way to find the regular expression you need to change the context on your /foor/bar/ web content directory is to run `man semanage-fcontext` and jump down to the "EXAMPLES." Try `man -k semanage` to find some more related documentation. And to really get your hardcore nerd on, try this : `yum -y install selinux-policy-doc ; mandb ; man -k _selinux` and you'll find docs that explain the relevant contexts and booleans in pages like "httpd_selinux" and "sshd_selinux" and so on.
@@parkasat * Media/Open Network Stream... (paste RUclips video URL in the Network tab) When video starts to play, go to to * Audio/Stereo Mode (select Mono)
selinux prevented /bin/rightear from listening good information :) Thanks for the tricks managing basic stuff, will def write that down to my stay lazy notes
Excellent presentation skill! I don't use SELinux in the workplace but I'm confident to say I can handle basic situations by restorecon and semanage. Brovo, very nice presentation!
Third-party classes like I've taken for RHEL 5-7 keep selinux obfuscated and overcomplicate the instructions --- I suspect because they don't understand it themselves so they treat it like voodoo. Thank you for breaking it down like this!
Just by seeing this I made sense of much of system admin stuff I've been exposed as a linux newcomer over the last year. To be honest is does seem rather easy to have this security layer. I'll try to install it in my system.
Great presentation, but IMO, having to use "permissive" and policy modules looks like a failure in the concept of SELinux. Having to 'spray and pray' instead of fixing from first principles shows, to me, that the first principles are not very well thought-out.
Generally, SELinux works fine with software which is included with the distro. It's mostly when you start to use non-SELinux aware apps from third parties where it can get in your way. I hope that this helped you in those cases.
Does the SELinux labels do anything in a system that isn't using SELinux? So, if I physically remove the hard disk from a system protected by SELinux and mount it on a system that doesn't use SELinux, will the labels still protect the home folder of the user who chmod 777'd all his files or will I be able to read them because only DAC is active then? The second, right?
SELinux can't protect you when its not in use, if you break out the hdd you can read the data. If you disable selinux it will also not protect you anymore ...
Sorry, I just now saw this. Armitage is just the name of the server I built the examples on. It's a character from the Neruomancer novel by William Gibson.
You want to keep your production environment as thin as possible. You should use those tools in a dev/test environment and replicate the problem there.
I find it funny that corporations are so worried about security but yet will force employees to run Windows as their desktop when that is about the worse thing you can run on your desktop.
I am unclear on something. If you see from the logs that SELinux is blocking something, how do you know you should "fix" that by allowing the access? Maybe the "denied" or "prevented" messages should not be "fixed", because denying is exactly the right thing to do.
I talked about that. Just because something is blocked doesn't mean that it's a problem. You may be doing something wrong. If you know that you're doing something right, I talk about how to make changes via booleans or semanage fcontext. If you're not clear, feel free to ask questions, I'll help out however I can. Cheers!
Looks like he tries to sell me a SELinux. This is my very first meeting with SELinux. If booleans and labels around httpd are part of SELinux itself then its such a clumsy solution that i dont buy it. I think httpd process gets some context marker upon start with systemd unit config and future security checks are based on data context labels. This would make sense. But what are booleans that way then? Somehow hardcoded-ish things specially made for somehow recognized httpd process? I'll read about it later. This is just first thoughts mainly for myself.
if an attacker compromises the web server and able to exploit the OS and gain root privilege. Can SELinux stop the root user from doing malicious activity? This is a chicken and egg problem for me, since root should have access to modify the SELinux policy, but we also wanna stop attacker from modify the SELinux policy even if they get root access. Can this problem be solved at this level? Or we need some hardware to help us?
@@kuhluhOG I know. I have already did a thesis for comparison between them. But blacklisting in apparmror is not as good and as developoed as in selinux
well, if a service (Let's say a webserver) is being run as root and a hacker takes control of that service, without SELinux, your are done with SELinux, he may have "root-access", but not all the privileges because he still runs for example a shell as a child-process of the webserver
I've seen PHP based sites get compromised and PHP files over written. I've tried to simulate such an attack on Fedora. There are separate context types to allow and deny Apache and PHP-FPM from overwriting other code files.
I am trying to learn each element of the regular expression: "(/.*)?" Can someone help me fill in the blanks from the below: () == grouping regex together / == ??? . == equal to any one character * == equal to zero or more of the preceding character (in this case, would the previous character be "."?) ? == equal to zero or one of the preceding character (probably anything represented by (/.*) right?)
After doing a LOT of research... it would just seem that regex interprets the / as literally just a "\/" with no special meaning. So in this case, / would be interpreted as the typical subdirectory syntax.
For anyone not knowing this: If you expect it to be secure bear in mind that SElinus also has e.g. timing attacks purposefully build in by certain groups of interest
Video Timestamp: @24:44 ~~~ NAME="CentOS Stream" VERSION="8" ~~~ It would seem that this file location no longer exists as shown here. /etc/selinux/targeted/m* ## dir does not exist From my research, you can find booleans.local under /var/lib/selinux/targeted/active/ It appears to contain the same information.
SE Linux: Built for NSA requirements. »Um it throws errors and we are lazy, so we turn it off. « Also: Oracle DB, built for NSA requirements. »We have to hire special administrators for that! It's important!« No double standards here, move on.
my right ear still has no idea what SEL is
I had to change my sound device settings to stop this annoyance.
lol
Actually, in the Accessibility settings you can *Turn on mono audio*, but still annoying!
Holy moly I didn't know What the Math guy was into SELinux lol
I found the solution: Watched it all over again with the headphones switched over sides =P
The presentation is fantastic.
But what's with Red Hat refusing to adopt the stereo technology?
Apparently they've dropped support for it in this release even though they supported it before.
It was in stereo. The presenter was only ever on the left side of the video
@@paulwebster9844 You do realize that's not helping us?
@@SirWolf2018 Apologies. My definition of "humour" seems to be lop-sided too.
@@paulwebster9844 Sorry, I wasn't in the right mood to appreciate humor at that time. Please ignore what I said.
Hands down. The best explanation that I have ever heard. Thanks.
The guy's belt ruined it for me.
semi-heard*
This was one of the most helpful presentations. Knowing now that selinux provides errors with solutions is a life changer for me!
I really needed this presented just the way you did, this was a really great/clear explanation. The fact that you were able to make this make sense to me of all people, proves you deserve as many gold stars Red Hat can shower down on you.
Preparing for my comptia linux certification... Watched through beginning to end... now I will be re-creating each of these examples in my lab. This is awesome thank you
Just a tips for Windows user out there. Press the windows button and then type "Ease of access audio settings". In the "Turn on mono audio", toggle the button to change it to "On". You're very welcome ;)
The most informative and complete SE linux talk I've seen. Very good of your time. Good presenter.
What a great presentation!!. It definitely changed my way of looking at SELinux and it will anyone struggling to understand those key concepts. I will share this video with my colleagues. Thanks for sharing.
Technically speaking the audio is RUclips fault. When you submit it mono audio video (logical when you've recorded with only one mic), YT convert it to stereo but only feed one channel. So yeah it's weird
I suggest that they develop mono audio support to stream just the original mono audio without converting it. And I suggest for the audio engine of every OS to automatically reproduce the sound of feeded channel to non feeded channel automatically (Like if you use 5.1 on a 7.1 or 2.1 on a 5.1 or whatever, no speakers should be left unused, it's annoying)
Saved my butt. Followed along, CLI examples so helpful. No SELinux disables here!
Best SElinux presentation i have ever seen. THANK YOU!
After spending couple of hours testing every example from this video, and fixing SEL issues on authorized_keys file, i feel like I get some new superpower. The feeling is PRICELESS!
💙
All you really need to understand SE Linux - This was very helpful thank you 🙏
An easier way to find the regular expression you need to change the context on your /foor/bar/ web content directory is to run `man semanage-fcontext` and jump down to the "EXAMPLES."
Try `man -k semanage` to find some more related documentation.
And to really get your hardcore nerd on, try this : `yum -y install selinux-policy-doc ; mandb ; man -k _selinux` and you'll find docs that explain the relevant contexts and booleans in pages like "httpd_selinux" and "sshd_selinux" and so on.
That's a good idea, I'm totally stealing it. ;-)
@@ThomasCameron Hope Bezos is treating you well, sir! Big loss for RH when you left. You rock.
There is something wrong with audio in the recording, I hear only left-ear channel (had to open it in VLC).
Oh my gosh, Thank you! That fixed the problem for me.
thanks!!!! switching to mono fixed it
I just assumed that my headphones had stopped working.
how do you open it in vlc?
@@parkasat
* Media/Open Network Stream... (paste RUclips video URL in the Network tab)
When video starts to play, go to to
* Audio/Stereo Mode (select Mono)
I finally understand this. Thank you!
this video moved me to SELinux guru. I had no clue what SELinux no matter how much I read
Concise, clear and very very useful! I used what I learned here to clear up a problem that I'd been trying to solve for weeks.
selinux prevented /bin/rightear from listening good information :)
Thanks for the tricks managing basic stuff, will def write that down to my stay lazy notes
Great presentation! I finally know how to deal with SELinux, haha. Thank you
oh, you mean by typing 'echo SELINUX=disabled > /etc/selinux/config ; shutdown -r now' ? 🤣
Excellent presentation skill! I don't use SELinux in the workplace but I'm confident to say I can handle basic situations by restorecon and semanage.
Brovo, very nice presentation!
This was really good presentation. My friend had explained me a bit on SE linux earlier so this was a good step up from that
Third-party classes like I've taken for RHEL 5-7 keep selinux obfuscated and overcomplicate the instructions --- I suspect because they don't understand it themselves so they treat it like voodoo. Thank you for breaking it down like this!
You're very welcome.
This is a great video presentation. Sad I didn't find this 3.5 years ago.
REDHAT DOCS AND SUMMIT SPEAKERS ARE AWESOME.
Thank you for the breakdown of SE Linux. Very super helpful.
Thank you. Your experience shows in the way you have explained difficult subject in such an easy manner.
you clearly know what you are doing. hats down
Fantastic presentation, learned lot from this, gives me some ideas of how to go about fixing issues with SELinux.
This is awesome - watched this and fixed a problem that had been bugging me for days :)
I have been watching this video so many times that I almost know it by memory, now SELinux is starting to make more sense for me :)
Came across this topic today in Redhat Academy. This presentation was really helpful.
This video perfectly summary of what SEL is.
Just by seeing this I made sense of much of system admin stuff I've been exposed as a linux newcomer over the last year. To be honest is does seem rather easy to have this security layer. I'll try to install it in my system.
Awesome presentation, thank you!
Fantastic explanation. This is a top tier presentation on one of the harder things to learn about linux admin work.
This is so fantastic talk! Made many great notes.
Long tutorial, but very usful to me. Thumb up.
Perfect!!! Thanks for such an easy-to-understand approach!!!
Very interesting and constructive presentation.
You made it so easy. Thanks
Very helpful and demystifying!
Thomas Cameron is fabulous.
A very helpful and eye-opening presentation.
You just made my day, kind internet stranger. Thank you. 🙂
My left ear really enjoyed the lecture... Really good explanation!
Thanks Thomas it's really nice presentation
My pleasure, thanks for the kind words.
Great presentation, but IMO, having to use "permissive" and policy modules looks like a failure in the concept of SELinux. Having to 'spray and pray' instead of fixing from first principles shows, to me, that the first principles are not very well thought-out.
Generally, SELinux works fine with software which is included with the distro. It's mostly when you start to use non-SELinux aware apps from third parties where it can get in your way. I hope that this helped you in those cases.
Do we have updated presentation for RHEL8 / 9?
On Windows 10: Ease of Access > Audio > Turn on mono audio
You're welcome
Great talk, thank you!!
Does the SELinux labels do anything in a system that isn't using SELinux? So, if I physically remove the hard disk from a system protected by SELinux and mount it on a system that doesn't use SELinux, will the labels still protect the home folder of the user who chmod 777'd all his files or will I be able to read them because only DAC is active then? The second, right?
SELinux can't protect you when its not in use, if you break out the hdd you can read the data. If you disable selinux it will also not protect you anymore ...
Thanks for the video =)
my left ear enjoyed this alot
I am a lefty and naturally have more control and strength on left. But today my right side has the power of configuring selinux and left is lagging!!
gold. always fixed selinux bugs with stackoverflow and crossed fingers, not anymore
I would love this talk to instead be a written article.
Can we have that please?
Dating yourself via Novell certified?
I am an OS/2 and OS/2 Warp certified engineer.
That didn't age well, with the predatory MS in town....
We're old, partner.
use SoundFixer FF extension to switch to mono and fix the sound
This is gold.
Great video!
was a great presentation, thank you very much
nice presentation, Tomas Cameron but why do you use armitage?
to track down logs from mailserver? at which point, can anyone clear this out?
ty
Sorry, I just now saw this. Armitage is just the name of the server I built the examples on. It's a character from the Neruomancer novel by William Gibson.
19:00 : Is installing setroubleshoot and setroubleshoot-server not recommended in production environments? If so why?
You want to keep your production environment as thin as possible. You should use those tools in a dev/test environment and replicate the problem there.
I find it funny that corporations are so worried about security but yet will force employees to run Windows as their desktop when that is about the worse thing you can run on your desktop.
I am unclear on something. If you see from the logs that SELinux is blocking something, how do you know you should "fix" that by allowing the access? Maybe the "denied" or
"prevented" messages should not be "fixed", because denying is exactly the right thing to do.
I talked about that. Just because something is blocked doesn't mean that it's a problem. You may be doing something wrong. If you know that you're doing something right, I talk about how to make changes via booleans or semanage fcontext. If you're not clear, feel free to ask questions, I'll help out however I can. Cheers!
@@ThomasCameron Thank you for this reply. For what it is worth, I rarely know that I am doing something right. :)
I need you to explain all of RHEL
Looks like he tries to sell me a SELinux. This is my very first meeting with SELinux. If booleans and labels around httpd are part of SELinux itself then its such a clumsy solution that i dont buy it. I think httpd process gets some context marker upon start with systemd unit config and future security checks are based on data context labels. This would make sense. But what are booleans that way then? Somehow hardcoded-ish things specially made for somehow recognized httpd process? I'll read about it later. This is just first thoughts mainly for myself.
Does anyone know if SELinux can cause connectivity issue for F5 health check for Apache servers
if an attacker compromises the web server and able to exploit the OS and gain root privilege. Can SELinux stop the root user from doing malicious activity? This is a chicken and egg problem for me, since root should have access to modify the SELinux policy, but we also wanna stop attacker from modify the SELinux policy even if they get root access. Can this problem be solved at this level? Or we need some hardware to help us?
www.coker.com.au/selinux/play.html Here's a server with root UID=0 but have restricted access, how can this happen?
The Web server shouldn't run as root, but as a limited user
Thanks a lot. Very helpful!
I want selinux into a debian based distro please 😭
they are going for AppArmor instead
@@kuhluhOG I know. I have already did a thesis for comparison between them. But blacklisting in apparmror is not as good and as developoed as in selinux
if a system is compromised and the attacker has root access then selinux is useless. How does selinux prevent attack?
well, if a service (Let's say a webserver) is being run as root and a hacker takes control of that service, without SELinux, your are done
with SELinux, he may have "root-access", but not all the privileges because he still runs for example a shell as a child-process of the webserver
what will attacker do with root access? connect somewhere and run shell? selinux will deny it
I've seen PHP based sites get compromised and PHP files over written. I've tried to simulate such an attack on Fedora. There are separate context types to allow and deny Apache and PHP-FPM from overwriting other code files.
Anybody has an idea where can I find those slides?
My right ear still needs to learn about se linux
I wanna know why people still can read the /etc/passwd when they find rce
Great presentation
I am trying to learn each element of the regular expression: "(/.*)?"
Can someone help me fill in the blanks from the below:
() == grouping regex together
/ == ???
. == equal to any one character
* == equal to zero or more of the preceding character (in this case, would the previous character be "."?)
? == equal to zero or one of the preceding character (probably anything represented by (/.*) right?)
After doing a LOT of research... it would just seem that regex interprets the / as literally just a "\/" with no special meaning.
So in this case, / would be interpreted as the typical subdirectory syntax.
sometimes i reverse my headphones so the right side of my brain understands SELinux too.
Does ubuntu 20.04 use seclinux stuff?
my left ear enjoyed that
Perfect. Thanks.
For anyone not knowing this: If you expect it to be secure bear in mind that SElinus also has e.g. timing attacks purposefully build in by certain groups of interest
Can't seem to find the presentation file for this anymore, anyone have a link to get it?
videos.cdn.redhat.com/summit2015/presentations/13893_security-enhanced-linux-for-mere-mortals.pdf
Video Timestamp: @24:44
~~~
NAME="CentOS Stream"
VERSION="8"
~~~
It would seem that this file location no longer exists as shown here.
/etc/selinux/targeted/m*
## dir does not exist
From my research, you can find booleans.local under /var/lib/selinux/targeted/active/
It appears to contain the same information.
🔥🔥🔥
setsebool -P right_side_headphone on
Perfect thank you heaps
SELinux ... Unecessary performance overhead on desktop usage?
I heavily doubt it, even on obsolete machines.
The only performance hit is in the milliseconds it takes to load the policy. The impact is negligible.
The presentation is awesome but my right ear channel is corrupted.
SE Linux: Built for NSA requirements. »Um it throws errors and we are lazy, so we turn it off. «
Also: Oracle DB, built for NSA requirements. »We have to hire special administrators for that! It's important!«
No double standards here, move on.
Awesome presentation. But it requires more hands on experiences to understand what he is trying to sell.
Please improve sound recording, please
very helpful
Fantastic :)
i could only hear my lelt speaker of mac firing towards me
Awesome!
My right ear feels rejected.
Рахмет!
m e r e m o r t a l s
Fantastic.
The fact that you need a 43 minute lecture on how to "not turn it off" is why everyone turns it off.