Protect your server with SELinux on SUSE Linux Enterprise Server 11 SP Sander van Vugt
|
|
- Leona Briggs
- 6 years ago
- Views:
Transcription
1 Protect your server with SELinux on SUSE Linux Enterprise Server 11 SP Sander van Vugt Instructor, Consultant and Author Sandervanvugt.nl
2 About Sander van Vugt Trainer, consultant and author Doing much work on SUSE Linux Enterprise as well as the other distribution (and started to appreciate SELinux on that distribution) org nl} 2
3 Why would you need kernel level security anyway? Some things cannot be handled with permissions and firewalls alone... Just updating your server doesn't protect against badly written scripts or zero-day exploits Restricting on permissions isn't always feasible (you don't want to take away other permissions on /tmp for instance) Firewall protection is also limited 3
4 What are your options for kernel level security? SELinux or AppArmor AppArmor is the current default in SLES 11 Large market demand for SELinux More vivid community for SELinux SELinux is more thorough, but more complex as well Solutions building their own lists of syscalls to be blocked 4
5 SELinux Status in SUSE Linux Enterprise Server 11 SP 3 Complete Support for the stack Consult your SUSE support engineer to find out about policy support Binary support still developing What it comes down to: install the refpolicy, find out that it doesn't do what you need it to do and walk the long road of having it do what you need it to do This session helps you taking the first steps 5
6 SELinux in SLES12 AppArmor will still be the default solution Many customers are using AppArmor and want to keep using it SELinux will be fully supported as well and a small MLS policy will be provided to protect specific parts of a system Developing an all-including policy is on the roadmap 6
7 Overview
8 What is SELinux All syscalls are are denied by default, unless specifically enabled All objects (files, ports, processes etc.) are provided with a security label (the context) User, role and type part in the context Type part is the most important The SELinux policy contains rules where you can see which source context has access to which target context 8
9 SELinux Components The Policy is the key component It defines the security contexts for type enforcements That means: if you use ls -Z on a directory, you'll find a context user, role and type and the policy knows how to handle that. It all comes down to a line like the following that is defined in the policy: allow user_t bin_t : file {read execute getattr}; This states that user_t (the source) has allow to bin_t (the target) on the object class file with the permissions read execute and getattr The SELinux Policy has tens of thousands of rules Which makes it extremely complex 9
10 Refpolicy: mother of all policies The refpolicy is a generic fully functional policy managed as a free software project Application developers provide code for the Refpolicy, where after peer review it can be included Refpolicy is a common base for distributions that only need to make modifications to it Because of differences that in some cases are huge, making these changes can be hard 10
11 Using Policy Features MLS is multi level security, every object gets a security clearance label MCS (Multi Category Security) is MLS but less detailed Targeted is the normal policy without MLS Support of features is indicted by policy version, current is 28. Compile policy to support different options How to handle unknown permissions? Do or don't support unconfined domains? 11
12 Compiling the Policy Monolithic: One huge policy Don't use it anymore! Modular: Different rules are groups in modules, which makes it more readable and less complicated to manage 12
13 Managing SELinux
14 Managing SELinux means applying context You can find the context you need on default objects From the _selinux man page (if available) Using semanage fcontext -l From the policy itself (may be hard) 14
15 Managing SELinux Setting the Appropriate Contexts Use semanage fcontext -l to find available contexts Use semanage fcontext -a -t your_content_t /web(/.*)? Use restorecon -R -v / to relabel Setting Booleans Use semanage boolean -l to get an overview of available Booleans Use getsebool -a for an overview Use setsebool -P your_boolean on to switch on a boolean 15
16 Understanding SELinux Modes Set mode while booting Enforcing: Active and Armored Permissive: Active, but only logging Use this while setting up your system! Log messages are in /var/log/audit/audit.log Disabled Are there good reasons to switch to disabled? 16
17 Applications and SELinux Most applications are not SELinux aware Some applications are and they make active SELinux calls These applications behave differently than expected on a system where SELinux code is active Check your application with ldd Most applications on SUSE are not native SELinux 17
18 Configuring SELinux on SLES
19 Installing SELinux on SUSE Linux Enterprise Server Install all SELinux Packages Use YaST for easy selection Install a Policy Install the refpolicy source file from OpenSUSE.org Enable GRUB Boot Options and reboot security=selinux selinux=1 enforcing=0 Compile the policy and reboot 19
20 Compiling the Policy Extract the tarball to /etc/selinux/refpolicy Edit /etc/selinux/refpolicy/build.conf DISTRO = suse UNK_PERMS = allow DIRECT_INITRC = y MONOLITHIC = n Leave other params to their default Run make load from /etc/selinux/refpolicy Reboot Fix a small bug and run make relabel for file system labelling semanage fcontext -a -e /dev /lib/udev/devices restorecon -Rv / 20
21 At This Point: Verify the Installation Use sestatus -v Shows current mode and process / file contexts Use semanage boolean -l Lists all boolean switches to change policy settings and at the same time verifies access to the policy Use semanage fcontext -l Lists all file contexts and verifies policy access 21
22 Tuning Policy Modules
23 About Policy Modules Policy modules provide the base chunks of SELinux functionality semodule -l Shut off all rules for a part of the system by unloading the corresponding policy (not very useful) semodule -d Or compile a new module that allows all you need to accomplish: use audit2allow 23
24 Modifying Policies manually Input files are in /etc/selinux/refpolicy/policy/modules/services *.te files contain everything a module needs to have *.if files define how other policy modules get access to this policy *.fc files contain the labeling instructions After modifying the input files, run make && make install && make load to activate them 24
25 Using Audit2allow Audit2allow helps analyzing the log messages in /var/log/audit/audit.log audit2allow -w -a presents the audit information in a more readable way audit2allow -a shows the type enforcement rule that allows the denied access audit2allow -a -M blah creates a te file and a compiled pp file that will allow the denied access After creating the new module, use semodule -i modulename.pp to execute it Be careful when using audit2allow 25
26 Disabling SELinux for a single service semanage permissive -a somelabel_t Get an overview of current permissive domains using semanage permissive -l Not supported on all environments 26
27 More information Refpolicy project: Dan Walsh blog: Sven Vermeulen, SELinux System Administration (ISBN ) 27
28 Questions? Thank you. 28
29 Corporate Headquarters Maxfeldstrasse Nuremberg Germany (Worldwide) Join us on: 29
30 Unpublished Work of SUSE. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
Best practices with SUSE Linux Enterprise Server Starter System and extentions Ihno Krumreich
Best practices with SUSE Linux Enterprise Server Starter System and extentions Ihno Krumreich Project Manager for Linux on System z Ihno@SUSE.de SHARE Atlanta 2012 Session 10728 Reasoning Requirements
More informationUsing Linux Containers as a Virtualization Option
Using Linux Containers as a Virtualization Option Michal Svec Product Manager msvec@suse.com Mike Friesenegger Sales Engineer mfriesenegger@suse.com 2 Containers Linux Containers Virtualization OS Level
More informationHow To Make Databases on SUSE Linux Enterprise Server Highly Available Mike Friesenegger
How To Make Databases on SUSE Linux Enterprise Server Highly Available Mike Friesenegger SUSE Sales Engineer mikef@suse.com Agenda Clarify the term "Availability" What is High Availability Minimize a Database
More informationSUSE Linux Enterprise Kernel Back to the Future
SUSE Enterprise Kernel Back to the Future Olaf Kirch Director Server Engineering okir@suse.com Agenda SUSE Enterprise Service Packs What makes a SUSE Enterprise kernel an enterprise kernel? Bringing you
More informationManaging Linux Servers Comparing SUSE Manager and ZENworks Configuration Management
Managing Linux Servers Comparing SUSE Manager and ZENworks Configuration Management Product Support As of September 30,2012, Novell no longer offers general support and will only provide limited updates
More informationSUSE OpenStack Cloud. Enabling your SoftwareDefined Data Center. SUSE Expert Days. Nyers Gábor Trainer &
SUSE OpenStack Cloud Enabling your SoftwareDefined Data Center SUSE Expert Days Nyers Gábor Trainer & Consultant @Trebut gnyers@trebut.com The Journey to the SDDC Physical to Virtual to Cloud One application
More informationLinux and z Systems in the Datacenter Berthold Gunreben
Linux and z Systems in the Datacenter Berthold Gunreben Build Service Engineer SUSE Linux Available Architectures for SUSE Linux Enterprise Server X86, z Systems, Power Common Source Code for all architectures
More informationEssentials. Johannes Meixner. about Disaster Recovery (abbreviated DR) with Relax-and-Recover (abbreviated ReaR)
Essentials about Disaster Recovery (abbreviated DR) with Relax-and-Recover (abbreviated ReaR) Johannes Meixner Why DR with ReaR matters Relax-and-Recover is currently used in particular
More informationProvisioning with SUSE Enterprise Storage. Nyers Gábor Trainer &
Provisioning with SUSE Enterprise Storage Nyers Gábor Trainer & Consultant @Trebut gnyers@trebut.com Managing storage growth and costs of the software-defined datacenter PRESENT Easily scale and manage
More informationOpen Enterprise & Open Community
Open Enterprise & Open Community Working Together Richard Brown opensuse Chairman SUSE Linux GmbH Andrew Wafaa Principal Engineer, Open Source ARM Ltd Stephan Kulow opensuse Release Manager SUSE Linux
More informationNovell SLES 10/Xen. Roadmap Presentation. Clyde R. Griffin Manager, Xen Virtualization Novell, Inc. cgriffin at novell.com.
Novell SLES 10/Xen Roadmap Presentation Clyde R. Griffin Manager, Xen Virtualization Novell, Inc. cgriffin at novell.com September 8, 2006 SUSE Linux Enterprise Server 10 SLES 10 w/xen 3.0.2 is now available
More informationSaltStack and SUSE Systems and Configuration Management that Scales and is Easy to Extend
SaltStack and SUSE Systems and Configuration Management that Scales and is Easy to Extend Joachim Werner Senior Product Manager SUSE Linux GmbH Bogdan Maryniuk Software Engineer SUSE Linux GmbH joe@suse.com
More informationBuild with SUSE Studio, Deploy with SUSE Linux Enterprise Point of Service and Manage with SUSE Manager Case Study
Build with SUSE Studio, Deploy with SUSE Linux Enterprise Point of Service and Manage with SUSE Manager Case Study Vladimir Botka Joachim Plack Anthony Tortola Product Manager vbotka@suse.com Senior Project
More informationSUSE Manager Roadmap OS Lifecycle Management from the Datacenter to the Cloud
SUSE Manager Roadmap OS Lifecycle Management from the Datacenter to the Cloud Joachim Werner Senior Product Manager joe@suse.com Jeff Lindholm Sales Engineer Jlindholm@suse.com SUSE and Linux Workloads
More informationLinux High Availability on IBM z Systems
Linux High Availability on IBM z Systems An Overview Kristoffer Gronlund Berthold Gunreben High Availability Engineer SUSE Build Service Engineer SUSE Outline 2 Highly Available Hardware Introduction to
More informationSUSE Linux Enterprise High Availability Extension
A Xen Cluster Success Story Using the SUSE Linux Enterprise High Availability Extension Mark Robinson Director, MrLinux mark@mrlinux.co.uk Case Study: R M Donaldson APC High Power Partner My first commercial
More informationDocker Networking In OpenStack What you need to know now. Fawad Khaliq
Docker Networking In OpenStack What you need to know now Fawad Khaliq About Me OpenStack Community Member Developer in Neutron Maintainer of PLUMgrid Neutron Plugin (networking-plumgrid) How to contact
More informationSICOOB. The Second Largest Linux on IBM System z Implementation in the World. Thiago Sobral. Claudio Kitayama
SICOOB The Second Largest Linux on IBM System z Implementation in the World Claudio Kitayama Thiago Sobral IT Infrastructure Analyst Sicoob claudio.kitayama@sicoob.com.br Sales Engineer tsobral@suse.com
More informationSUSE Manager in Large Scale 17220
SUSE Manager in Large Scale 17220 Don Vosburg Alejandro Bonilla Sales Engineer dvosburg@suse.com Sales Engineer abonilla@suse.com Geeko comes to SHARE Agenda What is SUSE Manager? What can I do with it
More informationIntroduction to Software Defined Infrastructure SUSE Linux Enterprise 15
Introduction to Software Defined Infrastructure SUSE Linux Enterprise 15 Matthias G. Eckermann Director Product Management SUSE Linux Enterprise Helsinki, 2018-03-08 SUSE Software-defined Infrastructure
More informationSUSE An introduction...
Virtualization @ SUSE An introduction... Mike Latimer Sr. Engineering Manager SUSE mlatimer@suse.com Agenda Who is SUSE? Introduction to Virtualization Types of Hypervisors Xen KVM libvirt Virtualization
More informationCloud in a box. Fully automated installation of SUSE Openstack Cloud 5 on Dell VRTX. Lars Everbrand. Software Developer
Cloud in a box Fully automated installation of SUSE Openstack Cloud 5 on Dell VRTX Lars Everbrand Software Developer lars.everbrand@ericsson.com 2 From 3 To Introduction Disclaimer All views expressed
More informationFrom GIT to a custom OS image in a few click OS image made easy
From GIT to a custom OS image in a few click OS image made easy Frédéric Crozat Senior Software Engineer SUSE fcrozat@suse.com Goals Create ISO live image to ease testing Automate image creation as much
More informationSUSE Manager and Salt
SUSE Manager and Salt The Three Cs of the IT Transformation Challenge Transform your approach to infrastructure to enable the business to capitalize on new innovations of data Cost Complexity Compliance
More informationDefine Your Future with SUSE
Define Your Future with SUSE SUSE Linux Enterprise and more Bo Jin Sales Engineer bo.jin@suse.com SUSE auf einen Blick 25+ +8% Jahre Erfahrung in der Open-SourceEntwicklung SUSE-Wachstum vgl. mit anderen
More informationWelcome to SUSE Expert Days 2017 Service Delivery with DevOps
Welcome to SUSE Expert Days 2017 Service Delivery with DevOps Changing Application Service Delivery with DevOps 2 Key Components for DevOps Success Good habits and people Development done now Automate
More informationSaving Real Storage with xip2fs and DCSS. Ihno Krumreich Project Manager for SLES on System z
Saving Real Storage with xip2fs and DCSS Ihno Krumreich Project Manager for SLES on System z ihno@suse.de Agenda Overview DCSS What is DCSS? xip2fs What is xip2fs? DCSS How to create? Maintenance Problems
More informationBOV89296 SUSE Best Practices Sharing Expertise, Experience and Knowledge. Christoph Wickert Technical Writer SUSE /
BOV89296 SUSE Best Practices Sharing Expertise, Experience and Knowledge Christoph Wickert Technical Writer SUSE / cwickert@suse.com AGENDA The SUSE Documentation Team SUSE Best Practices Open Source Tools
More informationExploring History with Hawk
Exploring History with Hawk An Introduction to Cluster Forensics Kristoffer Grönlund High Availability Software Developer kgronlund@suse.com This tutorial High Availability in 5 minutes Introduction to
More informationA Carrier-Grade Cloud Phone System
A Carrier-Grade Cloud Phone System Based on SUSE Linux Enterprise Server & High Availability Extension Brett Buckingham Managing Director, silhouette R&D Broadview Networks bbuckingham@broadviewnet.com
More informationBuilding a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.
Building a Secure and Compliant Cloud Infrastructure Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc. Why Are We Here? Expanded Enterprise Data access anywhere, anytime
More informationExpert Days SUSE Enterprise Storage
Expert Days 2018 SUSE Enterprise Storage SUSE Enterprise Storage An intelligent software-defined storage solution, powered by Ceph technology, that enables IT to transform their enterprise storage infrastructure
More informationExploring the High Availability Storage Infrastructure. Tutorial 323 Brainshare Jo De Baer Technology Specialist Novell -
Exploring the High Availability Storage Infrastructure. Tutorial 323 Brainshare 2007 Jo De Baer Technology Specialist Novell - jdebaer@novell.com Agenda The High Availability Storage Infrastructure very
More informationSecure Authentication
Secure Authentication Two Factor Authentication LDAP Based SSH Keys Mark Gardner UMB Financial Corporation Noor Kreadly Federal Reserve Bank of Kansas City Prerequisites 2 Software Used edirectory 9.0
More informationNovell Infiniband and XEN
Novell Infiniband and XEN XEN-IB project status Patrick Mullaney November 22, 2006 Infiniband and XEN Background Client requirements: > Guest OS access to Infiniband fabric > Initial approach:» L3 based
More informationSELinux Updates. Thorsten Scherf Senior Consultant. Red Hat Global Professional Services Berlin / Germany
SELinux Updates Thorsten Scherf Senior Consultant Red Hat Global Professional Services 01.12.2011 Berlin / Germany Agenda SELinux review What happened to strict policy Policy customization and development
More informationSDS Heterogeneous OS Access. Technical Strategist
SDS Heterogeneous OS Access Alejandro Bonilla Technical Strategist abonilla@suse.com Agenda Introduction to Ceph Architecture RADOS Block Device (RBD) iscsi overview Exposing Ceph RBDs via iscsi 2 LIO
More informationSaving Your Bacon Recovering From Common Linux Startup Failures
Saving Your Bacon Recovering From Common Linux Startup Failures Mark Post Novell, Inc. Friday, August 12, 2011 Session Number 10105 Agenda How the boot process is supposed to work What things can go wrong
More informationSamba HA Cluster on SLES 9
Samba HA Cluster on SLES 9 High Availability with Samba 3 on Linux Rolf Schmidt Support Engineer Novell, Inc. Rolf.Schmidt@novell.com May 29, 2006 Agenda Introduction Samba Setup Definitions High Availability
More informationUsing Crowbar to Deploy Your OpenStack Cloud. Adam Spiers Vincent Untz John H Terpstra
Using Crowbar to Deploy Your OpenStack Cloud Adam Spiers Vincent Untz John H Terpstra Clouds don t come with an auto-pilot 2 IT Problem: Scale Explosion Mainframe 1980 3 Client / Server 1990 Datacenter
More informationThe opensuse project. Motivation, Goals, and Opportunities. Sonja Krause-Harder Michael Löffler. March 6, 2006
The opensuse project Motivation, Goals, and Opportunities Sonja Krause-Harder Michael Löffler March 6, 2006 What is opensuse / SUSE Linux? opensuse is a community project (not a distribution) wiki, mailinglist,
More informationDevOps with SUSE: How SUSE Manager, SUSE Studio and SUSE Cloud APIs Facilitate Continuous Software Delivery. Wolfgang Engel.
DevOps with SUSE: How SUSE Manager, SUSE Studio and SUSE Cloud APIs Facilitate Continuous Software Delivery Joachim Werner Wolfgang Engel Senior Product Manager SUSE/joe@suse.com Engineer SUSE/wengel@suse.com
More informationSELinux. Thorsten Scherf. Red Hat EMEA. October 2015
SELinux Thorsten Scherf Red Hat EMEA October 2015 What is wrong with UNIX security? Programs have full control over the access given to files they create (Discretionary Access Control DAC) Therefore no
More informationUnleash the Power of Ceph Across the Data Center
Unleash the Power of Ceph Across the Data Center TUT18972: FC/iSCSI for Ceph Ettore Simone Alchemy LAB ettore.simone@alchemy.solutions Agenda Introduction The Bridge The Architecture Benchmarks A Light
More informationBefore We Start... 1
1 Before We Start... Isn't One Type of Car Enough? Functionality Efficiency Performance Emotions Reliability? MgE Functionality Efficiency Performance Emotions C. Nocke 2 Isn't One Type of filesystem Enough?
More informationToo Many Metas A high level look at building a metadata desktop. Joe Shaw
Too Many Metas A high level look at building a metadata desktop Joe Shaw joe@ximian.com Overview About me Dashboard Beagle desktop search Metadata solution -- what's the problem? A few statements (facts?)
More informationSELinux For Mere Mortals
SELinux For Mere Mortals (Or, Don't Turn It Off ) Dan Walsh Principal Software Engineer, Red Hat Thomas Cameron, RHCA Managing Solutions Architect, Red Hat June 23rd, 2010 Agenda About Us What is SELinux?
More informationGaps and Overlaps in Identity Management Solutions OASIS Pre-conference Workshop, EIC 2009
Gaps and Overlaps in Identity Management Solutions OASIS Pre-conference Workshop, EIC 2009 Dale Olds Novell Distinguished Engineer dolds@novell.com Overview 2 Problems with identity management today It's
More informationopenqa making QA interesting since 2013 Ondrej Holecek /aaannz/
openqa making QA interesting since 2013 Ondrej Holecek /aaannz/ oholecek@suse.com opensuse storytime opensuse walking packaging stuff build check release time? manual QA 3 release/ milestone opensuse Leap-ing
More informationSELINUX SUPPORT IN HFI1 AND PSM2
14th ANNUAL WORKSHOP 2018 SELINUX SUPPORT IN HFI1 AND PSM2 Dennis Dalessandro, Network SW Engineer Intel Corp 4/2/2018 NOTICES AND DISCLAIMERS INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH
More informationSELinux Introduction. Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com
SELinux Introduction Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com Overview 1. Who am I? 2. What is SELinux? 3. DAC vs MAC 4. Type Enforcement 5. Labels 6. Sometimes SELinux denies badness
More informationSUSE Linux Enterprise 11
SUSE Linux Enterprise 11 Singapore OSS Community Launch 22 nd April 2009 Kam, Han Wen ( 甘汉文 ) Senior Technology Specialist Global Strategic Partners (Asia Pacific) Why Choose SUSE Linux Enterprise Server
More informationScaling a Highly Available Global SUSE Manager Deployment at Rackspace to Manage Multiple Linux Platforms
Scaling a Highly Available Global SUSE Manager Deployment at Rackspace to Manage Multiple Linux Platforms Aaron Conklin Jeff Price Product Manager Rackspace Principle Architect SUSE First-level bullet
More informationDemystifying SELinux:
Demystifying SELinux: What is it trying to tell me? David Quigley dpquigl@davequigley.com 1 What is Access Control? A system for restricting who or what is allowed to access specific resources and how
More informationHands-on with Native Linux Containers (LXC) Workbook
Hands-on with Native Linux Containers (LXC) Workbook Course ATT1801.0.0 Lab Manual September 6, 2012 Proprietary Statement Copyright 2012 Novell, Inc. All rights reserved. Novell, Inc., has intellectual
More information96Boards Enablement for opensuse
96Boards Enablement for opensuse Progress Report and Remaining Issues Andreas Färber Expert Virtualization andreas.faerber@suse.com The Presenter and ARM Background in virtualization software (QEMU) Involved
More informationVSP16. Venafi Security Professional 16 Course 04 April 2016
VSP16 Venafi Security Professional 16 Course 04 April 2016 VSP16 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for: Enterprise Security Officers
More informationSoftware Defined. All The Way with OpenStack. T. R. Bosworth Senior Product Manager SUSE OpenStack Cloud
Software Defined All The Way with OpenStack T. R. Bosworth Senior Product Manager SUSE OpenStack Cloud Mark Darnell Senior Product Manager SUSE OpenStack Cloud Why Bother with Software Defined Infrastructure?
More informationSELinux Policy Development. Jason Zaman FOSSASIA 2018 March 24 blog.perfinion.com
SELinux Policy Development Jason Zaman FOSSASIA 2018 March 24 blog.perfinion.com Overview 1. Whoami 2. What is SELinux? 3. Parts of an SELinux Policy 4. Policy Modules 5. Reference Policy a. Perms b. Patterns
More information10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 4 Introduction to SELinux
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 4 Introduction to SELinux Roadmap Why SELinux? Overview
More informationKnow your competition A review of qemu and KVM for System z
Know your competition A review of qemu and KVM for System z Mark Post SUSE Tuesday, August 5, 2014 Session 15693 Insert Custom Session QR if Desired. Agenda What is qemu and KVM High-level architecture
More informationAccess Control. SELinux. Mestrado Integrado em Engenharia Informática e Computação. Computer Systems Security
Access Control SELinux Mestrado Integrado em Engenharia Informática e Computação Computer Systems Security João Carlos Eusébio Almeida - up201306301 João Gabriel Marques Costa - up201304197 May 17, 2017
More informationSUSE. High Performance Computing. Kai Dupke. Meike Chabowski. Senior Product Manager SUSE Linux Enterprise
SUSE High Performance Computing Kai Dupke Meike Chabowski Senior Product Manager SUSE Linux Enterprise kdupke@suse.com Senior Product Marketing Manager SUSE Linux Enterprise Meike.Chabowski@suse.com Distribution:
More informationopenqa features capabilities bugs Ondrej Holecek /aaannz/
openqa features capabilities bugs Ondrej Holecek /aaannz/ oholecek@suse.com What makes openqa User focused 3 Watching the screen User focused 4 Watching the screen Keyboard and mouse input User focused
More informationFun with SELinux. Writing SELinux Policy Permissive Domains Real bugs. Miroslav Grepl Presented by
Fun with SELinux Writing SELinux Policy Permissive Domains Real bugs Presented by Miroslav Grepl mgrepl@redhat.com Today's Topics 1. Show process of writing a policy - understanding basics of SELinux ==
More informationIO110: Open Enterprise Server 2. Hardware you can hit with a hammer, software you can only curse at...
IO110: Open Enterprise Server 2 Hardware you can hit with a hammer, software you can only curse at... Agenda OES2 in 2008 What's in it and when to expect it Timeline New features Enhancements Lessons learned
More informationopenqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager
openqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager mawerner@suse.com Testing is HARD - Everyone who has built any software, ever. Upstreams Upstream projects are moving
More informationPackaging made easy. How the opensuse build service makes building packages easy for developers who don't care about packaging
Packaging made easy How the opensuse build service makes building packages easy for developers who don't care about packaging Cornelius Schumacher Motivation Packaging: Creating installable
More informationSELinux Workshop Redux. Jamie Duncan, Senior Technical Account Manager RVaLUG - 18 April 2014
SELinux Workshop Redux Jamie Duncan, Senior Technical Account Manager RVaLUG - 18 April 2014 Red Hat and SELinux Red Hat leads the way in SELinux development. John Dennis, Ulrich Drepper, Steve Grubb,
More informationSecurity Enhanced Linux. Thanks to David Quigley
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4
More informationVirtualization at Scale in SUSE Linux Enterprise Server
Virtualization at Scale in SUSE Linux Enterprise Server Jim Fehlig Software Engineer jfehlig@suse.com Agenda General guidelines Network guidelines Disk guidelines CPU and memory guidelines NUMA guidelines
More informationTroubleshooting Your SUSE TUT6113. Cloud. Paul Thompson SUSE Technical Consultant. Dirk Müller SUSE OpenStack Engineer
Troubleshooting Your SUSE TUT6113 Cloud Paul Thompson SUSE Technical Consultant Dirk Müller SUSE OpenStack Engineer 2 SUSE Cloud... SUSE Cloud Troubleshooting 3 SUSE Cloud 4653 Parameters 4 SUSE Cloud
More informationopenqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager
openqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager mawerner@suse.com Testing is HARD - Everyone who has built any software, ever. 2 Upstreams Upstream projects are moving
More informationCollecting data from IoT devices using Sigfox network
Collecting data from IoT devices using Sigfox network Making data collection easier Jan Krupa Operations Engineer JKrupa@suse.com About me IoT networks Sigfox network What is Sigfox Sigfox employs
More informationZdeněk Kubala Senior QA
(Kernel) Isolation PV, HVM, OS-V technologies in Linux Introduction and description of the isolation diferences between HM, PV and OS-level virt. technologies. Zdeněk Kubala Senior QA Engineer zkubala@suse.com
More informationSELi He nux a dlin in F e edora 8 Dan N W am als e h Red D H a at te
SELinux Headline Fedora 8 Dan Walsh Name Red Hat Date SELinux History In Fedora Fedora 2 SELinux Introduced Strict Policy, Disabled, Confine User/Daemons Fedora 3 Targeted Policy, Enabled,
More informationNovell Data Synchronizer Mobility Pack Overview. Novell. Readme. January 28, 2013
Novell Data Synchronizer Mobility Pack 1.2.5 Readme Novell January 28, 2013 NOTE: The 1.2.5 update pertains to the Mobility Pack. The Data Synchronizer product for use with connectors other than the Mobility
More informationSELinux. Daniel J Walsh SELinux Lead Engineer
SELinux Daniel J Walsh SELinux Lead Engineer 0 Day Exploits Patch Cycle Someone discovers a vulnerability in software Package Maintainer and OS Vendor Notified Fix generated/distributed Fix installed by
More informationSELINUX FOR MERE MORTALS
SELINUX FOR MERE MORTALS (Or, Don't Turn It Off ) Thomas Cameron, RHCA, RHCDS, RHCVA, RHCSS, RHCX Managing Solutions Architect, Red Hat Wednesday, May 4th, 2011 Agenda About Us What is SELinux? About Us
More informationHigh Availability for Highly Reliable Systems
High Availability for Highly Reliable Systems Mike Friesenegger SUSE Wednesday, February 6, 2013 Session: 12367 Agenda What is a high availability (HA) cluster? What is required to build a HA cluster using
More informationUsing Manage Alarm Tool
Using Manage Alarm Tool Release 1.0 Issue 1 April 2013 2013 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete and
More informationAvaya Aura Call Center Elite Multichannel Documentation Roadmap
Multichannel Documentation Roadmap Release 6.4 Issue 2 April 2015 2015 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is
More informationAdvanced patching of SUSE Linux Enterprise Server 10 with ZENworks Linux Management 7.2
SUSE LINUX Enterprise Server 10 www.novell.com Advanced patching of SUSE Linux Enterprise Server 10 with ZENworks Linux Management 7.2 Version 0.1 Disclaimer Novell, Inc. makes no representations or warranties
More information3 Mobility Pack Installation Instructions
Novell Data Synchronizer Mobility Pack Readme Novell September 10, 2010 1 Overview The Novell Data Synchronizer Mobility Pack creates a new Synchronizer system that consists of the Synchronizer services,
More informationSELinux Workshop Redux Jamie Duncan, Red Hat RVaLUG 19 April 2014
SELinux Workshop Redux Jamie Duncan, Red Hat RVaLUG 19 April 2014 Introduction The expectation is that you will either have a virtual machine to use, or that you will revert any changes made to your machine
More information2/26/13. Hands-on SELinux: A Practical Introduction. Roadmap. SELinux Tools. Security Training Course. Day 1: Day 2: GUI
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains
More informationVersion is the follow-on release after version 8.1, featuring:
PlateSpin Portability Suite 8.1.1 Release Notes August 17, 2009 1 About this Release Novell These release notes apply to both PlateSpin Portability Suite products, PlateSpin Migrate and PlateSpin Protect.
More informationApril Understanding Federated Single Sign-On (SSO) Process
April 2013 Understanding Federated Single Sign-On (SSO) Process Understanding Federated Single Sign-On Process (SSO) Disclaimer The following is intended to outline our general product direction. It is
More informationWhat's New with SUSE Linux Enterprise Server for z Systems
What's New with SUSE Linux Enterprise Server for z Systems Ihno Krumreich Projectmanager Ihno@suse.de August 10th, 2015 Session 17484 SUSE Linux Enterprise A highly reliable, scalable and secure server
More informationUser Guide for Avaya Equinox Add-in for IBM Lotus Notes
User Guide for Avaya Equinox Add-in for IBM Lotus Notes Release 9.0 Issue 1 January 2017 2014-2017, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information
More informationamdgpu Graphics Stack Documentation
amdgpu Graphics Stack Documentation Release unknown-build Advanced Micro Devices, Inc. Oct 25, 2018 Contents 1 Table of Contents 1 1.1 Preamble................................................. 1 1.2 Overview.................................................
More informationOctober Oracle Application Express Statement of Direction
October 2017 Oracle Application Express Statement of Direction Disclaimer This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle.
More informationSELinux Basics. Clint Savage Fedora Ambassador. Fedora Classroom November 9, 2008
SELinux Basics Clint Savage Fedora Ambassador Fedora Classroom November 9, 2008 What is SELinux? Another layer of security Created by the NSA / Red Hat Helps add to the multiple layers of defense Generally
More informationSamba and Ceph. Release the Kraken! David Disseldorp
Samba and Ceph Release the Kraken! David Disseldorp ddiss@samba.org Agenda Ceph Overview State of Samba Integration Performance Outlook Ceph Distributed storage system Scalable Fault tolerant Performant
More informationIP Office 9.0 IP Office Server Edition Reference Configuration
IP Office 9.0 IP Office Server Edition Reference Configuration Release 9.0.3 15-604135 May 2014 2014 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information
More informationVeritas NetBackup and Oracle Cloud Infrastructure Object Storage ORACLE HOW TO GUIDE FEBRUARY 2018
Veritas NetBackup and Oracle Cloud Infrastructure Object Storage ORACLE HOW TO GUIDE FEBRUARY 2018 0. Disclaimer The following is intended to outline our general product direction. It is intended for information
More informationThe Journey of an I/O request through the Block Layer
The Journey of an I/O request through the Block Layer Suresh Jayaraman Linux Kernel Engineer SUSE Labs sjayaraman@suse.com Introduction Motivation Scope Common cases More emphasis on the Block layer Why
More informationThe issues included in this document were identified in Novell ZENworks 7.3 Linux Management with Interim Release 3 (IR3).
Novell ZENworks 7.3 Linux Management with Interim Release 3 June 02, 2010 Novell 1 Overview The issues included in this document were identified in Novell ZENworks 7.3 Linux Management with Interim Release
More informationBC403 Advanced ABAP Debugging
BC403 Advanced ABAP Debugging. COURSE OUTLINE Course Version: 15 Course Duration: 2 Day(s) SAP Copyrights and Trademarks 2016 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication
More information9/18/14. Hands-on SELinux: A Practical Introduction. Roadmap. SELinux Tools. Security Training Course. Day 1: Day 2: GUI
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2014 Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains
More information