1 00:00:00,000 --> 00:00:02,830 [No audio] 2 00:00:02,830 --> 00:00:06,738 Security Enhanced Linux. Now a lot of 3 00:00:06,764 --> 00:00:08,694 you are probably thinking, oh my god, 4 00:00:08,792 --> 00:00:11,982 SELinux, that's very complicated. Okay. 5 00:00:12,116 --> 00:00:15,762 I do agree it is somewhat complicated to a 6 00:00:15,776 --> 00:00:19,002 degree but for people who have already spent time in 7 00:00:19,016 --> 00:00:23,106 it and been working with SELinux already find it 8 00:00:23,228 --> 00:00:28,602 easier than initially how they thought. So one thing I 9 00:00:28,616 --> 00:00:32,514 will promise you that, I will try my best to 10 00:00:32,552 --> 00:00:37,398 explain how SELinux works, but keep in mind it's a 11 00:00:37,544 --> 00:00:41,058 very big topic, that I might not be able to 12 00:00:41,084 --> 00:00:43,890 cover every aspect of SELinux. So again, 13 00:00:43,940 --> 00:00:47,238 I'll try my best. So let's see, let's first talk about 14 00:00:47,384 --> 00:00:52,702 what is SELinux? As a regular definition, it's Security-Enhanced 15 00:00:52,726 --> 00:00:56,958 Linux it's a Linux kernel security module that provides a 16 00:00:56,984 --> 00:01:03,138 mechanism for supporting access control security policy including mandatory access 17 00:01:03,224 --> 00:01:07,182 control. I got this definition straight from Wikipedia. If you 18 00:01:07,196 --> 00:01:10,914 go ahead and search online, you'll find that definition right 19 00:01:10,952 --> 00:01:13,350 there. And the second thing I do want to cover 20 00:01:13,400 --> 00:01:17,230 is it's a project of United States National Security Agency 21 00:01:17,350 --> 00:01:21,018 NSA and the SELinux community. The other one, both 22 00:01:21,044 --> 00:01:23,434 of them worked together, came up of course the beginning 23 00:01:23,482 --> 00:01:26,466 NSA was the one who was involved, who wants to 24 00:01:26,528 --> 00:01:33,642 enhance or add more security around Linux.
So I have 25 00:01:33,836 --> 00:01:38,418 gone over the definition of SELinux from Wikipedia, now I 26 00:01:38,444 --> 00:01:42,594 am going to tell you exactly how I can explain 27 00:01:42,692 --> 00:01:46,026 you in a graphical and easier way, and I really 28 00:01:46,088 --> 00:01:51,860 hope that you understand how SELinux works and what is it for? 29 00:01:52,310 --> 00:01:55,182 Let's take an example of a server. So we have 30 00:01:55,196 --> 00:01:59,758 a Linux server, and it has directories, directory has files, 31 00:01:59,914 --> 00:02:04,506 and all other different files in other directories, and also 32 00:02:04,628 --> 00:02:10,570 the server has processes like NFS, web server, or FTP 33 00:02:10,630 --> 00:02:15,018 server. Also it has sockets, that whenever it starts a 34 00:02:15,044 --> 00:02:18,438 program to communicate to one another Linux machine it needs 35 00:02:18,464 --> 00:02:21,166 to open up a socket and it has a memory. 36 00:02:21,358 --> 00:02:24,306 All that is, as you know, 37 00:02:24,488 --> 00:02:28,398 is managed or comes under the 38 00:02:28,424 --> 00:02:33,078 ownership of users and groups right? 39 00:02:33,224 --> 00:02:37,830 We all know that and how we control the permissions 40 00:02:38,270 --> 00:02:41,802 is by of course reassigning them to who owns that 41 00:02:41,876 --> 00:02:44,034 and which group owns that and then there is three 42 00:02:44,072 --> 00:02:48,154 level of permission we do and that is read, write, executable, 43 00:02:48,322 --> 00:02:53,118 and each one of them are divided into users the 44 00:02:53,144 --> 00:02:54,754 first three bits for users, 45 00:02:54,862 --> 00:02:59,346 second three bits for group, and the last three bits for 46 00:02:59,408 --> 00:03:06,618 others. So all of that is controlled through change mod. So a 47 00:03:06,644 --> 00:03:10,950 user can do change mod to whatever that they wanted to 48 00:03:11,000 --> 00:03:13,662 change it to. 
So if you own a file, or if 49 00:03:13,676 --> 00:03:16,950 you create a file let's call it file1, you could 50 00:03:17,000 --> 00:03:21,262 do a change mod on that file, and control the permission 51 00:03:21,406 --> 00:03:25,794 as however you want to view it. This type of access 52 00:03:25,952 --> 00:03:32,202 is called DAC Discretionary Access Control, where user has control over 53 00:03:32,276 --> 00:03:37,978 everything. Now comes the SELinux. What SELinux is, it's 54 00:03:38,014 --> 00:03:45,920 basically a Mandatory access control, and it goes around this Discretionary Access Control. 55 00:03:46,310 --> 00:03:48,798 So what it means that let's say you have a 56 00:03:48,824 --> 00:03:53,334 user, and user is HTTP user in your environment, and 57 00:03:53,372 --> 00:03:56,970 let's say that user has been compromised by a hacker. 58 00:03:57,470 --> 00:03:59,982 So what I have is, if the 59 00:03:59,996 --> 00:04:04,458 Apache HTTP Server is compromised, an attacker cannot use 60 00:04:04,484 --> 00:04:07,822 the process to read files in user home directory, 61 00:04:07,966 --> 00:04:11,074 unless a specific SELinux policy rule was added 62 00:04:11,122 --> 00:04:13,400 or configured to allow such access. 63 00:04:13,970 --> 00:04:18,029 In simple words, what I could show you here is if 64 00:04:18,079 --> 00:04:24,870 that user, HTTP user, only if SELinux is enabled, what this 65 00:04:24,920 --> 00:04:29,970 SELinux can do is it tells the user hey, you do 66 00:04:30,020 --> 00:04:38,554 have access to this file, for example /var/www/html directory, but I 67 00:04:38,592 --> 00:04:43,886 am not going to give you access to /var/www/cgi-bin. 68 00:04:44,018 --> 00:04:46,574 Now think of it, both of these directories 69 00:04:46,682 --> 00:04:49,870 are actually owned by that Http user, right? 
70 00:04:50,040 --> 00:04:54,362 So isn't that how funny it is that the same user 71 00:04:54,446 --> 00:04:57,634 can access one directory and cannot access the other, or can 72 00:04:57,672 --> 00:05:00,494 access one file but cannot access the other file. 73 00:05:00,662 --> 00:05:04,706 Yes, that is possible through SELinux. 74 00:05:04,838 --> 00:05:06,370 That's why they came in and said 75 00:05:06,420 --> 00:05:08,050 hey guys, this is not good. 76 00:05:08,160 --> 00:05:12,070 Maybe one user, let's say iafzal, can access a file 77 00:05:12,070 --> 00:05:17,026 /home/iafzal in the file, but we don't want him 78 00:05:17,088 --> 00:05:19,930 to access any other file in the same directory. 79 00:05:20,550 --> 00:05:24,514 Well, it's because again, if that user is 80 00:05:24,552 --> 00:05:27,154 compromised, that user can access other directories too. 81 00:05:27,192 --> 00:05:29,626 And you want to prevent that. 82 00:05:29,748 --> 00:05:32,582 So at the end, result is the user 83 00:05:32,726 --> 00:05:36,550 cannot do change mod to whatever the user likes. 84 00:05:36,930 --> 00:05:42,274 That's what SELinux is, that's how it enhances the 85 00:05:42,312 --> 00:05:44,666 security of your Linux server. 86 00:05:44,798 --> 00:05:48,886 Hopefully this diagram and me explaining this way 87 00:05:48,948 --> 00:05:52,534 makes you understand how SELinux works and 88 00:05:52,572 --> 00:05:55,810 why there's a need of SELinux. 89 00:05:56,310 --> 00:06:00,058 Now, moving on, let's get into the detail of 90 00:06:00,084 --> 00:06:03,538 the functionality of SELinux and how we could make 91 00:06:03,564 --> 00:06:08,770 the use of it. SELinux Options, there are three 92 00:06:08,880 --> 00:06:12,358 SELinux option. 
Number one by default, when you 93 00:06:12,384 --> 00:06:15,118 have a Linux machine installed, primarily let's say in 94 00:06:15,144 --> 00:06:18,566 Redhat, CentOS, and Fedora type of Linux distributions, 95 00:06:18,758 --> 00:06:22,934 by default SELinux comes as enabled, 96 00:06:22,982 --> 00:06:25,930 meaning it is an enforcing mode. 97 00:06:26,370 --> 00:06:28,174 Then there's another mode that 98 00:06:28,212 --> 00:06:29,846 is called permissive mode. 99 00:06:29,978 --> 00:06:30,938 Permissive mode, 100 00:06:30,974 --> 00:06:35,162 what it does is, it tells the SELinux hey, I'm 101 00:06:35,186 --> 00:06:37,920 not going to enable you so don't do anything. 102 00:06:38,970 --> 00:06:41,662 Only what you should do is, only log 103 00:06:41,736 --> 00:06:44,798 the activity like as if you are enabled. 104 00:06:44,954 --> 00:06:48,070 So this way if you are using the first time 105 00:06:48,120 --> 00:06:52,298 as the Linux, then you should always do permissive. 106 00:06:52,394 --> 00:06:55,354 So you could try and error, trial and error type 107 00:06:55,392 --> 00:06:58,154 of things you could do unless you're fully comfortable. 108 00:06:58,262 --> 00:07:01,090 Then you could go ahead and do enforcing. 109 00:07:01,830 --> 00:07:05,650 Again, always try to do permissive than enforcing. 110 00:07:06,150 --> 00:07:07,762 Then of course the third one would 111 00:07:07,776 --> 00:07:09,242 be as you know, is disabled. 112 00:07:09,266 --> 00:07:11,450 So if you do not want to use SELinux 113 00:07:11,510 --> 00:07:14,782 at all, you could just go ahead and make it 114 00:07:14,856 --> 00:07:19,020 disabled and none of its functionality would work at all. 115 00:07:19,590 --> 00:07:23,110 Now, so far that I know, if I have 116 00:07:23,160 --> 00:07:28,246 to ballpark I would say about 50% to 60% 117 00:07:28,308 --> 00:07:32,870 of the time people have disabled SELinux. 
118 00:07:32,990 --> 00:07:36,158 And the reason, number one reason for being SELinux 119 00:07:36,194 --> 00:07:38,482 disabled in the environment is because of course, as 120 00:07:38,496 --> 00:07:41,038 I said, it is complicated, and a lot of 121 00:07:41,064 --> 00:07:44,302 times people do find it complicated, and simply they 122 00:07:44,316 --> 00:07:46,258 could go in and disable it. 123 00:07:46,404 --> 00:07:49,534 But what my take is, that if you are 124 00:07:49,572 --> 00:07:53,570 running any of your Linux machine in a DMZ 125 00:07:53,630 --> 00:07:57,394 environment which is a public facing environment, then you 126 00:07:57,432 --> 00:08:01,330 should definitely consider enabling SELinux. 127 00:08:01,830 --> 00:08:06,802 OK, moving on. To check SELinux status, whether your system 128 00:08:06,876 --> 00:08:10,802 is running SELinux or whether it has SELinux enabled 129 00:08:10,826 --> 00:08:16,106 or not, you would do sestatus or getenforce. 130 00:08:16,178 --> 00:08:19,622 This would tell you if your system has SELinux enabled 131 00:08:19,646 --> 00:08:26,135 or not. Setting SELinux, you will have to do setenforce = 0, to 132 00:08:26,135 --> 00:08:28,918 do permissive or disable mode, or 133 00:08:28,944 --> 00:08:32,182 you could do setenforce = one to enable it. 134 00:08:32,256 --> 00:08:35,433 But again, this will only enable or 135 00:08:35,472 --> 00:08:38,182 disable while you are on the system. 136 00:08:38,316 --> 00:08:40,238 The moment your system reboots 137 00:08:40,332 --> 00:08:41,806 the setting will go away. 138 00:08:41,928 --> 00:08:44,590 Now how you can make those settings permanent? 
139 00:08:44,909 --> 00:08:49,226 Just like any service, you have to modify SELinux config 140 00:08:49,298 --> 00:08:53,114 file for permanent setting and that file is etc, 141 00:08:53,222 --> 00:08:57,094 as always, etc is a configuration directory, so you should 142 00:08:57,132 --> 00:09:03,130 have that in /etc/selinux/config file, and there is 143 00:09:03,180 --> 00:09:06,700 a parameters inside of that configuration file that says, 144 00:09:06,700 --> 00:09:13,358 SELINUX=enforcing, SELINUX=disabled, whichever the setting 145 00:09:13,394 --> 00:09:16,570 that you want to pick, of course don't forget permissive. 146 00:09:17,550 --> 00:09:21,934 Then before you modify SELinux config file that is 147 00:09:21,972 --> 00:09:24,994 something definitely I wanted to tell you it is very 148 00:09:25,032 --> 00:09:28,858 important even if you have to write it down, before 149 00:09:28,944 --> 00:09:33,086 you play around with SELinux, please if it's a virtual machine, 150 00:09:33,158 --> 00:09:36,166 create a snapshot of your VM. So stop 151 00:09:36,228 --> 00:09:39,322 everything right now, go ahead and create a 152 00:09:39,336 --> 00:09:43,846 snapshot before you try anything on the SELinux. Why? 153 00:09:44,028 --> 00:09:45,982 The reason I'm saying that again, 154 00:09:46,056 --> 00:09:49,042 SELinux is built around security. 155 00:09:49,176 --> 00:09:53,350 If you make changes, that is not something that you 156 00:09:53,400 --> 00:09:55,942 wanted to do maybe you're going to have a problem 157 00:09:56,016 --> 00:09:58,822 booting up your system or it's going to take a 158 00:09:58,836 --> 00:10:02,290 long time to label every file system. 159 00:10:02,400 --> 00:10:03,598 Now what is labeling means? 160 00:10:03,624 --> 00:10:07,238 We'll cover that later but again, my suggestion 161 00:10:07,274 --> 00:10:10,740 to you right now is to go ahead 162 00:10:11,190 --> 00:10:13,586 and create a snapshot of your virtual machine. 
163 00:10:13,658 --> 00:10:16,378 Now if you are running a physical machine, go 164 00:10:16,404 --> 00:10:19,658 ahead and create a backup of your physical machine 165 00:10:19,754 --> 00:10:23,854 or create some type of means where you could 166 00:10:23,892 --> 00:10:27,070 revert back to your original setting. 167 00:10:28,170 --> 00:10:33,130 Then before you reboot your system, let's say if you have enforced 168 00:10:33,130 --> 00:10:42,360 SELinux in your /etc/selinux/config file, always do /.autorelabel. 169 00:10:42,360 --> 00:10:44,842 This is going to tell the system hey, 170 00:10:44,916 --> 00:10:49,810 I have just enabled disable SELinux especially enabling it. 171 00:10:49,920 --> 00:10:52,934 Go ahead and relabel all the files, system directories, 172 00:10:52,982 --> 00:10:55,594 whatever that you have, relabel them right now so 173 00:10:55,632 --> 00:11:00,490 they are aware of SELinux enablement. 174 00:11:01,290 --> 00:11:04,378 So make sure if you don't do that, then you have 175 00:11:04,404 --> 00:11:06,578 to boot, then it has to go through the relabeling 176 00:11:06,614 --> 00:11:09,122 again, it's going to take you really long time and you're 177 00:11:09,146 --> 00:11:11,302 probably going to think your system is not booting up and 178 00:11:11,316 --> 00:11:13,702 then you're going to try different things and you're going to 179 00:11:13,716 --> 00:11:16,140 end up not booting up the system at all. 180 00:11:16,890 --> 00:11:18,502 All right, I'm going to try a couple of 181 00:11:18,516 --> 00:11:23,038 things to show you on my Linux machine how 182 00:11:23,064 --> 00:11:25,222 to show whether it's enforced or not. 183 00:11:25,356 --> 00:11:28,560 So I have my Linux machine open right here. 184 00:11:30,430 --> 00:11:31,878 I am logged in as root. 185 00:11:31,914 --> 00:11:34,322 As you could see, I have a pound sign, but still I 186 00:11:34,336 --> 00:11:37,098 will always check to make sure I'm logged in as root. 
187 00:11:37,254 --> 00:11:38,498 So if I wanted to check the 188 00:11:38,524 --> 00:11:41,754 status, I would do status, sestatus. 189 00:11:41,922 --> 00:11:44,994 As you can see right now, it's the status enabled. 190 00:11:45,042 --> 00:11:46,106 But don't go by this. 191 00:11:46,168 --> 00:11:49,130 You have to do is right here, current mode. 192 00:11:49,510 --> 00:11:51,638 It is saying that my current mode is 193 00:11:51,664 --> 00:11:54,578 enforcing, meaning I do have SELinux and it 194 00:11:54,604 --> 00:11:57,806 is enabled and running in my system. 195 00:11:57,868 --> 00:12:01,514 You could also get the same result, not 196 00:12:01,552 --> 00:12:03,962 exactly the same result, but you want to 197 00:12:03,976 --> 00:12:05,894 find out whether it's enforced or not. 198 00:12:05,932 --> 00:12:10,166 You do getenforce, and it will tell you this. 199 00:12:10,228 --> 00:12:11,730 Yes, it is enforcing. 200 00:12:11,910 --> 00:12:15,290 Again, if you wanted to set it to enforcing or 201 00:12:15,340 --> 00:12:19,362 disabling, you have to do setenforce zero to disable, 202 00:12:19,506 --> 00:12:22,598 one to enable. The file that you would need to 203 00:12:22,624 --> 00:12:28,850 modify for permanent setting, that file is located at /etc/selinux. 204 00:12:29,950 --> 00:12:34,910 Let's cat the file out, and file is config. 205 00:12:35,590 --> 00:12:39,494 You can see in the file before I 206 00:12:39,532 --> 00:12:43,470 had only this line SELINUX=enforcing. 207 00:12:43,590 --> 00:12:45,458 I also added this line myself. 208 00:12:45,544 --> 00:12:47,102 You probably don't see this line in 209 00:12:47,116 --> 00:12:50,226 your configuration because I added that manually. 210 00:12:50,358 --> 00:12:51,690 And the reason I added manually, 211 00:12:51,750 --> 00:12:54,546 so this way I don't have to type it the disable 212 00:12:54,618 --> 00:12:57,606 whole again or I don't want to make any mistake. 
213 00:12:57,798 --> 00:12:59,798 What I would do is I will go into the 214 00:12:59,824 --> 00:13:03,746 file, take out the pound, add the pound here and 215 00:13:03,808 --> 00:13:07,202 it will make the changes the way I want. 216 00:13:07,396 --> 00:13:09,494 So that's the file you need to keep 217 00:13:09,532 --> 00:13:12,806 in mind that you should make the change 218 00:13:12,928 --> 00:13:16,010 to if you wanted to enforce or disable. 219 00:13:17,410 --> 00:13:18,520 Moving on. 220 00:13:18,910 --> 00:13:21,318 There are two main concepts of SELinux. 221 00:13:21,354 --> 00:13:25,542 One is labeling and the other one is type enforcement. 222 00:13:25,686 --> 00:13:29,370 So SELinux is running it's enforced. 223 00:13:29,490 --> 00:13:32,826 Now, how does SELinux keep track of files, 224 00:13:32,898 --> 00:13:35,500 directories, and all the processes that we talked about? 225 00:13:36,670 --> 00:13:40,250 First thing that SELinux does, it labels every 226 00:13:40,360 --> 00:13:43,360 file and directory in your file system. 227 00:13:43,750 --> 00:13:48,160 Again, it's an enhanced way of enhancing your security, 228 00:13:48,610 --> 00:13:51,882 and let's say if you have a file or a directory, 229 00:13:52,026 --> 00:13:55,410 it creates a label with that, just like a label tag. 230 00:13:55,530 --> 00:13:58,420 And that label has four different types of information. 231 00:13:58,990 --> 00:14:02,306 One is the user, second is the role, third 232 00:14:02,368 --> 00:14:05,200 is a type, and the fourth one is level. 233 00:14:05,590 --> 00:14:07,238 I will mostly focus on the 234 00:14:07,264 --> 00:14:09,782 type because most of the time 235 00:14:09,916 --> 00:14:13,394 type is the one that is used, that keeps all 236 00:14:13,432 --> 00:14:18,340 the files, ownership or security separate from one another. 
237 00:14:19,750 --> 00:14:23,174 To list the label of a directory, if you wanted 238 00:14:23,212 --> 00:14:26,678 to see what type of label it has, you have 239 00:14:26,704 --> 00:14:32,994 to do ls -lZ, and /usr/sbin/httpd. 240 00:14:33,102 --> 00:14:34,842 It's just the example that I picked. 241 00:14:34,926 --> 00:14:36,902 This is the file and you will see as 242 00:14:36,916 --> 00:14:40,120 a result it will come up as this. 243 00:14:40,810 --> 00:14:44,930 And you see right here where I have highlighted in the 244 00:14:44,980 --> 00:14:51,470 rectangular red object it has system which is for user object 245 00:14:51,640 --> 00:14:57,554 which is for role httpd_exec_t, that's the 246 00:14:57,592 --> 00:15:00,400 type and the last one is the level. 247 00:15:00,970 --> 00:15:06,974 Again the main focus is httpd_exec, you will 248 00:15:07,012 --> 00:15:10,982 find that every file or directory if they are in 249 00:15:10,996 --> 00:15:15,040 a different directory, will have a different type. 250 00:15:15,910 --> 00:15:18,090 As you know, this is executable 251 00:15:18,210 --> 00:15:20,790 /usr/bin/httpd is an executable. 252 00:15:20,850 --> 00:15:22,286 You could run that, it will start up a 253 00:15:22,288 --> 00:15:24,446 script, and it will start your http process. 254 00:15:24,628 --> 00:15:30,580 That is why it's been given the exec executable type. 255 00:15:31,090 --> 00:15:36,218 Similarly, if you do want to list a directory, you would 256 00:15:36,244 --> 00:15:40,070 have to do ls d for directory, and a z 257 00:15:40,120 --> 00:15:42,678 again at /etc/httpd, 258 00:15:42,774 --> 00:15:46,086 this is a directory for configuration file for httpd, 259 00:15:46,218 --> 00:15:48,506 and the result will come up like this. 260 00:15:48,568 --> 00:15:49,814 Again, same thing. 261 00:15:49,852 --> 00:15:52,058 User is the same, role is the 262 00:15:52,084 --> 00:15:54,580 same, but it has changed the type.
263 00:15:54,970 --> 00:15:57,782 Type again is the most important part of 264 00:15:57,796 --> 00:15:59,906 the thing that you have to work with 265 00:16:00,088 --> 00:16:02,850 if you are going to copy the file. 266 00:16:02,910 --> 00:16:08,166 Let's say that is in /usr/sbin/ or let's 267 00:16:08,178 --> 00:16:14,762 say /var/www/html directory, and you move it somewhere else. 268 00:16:14,956 --> 00:16:19,302 Remember one thing, it is not taking the permission 269 00:16:19,386 --> 00:16:23,366 of the other or the source destination, sorry. 270 00:16:23,428 --> 00:16:25,674 It is taking the information of the sources. 271 00:16:25,722 --> 00:16:28,814 So you have to modify the type when you actually move 272 00:16:28,852 --> 00:16:32,500 it, otherwise SELinux will not allow you to read it. 273 00:16:33,670 --> 00:16:37,187 Okay, so let me try all of these commands. 274 00:16:37,187 --> 00:16:39,590 [No audio] 275 00:16:39,590 --> 00:16:41,480 Let me clear my screen. 276 00:16:42,350 --> 00:16:52,894 And the first one I will try on ls -lZ /usr/sbin/httpd. 277 00:16:53,052 --> 00:16:56,962 And as you can see right here, this is 278 00:16:57,036 --> 00:17:02,114 what shows up and this is label of SELinux. 279 00:17:02,222 --> 00:17:05,134 If I had SELinux disabled, it would 280 00:17:05,172 --> 00:17:07,006 not have shown up right here. 281 00:17:07,127 --> 00:17:09,780 Again the first one, all of this 282 00:17:10,230 --> 00:17:13,329 label has four different categories and each 283 00:17:13,380 --> 00:17:16,922 category is separated by the colon. 284 00:17:17,066 --> 00:17:20,674 So first one again is user, second one is role, third 285 00:17:20,712 --> 00:17:24,406 one is the type, and the last one is the level. 286 00:17:24,588 --> 00:17:27,992 And again this is the most important one that you should 287 00:17:28,031 --> 00:17:30,839 be focusing on, that you could make a change to. 
288 00:17:31,530 --> 00:17:36,849 All right, try on the directory ls -dZ /etc/httpd. 289 00:17:38,130 --> 00:17:44,453 Again it is labeled as config, httpd_config, 290 00:17:44,453 --> 00:17:47,233 this one was labeled executable. 291 00:17:47,402 --> 00:17:52,450 You see the SELinux keeps the distinction between one 292 00:17:52,500 --> 00:17:55,994 file or directory with another is by assigning these types 293 00:17:56,042 --> 00:17:58,370 that it says hey, this is a config file. 294 00:17:58,430 --> 00:18:00,074 Hey, this is executable file. 295 00:18:00,122 --> 00:18:01,918 Now I'll see who has access to 296 00:18:01,944 --> 00:18:05,170 executable and who has access to config. 297 00:18:05,170 --> 00:18:07,170 [No audio] 298 00:18:07,170 --> 00:18:10,386 If I were to do the same thing in my home directory, let's 299 00:18:10,398 --> 00:18:18,700 say ls -dZ /home/iafzal, you will see it is coming as 300 00:18:19,270 --> 00:18:23,690 user, which every user will have in the home_dir. 301 00:18:24,190 --> 00:18:27,350 That's how you could differentiate as a home directory. 302 00:18:27,790 --> 00:18:30,038 I could also make a change on 303 00:18:30,064 --> 00:18:32,380 the user as well as the object. 304 00:18:33,310 --> 00:18:35,740 All right, let's keep moving on. 305 00:18:35,740 --> 00:18:38,270 [No audio] 306 00:18:38,270 --> 00:18:42,226 As a web server runs, the process is labeled 307 00:18:42,298 --> 00:18:46,038 in memory as well as like httpd_t. 308 00:18:46,184 --> 00:18:50,482 So not only directories or files are labeled 309 00:18:50,506 --> 00:18:53,970 by SELinux, the process is also labeled. 310 00:18:54,350 --> 00:18:56,682 You could check that process label only if 311 00:18:56,696 --> 00:18:59,202 it's running right because kernel starts up the 312 00:18:59,216 --> 00:19:02,010 process and it keeps that process information memory. 313 00:19:02,390 --> 00:19:05,730 Without starting it up, there won't be any label.
314 00:19:06,110 --> 00:19:09,750 So to check while the process is running, you do ps, 315 00:19:10,370 --> 00:19:12,618 ax, or whatever the option that you want to use, and 316 00:19:12,644 --> 00:19:15,620 of course uppercase Z, and then grep for the process. 317 00:19:16,010 --> 00:19:17,622 And you'll see, you get to list the 318 00:19:17,636 --> 00:19:19,986 process depending on how many processes you're running. 319 00:19:20,108 --> 00:19:22,074 And here is information about that 320 00:19:22,112 --> 00:19:24,260 type that we talked about. 321 00:19:25,790 --> 00:19:28,738 I'm sorry, I actually captured the system underscore 322 00:19:28,774 --> 00:19:30,714 r as well, which is not the type. 323 00:19:30,812 --> 00:19:33,680 The type is httpd_t. 324 00:19:34,310 --> 00:19:36,858 All right, to check the this label, if 325 00:19:36,884 --> 00:19:38,670 the label is assigned, it's a socket level. 326 00:19:38,720 --> 00:19:39,738 Yes, it is. 327 00:19:39,884 --> 00:19:42,260 And you'll see right here again, 328 00:19:43,070 --> 00:19:46,386 I actually highlighted the wrong type. 329 00:19:46,568 --> 00:19:48,954 system_r is the role, not the type. 330 00:19:48,992 --> 00:19:51,740 So the type would be httpd_t. 331 00:19:53,270 --> 00:19:55,722 All right, so let me try to look the 332 00:19:55,736 --> 00:20:00,270 same thing for process and for the socket. 333 00:20:01,370 --> 00:20:03,558 So first, before I look for it, I 334 00:20:03,584 --> 00:20:07,520 wanted to make sure my httpd is running. 335 00:20:08,150 --> 00:20:11,058 For those who do not have httpd installed in 336 00:20:11,084 --> 00:20:13,098 your system, you first need to check whether you 337 00:20:13,124 --> 00:20:16,278 have the package installed by running rpm -qa. 338 00:20:16,424 --> 00:20:17,658 First of all, let me clear the 339 00:20:17,684 --> 00:20:21,390 screen rpm -qa grep for http. 
340 00:20:21,390 --> 00:20:25,050 [No audio] 341 00:20:25,050 --> 00:20:27,374 Okay, so I do have a package installed. 342 00:20:27,482 --> 00:20:29,998 Now, if I have a package installed, I need to 343 00:20:30,024 --> 00:20:32,222 run it, but of course before I run it, I'll 344 00:20:32,246 --> 00:20:34,234 need to make sure whether it's running already or not. 345 00:20:34,272 --> 00:20:42,526 So systemctl status httpd. Okay, it is not running, 346 00:20:42,588 --> 00:20:45,598 it is inactive, as you can see right here. 347 00:20:45,684 --> 00:20:49,306 So that is why even if I do ps -ef or whatever I 348 00:20:49,308 --> 00:20:52,042 want to do and I type http, it's not going to grep it. 349 00:20:52,056 --> 00:20:53,460 So I need to start it. 350 00:20:54,210 --> 00:20:55,978 To start, I will use the 351 00:20:56,004 --> 00:20:58,658 same command systemctl, instead of status 352 00:20:58,694 --> 00:21:02,326 I'll do start and httpd, it has started now. 353 00:21:02,388 --> 00:21:05,858 Now I will do systemctl status, 354 00:21:05,894 --> 00:21:07,954 and now you'll see that the 355 00:21:08,112 --> 00:21:09,946 status is active and running. 356 00:21:10,128 --> 00:21:15,094 Now let's go to look for the 357 00:21:15,132 --> 00:21:17,482 label SELinux label for that process. 358 00:21:17,556 --> 00:21:23,906 So I'll do ps -axZ, and grep for httpd. 359 00:21:24,098 --> 00:21:28,102 And right here, you'll see it has this entire thing 360 00:21:28,176 --> 00:21:32,566 is the label and the type that I'm saying is 361 00:21:32,748 --> 00:21:37,102 this. This is the type that you could change or 362 00:21:37,176 --> 00:21:41,100 kernel can change if you specify some type of policy. 363 00:21:41,850 --> 00:21:43,810 All right, now let's look at the socket. 364 00:21:43,810 --> 00:21:49,105 netstat -tnlpZ, 365 00:21:49,105 --> 00:21:52,105 and grep for httpd.
366 00:21:52,510 --> 00:21:54,506 And again, the socket has the same 367 00:21:54,568 --> 00:21:57,158 label and the type to it. 368 00:21:57,244 --> 00:21:58,660 And this is the type. 369 00:21:58,660 --> 00:22:00,610 [No audio] 370 00:22:00,610 --> 00:22:02,522 All right, so now we talked about already, 371 00:22:02,596 --> 00:22:07,158 how do we check the labels of SELinux 372 00:22:07,194 --> 00:22:10,890 to every file, directory, and program, and sockets. 373 00:22:11,070 --> 00:22:13,430 So let's move on and let's talk 374 00:22:13,480 --> 00:22:17,250 about the commands to manage SELinux settings. 375 00:22:17,430 --> 00:22:21,734 There's a command called semanage to label or change the 376 00:22:21,772 --> 00:22:28,926 label to all of these followings. There is another command chcon 377 00:22:29,118 --> 00:22:31,782 that can be used as well to change labels. 378 00:22:31,806 --> 00:22:37,262 So the labels can be applied to all of 379 00:22:37,336 --> 00:22:41,850 these entities right below login, user, port, interface, module, 380 00:22:41,910 --> 00:22:46,530 node, file context, boolean, permissive state, dontaudit. 381 00:22:46,650 --> 00:22:51,486 I have highlighted boolean in this entire slide. 382 00:22:51,618 --> 00:22:54,098 It's because boolean, I would say, is the one 383 00:22:54,124 --> 00:22:57,530 that is mostly used while you're using SELinux. 384 00:22:58,270 --> 00:22:59,790 Let's talk about boolean. 385 00:22:59,910 --> 00:23:01,014 What is boolean? 386 00:23:01,122 --> 00:23:04,850 Well, boolean is kind of like an on and off switch. 387 00:23:06,070 --> 00:23:09,302 So there are predefined out of the 388 00:23:09,316 --> 00:23:11,838 box boolean that comes with SELinux. 389 00:23:11,994 --> 00:23:14,438 So if you have SELinux installed and 390 00:23:14,464 --> 00:23:17,294 it just started, the boolean is already there. 391 00:23:17,392 --> 00:23:19,038 Now, what is a boolean? 
Boolean, 392 00:23:19,074 --> 00:23:23,954 as an example, it tells SELinux, hey, do 393 00:23:23,992 --> 00:23:27,050 we allow FTP server to access home directory? 394 00:23:27,550 --> 00:23:31,938 Meaning do we allow FTP user, the user FTP 395 00:23:31,974 --> 00:23:34,226 server when it runs it has a user, right? 396 00:23:34,288 --> 00:23:38,286 FTP user, not just specifically FTP user, but FTP. 397 00:23:38,478 --> 00:23:41,690 Do we allow that user to access the home directories? 398 00:23:42,010 --> 00:23:46,060 Now, if the boolean says on, that means yes. 399 00:23:46,390 --> 00:23:49,994 If the boolean says off, then it means it's off. 400 00:23:50,032 --> 00:23:51,030 It cannot. 401 00:23:51,210 --> 00:23:54,030 You could get a list of boolean, we'll cover that in a minute. 402 00:23:54,090 --> 00:23:57,614 Another example would be can httpd talk 403 00:23:57,652 --> 00:24:01,480 to ldap or any name directory services. 404 00:24:01,990 --> 00:24:03,914 You would have a list of other things too, 405 00:24:03,952 --> 00:24:07,550 like can http talk to send mail, to send 406 00:24:07,600 --> 00:24:11,606 mail or not, whether it's on or off. 407 00:24:11,788 --> 00:24:14,118 So you can make it on or off depending 408 00:24:14,154 --> 00:24:18,110 on your requirement and of course many other booleans. 409 00:24:18,850 --> 00:24:20,930 How to get a list of all booleans. 410 00:24:21,610 --> 00:24:23,574 What do we get when we install Linux? 411 00:24:23,622 --> 00:24:25,180 What do we get out of the box? 412 00:24:25,510 --> 00:24:28,074 To get the list you have to run the command 413 00:24:28,182 --> 00:24:33,460 getsebool and of course -a, a is for all. 414 00:24:33,910 --> 00:24:36,014 Or there's another command that you could get 415 00:24:36,052 --> 00:24:38,990 which is semanage boolean dash list which will 416 00:24:39,040 --> 00:24:41,320 also give you pretty much the same result. 
417 00:24:42,370 --> 00:24:45,458 As I said, you should go over every 418 00:24:45,604 --> 00:24:47,980 boolean that you have in your system. 419 00:24:48,490 --> 00:24:51,062 So this way you don't have to create your 420 00:24:51,136 --> 00:24:54,170 own or come up or install on your own. 421 00:24:54,280 --> 00:24:59,414 There are tons of them that SELinux offers you right 422 00:24:59,452 --> 00:25:03,858 off the box. To enable or turn on a boolean. 423 00:25:03,954 --> 00:25:06,758 Now, you have identified this should be 424 00:25:06,784 --> 00:25:08,342 on or this should be off. 425 00:25:08,476 --> 00:25:09,962 Now, how do you enable it or 426 00:25:09,976 --> 00:25:11,726 how do you turn on and off. 427 00:25:11,908 --> 00:25:14,138 Now again, keep in mind this is where we 428 00:25:14,164 --> 00:25:16,938 are making changes only when SELinux is enabled. 429 00:25:16,974 --> 00:25:19,418 Once that is enabled, only then you could 430 00:25:19,444 --> 00:25:22,730 do all those different configuration within SELinux. 431 00:25:24,250 --> 00:25:26,270 Anyway, to turn on the boolean, 432 00:25:27,010 --> 00:25:33,650 you could run the command setsebool -P space 433 00:25:34,330 --> 00:25:38,258 boolean underscore name whichever the name that you will see when 434 00:25:38,284 --> 00:25:41,714 you run the getsebool and of course on for 435 00:25:41,752 --> 00:25:47,258 on, off for off. Check error messages related to SELinux. If 436 00:25:47,284 --> 00:25:49,938 you define anything in your SELinux, 437 00:25:50,034 --> 00:25:54,530 if you set any boolean and there 438 00:25:54,640 --> 00:25:56,390 is an error messages in it, 439 00:25:56,440 --> 00:26:00,654 or if you are running an Apache server 440 00:26:00,702 --> 00:26:06,350 for example and the Apache server supposed to 441 00:26:06,400 --> 00:26:09,534 read a file from a user home directory, 442 00:26:09,582 --> 00:26:13,950 let's say iafzal. 
You start an Apache server, 443 00:26:14,010 --> 00:26:16,274 and you get an error message that it cannot read 444 00:26:16,312 --> 00:26:19,370 that file, then of course you would go in and 445 00:26:19,420 --> 00:26:24,460 run a command journalctl, journal control. 446 00:26:24,910 --> 00:26:29,954 This command is kind of a log, it keeps track 447 00:26:29,992 --> 00:26:33,642 of everything, every error message that is related to SELinux. 448 00:26:33,786 --> 00:26:37,238 It will tell you hey, the reason you cannot run 449 00:26:37,264 --> 00:26:41,814 that and I've noticed is because Apache server apparently cannot 450 00:26:41,862 --> 00:26:45,878 read the file that you wanted to read that is 451 00:26:45,904 --> 00:26:48,590 located in /home/iafzal directory. 452 00:26:49,126 --> 00:26:50,150 And why is that? 453 00:26:50,200 --> 00:26:52,262 Because you probably have given 454 00:26:52,336 --> 00:26:55,254 everyone to read that file. 455 00:26:55,362 --> 00:26:58,334 Meaning on the other, you have given like r, 456 00:26:58,432 --> 00:27:00,926 to read everyone but still can't read it. Why? 457 00:27:00,988 --> 00:27:05,678 Because as I said, it probably has a label and the 458 00:27:05,704 --> 00:27:09,614 label says that it is only allowed to read for that 459 00:27:09,652 --> 00:27:13,022 only user, so you have to change the label, especially the type 460 00:27:13,156 --> 00:27:17,750 to give it that label to word http. 461 00:27:19,150 --> 00:27:22,214 To change the type in a label you could run the 462 00:27:22,252 --> 00:27:27,940 chcon -t httpd_sys_content_t FILENAME. 463 00:27:28,450 --> 00:27:31,170 If it's a system file, you give that label. 464 00:27:31,290 --> 00:27:34,250 If it's a home directory, you give that home directory label. 465 00:27:34,930 --> 00:27:36,648 You can also run the command, 466 00:27:36,648 --> 00:27:44,500 semanage -t httpd_sys_content_t FILENAME. 
467 00:27:44,950 --> 00:27:47,162 So these are the two commands that you 468 00:27:47,176 --> 00:27:52,326 could run to change the labeling of SELinux. 469 00:27:52,518 --> 00:27:55,490 Let me try a few different commands. 470 00:27:56,170 --> 00:28:00,518 Let me clear the screen. To get a list of all booleans, I 471 00:28:00,544 --> 00:28:06,578 getsebool -a. You see, so many of them came up. 472 00:28:06,604 --> 00:28:10,000 Let me try to do more so I'll see one page at a time. 473 00:28:10,870 --> 00:28:13,370 OK cluster_can_network_connect. 474 00:28:13,480 --> 00:28:15,940 Can the cluster connected network, off, no. 475 00:28:17,050 --> 00:28:24,042 Another example daemon_use_tty, no. dhcp_use_ldap 476 00:28:24,126 --> 00:28:32,274 no, off. ftp_use_fusefs, no, off. So FTP 477 00:28:32,382 --> 00:28:36,650 user cannot access the sys and most of them 478 00:28:36,820 --> 00:28:41,790 are disabled or off. httpd_can_connect_ftp server. 479 00:28:41,970 --> 00:28:45,842 Meaning if you go to a web server and 480 00:28:45,976 --> 00:28:48,818 in the web server you probably wanted to give 481 00:28:48,844 --> 00:28:52,974 a functionality to click somewhere and transfer the file. 482 00:28:53,082 --> 00:28:54,834 And the only way to transfer the file 483 00:28:54,882 --> 00:28:56,754 if you have FTP running on your server. 484 00:28:56,802 --> 00:29:00,170 So that is running. All is good, everything is hunky dory, perfect. 485 00:29:00,340 --> 00:29:03,086 But now it's still not working. Why? 486 00:29:03,148 --> 00:29:07,250 Because number one, your SELinux is on. 487 00:29:07,420 --> 00:29:11,538 Number two, the httpd_can_connect_ftp server 488 00:29:11,574 --> 00:29:14,414 is off, so you have to go in and 489 00:29:14,512 --> 00:29:18,902 make it, or turn it on and so on. 490 00:29:18,916 --> 00:29:19,958 There are so many of them. 491 00:29:19,984 --> 00:29:22,802 As I said, you could go into one by one. 
492 00:29:22,996 --> 00:29:25,838 And if you really wanted to get yourself familiar with all 493 00:29:25,864 --> 00:29:28,574 of them, you should go through each one of them, read 494 00:29:28,612 --> 00:29:31,142 about it and find out what they are for. 495 00:29:31,276 --> 00:29:35,390 And again, I'm sorry, I cannot go over all of them. 496 00:29:35,440 --> 00:29:39,880 Because if I do, this becomes a course on its own. 497 00:29:40,570 --> 00:29:43,922 And I do not want to waste all those people 498 00:29:43,996 --> 00:29:47,438 time who really don't want to get into details of 499 00:29:47,464 --> 00:29:50,498 SELinux, but they do want to understand how it 500 00:29:50,524 --> 00:29:54,206 works and as a system administrator point of view, can 501 00:29:54,328 --> 00:29:57,086 use SELinux for a regular day to day work. 502 00:29:57,268 --> 00:29:59,982 Anyway, if you want to find out how many booleans 503 00:30:00,006 --> 00:30:02,078 we have, let's say out of the box, you could 504 00:30:02,104 --> 00:30:06,558 do getsebool -a and you could do wc 505 00:30:06,594 --> 00:30:11,030 -l, and you will see there are 110 booleans 506 00:30:11,770 --> 00:30:14,920 that you could actually maintain or manage. 507 00:30:16,210 --> 00:30:19,958 So if you want to set a boolean, so let's say I 508 00:30:19,984 --> 00:30:25,610 wanted to do something with http, so let me do grep http, 509 00:30:26,290 --> 00:30:29,334 this is all with http, what http 510 00:30:29,382 --> 00:30:31,362 can do and what http cannot. 511 00:30:31,506 --> 00:30:35,318 So let's say I want http to connect to FTP as well. 512 00:30:35,404 --> 00:30:39,974 So first copy this, and right now as you see, it's off. 513 00:30:40,132 --> 00:30:42,366 So before I just do grep, I'll 514 00:30:42,378 --> 00:30:43,838 just grep on that specific one. 515 00:30:43,864 --> 00:30:45,506 It says it's off, right? 516 00:30:45,628 --> 00:30:48,050 We wanted to make it on or turn it on. 
517 00:30:48,100 --> 00:30:57,954 So I'll do setsebool -P, boolean, sorry boolean name as we 518 00:30:57,992 --> 00:31:04,878 already know, which is this, and then on, hit Enter. 519 00:31:05,024 --> 00:31:07,974 It could take anywhere from 2 seconds to 520 00:31:08,012 --> 00:31:10,410 10 seconds, depending on your system, of course. 521 00:31:10,520 --> 00:31:13,278 Now, if you want to confirm whether it 522 00:31:13,304 --> 00:31:15,618 turned on or not, what do you do? 523 00:31:15,644 --> 00:31:18,090 You go through the same getsebool, 524 00:31:19,190 --> 00:31:21,630 and you'll see it is on. 525 00:31:21,800 --> 00:31:23,838 Anyway, that is something I just 526 00:31:23,864 --> 00:31:25,990 showed you for the lab purpose. 527 00:31:26,050 --> 00:31:28,280 I'll go ahead and turn it back off 528 00:31:28,280 --> 00:31:30,950 [No audio] 529 00:31:30,950 --> 00:31:33,582 and it should turn it back off. 530 00:31:33,716 --> 00:31:39,222 Now again, getenforce gets you what? 531 00:31:39,296 --> 00:31:45,646 Whether SELinux is enabled or not. If you want to disable 532 00:31:45,718 --> 00:31:51,260 it again, make sure talk to your manager, talk to your 533 00:31:51,590 --> 00:31:55,206 security team, if you want to disable it or not, whether 534 00:31:55,268 --> 00:31:57,762 you wanted to get something out of it. Anyway, 535 00:31:57,836 --> 00:31:59,466 so the point is, if you want to 536 00:31:59,528 --> 00:32:03,990 disable it permanently, you would do vi. 537 00:32:04,550 --> 00:32:06,786 But before I do vi, I said 538 00:32:06,848 --> 00:32:09,034 make sure you take a snapshot. 539 00:32:09,202 --> 00:32:11,785 So I'll make a copy first of all. 540 00:32:13,497 --> 00:32:16,242 /etc/selinux/config to /etc/, 541 00:32:16,436 --> 00:32:24,334 I'll put it in the tmp directory, /tmp/config.orig. 542 00:32:24,382 --> 00:32:25,590 So I made a copy. Good. 543 00:32:25,640 --> 00:32:32,010 Now I will modify /etc/selinux/config file. 
Come down, 544 00:32:32,120 --> 00:32:35,790 and now I will put a comment on enforcing, 545 00:32:36,470 --> 00:32:41,038 and I will take out SELINUX=disabled. 546 00:32:41,134 --> 00:32:43,050 Now it should disable it. 547 00:32:43,100 --> 00:32:45,140 I will go ahead and save it. 548 00:32:46,250 --> 00:32:48,318 Once I save it, what do I have to do? 549 00:32:48,404 --> 00:32:51,766 When you do getenforce, it will still say enforcing. 550 00:32:51,898 --> 00:32:55,002 For you to make it change globally or to 551 00:32:55,016 --> 00:32:57,570 the system wide, you have to do a reboot. 552 00:32:58,130 --> 00:33:01,798 So let's see, when I reboot 553 00:33:01,894 --> 00:33:04,366 it says server unexpectedly closed. 554 00:33:04,498 --> 00:33:07,854 Now a connection that's fine, that's perfectly fine because I 555 00:33:07,892 --> 00:33:12,294 am using PuTTY. All right, so from this point on 556 00:33:12,452 --> 00:33:16,758 I am going to wait until system comes back online. 557 00:33:16,904 --> 00:33:23,540 So I am going to fast forward from this point. 558 00:33:23,540 --> 00:33:37,570 [No audio] 559 00:33:37,570 --> 00:33:40,598 Okay, so I got the connection back on, 560 00:33:40,684 --> 00:33:43,286 I'm going to close the other window behind 561 00:33:43,348 --> 00:33:45,350 it and now I got a new connection. 562 00:33:45,350 --> 00:33:48,170 [No audio] 563 00:33:48,170 --> 00:33:49,890 I will log in as root. 564 00:33:49,890 --> 00:33:52,130 [No audio] 565 00:33:52,130 --> 00:33:58,830 Now if I do getenforce, it says disabled. 566 00:34:00,170 --> 00:34:03,510 So that's how you could get the 567 00:34:03,560 --> 00:34:05,602 information about whether it's enabled or disabled. 568 00:34:05,626 --> 00:34:07,878 What was the other command that we would need 569 00:34:07,904 --> 00:34:10,590 to run to check whether it's enabled or disabled? 570 00:34:11,330 --> 00:34:12,750 sestatus. 571 00:34:13,969 --> 00:34:17,998 And now it's saying SELinux status is disabled. 
572 00:34:18,094 --> 00:34:25,150 So you could run ls -dZ on my home directory, 573 00:34:25,770 --> 00:34:29,494 and it will still show that it has the 574 00:34:29,532 --> 00:34:34,621 label on it because before it had SELinux enabled. 575 00:34:34,706 --> 00:34:38,373 But this whole label, please make sure 576 00:34:38,411 --> 00:34:40,730 this whole label is not enforced. 577 00:34:40,790 --> 00:34:43,318 Right now you can move this spot anywhere and it 578 00:34:43,344 --> 00:34:48,754 will work based on the permissions which is defined here. 579 00:34:48,792 --> 00:34:50,614 And this permission is what, it is 580 00:34:50,652 --> 00:34:55,078 DAC, Discretionary Access Control, not through 581 00:34:55,164 --> 00:34:57,540 MAC, which is Mandatory Access Control. 582 00:34:58,230 --> 00:35:02,469 So anyway, this is the whole topic about SELinux. 583 00:35:02,909 --> 00:35:05,806 Again, as I said, there is a lot more 584 00:35:05,928 --> 00:35:08,565 than what I have covered but it gets into 585 00:35:08,628 --> 00:35:12,350 really nifty and green down in the weeds. 586 00:35:12,469 --> 00:35:14,966 So if you wanted to know more about SELinux, 587 00:35:15,038 --> 00:35:21,373 I have included in this section the entire guide, 588 00:35:21,542 --> 00:35:25,681 the configuration administration user guide on SELinux. 589 00:35:25,766 --> 00:35:27,898 So please, I would definitely recommend you to go 590 00:35:27,924 --> 00:35:31,666 over it, read about it, and hopefully you get 591 00:35:31,788 --> 00:35:33,940 all the answers that you're looking for. 592 00:35:33,940 --> 00:35:35,232 [No audio]