From YouTube: Red Hat Enterprise Linux Presents (E15): SELinux Primer
Description
A show that features the people and technology that make Red Hat Enterprise Linux into the world’s leading enterprise Linux platform.
B: Chris, for the audience's benefit, I would like to point out that Scott said, literally 10 seconds before we went on air, "what could possibly go wrong." So everything will.

C: So I thought today we might... so, last show we talked about directories and file systems a little bit, and I thought that maybe a good kind of dovetail to that subject would be SELinux, because they're kind of related.

C: Yeah, so why don't we just start off with just a little bit about what SELinux is. SELinux is a component of the Red Hat Enterprise Linux kernel that applies contexts to files, ports and processes on the system, and then has a just enormous rule set that describes what should be given access to whom. So, like,

C: if you are a web server process, you're running with a context, and based off of that context there's rules that say web server processes should be allowed access to the following kinds of files and be able to open and connect to them, this type of port on the system. Yes, and so we manage that just enormous set of rules through something called the SELinux policy, and then all the little components kind of fall into place. And so, just start diving into that, if you would like.

B: Yeah, I just want to point out, folks, that the most recent Kubernetes or runc vulnerability (runc being the container runtime underneath everything that basically runs in a container these days), the vulnerability was stopped dead in its tracks if SELinux was running in enforced mode, or enforcing mode, I should say. SELinux is an awesomely powerful tool, and if...
C: The other thing that will make your life easier is if you recognize that you should just put things where they're expected. Like, if you do that, oh, and run things where they're expected, right. So don't, don't have your web server attached to some wonky port number, because that's going to create problems, but if you attach it to port 80, port 443, things will just work based off of the default SELinux policy. And if you want to veer from those defaults, you can.

C: But you need to know more, yeah. So.

C: Oh dear, all right, so first I will say: let's just take a look here: sestatus.

C: Right, so I think this one is probably the most important right here, right, we're running in enabled mode. The other thing that would be important is the policy that you're using. Again, this is the set of rules that get loaded. We ship with several, but the default policy that we use is called targeted, because it targets specific services but leaves anything outside of that list as unconfined, right. So processes that don't come with RHEL are going to run without any SELinux context applied to them.

B: Not familiar with the interface Scott's using right now? This is called Cockpit. It's part of RHEL and has been part of Fedora for a while now. It gives you a web-based terminal as well as, as you can see, everything on the left, a number of options that you can choose from to tweak your system as desired.

C: Yeah, and you'll notice that there's an SELinux option down here. There is, which actually gives you some stuff. So for this one, right, sestatus was what we used on the command line. You could just look here to see whether SELinux is turned on or off, right, and we'll get to some of these errors in a minute, but yeah.
C: Wanting to look around at kind of what the components of the system are, there's an extra option included in a lot of the commands that would interact with SELinux: a capital Z. That will show you the SELinux context. So, for example, I can ls -Z, and what that adds is this field here to our output, and that's the SELinux contexts of these files. So I did a listing in root's home and you can see that they're admin_home_t type files, and if I did something in...

B: Over here uses a dot character to indicate a file with an SELinux security context. There you go, there you go, so over...

C: Here, over here in /etc, we have etc_t type files, we also have system configuration, or system_conf_t, type files, and so these are the SELinux contexts that have been applied to files throughout the file system.

C: All right, so while that installs, let's see what other basics do we have? Oh, we'll have to know the log file we'll look in, and yeah, we'll get into reading some of those logs in a minute.

C: Oh, is that... no, because that's for audit. I think we want to look at /var/log/secure, if I remember correctly, but we'll take a look.

B: You need to give your squirrels some stuff.

C: And that was going to be, and that's why I was actually starting with httpd, because I think that's a fairly common use case where people don't put stuff in /var/www/html.

C: To something like that, we could use the semanage command, I think, to add what default context should be assigned to stuff put into this weird directory that we just created for our web stuff. So, so, yeah. Let's, let's see what happens if we chase that down the whole... all right, let's see.

C: Except it's running on another box which has one browser tab. I'm looking at it, it's got one browser tab, it's debatable! No, actually, the reason it takes so long is because I've been really terrible about being connected to the VPN and making sure that I have all the updates, yeah, yeah, and so it's...

C: And I heard that they pushed RHEL 8.4 into our internal Satellite repos.

C: EPEL is an extra repository that I have enabled, so I've pulled all that. That one's also pretty large, and I think this is the RHEL, including 8.4 metadata.
C: Sorry, I was, I was giving Chris... I was harassing him because he has physical keyboards scattered around his office. Okay, scattered is probably over...

B: It's not scattered there, they have a front desk and a back desk. The back desk is like the non-main computer; there's, there's a Fedora box and a Mac back there. They are used for specific things. This desk, that is on wheels and can move around and has a nice camera and mic attached to it, is used for work things like this channel, so I don't want to use a program that would allow me to use the mouse and keyboard on the screen behind me, because I can't see it.

C: Oh, all right, so finally we're back on track. So I'm running Apache and we can see that my Apache daemons are running with httpd_t type, and let's do... what's the loop here.

C: All right, so Apache is given access to several types of files in its context, or its SELinux policy rules. But one of the types is this httpd_sys_content_t, right. That means it's for web server content, and so, I don't remember who was pointing this out in our chat.

C: But if we look at a randomly created directory, right, it is this type, not httpd_sys_content_t type. So if I go in and I update my configuration for Apache and I tell it to share content out of this directory, it's not going to work, because when it makes the file open requests to go into this directory and start sharing files, it's going to violate the SELinux policy, and what's going to happen is the kernel will simply refuse to offer that action

C: that Apache is requesting. All right, and we can see that. Let's do this, let's see what I have here in my own directory. If I move...

C: So on RHEL 8, which is what I'm using, dnf and yum are actually the same.

C: That's not one of the kinds of contexts httpd_t type processes are permitted, and so to the requesting application, the Apache server, it was simply told, no, you cannot have that action, and then the Apache server interpreted that return from the kernel as forbidden, which the unknowing might read this error and go, oh, it's a permissions thing, right, because it's forbidden and that's a permissions error. But right when we...
C: will look at a configuration and we'll look at the holding directory, in this case /var/www/html, and go, okay, if someone was to place a new file in this directory, what context should it be given? And I'll just take that context that I would normally apply to new files, and I'll go ahead and adjust this file you pass me as an argument to make sure it's the same.

B: Is like, this is not the first time SELinux has stopped a Kubernetes vulnerability dead in its tracks, yeah.

C: Right, all right, so we could have also manually adjusted the context as well. So for that there's chcon, and there's actually several components of a context. There's the user component, that's the first piece; the role component, that's the second piece.

C: The third piece is the type. Those are the three big ones, and then there's two additional but optional contexts, which is sensitivity and category. Sensitivity and category is used if you wanted to maybe have a much more grandiose setup where, in addition to the process being looked at, it should be what user is the process running as, or does that user have the right security credentials to access this sensitivity of file, and so in a place where information might be offered at various levels of security clearance, for example?

C: That's where sensitivity and category could come into place, because just because you are certified for secret information doesn't necessarily mean you get access to all secret information across the entire organization. You should still only get secret information that's in your specialty or your purview of ability.

B: Don't have to remember all that fun stuff, right, which it's all very important and valid at some point in time, and you know, while you're using SELinux, but like restorecon is just like, all right, I'm going to make sure this entire directory is good to go, now off you go, right. Like I can just basically say inherit and go.

C: Right, and so there's not just one context that it's given access to, there's, there's a variety of them.

C: Man, oh, public_content_t type files, that's something that is just like any service should have access to it. So, like, an FTP server, for example, has access to public_content_t, or NFS server stuff has access to public_content_t.

C: I said that if we created this random directory, right, it's not in the place where Red Hat normally expects it to live, so it's not going to get contexted correctly, and sure enough, right, it's default_t, and Apache does not have access to that. We can prove that by going through and redirecting stuff there. So.

C: Mess around with virtual hosts and some stuff right now: okay, cool!

C: All right, so earlier, when we created the web directory, we had changed its context and then it worked, right. It was getting access there and everything was cool. When I put a file inside of that directory, it also got this default_t context, which Apache is not given access to. So what happened was my client requested the index.html, the kernel refused it, so Apache then served up the test page instead.
C: Because it's not looking at the context of the directory that owns it, right, to make the decision. It's actually looking at another set of configuration on the system to figure out what it should do, because /web isn't in that other place, it's default_t, yeah, yeah. So let me figure out the command to look that up. s...

C: All right, it is semanage fcontext, I think.

B: Yeah, I forget the syntax. Now I just saw you, that's what's said.

C: I create subdirectories here because, like, but maybe have some JavaScript app or something else that should live here. That directory and any of its children directories, they'll all get contexted with httpd_sys_content_t, and if you need to do something like make those script types, you could create an additional semanage rule, or a file context rule, for that subdirectory that should get a different context to assign the stuff that's put in there.

C: Yeah, let's do this, Ctrl-C that, we'll do our list again and grep it for www, we'll see what it's currently set to in regular.

C: Nope, still no. All right, well, I don't know, I have to look it up, yeah, it's... What I was thinking was that the ordering inside the file context settings might be wrong, like we need to do the more specific directory first. That's why I deleted them both and then added them back in the wrong, or in the opposite...

C: But that's not, that's clearly not the problem, so something different. So, yeah, maybe that's, maybe that's foot down trying to do multiple contexts, things get harder, or maybe it's that if you do a chcon -R or a restorecon -R, things can get a little bit wonky, weird.

B: And I should point out, in the docs it says you can use individual domains to set things as permissive versus not permissive, or enforcing. Again, that's another thing where it's like you're playing with fire if you don't do that right, you know. So SELinux is very flexible. You can configure it however you see fit, but as you're doing that, you have to make sure that you're not creating a security hole in the...

C: process. Sorry, before we were talking about looking at logs, since I'm trying to introduce an error state so that we could find where that log is. There you go, because that's the other piece I think that's important to know.
C: So this guy right here, this block,

C: is actually descriptive about what our problem is, and so the first thing is, it says SELinux is preventing httpd from read access to this file. It gives me the file name, and then, if we wanted more information, we could run this sealert command.

C: Nice, all right, so let's do this sealert command. Every violation is given a UUID.

C: Is this, and then it tells me that down here at the bottom, that that was denied, the thing was trying to do, and then gives me a little bit further detail on it. And so that's how you can look at your logs and see that there is an SELinux problem: because you see this giant pile of SELinux error messages, you suss out that sealert and just look at the specific alert message for your, your thing. And this is the raw log message that you might see on older systems as well, and what it's telling you is: here's the command that was making the request.

C: So, and you know, let me grab that.

C: So if you are a service, according to SELinux policy, you're allowed to bind to these ports, nice, and primarily it's these, right: 80, 443.

C: Well, and, and you had mentioned at the top of the broadcast, Chris, that 8080, oh, that's in there, that's right, and 8443 is in there. But what if we want to do 8081?

B: Let's... that would fail epically unless you did something.

B: Wonder what the log says about that? Well, let's see.

C: So when you know what the primitives are, right, your process context type, your file context type, your port context type and the policy that kind of controls the intermeshings of them, you can then make better decisions on how to approach fixing this SELinux-related issue, besides setenforce 0.
C: There's actually stopdisablingselinux.com.

B: I, I've shared that in chat a couple times now. It's actually written on the back of this shirt. The, the message behind it is quite funny, though, if you're not familiar: Dan Walsh at NSA...

B: Well, while he was working at NSA; he now works at Red Hat. He actually developed SELinux so that Linux could be used in more secured environments.

B: If it had not been for Dan's work, SELinux would not exist, or it would be called something completely different and work completely differently, maybe, but yeah. Thank you, Dan Walsh, for SELinux. I remember reading that original NSA brief when Dan first wrote it, so way back in the early 2000s.

C: Yeah, well, phone books are difficult to come by. I don't.

C: So do we have any other questions in chat before we close us out?

C: So you can see.

C: Off you go. The other stuff is we're looking at errors through the command line interface and log files.

C: Actually read an article for, what is the periodical, hostingadvice.com.

C: There we go, and the, the journalist was originally asking, like, why did you do this, and how did you come about making these decisions? And, like, I think at some point we realized that we were trying to create a Windows-like experience for administration, but Linux is not Windows.

C: Right, and at the same time, you know, Windows and Microsoft were like, wow, it'd be really great if we could have a scripting language that we can apply across all our boxes, and they came up with PowerShell. And so, like, we were trying to do things their way, they were trying to do things our way, and at some point we're like, wait, what? Why are we trying to do things like that, when our operating system doesn't actually kind of lend itself to that method of management?

C: The commands are the same, yeah. We've done a good job of kind of preserving that lexicon and carrying it forward through every version.

B: We are signing off for the day, so please tune in tomorrow morning for the Data Services office hour. We'll be talking about encryption and using external key management services with the OpenShift Data Foundation toolkit, or OpenShift Container Storage, as it's still called, but the name is changing in the soon-to-be-released version. Yeah, so stay tuned tomorrow, folks, and when in doubt, check out the streaming calendar, give it a subscribe, and that way you can know at any given time where to go to tune in to OpenShift.tv and when to do it.