So welcome everybody. Good morning to all of you. Today, the last day of DEF CON, let me introduce you to Simon and Lukas. They're going to give a very interesting workshop about SELinux and how to write policies. So I hope you enjoy it. Thank you very much.

Hi everyone. Can you guys hear me in the back? Okay, cool. So my name is Simon Sekite. I'm a solution architect with Red Hat. I work in the federal DoD space. And Lukas is a policy maintainer. So what we're going to do is walk you through how to write an SELinux policy. This is pretty much a hands-on class. So if you have a Windows laptop, we have a recycle bin over there. Other than that, we're going to pass out some USB keys so you guys can follow along. This is actually split into two parts. We have the boring theory and then we have the hands-on, which should be the takeaway for most of you, because all this other stuff you can probably Google. So whenever you're ready, we can get started. Sorry? You've been ready a long time. Okay, cool. That's awesome.

So the materials are available here. But other than that, we have a few USB keys. You can pass them along and just install. It's basically an RPM that we'll be using to write the policy. So I'll start here and then... Oh, okay, sorry. So the people online can probably get this right. It's not found. The link is dead. Oh, come on. Well, at least you have the USB keys. Yeah, all right, let me skip that slide. It will work on Fedora 24 and 25. Yeah, 24 is okay. Okay, so it will work on Fedora 25, right? It will work on Fedora 25. It will work on RHEL. All right, so while you're copying that, let me bore you with the theory part, and then once everybody has the RPM, or the tarball, on their laptops, we'll get started.

All right, so here's the agenda. Basically, we're going to tell you how SELinux works, and what SELinux policy actually is.
Then the M4 macro language, which we've been using since RHEL 4, and then the new policy language, which you'll be seeing shortly. And finally, we'll talk about custom modifications and go through the writing-policy example.

So a lot of you have heard people ask, what is SELinux? I think that's the wrong question. The right question is, what does SELinux do for me? A lot of people forget that the SE in SELinux stands for Security Enhanced. So think of it as an added layer of security on whatever you have on your system. In the old model, prior to SELinux, we had discretionary access control, which was user, group and others. With SELinux, you have mandatory access control that adds an extra label on top of your discretionary access control. So you have your users, your read, write and execute permissions, and then you have the SELinux labels that are appended onto those.

Interesting slide, right? This is what makes people feel SELinux is complicated. But in reality, it's not. The default policy is to deny. If a rule exists, then whatever you're doing will be allowed. This just tells you what happens when a user-space process makes a system call. It goes through a few checks and balances, and then you'll either get an allow or a deny. So it's either/or, and it also depends on what mode you're in. If you're in enforcing mode, the default is to deny. If you're in permissive mode, access will be granted, but the error message will be logged.

All right. So as I indicated earlier, it's an added layer of security. What is this added layer of security? If you've ever done an ls -l, you'll notice there's a dot at the end of your output. That is an SELinux attribute. And if you run the getfattr command, as this example shows, it will actually show you what the SELinux context is, what the full label is.
So we'll break this down further. You have your user, you have your role, and then you have your type. And at the end, you have the security level or sensitivity level. In targeted policy, which is the default policy that we ship, you pretty much ignore the user and the role and only focus on the type.

Here's another example of how to get the SELinux context. You can run stat on /etc/passwd. I think if you're running RHEL 7 or RHEL 6 you have to add a flag onto the stat command to get this, but other than that it will list not only your discretionary access controls, it will also list your mandatory access controls. And you've probably seen the flag at the bottom, ls -Z, capital Z, to get the same context.

Process labeling. SELinux is all about labels. You've heard Dan talk about it, you've heard Miroslav talk about it, you've heard Lukas talk about it. Always about labels. Labels on everything. Processes, devices, files, everything. This is an example of the Apache process and its type. So when you start Apache, it technically should end up as httpd_t.

All right, I pretty much covered a bit of this, but we'll go into detail. Quick reminder: you have your user, your role, your type, and the sensitivity. Unless you're dealing with MLS, multi-level security, or multi-category security, which are enhanced versions of the policy, just focus on the type. The _t is all you look at, otherwise things get a bit crazy. In multi-category security, we look at roles and users. In MLS, we look at everything plus the sensitivity levels, and there's a little more to that. You have your categories and the sensitivity levels, top secret, secret and so forth, but again, that's outside this workshop.

Our basic rules are allow, dontaudit, some auditallow rules, which we'll talk about later, and neverallow rules, which are usually shipped by distributions.
You will not see any neverallow rules because they're turned off by default in Fedora. Here are a few examples. An allow rule: allow a user to read bin_t, any program file. Or dontaudit CCST writing to program files. Or auditallow sshd to open files in its ssh home. Hopefully by the end of this workshop you'll be able to understand how to read this stuff, or look at it with a few of the tools we have.

This goes to my next slide. This talk is going to get a bit technical, but my ask for you guys is to do everything you can to remember sesearch. Without sesearch, I wouldn't be able to read policy. I don't know about these two guys, Miroslav or Lukas, but it actually helps break down a better understanding of what an object or a type is doing. This is a clear example. You want to find out what Apache can do, or if Apache can read Apache temp files. And it will actually tell you: this is what Apache can do if presented with an Apache temp file. It can do an ioctl, it can read, it can getattr, it can lock, it can execute, it can execute without a transition, and it can also open the file. So when you run sesearch, and I haven't memorized the flags, -s is the source, -t is the target, -c is the class, and -p is the permission. And -A is allow, so we are trying to find just the allow rules. I've never looked at the man page. Never mind.

All right. Here's another example. So -T finds the transition rules. Same concept. Now, you can also look for all dontaudit rules. Just remove the -T and do --dontaudit. So if you ever want to know if a file is allowed, or if something it's doing is not kosher, run sesearch to actually see what types are allowed or denied by the executing domain.

So where do these rules come from? Anybody know? They come from space. They come from space. They're actually from the SELinux policy packages.
So when you download an SELinux policy package, it will install what we call base policy. So you have the base policy, but then we have all these layered products. We have OpenStack that ships its own policy. We have containers that ship their own policy. OpenShift and so on and so forth. So if something isn't in base policy, chances are it's probably shipped as an independent policy package. I believe I covered this piece.

All right. So when we talk about base policy, I guess what's missing on this slide is the .pp file, because if you compile the type enforcement file, denoted by .te, the file context file, .fc, and the interface file, .if, you get the .pp file. The type enforcement file is basically the heart of the policy. It's what defines what the policy does. File context is the paths the policy has access to. The interface file, think of it as a registry or a reference guide to certain macros and attributes that are part of the actual policy. So, like I indicated, our base policy contains components for the kernel, systemd... basically any package we ship should have a policy package, or should be confined, if you've heard that term. And I have to rephrase: we do not ship policy for third-party components. So you're probably in this workshop because you have third-party packages you want to write policy for, and that's the whole purpose of this exercise. We'll show you how you can do that, and then basically submit it to Lukas or Miroslav and hopefully get it included in the base policy. Or if you're adventurous, you could submit it upstream, and again, they're the decision makers.

All right, so if you look at a... Let's go back. If you pull down the selinux-policy git tree, this is what you'll see. You'll see that every module has those three files, those three distinctions.
You have the file context, the interface file, the type enforcement file. So there are always three files for each one. And today, with the M4 macros, this is what a .te file, a type enforcement file, looks like. A lot of complicated stuff, but believe me, it's getting easier. You don't need to memorize any of this stuff. Again, I forgot to mention, if you have any questions, stop me, because I could talk all day.

This is an example of a file context, a .fc file. Basically it's defining that the path /usr/share/w3c-markup-validator and everything under that directory will be labeled with the W3C validator content type, the _t, with the sensitivity level. And this is an interface file. So the interface file basically defines attributes. The whole objective of the interface file is so that you don't have to type so much; you cut down the lines you want in your policy file. So I could type a lot of... for example, the MySQL domain transition interface basically says that when you execute mysqld_exec_t it will transition to the mysqld_t type, and it's just mysql domain trans and so on and so forth. I guess we didn't include where you can find the definitions for this.

An M4 macro is pretty much what you've seen. M4 has been around a long time. If you ever started using Sendmail and had to configure Sendmail from scratch, that is M4. You may not have known it then, but it's the same concept here, and this is what it looks like. So when you look at policy and you see something that says rw_files_pattern, that means it's allowing the domain, the first object and the second object to search the directory, and the file to have read/write file permissions. Think of it as a way to shrink policy as opposed to having one long extended line. Here's another example. When we define getattr_file_perms, that means we're just doing a getattr.
When we do read_inherited_file_perms, that means we're doing a getattr, read, ioctl, lock and so on and so forth. And as I indicated, M4 policy needs to be compiled, so you have those three files, you do a make, build the .pp file, install the .pp file, and hope stuff doesn't blow up. Most of the time it doesn't.

This is an example of the sandbox policy file. So we have a request. This is actually the most important statement. This pretty much defines what it is. Then the require basically indicates that this is type sandbox_web_t, and then the attribute, it's a userdomain, and then what permissions we are allowing it. So remember, this is an allow statement. We allow sandbox_web_t to connect to any stream sockets. If you want to know what a userdomain is, you can use another command called seinfo. If you pass, say, seinfo -xa userdomain, it will list all the user domains we currently have in policy.

All right, and this is an example of how we currently build policy today. So if we make changes to the sandbox policy, we run make, it builds the policy file, and then we go ahead and install the .pp file.

Do you want to talk about CIL? It's pretty simple. So this is the future. SELinux policy is growing up, just like everything in life. So CIL is the next big thing. Today you're going to struggle with M4, and then once you look at CIL you'll be like, why didn't we think of this before? CIL was introduced in userspace 2.4 and brings a lot of improvements. I don't know if you've seen the previous talks, but improvements in loading policy, and loading policy is pretty much the biggest. I would let Miroslav expand on this, but he has a talk on it. Oh, we have it on the slide. Yes, performance gains, 75% speedup. Easier to provide your own SELinux policies. We assign priorities to modules now.
Before, if you had to edit a .pp file, you had to remove the original, and then if you had to edit it again, you removed the original again. So you'd lose count of how many times you'd edited the file unless you went back and kept changing that number at the top. But now with priorities we have the base priority. Is it 100? Yes, the system priority is 100, and if you load your own module you get priority 400. I'll show you. Remember the name: Common Intermediate Language, CIL. And I think we have an example. Yeah, that's it. So think of CIL as an expanded .pp file. Remember, the .pp file requires the .te, .fc and .if, and then you have to compile that. With CIL, this alone is a module, and all you have to do is install the module. So our previous command, where was it? This rule we wrote in today's fashion: we modified my sandbox module, then we had to remove the original, then we had to make the file, and then we had to install the module. With CIL we could just cat or echo that one line, and it's the same, and just install the module.

And I pretty much explained these three modes. You have enforcing, which is the default. You can't debug in enforcing mode unless you're really, really good. And then permissive mode, which is the debug mode. In the early days you'd have to put the entire system in permissive mode. Today you can put just the domain in permissive. You don't have to put the entire system. You need to work on Apache? Instead of doing a setenforce 0, you just run semanage permissive with the appropriate flag and put Apache in permissive mode.

And where can we find these logs? This involves troubleshooting. It's usually still the default log, /var/log/audit/audit.log. How do you parse these? You do an ausearch. I always put a -i, depending on how many you're looking at. You may get mixed output. We don't have an example, but you guys are probably done. Do you guys all have the package installed? No? Sorry?
Can you show a bit of the slide with the package you're using? Yeah. There we go. I'm going to give you sesearch. Remember, your takeaway from this: sesearch. And then policycoreutils-devel will give you all the other stuff that's needed to compile the policy. Any questions before we... All right, I'll let Lukas take over.

Okay, so... I created one simple service. It's fictitious, and it's on your PCs and computers, sorry. And we will write the policy for it in the M4 macro language, and then we will compare it with CIL. As Simon mentioned, CIL is still the future, and I think it will be better to write it right now in M4, and it's simpler, than to switch to CIL. So our daemon will connect to port 18 to my Arizona blog. Then it will log some messages into the journal. It will create a pid file, and read /proc/meminfo. And then we have one surprise. Okay. I'll be too fast. Please just stop me.

Before we get started, everybody has the package installed. So there are two ways to do this. You can actually do it in real time, or Lukas will give you an example of how to go through it. If you need help, I can walk around the room. Just raise your hand.

There are rules on any type of package because of the internals. The Wi-Fi here is... They weren't on this? No, it's true. We have... I get this. Yeah, I can do it. There are quite some differences. Lots of differences. My password is 200 bytes, so... You have a hard wire. Yeah, but there are a lot of dependencies. Each one? Yeah, I have a lot of dependencies. I don't know if we do a dnf download and it will pull them down. And just put them in. It will take a lot of time. I can... Sorry? Okay. Go by. Both are RPM packages. Which one there has other tools? Six percent. Okay. I guess... I'm afraid that somebody... This looks safer. All right, so anyone who needs the two packages? We have them on here. That's also the SAE. Yeah. Yeah, I guess it pulls them all and puts it going through the...
Yeah, that's... All right. Anyone else need packages? I think it was a close... I see them explosive... Yeah, thank you. I think it's... Oh, so you should download that... All right, so anything deviant? Oh, sorry. We need... We don't have that policycoreutils-devel, and as it moves... Once more. Okay. Okay. You stay over here. Is it ours? Yeah. We'll see. It's gonna... We'll probably... We can start. Yeah.

All right, so it's apparent some of you don't have the good toys, so you're going through dependency hell. I thought you needed two packages. So we'll get started for those of you who have the packages. Again, two sessions are recorded. The slides will be available. And whenever you're ready... Here. Okay, so I need to move it to... Let's show the slide.

Okay, so once again, we will create the SELinux policy for a fictitious Linux daemon. The important thing is that it will connect to one port, then log some messages into the journal, create a pid file, read /proc/meminfo, and one surprise. So maybe the better idea is to switch to the console and write it. Okay. Can you see it, guys? Is it okay? Probably. I need to make it bigger. This will be better. Yeah. Just... Ctrl-plus. It's not working. Okay, cool. This is better.

Okay, so I need to connect to the virtual machine... Okay, so I have this daemon called defcon2017 already installed in my system. We can check its status. Okay, so it's loaded but inactive. So SELinux is in permissive. Oh, we can switch it to enforcing: setenforce 1. Okay. Let's start it. Okay, and right now it's active and running. We can check that it's already writing to the journal. Okay. But what is interesting is that we can run this command and check for the defcon process. Yeah, cool. And we don't have a policy for our service yet. So it runs in the unconfined_service_t domain. Right now SELinux is in enforcing mode. I can type it one more time. Yep. But for this service SELinux is not in the game. Why? Because we don't have a policy. Okay, let's...
Okay, it's here. Yep. And in the workshop directory there is another subdirectory, policy, and open the defcon2017.te file. Cool. So this is some kind of template. So we have the policy_module macro. We can call it this way. And here we are declaring the type defcon2017_t, which is the type for the domain, for our process. Then we're also declaring the type defcon2017_exec_t, which is the label for the defcon2017 binary. And then this is a macro that indicates that defcon2017_t is a daemon and it will run under... there is a transition: if init_t, which is the label for the systemd domain, executes this file, defcon2017_exec_t, there will be a transition to defcon2017_t. I'll show you with sesearch. So let's type sesearch -T. Sorry, where is the procedure? Sorry, another problem. It's just these few lines, so you can rewrite it. But you have it there, yeah? I've got it there. The policy... The packages are also on there. All that. Okay, so, do you have it? Yes? No?

Okay. So I'll write... I want to create a policy for a service for my system. This is the basic of what I need for the service running on the system. Yes, this is the minimum policy with just a few rules, and it will append our file. This file can also be generated, but I want to show every line of it, so we will show the policy generator later. So, can I continue? Yes? Go.

So I need my computer. Okay, so let's type sesearch -T -s... -s means the subject, the source type. And we will type init_t. Then -t is defcon2017_exec_t. Okay, so... yeah, there is no defcon label, so at first we need to load this policy into the kernel, so we need to make it: make -f /usr/share/selinux/devel/Makefile, and the name of the module will be defcon2017.pp. Okay.
Maybe I can clear it and show you the command if you want to follow along with me. Okay. And now we have the policy also in binary representation, defcon2017.pp. Also the make command again. Yes, sure. Okay, can we continue? Yeah. Okay, as I said, we have it in binary, but we need to load it, so the next command is semodule -i defcon2017.pp. Oops. Okay, so again I'll clear it and show you just the right command. If... Can I continue? Cool.

It normally takes, I don't know, 20 seconds to load or so. Sorry? Does it normally take 20 seconds to load or so? Yes, because it's very small... If you looked at the .te file, there are very few lines. So if there were a thousand lines then... Yeah, but I mean it took, I don't know, 10 to 20 seconds on my laptop to load and execute this command. Because you have a very... Because the policy file is really, really small. Actually, that is really lucky, because I gave a similar workshop seven years ago and it took two minutes. So you're saying that 20 seconds is fast? Yeah. Wow. It's fast compared to the previous, eh? It's not. It really took two minutes, so... We're evaluating. We are. I think the comparison is really great, from two minutes to 10 or 20 seconds. It's not fast. Not quite fast. From the previous stage. I haven't said that yet. And there is still a bigger area to improve. Thank you very much.

Okay. Let's check if our module is loaded. So I just type -l and I'll grep for the defcon2017 module. And as you can see, it's here. Okay. I'll tell you just one more thing in the .te file. It is this line: permissive defcon2017_t. This is very useful when you are writing policy, and it's useful for debugging, because SELinux can be in enforcing mode. As you can see, it's enforcing. But just this domain will be in permissive. So your debugging will be quicker and you will see many more AVCs, which is good. Okay. Let's move on. A quick question. Yep.
If we want to make that enforcing, we need to recompile it without the permissive line. Yes. Yes. If you need to remove it, then recompile it. I think... Yes. You can use semanage. semanage permissive -l. Let's see. And this should show you the permissive types. As you can see here, defcon and tlp. This is good too, but I prefer to remove it and recompile it, for future reasons... Yeah. I'm just asking, because it's permissive all the time, and you want to put it in enforcing mode, so it has to be recompiled without this line. Yeah. So the thing is that when we... we cannot... Correct. Check this. I would like... Basically, the better option is... Do I want to define the permissive type in the .te file, or just use the semanage permissive command? semanage permissive -a. Yeah, I know. I understand. Maybe you... Maybe because you define... I'm more worried about it, I understand. Yeah. To be honest, I cannot read it clearly, because it's too huge here, so...

Okay, so this was the .te file, and let's move on to the file context file. Oh... Maybe right now I can make it smaller. A little bit. Oh, never mind. Oh, this is better. Okay, here is the path to the binary, /usr/bin/defcon2017, and here is the definition of the context. So we can see that this file will have this context, system_u:object_r, and the most important thing is defcon2017_exec_t. You see? But there is always a but. From the policy's view, you can use matchpathcon /usr/bin/defcon2017. Policy sees this path with the following context, but if I type ls -Z /usr/bin/defcon2017, you see that the type is bin_t, which is some kind of default type for /usr/bin. Okay, so what do we need to do? We need to restore the context. So we do restorecon... I'm sorry, every user.
Okay, and there is some other stuff, but the important thing for us is this line: restorecon reset the label from bin_t to defcon2017_exec_t. Okay? So... I just don't want to write this. Yeah. Yeah, okay. I just need to... It's hard. Yeah, it's really hard. Yep, okay. So right now the context looks good. We have the policy loaded, and let's start it again. So systemctl start defcon2017.service. Okay, let's check it with status. Okay, so the service is active and running, and let's check the context, or domain. Okay, cool. So this is the output from ps, and you can see that the daemon runs in the defcon2017_t domain. So right now we have a domain for SELinux, and SELinux is in the game for this service. Any questions? Okay, cool.

So let's say our system right now is in enforcing mode, but this domain runs in permissive, and let's check for AVCs. So I will type ausearch -m avc. Do you have the command? And we have a lot of AVCs. I need to make it smaller, because we probably cannot see it. Okay, this is much better. So let's start with it. As you can see, there are a lot of AVCs. Maybe I can type -ts recent. So this will show me just AVCs from the past 10 minutes. Yeah? It's output from the audit daemon. Who asked? Sorry. Yeah, it's output from auditd, and it's some kind of message that SELinux denies some action. Yeah, okay. Cool. Yeah, but if you want the definition, it's access vector cache. Yes. If there is an operation and there is a decision, as you can see in the panel, we store this decision in the access vector cache. Am I correct? Yes. And all these decisions, if you have the audit daemon enabled on your system, all these decisions from the access vector cache are logged in this output, you can see that. See that? Yeah. Okay.

So now, thank you, Mirek. Now we can describe one simple AVC, but I need to choose a nice one. Probably I can... Okay, cool, I want this one. So this is a typical AVC.
The important thing is that some action was denied. And the name of the command is here, defcon2017. That's important for us. And the source context is here. And the important part is this one. Basically this AVC says that the defcon2017_t domain is trying to add some file called defcon2017.pid with the following label, var_run_t. So we can find where it is. And if you... I have a question. It's audit, the message that was audited, and this is like a timestamp. Can we find the actual time? I don't know if it works. The audit log and this timestamp of the execution of that denied action. Yes, you can find it, but... I don't know what you are asking. Or Paul? Which one? Sorry, I... Sorry. Yeah. And right now it's here. Cool. Thank you, Paul.

Okay, so let's find where this file is. We can see it's some kind of pid file and the target type is var_run_t. So probably it will be somewhere here. Let's check the label of the following path. And it's... Sorry. Yep. And you can see it... Can you see it? And it's here. So probably somewhere in /var/run will be our file. Yep, and it's here with the following context. And also you can see the sesearch from the last time, where I put init_t, will be defcon2017. Exactly. Oh, no. It needs to be -T, because it's T as in transition. And right now you can see that we have one rule. It's a type_transition rule: that the systemd label, init_t, will execute the following file with this label, defcon2017_exec_t, and the process will have the defcon2017_t domain or type. So this is great.

Sorry for interrupting. What does the type transition really mean? Type transition is... I can explain. So let's head and run systemctl status defcon2017. All right. Sorry. The type transition. So if you look at this, I don't know if it's running or not. But anyway, so defcon2017 is basically systemd executed the file. And then once it executed that file, I don't know why it's saying failed here. I don't know if it's running.
It wasn't running. When it executed the file, basically what happened is it transitioned and became a process. Remember the... So if I do a ps -eZ, I will see... If I add more flags, you'll actually see the path, the executable, the user label, system_u:system_r:defcon2017_t. And the type transition means that init, which is systemd, once it executed defcon2017_exec_t, it transitioned to the process defcon2017_t. That means that if we started the daemon manually, it would not have this... Exactly. Exactly. So always start the daemon with the service script. That kind of scraps all the other messes and helps transitions happen. And this is both for init, daemon, domain, or command. Yes. It's better. Yeah.

Anyway, if I'm not... For example, I have some service policy which will allow something that we already have. Yeah. And by doing it from the systemd side, start service, we have the transition. But when I do it manually, we do not have the service. Yeah, the transition will not happen. But SELinux should also block this kind of operation or not, when I do it? So it won't block it, but you won't get defcon2017_t. Okay. You'll get unconfined_service_t. Okay. And then there's another thing we could do: if defcon2017_exec_t or defcon2017_t were to execute another file, we could block... we could just allow it to execute the file but then deny the transition. That's why you get execute_no_trans. Thank you.

I'm struggling with your keyboard. What are you doing? Sorry, man. I wanted to look at your keyboard layout. Yeah, but you need to start it again. Oh, it wasn't running. Yes, sorry. Start the service and you can type it again. Okay. It's here. So if you add another flag, I think it's... Just right. What do you want? Yep. So you see the user level, system. Mm-hmm. Okay. Yeah, you can continue.
Okay, so let's move on with writing. So I try again, and when I type ausearch -m avc, it is... So we have a lot of AVCs here. Let's make it more readable with audit2allow. Yeah. This tool is really, really dangerous, because it generates allow rules, SELinux allow rules, from the AVCs. But you need to think about these allow rules, because you can allow what you don't want to allow. And it's not good. Yesterday my colleague Vitya had a really, really nice example in our talk. So if you didn't see it, just check it on YouTube.

So let's check what's going on with the daemon. I'll start with the last one. You know that we see that defcon2017_t is trying to open and write some file in var_run_t, and it's a file, and we know that it's our pid file. So let's create another transition so that defcon2017_t will create this pid file, but with a different type than var_run_t, because as you can see we have a warning that this is a base type. So we don't want to allow defcon2017_t to write to all var_run_t files, because if you want to see the... Yeah. Why is it? Because the exec_t is the label for the executable binary. You see? Check this user. So the part you missed was the transition. systemd executes exec_t to give you defcon2017_t. You see? It's here. Yeah, it's the other way around. Yeah. Yeah. And it's again with sesearch. Yeah, you observe that. You see? It's here. Okay. Oh, yeah. Yep. Of course.

So we have some, you know, all of the stuff is out for some reason, but my thing is, when we do allow defcon2017 var_run file, should that fix everything regarding this program or not? Technically it should, but that's again... So remember, in the beginning of my talk, the SE in SELinux is Security Enhanced. So every time you think about adding something, ask yourself what would happen.
So yes, you can go ahead and allow it to write to var_run_t, but if you look at all the files that are listed under var_run_t, all the other PID files, that would mean devconf2017_t, if somebody hacked it, they'll be able to see the PID file for Apache because it lives in var_run_t. Yeah. Yeah. Cool. Thank you. So what we want, we want to label this file, the /var/run devconf PID file, we want to label it differently than the base type, the base type of var_run_t. So let's do it in our policy. Here, policy, okay, policy devconf.te. Okay, so we have a definition for the daemon and the executable binary, and let's add `type devconf2017_var_run_t;`. Okay. And we also need this. I will explain it to you. `files_pid_file(devconf2017_var_run_t)`. Okay. Do you have it in your .te file? Maybe I can wait a little bit. Okay. Can we continue? Okay. So we have a type just for var_run. I also use this macro, and it's something similar to this, that we just add some rules and add it to the pid file attribute, this var_run_t. But for you, it's important to just write these two lines when you start writing policy. And you can check in our GitHub repo what exactly this means. You just grep it in base, in the base branch, you know, the rawhide-base branch. So I think that without this file, it also will not be working, yeah? Right now we just define the type. Nothing else. Just define the type. Okay. But let's create the interaction, or allow rules. So we have again some macro, manage_files_pattern. I will write it and then I explain it, okay? 2017_var_run_t. No. Thank you. Okay, guys, do you have it? No? Yes? Okay, cool. So let's check this manage_files_pattern in our repo and I'll show you where you can find these patterns. It's really useful. So, but where is the repo? Huh? Yes, I know, but I need to find it. Okay, can you see it or? Oh, it's too small. Windows layout. It's okay. Minus works in the terminal. What? Okay, so this is the rawhide-base branch. I can show you. You see, it's here. Rawhide branch.
And in the rawhide branch, we have a policy directory, and in the policy directory there is support, and you'll see here the patterns. And we want the file patterns. Sorry. And I write, we can close this. And I write de-, sorry. We write this manage_files_pattern. Yeah, and we can find it here. Okay, so I hope, guys, that you can see it. It's here. And here is that manage_files_pattern and here are the allow rules. And this is a variable. This is the first variable. In our case, it's this one. This is the second variable and also the last one, you know? And now you can see the allow rules. allow devconf domain. The devconf domain can read and write dir permissions for devconf_var_run_t. You know, these permissions can be found here, but it's pretty simple to read it without knowing this file. So it's here. Read, write. Here, read, write. You know? So devconf2017 can open, read, getattr, lock, and so on. Okay, so this is important. And it's good to check these files in support, you know? file_patterns and obj_perm_sets. It's here. Okay. The last macro, this one, is something really similar to this one, and it tells us that this domain can create a file with the following label in var_run. You know, it's our path for PID files. So let's recompile it. We have it in 20 seconds, but okay. So let's remove this file, because we want the daemon to create the new file, and let's start it. So, okay. The service is running, cool, and let's check the context of the file. We have it here, and as you can see the context right now is devconf_var_run_t, not just var_run_t. So this is an example of a transition. It's here. Okay, let's move on. So right now we can again run ausearch and we don't see any record related to var_run. Yes, we see syslogd_var_run, but it's something totally different right now. Okay, so any questions? Just a second. Policy devconf_var_run_t. It's for you. Thank you very much. What's the question? The question is, do we enable this PID file?
To support the file transition. Now we are doing the same. We are doing audit2allow. We see that we need to enable more things. Yeah, and this is just one part of it. Just my lecture question. Okay, guys, it's okay. Okay, so this allows the binary to create any file in var_run_t, and that's the same. Yeah, if a binary in domain devconf2017 creates a file, it needs to be a file because the class is just one. The label will be devconf2017_var_run_t. It could be the PID file. It can be any file. Yes. Just thinking that when we have five PID files, all the PID files in this particular var_run_t. No, it's just the name of the macro. Okay. Okay, so let's check the remaining rules. It's here. Okay, cool. So what is interesting next? So I told you that the daemon is trying to write some records to the journal, and we see AVCs like: devconf2017 is trying to read a link file labeled devlog_t, write to some socket. And there is also this rule. So devconf2017 is searching in a directory labeled as syslogd_var_run_t. Okay. So what now? We can... Oh, yeah. Thank you. Thank you. Okay, we need to do one more thing with the PID file. Thank you, Simon, for the reminder. We didn't add records also here, you know? Because right now the label is good, because the daemon will create it. But when I run restorecon, restorecon will label it back to var_run, because we don't have it specified here. So let's do it. I just copied this one and I need to change the context, and it will be var_run. Okay? So just type it, please. Can I continue? No? No? Okay. I don't know. I don't want to do it. Yeah. Yeah. Because it's dangerous. Sorry? No, no, no, no, no. Better? Yeah, it's unnecessary. It's just for better reading. Okay, can I continue? Because... Okay, so I will compile it. Sorry. Okay, and... Okay, thank you, Simon. But let's move on because... You know, we'll be out of time. Okay, so guys, check these rules. Mainly these two, related to devlog_t and syslogd_var_run_t. Okay?
In the beginning, I told you that this daemon will write something to the journal. So... maybe there exists some macro for writing to syslog, you know? So let's check again the policy. And basically the easiest thing is just to grep devlog_t. Okay, and we have some results. Okay, you see that in policy/modules/system/logging.te this type is defined. But let's check the interface file. So policy/modules/system/logging.if. Okay, so... And there are a lot of lines, but you can see the names. Okay, so let's find something similar, I don't know, syslog or... And somewhere here, you find this one, the macro called logging_send_syslog_msg. And this is probably our macro, what we need. But as you see the body of the macro, you see that there is again some variable. And this variable, this type, will be part of syslog_client_type. syslog_client_type is an attribute, not a type. And basically this is just for easy reading of the policy, that one attribute can contain more types. Okay, so let's... Yes, for example, it is syslog_client_type. So same for... It's another cool tool, seinfo, with the syslog_client_type attribute. You see, and here is the list of domains which can send messages to syslog. So it's a huge list. But let's check it. Let's check where this type is defined. And it will be defined in logging.te, but I can't grep it. Oh, grep it. It will be here. So policy, modules, system, logging.te, and it's syslog... How is it? Just here. And you can see that these are all the allow rules for the attribute syslog_client_type. So if we use the macro logging_send_syslog_msg, we allow the devconf2017 domain all these allow rules. You see. So this is a macro for writing to syslog. So let's allow it, in the .te. And here is, again, the name of the macro. It's logging_send_syslog_msg. So logging_send_syslog_msg. Okay. Do you have it? Can I continue? No? Okay. I'll wait. Okay. Can I continue? Okay. So let's make it, let's compile it. Okay. And load it. Okay. So it's loaded. That's it.
We again start the daemon. Check the status. It's running. And again, let's find our AVCs. Oh. What's up? The daemon is running. And that's weird. Okay. It's good for us, because right now the daemon can write to syslog. Okay. But I don't know why I don't see the other. Maybe I need to wait a little bit, because it's writing and there is some kind of, you see that this is a journal and it's writing. And this is probably the main point of writing policy: that you need to find and understand the rules, and then you need to find it in our repo and find the proper macro for it. And if the macro does not exist, for example, you need to just write the allow rule. But this is it. And to be honest, we are out of time. So I'll just continue with the slides. So sorry. But this is how the whole policy for the daemon looks. You know, this we know. Okay. Okay. So previously I told you the daemon is connecting to a TCP port, logging messages, writing a PID file and reading meminfo. You know, so here are the allow rules. So this is an allow rule for read system state. It's for /proc/meminfo. This is for connecting to the HTTP port. And that's it. To be honest, this is not the actual policy, so please don't check on this allow rule. Okay. So if you continue with checking the AVCs from audit2allow, you will just append the following macros. And this is an example from a file context file. So this is for the binary. And this is for the PID file right now. And this is our future. This is the same policy in CIL. And you don't see any macros. So we'll just write the allow rules. And in the end, you will create a context for the files. Okay. So the takeaway from this is we had three files: type enforcement, file context, interface file. With CIL, it's just one module. And remember how you are starting and loading the service each time. So once you type this all out, I'm not a typist, but if you can type this all out, then just run `semodule -i devconf2017.cil`. That's it.
No more compiling. And it's faster, definitely. Okay. I'll show you the surprise. If you add a hack parameter in the service file, you know, it will copy your /etc/shadow to /tmp/hack. So who checked the code before compiling? Oh, good for you guys. I was not using. I don't have /etc/shadow anymore. Yeah. But what is important is that right now we don't have a rule for, you know, reading /etc/shadow. Right now, as you can see, if you type sesearch, there is no rule. So you can see that right now you have a working policy for this. And there will be some, I don't know, evil code, and it won't be executed because you don't have the allow rule. So this is one of the beauties of SELinux. Okay. So, yeah. Okay. Let's talk a little bit about sepolicy generate. You don't need to write these macros by hand as we did, but I wanted to show you how to do it to understand it; but you can use sepolicy generate and it will help you with a lot of rules. So if you're interested in writing policy, definitely check this. We don't have time for it right now. So, sorry. And yeah, this is a policy generated also from sepolicy generate, and I added some rules there by hand. One question regarding this slide. Permissive... Yeah, because... This is like this built in. Sorry. Permissive or not? If you compile this policy, devconf_t will be in permissive domains. So even if SELinux is in enforcing mode on the system, yeah, this domain will be in permissive. So the policy for this will not be enforced. Just log to the audit daemon, the audit log. Okay. We also have local modifications using semanage. I'll show it to you. Using the semanage command, you just label some ports, label objects, so you don't need to write a policy for it.
If you are writing some policy or have some issues related to SELinux, just check the semanage command. You know, for example, I should have examples here. Yes, I have it here. Do you see it? It's in gray. Sorry for that. You can see that I grepped all labels related to mysqld_t, you see. And also I grep all ports related to mysqld_port_t. So you know that all TCP ports with these numbers have the following label from the SELinux point of view. So remember the semanage tool. And also here are some examples of how I can add a port. For example, I want httpd to start binding on port 82, not 80 or 81, for example. So I just add the following command. And SELinux will label TCP port 82 with the following label: http_port_t. You know, so you don't need to write a policy or anything. It's just your local modification, and you will fix it with semanage. And this is also for fcontext. So if you want to label some objects, some directory, file or something like that, you just switch from port to fcontext. So this is really helpful for a lot of issues related to SELinux on your desktop systems. Yes, because every port has just one label. So other than recompiling policy? No, you need an allow rule. For example, two daemons need to have the same rule that they can connect or bind to the port with this label. Yeah, and I mean, there's another way to do that. You can modify the original ports. But how far do you want to go? So how badly does MySQL need to use a port that's already in use, you know? So you say MySQL needs to use port 443. It's never going to happen. So, and we know that Apache uses 443. So you could modify, as long as you're not running Apache on your system, you probably modify and give Apache another port to free up 443 and then assign it to MySQL.
But then the question is, we just know that Apache uses 443, but we don't know what other services you have on your system that are also using 443. So use the unassigned ports if you really need to use a free port. And that's all. It was a bit confusing, sorry, and we had problems with Wi-Fi. So I'll put this slide somewhere publicly, and you can see it on my Twitter. Or try this, I believe it should work, to be honest. I tried yesterday. It works, yeah. It works, right? Cool. So if you have any questions, just send me an email. I should have it somewhere. Okay, now let's do the last slide. Key takeaway? Practice, practice, practice. That's always...
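The module the workshop builds up piece by piece, collected into one listing as an added example; this is not the speakers' slide or their repository's code. It uses the types and interfaces named in the talk (devconf2017_t, devconf2017_exec_t, devconf2017_var_run_t, files_pid_file, manage_files_pattern, files_pid_filetrans, logging_send_syslog_msg, the /proc/meminfo and HTTP-port rules). The module name, the binary path /usr/sbin/devconf2017, the PID file path and the tcp_socket self rule are assumptions; the exact set of network interfaces a real daemon needs is whatever its AVCs show. The .te and .fc parts are two separate files in a refpolicy-style build and are shown together here only for reading.

```selinux
# ---- devconf2017.te (added example; module name is an assumption) ----
policy_module(devconf2017, 1.0.0)

########################################
# Declarations

# Process domain and the entrypoint label of the binary. init_daemon_domain()
# gives the systemd -> devconf2017_t transition the talk shows with `ps -eZ`;
# a daemon started by hand from a shell stays in unconfined_service_t instead.
type devconf2017_t;
type devconf2017_exec_t;
init_daemon_domain(devconf2017_t, devconf2017_exec_t)

# Private type for the PID file instead of the base type var_run_t, so that a
# compromised daemon cannot read or replace other services' PID files.
type devconf2017_var_run_t;
files_pid_file(devconf2017_var_run_t)

########################################
# Policy

# Create, read, write and delete files of our own type under /var/run
# (expands to the dir and file allow rules in policy/support/file_patterns.spt).
manage_files_pattern(devconf2017_t, devconf2017_var_run_t, devconf2017_var_run_t)

# Files the daemon creates inside a var_run_t directory are labelled
# devconf2017_var_run_t automatically (the type transition shown in the talk).
files_pid_filetrans(devconf2017_t, devconf2017_var_run_t, file)

# /proc/meminfo
kernel_read_system_state(devconf2017_t)

# Journal/syslog: adds devconf2017_t to the syslog_client_type attribute, which
# carries the devlog_t and syslogd_var_run_t rules that appeared in the AVCs.
logging_send_syslog_msg(devconf2017_t)

# Outgoing TCP to http_port_t. The tcp_socket self rule is an assumption; add
# further corenet_/sysnet_ interfaces only for AVCs you see and understand.
allow devconf2017_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_connect_http_port(devconf2017_t)

# ---- devconf2017.fc (paths are assumptions, not from the talk) ----
# Without these entries restorecon would relabel the PID file back to var_run_t.
/usr/sbin/devconf2017        --  gen_context(system_u:object_r:devconf2017_exec_t,s0)
/var/run/devconf2017\.pid    --  gen_context(system_u:object_r:devconf2017_var_run_t,s0)

# Build, load and verify (selinux-policy-devel provides the Makefile):
#   make -f /usr/share/selinux/devel/Makefile devconf2017.pp
#   semodule -i devconf2017.pp
#   restorecon -v /usr/sbin/devconf2017
#   systemctl restart devconf2017 && ps -eZ | grep devconf2017
#   ausearch -m AVC -ts recent | audit2allow           # review, never paste blindly
#   sesearch -A -s devconf2017_t -t shadow_t           # expect no rule, as in the talk
```

Note that nothing in the module grants shadow_t, which is why the talk's "surprise" copy of /etc/shadow is denied in enforcing mode: anything not in an allow rule is denied, so every rule added from audit2allow output should be read and justified before it goes into the .te file.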