Geekly Articles each Day
📜 ⬆️ ⬇️

Cooking NSA SELinux

NSA logo Hi Habr! With this post, I want to divert the respected community from the NSA on the topic a little bit, and instead fill in the gap in the description of one of their technologies, writing something between “turn off SELinux” and “devote the best years to it to understand a small part”. In fact, both of these points of view are equally far from the truth - the technology is quite simple, transparent and allows you to do a lot. However, I want to warn about the huge number of letters, and rather narrow target audience, because The following will be interesting not for everyone. If you have long wanted to understand what SELinux is, but did not know which side to go for - this article is for you. If you know all this for a long time and successfully apply it, then I made enough inaccuracies so that we could discuss it in the comments. Well, world-class information security experts can boldly go to the very end and start playing, I have plans to continue :-)
I will not deal in this article with topics related to the NSA as a whole, the ability to decipher RSA, wiretapping and other media aspects - no hype, no FUD, only technology. We will, with varying degrees of activity, climb into different sources, add our own conditions to the very heart of the MLS, possibly introducing our vulnerabilities (we also make mistakes), and after that we will try to take off and carry out tests. In other words, I describe what and how, and after that you no longer look at SELinux as an unknown animal and the abode of evil from a potential enemy, but boldly begin to use this technology for good. Especially considering that it is already included in all of your androids (> 4.3) and many distributions.
So, if you are still interested, and you are not afraid to spend a week in one of the many spoilers, then

Preliminary readings

I mean that you already have enough experience with Linux to deploy your favorite distribution in a virtual environment. I will do everything with the example of Debian, but if you decide to repeat this path, then all this can be (and very much needed) done on the most convenient and familiar distribution kit - in the process you will learn a lot about it. I tried to write this article as a teaching material so that anyone could repeat it step by step. I also mean that it will not be difficult for you to read technical documentation in English - information on SELinux in Russian is so far extremely scarce.

General technology information
There are so many rumors around SELinux that you will be surprised how small the introductory volume is, just three links:
  1. RH Guide : if any command is incomprehensible, you will most likely find a description in it. Open it in a separate tab, useful.
  2. Summary of the lecture by Eli Billauer: consider it as the main collection of facts. On it you can quickly understand what's what, and know what to ask Google.
  3. Writing a politician . Despite the document’s ten years ago, it describes enough key points to understand the internal structure of SELinux, and how to pick it.

This is the main thing that I recommend reading before setting up, otherwise you will constantly return to these documents. There are many other resources , but you will definitely get to them if you want to do something different from turning on / off boolean variables.

So, when you read all this, we can check ourselves with simple questions:
  1. What is unconfined_t / unconfined_u, and why SELinux cannot be tested on it?
  2. What is a special case, MLS or MCS?
  3. What is the difference between * .te and * .if and * .fc?
Answers
  1. Unlimited domain / user. With the same success, you can configure SELinux on another machine.
  2. MCS. MLS == MCS with MLS_SENS = 1.
  3. Basically - nothing. Although in txt write, do not forget to fix the main Makefile.

Task setting and pre-setting

Now that we already know what we want, but don’t know how we will implement it, we can formulate the objectives of the experiment:
Server
With your permission, I will remove it under the spoiler. YMMV, you may not be Debian, and the installation in KVM is no different. Any distribution kit installed in the minimum configuration in a virtual environment will do. Virtual - because it is more convenient, minimal - because it is faster.
Details
A typical Debian expert install, small details:
  • Disk layout (as many as 4GB!):
    • / dev / vda1 64MB as / boot, ext2.
    • rest as LUKS: aes256: cbc-essiv: passphrase, all settings as default as possible.
    • inside the remainder - all under LVM.
  • Here at once fstab
    root@sandbox:~# cat /etc/fstab # /etc/fstab: static file system information. # <file system> <mount point> <type> <options> <dump> <pass> /dev/vda1 /boot ext2 defaults 0 2 /dev/mapper/vg0-root / btrfs defaults 0 1 /dev/mapper/vg0-usr /usr btrfs defaults 0 2 /dev/mapper/vg0-var /var btrfs defaults 0 2 /dev/mapper/vg0-tmp /tmp btrfs defaults 0 2 /dev/mapper/vg0-rhome /root btrfs defaults 0 2 /dev/mapper/vg0-swap none swap sw 0 0
  • Separate sections rendered for further convenience testing.
  • We put a minimal system with an SSH server, nothing else.
  • Before completing the installation, we immediately call the shell, and remember the system key:
     root@sandbox:~# ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key 256 f6:9b:ad:dd:93:cb:3d:c2:83:76:45:c3:02:e8:6a:1d root@sandbox (ECDSA)
After installation, we go via ssh, and bring the system to the base version for our experiments, in my case it was like this:
 sed -i 's/wheezy/jessie/g' /etc/apt/sources.list # that's no bloody enterprise aptitude update && aptitude dist-upgrade -VR # let's go testing, it's stable enough aptitude install vim bash-completion deborphan -VR # a little comfort couldn't hurt aptitude install policycoreutils auditd setools selinux-basics -VR # last is just helper scripts, optional vim /etc/network/interfaces # make interfaces static aptitude purge isc-dhcp-client console-setup console-setup-linux kbd iproute module-init-tools $(deborphan)
Create keys for ssh, register them on the server for root:
 @local$ ssh-keygen -b 521 -t ecdsa -f selinux-test @remote# mkdir /root/.ssh && cat selinux-test.pub > /root/.ssh/authorized_keys2 && chown && chmod
Well, by the end of the day, we assemble and install our core - we want support for the latest version of the policy, the minimum required set of modules, experiment with the PaX and GRSecurity patches (which, by the way, get on well with SELinux, but I’ll probably describe this later). In general, the vanilla kernel is best suited for us at the current stage. Yes, I can hear you a voice from the audience talking about the Debian way - but today the samurai’s way is not limited to such a framework. In this experiment, we still have UID = 0 without restrictions, and we are doing everything we want. So, let's heat up a little Arizona (or local virtual machine):
 mkdir src && cd src && wget -c http://kernel.org/pub/linux/kernel/v3.0/linux-3.10.18.tar.bz2 && tar jxf linux*tar.bz2 && cd linux* && make menuconfig && make -j$((2* $(grep processor /proc/cpuinfo | wc -l))) deb-pkg && make clean
At the configuration stage, we enable SELinux (yes, this pun is intended!): selinux kernel opts, sorry for imageshack, habrastorage is not ok with my id
.config
 # if you are lazy to configure yourself, here's my .config, usable on KVM+libvirt wget -O - $aboveimage | dd bs=1 skip=3991 | xzcat
We believe that the basis for the experiments is ready.
Automating policy assembly
It was more convenient for me to build policies on a local machine and, in the form of a deb package, already installed on the server. Therefore, I took the path of least resistance.
up'n'enter style
 wget http://oss.tresys.com/files/refpolicy/refpolicy-2.20130424.tar.bz2 tar jxf refpolicy-2.20130424.tar.bz2 cp -rp refpolicy custom #all our modifications asroot# mkdir /usr/share/selinux/custom # so we can 'make install' here asroot# mkdir /etc/selinux/custom asroot# chown $USER:$USER /etc/selinux/custom /usr/share/selinux/custom asroot# touch /etc/selinux/custom/setrans.conf && chown $USER:$USER /etc/selinux/custom/setrans.conf # we'll need it later asroot# aptitude install selinux-utils python-selinux policycoreutils checkpolicy # these are for policy build
Next, the package build script:
 #!/bin/bash # sample deb build for custom selinux policy # harvests policy from local system version='0.0.1' name='selinux-policy-custom' description='Custom MLS SELinux policy' cf="${name}-control" cc="${name}-Copyright" # depends and conflicts shamessly ripped from selinux-policy-mls read -d '' cheader << EOF Section: non-free Priority: optional Homepage: http://selinux/ Standards-Version: 3.9.2 Package: ${name} Version: ${version} Maintainer: secadm_r <here.can+be@your.email> Pre-Depends: Depends: policycoreutils (>= 2.1.0), libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.35), libsepol1 (>= 2.1.0) Conflicts: cron (<= 3.0pl1-87.2sel), fcron (<= 2.9.3-3), logrotate (<= 3.7.1-1), procps (<= 1:3.1.15-1), selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted, sysvinit (<= 2.86.ds1-1.se1) Architecture: all Copyright: ./selinux-policy-custom-Copyright Description: ${description} EOF read -d '' postinst << "EOF" File: postinst 755 #!/bin/sh -e set -e if [ "$1" = configure ]; then /usr/sbin/semodule -s custom -b /usr/share/selinux/custom/base.pp $(find /usr/share/selinux/custom/ -type f ! -name base.pp | xargs -r -n1 echo -n " -i") fi #DEBHELPER# exit 0 EOF function make_policy() { cd custom make clean rm -rf /usr/share/selinux/custom/* make install cd .. } function make_files() { echo 'SELinux custom policy copyright:TODO' > ${cc} echo -e "$cheader" > ${cf} echo -e "$postinst" >> ${cf} echo -en "\nFiles: " >> ${cf} # our setrans file echo -e " /etc/selinux/custom/setrans.conf /etc/selinux/custom" >> ${cf} # /etc/selinux dir find /etc/selinux/custom -type f ! -name \*LOCK | xargs -r -n1 -If -- sh -c 'echo " f $(dirname f)"' >> ${cf} # /usr/share/selinux/custom dir find /usr/share/selinux/custom -type f | xargs -r -n1 -If -- sh -c 'echo " f $(dirname f)"' >> ${cf} } function cleanup() { rm -f ${cc} ${cf} } function build_deb() { equivs-build ${cf} [ $? -eq 0 ] && cleanup } rm ./${name}*deb # glob is ok make_policy make_files build_deb scp -P 22 -i ~/.ssh/selinux-test selinux*deb root@selinux:/tmp/
The complete reassembly time turned out to be ~ 30 seconds, so the general principle of the script is chosen - “head-on,” which is called, I think, to adapt for assembling rpm work will not be:
  • Make all
  • We collect and set policies (make install)
  • We find everything that is established (we know where to look), we collect the package
  • Fill the server in / tmp
  • In postinst, he himself will find what he has updated, pull semodule and reload policies

SELinux, the first acquaintance.

The server is ready, the build system is ready, the reference policy is loaded, now you can get down to the most interesting. (Approximately at this stage, assessing the already existing volume of the article, a seditious thought crept in to divide it by 2 5 :-).
For the first build, we define the parameters, I chose these:
 $ sed '/^#/d;/^$/d' build.conf TYPE = mls NAME = custom DISTRO = debian UNK_PERMS = reject DIRECT_INITRC = n MONOLITHIC = n UBAC = y CUSTOM_BUILDOPT = MLS_SENS = 4 MLS_CATS = 32 MCS_CATS = 32 QUIET = n
The differences from upstream are minimal: MLS is enabled (this means that all the parameters from policy / mls and config / appconfig-mls will be included during the build); included distro-specific debian macros, which is not really necessary; the policy will not load if permissions that are not reflected in the policy are defined in the kernel — what if we have a much newer kernel; Well, I have significantly reduced the number of levels and categories - we will have only 4 levels of secrecy, each with 32 categories. For now, that's enough for us.
essence numbered uno
As an experiment, try setting MONOLITHIC = y and building a policy without setting it - make policy. The result will be policy.conf, a textual representation of the policy. That's just here, in a simple form, courtesy of the unfolded m4 of all the clutter of macros, described everything that SELinux will allow. In other words (Warning: bad analogy time!): If secadm_r is like a SAT chief approving access levels and tolerances, then SELinux is an ordinary security officer who checks these lists, and in policy.conf, in fact, lists with fields:
1. who (scontext) - where (tcontext) - to whom (class) - why (call) (plus, in the case of MLS: show your tolerance level as well, and if it is less than expected, I will not even look at the rules .)

We create all the necessary configs, which we will edit to fit our needs: make conf . At first, we’re correcting the policy / modules.conf that appeared - I turned off (modulename = off) almost all modules in the contrib group. Plus - faster assembly, fewer modules. Minus - the possible underdefinition of contexts. Let me explain with an example:
contrib_off
 grep -A5 contrib policy/modules.conf | grep "= module$" | wc -l # total number grep -A5 contrib policy/modules.conf | grep "= module$" | sed 's/ = module//' | xargs -r -n1 -I__n -- sh -c 'sed -i "s/^__n = module$/__n = off/" policy/modules.conf' # kekeke # turn some servicess off too (xserver + postgresql) # turn _on_ logrotate,mta,postfix,ulogd, and whatever you think you need
As soon as we started to edit modules.conf , we passed the point of no return, after which we should understand what we are doing and why. Possible underdetermining of contexts is just the first example of how our actions affect the system.
Looking ahead, I’ll immediately say a little about the wonderful audit2allow utility: it eats audit.log, and in a fairly clear form (especially with the -Rev keys) gives us what we need to add in the policy so that these messages no longer appear in the log. So, if you are somewhere (and this is almost everywhere) on the Internet, you will find a recommendation
 grep something-something /var/log/audit/audit.log | audit2allow -M mymegamodule semodule -i mymegamodule
then follow it only if you are aware of what you are doing now - this set of commands means that SELinux will resolve everything that (potentially greedy) something-something has asked for access, and even a little more. Moreover, in the case of MLS, this method does not work at all - because in MLS it is not enough to create an allow rule, it is necessary that the access satisfies all the restrictions imposed on tolerances and categories. Such actions are equivalent to frank confession: “Yes, today I don’t want to think at all with my head, it’s easier for me to allow everything.” Do not make a theater out of your system, and do not tune SELinux in this way - it’s like catching all the packages on a firewall and turning them into permissive rules with a script.
')
Now it's time to run make install , and if everything is fine, then build our package and put it on the server:
 dpkg -i /tmp/selinux-policy-custom*deb sed -i 's/^SELINUX=.*$/SELINUX=enforcing/;s/^SELINUXTYPE=.*$/SELINUXTYPE=custom/' /etc/selinux/config selinux-activate # if you installed helper package selinux-basics # if not: touch /.autorelabel # add 'selinux=1 security=selinux' to cmdline reboot # let's rock!
The system will reboot, apply contexts as defined in the established policy ( / etc / selinux / custom / contexts / files / * ), reboot again and kindly offer to go.

When is rocking "rocking" and when is it "shaking" *

Chef, it's all gone. Nothing works. We can't even log in via ssh - connection closed by host. Meet SELinux. As Eli Billauer remarkably articulated:
What is SELinux?
In a nutshell: denied.
Nevertheless, it is good if you have reached this point. This is exactly the behavior that we need, and now we will begin to understand why we are not allowed to.
the essence of numerically duo, this time without bad analogies
If you carefully read the preliminary documentation, you will surely remember the decision-making procedure:
  1. First DAC. If it is forbidden, then it will not even get to SELinux, permission denied will be the usual, unix, familiar to all of us at times when we just got acquainted with our first * nix system.
  2. Then MAC. If no matching rules are found, permission denied will already be from SELinux. In some distributions (RH), lines containing " SELinux is preventing " will appear in the logs, some will not, but there will be something in all in audit.log.
Total, most likely in RefPolicy there is simply no something that is in the distribution policy. Let's find it and add it.
Oh yeah, I forgot to say that from now on, you will need access to the server not only via ssh, it may not work. Fortunately, in our case it is a virtual server, there is always VNC / SPICE / etc (link special for FSKN). We try to enter locally - it does not allow. Excellent situation to immediately illustrate how from it
go out
  1. Don't panic.
  2. Reboot - for example, by sending Ctrl + Alt + Del, acpid will do everything for us.
  3. We catch grub at the boot stage, change selinux = 1 to selinux = 0
  4. Log in, log in as root.
At this stage, audit.log contains all the reasons for our failures , why we could not enter. Since Now we have booted with disabled SELinux, the first thing that makes sense is to copy audit.log from the last download for further analysis, because with SELinux enabled, we simply cannot do it.
 cp /var/log/audit/audit.log /root wc -l /root/audit.log 195
The scale of the disaster is small, two hundred lines. It is time to slowly descend from the mountain:
So, we have all configured, the system boots in enforcing mode. At this point, as a rule, the attentive reader already has extensive knowledge of modifying the modules, is fluent in the policy structure, sincerely loves (or at least sincerely hates) the m4 syntax, subscribes to the NSA newsletter, knows two dozen sources of information on SELinux and a dozen developers. .
It is time to climb a little deeper, on the territory, not much described in the documentation.

Mls

If you are somewhat familiar with all sorts of criteria for evaluation of security , then you already know that they are, first, the big set (c individual (PDF) profiles (PDF), most of which have developed various kinds of paramilitary organizations), and that the output is a certain the number of parrots , which characterizes the rigidity of the requirements during the passage. Mlsadds to the existing SELinux restrictions two more levels of control, vertical (levels) and horizontal (categories). The first is nothing more than “tolerances”, where the superior permit implies access to a lower level (“top secret” can read documents classified as “secret”), and the second is different categories of the same level, where permission to read one category does not mean permission to read the rest.
Since both of these levels of control can be assigned to any objects that SELinux works with, this allows you to implement almost any requirements for classifying information and its flows:Of course, all this requires careful study, first of all, the system architecture, otherwise we then contract workers will lay out documents with the “Top Secret” stamp on instagrams :-)
For this experiment, I used these levels and categories:
 root@sandbox:~# cat /etc/selinux/custom/setrans.conf Domain=Playbox # levels s0=SystemLow s3:c0.c31=SystemHigh s0-s3:c0.c31=SystemLow-SystemHigh s1=Confidential s2=Secret # employee categories s1.c0=Ninjas s1.c1=Pirates s1.c2=Jesuses # secret stuff s2.c0=Aliens s2.c1=BigBrother
Now we set up our web server, as if it were designed exclusively for internal access, i.e. works strictly at the level of s1 (Confidential). It is not necessary for demonstration, but useful for general development. Of course, we will not configure IPSec and packet marking, otherwise no one will see it, we restrict ourselves to the local context. Since we now only have ssh configured on the test machine, let's choose a server that is not described in RefPolicy:
nginx
nginx, , MCS ( s0). NIH . , , dpkg -L lsof , :
 /usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s1:c0.c2) /etc/init.d/nginx gen_context(system_u:object_r:nginx_initrc_exec_t,s1:c0.c2) /etc/nginx(/.*)? gen_context(system_u:object_r:nginx_etc_t,s1:c0.c2) /var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s1:c0.c2) /var/run/nginx(/.*)? gen_context(system_u:object_r:nginx_var_run_t,s1:c0.c2) /var/www(/.*)? gen_context(system_u:object_r:nginx_var_www_t,s1:c0.c2) /var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s1:c0.c3)
, , (, , ..), . s1 (Confidential), . , . , , ( newrole -r secadm_r ), premissive ( setenforce 0 ), ( restorecon -RFvv / ), nginx sysadm_r ( run_init /etc/init.d/nginx start ). audit.log , . modname.if, , , «» :
 template(`web_server_template',` type $1_t, web_server; allow blah blah; # so we can call web_server_template(nginxN) in modname.te ')
modname.if , «» . . , , :
 root@sandbox:~# cat nginx_local.te policy_module(nginx_local, 0.0.1) ################################################################## type nginx_t; type nginx_exec_t; type nginx_initrc_exec_t; type nginx_etc_t; type nginx_var_log_t; type nginx_var_run_t; type nginx_var_www_t; type nginx_var_lib_t; corecmd_executable_file(nginx_exec_t); init_script_file(nginx_initrc_exec_t) files_type(nginx_etc_t) logging_log_file(nginx_var_log_t) files_pid_file(nginx_var_run_t) files_type(nginx_var_www_t) files_type(nginx_var_lib_t) init_ranged_daemon_domain(nginx_t, nginx_exec_t, s1:c0.c2)
corecommands.if, . — , MLS, , nginx .
, , (grep nginx /var/log/audit/audit.log | grep 'sysctl'), , , sysctl:
 # /read kernel sysctl values require { type sysctl_kernel_t; class dir { search }; class file { open read }; } allow nginx_t sysctl_kernel_t:dir { search }; allow nginx_t sysctl_kernel_t:file { open read };
socket:
 # socket bind require { type node_t; type http_port_t; class tcp_socket { name_bind setopt bind create listen node_bind }; class capability { net_bind_service setuid setgid }; } allow nginx_t http_port_t:tcp_socket { name_bind }; allow nginx_t node_t:tcp_socket { node_bind }; allow nginx_t self:tcp_socket { bind create setopt listen }; allow nginx_t self:capability { net_bind_service setuid setgid };
And so on. audit2allow, MLS. require , , , . , -
such a
 policy_module(nginx_local, 0.0.1) ################################################################## type nginx_t; type nginx_exec_t; type nginx_initrc_exec_t; type nginx_etc_t; type nginx_var_log_t; type nginx_var_run_t; type nginx_var_www_t; type nginx_var_lib_t; corecmd_executable_file(nginx_exec_t); init_script_file(nginx_initrc_exec_t) files_type(nginx_etc_t) logging_log_file(nginx_var_log_t) files_pid_file(nginx_var_run_t) files_type(nginx_var_www_t) files_type(nginx_var_lib_t) init_ranged_daemon_domain(nginx_t, nginx_exec_t, s1:c0.c2) # rules # /sys and /sys/devices/systemcpu/online require { type sysfs_t; class dir { search }; class file { read open }; } allow nginx_t sysfs_t:dir { search }; allow nginx_t sysfs_t:file { read open }; # /read kernel sysctl values require { type sysctl_kernel_t; type sysctl_t; class dir { search }; class file { open read }; } allow nginx_t sysctl_kernel_t:dir { search }; allow nginx_t sysctl_kernel_t:file { open read }; allow nginx_t sysctl_t:dir search; # self configs and symlinks require { type nginx_etc_t; class dir { open read search }; class file { open read getattr }; class lnk_file { read }; } allow nginx_t nginx_etc_t:dir { open read search }; allow nginx_t nginx_etc_t:file { open read getattr }; allow nginx_t nginx_etc_t:lnk_file { read }; # /etc/localtime, /etc/passwc, etc (no pun intended) require { type locale_t; type etc_t; class file { read open getattr }; } allow nginx_t locale_t:file { read open getattr }; allow nginx_t etc_t:file { read open getattr }; # pid file require { type var_run_t; class dir { search write add_name remove_name } ; class file { write read create open unlink }; } allow nginx_t var_run_t: dir { search }; allow nginx_t nginx_var_run_t: file { read write create open unlink }; allow nginx_t nginx_var_run_t: dir { search write add_name remove_name }; # libs require { type var_lib_t; class dir { search getattr }; } allow nginx_t var_lib_t:dir search; allow nginx_t nginx_var_lib_t: dir { search getattr }; # socket bind require { type node_t; type http_port_t; class tcp_socket { name_bind setopt bind create listen node_bind }; class capability { net_bind_service setuid setgid }; } allow nginx_t http_port_t:tcp_socket { name_bind }; allow nginx_t node_t:tcp_socket { node_bind }; allow nginx_t self:tcp_socket { bind create setopt listen }; allow nginx_t self:capability { net_bind_service setuid setgid }; # socket accept require { class tcp_socket { read write accept }; } allow nginx_t self:tcp_socket { read write accept }; # logs require { type var_log_t; class dir { search }; class file { open append }; } allow nginx_t var_log_t:dir { search }; allow nginx_t nginx_var_log_t:dir { search }; allow nginx_t nginx_var_log_t:file { open append }; # www require { class dir { search getattr }; class file { read getattr open }; } allow nginx_t nginx_var_www_t:dir { search getattr }; allow nginx_t nginx_var_www_t:file { read getattr open };
, .
We get users and roles, for example so:
 root/sysadm_r@sandbox:~# adduser alice ...skipped... root/sysadm_r@sandbox:~# adduser bob ...skipped... root/secadm_r@sandbox:~# semanage user -a -R user_r -L s1 -r s1-s1:c0 ninjas root/secadm_r@sandbox:~# semanage user -a -R user_r -L s2 -r s2-s2:c0 aliens root/secadm_r@sandbox:~# semanage login -a -s ninjas alice root/secadm_r@sandbox:~# semanage login -a -s aliens bob # or, ninjas to supervise alice root/secadm_r@sandbox:~# restorecon -RFvv /home/ # thats all, folks.
Total, we get:

Funky time

Well, now, finally, there will be slides. For a full-fledged demonstration, I bought a small Vspku under this article, next to the NSA, and I quickly unfolded everything I had done on it. Directly on this system, you can see what SELinux is, go under the root and type rm -rf / * first of all, without fail, start all sorts of scripts / sploits and rootkits, in general, show this to the NSA motherboard. But before you do this exciting thing, let's go through both assumptions and limitations:
As part of this training course, we:
If there is a term in the IB for the state of security, in the description of which there are words “push apart” and “rolls”, then this is it. All that separates from total compromise is SELinux. Compromise is inevitable, but it is very interesting how long it takes.
But also, there is something for which SELinux is not intended, namely:

I did not start a domain, this is for toy version 0.0.2. Version 0.0.1
here
: http://162.213.198.69
And yes, a separate request - please behave. It is not necessary to kill all root processes and interfere with others, the user is one for all.

Notes

* Tim Minchin, Lullaby

Source: https://habr.com/ru/post/199202/

More articles:


All Articles