SELinux for Mere Mortals - Software Summit...Thomas Cameron — SELinux for Mere Mortals (or,...

© Copyright 2008, Red Hat, Inc.

Thomas Cameron — SELinux for Mere Mortals (or, “Don’t Turn It Off!”)

Colorado Software Summit: October 19 – 24, 2008

Slide 1

SELinux for Mere MortalsOr, “Don't Turn It Off!”

Thomas Cameron

Lead Solutions Architect,

Red Hat




Slide 2

Agenda

What is SELinux

A brief History

Type Enforcement

Role-Based Access Control (RBAC)

Multi-Level Security (MLS)

Mandatory vs. Discretionary AccessControl




Slide 3

Agenda

What Can I Do with SELinux?

Confine Programs' Privileges

Protect from Exploits

Prevent System Access to Users' PrivateDetails




Slide 4

Agenda

SELinux Architecture

Security Context• Users

• Roles

• Domains/Types

• Sensitivity

• Category

Security Policy




Slide 5

What is SELinux?

A brief HistoryCreated by the United States NationalSecurity Agency (NSA) as set of patchesto the Linux kernel using Linux SecurityModules (LSM)

Released by the NSA under the GNUGeneral Public License (GPL) in 2000

Adopted by the upstream Linux kernel in2003




Slide 6

What is SELinux?

Type Enforcement (TE)Enforces Mandatory Access Control (MAC)over Discretionary Access Control (DAC)

Provides control over process execution aswell as domain transition. For example,the init process kicks off various scripts inthe /etc/rc.d directory and those scriptscall executable binaries. TE manages thetransition of those executables from theirparent domain (init) to their own domain(like httpd).




Slide 7

What is SELinux?

Role-Based Access Control (RBAC)Roles defined for various processes

Permissions assigned to roles rather thanindividual users




Slide 8

What is SELinux?

Multi-Level Security (MLS)Allows different access levels to differentdata based on security levels• Top level can access top, middle and low

• Mid level can access mid and low but not top

• Low level can access low but not mid or top

Can even have different windows in theGUI with different levels of security and noway to copy/paste from high to mid




Slide 9

What is SELinux?


DAC – standard mechanism for Linux.• All processes run with a user and group. If

that user/group has access to files, so does theprocess

• Root and users have ability (discretion) tooverride or change security with chmod, chownand related utilities

• Processes which run as root (think applicationservices) can access *everything*




Slide 10

What is SELinux?


MAC – SELinux is a MAC implementation• Fine grained permissions on all processes, files,

devices, sockets, ports, etc.

• Administratively defined policy.

• Security decisions made based on allinformation, not just identity

• Processes running as root can still only accessthose areas of the system which policy allows.




Slide 11

What can I do with it?

Confine Programs' PrivilegesPrograms confined to their own context,even programs running as root can stillnot access information outside of theirown security context




Slide 12


Protects against exploitsRBAC and TE (sandboxing) means thateven if a “bad guy” exploits something likea buffer overflow, since that process runsin a specific context it can't accessanything else on the system.




Slide 13


Prevent System Access to Users'Private Details

Rogue/compromised processes can stillnot access home directories or mail files




Slide 14


Security ContextUsers

Roles

Domains/Types

Sensitivity (optional)

Category (optional)




Slide 15


Security Context (example)




Slide 16

User identity and role

SELinux user account correlated withobject, typically ends in _u, as in thesystem_u identity in the previous slide

Role defines which SELinux useridentities are permitted in whichdomains, typically ends in _r as inobject_r in the previous slide

Role can be changed using newrole

Role has access to types or domains




Slide 17

Domain Type and Role

Processes (subjects) execute indomains

Resources (objects) are in protecteddomains called types

Subjects and objects have a domain ora type, ending in _t as in thehttpd_config_t and etc_t types in theearlier slide




Slide 18

Id, role, domain and type

Example:




Slide 19

Domain Type and Role

For example, the web server binary(httpd) has a type of httpd_exec_t.

The running process (httpd) belongs tothe httpd_t domain

Web server data is of the typehttpd_sys_content_t.

The targeted policy allows subjects inhttpd_t to access files withhttpd_sys_content_t




Slide 20

Sensitivity and categories

Only used in strict and mls policies(think government)

Hierarchical

Category is optional

No read up, no write down




Slide 21

Security Context

Every object and subject has a context

Stored in extended attributes (xattrs)on ext2/3 filesystems

Stored in running kernel for port,network interfaces and so on.




Slide 22

Security Context

Format:user:role:type:sensitivity:category

Can be changed with chcon,restorecon, fixfiles

Defined in:/etc/selinux/targeted/contexts/files/file_contexts

/etc/selinux/targeted/contexts/files/file_contexts.homedirs




Slide 23

SELinux Policy

Set of rules used by SELinuxDefines the security context• User identity

• Role

• Type/domain

• Sensitivity

• Category

Defines how each domain accesses eachtype

Defines transitions and other access




Slide 24

Targeted Policy

Default policy for RHEL, Fedora

Targets only specific services

Available in source or binary

Source policy written with m4




Slide 25

Targeted Policy

Every subject and object runs inunconfined_t domain except for thosewith defined policy




Slide 26

Strict Policy

EVERY subject is in a confined domain

Much more complexFor instance, root has low privileges, mustenter password for system configurationjust like a regular user




Slide 27

MLS Policy

Multi-layer security

Different security levels for differentprocesses and objects

Allows for different apps to run indifferent contexts on the same system

One window might be higher or lowersecurity than another, no read up, nowrite down.




Slide 28

Protected services

There are over 100, including all ofthe standard ones

dhcpd

httpd

mysqld

named

nscd

ntpd

portmap

postmaster

snmpd

squid

syslogd

winbindd

bind

ypbind




Slide 29

SELinux tools

system-config-selinux

chcon

restorecon

setfiles

fixfiles

setenforce

getenforce

newrole

getsebool

setsebool




Slide 30

Policy Location

Look in /etc/selinux/etc/selinux/targeted

/etc/selinux/targeted/policy

/etc/selinux/targeted/contexts




Slide 31

Policy Booleans

Allow runtime policy modification

Each has a default, usually false

getsebool and setsebool to manage

setsebool -P recompiles with change

Writes changes to:/etc/selinux/targeted/modules/active/booleans.local




Slide 32

Policy Booleans

Can display all booleans usinggetsebool -a (there are hundreds ofthem)




Slide 33

Security context info

Almost every command takes the -Zargument

ls -Z

id -Z or secon

ps -Z

mkdir -Z

install -Z

cp -Z

find -context




Slide 34


Note that using su does NOT setcontext correctly!

Example:




Slide 35


In this example, root logs in via ssh:

Example:




Slide 36

SELinux Examples

Checking contexts of various files

/home

/tmp

/etc/httpd

/var/ftp/pub




Slide 37

SELinux Examples

Creating files and noting contexts




Slide 38

SELinux Examples

Changing file contexts

Example - web page created inwrong context and moved




Slide 39

SELinux Examples




Slide 40

SELinux Examples

Use chcon to manually change context




Slide 41

SELinux Examples

Or do it the easy way with restorecon:




Slide 42

SELinux Examples

How to troubleshoot Apache vs.

SELinux issues

For instance, allowing access to~/public_html




Slide 43

SELinux Examples

Set up Apache to allow access to~/public_html

Add a user and have that user set up a~/public_html directory with all theright permissions (711 /home/user,755 /home/user/public_html)

In this example, a simple error ismade:




Slide 44

SELinux Examples




Slide 45

SELinux Examples




Slide 46

SELinux Examples

Use sealert to see what happened.

sealert -a /var/log/audit/audit.log




Slide 47

SELinux Examples




Slide 48

SELinux Examples




Slide 49

SELinux Examples




Slide 50

SELinux Examples

What about something like setting up avirtual host?

Set up the virtual host in httpd.conf,but put it somewhere weird.




Slide 51

SELinux Examples




Slide 52

SELinux Examples

Restart the httpd service




Slide 53

SELinux Examples




Slide 54

SELinux Examples

sealert to the rescue!

Or maybe not...?




Slide 55

SELinux Examples




Slide 56

SELinux Examples

But wait, relabeling the filesystemwon't help here!

You can use chcon --reference to setcontext, then semanage fcontext tomake it permanent (i.e. survive arelabel)




Slide 57

SELinux Examples




Slide 58

SELinux Examples




Slide 59

SELinux Examples

Some examples of booleans

Setting up public_html on NFSmounted home directories

Mount an exported filesystem under/home and set up the home andpublic_html directories andpermissions




Slide 60

SELinux Examples




Slide 61

SELinux Examples

In this case, there are two possiblesets of booleans which might beinterfering.

getsebool -a | grep http

getsebool -a | grep nfs




Slide 62

SELinux Examples




Slide 63

SELinux Examples




Slide 64

SELinux Examples

You can always use sealert to check aswell




Slide 65

SELinux Examples




Slide 66

SELinux Examples




Slide 67

SELinux Examples




Slide 68

SELinux Examples

How about mounting an ISO image ordrive so that Apache can export it?

It's common to mount an ISO imageunder /var/www/html so that it can beused as an installation source




Slide 69

SELinux Examples




Slide 70

SELinux Examples




Slide 71

SELinux Examples




Slide 72

SELinux Examples

ZOMG!!! WTF?!?!




Slide 73

SELinux Examples

This will happen for things like USBdrives and ISO images.

The key is to tell mount what contextto mount the device under




Slide 74

SELinux Examples




Slide 75

SELinux Examples




Slide 76

setroubleshoot browser

Graphical tool which does the samething as sealert.

Available from the desktop or via thecommand sealert -b




Slide 77

setrouble browser




Slide 78

setrouble browser




Slide 79

Activating SELinux

SELinux is enabled or disabled in/etc/sysconfig/selinux (which isactually just a link to/etc/selinux/config)




Slide 80

Activating SELinux




Slide 81

Activating SELinux

To activate SELinux on your machine,there are a couple of ways to do it.

Set SELINUX=enforcing

touch /.autorelabel

reboot




Slide 82

Activating SELinux




Slide 83

Activating SELinux

Alternatively, you can issue thecommand "fixfiles relabel" as root

Reboot after it's done

Don't do it in runlevel 5 since itdeletes everything in /tmp includingfiles the X server needs




Slide 84

Activating SELinux




Slide 85

Activating SELinux

You can also run SELinux in permissivemode, where it will not block anythingbut it will still log AVC errors.

Do this in development environmentand set policy or booleans as neededon production machines.




Slide 86

Creating basic policies

audit2why and audit2allow are twoutlities to tell you why something wasdenied and how to allow it

Note that just because audit2allow willcreate a policy, that does not mean itis the smartest thing to do! Considersecurity implications before applyingpolicies.




Slide 87


In this example, the VPN client on mylaptop causes an AVC denial




Slide 88





Slide 89


Use audit2why to see why the alertwas triggered




Slide 90





Slide 91


Use audit2allow see what needs to bechanged




Slide 92





Slide 93


Use audit2allow -M [policyname] tocreate a .te and a .pp file




Slide 94





Slide 95


As indicated, run the commandsemodule -i [policyname.pp] to installthe policy module




Slide 96





Slide 97





Slide 98

Final Thoughts

Don't turn it off!

SELinux can really save you in theevent of a breach.

It's *much* easier to use SELinuxtoday than it was just a few monthsago

NSA grade security is available at noextra cost - use it!




Slide 99

Questions?




Slide 100

Contact Info

Thomas Cameron([email protected])

512-241-0774

http://people.redhat.com/tcameron

SELinux for Mere Mortals - Software Summit...Thomas Cameron — SELinux for Mere Mortals (or,...

Documents

Transcript of SELinux for Mere Mortals - Software Summit...Thomas Cameron — SELinux for Mere Mortals (or,...