SELinux(5)

SELinux Security Enhanced Linux

Transcript of SELinux(5)

Page 1: SELinux(5)

SELinux

Security Enhanced Linux

Page 2: SELinux(5)

Patience !!!

SELinux is a different way of handling access control than many administrators and users are familiar with.

Page 3: SELinux(5)

Agenda

• Introduction
• What is SELinux?
• Background
• Terminology
• Access Control Philosophies
• LSM Architecture
• SELinux Policy
• SELinux Modes
• Controlling SELinux

Page 4: SELinux(5)

Introduction

• Wikipedia says:

“…Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.”

Page 5: SELinux(5)

What is SELinux?

• A kernel-level MAC (Mandatory Access Control) implementation for Linux
• Originally commissioned and built by/for the NSA
• A headache for the uninitiated
• Very effective if done right
• Adopted into the 2.6 kernel series

Page 6: SELinux(5)

Background

1985: LOCK system (early Type Enforcement) – Secure Ada project through Honeywell
1990: DTMach / DTOS – DTMach: Mach-based prototype; DTOS: Distributed Trusted Operating System
1995: Utah Fluke / Flask – Fluke: University of Utah's research operating system
1999: 2.2 Linux Kernel (patch)
2001: 2.4 Linux Kernel (patch)
2002: LSM
2003: 2.6 Linux Kernel (mainline)
2006: Full network labeling

Page 7: SELinux(5)

Terminology

• Subject: A domain or process.
• Object: A resource (file, directory, socket, etc.).
• Types: A security attribute for files and other objects.
• Roles: A way to define what “types” a user can use.
• Identities: Like a username, but specific to SELinux.
• Contexts: A type, role and identity used together form a “Context.”

Page 8: SELinux(5)

Access Control Philosophies

DAC

• A traditional permission model
• The owner of a particular file can change the permissions of an object.
• Can be changed at the discretion of the owner.
• Inherent security flaws

Page 9: SELinux(5)

Access Control Philosophies

DAC

• Used to control access by restricting a subject's access to an object.

Subject: processes. Object: file, network socket.

• A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights.

• There are really only two major categories of users: administrators and non-administrators.

• It is generally used to limit a user's access to a file.
• In this type of access control it is the owner of the file who controls other users' access to the file.

Ex: ls -l
-rw-rw-r-- 1 vmware vmware 2645 May 05 08:48 personnel.txt

Page 10: SELinux(5)

Access Control Philosophies

MAC

• Access control decisions are not at the discretion of individual users or even system administrators.

• Allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects in SELinux).

• This is done through an administratively-defined security policy over all processes and objects.

• MAC decisions cannot be overridden by the owner of the object.

Page 11: SELinux(5)

LSM architecture

Page 12: SELinux(5)

SELinux Complete Diagram

Page 13: SELinux(5)

SELinux Complete Diagram

1. The policy server gathers the security context from the subject and object, and sends the pair of labels to the security server, which is responsible for policy decision making.
2. The policy server first checks the AVC, and returns a decision to the enforcement server.
3. If the AVC does not have a policy decision cached, it turns to the security server, which uses the binary policy that is loaded into the kernel during initialization. The AVC caches the decision, and returns the decision to the policy server.
4. If the policy permits the subject to perform the desired operation on the object, the operation is allowed to proceed.
5. If the policy does not permit the subject to perform the desired operation, the action is denied, and one or more avc: denied messages are logged to $AUDIT_LOG, which is typically /var/log/messages.
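The avc: denied messages from step 5 are what an administrator works from when a policy blocks something. The shell script below is an added example, not part of the slide deck: it takes a few constructed audit lines (in the kernel's AVC message format, with made-up pids, inode numbers and timestamps) and summarises which source type was denied which permission on which target type, then counts denials per source domain. The function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise "avc: denied" messages. The three log lines below
# are constructed samples in the kernel's AVC message format, not real audit data.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1700000001.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="data.db" dev="sda1" ino=12346 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1700000002.789:458): avc:  granted  { read } for  pid=42 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_field LINE KEY -> the value of "KEY=value" in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_perms LINE -> the permission names inside the { ... } braces
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*avc: *[a-z]* *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type field of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_denials LINES -> one "source_type target_type class perms" line per denial;
# "avc: granted" lines (produced by auditallow rules) are skipped
avc_denials() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"avc:"*"denied"*) ;;
            *) continue ;;
        esac
        printf '%s %s %s %s\n' \
            "$(ctx_type "$(avc_field "$line" scontext)")" \
            "$(ctx_type "$(avc_field "$line" tcontext)")" \
            "$(avc_field "$line" tclass)" \
            "$(avc_perms "$line")"
    done
}

# avc_count_by_source LINES -> "source_type count", one line per denied domain
avc_count_by_source() {
    avc_denials "$1" | awk '{ n[$1]++ } END { for (t in n) print t, n[t] }' | sort
}

avc_denials "$AVC_SAMPLE"
avc_count_by_source "$AVC_SAMPLE"
```

On a live system the same functions can be fed `grep 'avc: ' /var/log/messages` (or the audit log, where auditd is running); the per-domain count is the quickest way to see which subject a policy is fighting before deciding whether the denial is a bug in labeling or a real policy violation.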

Page 14: SELinux(5)

SELinux Complete Diagram

• Object management includes labeling objects with a security context and managing object labels in memory.

• Object managers are there to obtain security policy decisions from the security server and to apply the decisions to label and control access to their objects.


Page 16: SELinux(5)

Type Enforcement

• Certain attributes are applied to all objects and subjects.

• These attributes are termed Security Contexts.

• Each process and file/directory/port on the system is assigned a Security Context, on which the Type Enforcement policy bases its decision to allow or deny access.

Page 17: SELinux(5)

Type Enforcement

• Security contexts are stored in Extended Attributes (xattrs) on ext2/ext3 filesystems.
• A typical SELinux security context is of the form:

User Identity:Role:Type/Domain

• Users (3 in number)
• Roles (6 in number)
• Types (1,513 in number)

• Any object or subject in the SELinux Policy installed on the system can have one of these three user identities, one of the six roles and one of the available 1,513 types.
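To make the User Identity:Role:Type layout concrete, here is an added shell example (not from the slides) that splits a context into its fields and checks the naming conventions the targeted policy uses: roles end in _r and types in _t (user identities such as root carry no suffix). It also handles the optional MLS/MCS level that follows the type: a level such as s0-s0:c0.c1023 may itself contain colons, so the level is everything after the third colon rather than "field four". The function names are the example's own.

```shell
#!/bin/sh
# Added example: split an SELinux security context into its parts.
# Layout: user:role:type[:level]; the MLS/MCS level (e.g. s0:c0.c1023)
# may itself contain colons, so it is "everything after the third colon".

ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }   # empty when no level is present

# ctx_check CONTEXT -> "ok" (exit 0) or the reason the context is malformed (exit 1)
ctx_check() {
    [ -n "$(ctx_user "$1")" ] || { echo "missing user identity in $1"; return 1; }
    case "$(ctx_role "$1")" in
        *_r) ;; *) echo "bad role in $1"; return 1 ;;
    esac
    case "$(ctx_type "$1")" in
        *_t) ;; *) echo "bad type in $1"; return 1 ;;
    esac
    case "$(ctx_level "$1")" in
        ""|s[0-9]*) ;; *) echo "bad level in $1"; return 1 ;;
    esac
    echo ok
}

# ctx_describe CONTEXT -> the four fields named, the way a reader of ls -Z / ps -Z output needs them
ctx_describe() {
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$(ctx_user "$1")" "$(ctx_role "$1")" "$(ctx_type "$1")" "$(ctx_level "$1")"
}

# The two contexts used on the slides' allow-rule example, plus an MLS range (constructed)
ctx_describe user_u:system_r:httpd_t:s0
ctx_describe system_u:object_r:httpd_sys_content_t:s0
ctx_describe system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023
ctx_check user_u:system_r:httpd_t:s0
ctx_check user_u:system_r:httpd || true     # type without the _t suffix is reported
```

The three-field form (no level) is what the slides' "User Identity:Role:Type/Domain" describes; the s0 seen in the ls -Z output later in the deck is the level that MLS-capable policies append.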

Page 18: SELinux(5)

Targeted Policy

• To list user identities defined in the SELinux Targeted Policy:

# seinfo -u

Users: 3
   system_u
   root
   user_u

• To check the available roles:

# seinfo -r

Roles: 6
   staff_r
   user_r
   object_r
   secadm_r
   sysadm_r
   system_r

Page 19: SELinux(5)

SELinux Modes

• Disabled
SELinux is not implemented on the host. A common choice during installation.

• Permissive
Similar to a debugging mode. Policies and rules are applied to objects and subjects, but actions are not affected, only logged.
Example: If SELinux policy would prevent the httpd subject from accessing the object folder /webdata on my system, implementing SELinux in Permissive mode would let the Apache web server access the folder /webdata but log a denial in the log files.

• Enforcing
SELinux in action. All production servers, when hardened, should enable SELinux in Enforcing mode.


Page 21: SELinux(5)

Controlling SELinux

getenforce: gets the current mode of SELinux.

Example:

# getenforce
Disabled

setenforce: modifies the mode SELinux is running in. It toggles between Permissive and Enforcing mode when SELinux is enabled.

Example:

# setenforce 0
Activates Permissive SELinux mode.

# setenforce 1
Activates Enforcing SELinux mode.

Page 22: SELinux(5)

Controlling SELinux

• sestatus: used to get the status of a system running SELinux. Displays more information about the SELinux policy.

Example:

# sestatus

SELinux status:          enabled
SELinuxfs mount:         /selinux
Current mode:            permissive
Mode from config file:   permissive
Policy version:          21
Policy from config file: targeted

Page 23: SELinux(5)

Controlling SELinux

You can also change the run parameters of the SELinux system directly through the selinuxfs mount:

# echo 1 > /selinux/enforce
Switches the running system to Enforcing mode.

# echo 0 > /selinux/enforce
Returns to Permissive mode.
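sestatus reports both "Current mode" and "Mode from config file" because the two can disagree: a setenforce or a write to the enforce node changes only the running kernel and is lost at reboot, while the config file only takes effect at boot. The following added shell example, not part of the slides, reads both sources and reports drift between them. It takes the two paths as arguments so it can be pointed at /selinux/enforce (the mount shown on the slides) or /sys/fs/selinux/enforce (where current distributions mount selinuxfs) and at /etc/selinux/config, and so it can be exercised against test copies; the function names are the example's own.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the configured one.
# Sources: the "enforce" node on the selinuxfs mount (/selinux/enforce on the
# slides' system, /sys/fs/selinux/enforce on current distributions) and the
# SELINUX= line of /etc/selinux/config. Paths are passed in so the functions
# can also be run against test copies.

# selinux_runtime_mode ENFORCE_FILE -> enforcing | permissive | disabled
selinux_runtime_mode() {
    if [ ! -r "$1" ]; then
        echo disabled            # no selinuxfs node: SELinux is not active in the kernel
        return 0
    fi
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# selinux_config_mode CONFIG_FILE -> value of the SELINUX= line (empty if none)
selinux_config_mode() {
    [ -r "$1" ] || return 0
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_mode_drift ENFORCE_FILE CONFIG_FILE -> "consistent: MODE" or a drift report
selinux_mode_drift() {
    run=$(selinux_runtime_mode "$1")
    cfg=$(selinux_config_mode "$2")
    [ -n "$cfg" ] || cfg=unset
    if [ "$run" = "$cfg" ]; then
        echo "consistent: $run"
    else
        echo "drift: running $run, config file says $cfg"
    fi
}

# Stand-alone run against the live system (paths for a current distribution).
selinux_mode_drift /sys/fs/selinux/enforce /etc/selinux/config
```

A "drift: running permissive, config file says enforcing" result on a hardened server is worth an alert: either someone is debugging a denial and forgot to switch back, or the mode was changed deliberately outside change control.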

Page 24: SELinux(5)

Understanding the targeted policy

• seinfo: to view the various rules defined in an SELinux policy

#seinfo

Page 25: SELinux(5)

Understanding the targeted policy

• Default policy loaded in my system:

82,756 Allow Rules
1,399 Type Transition Rules
5,086 Don't Audit Rules

Page 26: SELinux(5)

Understanding the targeted policy

• Allow Rules: specifically allow “access” to an “object” by a “subject”

Access defined by:
• Access permission – read, write, execute

Object defined by:
• The security context, called the target context (tcontext)
• Class of the object, called the target class (tclass)

Subject defined by:
• The security context, called the source context (scontext)

Page 27: SELinux(5)

Understanding the targeted policy

• A typical allow rule
• Allow the web process (Apache server) to read the file /var/www/html/index.html

Evaluation factors:

Access permission required: read
Target context (tcontext): ls -Z /var/www/html/index.html => system_u:object_r:httpd_sys_content_t:s0
Target class (tclass): file
Source context (scontext): ps axZ | grep httpd => user_u:system_r:httpd_t:s0

Page 28: SELinux(5)

Understanding the targeted policy

• Allow the source context user_u:system_r:httpd_t:s0 permission to read on the class file bearing a target context of system_u:object_r:httpd_sys_content_t:s0.
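Putting the four evaluation factors together: the shell script below is an added example, not the slides' code and not how the kernel implements the check. It holds a handful of constructed rules written in the policy language's allow syntax (allow SOURCE_TYPE TARGET_TYPE : CLASS { PERM ... };) and answers the question the AVC answers, given scontext, tcontext, tclass and the requested permission. Only the first rule corresponds to the httpd case on the slides; the rest are made up to show the other ways a request fails to match. Function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: decide an access request against a tiny constructed policy.
# Rules use the policy language's allow syntax:
#   allow SOURCE_TYPE TARGET_TYPE : CLASS { PERM ... };
# These four rules are made up for the example; a real targeted policy has
# tens of thousands (the slides count 82,756).
POLICY='allow httpd_t httpd_sys_content_t : file { read getattr open };
allow httpd_t httpd_sys_content_t : dir { read search getattr };
allow httpd_t httpd_log_t : file { append create getattr };
allow sshd_t etc_t : file { read getattr };'

# ctx_type CONTEXT -> the type/domain field of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_decide SCONTEXT TCONTEXT TCLASS PERM -> prints allowed (exit 0) or denied (exit 1)
# Type Enforcement only looks at the type fields, so user and role are ignored here.
avc_decide() {
    stype=$(ctx_type "$1")
    ttype=$(ctx_type "$2")
    tclass=$3
    perm=$4
    while IFS= read -r rule; do
        case "$rule" in
            "allow "*) ;;
            *) continue ;;          # not an allow rule (blank line, comment, ...)
        esac
        rule=${rule#"allow "}
        rule=${rule%;}
        set -- $rule               # $1=source $2=target $3=":" $4=class $5..="{ perms }"
        [ "$1" = "$stype" ] || continue
        [ "$2" = "$ttype" ] || continue
        [ "$4" = "$tclass" ] || continue
        shift 4
        for p in "$@"; do
            if [ "$p" = "$perm" ]; then
                echo allowed
                return 0
            fi
        done
    done <<EOF
$POLICY
EOF
    echo denied                    # no matching rule: SELinux denies by default
    return 1
}

# The slides' example: Apache reading /var/www/html/index.html
avc_decide user_u:system_r:httpd_t:s0 system_u:object_r:httpd_sys_content_t:s0 file read
# Same domain trying to write the same file: no rule grants it
avc_decide user_u:system_r:httpd_t:s0 system_u:object_r:httpd_sys_content_t:s0 file write || true
```

The kernel's security server does the same lookup keyed on (source type, target type, class) and the AVC caches the resulting permission set, which is why step 2 of the diagram consults the AVC before the security server. Type attributes, type transition rules, dontaudit rules and MLS constraints are all outside this toy; what it does show is the default-deny shape of Type Enforcement: absence of a rule is a denial.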