SELinux(5)
Uploaded by ajeet-singh-raina
SELinux
Security Enhanced Linux
Patience !!!
SELinux is a different way of handling access control than many
administrators and users are familiar with.
Agenda
• Introduction
• What is SELinux?
• Background
• Terminology
• Access Control Philosophies
• LSM Architecture
• SELinux Policy
• SELinux Modes
• Controlling SELinux
Introduction
• Wikipedia says:
“…Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.”
What is SELinux?
• A kernel-level MAC (Mandatory Access Control) implementation for Linux
• Originally commissioned and built by/for the NSA
• A headache for the uninitiated
• Very effective if done right
• Adopted into the 2.6 kernel series
Background
1985: LOCK system (early Type Enforcement) – Secure Ada project through Honeywell
1990: DTMach / DTOS – DTMach: Mach-based prototype; DTOS: Distributed Trusted Operating System
1995: Utah Fluke / Flask – Fluke: University of Utah's research operating system
1999: 2.2 Linux kernel (patch)
2001: 2.4 Linux kernel (patch)
2002: LSM
2003: 2.6 Linux kernel (mainline)
2006: Full network labeling
Terminology
• Subject: A domain or process.
• Object: A resource (file, directory, socket, etc.).
• Types: A security attribute for files and other objects.
• Roles: A way to define what “types” a user can use.
• Identities: Like a username, but specific to SELinux.
• Contexts: Using a type, role and identity is a “Context.”
Access Control Philosophies
DAC
• A traditional permission model
• The owner of a particular file can change the permissions of an object.
• Can be changed at the discretion of the owner.
• Inherent security flaws
Access Control Philosophies
DAC
• Used to control access by restricting a subject's access to an object.
  Subject: processes
  Object: file, network socket
• A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights.
• There are really only two major categories of users: administrators and non-administrators.
• It is generally used to limit a user's access to a file.
• In this type of access control it is the owner of the file who controls other users' accesses to the file.
Ex: ls -l
-rw-rw-r-- 1 vmware vmware 2645 May 05 08:48 personnel.txt
Access Control Philosophies
MAC
• Access control decisions are not at the discretion of individual users or even system administrators.
• Allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects in SELinux).
• This is done through an administratively-defined security policy over all processes and objects.
• MACs cannot be overridden by the owner of the object.
LSM architecture
SELinux Complete Diagram
1. The policy server gathers the security context from the subject and object, and sends the pair of labels to the security server, which is responsible for policy decision making.
2. The policy server first checks the AVC, and returns a decision to the enforcement server.
3. If the AVC does not have a policy decision cached, it turns to the security server, which uses the binary policy that is loaded into the kernel during initialization. The AVC caches the decision, and returns the decision to the policy server.
4. If the policy permits the subject to perform the desired operation on the object, the operation is allowed to proceed.
5. If the policy does not permit the subject to perform the desired operation, the action is denied, and one or more avc: denied messages are logged to $AUDIT_LOG, which is typically /var/log/messages.
SELinux Complete Diagram
• Object management includes labeling objects with a security context, managing object labels in memory.
• Object managers are there to obtain security policy decisions from the security server and to apply the decisions to label and control access to their objects
Type Enforcement
• Certain attributes are applied to all objects and subjects.
• These attributes are termed as Security Contexts.
• Each process and file/directory/port on the system is assigned a Security Context, on the basis of which the Type Enforcement policy allows or disallows access.
Type Enforcement
• Security contexts are stored in extended attributes (xattrs) on ext2/ext3 filesystems.
• A typical SELinux security context is of the form:
User Identity:Role:Type/Domain
• Users (3 in number)
• Roles (6 in number)
• Types (1,513 in number)
• Any object or subject in the SELinux Policy installed in the system can have one of these user identities, one of the six roles and one of the available 1,513 types.
Targeted Policy
• To list user identities defined in the SELinux Targeted Policy:
# seinfo -u
Users: 3
   system_u
   root
   user_u
• To check the available roles:
# seinfo -r
Roles: 6
   staff_r
   user_r
   object_r
   secadm_r
   sysadm_r
   system_r
SELinux Modes
• Disabled
SELinux is not implemented on the host. A common choice during the installation.
• Permissive
Similar to a debugging mode. Policies and rules are applied to objects and subjects, but actions are not affected. Example: if the SELinux policy would prevent the httpd subject from accessing the object folder /webdata on my system, implementing SELinux in Permissive mode would let the Apache web server access the folder /webdata but log a denial in the log files.
• Enforcing
SELinux in action. All production servers, when hardened, should enable SELinux in Enforcing mode.
Controlling SELinux
getenforce: gets the current mode of SELinux.
Example:
# getenforce
Disabled
setenforce: modifies the mode SELinux is running in. It toggles between Permissive and Enforcing mode when SELinux is enabled.
Example:
# setenforce 0
Activates Permissive SELinux mode.
# setenforce 1
Activates Enforcing SELinux mode.
Controlling SELinux
• sestatus: used to get the status of a system running SELinux. Displays more information about the SELinux policy.
Example:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted
Controlling SELinux
You can also change the run parameters of the SELinux system directly through the selinuxfs mount:
# echo 1 > /selinux/enforce
Switches to Enforcing mode.
# echo 0 > /selinux/enforce
Returns to Permissive mode.
Understanding the targeted policy
• seinfo: to view the various rules defined in an SELinux policy
# seinfo
• Default policy loaded in my system:
82,756 Allow Rules
1,399 Type Transition Rules
5,086 Don't Audit Rules
Understanding the targeted policy
• Allow Rules
Specifically allow “access” to an “object” by a “subject”.
Access defined by:
• Access permission – read, write, execute
Object defined by:
• The security context, called the target context (tcontext)
• Class of the object, called the target class (tclass)
Subject defined by:
• The security context, called the source context (scontext)
Understanding the targeted policy
• A typical allow rule
• Allow the web process (Apache server) to read the file /var/www/html/index.html
Evaluation factors:
Access permission required: read
Target context (tcontext):
ls -Z /var/www/html/index.html => system_u:object_r:httpd_sys_content_t:s0
Target class (tclass): file
Source context (scontext):
ps axZ | grep httpd => user_u:system_r:httpd_t:s0
Understanding the targeted policy
• Allow the Source Context – user_u:system_r:httpd_t:s0 permission to read on the class file bearing a Target Context of system_u:object_r:httpd_sys_content_t:s0
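Added example (not from the slides) that models the evaluation factors just listed together with the AVC lookup from the diagram steps: it pulls the source and target contexts out of constructed ls -Z / ps axZ lines, parses a small constructed allow-rule policy, and answers a read and a write request for index.html the way the AVC would, caching each decision and emitting an avc: denied shaped message for the write.

```python
import re

# Constructed sample lines in the shape of `ls -Z` and `ps axZ` output (not captured from a real host).
LS_Z_LINE = "-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html"
PS_Z_LINE = "user_u:system_r:httpd_t:s0 1234 ? Ss 0:00 /usr/sbin/httpd"

# A tiny Type Enforcement policy, constructed for this example, written the way
# allow rules appear in policy source: allow <source type> <target type>:<class> { perms };
POLICY_SOURCE = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create };
"""

# user:role:type[:level]  (the slides' User Identity:Role:Type form, plus the level seen in ls -Z)
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::s\d\S*)?$")

def context_from_line(line):
    """Return the security context field found in an ls -Z / ps -Z style line."""
    for field in line.split():
        if CONTEXT_RE.match(field):
            return field
    raise ValueError("no security context in line")

def load_policy(src):
    """Parse allow rules into {(source type, target type, class): set of permissions}."""
    rules = {}
    for m in re.finditer(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\};", src):
        key = (m.group(1), m.group(2), m.group(3))
        rules[key] = rules.get(key, set()) | set(m.group(4).split())
    return rules

def check_access(rules, scontext, tcontext, tclass, perm, cache):
    """Decide as the AVC does: answer from the cache, otherwise ask the policy and cache the
    result. Returns (allowed, message); a denial carries an 'avc: denied'-shaped message
    (pid/comm fields omitted) like the one written to the audit log in step 5."""
    key = (scontext, tcontext, tclass, perm)
    if key not in cache:
        stype, ttype = scontext.split(":")[2], tcontext.split(":")[2]
        cache[key] = perm in rules.get((stype, ttype, tclass), set())
    if cache[key]:
        return True, ""
    return False, f"avc:  denied  {{ {perm} }} scontext={scontext} tcontext={tcontext} tclass={tclass}"

if __name__ == "__main__":
    policy, avc = load_policy(POLICY_SOURCE), {}
    sctx, tctx = context_from_line(PS_Z_LINE), context_from_line(LS_Z_LINE)
    for perm in ("read", "write"):
        allowed, msg = check_access(policy, sctx, tctx, "file", perm, avc)
        print(perm, "allowed" if allowed else msg)
```

Only the type field of each context takes part in the decision, which is exactly why the slides call this Type Enforcement; the user and role fields ride along but are not consulted by the allow rule.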
Understanding the targeted policy