Insight into SELinux - Securing Linux

Transcript of Insight into SELinux - Securing Linux

  • 8/9/2019 Insight into SELinux - Securing Linux (28 slides)

    SELinux: Security-Enhanced Linux


    Patience !!!

    SELinux is a different way of handling access control than many

    administrators and users are familiar with.


    Agenda

    Introduction

    What is SELinux?

    Background

    Terminology

    Access Control Philosophies

    LSM Architecture

    SELinux Policy

    SELinux Modes

    Controlling SELinux


    Introduction

    Wikipedia says:

    "Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD."


    What is SELinux?

    A kernel-level MAC (Mandatory Access Control) implementation for Linux

    Originally commissioned and built by/for the NSA

    A headache for the uninitiated

    Very effective if done right

    Adopted into the 2.6 kernel series


    Background

    1985: LOCK system (early Type Enforcement)

    Secure Ada project through Honeywell

    1990: DTMach / DTOS

    DTMach: Mach-based prototype; DTOS: Distributed Trusted Operating System

    1995: Utah Fluke / Flask

    Fluke* - University of Utah's research operating system

    1999: 2.2 Linux Kernel (patch)

    2001: 2.4 Linux Kernel (patch)

    2002: LSM

    2003: 2.6 Linux Kernel (mainline)

    2006: Full network labeling


    Terminology

    Subject: A domain or process (the active entity requesting access).

    Object: A resource (file, directory, socket, etc.).

    Types: A security attribute for files and other objects; the type of a process is called its domain.

    Roles: A way to define what types (domains) a user is allowed to enter.

    Identities: Like a username, but specific to SELinux (the SELinux user, e.g. system_u or user_u).

    Contexts: A type, role and identity together form a Context (plus an optional MLS/MCS level such as s0 on policies that support it).


    Access Control Philosophies

    DAC

    A traditional permission model

    The owner of a particular object (file) can change its permissions.

    Access can be changed at the discretion of the owner rather than by a system-wide policy, which is the model's inherent security weakness.


    Access Control Philosophies

    DAC

    Used to control access by restricting a subject's access to an object:

    Subject: process

    Object: file, network socket

    A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights.

    There are really only two major categories of users: administrators (root, who bypasses the permission bits entirely) and non-administrators.

    It is generally used to limit a user's access to a file.

    In this type of access control it is the owner of the file who controls other users' access to the file.

    Ex: ls -l

    -rw-rw-r-- 1 vmware vmware 2645 May 05 08:48 personnel.txt


    Access Control Philosophies

    MAC

    Access control decisions are not at the discretion of individual users or even system administrators.

    MAC allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects in SELinux).

    This is done through an administratively-defined security policy over all processes and objects.

    MAC decisions cannot be overridden by the owner of the object. A request must pass the DAC check first and then the SELinux policy check; passing DAC alone is not enough.


    LSM architecture


    SELinux Complete Diagram


    1. The policy enforcement server (the LSM hooks acting as object manager) gathers the security context from the subject and the object, and sends the pair of labels to the security server, which is responsible for policy decision making.

    2. The Access Vector Cache (AVC) is checked first; if it holds a decision for this pair of labels and object class, that decision is returned to the enforcement server immediately.

    3. If the AVC does not have a decision cached, it turns to the security server, which uses the binary policy loaded into the kernel during initialization. The AVC caches the decision and returns it to the enforcement server.

    4. If the policy permits the subject to perform the desired operation on the object, the operation is allowed to proceed.

    5. If the policy does not permit the subject to perform the desired operation, the action is denied, and one or more avc: denied messages are logged to the audit log ($AUDIT_LOG): /var/log/audit/audit.log when auditd is running, otherwise the kernel log (/var/log/messages or dmesg).


    SELinux Complete Diagram

    Object management includes labeling objects with a security context and managing object labels in memory.

    Object managers obtain security policy decisions from the security server and apply those decisions to label and control access to their objects.


  • 8/9/2019 Insight into SELInux- Securing Linux

    16/28

    Type Enforcement

    Certain attributes are applied to all objects and subjects.

    These attributes are termed Security Contexts.

    Each process and file/directory/port on the system is assigned a Security Context, based on which the Type Enforcement policy allows or disallows access.


    Type Enforcement

    Security contexts are stored in extended attributes (xattrs, the security.selinux attribute) on filesystems that support them, such as ext2/ext3 (and today ext4, XFS and Btrfs).

    A typical SELinux security context is of the form:

    User Identity:Role:Type/Domain[:Level]

    In the targeted policy loaded on the presenter's system:

    Users (3 in number)

    Roles (6 in number)

    Types (1,513 in number)

    Any object or subject under the SELinux policy installed on the system carries one of these user identities, one of the six roles and one of the available 1,513 types. (The counts depend on the policy version; current targeted policies define far more types.)


    Targeted Policy

    To list user identities defined in the SELinux Targeted Policy:

    # seinfo -u

    Users: 3

    system_u

    root

    user_u

    To check the available roles:

    # seinfo -r

    Roles: 6

    staff_r

    user_r

    object_r

    secadm_r

    sysadm_r

    system_r


    SELinux Modes

    Disabled

    SELinux is not enabled on the host. A common choice during installation, but files created while SELinux is disabled carry no labels, so switching to Permissive or Enforcing later requires a full relabel (touch /.autorelabel and reboot).

    Permissive

    Similar to a debugging mode. Policies and rules are applied to objects and subjects, but denials are only logged, not enforced.

    Example: if the SELinux policy would prevent the httpd subject from accessing the object folder /webdata on my system, running SELinux in Permissive mode would let the Apache web server access /webdata but log a denial in the log files.

    Enforcing

    SELinux in action. All production servers, when hardened, should run SELinux in Enforcing mode.
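The Permissive-mode workflow above (let the service run, collect the logged denials, then fix the policy or the labels) is what audit2allow automates from the audit log. The following added example, which is not part of the original slides, shows the shape of that work in Python over constructed audit records: it parses avc: denied lines in the kernel's AVC record format, groups them by source type, target type and object class, and emits the Type Enforcement allow rules that would satisfy them. The sample records, PID, inode numbers and the RELABEL_HINT set are assumptions made for this example.

```python
"""Added example (not from the original slides): turn 'avc: denied' audit
records into the allow rules that would satisfy them, as audit2allow does.
The audit lines below are constructed for the example."""
import re
from collections import defaultdict

# An AVC record: 'avc:  denied  { perms } for  key=value key="value" ...'
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[\w\s]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit log: httpd (permissive) touching an unlabeled /webdata and a port.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1565337600.101:301): avc:  denied  { read } for  pid=2171 comm="httpd" name="index.html" dev="dm-0" ino=4212 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1565337600.102:302): avc:  denied  { open } for  pid=2171 comm="httpd" path="/webdata/index.html" dev="dm-0" ino=4212 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1565337600.103:303): avc:  denied  { search } for  pid=2171 comm="httpd" name="webdata" dev="dm-0" ino=4200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1565337600.104:304): avc:  denied  { name_bind } for  pid=2171 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1565337600.104:304): arch=c000003e syscall=49 success=yes exit=0
"""

def parse_avc(line):
    """Return a dict of the AVC record's fields, or None for other audit record types."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(m["rest"])}
    rec["perms"] = set(m["perms"].split())
    return rec

def type_of(ctx):
    # user:role:type[:level]; maxsplit keeps MLS ranges like s0-s0:c0.c1023 intact
    return ctx.split(":", 3)[2]

# Assumption for this example: generic target types that usually mean the file was
# never labeled for the service, so the fix is restorecon/semanage, not a new rule.
RELABEL_HINT = {"default_t", "unlabeled_t"}

def suggest_rules(audit_text):
    """Collapse denials with the same (source type, target type, class) into one allow rule."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        needed[key] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def mislabeled_targets(audit_text):
    """Target types in the denials that point to a labeling problem rather than a policy gap."""
    found = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            found.add(type_of(rec["tcontext"]))
    return found & RELABEL_HINT

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_AUDIT)))
    print("relabel instead of allow for targets:", mislabeled_targets(SAMPLE_AUDIT))
```

The grouping makes the caveat visible: the denials against default_t mean /webdata was never labeled for Apache, so the right remedy is semanage fcontext -a -t httpd_sys_content_t "/webdata(/.*)?" followed by restorecon -Rv /webdata, not an allow rule that lets httpd_t read every default_t file on the system. Only the port denial is a genuine policy question (semanage port or a local module).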



    Controlling SELinux

    getenforce: gets the current mode of SELinux.

    Example:

    # getenforce

    Disabled

    setenforce: modifies the mode SELinux is running in (requires root). It toggles between Permissive and Enforcing while SELinux is enabled; it cannot enable or disable SELinux at runtime, and the change does not survive a reboot. Set SELINUX= in /etc/selinux/config for a persistent mode.

    Example:

    # setenforce 0    Activates Permissive mode

    # setenforce 1    Activates Enforcing mode


    Controlling SELinux

    sestatus:

    Used to get the status of a system running SELinux. Displays more information about the SELinux policy.

    Example:

    # sestatus

    SELinux status: enabled

    SELinuxfs mount: /selinux

    Current mode: permissive

    Mode from config file: permissive

    Policy version: 21

    Policy from config file: targeted

    (On current kernels the selinuxfs mount point is /sys/fs/selinux rather than /selinux.)


    Controlling SELinux

    You can also change the run parameters of the SELinux system directly through the selinuxfs pseudo-filesystem, which is what setenforce does under the hood:

    # echo 1 > /selinux/enforce

    Switches to Enforcing mode.

    # echo 0 > /selinux/enforce

    Returns to Permissive mode.

    On current kernels selinuxfs is mounted at /sys/fs/selinux, so the file is /sys/fs/selinux/enforce.


    Understanding the targeted policy

    seinfo: with no arguments, prints statistics on the components and rules defined in the loaded SELinux policy (users, roles, types, classes, allow rules, and so on).

    #seinfo


    Default policy loaded in my system:

    82,756 allow rules

    1,399 type transition rules

    5,086 dontaudit rules


    Allow Rules

    Specifically allow access to an object by a subject.

    Access defined by:

    - The access permission (read, write, execute, ...)

    Object defined by:

    - The security context, called the target context (tcontext)

    - The class of the object, called the target class (tclass)

    Subject defined by:

    - The security context, called the source context (scontext)


    A typical allow rule

    Allow the web process (Apache server) to read the file /var/www/html/index.html

    Evaluation factors:

    Access permission required: read

    Target context (tcontext): ls -Z /var/www/html/index.html

    => system_u:object_r:httpd_sys_content_t:s0

    Target class (tclass): file

    Source context (scontext): ps axZ | grep httpd

    => user_u:system_r:httpd_t:s0


    Allow the source context user_u:system_r:httpd_t:s0 the read permission on the class file bearing a target context of system_u:object_r:httpd_sys_content_t:s0. Type Enforcement rules are written in terms of the type fields only (httpd_t and httpd_sys_content_t); the user and role fields do not enter the allow-rule check.
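To tie the decision path of the "SELinux Complete Diagram" slides (object manager, AVC, security server) to the allow-rule anatomy above, here is an added example, not code from the original slides, that models that path in Python. It parses a constructed policy fragment written in the policy source syntax allow rules use, caches access vectors the way the AVC does, evaluates the slide's httpd-reads-index.html case, and emits avc: denied lines in the kernel's format for the misses. The policy fragment, contexts, PIDs and log wording are constructed for the example; a real system consults a compiled binary policy inside the kernel.

```python
"""Added example (not from the original slides): a toy model of the SELinux
decision path (object manager -> AVC -> security server) driven by Type
Enforcement allow rules in policy source syntax. Everything is constructed."""
import re
from dataclasses import dataclass, field

# One policy-source statement, e.g.
#   allow httpd_t httpd_sys_content_t:file { read getattr open };
_ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[\w\s]+?)\s*\}|(?P<perm>\w+))\s*;\s*$"
)

def parse_context(ctx):
    """Split 'user:role:type[:level]' into its fields; the level is optional."""
    parts = ctx.split(":", 3)  # maxsplit keeps MLS ranges like s0-s0:c0.c1023 whole
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)

def parse_policy(text):
    """Return {(source_type, target_type, class): set(permissions)} from allow rules."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        if not line.strip():
            continue
        m = _ALLOW_RE.match(line)
        if not m:
            raise ValueError(f"unsupported policy statement: {line.strip()!r}")
        perms = (m["perms"] or m["perm"]).split()
        rules.setdefault((m["src"], m["tgt"], m["cls"]), set()).update(perms)
    return rules

@dataclass
class SecurityServer:
    """Policy decision point: holds the loaded policy (a binary blob in the kernel)."""
    rules: dict

    def compute_av(self, stype, ttype, tclass):
        # Type Enforcement consults only the type fields of the two contexts.
        return frozenset(self.rules.get((stype, ttype, tclass), ()))

@dataclass
class AVC:
    """Access Vector Cache: answers repeated queries without the security server."""
    server: SecurityServer
    cache: dict = field(default_factory=dict)
    misses: int = 0

    def lookup(self, stype, ttype, tclass):
        key = (stype, ttype, tclass)
        if key not in self.cache:
            self.misses += 1
            self.cache[key] = self.server.compute_av(*key)
        return self.cache[key]

@dataclass
class ObjectManager:
    """Policy enforcement point (the LSM hooks): gathers labels, queries, logs denials."""
    avc: AVC
    enforcing: bool = True
    log: list = field(default_factory=list)

    def check(self, scontext, tcontext, tclass, perm, comm="?", pid=0):
        stype, ttype = parse_context(scontext)[2], parse_context(tcontext)[2]
        allowed = perm in self.avc.lookup(stype, ttype, tclass)
        if not allowed:
            self.log.append(
                f'avc:  denied  {{ {perm} }} for  pid={pid} comm="{comm}" '
                f"scontext={scontext} tcontext={tcontext} tclass={tclass} "
                f"permissive={0 if self.enforcing else 1}"
            )
        # Permissive mode logs the denial but lets the operation proceed.
        return allowed or not self.enforcing

# Constructed policy fragment (not a real targeted policy).
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { read search getattr open };
allow httpd_t http_port_t:tcp_socket name_bind;
"""

def demo(enforcing=True):
    """Run the slide's scenario (httpd reading index.html) plus two denials."""
    om = ObjectManager(AVC(SecurityServer(parse_policy(SAMPLE_POLICY))), enforcing)
    web = "system_u:system_r:httpd_t:s0"
    page = "system_u:object_r:httpd_sys_content_t:s0"
    home = "unconfined_u:object_r:user_home_t:s0"
    results = [
        om.check(web, page, "file", "read", comm="httpd", pid=1234),   # allowed
        om.check(web, page, "file", "read", comm="httpd", pid=1234),   # AVC hit
        om.check(web, page, "file", "write", comm="httpd", pid=1234),  # perm not in AV
        om.check(web, home, "file", "read", comm="httpd", pid=1234),   # no rule at all
    ]
    return results, om.avc.misses, om.log

if __name__ == "__main__":
    res, misses, log = demo()
    print("decisions:", res, "AVC misses:", misses)
    print("\n".join(log))
```

Two things the model makes concrete: the AVC is keyed by (source type, target type, class), so the second read and the write request both hit the cache even though the write is denied, and in permissive mode the same denial is logged with permissive=1 while the call returns success.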
