Introduction To SELinux

1.An Introduction to SELinux

Rene Cunningham

SELinux Introduction

Access Control Mechanisms

SELinux Policy

SELinux Administration

SELinux in Action

SELinux Benefits

Security Enhanced

Released by the NSA on 22/12/2000

GPL License

Implements MAC based security policies

Shipped in RHEL, Fedora, Debian, OpenSuSE and SLES

Merged into kernel 2.6.0-test3 on 08/08/2003

Supported in RHEL4 and RHEL5

Enablement in SLES11

A type groups objects such as files and directories together based on their fundamental security sameness.

httpd_sys_content_t

objects located in the /var/www directory

/etc directory

Every process runs in a domain which directly determines what access to types the process has

named_t

named daemon

initrc_t

init scripts

unconfined_t

processes that are not explicitly confined within SELinux policy.

Roles define which user or process can access what domain (processes) and what type (files, directories, device nodes)

Users and processes can transition to a new role in order to gain access to domains and types.

Rules that determine these transitions are defined within the SELinux Policy

user_r

ordinary system users

sysadm_r

system administrators

system_r

every process starts off under the system_r role

Roles can force system accounts such as root into a lesser privileged role.

To transition to arole thenewrolecommand is used

# newrole -r sysadm_r

Identities are applied to user accounts

Generally a user's SELinux identity does not change

Identities determine what roles user's can enter

user_u

generic unprivileged user identity

special root account

Every process or object on a system has a security context applied to it

The security context consists of three fields which are delimited by colons

identity:role:domain

identity:role:type

system_u:system_r:httpd_t

apache daemon

system_u:object_r:etc_t

/etc/passwd

Security context can be displayed by passing the 'Z' argument to the ls, ps and id commands.

Application separation

Control 'super user' privileges

Principle of least privileged

Ability to control access to system calls

Domains and types

Users are authorised for roles

Roles are authorised for domains and types

RBAC coupled with TE defines the SELinux security model

The ability to permit or deny the use of a particular resource by a particular entity

Unix groups, permission bits and file system extended attributes.

Owner who controls access to an object

user root owns the /etc/passwd file.

group root owns the /etc/passwd file.

owner can read/write, group and everyone else can read the file.

Central security policy.

Users unable to modify the security policy.

System Administrator can define just enough permissions for how processes access objects and other processes.

Security decisions first go through DAC and then MAC

(Image courtesy of Graham White's blog post - https://w3.tap.ibm.com/weblogs/Gibba/entry/selinux_permissive_vs_enforcing_mode)

Defines amongst other things, the rules that determine what access each domain has to each type

Defines

Domains

Identities

Access and Transitions

SELinux policy is distributed as binary

Compile once and distribute many

RHEL5 introduced SELinux policy modules

2 SELinux Policies are available in RHEL5

StrictandTargeted

audit daemon

kernel optionsCONFIG_AUDITandCONFIG_AUDITSYSCALLto be enabled

/var/log/audit/audit.log

type=AVC msg=audit(1230566507.214:106): avc:denied{ write }forpid=1560comm="mkdir"name="grep-2.5.1" dev=dm-0 ino=565574scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0tclass=dir

write operation was denied

Command mkdir raised the violation

Source context was root:system_r:httpd_sys_script_t:s0

Target context was system_u:object_r:usr_t:s0

Obtain SELinux denials from the log file

audit2allowcreates Type Enforcement allow rules

Compile withcheckmodule

semodule_packagewill create the SELinux module package

Load the SELinux module package withsemodule

enforcing=1as a kernel boot parameter

Set theSELINUXvariable in /etc/sysconfig/selinux toenforcing

Runsetenforce 1 during runtime

To disable SELinux, put it intopermissivemode

Permissive mode will continue to log SELinux violations though will not enforce SELinux policy.

Security Contexts are still applied to the filesystem when in permissive mode.

Not a good idea to fully disable SELinux

Relabling a filesystem applies the SELinux security contexts to all objects on the filesystem.

Usingfixfilescould render a system unstable

Booleans allow System Administrators to disable/enable optional SELinux policy during runtime.

Displayed withgetsebooland enabled/disabled withsetsebool

httpd_can_network_connect

httpd_enable_homedirs

samba_enable_home_dirs

Attacker has got access to /var/www/cgi-bin/ through a vulnerable web application and uploaded a cgi-bin script calledcracker

Attack on a server without SELinux

Attacker opens thecracker cgi-bin script in a web browser executingthe cgi-bin script, downloading the crackserver.pl script and executing it.

The same attack ona server withSELinux

Access to the /sbin/ip command is denied

What do the SELinux audit logs tell us about the attempted attack?

Same scenario but with the SELinux booleanhttpd_can_network_connectset to0 .

What do the SELinux audit logs tell us about the attempted attack?

Ability to confine services

Auditing logs for reporting

Application debugging

Provide fine grained access control

Strengthen the security of the servers IBM deploys

http://danwalsh.livejournal.com/

http://www.nsa.gov/selinux/

http://www.coker.com.au/selinux/

http://www.selinux-symposium.org/

http://selinux.sourceforge.net/

http://fedoraproject.org/wiki/SELinux

http://ibmurl.hursley.ibm.com/568

http://ibmurl.hursley.ibm.com/567

Whats next?

What can I do?

Thanksfor yourtimeandattention !

Introduction To SELinux

Technology

Transcript of Introduction To SELinux