Introduction To SELinux
Transcript of Introduction To SELinux
1. An Introduction to SELinux
- Rene Cunningham
2. Presentation Overview
- SELinux Introduction
- Access Control Mechanisms
- SELinux Policy
- SELinux Administration
- SELinux in Action
- SELinux Benefits
3. General Introduction
- Security Enhanced
- Released by the NSA on 22/12/2000
- GPL License
- Implements MAC based security policies
- Shipped in RHEL, Fedora, Debian, OpenSuSE and SLES
4. Linux Specific
- Merged into kernel 2.6.0-test3 on 08/08/2003
- Supported in RHEL4 and RHEL5
- Enablement in SLES11
5. Terminology :: Types
- A type groups objects such as files and directories together based on their fundamental security sameness.
6. Terminology :: Types
- httpd_sys_content_t
- objects located in the /var/www directory
- etc_t
- /etc directory
7. Terminology :: Domains
- Every process runs in a domain which directly determines what access to types the process has
8. Terminology :: Domains
- named_t
- named daemon
- initrc_t
- init scripts
- unconfined_t
- processes that are not explicitly confined within SELinux policy.
9. Terminology :: Roles
- Roles define which user or process can access what domain (processes) and what type (files, directories, device nodes)
- Users and processes can transition to a new role in order to gain access to domains and types.
- Rules that determine these transitions are defined within the SELinux Policy
10. Terminology :: Roles
- user_r
- ordinary system users
- sysadm_r
- system administrators
- system_r
- every process starts off under the system_r role
11. Terminology :: Roles
- Roles can force system accounts such as root into a lesser privileged role.
- To transition to a role the newrole command is used
- # newrole -r sysadm_r
12. Terminology :: Identity
- Identities are applied to user accounts
- Generally a user's SELinux identity does not change
- Identities determine what roles users can enter
13. Terminology :: Identity
- user_u
- generic unprivileged user identity
- root
- special root account
14. Terminology :: Security Context
- Every process or object on a system has a security context applied to it
- The security context consists of three fields which are delimited by colons
- identity:role:domain
- or
- identity:role:type
15. Terminology :: Security Context
- system_u:system_r:httpd_t
- apache daemon
- system_u:object_r:etc_t
- /etc/passwd
16. Terminology :: Security Context
- The security context can be displayed by passing the -Z option to the ls, ps and id commands.
17. Type Enforcement
- Application separation
- Control 'super user' privileges
- Principle of least privilege
- Ability to control access to system calls
- Domains and types
18. Role Based Access Control
- Users are authorised for roles
- Roles are authorised for domains and types
- RBAC coupled with TE defines the SELinux security model
19. Access Control Mechanisms
- The ability to permit or deny the use of a particular resource by a particular entity
20. Discretionary Access Control
- Unix groups, permission bits and file system extended attributes.
- Owner who controls access to an object
21. Discretionary Access Control
- user root owns the /etc/passwd file.
- group root owns the /etc/passwd file.
- owner can read/write, group and everyone else can read the file.
$ ls -la /etc/passwd
-rw-r--r-- 1 root root 2505 2008-12-10 13:03 /etc/passwd
22. Mandatory Access Control
- Central security policy.
- Users unable to modify the security policy.
- System Administrator can define just enough permissions for how processes access objects and other processes.
23. Mandatory Access Control
- Security decisions first go through DAC and then MAC
- (Image courtesy of Graham White's blog post - https://w3.tap.ibm.com/weblogs/Gibba/entry/selinux_permissive_vs_enforcing_mode)
24. SELinux Policy
- Defines amongst other things, the rules that determine what access each domain has to each type
25. SELinux Policy
- Defines
- Types
- Domains
- Identities
- Roles
- Access and Transitions
26. SELinux Policy
- SELinux policy is distributed as binary
- Compile once and distribute many
- RHEL5 introduced SELinux policy modules
- 2 SELinux Policies are available in RHEL5
- Strict and Targeted
27. SELinux Logs
- audit daemon
- Requires the kernel options CONFIG_AUDIT and CONFIG_AUDITSYSCALL to be enabled
- /var/log/audit/audit.log
28. SELinux Violations
- type=AVC msg=audit(1230566507.214:106): avc: denied { write } for pid=1560 comm="mkdir" name="grep-2.5.1" dev=dm-0 ino=565574 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
- write operation was denied
- Command mkdir raised the violation
- Source context was root:system_r:httpd_sys_script_t:s0
- Target context was system_u:object_r:usr_t:s0
29. Creating Policy
- Obtain SELinux denials from the log file
- audit2allow creates Type Enforcement allow rules
- Compile with checkmodule
- semodule_package will create the SELinux module package
- Load the SELinux module package with semodule
30. Creating Policy
31. Listing SELinux Policy Modules
32. Enabling SELinux
- enforcing=1 as a kernel boot parameter
33. Enabling SELinux
- Set the SELINUX variable in /etc/sysconfig/selinux to enforcing
- Run setenforce 1 during runtime
34. Disabling SELinux
- To disable SELinux, put it into permissive mode
- Permissive mode will continue to log SELinux violations though will not enforce SELinux policy.
- Security Contexts are still applied to the filesystem when in permissive mode.
- Not a good idea to fully disable SELinux
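As an added example (not from the presentation), the Python check below reads a file in the /etc/sysconfig/selinux format used on these slides, reports the configured mode together with the findings a reviewer would raise (permissive logs but does not enforce; disabled leaves new files without a security context, so a later return to enforcing needs a relabel), and compares the configured mode with what the running kernel enforces, which is what changes when setenforce is used at runtime. The sample config is constructed. The paths /sys/fs/selinux/enforce and /selinux/enforce are assumed locations of the kernel's enforce flag (the latter on RHEL5-era systems).

```python
from typing import Dict, List, Optional, Tuple

VALID_MODES = ("enforcing", "permissive", "disabled")
VALID_TYPES = ("targeted", "strict")  # the two policies shipped with RHEL5

# Constructed sample in the format of /etc/sysconfig/selinux
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive   # relaxed while debugging a CGI script
SELINUXTYPE=targeted
"""


def parse_sysconfig(text: str) -> Dict[str, str]:
    """KEY=value lines; '#' starts a comment, values may be quoted."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def assess_config(text: str) -> Tuple[str, List[str]]:
    """Return (configured mode, findings) for the body of a sysconfig file."""
    cfg = parse_sysconfig(text)
    mode = cfg.get("SELINUX", "")
    findings: List[str] = []
    if mode not in VALID_MODES:
        findings.append(f"SELINUX={mode!r} is not one of {VALID_MODES}")
    elif mode == "disabled":
        findings.append("SELINUX=disabled: no policy is loaded and new files get no security "
                        "context, so re-enabling later requires a filesystem relabel")
    elif mode == "permissive":
        findings.append("SELINUX=permissive: violations are logged to audit.log but not enforced")
    seltype = cfg.get("SELINUXTYPE", "")
    if seltype not in VALID_TYPES:
        findings.append(f"SELINUXTYPE={seltype!r} is not one of {VALID_TYPES}")
    return mode, findings


def runtime_mode(enforce_paths=("/sys/fs/selinux/enforce", "/selinux/enforce")) -> Optional[str]:
    """What the kernel enforces right now (what getenforce prints); None when
    selinuxfs is not mounted, which is how a disabled SELinux looks from userspace."""
    for path in enforce_paths:  # assumed locations of the enforce flag
        try:
            with open(path) as fh:
                return "enforcing" if fh.read().strip() == "1" else "permissive"
        except OSError:
            continue
    return None


def drift(configured: str, running: Optional[str]) -> Optional[str]:
    """Report a runtime state that differs from the file, e.g. after 'setenforce 0'."""
    running = running or "disabled"
    if configured == running:
        return None
    return f"configured {configured} but currently {running}"


if __name__ == "__main__":
    mode, findings = assess_config(SAMPLE_CONFIG)
    print("configured:", mode)
    for f in findings:
        print(" -", f)
    d = drift(mode, runtime_mode())
    if d:
        print(" -", d)
```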
35. Relabeling a Filesystem
- Relabeling a filesystem applies the SELinux security contexts to all objects on the filesystem.
- Using fixfiles could render a system unstable
36. Booleans
- Booleans allow System Administrators to disable/enable optional SELinux policy during runtime.
- Displayed with getsebool and enabled/disabled with setsebool
- httpd_can_network_connect
- httpd_enable_homedirs
- samba_enable_home_dirs
37. SELinux in Action
- Attacker has got access to /var/www/cgi-bin/ through a vulnerable web application and uploaded a cgi-bin script called cracker
38. SELinux in Action
- Attack on a server without SELinux
- Attacker opens the cracker cgi-bin script in a web browser, executing the cgi-bin script, downloading the crackserver.pl script and executing it.
39. SELinux in Action
- The same attack on a server with SELinux
- Access to the /sbin/ip command is denied
40. SELinux in Action
- What do the SELinux audit logs tell us about the attempted attack?
41. SELinux in Action
- Same scenario but with the SELinux boolean httpd_can_network_connect set to 0.
42. SELinux in Action
- What do the SELinux audit logs tell us about the attempted attack?
43. SELinux Benefits
- Ability to confine services
- Auditing logs for reporting
- Application debugging
- Provide fine grained access control
- Strengthen the security of the servers IBM deploys
44. Resources
- http://danwalsh.livejournal.com/
- http://www.nsa.gov/selinux/
- http://www.coker.com.au/selinux/
- http://www.selinux-symposium.org/
- http://selinux.sourceforge.net/
- http://fedoraproject.org/wiki/SELinux
- http://ibmurl.hursley.ibm.com/568
- http://ibmurl.hursley.ibm.com/567
45. End Of Presentation
- What's next?
- What can I do?
- Thanks for your time and attention!