SELinux Johannesburg Linux User Group (JoziJUg)
Transcript of SELinux Johannesburg Linux User Group (JoziJUg)
Jozi LUG - SELinux
Introduction to Security Enhanced Linux
26th March 2012
Sponsored by LPI South Africa
Topics
● What is SELinux?
● Computer Security Models
● Mandatory Access Control & Discretionary Access Control
● SELinux Policy
● Object Classes and actions/permissions
Topics
● Security Context
● File Security Context
● Troubleshooting & Tools
● SELinux Booleans
● SELinux Managing Ports
● SELinux Writing Policy
What is SELinux
● A mechanism for supporting mandatory access control (MAC), role based access control (RBAC) & multi-level security (MLS/MCS)
● Implemented as a Linux Security Module (LSM)
● LSM allows the kernel to support different security models; it is used by AppArmor, Smack and SELinux
Computer Security Models
● Three security models are possible with SELinux
● MLS/MCS – multilevel security, multi category security. Mainly about file access. Every subject must have a clearance level, and so must every file (not covered): Top Secret, Secret, Confidential and Unclassified
● RBAC – role based access control: how users transition between roles, and which domains the roles have rights to; roles aggregate permissions
Computer Security Models
● Mandatory Access Control via Type Enforcement – the first step before MLS/MCS. Good for daemons, services
● This presentation focuses on MAC via TE in SELinux. Although the other security models can be used, they are too restrictive for most situations, so TE on its own is what is usually used. MAC is mainly useful for daemons and processes, not users
Mandatory Access Control Definition
● Mandatory Access Control (MAC) – the security policy sets the access controls, and they cannot be changed by system users or processes
● Discretionary Access Control (DAC) – the underlying Unix permissions can be changed at the discretion of the file owner
Mandatory/Discretionary Access Control
● DAC makes the system vulnerable: users can change permissions, and there is no protection from broken software, i.e. a process has complete control over all resources owned by its user
● MAC – provides control over the interactions of software through defined policies and does not allow users to do anything that breaks these policies. Prevents compromised processes from affecting other processes and files
Mandatory Access Control
● A subject performs actions on an object
● The subject is always a process
● The object can be a file, device, user, process, socket, x_cursor...
● An action is a system function call, i.e. a permission
How is MAC Implemented?
● A security context is given to objects and processes, aka labeling for the file system
● A security context is just a free format string, the "label"
● By a policy file which contains rules about what domains/types the subject and object must have for the requested action to be allowed, i.e. it gives meaning to the security context strings. Policies limit what a daemon can access and how
SELinux Policy
● Rules for how the source context of the subject is evaluated against the target security context of the object
● By default, if no rule is defined, the action is denied. That is difficult for general purpose computing, so a less restrictive policy is provided
SELinux Policy
● Two policy packages –
● Targeted – doesn't use users & roles, only restricts certain services, uses type enforcement only. Unaffected subjects and objects run in the unconfined_t domain
● Strict – deny all by default, lots of tweaking
● We will look at a policy file later
Object Classes
● Object classes (categories) – more than 70
● Object classes have a set of permissions (actions), e.g.:
– dir
– socket
– tcp_socket
– filesystem
– node
– x_cursor
Object Class Permissions (Actions)
● Each object class has its own list of permissions or actions, e.g. dir: (see the slide on seinfo later)
● getattr/setattr
● unlink
● execute
● read
● search
● rmdir
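The two policy slides and the object class slides describe the evaluation rule in words: a request carries a source context, a target context, an object class and a permission, the policy is searched for a matching allow rule, and anything not explicitly allowed is denied. The following added example (not from the slides or from the SELinux project) models exactly that in POSIX shell. The policy text is constructed for the example, and te_check is a hypothetical helper name; it implements type enforcement only, so, as with real TE rules, only the type field of each context takes part in the decision.

```shell
#!/bin/sh
# Constructed toy policy (not from the slides): three TE allow rules written in
# the same syntax a .te file uses. Anything not listed here is denied.
POLICY='allow httpd_t httpd_sys_content_t:file { getattr open read };
allow httpd_t httpd_sys_content_t:dir { getattr search };
allow httpd_t http_port_t:tcp_socket name_bind;'

# te_check SOURCE_CONTEXT TARGET_CONTEXT CLASS PERMISSION
# Prints "allow" if some rule grants PERMISSION on CLASS from the subject's type
# to the object's type, otherwise "deny". Only the type field (third field of
# user:role:type[:level]) is consulted, which is how type enforcement works.
te_check() {
  src_type=$(printf '%s' "$1" | cut -d: -f3)
  tgt_type=$(printf '%s' "$2" | cut -d: -f3)
  printf '%s\n' "$POLICY" | awk -v s="$src_type" -v t="$tgt_type" -v c="$3" -v p="$4" '
    {
      gsub(/[{};]/, " ")                 # "{ a b };" and "a;" both become plain word lists
      if ($1 != "allow" || $2 != s) next
      split($3, tc, ":")                 # the target is written as type:class
      if (tc[1] != t || tc[2] != c) next
      for (i = 4; i <= NF; i++) if ($i == p) found = 1
    }
    END { print (found ? "allow" : "deny") }
  '
}

# Demonstration: the first request matches the first rule, the second has no rule
# at all (default deny), the third asks for a permission the rule does not list.
te_check system_u:system_r:httpd_t:s0 system_u:object_r:httpd_sys_content_t:s0 file read
te_check system_u:system_r:httpd_t:s0 unconfined_u:object_r:user_home_t:s0 file read
te_check system_u:system_r:httpd_t:s0 system_u:object_r:httpd_sys_content_t:s0 file write
```

The second call is the case the slides call "most common SELinux problem": httpd_t asking to read user_home_t is denied not because of the user or role but because no rule joins those two types, which is why relabelling the file (or a boolean) is usually the fix rather than a new rule.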
Security Context
● A security context or label is the set of security attributes associated with a subject or an object
● <user>:<role>:<type>
● e.g. system_u:object_r:httpd_exec_t
● system_u – standard for system daemons
● object_r – standard for system objects such as devices and files
● Targeted policy – unconfined_u, unconfined_r
Security Context
● User – individual or process; SELinux maintains its own list of users. For subjects the user is the user the process runs as, for objects it is the owner of the object
● Role – similar to a group, but a user can only have 1 role at a time; a user can switch roles if authorised to do so
● Type/Domain – type is used for files, domain is used for processes. This is what manages access control
Security Context
● Standard commands have a -Z option to show the security context
● ls -Z
● ps -Z
● netstat -Z
File Security Context
● Most common SELinux problem – file labels
● restorecon – restores the defined context for a file
● chcon -t $type <file|dir> – temporary
● semanage fcontext -a -t $type <file|dir>
● /etc/selinux/targeted/contexts/files/file_contexts
Troubleshooting & Tools
● /var/log/audit/audit.log
● Create policy files from audit2allow
● avc = access vector cache
SELinux Tools
● setroubleshoot – can help with friendlier error messages and suggestions of how to fix the problem
● "cat /var/log/audit/audit.log | sedispatch" → will send the error messages to setroubleshoot for lookup & formatting
SELinux Tools
● seinfo
● List all classes: "seinfo -c"
● List all permissions for a class: "seinfo -c dir -x" for dir permissions/actions
● List all types with permissions: "seinfo -t <type> -x"
● List all users/roles with permissions: "seinfo -u <user> -x" / "seinfo -r <role> -x"
● List all port contexts: "seinfo --portcon"
SELinux - Booleans
● Booleans
● getsebool -a
● semanage boolean -l
● setsebool <boolean> on|off
● setsebool -P <boolean> on|off
Manage Ports
● semanage port -l
● Add a port
● semanage port -a -t <type> -p <proto> <port|port-range>
● Delete a port
● semanage port -d -t <type> -p <proto> <port|port-range>
Writing SELinux Policy
● The policy is compiled in user space
● The m4 macro preprocessor is used prior to compilation (optional)
● The initial policy binary is loaded by init at boot
● Policy modules (binaries) can be loaded and unloaded at any time
Writing SELinux Policy
● "cat /var/log/audit/audit.log | audit2allow -m mymod > mymod.te"
● checkmodule -M -m -o mymod.mod mymod.te
● semodule_package -o mymod.pp -m mymod.mod
● semodule -i mymod.pp
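The troubleshooting slides point at /var/log/audit/audit.log and the AVC denials in it, and the slide above feeds those denials to audit2allow to get a mymod.te. The following added example (not from the slides, and not the code of audit2allow or any SELinux project tool) shows in POSIX shell what that pipeline does with the log: it pulls the source type, target type, object class and denied permissions out of each AVC record, aggregates them, and writes a module source in the same shape as audit2allow -m. The audit.log lines are constructed for the example, and avc_summary and avc_to_te are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not taken from the slides):
# two AVC denials for the same httpd_t -> user_home_t file access, one tcp_socket
# denial, and one SYSCALL record that the parser must ignore.
AVC_SAMPLE='type=AVC msg=audit(1332763200.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1332763200.102:202): avc:  denied  { read open } for  pid=1201 comm="httpd" name="index.html" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1332763200.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332763200.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"'

# avc_summary: read audit records on stdin and print one sorted line per denied
# permission: "count source_type target_type class perm". Reviewing this list is
# the check to do before loading anything: a denial against user_home_t here is
# far more likely a mislabelled file (restorecon / semanage fcontext) than a gap
# in the httpd_t policy.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)           # text between the braces
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^scontext=/) src = substr($i, 10)
        else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      split(src, sa, ":"); split(tgt, ta, ":")      # user:role:type[:level], type is field 3
      n = split(perms, pa, " ")
      for (j = 1; j <= n; j++) count[sa[3] " " ta[3] " " cls " " pa[j]]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort
}

# avc_to_te MODNAME: turn the summary into a minimal policy module source (.te)
# in the shape audit2allow -m produces: a require block listing every type and
# class/permission used, then one allow rule per (source type, target type, class).
avc_to_te() {
  avc_summary | awk -v mod="$1" '
    function fmt(l) { sub(/^ /, "", l); return (index(l, " ") ? "{ " l " }" : l) }
    {
      src = $2; tgt = $3; cls = $4; perm = $5
      if (!(src in seen_t)) { seen_t[src] = 1; tlist[++nt] = src }
      if (!(tgt in seen_t)) { seen_t[tgt] = 1; tlist[++nt] = tgt }
      if (!(cls in seen_c)) { seen_c[cls] = 1; clist[++nc] = cls }
      key = src " " tgt ":" cls
      if (!(key in rule)) { rlist[++nrule] = key; rule[key] = "" }
      rule[key] = rule[key] " " perm
      if (!((cls, perm) in seen_cp)) { seen_cp[cls, perm] = 1; cperm[cls] = cperm[cls] " " perm }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", clist[i], fmt(cperm[clist[i]])
      printf "}\n\n"
      for (i = 1; i <= nrule; i++) printf "allow %s %s;\n", rlist[i], fmt(rule[rlist[i]])
    }
  '
}

# Demonstration on the constructed sample; on a real host the input would be
# "cat /var/log/audit/audit.log | avc_summary" as on the slide.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_to_te mymod
```

The generated mymod.te is the input to the checkmodule, semodule_package and semodule -i steps listed above. Every allow rule it contains widens what httpd_t may touch, so the summary is the point at which to decide, per line, whether the right fix is a label (restorecon), an existing boolean (getsebool -a), or a genuine new rule.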
Questions?
● Visit us at
– www.JumpingBean.co.za
– www.LinuxCertification.co.za