Transcript SELinux

SELinux
http://www.nsa.gov/research/selinux/index.shtml
http://docs.fedoraproject.org/enUS/Fedora/13/html/Security-Enhanced_Linux/
Outline
• What is the problem?
• What is SELinux?
• What is it trying to do?
• How does it work?
cs490ns - cotter
2
The Problem:
• Virus / security attacks – up
• System complexity – up
• Network connectivity – up
• Code sophistication – up
– More active content
– More mobile code
The Problem:
• Patch cycle
– Attackers find a vulnerability and develop an exploit
– Users / testers discover an exploit and develop a patch to negate the exploit
– Protecting the systems in the period between when the exploit is developed and when the patch is distributed is called the 0-Day problem
The Issue:
• The Problem:
– How do you defend against an exploit that hasn’t been developed?
• A Possible Solution:
– Control access to resources to limit exposure, and thus the chances for an exploit
– Also manage access controls such that, if an exploit is successful, there is a strict limit on the resources available to the exploit
Access Control
• Linux (and most other OSs) implement discretionary access control over resources
– Users have the discretion to allow or deny access to resources that they control
• If a process is compromised, it operates with the access controls given to that process (those of the user/owner).
• Higher level security implements access control in the system (mandatory access control).
– Access to resources is managed by a security policy, not user decisions.
SELinux History
• Mandatory access controls (MAC) used in high security systems (military) for years.
• NSA began work on embedding MAC into existing operating systems
– 1991-1992 – Mach OS
– 1993-1995 – Distributed Trusted OS
– 1998-1999 – Flux Advanced Security Kernel (FLASK)
– 2000 - ? – Security Enhanced Linux
SELinux Terminology
• Identity
– Similar to, but separate from, user ID. They are separate items.
– su command changes user ID, but not identity (??)
• Domain
– A list of what actions a process can perform
– Examples: sysadm_t, user_t, named_t
• Type
– A list of actions that can be performed on an object (file, directory, etc.). Similar to domain
• Role
– Defines what domains a user is allowed to access
– Examples: user_r, staff_r
Security Context
• A combination of user, role and type
– Who is the user?
– What is their role?
– What can they do?
• Example
[rcotter@kc-sce-450p2 ~]$ ls -l ssh.ps
-rw-r----- 1 rcotter rcotter 67014 Feb 10 14:16 ssh.ps
[rcotter@kc-sce-450p2 ~]$ ls -Z ssh.ps
-rw-r----- rcotter rcotter user_u:object_r:user_home_t ssh.ps
[rcotter@kc-sce-450p2 ~]$
Security Model
• Security Context analysis:
– Similar to sentence diagramming
John        Subject          user_u         User
Hit         Verb (action)    object_r       Role
Baseball    Object           user_home_t    Type (domain)
Updates in Fedora
• 4th element of context – level
– Multi-level security / multi-category security
– Allows the identification of multiple levels of security
• Original design was to allow multiple levels and multiple categories. In most systems, only multiple categories are supported. Level s0 is used by default.
– Allows the use of multiple categories.
• Text file (/etc/selinux/targeted/setrans.conf) used to provide a human readable form for contexts.
• Example file:
– s0:c0=CompanyConfidential
– s0:c1=PatientRecord
– s0:c2=unclassified
– Etc.
– Designed to secure information in levels (no read up or write down)
• Bell-LaPadula security model.
Security Context in Fedora10
[rcotter@fedora10-sce-bobc Pictures]$ ls -Z
-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.jpeg
-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.png
-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_file_label.jpeg
-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_status.jpeg
-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_translation.jpeg
-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_user.jpeg
[rcotter@fedora10-sce-bobc Pictures]$
SELinux Security Models
• Type Enforcement (TE)
– Confine processes (subjects) to domains by using security contexts.
• Role-based Access Control (RBAC)
– Recognizes that users often need to move from one domain to another. RBAC rules explicitly allow roles to move from one domain to another.
• Multi-Level Security
– Enforce Bell-LaPadula security model.
– Users allowed to read at one level cannot read at higher levels. Also, users allowed to write at one level are not allowed to write at a lower level. (Ensures that secure information does not propagate to lower levels.)
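An added example (not part of the slides) working through the Bell-LaPadula rules above on SELinux-style levels such as s0:c0,c2, with a constructed category-name mapping standing in for the setrans.conf file from the Fedora slide; the level syntax (sensitivity sN, categories cN and ranges cN.cM) is what ls -Z shows.

```python
import re
from typing import Set, Tuple

# Constructed stand-in for the setrans.conf mapping on the slide (not a real file)
CATEGORY_NAMES = {0: "CompanyConfidential", 1: "PatientRecord", 2: "unclassified"}

def parse_level(level: str) -> Tuple[int, Set[int]]:
    """Parse an MLS/MCS level like 's0', 's1:c0,c2' or 's0:c0.c3' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    categories: Set[int] = set()
    if cats:
        for item in cats.split(","):
            r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)  # single c2 or a range c0.c3
            if not r:
                raise ValueError(f"bad category in {level!r}")
            lo = int(r.group(1))
            hi = int(r.group(2)) if r.group(2) else lo
            categories.update(range(lo, hi + 1))
    return int(m.group(1)), categories

def dominates(a: str, b: str) -> bool:
    """a dominates b when its sensitivity is >= b's and its categories are a superset of b's."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and ca >= cb

def can_read(subject: str, obj: str) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return dominates(subject, obj)

def can_write(subject: str, obj: str) -> bool:
    """Bell-LaPadula *-property: no write down, so the object must dominate the subject."""
    return dominates(obj, subject)

def translate(level: str) -> str:
    """Show a level with category names instead of numbers, as setrans.conf is meant to."""
    sens, cats = parse_level(level)
    names = [CATEGORY_NAMES.get(c, f"c{c}") for c in sorted(cats)]
    return f"s{sens}" + (":" + ",".join(names) if names else "")
```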
TE Security Model
• Each process is associated with a domain
– A “sandbox” to limit or control its interactions
• Each domain is associated with a security context
– A combination of a resource and the actions allowed on that resource (read a file, execute a program, etc.)
• Each resource (file, etc.) has a security context.
– Processes can only act on resources if the security contexts specifically grant access.
SELinux Policy
• Security Context determined by system policy file
– Policy is a compiled file, based on a text file that you define (or a default file that you use). This defines all of the various file and user contexts that you want to be active in your system
– Compiled policy stored in /etc/selinux/targeted/policy
– Based on contexts in /etc/selinux/targeted/contexts
file_contexts.homedirs
Default file context for regular user’s home directory
/home/[^/]*                                      -d   user_u:object_r:user_home_dir_t
/home/[^/]*/.+                                        user_u:object_r:user_home_t
/home/[^/]*/((www)|(web)|(public_html))(/.+)?         user_u:object_r:httpd_user_content_t
/home/[^/]*/.*/plugins/libflashplayer\.so.*      --   user_u:object_r:texrel_shlib_t
(Also contains default context for root user)
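As an added example (not from the slides), a small matcher that reads entries in the file_contexts format above and resolves a path's default context the way setfiles and restorecon do: the regex must match the whole path, the optional file-type flag (-d directory, -- regular file) must match, and later entries override earlier ones. The entries are the slide's, re-typed as a constructed string; the rest is assumed code.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the file_contexts format shown on the slide:
# <regex> [<file type>] <context>. File type flags follow setfiles(8):
# -d directory, -- regular file, -l symlink; absent means any type.
SAMPLE_SPEC = r"""
/home/[^/]*                                   -d  user_u:object_r:user_home_dir_t
/home/[^/]*/.+                                    user_u:object_r:user_home_t
/home/[^/]*/((www)|(web)|(public_html))(/.+)?     user_u:object_r:httpd_user_content_t
/home/[^/]*/.*/plugins/libflashplayer\.so.*   --  user_u:object_r:texrel_shlib_t
"""

FILE_TYPES = {"-d": "dir", "--": "file", "-l": "symlink"}

Rule = Tuple[re.Pattern, Optional[str], str]

def parse_spec(text: str) -> List[Rule]:
    """Parse spec lines into (anchored regex, required file type or None, context)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            ftype = FILE_TYPES[flag]
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        # file_contexts regexes are implicitly anchored at both ends
        rules.append((re.compile(f"^(?:{regex})$"), ftype, context))
    return rules

def match_context(rules: List[Rule], path: str, ftype: str = "file") -> Optional[str]:
    """Resolve a path's default context: the last matching entry wins."""
    result = None
    for regex, required_type, context in rules:
        if required_type is not None and required_type != ftype:
            continue
        if regex.match(path):
            result = context
    return result

RULES = parse_spec(SAMPLE_SPEC)
```

A path that matches no entry (such as /etc/passwd here) resolves to None; on a real system that is where the other file_contexts files and semanage fcontext additions come in.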
SELinux Usage
• Enable / Disable SELinux
– selinuxenabled
• Set enforcement policy permissive / disabled
– setenforce / getenforce
• Set Policy type
– Targeted (only monitor specific services and files)
– Strict (monitor everything)
– Defined in /etc/selinux/config
• If targeted, select policies for each service
SELinux Commands
• Global Commands
– selinuxenabled
– getenforce
– setenforce
– sestatus
– fixfiles
• SELinux Files
– /etc/selinux/config
– /selinux/booleans
SELinux Commands
• Security Context Control (file contexts)
– checkpolicy
– load_policy
– setfiles
– restorecon
– chcon
• Targeted policy overrides
– getsebool
– setsebool
– togglesebool
SELinux Commands
• Policy Control
– checkpolicy (check and create a new policy)
– load_policy
– setfiles
– restorecon
– chcon
– semanage
SELinux Commands
• Process related context information (in man)
– ftpd_selinux
– named_selinux
– rsync_selinux
– httpd_selinux
– nfs_selinux
– samba_selinux
– kerberos_selinux
– nis_selinux
– ypbind_selinux
Setting Security Level – Fedora 14 / CentOS
(screenshot slide)
SELinux tool – F14/CentOS
(screenshot slide)
SELinux Troubleshooter (old)
(screenshot slide)
SELinux Alert Tool – F14/CentOS
(screenshot slide)
SELinux Alert Tool – Details
(screenshot slide)
SELinux Alert Tool – Fix
(screenshot slide)
SELinux Policy Gen Tool
(screenshot slide)
MAC in Ubuntu
• SELinux is available, but not installed by default
• Default approach uses AppArmor
– Focus is not at system level (as in SELinux), but at the application level.
– Theory is that most of the security issues arise at the application level.
– It is easier to protect (and constrain) an application with AppArmor, as long as you don’t have a lot of applications to protect.
SELinux Status
• SELinux is still very complex.
– There are many commands and tools available to manage file and process contexts, and the overall system policy.
– Default policies and contexts provide a significant level of protection, but adjusting the default policy for individual requirements is still a challenge.
– SELinux troubleshooter offers some help in addressing SELinux issues.
Summary
• SELinux provides a new layer of protection for Linux.
• Provides fine grained mandatory access controls that work in addition to existing discretionary access controls (mode bits)
• Policy file configuration complex (and not yet well documented)
• Default policy file provides secure operating environment
– If anything, it is likely to be more restrictive than a user might wish.