
SELinux



  1. SELinux
  http://www.nsa.gov/research/selinux/index.shtml
  http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

  2. Outline
  • What is the problem?
  • What is SELinux?
  • What is it trying to do?
  • How does it work?

  3. The Problem:
  • Virus / security attacks – up
  • System complexity – up
  • Network connectivity – up
  • Code sophistication – up
  • More active content
  • More mobile code

  4. The Problem:
  • Patch cycle
    • Attackers find a vulnerability and develop an exploit
    • Users / testers discover an exploit and develop a patch to negate the exploit
    • Protecting the systems in the period between when the exploit is developed and when the patch is distributed is called the 0-Day problem

  5. The Issue:
  • The Problem:
    • How do you defend against an exploit that hasn’t been developed?
  • A Possible Solution:
    • Control access to resources to limit exposure – and thus the chances for an exploit
    • Also manage access controls such that, if an exploit is successful, there is a strict limit on the resources available to the exploit

  6. Access Control
  • Linux (and most other OSs) implement discretionary access control over resources
    • Users have the discretion to allow or deny access to resources that they control
    • If a process is compromised, it operates with the access controls given to that process (those of the user/owner).
  • Higher level security implements access control in the system (mandatory access control).
    • Access to resources is managed by a security policy, not user decisions.

  7. SELinux History
  • Mandatory access controls (MAC) used in high security systems (military) for years.
  • NSA began work on embedding MAC into existing operating systems
    • 1991–1992 – Mach OS
    • 1993–1995 – Distributed Trusted OS
    • 1998–1999 – Flux Advanced Security Kernel (FLASK)
    • 2000–? – Security Enhanced Linux

  8. SELinux Terminology
  • Identity
    • Similar to, but separate from, user ID. They are separate items.
    • su command changes user ID, but not identity (??)
  • Domain
    • A list of what actions a process can perform
    • Examples: sysadm_t, user_t, named_t
  • Type
    • A list of actions that can be performed on an object (file, directory, etc.). Similar to domain
  • Role
    • Defines what domains a user is allowed to access
    • Examples: user_r, staff_r

  9. Security Context
  • A combination of user, role and type
    • Who is the user?
    • What is their role?
    • What can they do?
  • Example
    [rcotter@kc-sce-450p2 ~]$ ls -l ssh.ps
    -rw-r----- 1 rcotter rcotter 67014 Feb 10 14:16 ssh.ps
    [rcotter@kc-sce-450p2 ~]$ ls -Z ssh.ps
    -rw-r----- rcotter rcotter user_u:object_r:user_home_t ssh.ps
    [rcotter@kc-sce-450p2 ~]$

  10. Security Model
  • Security Context analysis:
    • Similar to sentence diagramming

  11. Updates in Fedora
  • 4th element of context – level
  • Multi-level security / multi-category security
    • Allows the identification of multiple levels of security
    • Original design was to allow multiple levels and multiple categories. In most systems, only multiple categories are supported. Level S0 is used by default.
    • Allow the use of multiple categories.
  • Text file (/etc/selinux/targeted/settrans.conf) used to provide a human readable form for contexts.
  • Example file:
    • S0:c0=CompanyConfidential
    • S0:c1=PatientRecord
    • S0:c2=unclassified
    • Etc.
  • Designed to secure information in levels (no read up or write down)
    • Bell-LaPadula security model.

  12. Security Context in Fedora10
  [rcotter@fedora10-sce-bobc Pictures]$ ls -Z
  -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.jpeg
  -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.png
  -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_file_label.jpeg
  -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_status.jpeg
  -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_translation.jpeg
  -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_user.jpeg
  [rcotter@fedora10-sce-bobc Pictures]$

  13. SELinux Security Models
  • Type Enforcement (TE)
    • Confine processes (subjects) to domains by using security contexts.
  • Role-based Access Control (RBAC)
    • Recognizes that users often need to move from one domain to another. RBAC rules explicitly allow roles to move from one domain to another
  • Multi-Level Security
    • Enforce Bell-LaPadula security model.
    • Users allowed to read at one level cannot read at higher levels. Also users allowed to write at one level are not allowed to write at a lower level. (Ensures that secure information does not propagate to lower levels.)
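The no-read-up / no-write-down rules of slides 11 and 13, applied to the level element of a context, as an added Python example that is not part of the deck: levels are ordered by dominance (sensitivity and category set), and the settrans.conf-style name table is an assumed one modelled on the slide's example lines.

```python
import re
from typing import FrozenSet, NamedTuple

# An MLS/MCS level: one sensitivity (s0, s1, ...) plus a set of categories (c0, c1, ...).
Level = NamedTuple("Level", [("sensitivity", int), ("categories", FrozenSet[int])])

# Constructed translation table modelled on the slide's settrans.conf lines
# (assumed names for this example, not a real site's file).
SETTRANS = {"s0:c0": "CompanyConfidential", "s0:c1": "PatientRecord", "s0:c2": "Unclassified"}
RAW_LEVEL = {name: raw for raw, name in SETTRANS.items()}

def parse_level(text: str) -> Level:
    """Parse a raw level ('s0', 's0:c0,c2', or 's0:c0.c3' for a category range)
    or one of the translated names in SETTRANS."""
    text = RAW_LEVEL.get(text, text)
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")           # 'c0.c3' is the range c0..c3
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        categories.update(range(first, last + 1))
    return Level(int(m.group(1)), frozenset(categories))

def dominates(a: Level, b: Level) -> bool:
    """a dominates b when its sensitivity is at least b's and it holds every
    category b holds; levels with disjoint categories are incomparable."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories

def may_read(subject: str, obj: str) -> bool:
    """Simple security property: no read up (the subject must dominate the object)."""
    return dominates(parse_level(subject), parse_level(obj))

def may_write(subject: str, obj: str) -> bool:
    """*-property: no write down (the object must dominate the subject)."""
    return dominates(parse_level(obj), parse_level(subject))

def translate(level: str) -> str:
    """Human-readable form of a raw level, as the settrans.conf file would show it."""
    return SETTRANS.get(level, level)
```

Fedora's targeted (MCS) policy constrains writes by requiring the subject to dominate the object rather than by the *-property; the block shows the Bell-LaPadula model as the slides describe it.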

  14. TE Security Model
  • Each process is associated with a domain
    • A “sandbox” to limit or control its interactions
  • Each domain is associated with a security context
    • A combination of a resource and the actions allowed on that resource (read a file, execute a program, etc.)
  • Each resource (file, etc.) has a security context.
  • Processes can only act on resources if the security contexts specifically grant access.

  15. SELinux Policy
  • Security Context determined by system policy file
  • Policy is a compiled file, based on a text file that you define (or a default file that you use). This defines all of the various file and user contexts that you want to be active in your system
    • Compiled policy stored in /etc/selinux/targeted/policy
    • Based on contexts in /etc/selinux/targeted/contexts

  16. file_contexts.homedirs
  Default file context for regular user’s home directory
    /home/[^/]*  -d  user_u:object_r:user_home_dir_t
    /home/[^/]*/.+  user_u:object_r:user_home_t
    /home/[^/]*/((www)|(web)|(public_html))(/.+)?  user_u:object_r:httpd_user_content_t
    /home/[^/]*/.*/plugins/libflashplayer\.so.*  --  user_u:object_r:texrel_shlib_t
  (Also contains default context for root user)
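How the contexts of slides 9 and 12 and the file_contexts.homedirs entries of slide 16 fit together, as an added Python example that is not part of the deck: it splits a context into user, role, type and the optional level, and resolves a path against the slide's four entries. It assumes the last matching entry wins, which is the order setfiles and matchpathcon rely on, and treats the type field (-d, --) as restricting an entry to that file type.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the file_contexts.homedirs format shown on slide 16:
#   <path regex> [<file type>] <context>
# -d restricts an entry to directories, -- to regular files; no type field
# means the entry applies to anything.
FILE_CONTEXTS_HOMEDIRS = r"""
/home/[^/]*                                   -d  user_u:object_r:user_home_dir_t
/home/[^/]*/.+                                    user_u:object_r:user_home_t
/home/[^/]*/((www)|(web)|(public_html))(/.+)?     user_u:object_r:httpd_user_content_t
/home/[^/]*/.*/plugins/libflashplayer\.so.*   --  user_u:object_r:texrel_shlib_t
"""
FILE_TYPES = {"-d": "dir", "--": "file", "-l": "symlink"}

# user:role:type plus the optional 4th element (MLS/MCS level) Fedora added.
Context = NamedTuple("Context", [("user", str), ("role", str), ("type", str),
                                 ("level", Optional[str])])

def parse_context(text: str) -> Context:
    """Split 'unconfined_u:object_r:user_home_t:s0' into its fields."""
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {text!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

def parse_specs(text: str) -> List[tuple]:
    """Compile each file_contexts line; the regex must match the whole path."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:                       # regex, file type, context
            specs.append((re.compile(f"^{fields[0]}$"), FILE_TYPES[fields[1]], fields[2]))
        elif len(fields) == 2:                     # regex, context (any type)
            specs.append((re.compile(f"^{fields[0]}$"), None, fields[1]))
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
    return specs

def match_path(specs: List[tuple], path: str, ftype: str = "file") -> Optional[Context]:
    """Default context for path: entries are tried from the last one backwards,
    so the last matching entry wins (assumed setfiles/matchpathcon order)."""
    for regex, want_type, ctx in reversed(specs):
        if (want_type is None or want_type == ftype) and regex.match(path):
            return parse_context(ctx)
    return None

SPECS = parse_specs(FILE_CONTEXTS_HOMEDIRS)
```

A directory named like the Flash plugin falls through to user_home_t because the texrel_shlib_t entry is restricted to regular files by its -- field.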

  17. SELinux Usage
  • Enable / Disable SELinux
    • selinuxenabled
  • Set enforcement policy permissive / disabled
    • setenforce / getenforce
  • Set Policy type
    • Targeted (only monitor specific services and files)
    • Strict (monitor everything)
    • Defined in /etc/selinux/config
    • If targeted, select policies for each service

  18. SELinux Commands
  • Global Commands
    • selinuxenabled
    • getenforce
    • setenforce
    • sestatus
    • fixfiles
  • SELinux Files
    • /etc/selinux/config
    • /selinux/booleans

  19. SELinux Commands
  • Security Context Control (file contexts)
    • checkpolicy
    • load_policy
    • setfiles
    • restorecon
    • chcon
  • Targeted policy overrides
    • getsebool
    • setsebool
    • togglesebool

  20. SELinux Commands
  • Policy Control
    • checkpolicy (check and create a new policy)
    • load_policy
    • setfiles
    • restorecon
    • chcon
    • semanage

  21. SELinux Commands
  • Process related context information (in man)
    • ftpd_selinux
    • named_selinux
    • rsync_selinux
    • httpd_selinux
    • nfs_selinux
    • samba_selinux
    • kerberos_selinux
    • nis_selinux
    • ypbind_selinux

  22. Setting Security Level – Fedora 14 / CentOS

  23. SELinux tool – F14/CentOS

  24. SELinux Troubleshooter (old)

  25. SELinux Alert Tool – F14/CentOS

  26. SELinux Alert Tool – Details

  27. SELinux Alert Tool – Fix

  28. SELinux Policy Gen Tool

  29. MAC in Ubuntu
  • SELinux is available, but not installed by default
  • Default approach uses AppArmor
    • Focus is not at system level (as in SELinux), but at the application level.
    • Theory is that most of the security issues arise at the application level.
    • It is easier to protect (and constrain) an application with AppArmor, as long as you don’t have a lot of applications to protect.

  30. SELinux Status
  • SELinux is still very complex.
  • There are many commands and tools available to manage file and process contexts, and the overall system policy.
  • Default policies and contexts provide a significant level of protection, but adjusting the default policy for individual requirements is still a challenge
  • SELinux troubleshooter offers some help in addressing SELinux issues.


  32. Summary
  • SELinux provides a new layer of protection for Linux.
  • Provides fine grained mandatory access controls that work in addition to existing discretionary access controls (mode bits)
  • Policy file configuration complex (and not yet well documented)
  • Default policy file provides secure operating environment
    • If anything, it is likely to be more restrictive than a user might wish.
