CMSC 691X Project 2—Summer 02 • Implementation of Security-Enhanced Linux • Yue Cui, Xiang Sha, Li Song
Presentation Outline • Overview • Security-Enhanced Linux Concept • Installation • Customizing the Policy
Overview • What we did in this project • Research work on a Linux-based research operating system called Security-Enhanced Linux (SELinux) • Implementation of Security-Enhanced Linux • Frequently used keywords • SELinux, Type Enforcement (TE), Role-based Access Control (RBAC), Policy, etc.
Presentation Outline • Overview • Security-Enhanced Linux Concept • SELinux vs. traditional Linux • Security model in SELinux • Benefit of SELinux’s new features • Installation • Customizing the Policy
Security-Enhanced Linux Concept • Security-Enhanced Linux (SELinux) • is a research project by NSA • is an implementation of a flexible and fine-grained mandatory access control (MAC) architecture called Flask in the Linux kernel • provides general support for the enforcement of many kinds of MAC policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security
SELinux vs. traditional Linux • SELinux enforces MAC policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs • The ability of these user programs and system daemons to cause harm when compromised (via a buffer overflow, for example) is reduced or eliminated
SELinux vs. traditional Linux (cont.) • The confinement mechanism operates independently of the traditional Linux access control mechanisms • It has no concept of a “root” super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries)
SELinux vs. traditional Linux (cont.) • The security of an unmodified Linux • Depends on the correctness of the kernel, all the privileged applications, and each of their configurations • A problem in any one of these areas may allow the compromise of the entire system • The security of SELinux • Depends on the correctness of the kernel and its security policy configuration • While problems may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole
Security Model in SELinux • Type Enforcement (TE) model • Provides fine-grained control over processes and objects in the system • Role-Based Access Control (RBAC) model • Provides a higher level of abstraction to simplify user management
TE model • Traditional TE model • Binds a security attribute called a domain to each process and a type to each object • Treats all processes in the same domain identically and all objects that have the same type identically • A pair of access matrices specifies how domains can access types and how domains can interact with other domains • Each user is authorized to operate in certain domains
TE model • SELinux TE model • Uses a single type attribute in the security context for both processes and objects • Uses the security class information provided by the Flask architecture • Does not directly associate users with domains; uses RBAC model to provide an additional layer of abstraction between users and domains
RBAC model • Traditional RBAC model • authorizes users to act in certain roles and assigns a set of permissions to each role • SELinux RBAC model • authorizes each user for a set of roles, each role for a set of TE domains • maintains a role attribute in the security context of each process
Benefit of SELinux’s new features • The SELinux’s new features are designed to • Enforce the separation of information based on confidentiality and integrity requirements • Prevent processes from reading data and programs, tampering with data and programs, executing untrustworthy programs, or interfering with other processes in violation of the system security policy
Installation • Where to get the copy? • Free download from http://www.nsa.gov/selinux/ • Components of SELinux Distribution • Patches to the Linux kernel (based on kernel 2.4.18) • Patches to a number of standard tools and utilities, support files, and documentation
Installation • Requires an existing Red Hat Linux system • Red Hat 7.2 or later is recommended • SELinux does not provide a modified xdm/gdm/kdm to set the security context for the user session, so a graphical login cannot be used • Environment we used: Red Hat 7.3
Installation • Download the installation package (lsm-2.4-selinux-2002053110.tgz) • Unpack it; it contains two directories, lsm2.4 and selinux • The quick installation steps are as follows
Installation • Edit policy/users for your users • Be sure to authorize at least one user for the system administrator role (sysadm_r) • Edit the default_context and cron_context files in utils/appconfig for your users • A security context has the syntax user:role:domain (for processes) or user:role:type (for objects) • e.g. root:sysadm_r:sysadm_t or root:user_r:user_t
Installation • Edit policy/file_contexts/{types.fc,program/*.fc} for your site • Check the pathnames against your file system layout • Ensure that your current configuration is not set up to run an X Display Manager (xdm, gdm, kdm) • The default runlevel specified in /etc/inittab should be runlevel 3 (full multiuser mode)
Installation • Perform the quick install • make quickinstall • When the kernel configuration menu is displayed, configure the kernel for your hardware as appropriate • Configure your boot manager to boot the SELinux kernel • e.g. if you use the LILO boot manager, configure /etc/lilo.conf, and run /sbin/lilo
Installation • Boot the SELinux kernel and log in in the sysadm_r role and sysadm_t domain (e.g. as “root”) • Run setfiles again to ensure that files created by the old kernel during the shutdown are properly labeled • cd policy • make relabel • Add /usr/local/selinux/bin and /usr/local/selinux/sbin to your PATH for the modified utilities
Installation • After installation, run the following commands to check that it is installed correctly • ps -e --context • The CONTEXT column (the third column) shows the security context of each process • It has the syntax user:role:domain • ls --context / • The fourth column shows the security context of each file or directory in /, with the syntax user:role:type
Installation • ps -e --context
  PID  SID  CONTEXT                          COMMAND
    1    7  system_u:system_r:init_t         init [3]
    2    7  system_u:system_r:init_t         [keventd]
  ...
  855  245  system_u:system_r:local_login_t  login --root
  856  244  system_u:system_r:getty_t        /sbin/mingetty tty2
  857  244  system_u:system_r:getty_t        /sbin/mingetty tty3
  858  244  system_u:system_r:getty_t        /sbin/mingetty tty4
  859  244  system_u:system_r:getty_t        /sbin/mingetty tty5
  860  244  system_u:system_r:getty_t        /sbin/mingetty tty6
  863  246  root:sysadm_r:sysadm_t           -bash
  910  246  root:sysadm_r:sysadm_t           ps -e --context
Installation • ls --context /
  drwxr-xr-x  root  root  system_u:object_r:bin_t          bin
  drwxr-xr-x  root  root  system_u:object_r:boot_t         boot
  drwxr-xr-x  root  root  system_u:object_r:device_t       dev
  drwxr-xr-x  root  root  system_u:object_r:etc_t          etc
  drwxr-xr-x  root  root  system_u:object_r:user_home_t    home
  drwxr-xr-x  root  root  system_u:object_r:file_t         initrd
  drwxr-xr-x  root  root  system_u:object_r:lib_t          lib
  drwxr-xr-x  root  root  system_u:object_r:lost_found_t   lost+found
  drwxr-xr-x  root  root  system_u:object_r:file_t         misc
  drwxr-xr-x  root  root  system_u:object_r:file_t         mnt
  drwxr-xr-x  root  root  system_u:object_r:file_t         opt
  dr-xr-xr-x  root  root  system_u:object_r:proc_t         proc
  drwxr-x---  root  root  system_u:object_r:sysadm_home_t  root
  drwxr-xr-x  root  root  system_u:object_r:sbin_t         sbin
  drwxrwxrwx  root  root  system_u:object_r:tmp_t          tmp
  drwxr-xr-x  root  root  system_u:object_r:usr_t          usr
  drwxr-xr-x  root  root  system_u:object_r:var_t          var
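The two post-install checks above can be scripted instead of eyeballed. The functions below are an added example, not part of the slides or of the SELinux distribution: they parse the output of `ps -e --context` and `ls --context` in the column layout shown on the slides (context in column 3 for ps, column 4 for the old ls), flag any process whose context is not a well-formed user:role:type triple, and list entries still carrying file_t (the type the listing shows on directories with no specific file_contexts entry). The sample outputs embedded in the script are constructed from the slides, with one deliberately malformed ps row added to show a failing check.

```shell
#!/bin/sh
# Added example, not from the slides: sanity checks on the output of
# `ps -e --context` and `ls --context` after booting the SELinux kernel.
# Column positions follow the 2002-era tools shown on the slides:
#   ps:  PID SID CONTEXT COMMAND...       (context is column 3)
#   ls:  perms owner group CONTEXT name   (context is column 4)
# On a real system:  ps -e --context | check_ps ;  ls --context / | check_ls

# Constructed sample inputs: rows copied from the slides plus one
# deliberately malformed ps row (pid 999) so a failed check is visible.
PS_SAMPLE='PID SID CONTEXT COMMAND
1 7 system_u:system_r:init_t init [3]
855 245 system_u:system_r:local_login_t login --root
856 244 system_u:system_r:getty_t /sbin/mingetty tty2
863 246 root:sysadm_r:sysadm_t -bash
999 300 system_r:system_r:init_t bogus'

LS_SAMPLE='drwxr-xr-x root root system_u:object_r:etc_t etc
drwxr-xr-x root root system_u:object_r:file_t initrd
drwxr-xr-x root root system_u:object_r:file_t mnt
drwxrwxrwx root root system_u:object_r:tmp_t tmp'

# check_ps: read ps output on stdin; print "PID CONTEXT REASON" for every
# process whose context is not a well-formed user:role:type triple
# (role must end in _r, type in _t, user in neither).  Silent when healthy.
check_ps() {
    awk 'NR == 1 && $1 == "PID" { next }
         {
           n = split($3, f, ":")
           if (n != 3)          { print $1, $3, "not-a-triple"; next }
           if (f[1] ~ /_[rt]$/) { print $1, $3, "bad-user";     next }
           if (f[2] !~ /_r$/)   { print $1, $3, "bad-role";     next }
           if (f[3] !~ /_t$/)   { print $1, $3, "bad-type";     next }
         }'
}

# check_ls: read ls --context output on stdin; print the names of entries
# whose type is $1 (default file_t).  Many hits right after the first boot
# of the new kernel mean "make relabel" has not been run yet.
check_ls() {
    awk -v want="${1:-file_t}" '{ split($4, f, ":"); if (f[3] == want) print $5 }'
}

# expect_type NAME TYPE: exit 0 if entry NAME in ls --context output carries
# TYPE, 1 otherwise.  Usage: ls --context / | expect_type etc etc_t
expect_type() {
    awk -v name="$1" -v want="$2" '
        $5 == name { split($4, f, ":"); ok = (f[3] == want) }
        END { exit ok ? 0 : 1 }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$PS_SAMPLE" | check_ps
printf '%s\n' "$LS_SAMPLE" | check_ls
printf '%s\n' "$LS_SAMPLE" | expect_type etc etc_t && echo "/etc labelled etc_t: ok"
```

On the sample input the first command reports only the bogus row (`999 system_r:system_r:init_t bad-user`) and the second lists `initrd` and `mnt`; on a freshly relabelled system the file_t list should be short and stable between runs.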
Customizing the policy • What we can do • Adding users • Adding permissions • Adding programs to an existing domain • Creating a new domain • Creating a new type • Creating a new role
Customizing the policy • Adding users • To add a user steve who should be authorized for both the user_r and sysadm_r roles • Add an entry to the policy/users file: user steve roles { user_r sysadm_r }; • Run make load to reload the policy
Customizing the policy • Adding programs to an existing domain • Locate an appropriate domain by • examining the existing program domains under policy/domains/program • examining how existing programs are associated with the executable types for those domains in policy/file_contexts/program • Add a file_contexts entry that gives the program that domain’s executable type • Relabel the program: # make relabel
Customizing the policy • Creating a new role • Create a new domain to be used as the initial login domain for the role • Add the role declaration in policy/rbac • Reload the policy: # make load • Add an entry for the role in /etc/security/default_type
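The TE and RBAC slides describe three layers of decision (an access matrix over types, roles gating which domains a process may run in, users gating which roles they may take), and the customization slides change those layers by editing policy files and running make load. The following toy evaluator is an added example, not SELinux or NSA code: it parses a constructed policy whose syntax imitates the user/role/allow/type_transition declarations of the 2002 policy language, then answers the questions a practitioner asks of a policy (may this context read that file, what domain does this execve land in, is this user:role:type legal at all). The policy text and every user, role and type name in it (steve, passwd_exec_t, admin_r, ...) are assumptions for the demonstration.

```python
"""Added example (not SELinux or NSA code): a toy evaluator for the TE + RBAC
model described in the slides.  A constructed policy, in a syntax imitating
the 2002 policy language, is parsed into the access matrix (allow rules over
types), the role->domains map and the user->roles map; the functions below
then make the decisions the slides describe.  All names are assumptions."""
import re
from dataclasses import dataclass, field

POLICY_TEXT = """
# policy/users style declarations (user steve is the slides' example)
user system_u roles { system_r };
user root roles { user_r sysadm_r };
user steve roles { user_r sysadm_r };
# policy/rbac style: which domains each role may run in
role system_r types { init_t };
role user_r types { user_t passwd_t };
role sysadm_r types { sysadm_t passwd_t };
# TE access matrix: allow SOURCE_TYPE TARGET_TYPE : CLASS { PERMS };
allow user_t user_home_t : file { read write };
allow user_t etc_t : file { read };
allow sysadm_t etc_t : file { read write };
allow user_t passwd_exec_t : file { execute };
allow user_t passwd_t : process { transition };
allow passwd_t etc_t : file { read write };
# domain transition on execve of a passwd_exec_t file from user_t
type_transition user_t passwd_exec_t : process passwd_t;
"""


@dataclass
class Policy:
    users: dict = field(default_factory=dict)        # user -> set of roles
    roles: dict = field(default_factory=dict)        # role -> set of domains
    allows: set = field(default_factory=set)         # (src_type, tgt_type, class, perm)
    transitions: dict = field(default_factory=dict)  # (src_type, tgt_type, class) -> new_type


_SET = r"\{\s*([^}]*)\}"


def parse_policy(text, policy=None):
    """Parse declarations into `policy` (a fresh one if None); loading extra
    lines into an existing policy plays the role of `make load` after an edit."""
    p = policy if policy is not None else Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        if m := re.fullmatch(r"user (\S+) roles " + _SET, line):
            p.users.setdefault(m[1], set()).update(m[2].split())
        elif m := re.fullmatch(r"role (\S+) types " + _SET, line):
            p.roles.setdefault(m[1], set()).update(m[2].split())
        elif m := re.fullmatch(r"allow (\S+) (\S+) : (\S+) " + _SET, line):
            p.allows.update((m[1], m[2], m[3], perm) for perm in m[4].split())
        elif m := re.fullmatch(r"type_transition (\S+) (\S+) : (\S+) (\S+)", line):
            p.transitions[(m[1], m[2], m[3])] = m[4]
        else:
            raise ValueError(f"unparsed policy line: {raw!r}")
    return p


def valid_context(p, ctx):
    """user:role:type is legal only if the user is authorized for the role and
    the role for the domain.  object_r is the pseudo-role of objects (files
    etc.), which may carry any type."""
    parts = ctx.split(":")
    if len(parts) != 3 or parts[0] not in p.users:
        return False
    user, role, typ = parts
    if role == "object_r":
        return True
    return role in p.users[user] and typ in p.roles.get(role, set())


def allowed(p, scontext, tcontext, cls, perm):
    """TE check: the decision is looked up on the type fields alone, once both
    contexts have passed the user/role checks."""
    if not (valid_context(p, scontext) and valid_context(p, tcontext)):
        return False
    stype, ttype = scontext.split(":")[2], tcontext.split(":")[2]
    return (stype, ttype, cls, perm) in p.allows


def exec_transition(p, scontext, exec_type):
    """Domain transition on execve: a type_transition rule names the new domain,
    TE must allow execute on the file and transition into that domain, and the
    caller's role must be authorized for it (the RBAC layer between users and
    domains).  Returns the new context, or None if no transition applies."""
    user, role, stype = scontext.split(":")
    new = p.transitions.get((stype, exec_type, "process"))
    if (new is None or (stype, exec_type, "file", "execute") not in p.allows
            or (stype, new, "process", "transition") not in p.allows):
        return None
    new_ctx = f"{user}:{role}:{new}"
    return new_ctx if valid_context(p, new_ctx) else None


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print(allowed(policy, "steve:user_r:user_t", "system_u:object_r:etc_t", "file", "write"))      # False
    print(allowed(policy, "steve:sysadm_r:sysadm_t", "system_u:object_r:etc_t", "file", "write"))  # True
    print(exec_transition(policy, "steve:user_r:user_t", "passwd_exec_t"))  # steve:user_r:passwd_t
    # the slides' "adding users" and "creating a new role" steps, then `make load`
    parse_policy("role admin_r types { sysadm_t };\nuser alice roles { user_r admin_r };", policy)
    print(valid_context(policy, "alice:admin_r:sysadm_t"))  # True
```

The point the slides make about confinement shows up directly: steve in user_t cannot write etc_t even though steve is authorized for sysadm_r, because the decision is made on the domain the process is in, not on the user; and the passwd transition only lands in passwd_t because the rules, the file's exec type and the role's domain set all agree.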
References • SELinux installation help • Stephen Smalley, “Configuring the SELinux Policy”, 2002 • Stephen Smalley and Timothy Fraser, “A Security Policy Configuration for the Security-Enhanced Linux”, 2001 • http://www.nsa.gov/selinux
Questions? Thank you!