Presentation is loading. Please wait.

Presentation is loading. Please wait.

MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses.

Published byAnne Kimberly Gibson Modified over 7 years ago

Similar presentations

Presentation on theme: "MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses."— Presentation transcript:

1 MLS/MCS on SE Linux Russell Coker

2 What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses features of role-based and domain-type access control Removes the power of UID 0, I have run several machines with root as the guest account Offers restrictive controls only – can not grant any access that is denied by Unix permissions

3 What is wrong with Unix security? Programs have full control over the access given to files they create (DAC) Therefore no protection against malicious software, “social engineering”, and bugs in privileged software which may result in the software granting inappropriate access to files (EG creating a mode 777 file in /tmp) Too coarse grained - root vs non-root gives boolean security model for many cases Security model does not allow tracking of identity across change of UID Does not separate integrity and secrecy controls

4 Domain Type access control Every process has a domain, every object (file, directory, socket, etc) has a type. The domains are a sub-set of the types (IE types that can apply to processes). A domain is the type for a process, SE Linux does not strongly distinguish between domains and types. The domain of a process will be used as a target context for operations such as sending signals Each object that a process may act on has a type Policy rules determine what access every domain has to each type

5 Role Based Access Control Each role has a list of domains that may exist in it At login time the security context is changed (identity, role, and domain), also the newrole program may be used to change roles (comparable to an su operation) A role doesn’t often change, unlike the domain which may change often automatically without the user noticing The role determines which domains are permitted Roles may also be changed through role_transition rules in some situations, this is currently only used for the administrator to launch daemons

6 Identities The Identity is usually the Unix account name and is compiled into the policy database Identity controls the available roles which controls the available domains – but this level of control is not used in the Targetted policy

7

8 Policy Written at a high level with M4 macros In future it will be written in XML Compiled into a binary form that is understood by the kernel Loaded by /sbin/init at the start of the boot process before any other programs are executed A modified policy can be loaded at any time by the administrator

9 Multi Level Security SE Linux also includes support for Multi-Level Security (MLS) Implemented in a flexible manner which is under the control of policy Expected that the DT model protects the system integrity while MLS protects data secrecy MLS support includes levels (equivalent to Top Secret, Secret, Classified, and Unclassified), there may be an arbitrary number of levels which are numbered Also includes categories which may be used for departments, projects, etc. Categories are also numbered and there may be an arbitrary number of them. Support for preventing “read-up” and “write-down”

10 MLS data flows Squares are files, ellipses are processes

11 LSPP Certification Working with IBM and HP to get Common Criteria LSPP (Labeled Security Protection Profile) and RBAC (Role Based Access Control) certification for RHEL 5 at EAL 4+ level of assurance Roughly comparable to B1 in the old “Rainbow Book” Trusted Computer Systems evaluation Certification applies to hardware platform. Some customers will use RHEL on other hardware trusting that it is equivalent, but the certifications will strictly only be applied to HP and IBM hardware. Requires MLS support in the print server (labeled print jobs and controls to prevent an insecure printer from receiving classified data) Requires significantly greater auditing support (some of which is being put into RHEL4)

12 Auditing RHEL4U2 includes auditd, the daemon for storing audit data. In RHEL4 the kernel can be instructed to audit file/directory access based on the PID of the process, the name of the file/directory, and some other criteria. For RHEL5 we will have auditing functionality in every security critical application (for LSPP). A system process that runs a program on behalf of a user (mail server delivering email or login program) will set the loginuid so that all actions can be audited to the user responsible. SE Linux audit messages go to the auditd in RHEL4 (if it is installed) and in RHEL5

13 Multi Category Security (MCS) Policy developed by James Morris of Red Hat using a sub-set of the MLS features MLS is too complex for most users and administrators. Most systems do not have the secrecy requirements to justify the work. Only has a single level so levels play no part in determining access Categories used to determine access, login programs will assign an appropriate set of categories to the user Only applies to file access at this time For each file the MCS policy will permit full read/write access to every process that has a set of capabilities that is a super-set of it’s capabilities. This allows information leaks, but is required by the expectations of most Unix administrators and users. MCS does not implement the Bell la Padula model (MLS), it is not a sub-set of the MLS functionality, it is a different policy that uses the same kernel and policy features that MLS uses

14 Q/A http://www.nsa.gov/selinux/http://www.nsa.gov/selinux/Main NSA SE Linux site http://www.coker.com.au/selinux/http://www.coker.com.au/selinux/My SE Linux web pages Russell Coker

Download ppt "MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses."

Similar presentations

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.
Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Chapter 3 Multics. Chapter Overview Multics contribution to technology Multics History Multics System – Fundamentals – Security Fundamentals – Protection.

Chapter 3 Multics. Chapter Overview Multics contribution to technology Multics History Multics System – Fundamentals – Security Fundamentals – Protection.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Security at the VMM Layer Theodore Winograd OWASP June 14, 2007.

Security at the VMM Layer Theodore Winograd OWASP June 14, 2007.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 24 NTFS Permissions and Sharing Printers 1.

Fall 2011 Nassau Community College ITE153 – Operating Systems Session 24 NTFS Permissions and Sharing Printers 1.
User Domain Policies.

User Domain Policies.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
SELinux. 2SELinux Wikipedia says: Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM)

SELinux. 2SELinux Wikipedia says: Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM)
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
The University of Akron Summit College Business Technology Dept.

The University of Akron Summit College Business Technology Dept.

Similar presentations

Ads by Google