SELinux Overview
SELinux for Dummies
Dan Walsh, dwalsh@redhat.com
SELinux Lead Engineer, Red Hat
What is SELinux?
- Mandatory Access Control (MAC); current systems use DAC (Discretionary Access Control)
- Ability to confine applications based on least privilege
- Define rules about how an application is supposed to run
- Enforcement by the kernel
- MAC history: defined in the 1970s by Bell and LaPadula; Role-Based Access Control; Type Enforcement
What is SELinux? Type Enforcement
- Define policy on what an application is supposed to do; enforce it with the kernel
- Least privilege
- Access based on subjects and objects
- Every process, file, directory and device is labeled with a security context
- Process labels: domains
- File labels: file context
Developed by the NSA
- NSA's OS security research
- Cleanly separates policy from enforcement using well-defined policy interfaces
- Fine-grained controls over kernel services
- Transparent to applications and users
- Removes the power of root: several machines running with root as the guest account
Where should you run SELinux?
[Network diagram: Internet, DMZ, corporate network and intranet, all hosted on Red Hat Enterprise Linux ES/AS/WS: firewall, VPN, DNS, Web, FTP, NFS, NIS, database, CRM, ERP and an app server farm.]
SELinux History at Red Hat
- Introduced with Fedora Core 2; an excellent example of open source principles
- First policy, "Strict", not very supportable; not ready for prime time
- Redesigned for Fedora Core 3: Targeted Policy
  - Target the domains we want to confine
  - Allow other domains to run "unconfined"
SELinux History at Red Hat
- Red Hat Enterprise Linux 4: first mainline operating system with Type Enforcement
  - 15 targets confined (apache, bind, syslog, dhcpd, ...)
- Fedora Core 4, 5, 6
  - Redesigned SELinux policy to support modules
  - Expanded the number of targets; locked down all of system space
  - Improved usability: GUI, audit2allow policy generation
SELinux History at Red Hat
- Red Hat Enterprise Linux 5
  - Over 200 domains locked down
  - MLS policy: EAL4+, LSPP, RBAC
  - Easy policy generation
  - Labeled networking support: CIPSO, IPsec
SELinux History at Red Hat
- Fedora 7, 8: begin confining the user
  - Introduction of guest and xguest
  - Combined targeted/strict policy
  - Policy generation tools
SELinux History at Red Hat
- Fedora 9
  - Introduction of X Windows controls
  - Permissive domains
  - Confinement of users: guest_t, xguest_t, user_t, staff_t, unconfined_t
Easier Troubleshooting
What the H**L is going on????
tail /var/log/audit/audit.log
type=AVC msg=audit(1176392795.244:2036): avc: denied { getattr } for pid=6705 comm="httpd" name="index.html" dev=dm-0 ino=3180003 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Read it as: the process (scontext) in domain httpd_t was denied getattr on a file (tclass) labeled user_home_t (tcontext): the web server is touching content that still carries a home-directory label.
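The denial record above is a fixed set of key=value fields, which makes it easy to parse. The following is an added example, not code from the original slides: it parses an AVC record into its source context, target context, object class and permissions, drafts the allow rule audit2allow would print for it, and applies one heuristic (an assumption of this example, not an SELinux rule) that a daemon denied access to a `*_home_t` file is usually a labeling problem to be fixed with restorecon rather than with a new allow rule. The sample line is the slide's own denial, embedded as constructed input.

```python
"""Parse SELinux AVC denial records (as found in /var/log/audit/audit.log) and
draft the audit2allow-style rule they would translate to.

Added example, not code from the original slides."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the denial shown on the slide. httpd_t is trying to stat
# index.html, which still carries the label user_home_t (a file copied out of a
# home directory), so the targeted policy has no matching allow rule.
SAMPLE_AVC = (
    'type=AVC msg=audit(1176392795.244:2036): avc: denied { getattr } for pid=6705 '
    'comm="httpd" name="index.html" dev=dm-0 ino=3180003 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'
)


@dataclass(frozen=True)
class Context:
    """A security context: user:role:type[:level]."""
    user: str
    role: str
    type: str
    level: str = ""

    @classmethod
    def parse(cls, text: str) -> "Context":
        # maxsplit=3 keeps MLS ranges such as s0-s15:c0.c1023 intact in `level`.
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass(frozen=True)
class AvcDenial:
    permissions: frozenset
    pid: Optional[int]
    comm: str
    name: str
    scontext: Context
    tcontext: Context
    tclass: str


_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the structured denial, or None if the line is not an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        permissions=frozenset(m.group("perms").split()),
        pid=int(fields["pid"]) if "pid" in fields else None,
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        scontext=Context.parse(fields["scontext"]),
        tcontext=Context.parse(fields["tcontext"]),
        tclass=fields["tclass"],
    )


def allow_rule(d: AvcDenial) -> str:
    """The allow rule audit2allow would generate: source type, target type, class, permissions."""
    perms = sorted(d.permissions)
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d.scontext.type} {d.tcontext.type}:{d.tclass} {perm_text};"


def diagnose(d: AvcDenial) -> str:
    """Heuristic (an assumption of this example, not an SELinux rule): a daemon denied
    access to a file carrying a home-directory type almost always means the file is
    mislabelled, and the fix is to relabel it rather than to loosen the daemon's policy."""
    if d.tclass in ("file", "dir", "lnk_file") and d.tcontext.type.endswith("_home_t"):
        return (f"{d.name!r} is labelled {d.tcontext.type}; relabel it (restorecon -v) "
                f"rather than adding: {allow_rule(d)}")
    return f"no policy covers this access; candidate rule: {allow_rule(d)}"


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print(denial)
    print(diagnose(denial))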
Easier Management
Easier Policy Generation
How does SELinux enforce policy?
- Every process and file is tagged with a security context
- Files are tagged via extended attributes
- New files get their context assigned via policy
  - New files get their containing directory's security context
  - Policy can override: files created in /var/log by named_t get named_log_t
- Certain applications, such as login, are allowed by policy to set the context of the next executed program
- The kernel assigns contexts to processes via policy
SELinux Key Components: Kernel
- Patch implementing security hooks
- Uses the Linux Security Module (LSM) framework for security enhancements to Linux
SELinux Key Components: Applications
- Most user applications and server applications are unchanged
- SELinux-aware applications
  - Applications used to view or manipulate security contexts
  - Programs required to set the user session security context
  - Examples: login/sshd, ls, cp, ps, setfilecon, logrotate, cron ...
- Covered in Section 2
SELinux Key Components: Policy
- Targeted policy
  - By default processes run in unconfined_t
  - Unconfined processes have the same access they would have without SELinux running
  - Daemons with defined policy transition to locked-down domains
  - httpd started from initrc_t transitions to httpd_t, which has limited access
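The enforcement mechanics described in the "How does SELinux enforce policy?" and "Policy" slides (labeled subjects and objects, allow rules, new files inheriting the parent directory's type unless a type_transition overrides it, and init's domain moving into httpd_t on exec) can be modeled in a few dozen lines. The following is an added example, not code from the original slides or from the real policy: a toy type-enforcement evaluator with a hand-written mini policy. The types httpd_exec_t, httpd_sys_content_t and var_log_t are real targeted-policy type names that the slides do not mention; the rule set itself is constructed for the example, and the model deliberately skips the execute/transition/entrypoint checks the kernel performs on a real domain transition.

```python
"""Toy model of SELinux type enforcement: labelled subjects and objects, allow
rules, and the type transitions that label new files and new processes.

Added example, not code from the original slides; the mini policy below is a
few hand-written rules, not the real targeted policy."""
from dataclasses import dataclass, field
from typing import List, FrozenSet


@dataclass(frozen=True)
class AllowRule:
    source: str      # domain (process type)
    target: str      # object type
    tclass: str      # object class: file, dir, process, ...
    perms: FrozenSet[str]


@dataclass(frozen=True)
class TypeTransition:
    source: str      # creating / executing domain
    target: str      # parent directory type, or the executable's type
    tclass: str      # "file"/"dir" for new objects, "process" for domain transitions
    new_type: str


@dataclass
class Policy:
    allows: List[AllowRule] = field(default_factory=list)
    transitions: List[TypeTransition] = field(default_factory=list)

    def check(self, domain: str, target_type: str, tclass: str, perm: str) -> bool:
        """Access decision: denied unless some allow rule grants the permission.
        (Real policy grants unconfined_t its access through ordinary allow rules;
        here unconfined_t is short-circuited to keep the mini policy small.)"""
        if domain == "unconfined_t":
            return True
        return any(
            r.source == domain and r.target == target_type
            and r.tclass == tclass and perm in r.perms
            for r in self.allows
        )

    def label_new_object(self, domain: str, parent_dir_type: str, tclass: str = "file") -> str:
        """A new file or directory inherits its parent directory's type unless a
        type_transition rule for (creating domain, parent type, class) overrides it."""
        for t in self.transitions:
            if t.source == domain and t.target == parent_dir_type and t.tclass == tclass:
                return t.new_type
        return parent_dir_type

    def exec_domain(self, domain: str, exe_type: str) -> str:
        """Domain the process runs in after exec: a type_transition on class process
        moves it into a new domain, otherwise it stays in the caller's domain.
        (The real kernel also requires execute, transition and entrypoint
        permissions; those checks are omitted here.)"""
        for t in self.transitions:
            if t.source == domain and t.target == exe_type and t.tclass == "process":
                return t.new_type
        return domain


# Constructed mini policy mirroring the slides. httpd_exec_t, httpd_sys_content_t
# and var_log_t are real targeted-policy types not named on the slides.
POLICY = Policy(
    allows=[
        AllowRule("initrc_t", "httpd_exec_t", "file", frozenset({"execute"})),
        AllowRule("httpd_t", "httpd_sys_content_t", "file", frozenset({"getattr", "open", "read"})),
        AllowRule("named_t", "var_log_t", "dir", frozenset({"search", "write", "add_name"})),
        AllowRule("named_t", "named_log_t", "file", frozenset({"create", "getattr", "append"})),
    ],
    transitions=[
        TypeTransition("initrc_t", "httpd_exec_t", "process", "httpd_t"),   # init starts httpd
        TypeTransition("named_t", "var_log_t", "file", "named_log_t"),      # named writes a log
    ],
)


if __name__ == "__main__":
    # init script (initrc_t) execs the httpd binary -> the process lands in httpd_t
    d = POLICY.exec_domain("initrc_t", "httpd_exec_t")
    print("httpd runs as", d)
    # the troubleshooting slide's denial: httpd_t may not getattr a user_home_t file
    print("httpd_t getattr user_home_t file ->", POLICY.check(d, "user_home_t", "file", "getattr"))
    print("named_t creates in /var/log ->", POLICY.label_new_object("named_t", "var_log_t"))
```

Running it shows the three behaviours the slides describe: the exec from initrc_t lands in httpd_t, that domain is denied the getattr on a user_home_t file, and a file named_t creates under /var/log comes out as named_log_t rather than inheriting var_log_t.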
SELinux Key Components
Open Source in Action
Ultra Trusted Standards
- Controlled Access Protection Profile: EAL4/CAPP
- Labeled Security Protection Profile: EAL4+/LSPP
- Multi Level Security (MLS)
- SELinux is the only mainstream OS in the world with MLS and Type Enforcement
- SELinux is used all over the Department of Defense, including war zones
- Unlike all other trusted OSes, it is not a separate product: SELinux == Red Hat Enterprise Linux