SELinux US/Fedora/13/html/Security-Enhanced_Linux/


cs490ns - cotter

Slide 2: Outline
What is the problem?
What is SELinux?
What is it trying to do?
How does it work?

Slide 3: The Problem
Virus / security attacks – up
System complexity – up
Network connectivity – up
Code sophistication – up
  – More active content
  – More mobile code

Slide 4: The Problem
Patch cycle
  – Attackers find a vulnerability and develop an exploit
  – Users / testers discover an exploit and develop a patch to negate the exploit
  – Protecting the systems in the period between when the exploit is developed and when the patch is distributed is called the 0-Day problem

Slide 5: The Issue
The Problem:
  – How do you defend against an exploit that hasn’t been developed?
A Possible Solution:
  – Control access to resources to limit exposure – and thus the chances for an exploit
  – Also manage access controls such that, if an exploit is successful, there is a strict limit on the resources available to the exploit

Slide 6: Access Control
Linux (and most other OSs) implements discretionary access control over resources
  – Users have the discretion to allow or deny access to resources that they control
If a process is compromised, it operates with the access controls given to that process (those of the user/owner).
Higher-level security implements access control in the system (mandatory access control).
  – Access to resources is managed by a security policy, not user decisions.

Slide 7: SELinux History
Mandatory access controls (MAC) used in high security systems (military) for years.
NSA began work on embedding MAC into existing operating systems
  – – Mach OS
  – – Distributed Trusted OS
  – – Flux Advanced Security Kernel (FLASK)
  – ? – Security Enhanced Linux

Slide 8: SELinux Terminology
Identity
  – Similar to, but separate from user ID. They are separate items.
  – su command changes user ID, but not identity (??)
Domain
  – A list of what actions a process can perform
  – Examples: sysadm_t, user_t, named_t
Type
  – A list of actions that can be performed on an object (file, directory, etc.). Similar to domain
Role
  – Defines what domains a user is allowed to access
  – Examples: user_r, staff_r

Slide 9: Security Context
A combination of user, role and type
  – Who is the user?
  – What is their role?
  – What can they do?
Example
    ~]$ ls -l ssh.ps
    -rw-r rcotter rcotter Feb 10 14:16 ssh.ps
    ~]$ ls -Z ssh.ps
    -rw-r----- rcotter rcotter user_u:object_r:user_home_t ssh.ps
    ~]$

Slide 10: Security Model
Security Context analysis:
  – Similar to sentence diagramming

    John      Hit             Baseball
    Subject   Verb (action)   Object
    user_u    object_r        user_home_t
    User      Role            Type (domain)

Slide 11: Updates in Fedora
4th element of context – level
  – Multi-level security / multi-category security
  – Allows the identification of multiple levels of security
Original design was to allow multiple levels and multiple categories. In most systems, only multiple categories are supported. Level s0 is used by default.
  – Allow the use of multiple categories.
Text file (/etc/selinux/targeted/setrans.conf) used to provide a human readable form for contexts. Example file:
  – s0:c0=CompanyConfidential
  – s0:c1=PatientRecord
  – s0:c2=unclassified
  – Etc.
  – Designed to secure information in levels (no read up or write down): Bell-LaPadula security model.

Slide 12: Security Context in Fedora10
    Pictures]$ ls -Z
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.png
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_file_label.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_status.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_translation.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_user.jpeg
    Pictures]$

Slide 13: SELinux Security Models
Type Enforcement (TE)
  – Confine processes (subjects) to domains by using security contexts.
Role-based Access Control (RBAC)
  – Recognizes that users often need to move from 1 domain to another. RBAC rules explicitly allow roles to move from one domain to another.
Multi-Level Security
  – Enforce Bell-LaPadula security model.
  – Users allowed to read at one level cannot read at higher levels. Also, users allowed to write at 1 level are not allowed to write at a lower level. (Ensures that secure information does not propagate to lower levels.)
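The context strings from the `ls -Z` slides and the "no read up / no write down" rule can be worked through in code. This is an added example, not part of the original slides: the function names are hypothetical, only single levels (not low-high ranges) are handled, and treating a three-field context as level s0 is an assumption.

```python
import re
from typing import FrozenSet, NamedTuple

class Level(NamedTuple):
    sensitivity: int
    categories: FrozenSet[int]

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Level

def parse_level(text: str) -> Level:
    """Parse a single level such as 's0', 's0:c1' or 's1:c0.c3,c7'."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"unsupported level: {text!r}")  # e.g. a low-high range
    members = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # cN or the range cN.cM
        if not m:
            raise ValueError(f"bad category: {part!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        members.update(range(low, high + 1))
    return Level(int(sens[1:]), frozenset(members))

def parse_context(text: str) -> Context:
    # The level may itself contain ':' (s0:c1), so split at most three times.
    fields = text.split(":", 3)
    if len(fields) < 3:
        raise ValueError(f"not a security context: {text!r}")
    # Assumption: a three-field context (the older ls -Z output) is treated as s0.
    level = parse_level(fields[3]) if len(fields) == 4 else Level(0, frozenset())
    return Context(fields[0], fields[1], fields[2], level)

def dominates(a: Level, b: Level) -> bool:
    """a dominates b: at least as sensitive and holding every category of b."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories

def blp_allows(subject: Context, obj: Context, access: str) -> bool:
    if access == "read":   # no read up
        return dominates(subject.level, obj.level)
    if access == "write":  # no write down
        return dominates(obj.level, subject.level)
    raise ValueError(f"unknown access: {access!r}")
```

Splitting the context on every `:` would break as soon as a category is present, because `s0:c1` is one field.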

Slide 14: TE Security Model
Each process is associated with a domain
  – A “sandbox” to limit or control its interactions
Each domain is associated with a security context
  – A combination of a resource and the actions allowed on that resource (read a file, execute a program, etc.)
Each resource (file, etc.) has a security context.
  – Processes can only act on resources if the security contexts specifically grant access.

Slide 15: SELinux Policy
Security Context determined by system policy file
  – Policy is a compiled file, based on a text file that you define (or a default file that you use). This defines all of the various file and user contexts that you want to be active in your system
  – Compiled policy stored in /etc/selinux/targeted/policy
  – Based on contexts in /etc/selinux/targeted/contexts

Slide 16: file_contexts.homedirs
Default file context for regular user’s home directory
    /home/[^/]* -d user_u:object_r:user_home_dir_t
    /home/[^/]*/.+ user_u:object_r:user_home_t
    /home/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t
    /home/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:texrel_shlib_t
(Also contains default context for root user)
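To see how the four entries above select a default label, and how that exposes a mislabeled file, here is an added example that is not part of the original slides. The function names and the sample listing are constructed, and the matching rule (whole-path match, last matching entry wins) is a simplified model of the lookup, labelled as an assumption.

```python
import re

# The four entries shown on the file_contexts.homedirs slide, in file order:
# (path regex, file-type flag, context). "-d" limits an entry to directories,
# "--" to regular files, None applies it to any file type.
SPECS = [
    (r"/home/[^/]*", "-d", "user_u:object_r:user_home_dir_t"),
    (r"/home/[^/]*/.+", None, "user_u:object_r:user_home_t"),
    (r"/home/[^/]*/((www)|(web)|(public_html))(/.+)?", None,
     "user_u:object_r:httpd_user_content_t"),
    (r"/home/[^/]*/.*/plugins/libflashplayer\.so.*", "--",
     "user_u:object_r:texrel_shlib_t"),
]

def default_context(path, kind):
    """Default context for path, or None. kind: "d" directory, "-" regular file.

    Assumed model: a regex must match the whole path; the last match wins.
    """
    for pattern, flag, context in reversed(SPECS):
        if flag is not None and flag != "-" + kind:
            continue
        if re.fullmatch(pattern, path):
            return context
    return None

def mislabeled(observed):
    """observed: (path, kind, current_context) tuples; compares the type field.

    Returns a list of (path, current_type, expected_type).
    """
    findings = []
    for path, kind, current in observed:
        expected = default_context(path, kind)
        if expected is None:
            continue
        cur_type, exp_type = current.split(":")[2], expected.split(":")[2]
        if cur_type != exp_type:
            findings.append((path, cur_type, exp_type))
    return findings

# Constructed sample, not taken from the slides: a file moved into public_html
# keeps the label it had in its old location.
SAMPLE = [
    ("/home/alice", "d", "unconfined_u:object_r:user_home_dir_t:s0"),
    ("/home/alice/notes.txt", "-", "unconfined_u:object_r:user_home_t:s0"),
    ("/home/alice/public_html/index.html", "-", "unconfined_u:object_r:user_home_t:s0"),
]
```

Running `mislabeled(SAMPLE)` flags only the file under public_html, whose type should be httpd_user_content_t.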

Slide 17: SELinux Usage
Enable / Disable SELinux
  – selinuxenabled
Set enforcement policy permissive / disabled
  – setenforce / getenforce
Set Policy type
  – Targeted (only monitor specific services and files)
  – Strict (monitor everything)
  – Defined in /etc/selinux/config
If targeted, select policies for each service

Slide 18: SELinux Commands
Global Commands
  – selinuxenabled
  – getenforce
  – setenforce
  – sestatus
  – fixfiles
SELinux Files
  – /etc/selinux/config
  – /selinux/booleans

Slide 19: SELinux Commands
Security Context Control (file contexts)
  – checkpolicy
  – load_policy
  – setfiles
  – restorecon
  – chcon
Targeted policy overrides
  – getsebool
  – setsebool
  – togglesebool

Slide 20: SELinux Commands
Policy Control
  – checkpolicy (check and create a new policy)
  – load_policy
  – setfiles
  – restorecon
  – chcon
  – semanage

Slide 21: SELinux Commands
Process related context information (in man)
  – ftpd_selinux
  – named_selinux
  – rsync_selinux
  – httpd_selinux
  – nfs_selinux
  – samba_selinux
  – kerberos_selinux
  – nis_selinux
  – ypbind_selinux

Slide 22: Setting Security Level – Fedora 14 / CentOS

Slide 23: SELinux tool – F14/CentOS

Slide 24: SELinux Troubleshooter (old)

Slide 25: SELinux Alert Tool – F14/CentOS

Slide 26: SELinux Alert Tool – Details

Slide 27: SELinux Alert Tool – Fix

Slide 28: SELinux Policy Gen Tool

Slide 29: MAC in Ubuntu
SELinux is available, but not installed by default
Default approach uses AppArmor
  – Focus is not at system level (as in SELinux), but at the application level.
  – Theory is that most of the security issues arise at the application level.
  – It is easier to protect (and constrain) an application with AppArmor, as long as you don’t have a lot of applications to protect.

Slide 30: SELinux Status
SELinux is still very complex.
  – There are many commands and tools available to manage file and process contexts, and the overall system policy.
  – Default policies and contexts provide a significant level of protection, but adjusting the default policy for individual requirements is still a challenge
  – SELinux troubleshooter offers some help in addressing SELinux issues.


Slide 32: Summary
SELinux provides a new layer of protection for Linux.
Provides fine grained mandatory access controls that work in addition to existing discretionary access controls (mode bits)
Policy file configuration complex (and not yet well documented)
Default policy file provides secure operating environment
  – If anything, it is likely to be more restrictive than a user might wish.