Security-Enhanced Linux
References
1. Implementation of Security-Enhanced Linux by Yue Cui, Xiang Sha, Li Song
2. Security Enhanced Linux by David Quigley (Fedora)
3. Security-Enhanced Linux by Joseph A LaConte
Background
Security-Enhanced Linux is an NSA (National Security Agency) backed research project.
Goals:
Promote security research
Address OS security
Demonstrate MAC (Mandatory Access Control) through Type Enforcement® technology in a mainstream OS
Note: the SELinux project is not intended as a complete security solution for Linux.
SELinux Background
1985: LOCK system (early Type Enforcement)
  Secure Ada project through Honeywell
1990: DTMach / DTOS
  DTMach: Mach-based prototype
  DTOS (Distributed Trusted Operating System)
1995: Utah Fluke / Flask
  Fluke: University of Utah's research operating system
1999: 2.2 Linux kernel (patch)
2001: 2.4 Linux kernel (patch)
2002: LSM
2003: 2.6 Linux kernel (mainline)
2006: Full network labeling
Why Linux?
Linux is an open source project with many developers; therefore it:
Provides an opportunity for more research.
Allows application and testing in a mainstream OS.
Improves security in an existing OS.
SELinux
Security-Enhanced Linux (SELinux) uses the Linux Security Modules (LSM) framework to implement flexible Mandatory Access Control (MAC) in the Linux kernel.
It restricts the privileges of user programs and system servers using security labels and an administratively defined policy.
MAC versus DAC
Discretionary Access Control (DAC) is the standard security model for Linux. In this model, access privileges are based on the user identity and object ownership.
Mandatory Access Control (MAC) limits privileges for subjects (processes) and objects (file, socket, device, etc.).
Please note: SELinux does not change any existing security in the Linux environment; rather, SELinux extends the security model to include Mandatory Access Control (i.e. both MAC and DAC are enforced in the SELinux environment).
SELinux vs. traditional Linux
SELinux enforces MAC policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.
The ability of these user programs and system daemons to cause harm when compromised (via buffer overflow, for example) is reduced or eliminated.
SELinux vs. traditional Linux
The confinement mechanism operates independently of the traditional Linux access control mechanisms.
It has no concept of a “root” super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).
SELinux vs. traditional Linux
The security of traditional Linux:
Depends on the correctness of the kernel, all the privileged applications, and each of their configurations.
A problem in any one of these areas may allow the compromise of the entire system.
The security of SELinux:
Depends on the correctness of the kernel and its security policy configuration.
While problems may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.
Security-Enhanced Linux
Security policies are implemented using:
Type Enforcement® (TE) (introduced in 1985 by Boebert and Kain)
Role-based access control (RBAC)
Multi-level security
Security Model in SELinux
Type Enforcement (TE) model: provides fine-grained control over processes and objects in the system.
Role-Based Access Control (RBAC) model: provides a higher level of abstraction to simplify user management.
TE model
Traditional TE model:
Binds a security attribute called a domain to each process and a type to each object.
Treats all processes in the same domain identically and all objects that have the same type identically.
A pair of access matrices specify how domains can access types and how domains can interact with other domains.
Each user is authorized to operate in certain domains.
TE model
SELinux TE model:
Uses a single type attribute in the security context for both processes and objects.
A domain is simply a type that can be associated with a process.
Uses the security class information provided by the Flask architecture.
Security classes can distinguish objects of the same type.
Does not directly associate users with domains; uses the RBAC model to provide an additional layer of abstraction between users and domains.
Type Enforcement
Object(s): items in a system that are acted upon (files, IPC, sockets, etc.)
Subject(s): processes that are requesting access to an object
All objects and subjects carry a security context.
Security context(s) are composed of four parts.
All security context components are checked against the policy to see if access is allowed.
Type is the base component, while role and user are used to further restrict type enforcement.
Security Contexts
system_u:object_r:passwd_exec_t:s0:c0.c2-s2:c0.c1
user:role:type:sensitivity[:category,…][-sensitivity[:category,…]]
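That syntax worked as an added example (not code from the deck or from the SELinux project): a parser that splits a context into user, role, type and MLS range and expands category ranges such as c0.c2; the Level and Context names are this example's own.

```python
"""Parse SELinux security contexts of the form shown on the slide:
user:role:type:sensitivity[:category,...][-sensitivity[:category,...]]
Added example, not code from the deck or from the SELinux project."""
import re
from collections import namedtuple

Level = namedtuple("Level", "sensitivity categories")     # ('s0', frozenset({'c0', 'c1'}))
Context = namedtuple("Context", "user role type low high")  # low/high are None without MLS

_CAT = re.compile(r"c(\d+)(?:\.c(\d+))?")   # single category 'c3' or range 'c0.c2'


def parse_level(text):
    """'s0:c0.c2,c5' -> Level('s0', {c0,c1,c2,c5}); 's2' -> no categories."""
    sensitivity, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sensitivity):
        raise ValueError(f"bad sensitivity {sensitivity!r} in {text!r}")
    categories = set()
    for item in cats.split(",") if cats else []:
        m = _CAT.fullmatch(item)
        if not m:
            raise ValueError(f"bad category {item!r} in {text!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"reversed category range {item!r}")
        categories.update(f"c{i}" for i in range(lo, hi + 1))   # c0.c2 -> c0 c1 c2
    return Level(sensitivity, frozenset(categories))


def parse_context(text):
    """Split on the first three colons; everything after them is the MLS range."""
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"context needs user:role:type: {text!r}")
    user, role, type_ = parts[:3]
    if len(parts) == 3:          # e.g. root:sysadm_r:sysadm_t on the installation slides
        return Context(user, role, type_, None, None)
    low_text, _, high_text = parts[3].partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low   # a single level means low == high
    return Context(user, role, type_, low, high)
```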
TE Access Control
Source type(s): the domain type of the process accessing the object
Target type(s): the type of the object being accessed by the process
Object class(es): the class of object to permit access to
Permission(s): the kind of access permitted for the indicated object class
allow user_t bin_t : file {read execute write getattr setattr}
Domain Transitions
Analogous to SetUID programs
Joe, running as user_t (untrusted user), needs to change his password. How does Joe change his password?
allow user_t passwd_exec_t : file { getattr execute };
allow passwd_t passwd_exec_t : file entrypoint;
allow user_t passwd_t : process transition;
What does this solve? It restricts the trusted domain passwd_t and allows user_t to transition to it.
Implicit domain transitions are provided via type_transition.
Users & Roles
First and second components of a security context.
SELinux usernames and DAC usernames are not synonymous.
semanage is used to maintain mappings of DAC to SELinux usernames.
Roles are collections of types geared towards a purpose.
Roles can be used to further restrict actions on the system.
SELinux usernames are granted roles in the system.
Role-Based Access Control
Each user gets a set of roles.
Each role is assigned a set of TE domains.
Note: users are not identified by Linux uids; instead a user identity attribute is used in the security context.
RBAC model
Traditional RBAC model: authorizes users to act in certain roles and assigns a set of permissions to each role.
SELinux RBAC model: authorizes each user for a set of roles, and each role for a set of TE domains; maintains a role attribute in the security context of each process.
Policies
Configuration consists of:
Flask definitions
TE and RBAC declarations and rules
User declarations
Constraint definitions
Security context specifications
Policies
TE statements:
Attribute declarations
Type declarations
TE transition rules
TE change rules
TE access vector rules
TE access vector assertions
Type member rules
RBAC statements:
Role declarations and dominance
Role allow rules
Role transition rules
Policies
Figure: Syntax for TE and RBAC declarations*
Figure: Syntax for type declarations*
* Smalley, Stephen, January 2003.
Policies
Figure source: Bleher, Thomas, November 30, 2004.
Limitations
Performance overhead: approximately 7%.
Complexity: requires in-depth knowledge of the operating system, the security policies, and the operating environment.
Maintenance: policy fine-tuning; changes required for changes to the system.
Benefit of SELinux
SELinux's new features are designed to:
Enforce the separation of information based on confidentiality and integrity requirements.
Prevent processes from reading data and programs, tampering with data and programs, executing untrustworthy programs, or interfering with other processes in violation of the system security policy.
MLS
The MLS portion of a security context is composed of 4 parts: low/high, sensitivity/category.
Includes syntax to define dominance of security levels.
Subjects with a range of levels are considered trusted subjects.
Implements a variation of Bell-La Padula.
Linux Security Modules (LSM)
Kernel framework for security modules.
Provides a set of hooks to implement further security checks.
Usually placed after existing DAC checks and before resource access.
Implications? The SELinux check is not called if the DAC check fails.
Makes auditing difficult at times.
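A toy model of that ordering, added here as an example (not kernel or SELinux project code): DAC is checked first, so a DAC denial produces no AVC record, while a DAC pass followed by a policy denial does. Inode, Task and the POLICY set are constructed for the illustration.

```python
"""Toy model of the hook ordering on the slide: the LSM hook, and with it the
SELinux check and its audit record, runs only after the DAC check has passed.
Added example with constructed data; not kernel code."""
from dataclasses import dataclass

EACCES = "EACCES"


@dataclass
class Inode:
    owner: str     # DAC owner
    mode: str      # owner permission letters, e.g. "rw" (simplified DAC)
    label: str     # SELinux type of the object


@dataclass
class Task:
    uid: str
    domain: str    # SELinux domain of the process


# Constructed TE policy: (domain, object type, permission) triples that are allowed.
POLICY = {("user_t", "user_home_t", "read"), ("user_t", "user_home_t", "write"),
          ("user_t", "etc_t", "read")}

audit_log = []   # AVC denial records the security module would emit


def dac_check(task, inode, perm):
    """Traditional check: identity and ownership (owner bits only, for brevity)."""
    return task.uid == inode.owner and perm[0] in inode.mode


def selinux_hook(task, inode, perm):
    """LSM hook: consult the policy; denials are audited, allowed access is not."""
    if (task.domain, inode.label, perm) in POLICY:
        return True
    audit_log.append(f"avc: denied {{ {perm} }} scontext={task.domain} tcontext={inode.label}")
    return False


def access(task, inode, perm):
    """Kernel ordering from the slide: DAC, then the LSM hook, then the resource."""
    if not dac_check(task, inode, perm):
        return EACCES    # SELinux is never consulted, so no AVC record is written
    if not selinux_hook(task, inode, perm):
        return EACCES    # denied by MAC: this one does show up in the audit log
    return "OK"
```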
SELinux LSM Module
Figure: the SELinux LSM module. In kernel space, LSM hooks in the various kernel object managers ask the access vector cache (yes or no?); on a cache miss the security server (policy rules and access decision logic) decides. User space reaches the policy management interface through the SELinux filesystem.
Figure taken from SELinux by
Userspace Object Managers
Figure: user-space object managers. A user-space object manager asks its own access vector cache in libselinux (allow access? yes or no?); on a cache miss the query goes through the SELinux filesystem to the kernel security server (policy rules and access decision logic), which also serves the policy management interface.
Figure taken from SELinux by
Policy Server
Figure: policy server. The user-space object manager's access vector cache (libselinux) consults a user-space security server on a cache miss, and a policy management server loads user policy; the kernel security server (policy rules and access decision logic) with its own access vector cache remains behind the SELinux filesystem and the policy management interface.
Figure taken from SELinux by
Policy Language
Figure: policy build pipeline. Policy source modules and policy.conf, processed by make, scripts, M4 and so on, contain type enforcement statements (types, TE rules, roles, users), constraints, resource labeling specifications, and classes and permissions. checkpolicy compiles them into a binary policy file, which load_policy writes through the SELinux filesystem into the kernel's SELinux LSM module (security server with policy rules and access decision logic, access vector cache).
Figure taken from SELinux by
Object Classes
Represents resources of a certain kind.
Policy must include declarations for all object classes.
Classes:
File related (blk_file, chr_file, dir, fd, ...)
Network related (socket, packet_socket, rawip_socket, ...)
IPC related (ipc, msg, msgq, sem, shm)
Misc classes (capability, process, security, system)
Permissions
Specific to a particular object class.
Includes traditional Linux permissions.
Extends existing permissions to be finer grained.
Includes SELinux-specific permissions for labeling.
Type Enforcement
Several major keywords: type, attribute, typeattribute, typealias, allow, dontaudit, auditallow, neverallow
Type Enforcement
attribute file_type;
attribute httpdcontent;
#These two statements...
type httpd_user_content_t;
typeattribute httpd_user_content_t file_type, httpdcontent;
#are equivalent to this one
type httpd_user_content_t, file_type, httpdcontent;
#These two statements...
type mozilla_t, domain;
typealias mozilla_t alias netscape_t;
#are equivalent to this one
type mozilla_t alias netscape_t, domain;
Type Enforcement
rule_name src_type_set target_type_set : class_set perm_set;
#valid
allow user_t bin_t : file { read getattr } ;
allow user_t bin_t : dir { read getattr search } ;
#invalid since file does not have a search permission
allow user_t bin_t : { file dir } { read getattr search } ;
#don't audit when this access is denied
dontaudit httpd_t etc_t : dir search ;
#audit when this access is allowed
#by default allowed access is not audited
auditallow domain shadow_t : file write ;
#This statement may never be allowed by any rule
neverallow user_t shadow_t : file write ;
allow user_t bin_t : { file dir } * ;
allow user_t bin_t : file ~{ write setattr ioctl } ;
Type Enforcement
Type Transitions
type_transition
type_change
#These two statements...
type_transition user_t passwd_exec_t : process passwd_t;
type_transition sysadm_t passwd_exec_t : process passwd_t;
#are equivalent to this one
type_transition { user_t sysadm_t } passwd_exec_t : process passwd_t;
#This domain transition rule...
type_transition init_t apache_exec_t : process apache_t ;
#would require at least the following 3 allow rules to succeed
allow init_t apache_exec_t : file execute ;
allow init_t apache_t : process transition ;
allow apache_t apache_exec_t : file entrypoint ;
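The rule syntax from the previous slides and the domain-transition requirements (the passwd_t example earlier and the apache_t rules above), worked as one added example. It is not checkpolicy or SELinux project code; SAMPLE_POLICY is a constructed subset of the rules quoted on the slides, with the apache_t entrypoint rule left out on purpose.

```python
"""Toy evaluator for the TE statements on these slides: allow rules with set,
`*` and `~{ }` syntax, type_transition rules, and the three allow rules a
domain transition needs. Added example; not checkpolicy or SELinux project code."""
import re
from collections import namedtuple

# Each of src/tgt/cls/perms is a set spec: (negated, frozenset of names or None for `*`).
AllowRule = namedtuple("AllowRule", "src tgt cls perms")
TransRule = namedtuple("TransRule", "src tgt cls new_type")

_TOKEN = re.compile(r"~?\{[^}]*\}|[^\s:;]+|:|;")   # `{ a b }` and `~{ a b }` are one token


def parse_set(tok):
    """`name`, `{ a b }`, `~{ a b }` or `*` -> (negated, names)."""
    negated = tok.startswith("~")
    tok = tok.lstrip("~").strip()
    if tok == "*":
        return False, None
    if tok.startswith("{"):
        return negated, frozenset(tok.strip("{}").split())
    return negated, frozenset([tok])


def member(spec, value):
    negated, names = spec
    return True if names is None else (value in names) != negated


def parse_policy(text):
    """Collect allow and type_transition statements; comments and other kinds are skipped."""
    policy = {"allow": [], "type_transition": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        toks = [t for t in _TOKEN.findall(line) if t != ";"]
        if toks[0] not in policy:
            continue                      # e.g. neverallow, dontaudit, attribute
        if len(toks) != 6 or toks[3] != ":":
            raise ValueError(f"malformed statement: {line}")
        kind, src, tgt, _, cls, last = toks
        if kind == "allow":
            policy["allow"].append(AllowRule(parse_set(src), parse_set(tgt), parse_set(cls), parse_set(last)))
        else:
            policy["type_transition"].append(TransRule(parse_set(src), parse_set(tgt), parse_set(cls), last))
    return policy


def permits(policy, src, tgt, cls, perm):
    """True if some allow rule grants `perm` on class `cls` for the pair (src, tgt)."""
    return any(member(r.src, src) and member(r.tgt, tgt) and member(r.cls, cls)
               and member(r.perms, perm) for r in policy["allow"])


def exec_domain(policy, domain, exec_type):
    """Domain a process in `domain` ends up in after executing a file of type
    `exec_type`, or None if the execution/transition is denied. As on the slide,
    a type_transition only takes effect when execute, transition and entrypoint
    are all allowed."""
    new = domain
    for r in policy["type_transition"]:
        if member(r.src, domain) and member(r.tgt, exec_type) and member(r.cls, "process"):
            new = r.new_type
            break
    if not permits(policy, domain, exec_type, "file", "execute"):
        return None                       # may not run the program at all
    if new != domain:
        if not permits(policy, domain, new, "process", "transition"):
            return None
        if not permits(policy, new, exec_type, "file", "entrypoint"):
            return None
    return new


# Constructed subset of the rules quoted on the slides. The apache_t entrypoint
# rule is deliberately missing, so that transition must fail.
SAMPLE_POLICY = """
allow user_t bin_t : file ~{ write setattr ioctl } ;
allow user_t bin_t : dir { read getattr search } ;
allow user_t passwd_exec_t : file { getattr execute } ;
allow passwd_t passwd_exec_t : file entrypoint ;
allow user_t passwd_t : process transition ;
type_transition { user_t sysadm_t } passwd_exec_t : process passwd_t ;
type_transition init_t apache_exec_t : process apache_t ;
allow init_t apache_exec_t : file execute ;
allow init_t apache_t : process transition ;
neverallow user_t shadow_t : file write
"""
POLICY = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for dom, exe in [("user_t", "passwd_exec_t"), ("init_t", "apache_exec_t"), ("user_t", "bin_t")]:
        print(f"{dom} exec {exe} -> {exec_domain(POLICY, dom, exe)}")
```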
RBAC
Adds 2 components to the security context: user, role
Adds 3 policy language keywords: allow (different than AVC allow), role_transition (similar to type_transition), dominance
RBAC Example
#valid security context
joe:user_r:passwd_t
#role user_r assigned to user joe
user joe roles { user_r };
#types user_t and passwd_t assigned to role user_r
role user_r types { user_t passwd_t };
allow staff_r sysadm_r;
role_transition sysadm_r http_exec_t system_r;
#super_r inherits all types from sysadm_r and secadm_r
dominance { role super_r { role sysadm_r; role secadm_r; }}
Multilevel Security
Policy declares levels and categories.
Applies constraints on objects and permissions with MLS dominance keywords: ==, !=, eq, dom, domby, incomp
mlsconstrain file { create relabelto } { l2 eq h2 }
mlsvalidatetrans: transitions between levels
Still requires a lot of work.
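The dominance keywords and the mlsconstrain above, worked as an added example (a toy model, not SELinux's own implementation); the Level/Range names, the L() shorthand and the Bell-LaPadula read/write checks are this example's own choices.

```python
"""MLS dominance and constraint evaluation as described on the slide, written as
an added toy model (not SELinux's own implementation). A level is a sensitivity
plus a set of categories; a range is low-high, e.g. s0:c0.c2-s2:c0.c1."""
from collections import namedtuple

Level = namedtuple("Level", "sens cats")    # sens: int, cats: frozenset of ints
Range = namedtuple("Range", "low high")


def L(sens, *cats):
    """Shorthand: L(0, 0, 1, 2) is s0:c0.c2."""
    return Level(sens, frozenset(cats))


def dom(a, b):
    """a dominates b: sensitivity at least as high and a superset of b's categories."""
    return a.sens >= b.sens and a.cats >= b.cats


def domby(a, b):
    return dom(b, a)


def eq(a, b):
    return dom(a, b) and dom(b, a)


def incomp(a, b):
    """Neither dominates the other (e.g. disjoint categories at the same sensitivity)."""
    return not dom(a, b) and not dom(b, a)


OPS = {"dom": dom, "domby": domby, "eq": eq, "incomp": incomp,
       "==": eq, "!=": lambda a, b: not eq(a, b)}


def valid_range(r):
    """The high level of a range must dominate its low level."""
    return dom(r.high, r.low)


def mlsconstrain_ok(expr, subj, obj):
    """Evaluate one `lN op hM` term: l1/h1 are the subject's range, l2/h2 the object's."""
    lhs, op, rhs = expr.split()
    levels = {"l1": subj.low, "h1": subj.high, "l2": obj.low, "h2": obj.high}
    return OPS[op](levels[lhs], levels[rhs])


def file_create_allowed(subj, new_file):
    """The slide's `mlsconstrain file { create relabelto } { l2 eq h2 }`:
    a created or relabelled file must be single-level."""
    return valid_range(new_file) and mlsconstrain_ok("l2 eq h2", subj, new_file)


# Classic Bell-LaPadula properties, used here to illustrate the "variation" the
# slide mentions; a real policy expresses its own version with mlsconstrain.
def blp_read_ok(subj, obj_level):
    """No read up: the subject's high (clearance) level must dominate the object."""
    return dom(subj.high, obj_level)


def blp_write_ok(subj, obj_level):
    """No write down: the object must dominate the subject's low (current) level."""
    return dom(obj_level, subj.low)
```

Note that the example context on the Security Contexts slide, s0:c0.c2-s2:c0.c1, fails valid_range: its high level s2:c0.c1 lacks category c2, so it does not dominate the low level.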
Conditional Policies
Allows enabling/disabling portions of policy.
Booleans are defined in policy.
Logical operations allowed: && || ^ ! == !=
Does not support nested conditionals.
Booleans are modified through special applications or SELinuxfs.
Configuration for running insmod
Figure 4 shows a portion of the policy configuration that allows the administrator domain (sysadm_t) to run the insmod program to insert kernel modules.
The insmod program is labeled with the insmod_exec_t type and runs in the insmod_t domain.
Figure 4: Configuration for running insmod
Configuration for running insmod
allow sysadm_t insmod_exec_t:file x_file_perms;
  allows the sysadm_t domain to run the insmod program.
allow sysadm_t insmod_t:process transition;
  allows the sysadm_t domain to transition to the insmod_t domain.
allow insmod_t insmod_exec_t:file { entrypoint execute };
  allows the insmod_t domain to be entered by the insmod program and to execute code from this program.
Configuration for running insmod
allow insmod_t sysadm_t:fd inherit_fd_perms;
  allows the insmod_t domain to inherit and use file descriptors from the sysadm_t domain.
allow insmod_t self:capability sys_module;
  allows the insmod_t domain to use the CAP_SYS_MODULE capability.
allow insmod_t sysadm_t:process sigchld;
  allows the insmod_t domain to send the SIGCHLD signal to sysadm_t when it exits.
Reference Policy
Maintained by NSA and FC mailing lists.
Compiles into three versions: Strict, Targeted, MLS
Stats (version .18):
Object classes 55
Common permissions 3, permissions 205
Types 1589
allow 372755, auditallow 12, dontaudit 238663
type_transition 2657, type_change 68
roles 6, RBAC allow 6, role_transition 97, users 3
bools 70
Components
checkpolicy, libselinux, libsemanage, libsepol, policycoreutils
libselinux
Used by SELinux-aware applications.
Houses the user space AVC.
Contains functions to calculate AVCs, get/set/create contexts, and query the policy engine.
libsemanage
Used to query and configure the state of a running system.
Provides functions to query/modify login names, users, network ports/interfaces, file contexts, level translations, roles, etc.
SELinuxfs
Interface between userspace and kernel.
Used by libselinux and libsemanage to communicate requests with the kernel.
Provides a quick and easy interface for humans.
Usually not used directly from programs.
policycoreutils
SELinux management and policy analysis tools: audit2allow, audit2why, load_policy, newrole, restorecon, semanage, semodule, sestatus, setbool, etc.
Distributions
Fedora Core 3 and later, Debian, Gentoo, SuSE, SE-BSD, SE-MACH
Installation
Where to get the copy? Free download from http://www.nsa.gov/selinux/
Components of the SELinux distribution:
Patches to the Linux kernel (based on kernel 2.4.18)
Patches to a number of standard tools and utilities, support files, and documentation
Installation
Need to have an existing Red Hat Linux; Red Hat 7.2 or later is better.
SELinux does not provide a modified xdm/gdm/kdm to set the security context for the user session.
Environment we use: Red Hat 7.3
Installation
Download the installation package (lsm-2.4-selinux-2002053110.tgz).
Unzip the file; we get two folders: /lsm2.4 and /selinux
The quick installation steps are as follows.
Installation
Edit policy/users for your users.
Be sure to authorize at least one user for the system administrator role (sysadm_r).
Edit the default_context and cron_context files in utils/appconfig for your users.
A security context has the syntax user:role:domain or user:role:type, e.g. root:sysadm_r:sysadm_t or root:user_r:user_t
Installation
Edit policy/file_contexts/{types.fc,program/*.fc} for your site.
Check the pathnames against your file system layout.
Ensure that your current configuration is not set up to run an X Display Manager (xdm, gdm, kdm).
The default runlevel specified in /etc/inittab should be runlevel 3 (full multiuser mode).
Installation
Perform the quick install: make quickinstall
When the kernel configuration menu is displayed, configure the kernel for your hardware as appropriate.
Configure your boot manager to boot the SELinux kernel, e.g. if you use the LILO boot manager, configure /etc/lilo.conf and run /sbin/lilo
Installation
Boot the SELinux kernel and log in in the sysadm_r role and sysadm_t domain (e.g. using “root”).
Run setfiles again to ensure that files created by the old kernel during the shutdown are properly labeled: cd policy; make relabel
Add /usr/local/selinux/bin and /usr/local/selinux/sbin to your path for the modified utilities.
Installation
After installation, we can try the following commands to see if it is installed correctly:
ps -e --context
The second column should show the security context of each process; it has the syntax user:role:domain or user:role:type.
ls --context /
The fourth column should show the security context of each file or directory in /.
Installation
ps -e --context
PID   SID   CONTEXT                           COMMAND
1     7     system_u:system_r:init_t          init [3]
2     7     system_r:system_r:init_t          [keventd]
...   ...   ...                               ...
855   245   system_u:system_r:local_login_t   login --root
856   244   system_u:system_r:getty_t         /sbin/mingetty tty2
857   244   system_u:system_r:getty_t         /sbin/mingetty tty3
858   244   system_u:system_r:getty_t         /sbin/mingetty tty4
859   244   system_u:system_r:getty_t         /sbin/mingetty tty5
860   244   system_u:system_r:getty_t         /sbin/mingetty tty6
863   246   root:sysadm_r:sysadm_t            -bash
910   246   root:sysadm_r:sysadm_t            ps -e --context
InstallationInstallation ls -- context /ls -- context /drwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:bin_tsystem_u:object_r:bin_t binbindrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:boot_tsystem_u:object_r:boot_t bootbootdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:device_tsystem_u:object_r:device_t devdevdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:etc_tsystem_u:object_r:etc_t etcetcdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:user_home_tsystem_u:object_r:user_home_thomehomedrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t initrdinitrddrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:lib_tsystem_u:object_r:lib_t liblibdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:lost_found_tsystem_u:object_r:lost_found_t lost+foundlost+founddrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t miscmiscdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t mntmntdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t optoptdr-xr-xr-x rootdr-xr-xr-x root rootroot system_u:object_r:proc_tsystem_u:object_r:proc_t procprocdrwxr-x--- rootdrwxr-x--- root rootroot system_u:object_r:sysadm_home_tsystem_u:object_r:sysadm_home_t rootrootdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:sbin_tsystem_u:object_r:sbin_t sbinsbindrwxrwxrwx rootdrwxrwxrwx root rootroot system_u:object_r:tmp_tsystem_u:object_r:tmp_t tmptmpdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:usr_tsystem_u:object_r:usr_t usrusrdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:var_tsystem_u:object_r:var_t varvar
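The post-install check above is done by eye on the slides; the script below automates it on captured output. It is an added example, not code from the deck or the SELinux project: the sample `ps` and `ls` lines are constructed for it, and it assumes the three-field user:role:type shape the slides describe (an MLS/MCS policy adds a fourth range field, which this check would flag).

```shell
#!/bin/sh
# Added example (not the deck's own code): validate the CONTEXT column of captured
# `ps -e --context` and `ls --context` output against the user:role:type shape the
# slides describe. The sample output below is constructed for this example.

# Constructed sample of `ps -e --context` (PID SID CONTEXT COMMAND).
PS_SAMPLE='PID SID CONTEXT COMMAND
1 7 system_u:system_r:init_t init [3]
855 245 system_u:system_r:local_login_t login -- root
863 246 root:sysadm_r:sysadm_t -bash'

# Constructed sample of `ls --context /` (mode owner group CONTEXT name); the last
# row is deliberately malformed so the check has something to report.
LS_SAMPLE='drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-x--- root root system_u:object_r:sysadm_home_t root
drwxrwxrwx root root unlabeled tmp'

# is_context STRING -> 0 if STRING has exactly three non-empty fields, the role
# ending in _r and the type in _t (the naming convention used throughout the deck;
# MLS/MCS policies append a fourth range field and are out of scope here)
is_context() {
    case "$1" in
        ?*:?*_r:?*_t) ;;
        *) return 1 ;;
    esac
    # exactly three fields: stripping everything but colons must leave two
    [ "$(printf '%s' "$1" | tr -cd ':')" = "::" ]
}

# bad_contexts COLUMN  (reads output on stdin) -> prints how many rows have a
# malformed context in field COLUMN; the `ps` header row is skipped
bad_contexts() {
    awk -v c="$1" '
        $1 == "PID" { next }
        {
            n = split($c, f, ":")
            if (n != 3 || f[1] == "" || f[2] !~ /_r$/ || f[3] !~ /_t$/) bad++
        }
        END { print bad + 0 }'
}

# Usage: run the checks on the constructed samples; on a live system pipe
# `ps -e --context | bad_contexts 3` and `ls --context / | bad_contexts 4`.
echo "malformed process contexts: $(printf '%s\n' "$PS_SAMPLE" | bad_contexts 3)"
echo "malformed file contexts:    $(printf '%s\n' "$LS_SAMPLE" | bad_contexts 4)"
```

A non-zero count after `make relabel` points at files the policy's file_contexts did not cover, which is the usual reason a freshly installed system misbehaves in enforcing mode.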
Customizing the policy
What we can do
  Adding users
  Adding permissions
  Adding programs to an existing domain
  Creating a new domain
  Creating a new type
  Creating a new role
Customizing the policy
Adding users
  If we want to add a user steve to the system who should be authorized for both the user_r and sysadm_r roles:
    Add an entry to the policy/users file:
      user steve roles { user_r sysadm_r }
    Run make load to reload the policy
Customizing the policy
Adding programs to an existing domain
  Locate an appropriate domain by
    examining the existing program domains under policy/domains/program
    examining how existing programs are associated with the executable types for those domains in policy/file_contexts/program
  Relabel the program by
    # make relabel
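The second step above, finding the executable type an existing program carries in policy/file_contexts/program and giving the new program the same one, can be scripted. This is an added example, not the deck's or the project's code: it works on a constructed stand-in for the file_contexts file in a scratch directory, and /sbin/agetty is a hypothetical program chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not the deck's own code): look up which executable type an
# existing program has in policy/file_contexts/program and generate the same
# entry for a new program, so it enters the same domain after `make relabel`.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FC="$WORK/file_contexts_program"

# Constructed stand-in for policy/file_contexts/program: `path [-type] context`
cat > "$FC" <<'EOF'
/sbin/init            --  system_u:object_r:init_exec_t
/sbin/mingetty        --  system_u:object_r:getty_exec_t
/bin/login            --  system_u:object_r:login_exec_t
/usr/sbin/sshd        --  system_u:object_r:sshd_exec_t
EOF

# exec_type_of PATH -> prints the type (last context field) for PATH; fails if unknown
exec_type_of() {
    awk -v p="$1" '$1 == p { n = split($NF, f, ":"); print f[n]; found = 1 }
                   END { exit found ? 0 : 1 }' "$FC"
}

# add_program_like NEWPATH EXISTINGPATH -> appends an entry giving NEWPATH the
# executable type EXISTINGPATH already has
# returns 1 if EXISTINGPATH is unknown, 2 if NEWPATH already has an entry
add_program_like() {
    t=$(exec_type_of "$2") || return 1
    grep -q "^$1[[:space:]]" "$FC" && return 2
    printf '%-21s --  system_u:object_r:%s\n' "$1" "$t" >> "$FC"
}

# Usage: label a hypothetical second getty the same way as /sbin/mingetty.
add_program_like /sbin/agetty /sbin/mingetty && echo "/sbin/agetty -> $(exec_type_of /sbin/agetty)"
# On a real system, `make relabel` in the policy directory applies the new entry.
```

Reusing an existing executable type is the least-privilege choice only when the new program genuinely needs the same permissions as the domain's existing programs; otherwise the "Creating a new domain" route applies.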
Customizing the policy
Creating a new role
  Create a new domain to be used as the initial login domain for the role
  Define the role declaration in policy/rbac
  Reload the policy
    # make load
  Add an entry for the role in /etc/security/default_type
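The "Adding users" and "Creating a new role" procedures both edit plain text files of the example policy, and the mistake that bites in practice is granting a user a role that no role declaration exists for. The script below, an added example that is not the deck's or the project's code, keeps a constructed policy/users, policy/rbac and /etc/security/default_type in a scratch directory and refuses undeclared roles; webadmin_r and webadmin_t are hypothetical names chosen for the demonstration, and the `user`/`role` statement forms (with the closing semicolon) are those of the SELinux policy language.

```shell
#!/bin/sh
# Added example (not the deck's own code): maintain the example policy's
# policy/users file, a role declaration in policy/rbac and the matching
# /etc/security/default_type entry, refusing any role that no `role` statement
# declares. Everything lives in a scratch directory; nothing here touches a
# live policy or runs `make load`.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
POLICY="$WORK/policy"
DEFAULT_TYPE="$WORK/default_type"
mkdir -p "$POLICY"

# Constructed stand-in for policy/rbac: one `role NAME types TYPE;` statement per role.
cat > "$POLICY/rbac" <<'EOF'
role system_r types system_t;
role user_r types user_t;
role sysadm_r types sysadm_t;
EOF

# Constructed stand-in for policy/users, in the `user NAME roles { ... };` form.
cat > "$POLICY/users" <<'EOF'
user system_u roles system_r;
user root roles { user_r sysadm_r };
EOF

# Constructed stand-in for /etc/security/default_type (one role:type pair per line).
cat > "$DEFAULT_TYPE" <<'EOF'
user_r:user_t
sysadm_r:sysadm_t
EOF

# role_declared ROLE -> 0 if policy/rbac declares ROLE, 1 otherwise
role_declared() {
    grep -q "^role $1 types " "$POLICY/rbac"
}

# declare_role ROLE TYPE -> adds `role ROLE types TYPE;` (returns 2 if already declared)
declare_role() {
    role_declared "$1" && return 2
    printf 'role %s types %s;\n' "$1" "$2" >> "$POLICY/rbac"
}

# add_policy_user NAME ROLE... -> appends `user NAME roles { ROLE... };`
# returns 1 for no roles or an undeclared role, 2 if NAME already has an entry
add_policy_user() {
    name=$1; shift
    [ $# -gt 0 ] || return 1
    grep -q "^user $name " "$POLICY/users" && return 2
    for r in "$@"; do
        role_declared "$r" || return 1
    done
    printf 'user %s roles { %s };\n' "$name" "$*" >> "$POLICY/users"
}

# user_roles NAME -> prints the roles granted to NAME, space separated (empty if none)
user_roles() {
    awk -v u="$1" '$1 == "user" && $2 == u {
        sub(/^.*roles/, ""); gsub(/[{};]/, ""); $1 = $1; print }' "$POLICY/users"
}

# add_default_type ROLE TYPE -> records TYPE as the initial login domain for ROLE
# returns 1 for an undeclared role, 2 if ROLE already has an entry
add_default_type() {
    role_declared "$1" || return 1
    grep -q "^$1:" "$DEFAULT_TYPE" && return 2
    printf '%s:%s\n' "$1" "$2" >> "$DEFAULT_TYPE"
}

# Usage, following the two procedures on the slides. webadmin_r/webadmin_t are
# hypothetical names chosen for this example.
add_policy_user steve user_r sysadm_r && echo "steve: $(user_roles steve)"
add_policy_user bob webadmin_r || echo "bob refused: webadmin_r is not declared yet"
declare_role webadmin_r webadmin_t
add_default_type webadmin_r webadmin_t
add_policy_user bob webadmin_r && echo "bob: $(user_roles bob)"
```

The order matters on a real system as well: declare the role and its initial domain, reload with `make load`, and only then hand the role to users and record it in /etc/security/default_type, so no login ever resolves to a role:type pair the loaded policy does not know.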
More Information
  SELinux Homepage: www.nsa.gov/selinux
  SELinux Mailing list: http://www.nsa.gov/selinux/info/list.cfm?MenuID=41.1.1.9
  Redhat SELinux Mailing List: http://www.redhat.com/mailman/listinfo/fedora-selinux-list
  Fedora SELinux Wiki: http://fedoraproject.org/wiki/SELinux