SELINUX 1


  • 7/31/2019 SELINUX 1

    1/2

    Understanding SELinux, Part 1

    From the 6th century BC, around the time The Art of War was written by Sun Tzu, till today, the basic tenets of warfare, attack (offence) and security (defence), have remained the same. What has changed significantly since those days is the terrain. It has evolved from land and sea, to air, and now into cyberspace.

    Securing cyberspace, especially in this connected world of the Internet, is of prime concern to governments, organisations and individuals. In a knowledge economy, the real wealth is in information and the bits of data that carry it.

    Securing access to that data is of fundamental importance to the very existence of an organisation. CIOs and IT managers worldwide therefore treat security as one of their main areas of concern. IT security is a vast subject and covers many areas, the foremost being network security (firewalls), data security (encryption, backup, etc), computing security (restricting physical access, patching OS vulnerabilities, etc) and application security. Much attention has been paid to network, data and computing security, and so there are many competing products on the market offering solutions in these spaces.

    But simply buying and implementing security products is not enough. As Bruce Schneier states in his remarkable book, Secrets and Lies: Digital Security in a Networked World, the two fundamental principles of digital security are:

    Security is a chain; it's only as secure as the weakest link.

    Security is a process, not a product.

    The application is a very important link in the IT security chain. It is the application that the end user consumes, and it is the application interface that is exposed to all users (even those without proper login credentials). Applications control the use of the resources granted to them by the OS: memory, storage, networks, etc. Most applications are complex, run to tens of thousands of lines of code, and can contain innumerable vulnerabilities.

    Moreover, multiple applications are typically executed on the same operating system instance. To give a simple example, a mail server running SMTP/POP/IMAP will, in all probability, also be running a Web server. The Web server interface could be used for configuration or even for webmail.

    A vulnerability in one application could bring down the entire system, affecting other services and processes, or worse, lead an attacker to a storehouse of confidential information.

    Why SELinux?

    Application software will have its flaws and bugs, and will remain that way for the foreseeable future, depending on the nature of the application and the constraints and awareness of its developers.

    If multiple applications running on the same OS have to be secured, the OS has to play a crucial role in defining the confines of those applications. Security can only be achieved with stronger underlying operating system security that isolates each application and the files it uses, thus protecting the integrity of the entire system.

    In most organisations that have implemented some form of security and have a security policy in place, the weakest link in the security chain is the systems administrator. Administrators generally have access to most files on the system and can, by accident or design, perform operations on confidential files. Confidentiality of data in modern systems is another pressing requirement.


    The NSA (National Security Agency) of the US, which originally developed SELinux, states: "The Security-enhanced Linux's new features are designed to enforce the separation of information, based on confidentiality and integrity requirements. They are designed for preventing processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system's security policy. They also help to confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling a single system to be used by users with differing security authorisations to access multiple kinds of information with differing security requirements without compromising those security requirements."

    In other words, SELinux implements an access control mechanism to achieve the above. Traditional UNIX-like operating systems have long had an access control mechanism of their own, one that has remained, and still remains, among the strongest security features of this family of operating systems.

    We are all aware of the rwx bits set on files and directories, along with the special permissions (setuid, setgid and the sticky bit). These permission bits, together with the user identity (UID) and group identity (GID) of the accessing process, form the basis of traditional access control: the kernel picks exactly one class of bits (owner, group or other) according to the process's UID and GIDs, and grants only what that class allows. This prevents unauthorised access to files and processes. chroot jails further confine the filesystem view of a running process.

    Is there a flaw in this age-old, time-tested access control mechanism? If not, why is SELinux needed?

    The inherent flaw in the traditional permissions model is that of DISCRETION. The owner of a file can change the permissions of that object at will. Imagine the following scenario: /etc/passwd, the file that contains the user database, has default permissions of 644 and is owned by the root user, who, by accident or design, assigns it 666 permissions (world readable and writable). Any user could then write to the user database, changing UIDs, home directories and so on, for instance giving their own account UID 0. Nothing in the traditional model stops root from making that change, and nothing in it limits the damage once the change is made.

    The traditional mechanism of permissions on files and processes is thus discretionary: it can be changed at the discretion of the owner, and is therefore termed Discretionary Access Control (DAC). Herein lies the inherent security flaw. By contrast, SELinux implements Mandatory Access Control (MAC), where access control decisions are made by a system-wide policy and are not at the discretion of individual users, or even of systems administrators. SELinux does not replace the DAC check: the kernel evaluates the traditional permission bits first and consults the SELinux policy only if they allow the access, so a request must pass both layers to succeed.
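The following is an added example, not code from the original article or from the SELinux project, that models the two checks described above: the rwx/UID/GID algorithm from the permissions paragraph and the /etc/passwd scenario from the DAC discussion, with a small type-enforcement table standing in for the SELinux policy. The domain and type names (user_t, passwd_t, passwd_file_t, user_home_t) and the policy table are constructed for illustration; real SELinux policy is far larger and is compiled into the kernel's security server rather than a Python dict. The point it demonstrates is the ordering: DAC is evaluated first, MAC second, and a chmod 666 by root opens the file under DAC but leaves the MAC decision unchanged.

```python
"""
Added model of how Unix DAC and an SELinux-style MAC layer combine.
The kernel runs the traditional rwx/UID/GID check first; only if that
passes is the mandatory policy consulted, and both must allow the access.
The domain/type names and the policy table are constructed for
illustration and are not a real SELinux policy.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits, same encoding as the rwx triplets


@dataclass
class File:
    path: str
    uid: int
    gid: int
    mode: int      # permission bits, e.g. 0o644
    context: str   # MAC type label on the object (constructed name)


@dataclass
class Process:
    uid: int
    gids: frozenset
    context: str   # MAC domain of the subject (constructed name)


def dac_allows(proc, f, want):
    """Classic Unix DAC: pick exactly one class (owner, group, other) from
    the UID/GIDs, then require every requested bit in that class."""
    if proc.uid == 0:
        # Root (CAP_DAC_OVERRIDE) bypasses read/write checks; execute
        # still needs at least one x bit somewhere in the mode.
        return not (want & X) or bool(f.mode & 0o111)
    if proc.uid == f.uid:
        cls = (f.mode >> 6) & 7
    elif f.gid in proc.gids:
        cls = (f.mode >> 3) & 7
    else:
        cls = f.mode & 7
    return (cls & want) == want


# Constructed type-enforcement table: (domain, type) -> allowed bits.
# Anything absent is denied, and no chmod by any user changes this table.
POLICY = {
    ("user_t", "passwd_file_t"): R,        # users may read the user database
    ("passwd_t", "passwd_file_t"): R | W,  # only the passwd program's domain may write it
    ("user_t", "user_home_t"): R | W,
}


def mac_allows(proc, f, want):
    """Mandatory check: decided by the policy, not by the object's owner."""
    return (POLICY.get((proc.context, f.context), 0) & want) == want


def access(proc, f, want):
    """DAC first, then MAC, as the kernel orders them. Returns which layer
    refused, or 'ok'."""
    if not dac_allows(proc, f, want):
        return "dac-denied"
    if not mac_allows(proc, f, want):
        return "mac-denied"
    return "ok"


def passwd_scenario():
    """The article's scenario: root loosens /etc/passwd to 666."""
    passwd = File("/etc/passwd", uid=0, gid=0, mode=0o644, context="passwd_file_t")
    alice = Process(uid=1000, gids=frozenset({1000}), context="user_t")
    before = access(alice, passwd, W)            # 'dac-denied'
    passwd.mode = 0o666                          # root, by accident or design
    dac_only = dac_allows(alice, passwd, W)      # True: DAC alone now lets anyone write
    after = access(alice, passwd, W)             # 'mac-denied': the policy still refuses
    return before, dac_only, after


def root_in_user_domain():
    """Even UID 0 is bound by the policy if its domain lacks the permission."""
    passwd = File("/etc/passwd", uid=0, gid=0, mode=0o644, context="passwd_file_t")
    root_shell = Process(uid=0, gids=frozenset({0}), context="user_t")
    return access(root_shell, passwd, W)         # 'mac-denied'


def legitimate_passwd_change():
    """The setuid passwd program: UID 0 for DAC and the passwd_t domain for MAC."""
    passwd = File("/etc/passwd", uid=0, gid=0, mode=0o644, context="passwd_file_t")
    passwd_prog = Process(uid=0, gids=frozenset({0}), context="passwd_t")
    return access(passwd_prog, passwd, W)        # 'ok'


if __name__ == "__main__":
    print(passwd_scenario(), root_in_user_domain(), legitimate_passwd_change())
```

Run it and the three results show the argument in miniature: before the chmod, alice is stopped by DAC; after it, DAC alone would let her write, but the mandatory table still says user_t may only read passwd_file_t. Root's own shell, in a domain without write permission, gets the same refusal, which is what "not at the discretion of systems administrators" means in practice, while the setuid passwd program succeeds because it satisfies both layers.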