
Page 1: SELinux   US/Fedora/13/html/Security-Enhanced_Linux

SELinux

http://www.nsa.gov/research/selinux/index.shtml

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/


cs490ns - cotter 2

Outline

• What is the problem?

• What is SELinux?

• What is it trying to do?

• How does it work?


The Problem:

• Virus / security attacks - up

• System complexity – up

• Network connectivity – up

• Code sophistication – up
  – More active content
  – More mobile code


The Problem:

• Patch cycle
  – Attackers find a vulnerability and develop an exploit
  – Users / testers discover an exploit and develop a patch to negate the exploit
  – Protecting the systems in the period between when the exploit is developed and when the patch is distributed is called the 0-Day problem


The Issue:

• The Problem:
  – How do you defend against an exploit that hasn't been developed?

• A Possible Solution:
  – Control access to resources to limit exposure – and thus the chances for an exploit
  – Also manage access controls such that, if an exploit is successful, there is a strict limit on the resources available to the exploit


Access Control

• Linux (and most other OSs) implements discretionary access control over resources
  – Users have the discretion to allow or deny access to resources that they control

• If a process is compromised, it operates with the access controls given to that process (those of the user/owner).

• Higher level security implements access control in the system (mandatory access control).
  – Access to resources is managed by a security policy, not user decisions.


SELinux History

• Mandatory access controls (MAC) used in high security systems (military) for years.

• NSA began work on embedding MAC into existing operating systems
  – 1991-1992 – Mach OS
  – 1993-1995 – Distributed Trusted OS
  – 1998-1999 – Flux Advanced Security Kernel (FLASK)
  – 2000-? – Security Enhanced Linux


SELinux Terminology

• Identity
  – Similar to, but separate from, user ID. They are separate items.
  – su command changes user ID, but not identity (??)

• Domain
  – A list of what actions a process can perform
  – Examples: sysadm_t, user_t, named_t

• Type
  – A list of actions that can be performed on an object (file, directory, etc.). Similar to domain

• Role
  – Defines what domains a user is allowed to access
  – Examples: user_r, staff_r


Security Context

• A combination of user, role and type
  – Who is the user?
  – What is their role?
  – What can they do?

• Example:

[rcotter@kc-sce-450p2 ~]$ ls -l ssh.ps

-rw-r----- 1 rcotter rcotter 67014 Feb 10 14:16 ssh.ps

[rcotter@kc-sce-450p2 ~]$ ls -Z ssh.ps

-rw-r----- rcotter rcotter user_u:object_r:user_home_t ssh.ps

[rcotter@kc-sce-450p2 ~]$


Security Model

• Security Context analysis:
  – Similar to sentence diagramming

  John       Hit              Baseball
  Subject    Verb (action)    Object

  user_u     object_r         user_home_t
  User       Role             Type (domain)


Updates in Fedora

• 4th element of context – level
  – Multi-level security / multi-category security
  – Allows the identification of multiple levels of security

• Original design was to allow multiple levels and multiple categories. In most systems, only multiple categories are supported. Level S0 is used by default.
  – Allows the use of multiple categories.

• Text file (/etc/selinux/targeted/setrans.conf) used to provide a human readable form for contexts.

• Example file:
  – S0:c0=CompanyConfidential
  – S0:c1=PatientRecord
  – S0:c2=Unclassified
  – Etc.

• Designed to secure information in levels (no read up or write down)
  – Bell-LaPadula security model.


Security Context in Fedora 10

[rcotter@fedora10-sce-bobc Pictures]$ ls -Z

-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.jpeg

-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.png

-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_file_label.jpeg

-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_status.jpeg

-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_translation.jpeg

-rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_user.jpeg

[rcotter@fedora10-sce-bobc Pictures]$


SELinux Security Models

• Type Enforcement (TE)
  – Confine processes (subjects) to domains by using security contexts.

• Role-based Access Control (RBAC)
  – Recognizes that users often need to move from one domain to another. RBAC rules explicitly allow roles to move from one domain to another.

• Multi-Level Security
  – Enforce Bell-LaPadula security model.
  – Users allowed to read at one level cannot read at higher levels. Also users allowed to write at one level are not allowed to write at a lower level. (Ensures that secure information does not propagate to lower levels.)
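The two slides above (the four-field context with its level/category field, and the Bell-LaPadula "no read up, no write down" rule that MLS enforces) can be exercised on real context strings. The following is an added example written for this page, not code from the slides or from the SELinux project. It parses contexts of the form user:role:type[:level] as printed by ls -Z, and applies the dominance check to the level field. Assumptions: a context with no level field is treated as s0 with no categories (the default the slide states); a level range written low-high is read as current level / clearance; the sample contexts and the category meanings (c0 = CompanyConfidential, c1 = PatientRecord) are constructed from the slide's setrans.conf example.

```python
"""Added example (not from the slides): parse SELinux security contexts of the
form user:role:type[:level] and apply the Bell-LaPadula rules the deck
describes (no read up, no write down) to the MLS/MCS level field.
Assumptions: a missing level means s0 with no categories (the deck's stated
default); a level range "low-high" is taken as current level / clearance.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int                      # the N in "sN"
    categories: frozenset = frozenset()   # {0, 2} for "c0,c2"; {0,1,2,3} for "c0.c3"

    def dominates(self, other: "Level") -> bool:
        """BLP dominance: sensitivity at least as high and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: Level       # current (low) level
    clearance: Level   # high end of the range; equal to level when there is no range


_LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")


def parse_level(text: str) -> Level:
    """Parse "s0", "s0:c1", "s0:c0,c2" or "s0:c0.c1023" into a Level."""
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"malformed MLS level: {text!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            lo, _, hi = part.partition(".")      # "c0.c3" is the inclusive range c0..c3
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_context(text: str) -> Context:
    """Split a context as printed by ls -Z / ps -Z.  The level may itself contain
    ':' (e.g. s0:c0.c1023), so only the first three separators delimit fields."""
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed context: {text!r}")
    user, role, type_ = parts[:3]
    if len(parts) == 4:
        low, _, high = parts[3].partition("-")
        level = parse_level(low)
        clearance = parse_level(high) if high else level
    else:
        level = clearance = Level(0)          # slide: "Level S0 is used by default"
    return Context(user, role, type_, level, clearance)


def can_read(subject: Context, obj: Context) -> bool:
    """No read up: the subject's clearance must dominate the object's level."""
    return subject.clearance.dominates(obj.level)


def can_write(subject: Context, obj: Context) -> bool:
    """No write down: the object's level must dominate the subject's current level."""
    return obj.level.dominates(subject.level)


# Constructed sample contexts in the style of the slide's ls -Z output and its
# setrans.conf example (c0 = CompanyConfidential, c1 = PatientRecord).
CONFIDENTIAL_FILE = "user_u:object_r:user_home_t:s0:c0"
PATIENT_FILE = "user_u:object_r:user_home_t:s0:c1"
PUBLIC_FILE = "unconfined_u:object_r:user_home_t:s0"
CLERK_PROCESS = "user_u:user_r:user_t:s0:c0"   # cleared for CompanyConfidential only
UNCONFINED_PROCESS = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"


def demo() -> dict:
    """Run the BLP checks on the constructed contexts; True means allowed."""
    clerk = parse_context(CLERK_PROCESS)
    root = parse_context(UNCONFINED_PROCESS)
    return {
        "clerk_reads_confidential": can_read(clerk, parse_context(CONFIDENTIAL_FILE)),
        "clerk_reads_patient": can_read(clerk, parse_context(PATIENT_FILE)),
        "clerk_writes_public": can_write(clerk, parse_context(PUBLIC_FILE)),
        "clerk_writes_patient": can_write(clerk, parse_context(PATIENT_FILE)),
        "unconfined_reads_patient": can_read(root, parse_context(PATIENT_FILE)),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:28s} {'allowed' if allowed else 'denied'}")
```

Note how categories behave differently from sensitivity levels: the clerk process holding c0 can neither read the c1 file nor write to it, because neither category set contains the other, while the same process is also refused a write to the plain s0 file (write down). The unconfined range s0-s0:c0.c1023 dominates every s0 category set, which is why unconfined processes are unaffected by MCS labels.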


TE Security Model

• Each process is associated with a domain
  – A "sandbox" to limit or control its interactions

• Each domain is associated with a security context
  – A combination of a resource and the actions allowed on that resource (read a file, execute a program, etc.)

• Each resource (file, etc.) has a security context.
  – Processes can only act on resources if the security contexts specifically grant access.


SELinux Policy

• Security Context determined by system policy file
  – Policy is a compiled file, based on a text file that you define (or a default file that you use). This defines all of the various file and user contexts that you want to be active in your system
  – Compiled policy stored in /etc/selinux/targeted/policy
  – Based on contexts in /etc/selinux/targeted/contexts


file_contexts.homedirs

Default file context for regular user’s home directory

/home/[^/]* -d user_u:object_r:user_home_dir_t

/home/[^/]*/.+ user_u:object_r:user_home_t

/home/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t

/home/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:texrel_shlib_t

(Also contains default context for root user)


SELinux Usage

• Enable / Disable SELinux
  – selinuxenabled

• Set enforcement policy permissive / disabled
  – setenforce / getenforce

• Set Policy type
  – Targeted (only monitor specific services and files)
  – Strict (monitor everything)
  – Defined in /etc/selinux/config

• If targeted, select policies for each service


SELinux Commands

• Global Commands
  – selinuxenabled
  – getenforce
  – setenforce
  – sestatus
  – fixfiles

• SELinux Files
  – /etc/selinux/config
  – /selinux/booleans


SELinux Commands

• Security Context Control (file contexts)
  – checkpolicy
  – load_policy
  – setfiles
  – restorecon
  – chcon

• Targeted policy overrides
  – getsebool
  – setsebool
  – togglesebool


SELinux Commands

• Policy Control
  – checkpolicy (check and create a new policy)
  – load_policy
  – setfiles
  – restorecon
  – chcon
  – semanage


SELinux Commands

• Process related context information (in man)
  – ftpd_selinux
  – named_selinux
  – rsync_selinux
  – httpd_selinux
  – nfs_selinux
  – samba_selinux
  – kerberos_selinux
  – nis_selinux
  – ypbind_selinux


Setting Security Level – Fedora 14 / CentOS


SELinux tool – F14/CentOS


SELinux Troubleshooter (old)


SELinux Alert Tool – F14/CentOS


SELinux Alert Tool – Details


SELinux Alert Tool – Fix


SELinux Policy Gen Tool


MAC in Ubuntu

• SELinux is available, but not installed by default

• Default approach uses AppArmor
  – Focus is not at system level (as in SELinux), but at the application level.
  – Theory is that most of the security issues arise at the application level.
  – It is easier to protect (and constrain) an application with AppArmor, as long as you don't have a lot of applications to protect.


SELinux Status

• SELinux is still very complex.
  – There are many commands and tools available to manage file and process contexts, and the overall system policy.
  – Default policies and contexts provide a significant level of protection, but adjusting the default policy for individual requirements is still a challenge
  – SELinux troubleshooter offers some help in addressing SELinux issues.


References

• SELinux: NSA's Open Source Security Enhanced Linux
  – McCarty – O'Reilly Books 2004

• CentOS 5
  – http://wiki.centos.org/HowTos/SELinux

• Red Hat Fedora Linux Secrets – Barkakati – Wiley Press – 2005

• Configuring the SELinux Policy
  – http://www.nsa.gov/selinux/papers/policy2-abs.cfm

• Fedora 10 SELinux manual
  – http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/

• CentOS 5 SELinux guide
  – http://www.centos.org/docs/5/html/5.1/Deployment_Guide/rhlcommon-chapter-0017.html


Summary

• SELinux provides a new layer of protection for Linux.

• Provides fine grained mandatory access controls that work in addition to existing discretionary access controls (mode bits)

• Policy file configuration complex (and not yet well documented)

• Default policy file provides secure operating environment
  – If anything, it is likely to be more restrictive than a user might wish.