SELinux presentation given at the Jozi Lug in March. If you are in Johannesburg, South Africa and want to join us see our page on meetup.com. Search for JLug.
http://www.meetup.com/Jozi-Linux-User-Group-JLUG/
4. What is SELinux
● A mechanism for supporting mandatory access control (MAC), role based access control (RBAC) and multi-level / multi-category security (MLS/MCS)
● Implemented as a Linux Security Module (LSM)
● The LSM framework allows the kernel to support different security models; it is used by:
● AppArmor, Smack, SELinux
5. Computer Security Models
● Three security models are possible with SELinux
● MLS/MCS – multilevel security, multi-category security. Mainly about file access: every subject must have a clearance level and every file a classification, e.g. Top Secret, Secret, Confidential and Unclassified (not covered here)
● RBAC – role based access control: how users transition between roles, and the domains to which roles have rights; roles aggregate permissions
6. Computer Security Models
● Mandatory Access Control via Type Enforcement – the first step before MLS/MCS. Good for daemons and services
● This presentation focuses on MAC via TE in SELinux. Although the other security models can be used, they are too restrictive for most situations, so in practice only TE is used. MAC is mainly useful for daemons and processes, not users
7. Mandatory Access Control Definition
● Mandatory Access Control (MAC) – the security policy sets the access controls, and they cannot be changed by system users or processes
● Discretionary Access Control (DAC) – the underlying Unix permissions, which can be changed at the discretion of the file owner
8. Mandatory/Discretionary Access Control
● DAC makes the system vulnerable: users can change permissions, and there is no protection from broken software, i.e. a process has complete control over all resources owned by its user
● MAC – provides control over the interactions of software through defined policies and does not allow users to do anything that breaks these policies. Prevents compromised processes from affecting other processes and files
9. Mandatory Access Control
● A subject performs actions on an object
● The subject is always a process
● An object can be a file, device, user, process, socket, x_cursor, ...
● An action is a system function call, i.e. a permission
10. How is MAC Implemented?
● A security context is given to objects and processes; for the file system this is known as labeling
● A security context is just a free-format string, the "label"
● A policy file contains rules about which domains/types (type enforcement) the subject and object must have for the requested action to be allowed, i.e. it gives meaning to the security context strings. Policies limit what a daemon can access and how
11. SELinux Policy
● Rules for how the source context of the subject is evaluated against the target security context of the object
● By default, if no rule is defined, the action is denied. This is difficult for general purpose computing, so to make it usable a less restrictive policy is provided
12. SELinux Policy
● Two policy packages –
● Targeted – doesn't use users & roles, only restricts certain services, uses type enforcement only. Unaffected subjects and objects run in the unconfined_t domain
● Strict – deny all by default, lots of tweaking
● We will look at a policy file later
13. Object Classes
● Object classes (categories) – more than 70
● Each object class has a set of permissions (actions), e.g.:
– dir
– socket
– tcp_socket
– filesystem
– node
– x_cursor
14. Object Class Permissions (Actions)
● Each object class has its own list of permissions or actions, e.g. for dir (see the slide on seinfo later):
● getattr/setattr
● unlink
● execute
● read
● search
● rmdir
15. Security Context
● Security context (or label): the set of security attributes associated with a subject or an object
● <user>:<role>:<type>
● e.g. system_u:object_r:httpd_exec_t
● system_u – standard for system daemons
● object_r – standard for system objects such as devices and files
● Targeted policy – unconfined_u, unconfined_r
16. Security Context
● User – an individual or process; SELinux maintains its own list of users. For subjects the user is the user the process runs as; for objects it is the owner of the object
● Role – similar to a group, but a user can only have one role at a time, and can switch roles if authorised to do so
● Type/Domain – "type" is used for files, "domain" for processes. This is the attribute that manages access control
17. Security Context
● The standard commands have a -Z option added to show the security context
● ls -Z
● ps -Z
● netstat -Z
18. File Security Context
● Most common SELinux problem – file labels
● restorecon – restores the defined (policy default) context for a file
● chcon -t $type ${file|dir} – temporary; lost at the next relabel
● semanage fcontext -a -t $type ${file|dir} – permanent; run restorecon on the path afterwards to apply it
● /etc/selinux/targeted/contexts/files/file_contexts – the default contexts restorecon applies
20. SELinux Tools
● setroubleshoot – can help with friendlier error messages and suggestions of how to fix the problem
● "cat /var/log/audit/audit.log | sedispatch" → will send the error messages to setroubleshoot for lookup & formatting
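Every denial the policy makes lands in audit.log as an AVC record carrying the subject's context (scontext), the object's context (tcontext), the object class and the denied permission, i.e. exactly the pieces from the "Security Context" and "Object Class Permissions" slides. The script below is an added example, not part of the JLug slides: a POSIX shell/awk function that groups denials by source type, target type, class and permission so a labeling problem shows up as "httpd_t cannot read user_home_t files, twice" instead of raw log noise. The log lines, pids, file names and port are constructed sample data; the field names and the "avc:  denied" marker are the real audit format.

```shell
#!/bin/sh
# Added example (not from the slides): summarise AVC denials from audit.log.
# The records below are CONSTRUCTED sample data, not captured from a system.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1394000000.101:101): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev="sda1" ino=4567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1394000000.101:101): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1394000000.102:102): avc:  denied  { read } for  pid=2001 comm="httpd" name="logo.png" dev="sda1" ino=4568 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1394000000.103:103): avc:  denied  { name_bind } for  pid=2001 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Reads audit records on stdin and prints one line per distinct
# "<source type> <target type> <class> <permission>", most frequent first,
# with the count in front. Only the type field of each
# user:role:type[:level] context is kept, because under the targeted
# policy type enforcement is the part of the context that is evaluated.
summarize_avc() {
    grep 'avc:  denied' |
    awk '{
        perm = ""; s = ""; t = ""; c = "";
        # the denied permission(s) sit between the braces: "{ read }"
        if (match($0, /[{][^}]*[}]/))
            perm = substr($0, RSTART + 1, RLENGTH - 2);
        gsub(/^ +| +$/, "", perm);
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10);
            if ($i ~ /^tcontext=/) t = substr($i, 10);
            if ($i ~ /^tclass=/)   c = substr($i, 8);
        }
        split(s, sf, ":"); split(t, tf, ":");
        print sf[3], tf[3], c, perm
    }' |
    sort | uniq -c | sort -rn
}

# Same summary for a file; the default is the path named on the slide.
summarize_audit_file() {
    summarize_avc < "${1:-/var/log/audit/audit.log}"
}

# Number of distinct denial tuples in the records fed on stdin.
count_denial_tuples() {
    summarize_avc | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

On the constructed input this prints two lines: two read denials from httpd_t on user_home_t files, and one name_bind denial on unreserved_port_t, which is the port case handled on the "Manage Ports" slide. A recurring tuple against a file type is usually the labeling problem the "File Security Context" slide describes, and restorecon on the path is the fix to try before touching the policy.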
21. SELinux Tools
● seinfo
● List all classes: "seinfo -c"
● List all permissions for a class: "seinfo -cdir -x" for dir permissions/actions
● List all types with permissions: "seinfo -txx -x"
● List all users/roles with permissions: "seinfo -{u|r}xx -x"
● List all port contexts: "seinfo --portcon"
23. Manage Ports
● List port contexts: semanage port -l
● Add a port
● semanage port -a -t $type -p {tcp|udp} port|port-range (e.g. semanage port -a -t http_port_t -p tcp 8081)
● Delete a port
● semanage port -d [-t $type] -p {tcp|udp} port|port-range
24. Writing SELinux Policy
● The policy is compiled in user space
● The m4 macro preprocessor is used prior to compilation (optional)
● The initial policy binary is loaded by init at boot
● Policy modules (binaries) can be loaded and unloaded at any time
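The four points above are the whole build pipeline for a loadable module: a type-enforcement source (.te) plus a file-contexts source (.fc), run through m4 by the reference-policy Makefile into a binary .pp, then loaded into the running kernel with semodule. The script below is an added example and not from the JLug slides or the SELinux project: it writes a minimal module for a hypothetical daemon called exampled (the name, the /usr/sbin/exampled binary and the /var/log/exampled directory are assumptions for illustration) and shows the build and load step. Writing the source files needs no SELinux tooling; the build and load step needs the selinux-policy-devel package and root on an SELinux host.

```shell
#!/bin/sh
# Added example, not part of the slides: a minimal type-enforcement module
# for a hypothetical daemon "exampled" (name and paths are assumptions).

# Write <name>.te and <name>.fc into a directory (default: current one).
write_policy_module() {
    name="$1"; dir="${2:-.}"
    # Type-enforcement source: the daemon's domain, the entry-point type of
    # its binary, and the only file type it is allowed to write.
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0)

# Domain the daemon runs in and the type of the binary that enters it.
type ${name}_t;
type ${name}_exec_t;
init_daemon_domain(${name}_t, ${name}_exec_t)

# The daemon's log files get their own type, so other confined domains
# cannot read or alter them unless a rule says so.
type ${name}_log_t;
logging_log_file(${name}_log_t)
allow ${name}_t ${name}_log_t:file { create open append getattr };

# Anything not listed above is denied: the default-deny from the policy
# slides, narrowed to this one daemon.
EOF
    # File-context source: which paths get which labels (applied by restorecon).
    cat > "$dir/$name.fc" <<EOF
/usr/sbin/$name       --  gen_context(system_u:object_r:${name}_exec_t,s0)
/var/log/$name(/.*)?      gen_context(system_u:object_r:${name}_log_t,s0)
EOF
}

# Number of allow rules in a .te file: a quick look at how much a module
# grants before it is loaded.
module_rule_count() {
    grep -c '^allow ' "$1"
}

# Build .te + .fc into a binary .pp (the Makefile runs m4 over the
# policy_module()/interface macros) and load it into the running kernel.
# No reboot is needed; "semodule -r <name>" unloads it again.
build_and_load_module() {
    name="$1"; dir="${2:-.}"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; cannot build $name.pp" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" ) &&
    semodule -i "$dir/$name.pp" &&
    restorecon -Rv "/usr/sbin/$name" "/var/log/$name" &&   # apply the .fc labels
    semodule -l | grep "^$name"                            # confirm it is loaded
}

WORKDIR=$(mktemp -d)
write_policy_module exampled "$WORKDIR"
echo "wrote $WORKDIR/exampled.te and exampled.fc ($(module_rule_count "$WORKDIR/exampled.te") allow rule)"
# build_and_load_module exampled "$WORKDIR"   # run as root on an SELinux host
```

After loading, "ls -Z /usr/sbin/exampled" should show exampled_exec_t and a process started by init from that binary runs in exampled_t; any access the module does not grant appears in audit.log as an AVC denial, which is the loop between writing policy and the tools on the earlier slides.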