Transcript SELinux
SELinux
http://www.nsa.gov/research/selinux/index.shtml
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

Outline
• What is the problem?
• What is SELinux?
• What is it trying to do?
• How does it work?

cs490ns - cotter 2

The Problem:
• Virus / security attacks – up
• System complexity – up
• Network connectivity – up
• Code sophistication – up
  – More active content
  – More mobile code

The Problem:
• Patch cycle
  – Attackers find a vulnerability and develop an exploit
  – Users / testers discover an exploit and develop a patch to negate the exploit
  – Protecting the systems in the period between when the exploit is developed and when the patch is distributed is called the 0-Day problem

The Issue:
• The Problem:
  – How do you defend against an exploit that hasn't been developed?
• A Possible Solution:
  – Control access to resources to limit exposure, and thus the chances for an exploit
  – Also manage access controls such that, if an exploit is successful, there is a strict limit on the resources available to the exploit

Access Control
• Linux (and most other OSs) implement discretionary access control over resources
  – Users have the discretion to allow or deny access to resources that they control
• If a process is compromised, it operates with the access controls given to that process (those of the user/owner).
• Higher level security implements access control in the system (mandatory access control).
  – Access to resources is managed by a security policy, not user decisions.

SELinux History
• Mandatory access controls (MAC) used in high security systems (military) for years.
• NSA began work on embedding MAC into existing operating systems
  – 1991-1992 – Mach OS
  – 1993-1995 – Distributed Trusted OS
  – 1998-1999 – Flux Advanced Security Kernel (FLASK)
  – 2000 - ? – Security Enhanced Linux

SELinux Terminology
• Identity
  – Similar to, but separate from, user ID. They are separate items.
  – su command changes user ID, but not identity (??)
• Domain
  – A list of what actions a process can perform
  – Examples: sysadm_t, user_t, named_t
• Type
  – A list of actions that can be performed on an object (file, directory, etc.). Similar to domain
• Role
  – Defines what domains a user is allowed to access
  – Examples: user_r, staff_r

Security Context
• A combination of user, role and type
  – Who is the user?
  – What is their role?
  – What can they do?
• Example

    [rcotter@kc-sce-450p2 ~]$ ls -l ssh.ps
    -rw-r----- 1 rcotter rcotter 67014 Feb 10 14:16 ssh.ps
    [rcotter@kc-sce-450p2 ~]$ ls -Z ssh.ps
    -rw-r----- rcotter rcotter user_u:object_r:user_home_t ssh.ps
    [rcotter@kc-sce-450p2 ~]$

Security Model
• Security Context analysis:
  – Similar to sentence diagramming

    John         Subject
    Hit          Verb (action)
    Baseball     Object

    user_u       User
    object_r     Role
    user_home_t  Type (domain)

Updates in Fedora
• 4th element of context – level
  – Multi-level security / multi-category security
  – Allows the identification of multiple levels of security
• Original design was to allow multiple levels and multiple categories. In most systems, only multiple categories are supported. Level S0 is used by default.
  – Allow the use of multiple categories.
• Text file (/etc/selinux/targeted/setrans.conf) used to provide a human readable form for contexts.
• Example file:
  – S0:c0=CompanyConfidential
  – S0:c1=PatientRecord
  – S0:c2 unclassified
  – Etc.
• Designed to secure information in levels (no read up or write down)
  – Bell-LaPadula security model.
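The four-field context and the "no read up / no write down" rule described above, worked through as an added example (this is not code from the slides or from SELinux itself; the translation table is a constructed stand-in for the setrans.conf entries on the slide, and levels are compared by the standard dominance rule: higher-or-equal sensitivity plus a superset of categories):

```python
import re

# Constructed translation table modelled on the setrans.conf example on the slide.
TRANSLATIONS = {"s0": "unclassified", "s0:c0": "CompanyConfidential", "s0:c1": "PatientRecord"}

def parse_context(ctx):
    """Split 'user:role:type[:level]' as shown by ls -Z. Level is None on a pre-MLS context."""
    parts = ctx.split(":", 3)          # the level itself may contain ':' (s0:c0), so split at most 3 times
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    user, role, type_ = parts[:3]
    return {"user": user, "role": role, "type": type_, "level": parts[3] if len(parts) == 4 else None}

def parse_level(level):
    """'s1:c0.c3,c7' -> (1, {0,1,2,3,7}). Single levels only; 'low-high' ranges are not handled."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level)
    if not m:
        raise ValueError("bad MLS/MCS level: %r" % level)
    cats = set()
    if m.group(2):
        for item in m.group(2).split(","):      # categories: c7, or a range c0.c3
            lo, _, hi = item.partition(".")
            lo_n, hi_n = int(lo[1:]), int(hi[1:]) if hi else int(lo[1:])
            cats.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), cats

def dominates(a, b):
    """a dominates b: sensitivity of a >= that of b, and a's category set contains b's."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and cb <= ca

def may_read(subject_level, object_level):
    """Bell-LaPadula 'no read up': the subject must dominate the object."""
    return dominates(subject_level, object_level)

def may_write(subject_level, object_level):
    """Bell-LaPadula 'no write down': the object must dominate the subject."""
    return dominates(object_level, subject_level)

def translate(level):
    """Human readable form, as setrans.conf lets ls -Z show; unknown levels pass through."""
    return TRANSLATIONS.get(level, level)

if __name__ == "__main__":
    ctx = parse_context("unconfined_u:object_r:user_home_t:s0:c0")   # constructed ls -Z context
    print(ctx["type"], translate(ctx["level"]))
    print("s0 process reading a s0:c0 file:", may_read("s0", "s0:c0"))
```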
Security Context in Fedora 10

    [rcotter@fedora10-sce-bobc Pictures]$ ls -Z
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_boolean.png
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_file_label.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_status.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_translation.jpeg
    -rw-rw-r-- rcotter rcotter unconfined_u:object_r:user_home_t:s0 selinux_user.jpeg
    [rcotter@fedora10-sce-bobc Pictures]$

SELinux Security Models
• Type Enforcement (TE)
  – Confine processes (subjects) to domains by using security contexts.
• Role-based Access Control (RBAC)
  – Recognizes that users often need to move from one domain to another. RBAC rules explicitly allow roles to move from one domain to another.
• Multi-Level Security
  – Enforce Bell-LaPadula security model.
  – Users allowed to read at one level cannot read at higher levels. Also, users allowed to write at one level are not allowed to write at a lower level. (Ensures that secure information does not propagate to lower levels.)

TE Security Model
• Each process is associated with a domain
  – A "sandbox" to limit or control its interactions
• Each domain is associated with a security context
  – A combination of a resource and the actions allowed on that resource (read a file, execute a program, etc.)
• Each resource (file, etc.) has a security context.
  – Processes can only act on resources if the security contexts specifically grant access.

SELinux Policy
• Security Context determined by system policy file
  – Policy is a compiled file, based on a text file that you define (or a default file that you use). This defines all of the various file and user contexts that you want to be active in your system
  – Compiled policy stored in /etc/selinux/targeted/policy
  – Based on contexts in /etc/selinux/targeted/contexts

file_contexts.homedirs
Default file context for a regular user's home directory:

    /home/[^/]*                                      -d  user_u:object_r:user_home_dir_t
    /home/[^/]*/.+                                       user_u:object_r:user_home_t
    /home/[^/]*/((www)|(web)|(public_html))(/.+)?        user_u:object_r:httpd_user_content_t
    /home/[^/]*/.*/plugins/libflashplayer\.so.*      --  user_u:object_r:texrel_shlib_t

(Also contains default context for root user)

SELinux Usage
• Enable / Disable SELinux
  – selinuxenabled
• Set enforcement policy permissive / disabled
  – setenforce / getenforce
• Set Policy type
  – Targeted (only monitor specific services and files)
  – Strict (monitor everything)
  – Defined in /etc/selinux/config
• If targeted, select policies for each service

SELinux Commands
• Global Commands
  – selinuxenabled
  – getenforce
  – setenforce
  – sestatus
  – fixfiles
• SELinux Files
  – /etc/selinux/config
  – /selinux/booleans

SELinux Commands
• Security Context Control (file contexts)
  – checkpolicy
  – load_policy
  – setfiles
  – restorecon
  – chcon
• Targeted policy overrides
  – getsebool
  – setsebool
  – togglesebool

SELinux Commands
• Policy Control
  – checkpolicy (check and create a new policy)
  – load_policy
  – setfiles
  – restorecon
  – chcon
  – semanage

SELinux Commands
• Process related context information (in man)
  – ftpd_selinux
  – named_selinux
  – rsync_selinux
  – httpd_selinux
  – nfs_selinux
  – samba_selinux
  – kerberos_selinux
  – nis_selinux
  – ypbind_selinux

Setting Security Level – Fedora 14 / CentOS (screenshot slide)

SELinux tool – F14/CentOS (screenshot slide)

SELinux Troubleshooter (old) (screenshot slide)

SELinux Alert Tool – F14/CentOS (screenshot slide)

SELinux Alert Tool – Details (screenshot slide)

SELinux Alert Tool – Fix (screenshot slide)

SELinux Policy Gen Tool (screenshot slide)

MAC in Ubuntu
• SELinux is available, but not installed by default
• Default approach uses AppArmor
  – Focus is not at the system level (as in SELinux), but at the application level.
  – Theory is that most of the security issues arise at the application level.
  – It is easier to protect (and constrain) an application with AppArmor, as long as you don't have a lot of applications to protect.

SELinux Status
• SELinux is still very complex.
  – There are many commands and tools available to manage file and process contexts, and the overall system policy.
  – Default policies and contexts provide a significant level of protection, but adjusting the default policy for individual requirements is still a challenge.
  – SELinux troubleshooter offers some help in addressing SELinux issues.

References
• SELinux: NSA's Open Source Security Enhanced Linux – McCarty – O'Reilly Books, 2004
• CentOS 5 – http://wiki.centos.org/HowTos/SELinux
• Red Hat Fedora Linux Secrets – Barkakati – Wiley Press, 2005
• Configuring the SELinux Policy – http://www.nsa.gov/selinux/papers/policy2-abs.cfm
• Fedora 10 SELinux manual – http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
• CentOS 5 SELinux guide – http://www.centos.org/docs/5/html/5.1/Deployment_Guide/rhlcommon-chapter-0017.html

Summary
• SELinux provides a new layer of protection for Linux.
• Provides fine grained mandatory access controls that work in addition to existing discretionary access controls (mode bits)
• Policy file configuration complex (and not yet well documented)
• Default policy file provides secure operating environment
  – If anything, it is likely to be more restrictive than a user might wish.
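How the file_contexts.homedirs entries on the policy slide turn a path into a label, as an added example (not code from the slides or from libselinux): the four entries are a constructed copy of those shown on the slide, the optional middle field selects the file type (-d directory, -- regular file), every pattern is anchored to the whole path, and, as setfiles/restorecon do, the last matching entry wins (the policy build sorts the file so more specific patterns come later).

```python
import re
import stat

# Constructed copy of the file_contexts.homedirs entries shown on the slide.
FILE_CONTEXTS = r"""
/home/[^/]*                                      -d  user_u:object_r:user_home_dir_t
/home/[^/]*/.+                                       user_u:object_r:user_home_t
/home/[^/]*/((www)|(web)|(public_html))(/.+)?        user_u:object_r:httpd_user_content_t
/home/[^/]*/.*/plugins/libflashplayer\.so.*      --  user_u:object_r:texrel_shlib_t
"""

# file_contexts file-type codes mapped to stat() file-type bits; no code means any type.
FTYPE = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
         "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO}

def parse_file_contexts(text):
    """Return [(compiled regex, file-type bits or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        regex, ctx = fields[0], fields[-1]
        ftype = FTYPE[fields[1]] if len(fields) == 3 else None
        specs.append((re.compile("^(?:%s)$" % regex), ftype, ctx))   # anchor to the whole path
    return specs

def match_context(specs, path, mode=stat.S_IFREG):
    """Label a path the way setfiles/restorecon would: scan from the end, first hit wins."""
    for regex, ftype, ctx in reversed(specs):
        if ftype is not None and ftype != stat.S_IFMT(mode):
            continue                      # entry is restricted to another file type
        if regex.match(path):
            return ctx
    return "<<none>>"                      # no entry applies; setfiles leaves such files alone

SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for path, mode in (("/home/rcotter", stat.S_IFDIR), ("/home/rcotter/ssh.ps", stat.S_IFREG),
                       ("/home/rcotter/public_html/index.html", stat.S_IFREG)):
        print(path, "->", match_context(SPECS, path, mode))
```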