An Introduction to SELinux Rene Cunningham <rene.cunningham@au1.ibm.com>

Rene Cunningham

<rene.cunningham@au1.ibm.com>

Presentation Overview SELinux Introduction Access Control Mechanisms SELinux Policy SELinux Administration SELinux in Action SELinux Benefits

SELinux Introduction

Access Control Mechanisms

SELinux Policy

SELinux Administration

SELinux in Action

SELinux Benefits

General Introduction Security Enhanced Released by the NSA on 22/12/2000 GPL License Implements MAC based security policies Shipped in RHEL, Fedora, Debian, OpenSuSE and SLES

Security Enhanced

Released by the NSA on 22/12/2000

GPL License

Implements MAC based security policies

Shipped in RHEL, Fedora, Debian, OpenSuSE and SLES

Linux Specific Merged into kernel 2.6.0-test3 on 08/08/2003 Supported in RHEL4 and RHEL5 Enablement in SLES11

Merged into kernel 2.6.0-test3 on 08/08/2003

Supported in RHEL4 and RHEL5

Enablement in SLES11

Terminology :: Types A type groups objects such as files and directories together based on their fundamental security sameness.

A type groups objects such as files and directories together based on their fundamental security sameness.

Terminology :: Types httpd_sys_content_t objects located in the /var/www directory etc_t /etc directory

httpd_sys_content_t

objects located in the /var/www directory

etc_t

/etc directory

Terminology :: Domains Every process runs in a domain which directly determines what access to types the process has

Every process runs in a domain which directly determines what access to types the process has

Terminology :: Domains named_t named daemon initrc_t init scripts unconfined_t processes that are not explicitly confined within SELinux policy.

named_t

named daemon

initrc_t

init scripts

unconfined_t

processes that are not explicitly confined within SELinux policy.

Terminology :: Roles Roles define which user or process can access what domain (processes) and what type (files, directories, device nodes)‏ Users and processes can transition to a new role in order to gain access to domains and types. Rules that determine these transitions are defined within the SELinux Policy

Roles define which user or process can access what domain (processes) and what type (files, directories, device nodes)‏

Users and processes can transition to a new role in order to gain access to domains and types.

Rules that determine these transitions are defined within the SELinux Policy

Terminology :: Roles user_r ordinary system users sysadm_r system administrators system_r every process starts off under the system_r role

user_r

ordinary system users

sysadm_r

system administrators

system_r

every process starts off under the system_r role

Terminology :: Roles Roles can force system accounts such as root into a lesser privileged role. To transition to a role the newrole command is used # newrole -r sysadm_r

Roles can force system accounts such as root into a lesser privileged role.

To transition to a role the newrole command is used

# newrole -r sysadm_r

Terminology :: Identity Identities are applied to user accounts Generally a user's SELinux identity does not change Identities determine what roles user's can enter

Identities are applied to user accounts

Generally a user's SELinux identity does not change

Identities determine what roles user's can enter

Terminology :: Identity user_u generic unprivileged user identity root special root account

user_u

generic unprivileged user identity

root

special root account

Terminology :: Security Context Every process or object on a system has a security context applied to it The security context consists of three fields which are delimited by colons identity:role:domain or identity:role:type

Every process or object on a system has a security context applied to it

The security context consists of three fields which are delimited by colons

identity:role:domain

or

identity:role:type

Terminology :: Security Context system_u:system_r:httpd_t apache daemon system_u:object_r:etc_t /etc/passwd

system_u:system_r:httpd_t

apache daemon

system_u:object_r:etc_t

/etc/passwd

Terminology :: Security Context Security context can be displayed by passing the 'Z' argument to the ls, ps and id commands.

Security context can be displayed by passing the 'Z' argument to the ls, ps and id commands.

Type Enforcement Application separation Control 'super user' privileges Principle of least privileged Ability to control access to system calls Domains and types

Application separation

Control 'super user' privileges

Principle of least privileged

Ability to control access to system calls

Domains and types

Role Based Access Control Users are authorised for roles Roles are authorised for domains and types RBAC coupled with TE defines the SELinux security model

Users are authorised for roles

Roles are authorised for domains and types

RBAC coupled with TE defines the SELinux security model

Access Control Mechanisms The ability to permit or deny the use of a particular resource by a particular entity

The ability to permit or deny the use of a particular resource by a particular entity

Discretionary Access Control Unix groups, permission bits and file system extended attributes. Owner who controls access to an object

Unix groups, permission bits and file system extended attributes.

Owner who controls access to an object

Discretionary Access Control user root owns the /etc/passwd file. group root owns the /etc/passwd file. owner can read/write, group and everyone else can read the file. $ ls -la /etc/passwd -rw-r--r-- 1 root root 2505 2008-12-10 13:03 /etc/passwd

user root owns the /etc/passwd file.

group root owns the /etc/passwd file.

owner can read/write, group and everyone else can read the file.

Mandatory Access Control Central security policy. Users unable to modify the security policy. System Administrator can define just enough permissions for how processes access objects and other processes.

Central security policy.

Users unable to modify the security policy.

System Administrator can define just enough permissions for how processes access objects and other processes.

Mandatory Access Control Security decisions first go through DAC and then MAC (Image courtesy of Graham White's blog post - https://w3.tap.ibm.com/weblogs/Gibba/entry/selinux_permissive_vs_enforcing_mode)‏

Security decisions first go through DAC and then MAC

(Image courtesy of Graham White's blog post - https://w3.tap.ibm.com/weblogs/Gibba/entry/selinux_permissive_vs_enforcing_mode)‏

SELinux Policy Defines amongst other things, the rules that determine what access each domain has to each type

Defines amongst other things, the rules that determine what access each domain has to each type

SELinux Policy Defines Types Domains Identities Roles Access and Transitions

Defines

Types

Domains

Identities

Roles

Access and Transitions

SELinux Policy SELinux policy is distributed as binary Compile once and distribute many RHEL5 introduced SELinux policy modules 2 SELinux Policies are available in RHEL5 Strict and Targeted

SELinux policy is distributed as binary

Compile once and distribute many

RHEL5 introduced SELinux policy modules

2 SELinux Policies are available in RHEL5

Strict and Targeted

SELinux Logs audit daemon kernel options CONFIG_AUDIT and CONFIG_AUDITSYSCALL to be enabled /var/log/audit/audit.log

audit daemon

kernel options CONFIG_AUDIT and CONFIG_AUDITSYSCALL to be enabled

/var/log/audit/audit.log

SELinux Violations type=AVC msg=audit(1230566507.214:106): avc: denied { write } for pid=1560 comm=&quot;mkdir&quot; name=&quot;grep-2.5.1&quot; dev=dm-0 ino=565574 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir “ write ” operation was denied Command “ mkdir ” raised the violation Source context was “ root:system_r:httpd_sys_script_t:s0 ” Target context was “ system_u:object_r:usr_t:s0 ”

type=AVC msg=audit(1230566507.214:106): avc: denied { write } for pid=1560 comm=&quot;mkdir&quot; name=&quot;grep-2.5.1&quot; dev=dm-0 ino=565574 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

“ write ” operation was denied

Command “ mkdir ” raised the violation

Source context was “ root:system_r:httpd_sys_script_t:s0 ”

Target context was “ system_u:object_r:usr_t:s0 ”

Creating Policy Obtain SELinux denials from the log file audit2allow creates Type Enforcement allow rules Compile with checkmodule semodule_package will create the SELinux module package Load the SELinux module package with semodule

Obtain SELinux denials from the log file

audit2allow creates Type Enforcement allow rules

Compile with checkmodule

semodule_package will create the SELinux module package

Load the SELinux module package with semodule

Creating Policy

Listing SELinux Policy Modules

Enabling SELinux enforcing=1 as a kernel boot parameter

enforcing=1 as a kernel boot parameter

Enabling SELinux Set the SELINUX variable in /etc/sysconfig/selinux to enforcing Run setenforce 1 during runtime

Set the SELINUX variable in /etc/sysconfig/selinux to enforcing

Run setenforce 1 during runtime

Disabling SELinux To disable SELinux, put it into permissive mode Permissive mode will continue to log SELinux violations though will not enforce SELinux policy. Security Contexts are still applied to the filesystem when in permissive mode. Not a good idea to fully disable SELinux

To disable SELinux, put it into permissive mode

Permissive mode will continue to log SELinux violations though will not enforce SELinux policy.

Security Contexts are still applied to the filesystem when in permissive mode.

Not a good idea to fully disable SELinux

Relabeling a Filesystem Relabling a filesystem applies the SELinux security contexts to all objects on the filesystem. Using fixfiles could render a system unstable

Relabling a filesystem applies the SELinux security contexts to all objects on the filesystem.

Using fixfiles could render a system unstable

Booleans Booleans allow System Administrators to disable/enable optional SELinux policy during runtime. Displayed with getsebool and enabled/disabled with setsebool httpd_can_network_connect httpd_enable_homedirs samba_enable_home_dirs

Booleans allow System Administrators to disable/enable optional SELinux policy during runtime.

Displayed with getsebool and enabled/disabled with setsebool

httpd_can_network_connect

httpd_enable_homedirs

samba_enable_home_dirs

SELinux in Action Attacker has got access to /var/www/cgi-bin/ through a vulnerable web application and uploaded a cgi-bin script called cracker

Attacker has got access to /var/www/cgi-bin/ through a vulnerable web application and uploaded a cgi-bin script called cracker

SELinux in Action Attack on a server without SELinux Attacker opens the cracker cgi-bin script in a web browser executing the cgi-bin script, downloading the crackserver.pl script and executing it.

Attack on a server without SELinux

Attacker opens the cracker cgi-bin script in a web browser executing the cgi-bin script, downloading the crackserver.pl script and executing it.

SELinux in Action The same attack on a server with SELinux Access to the /sbin/ip command is denied

The same attack on a server with SELinux

Access to the /sbin/ip command is denied

SELinux in Action What do the SELinux audit logs tell us about the attempted attack?

What do the SELinux audit logs tell us about the attempted attack?

SELinux in Action Same scenario but with the SELinux boolean httpd_can_network_connect set to 0 .

Same scenario but with the SELinux boolean httpd_can_network_connect set to 0 .

SELinux in Action What do the SELinux audit logs tell us about the attempted attack?

What do the SELinux audit logs tell us about the attempted attack?

SELinux Benefits Ability to confine services Auditing logs for reporting Application debugging Provide fine grained access control Strengthen the security of the servers IBM deploys

Ability to confine services

Auditing logs for reporting

Application debugging

Provide fine grained access control

Strengthen the security of the servers IBM deploys

Resources http://danwalsh.livejournal.com/ http://www.nsa.gov/selinux/ http://www.coker.com.au/selinux/ http://www.selinux-symposium.org/ http://selinux.sourceforge.net/ http://fedoraproject.org/wiki/SELinux http://ibmurl.hursley.ibm.com/568 http://ibmurl.hursley.ibm.com/567

http://danwalsh.livejournal.com/

http://www.nsa.gov/selinux/

http://www.coker.com.au/selinux/

http://www.selinux-symposium.org/

http://selinux.sourceforge.net/

http://fedoraproject.org/wiki/SELinux

http://ibmurl.hursley.ibm.com/568

http://ibmurl.hursley.ibm.com/567

End Of Presentation Whats next? What can I do? Thanks for your time and attention !

Whats next?

What can I do?

Thanks for your time and attention !