Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Security Enhanced Linux:
SELinux
Emre Can Kucukoglu
eckucukoglu@gmail.com
Research & Development Engineer
05.02.2015
Outline
What is SELinux
What can SELinux do
What can not SELinux do
Why should SELinux be used
Getting SELinux
SELinux mod...
What is SELinux (1/1)
Internal firewall between programs.
Linux security module (LSM)
Others are smack, tomoyo, apparmor.
...
What can SELinux do (1/2)
Prevents
processes from reading data and programs,
bypassing application security mechanisms,
ex...
What can SELinux do (2/2)
Type enforcement
focuses on the SELinux type within a SELinux security context.
Role-based acces...
What can not SELinux do (1/1)
Resource limits are outside the scope of an access control
systems.
grsecurity, cgroups, pam...
Why should SELinux be used (1/1)
In multifunctional systems, to seperate
functionalities
e.g. For webserver, email and dns...
Getting SELinux (1/5)
SELinux support is already included in the
mainline Linux 2.6 kernel available from
kernel.org
8
Getting SELinux (2/5)
SE-enabled Linux kernel
CONFIG_SECURITY_SELINUX
NSA SELinux support.
DEFAULT_SECURITY_SELINUX
Set de...
Getting SELinux (3/5)
SELinux userland packages [gse]
checkpolicy
policy compiler.
uses libsepol.
libselinux
library for s...
Getting SELinux (4/5)
SELinux userland packages [gse]
libsepol
library for binary policy manipulation.
no dependency.
poli...
Getting SELinux (5/5)
Policy
SELinux reference policy project [rpp]
12
SELinux modes (1/2)
Permissive
Log warnings instead of enforcing.
CONFIG_SECURITY_SELINUX_DEVELOP
extra: Permissive domain...
SELinux modes (2/2)
Temporarily switch:
# setenforce 1 /* Enforcing */
# setenforce 0 /* Permissive */
Permanently:
edit /...
Basic concepts (1/5)
Security context
Every process and object has a context.
Syntax: user:role:type[:range]
MLS range is ...
Basic concepts (2/5)
Roles
A SELinux user may be allowed to take on one or more roles.
suffix: *_r. e.g. user_r
associated...
Basic concepts (3/5)
17
Ranges
Security level.
if policy supports MCS / MLS.
Object classes
Categories of objects.
# ls /s...
Basic concepts (4/5)
18
Booleans
are used to enable/disable policies.
# getsebool -a
# sesearch -b selinuxuser_execheap -A...
Basic concepts (5/5)
19
Type transition
for objects (files):
# sesearch -T
type_transition [Creating Subject type] [Parent...
Linux user mapping (1/1)
20
Map a linux user to only one
SELinux user. [ual]
Multiple linux users can be
mapped to same SE...
Logging (1/1)
Denials are logged in the audit subsystem.
/var/log/audit/audit.log
Permissive mode generates more log
messa...
Multi-level security and MCS (1/2)
22
based on the Bell-La Padula model
“no write down” and “no read up”
user:role:type:se...
Multi-level security and MCS (2/2)
23
utilization for android:
app running on behalf of one user cannot read or write file...
SELinux policies (1/3)
Compiled in a binary format.
smaller memory requirements.
Type enforcement file (*.te)
mandatory.
n...
SELinux policies (2/3)
3 steps to configure policy for embedded devices:
obtain reference policy,
remove unnecessary rules...
SELinux policies (3/3)
Reference policy project [rpp]
basis for creating other policies.
well-written and good enough for ...
Userland tools (1/4)
id, ls, ps, netstat -Z
display context of shell, file, process, network.
audit2allow
read SELinux den...
Userland tools (2/4)
getenforce
return status of SELinux.
newrole
change role, type or level.
newrole -r system_r -t uncon...
Userland tools (3/4)
setenforce
modify the mode.
seinfo
policy query tool.
setsebool
set the state of an SELinux boolean e...
Userland tools (4/4)
restorecon, restorecond*
restores default context of a file.
customizable types [wct]
context is not ...
Performance (1/1)
Hard to measure.
Overhead app~ 7% for completely untuned
code. [faq] [ffq]
31
License (1/1)
GNU General Public License (GPL) [sel]
32
SELinux demo on Fedora (1/1)
33
Questions about SELinux (1/1)
Can I use SELinux with grsecurity (and PaX)?
Yes, even recommended. However grsecurity’s ACL...
References (1/2)
[faq] http://www.crypt.gen.nz/selinux/faq.html
[gse] https://github.com/SELinuxProject/selinux
[gs] http:...
References (2/2)
[sel] https://www.nsa.gov/research/selinux/l...
[ual] http://wiki.gentoo.org/wiki/SELinux/Use...
[wct] ht...
Upcoming SlideShare
Loading in …5
×

Security Enhanced Linux Overview

2,191 views

Published on

These topics are covered in presentation:
What is SELinux, What can SELinux do, What can not SELinux do, Why should SELinux be used, Getting SELinux, SELinux modes, Basic concepts, Linux user mapping, Logging, MLS and MCS, SELinux policies, Userland tools, Performance, License

Published in: Software
  • Be the first to comment

Security Enhanced Linux Overview

  1. 1. Security Enhanced Linux: SELinux Emre Can Kucukoglu eckucukoglu@gmail.com Research & Development Engineer 05.02.2015
  2. 2. Outline What is SELinux What can SELinux do What can not SELinux do Why should SELinux be used Getting SELinux SELinux modes Basic concepts Linux user mapping Logging MLS and MCS SELinux policies Userland tools Performance License SELinux demo on Fedora Questions about SELinux References 2
  3. 3. What is SELinux (1/1) Internal firewall between programs. Linux security module (LSM) Others are smack, tomoyo, apparmor. Mandatory Access Control (MAC) What subjects can access which objects. Subjects: users, programs. Objects: files, devices, sockets, etc. 3
  4. 4. What can SELinux do (1/2) Prevents processes from reading data and programs, bypassing application security mechanisms, executing untrustworthy programs, interfering with other processes in violation of the system security policy. Confine the potential damage that can be caused by malicious or flawed programs. 4
  5. 5. What can SELinux do (2/2) Type enforcement focuses on the SELinux type within a SELinux security context. Role-based access control decides which types (for processes) a role is allowed to have. Multi-level security classification of data. 5
  6. 6. What can not SELinux do (1/1) Resource limits are outside the scope of an access control systems. grsecurity, cgroups, pam are recommended. 6
  7. 7. Why should SELinux be used (1/1) In multifunctional systems, to seperate functionalities e.g. For webserver, email and dns server, e.g. For Arcelik smart tv, money transaction and entertainment processes. e.g. For Arcelik yazarkasa, aygaz app. and yapikredi app. 7
  8. 8. Getting SELinux (1/5) SELinux support is already included in the mainline Linux 2.6 kernel available from kernel.org 8
  9. 9. Getting SELinux (2/5) SE-enabled Linux kernel CONFIG_SECURITY_SELINUX NSA SELinux support. DEFAULT_SECURITY_SELINUX Set default security mode as SELinux. SECURITY_SELINUX_AVC_STATS Collect access vector caches. CONFIG_SECURITY_SELINUX_BOOTPARAM Allows SELinux to be disabled at boot. SECURITY_SELINUX_DEVELOP Experiment with SELinux and develop policies. CONFIG_SECURITY_SELINUX_DISABLE Allows SELinux to be disabled at runtime. 9
  10. 10. Getting SELinux (3/5) SELinux userland packages [gse] checkpolicy policy compiler. uses libsepol. libselinux library for security-aware applications. uses libsepol. libsemanage library for policy management tools. uses libsepol, libselinux. 10
  11. 11. Getting SELinux (4/5) SELinux userland packages [gse] libsepol library for binary policy manipulation. no dependency. policycoreutils several policy-related utilities. uses libselinux, libsepol, libsemanage. sepolgen python library that forms the core of modern audit2allow. 11
  12. 12. Getting SELinux (5/5) Policy SELinux reference policy project [rpp] 12
  13. 13. SELinux modes (1/2) Permissive Log warnings instead of enforcing. CONFIG_SECURITY_SELINUX_DEVELOP extra: Permissive domain recipe [pdr] Enforced Security policy is enforced. Disabled Do not load security policy. CONFIG_SECURITY_SELINUX_BOOTPARAM Add selinux=0 to kernel bootline. 13
  14. 14. SELinux modes (2/2) Temporarily switch: # setenforce 1 /* Enforcing */ # setenforce 0 /* Permissive */ Permanently: edit /etc/selinux/config SELINUX=enforcing SELINUX=permissive SELINUX=disabled edit boot parameters (overrides configuration file) enforcing=0 /* Permissive */ enforcing=1 /* Enforcing */ 14
  15. 15. Basic concepts (1/5) Security context Every process and object has a context. Syntax: user:role:type[:range] MLS range is optional. Inherited from processes (on fork) or parent files/directories. Users Diff. from linux users* SELinux users do not change during a user session, whereas a Linux user might change via su or sudo. suffix: *_u. e.g. user_u associated to one or more roles that the SELinux user is allowed to use. 15
  16. 16. Basic concepts (2/5) Roles A SELinux user may be allowed to take on one or more roles. suffix: *_r. e.g. user_r associated to one or more types the SELinux user is allowed to access. Types Determine access permission. suffix: *_t. e.g. music_t associated with processes or objects. Attributes Group types with similar properties. 16
  17. 17. Basic concepts (3/5) 17 Ranges Security level. if policy supports MCS / MLS. Object classes Categories of objects. # ls /sys/fs/selinux/class Each class has a set of permissions. [ocp] # ls /sys/fs/selinux/class/tcp_socket/perms/ Rules Specified using the type of the process and object. e.g. allow user_t user_home_t:file { create read write };
  18. 18. Basic concepts (4/5) 18 Booleans are used to enable/disable policies. # getsebool -a # sesearch -b selinuxuser_execheap -AC ET allow user_t kernel_t : system syslog_read ; [ user_dmesg ] Rule will be allowed if corresponding boolean is true (T). And boolean is now enabled. (E) Constraints under which circumstances an operation is allowed. circumstances that don't match are disallowed. # seinfo --constrain e.g. constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity );
  19. 19. Basic concepts (5/5) 19 Type transition for objects (files): # sesearch -T type_transition [Creating Subject type] [Parent Object/Subject Type] : [Class of new Object/Subject] [New Object/Subject Type] for subjects (process): # pstree -Z # sesearch -T -c process type_transtion [Parent process type] [Type of process] : process [New type of the process created]
  20. 20. Linux user mapping (1/1) 20 Map a linux user to only one SELinux user. [ual] Multiple linux users can be mapped to same SELinux user. # semanage login -l # semanage login -a -s staff_u emrecan
  21. 21. Logging (1/1) Denials are logged in the audit subsystem. /var/log/audit/audit.log Permissive mode generates more log messages. # cat /var/log/audit/audit.log | audit2allow -r 21
  22. 22. Multi-level security and MCS (1/2) 22 based on the Bell-La Padula model “no write down” and “no read up” user:role:type:sensitivity [:category,...] - sensitivity [:category,...] | LEVEL | - | LEVEL | | RANGE | sensitivity: s0 lowest, s15 maximum category: optional, c0.c255. unordered and unrelated lists of "compartments". level: combination of sensitivity and category. translate to human readable form in setrans.conf s0 = unclassified, s15 = top secret c0 = finance, c100 = commercial, c255 = book
  23. 23. Multi-level security and MCS (2/2) 23 utilization for android: app running on behalf of one user cannot read or write files created by the same app running on behalf of another user. in fact, MLS reference policy does not allow write-up, read- down. default is to use equal levels.
  24. 24. SELinux policies (1/3) Compiled in a binary format. smaller memory requirements. Type enforcement file (*.te) mandatory. name, version of the module. types, rules, booleans, etc. File contexts file (*.fc) contains the default security contexts to be provided for files created/used by the application for which we are creating the policy module. Interface file (*.if) generally would contain macro definitions that assist in creating type enforcement rules. 24
  25. 25. SELinux policies (2/3) 3 steps to configure policy for embedded devices: obtain reference policy, remove unnecessary rules, have to remove too many rules. add necessary rules. 25
  26. 26. SELinux policies (3/3) Reference policy project [rpp] basis for creating other policies. well-written and good enough for PC distros. many dependencies: checkpolicy policycoreutils libsepol libsemanage python 26
  27. 27. Userland tools (1/4) id, ls, ps, netstat -Z display context of shell, file, process, network. audit2allow read SELinux denials, show corresponding rules. audit2why determine why a denial occured. chcon change context of a file. chcon -t user_home_t /tmp/osman chcat change categories of a file. change authorized categories for a user. 27
  28. 28. Userland tools (2/4) getenforce return status of SELinux. newrole change role, type or level. newrole -r system_r -t unconfined_t semanage change boolean settings, change roles and levels for SELinux users, change context of a file persistently (restorecon) semanage fcontext -a -t user_home_t /tmp/osman semodule insert, delete and list SELinux policy modules on the running system. 28
  29. 29. Userland tools (3/4) setenforce modify the mode. seinfo policy query tool. setsebool set the state of an SELinux boolean either temporarily or persistently. sestatus status tool. 29
  30. 30. Userland tools (4/4) restorecon, restorecond* restores default context of a file. customizable types [wct] context is not reset during a standard relabel operation. # cat /etc/selinux/targeted/contexts/customizable_types runcon change context of a program when started (temporary) runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash run_init [gs] start services in the correct domain run_init /etc/init.d/ssh start 30
  31. 31. Performance (1/1) Hard to measure. Overhead app~ 7% for completely untuned code. [faq] [ffq] 31
  32. 32. License (1/1) GNU General Public License (GPL) [sel] 32
  33. 33. SELinux demo on Fedora (1/1) 33
  34. 34. Questions about SELinux (1/1) Can I use SELinux with grsecurity (and PaX)? Yes, even recommended. However grsecurity’s ACL support is not used together w/ SELinux. [gfq] If root user can change, for example booleans, how is selinux more secure than DAC of linux? i.e. setsebool -P allow_execheap on/off We don't need to have conditional policy. If we do, the enabled/disabled rules are defined in the policy. DAC doesn't have predefined conditions like that. Can we write a policy that doesn’t allow setenforce? Yes, moreover we can even compile the kernel so permissive mode is disabled no matter what the policy says. 34
  35. 35. References (1/2) [faq] http://www.crypt.gen.nz/selinux/faq.html [gse] https://github.com/SELinuxProject/selinux [gs] http://selinuxproject.org/page/Guide/Services [rpp] https://github.com/TresysTechnology/… [ocp] http://selinuxproject.org/page/ObjectCl… [pdr] http://selinuxproject.org/page/Permissi… [sqp] http://www.cs.virginia.edu/~jcg8f/SELi… 35
  36. 36. References (2/2) [sel] https://www.nsa.gov/research/selinux/l... [ual] http://wiki.gentoo.org/wiki/SELinux/Use... [wct] http://wiki.gentoo.org/wiki/SELinux/Tuto... [gfq] http://wiki.gentoo.org/wiki/SELinux/FAQ [ffq] http://docs.fedoraproject.org/en-US/Fed… [use] http://www.fosteringlinux.com/category/… [nb4] http://taiga.selinuxproject.org/~rhaines/ [mls] http://selinuxproject.org/page/MLSStat... 36

×