Introduction To SELinux


A general introduction to Security Enhanced Linux

1. An Introduction to SELinux
   - Rene Cunningham

2. Presentation Overview
   - SELinux Introduction
   - Access Control Mechanisms
   - SELinux Policy
   - SELinux Administration
   - SELinux in Action
   - SELinux Benefits

3. General Introduction
   - Security Enhanced
   - Released by the NSA on 22/12/2000
   - GPL License
   - Implements MAC based security policies
   - Shipped in RHEL, Fedora, Debian, OpenSuSE and SLES

4. Linux Specific
   - Merged into kernel 2.6.0-test3 on 08/08/2003
   - Supported in RHEL4 and RHEL5
   - Enablement in SLES11

5. Terminology :: Types
   - A type groups objects such as files and directories together based on their fundamental security sameness.

6. Terminology :: Types
   - httpd_sys_content_t: objects located in the /var/www directory
   - etc_t: the /etc directory

7. Terminology :: Domains
   - Every process runs in a domain, which directly determines what access to types the process has.

8. Terminology :: Domains
   - named_t: the named daemon
   - initrc_t: init scripts
   - unconfined_t: processes that are not explicitly confined within SELinux policy

9. Terminology :: Roles
   - Roles define which user or process can access what domain (processes) and what type (files, directories, device nodes).
   - Users and processes can transition to a new role in order to gain access to domains and types.
   - Rules that determine these transitions are defined within the SELinux Policy.

10. Terminology :: Roles
   - user_r: ordinary system users
   - sysadm_r: system administrators
   - system_r: every process starts off under the system_r role

11. Terminology :: Roles
   - Roles can force system accounts such as root into a lesser privileged role.
   - To transition to a role the newrole command is used:

        # newrole -r sysadm_r

12. Terminology :: Identity
   - Identities are applied to user accounts.
   - Generally a user's SELinux identity does not change.
   - Identities determine what roles users can enter.

13. Terminology :: Identity
   - user_u: generic unprivileged user identity
   - root: special root account

14. Terminology :: Security Context
   - Every process or object on a system has a security context applied to it.
   - The security context consists of three fields which are delimited by colons:

        identity:role:domain
        or
        identity:role:type

15. Terminology :: Security Context
   - system_u:system_r:httpd_t: the apache daemon
   - system_u:object_r:etc_t: /etc/passwd

16. Terminology :: Security Context
   - The security context can be displayed by passing the 'Z' argument to the ls, ps and id commands.

17. Type Enforcement
   - Application separation
   - Control 'super user' privileges
   - Principle of least privilege
   - Ability to control access to system calls
   - Domains and types

18. Role Based Access Control
   - Users are authorised for roles
   - Roles are authorised for domains and types
   - RBAC coupled with TE defines the SELinux security model

19. Access Control Mechanisms
   - The ability to permit or deny the use of a particular resource by a particular entity

20. Discretionary Access Control
   - Unix groups, permission bits and file system extended attributes.
   - The owner controls access to an object.

21. Discretionary Access Control
   - User root owns the /etc/passwd file.
   - Group root owns the /etc/passwd file.
   - The owner can read/write; group and everyone else can read the file.

        $ ls -la /etc/passwd
        -rw-r--r-- 1 root root 2505 2008-12-10 13:03 /etc/passwd

22. Mandatory Access Control
   - Central security policy.
   - Users are unable to modify the security policy.
   - The System Administrator can define just enough permissions for how processes access objects and other processes.

23. Mandatory Access Control
   - Security decisions first go through DAC and then MAC.
   - (Image courtesy of Graham White's blog post)

24. SELinux Policy
   - Defines, amongst other things, the rules that determine what access each domain has to each type.

25. SELinux Policy
   - Defines:
     - Types
     - Domains
     - Identities
     - Roles
     - Access and Transitions

26. SELinux Policy
   - SELinux policy is distributed as binary
   - Compile once and distribute many
   - RHEL5 introduced SELinux policy modules
   - 2 SELinux Policies are available in RHEL5: Strict and Targeted

27. SELinux Logs
   - audit daemon
   - Kernel options CONFIG_AUDIT and CONFIG_AUDITSYSCALL need to be enabled
   - /var/log/audit/audit.log

28. SELinux Violations

        type=AVC msg=audit(1230566507.214:106): avc: denied { write } for pid=1560 comm="mkdir" name="grep-2.5.1" dev=dm-0 ino=565574 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

   - The "write" operation was denied
   - The command "mkdir" raised the violation
   - Source context was "root:system_r:httpd_sys_script_t:s0"
   - Target context was "system_u:object_r:usr_t:s0"

29. Creating Policy
   - Obtain SELinux denials from the log file
   - audit2allow creates Type Enforcement allow rules
   - Compile with checkmodule
   - semodule_package will create the SELinux module package
   - Load the SELinux module package with semodule
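As an added example (not part of the original presentation), a small Python script that parses AVC denials like the one on slide 28 into the identity:role:type fields of slide 14 and renders the type-enforcement allow rule that audit2allow would propose in the slide 29 workflow. The audit lines embedded in it are constructed samples modelled on the slide's entry, not captured from a real system.

```python
import re

# Constructed sample audit.log excerpt: the first AVC line mirrors the denial on
# slide 28; the second is an invented name_connect denial for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1230566507.214:106): avc: denied { write } for pid=1560 comm="mkdir" name="grep-2.5.1" dev=dm-0 ino=565574 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1230566507.214:106): arch=40000003 syscall=39 success=no exit=-13 comm="mkdir"
type=AVC msg=audit(1230566510.001:107): avc: denied { name_connect } for pid=1561 comm="wget" scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

# Fields of an AVC denial record: permissions, command, source/target contexts, object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_context(ctx):
    """Split identity:role:type[:level]; slide 14 shows three fields, RHEL5 appends an MLS level."""
    parts = ctx.split(":", 3)
    fields = dict(zip(("identity", "role", "type"), parts[:3]))
    fields["level"] = parts[3] if len(parts) > 3 else None
    return fields


def parse_avc_denials(log_text):
    """Return one dict per AVC denial; SYSCALL and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        denial = match.groupdict()
        denial["perms"] = denial["perms"].split()
        denial["source"] = parse_context(denial["scontext"])
        denial["target"] = parse_context(denial["tcontext"])
        denials.append(denial)
    return denials


def allow_rule(denial):
    """Render the TE allow rule audit2allow proposes: allow <src type> <tgt type>:<class> <perms>;"""
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (denial["source"]["type"], denial["target"]["type"], denial["tclass"], perm_text)


if __name__ == "__main__":
    # Review each proposed rule before compiling it with checkmodule, packaging it with
    # semodule_package and loading it with semodule: the second rule would hand the CGI
    # domain exactly the network access the httpd_can_network_connect boolean exists to control.
    for d in parse_avc_denials(SAMPLE_AUDIT_LOG):
        print("%-6s denied %s for %s -> %s" % (d["comm"], d["perms"], d["source"]["type"], d["target"]["type"]))
        print("  " + allow_rule(d))
```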
30. Creating Policy

31. Listing SELinux Policy Modules

32. Enabling SELinux
   - enforcing=1 as a kernel boot parameter

33. Enabling SELinux
   - Set the SELINUX variable in /etc/sysconfig/selinux to enforcing
   - Run setenforce 1 during runtime

34. Disabling SELinux
   - To disable SELinux, put it into permissive mode.
   - Permissive mode will continue to log SELinux violations but will not enforce SELinux policy.
   - Security Contexts are still applied to the filesystem when in permissive mode.
   - Not a good idea to fully disable SELinux.

35. Relabeling a Filesystem
   - Relabeling a filesystem applies the SELinux security contexts to all objects on the filesystem.
   - Using fixfiles could render a system unstable.

36. Booleans
   - Booleans allow System Administrators to disable/enable optional SELinux policy during runtime.
   - Displayed with getsebool and enabled/disabled with setsebool:
     - httpd_can_network_connect
     - httpd_enable_homedirs
     - samba_enable_home_dirs

37. SELinux in Action
   - Attacker has got access to /var/www/cgi-bin/ through a vulnerable web application and uploaded a cgi-bin script called cracker.

38. SELinux in Action
   - Attack on a server without SELinux
   - Attacker opens the cracker cgi-bin script in a web browser, executing the cgi-bin script, which downloads the script and executes it.

39. SELinux in Action
   - The same attack on a server with SELinux
   - Access to the /sbin/ip command is denied

40. SELinux in Action
   - What do the SELinux audit logs tell us about the attempted attack?

41. SELinux in Action
   - Same scenario but with the SELinux boolean httpd_can_network_connect set to 0.

42. SELinux in Action
   - What do the SELinux audit logs tell us about the attempted attack?

43. SELinux Benefits
   - Ability to confine services
   - Auditing logs for reporting
   - Application debugging
   - Provide fine grained access control
   - Strengthen the security of the servers IBM deploys

44. Resources

45. End Of Presentation
   - What's next?
   - What can I do?
   - Thanks for your time and attention!