Security Enhanced Linux: SELinux
Emre Can Kucukoglu, [email protected]
Research & Development Engineer, 05.02.2015

Security Enhanced Linux Overview

Outline
- What is SELinux
- What can SELinux do
- What can SELinux not do
- Why should SELinux be used
- Getting SELinux
- SELinux modes
- Basic concepts
- Linux user mapping
- Logging
- MLS and MCS
- SELinux policies
- Userland tools
- Performance
- License
- SELinux demo on Fedora
- Questions about SELinux
- References

What is SELinux (1/1)
- An internal firewall between programs.
- A Linux security module (LSM); others are SMACK, TOMOYO and AppArmor.
- Mandatory Access Control (MAC): the policy, not the owner of a file, decides which subjects can access which objects.
  - Subjects: processes (programs running on behalf of users).
  - Objects: files, devices, sockets, etc.

What can SELinux do (1/2)
- Prevents processes from
  - reading data and programs,
  - bypassing application security mechanisms,
  - executing untrustworthy programs,
  - interfering with other processes
  in violation of the system security policy.
- Confines the potential damage that a malicious or flawed program can cause: a compromised process can only do what the policy allows its domain to do, regardless of the Linux UID it runs under.

What can SELinux do (2/2)
- Type enforcement (TE): access decisions are made on the type field of the SELinux security context of the subject and the object.
- Role-based access control (RBAC): decides which types (domains) a process in a given role is allowed to have.
- Multi-level security (MLS): classification of data by sensitivity level and categories.

What can SELinux not do (1/1)
- Resource limits (CPU time, memory, number of processes) are outside the scope of an access control system.
- grsecurity, cgroups or PAM (pam_limits) are recommended for that.

Why should SELinux be used (1/1)
- In multifunctional systems, to separate functionalities so that a compromise of one does not reach the others:
  - e.g. a machine that is web server, mail server and DNS server at the same time,
  - e.g. an Arcelik smart TV: the money-transaction and the entertainment processes,
  - e.g. an Arcelik cash register (yazarkasa): the Aygaz app and the Yapi Kredi app.

Getting SELinux (1/5)
- SELinux support is already included in the mainline Linux 2.6 kernel available from kernel.org (and in every later kernel).

Getting SELinux (2/5)
SELinux-enabled Linux kernel, configuration options:
- CONFIG_SECURITY_SELINUX: NSA SELinux support.
- CONFIG_DEFAULT_SECURITY_SELINUX: make SELinux the default security module.
- CONFIG_SECURITY_SELINUX_AVC_STATS: collect access vector cache (AVC) statistics, exposed in /sys/fs/selinux/avc/cache_stats.
- CONFIG_SECURITY_SELINUX_BOOTPARAM: allows SELinux to be disabled at boot (selinux=0 on the kernel command line).
- CONFIG_SECURITY_SELINUX_DEVELOP: development support, needed to experiment with SELinux and develop policies; this is what makes permissive mode available at all.
- CONFIG_SECURITY_SELINUX_DISABLE: allows SELinux to be disabled at runtime, before a policy is loaded, via /sys/fs/selinux/disable. (This option was later deprecated and removed in Linux 6.4; selinux=0 on the command line is the remaining way to disable it.)

Getting SELinux (3/5)
SELinux userland packages [gse]:
- checkpolicy: policy compiler; uses libsepol.
- libselinux: library for security-aware applications; uses libsepol.
- libsemanage: library for policy management tools; uses libsepol and libselinux.

Getting SELinux (4/5)
SELinux userland packages [gse], continued:
- libsepol: library for binary policy manipulation; no dependency.
- policycoreutils: several policy-related utilities; uses libselinux, libsepol and libsemanage.
- sepolgen: Python library that forms the core of modern audit2allow.

Getting SELinux (5/5)
Policy: the SELinux reference policy project [rpp].

SELinux modes (1/2)
- Permissive: log warnings (AVC denials) instead of enforcing the policy. Requires CONFIG_SECURITY_SELINUX_DEVELOP. Extra: a single domain can be made permissive while the rest of the system stays enforcing (semanage permissive -a); see the permissive domain recipe [pdr].
- Enforcing: the security policy is enforced.
- Disabled: do not load a security policy. Requires CONFIG_SECURITY_SELINUX_BOOTPARAM; add selinux=0 to the kernel boot line.

SELinux modes (2/2)
Temporarily switch (until reboot):
# setenforce 1    /* Enforcing */
# setenforce 0    /* Permissive */

Permanently: edit /etc/selinux/config and set one of
SELINUX=enforcing
SELINUX=permissive
SELINUX=disabled

Or edit the kernel boot parameters (these override the configuration file):
enforcing=0    /* Permissive */
enforcing=1    /* Enforcing */
selinux=0      /* Disabled */

Note: after running with SELinux disabled, files created in the meantime carry no label, so going back to enforcing needs a full relabel (touch /.autorelabel and reboot) or the system will deny access to them.

Basic concepts (1/5)
Security context
- Every process and object has a context.
- Syntax: user:role:type[:range]. The MLS range is optional and present only if the policy supports MLS/MCS.
- Inherited from the parent process (on fork) or from the parent file/directory (on creation), unless a type transition rule says otherwise.
Users
- Different from Linux users: a SELinux user does not change during a user session, whereas the Linux user might change via su or sudo.
- Suffix *_u, e.g. user_u.
- Associated with one or more roles that the SELinux user is allowed to use.

Basic concepts (2/5)
Roles
- A SELinux user may be allowed to take on one or more roles.
- Suffix *_r, e.g. user_r.
- Associated with one or more types (domains) that a process in that role is allowed to run in.
Types
- Determine access permissions; the type is the field that type enforcement rules are written against.
- Suffix *_t, e.g. music_t.
- Associated with processes (then called domains) or objects.
Attributes
- Group types with similar properties, so that one rule can refer to many types at once.

Basic concepts (3/5)
Ranges
- Security level; only if the policy supports MCS/MLS.
Object classes
- Categories of objects:
# ls /sys/fs/selinux/class
- Each class has its own set of permissions [ocp]:
# ls /sys/fs/selinux/class/tcp_socket/perms/
Rules
- Specified using the type of the process (source), the type of the object (target), the object class and the permissions:
e.g. allow user_t user_home_t:file { create read write };
- Anything that is not explicitly allowed is denied.

Basic concepts (4/5)
Booleans
- Used to enable or disable parts of the policy (conditional rules) at runtime, without rebuilding it.
# getsebool -a
# sesearch -b user_dmesg -AC
ET allow user_t kernel_t : system syslog_read ; [ user_dmesg ]
- The rule is in effect only if the corresponding boolean is true (T), and the boolean is currently enabled (E).
Constraints
- Restrict the circumstances under which an operation is allowed; circumstances that do not match are disallowed, even if a type enforcement rule allows the operation.
# seinfo --constrain
e.g. constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity );

Basic concepts (5/5)
Type transition
- For objects (files): the type a newly created object gets, instead of inheriting the type of its parent directory:
# sesearch -T
type_transition [creating subject type] [parent object type] : [class of the new object] [new object type];
- For subjects (processes): the domain a process enters when it executes a program:
# pstree -Z
# sesearch -T -c process
type_transition [parent process type] [type of the executable file] : process [new type of the process];
- A domain transition additionally requires three allow rules: execute on the file for the old domain, transition to the new domain, and entrypoint into the new domain from the file's type.
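To make the rules, booleans and type transitions of the last three slides concrete, here is an added example (not code from the presentation and not a real policy): a toy type-enforcement evaluator in Python that expands attributes, honours boolean-gated rules, labels new objects with type_transition, and checks the three permissions a domain transition needs. The rule set loaded by build_policy() is constructed for illustration; the type names mirror the deck's examples (user_t, user_home_t, kernel_t, user_dmesg) plus a made-up sshd transition.

```python
"""Toy SELinux type-enforcement decision engine (added example, not from the deck).

Models: allow rules over types and attributes, conditional rules gated by a
boolean, type_transition for new files, and domain transitions for processes.
The policy built below is constructed for illustration only."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AllowRule:
    source: str                  # type or attribute of the subject (process)
    target: str                  # type or attribute of the object
    tclass: str                  # object class, e.g. "file", "process", "system"
    perms: FrozenSet[str]        # permissions granted
    boolean: Optional[str] = None  # conditional rule: the gating boolean ...
    when: bool = True              # ... and the value it must have


class Policy:
    def __init__(self) -> None:
        self.attributes: Dict[str, Set[str]] = {}   # attribute -> member types
        self.booleans: Dict[str, bool] = {}         # boolean -> current value
        self.rules: List[AllowRule] = []
        self.transitions: Dict[Tuple[str, str, str], str] = {}

    def typeattribute(self, type_: str, *attrs: str) -> None:
        for attr in attrs:
            self.attributes.setdefault(attr, set()).add(type_)

    def members(self, name: str) -> Set[str]:
        # An attribute expands to all its types; a plain type is just itself.
        return self.attributes.get(name, {name})

    def allow(self, source, target, tclass, perms, boolean=None, when=True):
        self.rules.append(AllowRule(source, target, tclass, frozenset(perms), boolean, when))

    def type_transition(self, source, target, tclass, new_type):
        self.transitions[(source, target, tclass)] = new_type

    def av_decision(self, stype: str, ttype: str, tclass: str, perm: str) -> bool:
        """True if some applicable allow rule grants perm; the default is deny."""
        for r in self.rules:
            if r.tclass != tclass or perm not in r.perms:
                continue
            if stype not in self.members(r.source) or ttype not in self.members(r.target):
                continue
            if r.boolean is not None and self.booleans.get(r.boolean, False) != r.when:
                continue  # conditional rule whose boolean is in the wrong state
            return True
        return False

    def new_object_type(self, creator: str, parent: str, tclass: str) -> str:
        """Label of a new object: the type_transition target if one matches,
        otherwise the parent's type is inherited."""
        return self.transitions.get((creator, parent, tclass), parent)

    def domain_transition(self, domain: str, exec_type: str) -> Optional[str]:
        """Domain entered when executing a file of exec_type, or None if the
        transition is missing or one of execute/transition/entrypoint is not allowed."""
        new = self.transitions.get((domain, exec_type, "process"))
        if new is None:
            return None
        ok = (self.av_decision(domain, exec_type, "file", "execute")
              and self.av_decision(domain, new, "process", "transition")
              and self.av_decision(new, exec_type, "file", "entrypoint"))
        return new if ok else None


def build_policy() -> Policy:
    """Constructed illustration policy; not a real distribution policy."""
    p = Policy()
    p.typeattribute("user_home_t", "files_type")
    p.typeattribute("tmp_t", "files_type")
    p.allow("user_t", "user_home_t", "file", {"create", "read", "write"})
    p.allow("user_t", "tmp_t", "dir", {"read", "search", "write", "add_name"})
    p.type_transition("user_t", "tmp_t", "file", "user_tmp_t")
    # if (user_dmesg) { allow user_t kernel_t:system syslog_read; }
    p.allow("user_t", "kernel_t", "system", {"syslog_read"}, boolean="user_dmesg")
    # Domain transition init_t -> sshd_t via sshd_exec_t (hypothetical names).
    p.allow("init_t", "sshd_exec_t", "file", {"execute"})
    p.allow("init_t", "sshd_t", "process", {"transition"})
    p.allow("sshd_t", "sshd_exec_t", "file", {"entrypoint"})
    p.type_transition("init_t", "sshd_exec_t", "process", "sshd_t")
    # A rule written against an attribute covers every member type.
    p.allow("sysadm_t", "files_type", "file", {"getattr", "relabelfrom"})
    return p


if __name__ == "__main__":
    p = build_policy()
    print("user_t read user_home_t:", p.av_decision("user_t", "user_home_t", "file", "read"))
    print("syslog_read with boolean off:", p.av_decision("user_t", "kernel_t", "system", "syslog_read"))
    p.booleans["user_dmesg"] = True
    print("syslog_read with boolean on:", p.av_decision("user_t", "kernel_t", "system", "syslog_read"))
    print("new file in tmp_t gets:", p.new_object_type("user_t", "tmp_t", "file"))
    print("init_t executing sshd_exec_t enters:", p.domain_transition("init_t", "sshd_exec_t"))
```

The real kernel does the same lookups against a compiled policy through the access vector cache; what this toy shows is that a denial can come from a missing rule, from a boolean in the wrong state, or, for a domain transition, from any one of three separate permissions being absent, which is why audit2why distinguishes these causes.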

Linux user mapping (1/1)
- A Linux user is mapped to exactly one SELinux user [ual].
- Multiple Linux users can be mapped to the same SELinux user.
# semanage login -l
# semanage login -a -s staff_u emrecan

Logging (1/1)
- Denials are logged in the audit subsystem, as AVC records in /var/log/audit/audit.log.
- Permissive mode generates more log messages: every access that would have been denied is logged, and the process carries on instead of failing at the first denial.
# cat /var/log/audit/audit.log | audit2allow -r

Multi-level security and MCS (1/2)
- Based on the Bell-LaPadula model: "no write down" and "no read up".
- Context syntax with a range:
user:role:type:sensitivity[:category,...]-sensitivity[:category,...]
               \________ LEVEL _________/ \________ LEVEL _________/
               \______________________ RANGE _______________________/
- Sensitivity: s0 is the lowest, s15 the maximum (in the policy used here).
- Category: optional, c0.c255 here; categories are unordered and unrelated "compartments". (The reference policy builds 1024 categories, c0.c1023, by default.) c0.c5 denotes the run c0 to c5, c0,c5 just those two.
- Level: combination of a sensitivity and a set of categories.
- Translated to human-readable form in setrans.conf, e.g. s0 = unclassified, s15 = top secret, c0 = finance, c100 = commercial, c255 = book.
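As an added example (not part of the presentation), the following Python parses security contexts with the range syntax above, implements level dominance, and decides reads and writes the Bell-LaPadula way, with a switch for the stricter equal-level behaviour discussed on the next slide. The contexts and levels used in it are constructed for illustration.

```python
"""Parse SELinux contexts with an MLS/MCS range and evaluate Bell-LaPadula
access on levels (added example, not from the deck; inputs are constructed)."""

from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Level:
    sensitivity: int             # s0 .. s15
    categories: FrozenSet[int]   # unordered set of compartments c0 .. cN


def parse_level(text: str) -> Level:
    """'s0', 's2:c1', 's0:c0.c5,c10' -> Level; 'cA.cB' is an inclusive run."""
    sens, _, cats = text.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity in {text!r}")
    members = set()
    for item in filter(None, cats.split(",")):
        lo, dot, hi = item.partition(".")
        for part in (lo, hi) if dot else (lo,):
            if not (part.startswith("c") and part[1:].isdigit()):
                raise ValueError(f"bad category in {text!r}")
        if dot:
            lo_n, hi_n = int(lo[1:]), int(hi[1:])
            if lo_n > hi_n:
                raise ValueError(f"descending category run in {text!r}")
            members.update(range(lo_n, hi_n + 1))
        else:
            members.add(int(lo[1:]))
    return Level(int(sens[1:]), frozenset(members))


def dominates(a: Level, b: Level) -> bool:
    """a dom b: a's sensitivity is >= b's and a's categories include all of b's."""
    return a.sensitivity >= b.sensitivity and b.categories <= a.categories


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level]    # current level of a process / the level of an object
    high: Optional[Level]   # clearance; equal to low for a single-level context


def parse_context(text: str) -> Context:
    """user:role:type[:low[-high]]; the range is everything after the third colon,
    so a level with categories (s0:c0.c255) does not confuse the field split."""
    fields = text.split(":", 3)
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"malformed context {text!r}")
    user, role, type_ = fields[:3]
    if len(fields) == 3:
        return Context(user, role, type_, None, None)   # policy without MLS/MCS
    low_text, _, high_text = fields[3].partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    if not dominates(high, low):
        raise ValueError(f"high level must dominate low level in {text!r}")
    return Context(user, role, type_, low, high)


def may_read(subject: Context, obj: Context) -> bool:
    """No read up: the subject's current level must dominate the object's level."""
    return dominates(subject.low, obj.low)


def may_write(subject: Context, obj: Context, equal_levels: bool = True) -> bool:
    """No write down: the object's level must dominate the subject's current level.
    equal_levels=True mirrors the reference policy's stricter default, which does
    not grant write-up either: subject and object levels must be the same."""
    if equal_levels:
        return subject.low == obj.low
    return dominates(obj.low, subject.low)


if __name__ == "__main__":
    # MCS style: same app, two users, disjoint categories -> no access either way.
    app_u1 = parse_context("system_u:system_r:app_t:s0:c1")
    file_u2 = parse_context("system_u:object_r:app_data_t:s0:c2")
    print("read other user's file:", may_read(app_u1, file_u2))          # False
    # MLS style: an s2 subject reading down to s1 and writing up to s3.
    staff = parse_context("staff_u:staff_r:staff_t:s2:c0.c3")
    doc_s1 = parse_context("staff_u:object_r:user_home_t:s1:c0.c3")
    doc_s3 = parse_context("staff_u:object_r:user_home_t:s3:c0.c3")
    print("read down:", may_read(staff, doc_s1), "read up:", may_read(staff, doc_s3))
    print("BLP write up:", may_write(staff, doc_s3, equal_levels=False),
          "refpolicy write up:", may_write(staff, doc_s3))
```

The parser rejects a range whose high level does not dominate its low level, which is the same check the kernel applies when a context with a bad range is written to a file or handed to runcon.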

Multi-level security and MCS (2/2)
- Use of MCS on Android: an app running on behalf of one user cannot read or write files created by the same app running on behalf of another user, because each user is given its own categories.
- In fact the MLS reference policy is stricter than plain Bell-LaPadula: it does not grant write-up, and for many object classes not read-down either; the default is to require equal levels on subject and object.

SELinux policies (1/3)
- Compiled into a binary format: smaller memory requirements, and the kernel never parses policy source.
- Type enforcement file (*.te): mandatory; declares the name and version of the module, then its types, rules, booleans, etc.
- File contexts file (*.fc): the default security contexts for the files created or used by the application the policy module is written for (applied with restorecon/setfiles).
- Interface file (*.if): macro definitions (interfaces) that other modules call to create type enforcement rules against this module's types.
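The logging slide above pipes audit.log into audit2allow, and this slide describes the .te module that comes out. The following added example (not the presentation's code and not audit2allow itself) does the same job in Python for the AVC records it understands: it parses the denials, aggregates them per (source type, target type, class), and renders a module with its require block. The audit lines in SAMPLE_AUDIT_LOG are constructed to look like Fedora's audit format; the module name "myhttpd" is made up. Loading such a module turns every logged denial into a permanent grant, so each generated rule should be reviewed first (for example, a boolean such as httpd_enable_homedirs may already cover the access, which is what audit2why reports).

```python
"""Turn AVC denial records into the allow rules and require block of a policy
module, as audit2allow does (added example; audit lines are constructed)."""

import re
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed sample records in the audit subsystem's format (not real logs).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1423128000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1423128000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/emrecan/public_html/index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1423128005.001:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1423128000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1423128009.500:459): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

RuleKey = Tuple[str, str, str]   # (source type, target type, object class)


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC record; returns None for other record types or truncated ones."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if any(key not in fields for key in ("scontext", "tcontext", "tclass")):
        return None   # do not guess at a record that lost its contexts
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],   # type is the third field
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",   # logged but not blocked
        "comm": fields.get("comm", "?"),
    }


def aggregate_denials(log_text: str) -> Dict[RuleKey, Set[str]]:
    """Collect denied permissions per (source type, target type, class)."""
    rules: Dict[RuleKey, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_module(name: str, rules: Dict[RuleKey, Set[str]], version: str = "1.0") -> str:
    """Emit .te source: module header, require block, one allow rule per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes: Dict[str, Set[str]] = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module("myhttpd", aggregate_denials(SAMPLE_AUDIT_LOG)))
```

The generated source would then go through checkmodule -M -m, semodule_package and semodule -i, exactly like the output of audit2allow -M. Records with permissive=1 are aggregated like the others because they are denials the policy would have enforced; only the verdict "granted" is skipped.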

SELinux policies (2/3)
Three steps to configure a policy for embedded devices:
1. obtain the reference policy,
2. remove the unnecessary rules (in practice a great many rules have to be removed),
3. add the necessary rules.

SELinux policies (3/3)
Reference policy project [rpp]
- The basis for creating other policies.
- Well written and good enough for PC distributions.
- Many build dependencies: checkpolicy, policycoreutils, libsepol, libsemanage, python.

Userland tools (1/4)
- id -Z, ls -Z, ps -Z, netstat -Z: display the context of the shell, a file, a process, a network connection.
- audit2allow: read SELinux denials and show the corresponding allow rules.
- audit2why: determine why a denial occurred (missing rule, boolean or constraint).
- chcon: change the context of a file (not persistent: lost on the next relabel):
chcon -t user_home_t /tmp/osman
- chcat: change the categories of a file, or the authorized categories of a user.

Userland tools (2/4)
- getenforce: return the current mode of SELinux.
- newrole: change the role, type or level of the current shell:
newrole -r system_r -t unconfined_t
- semanage: change boolean settings, change roles and levels of SELinux users, change the context of a file persistently (then apply it with restorecon):
semanage fcontext -a -t user_home_t /tmp/osman
- semodule: insert, delete and list SELinux policy modules on the running system.

Userland tools (3/4)
- setenforce: modify the mode.
- seinfo: policy query tool.
- setsebool: set the state of an SELinux boolean, either temporarily or persistently (-P).
- sestatus: status tool.

Userland tools (4/4)
- restorecon, restorecond: restore the default context of a file (from the file contexts database).
- Customizable types [wct]: their context is not reset during a standard relabel operation:
# cat /etc/selinux/targeted/contexts/customizable_types
- runcon: run a program in a given context (temporary, for that process only):
runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
- run_init [gs]: start services in the correct domain:
run_init /etc/init.d/ssh start

Performance (1/1)
- Hard to measure; the overhead is approximately 7% for completely untuned code. [faq] [ffq]

License (1/1)
GNU General Public License (GPL) [sel]

SELinux demo on Fedora (1/1)

Questions about SELinux (1/1)
Can I use SELinux with grsecurity (and PaX)?
- Yes, it is even recommended. However, grsecurity's own ACL system (RBAC) is not used together with SELinux. [gfq]
If the root user can change, for example, booleans, how is SELinux more secure than Linux DAC?
- i.e. setsebool -P allow_execheap on/off
- We do not need to have a conditional policy at all. If we do, the rules a boolean enables or disables are defined in the policy itself, so root can only choose between the alternatives the policy author wrote, and only if the policy grants root's domain the security:setbool permission. DAC has no predefined conditions like that: the owner of a file, or root, can grant any access at will.
Can we write a policy that does not allow setenforce?
- Yes: the policy simply does not grant the security:setenforce permission to any domain. Moreover, we can even compile the kernel without CONFIG_SECURITY_SELINUX_DEVELOP, so that permissive mode is unavailable no matter what the policy says.

References (1/2)
[faq] http://www.crypt.gen.nz/selinux/faq.html
[gse] https://github.com/SELinuxProject/selinux
[gs] http://selinuxproject.org/page/Guide/Services
[rpp] https://github.com/TresysTechnology/…
[ocp] http://selinuxproject.org/page/ObjectCl…
[pdr] http://selinuxproject.org/page/Permissi…
[sqp] http://www.cs.virginia.edu/~jcg8f/SELi…

References (2/2)
[sel] https://www.nsa.gov/research/selinux/l...
[ual] http://wiki.gentoo.org/wiki/SELinux/Use...
[wct] http://wiki.gentoo.org/wiki/SELinux/Tuto...
[gfq] http://wiki.gentoo.org/wiki/SELinux/FAQ
[ffq] http://docs.fedoraproject.org/en-US/Fed…
[use] http://www.fosteringlinux.com/category/…
[nb4] http://taiga.selinuxproject.org/~rhaines/
[mls] http://selinuxproject.org/page/MLSStat...