Security-Enhanced Linux

1
Security-Enhanced Linux
2
References

• Implementation of Security-Enhanced Linux by Yue
  Cui, Xiang Sha, Li Song
• Security Enhanced Linux by David Quigley (Fedora)
• Security-Enhanced Linux by Joseph A LaConte

3
Background

• Security-Enhanced Linux is a NSA (National
  Security Agency) backed research project.
• Goals
• Promote Security Research
• Address OS Security
• Demonstrate MAC (Mandatory Access Controls)
  through Type Enforcement technology in a
  mainstream os
• Note SELinux project is not intended as a
  complete security solution for Linux

4
SELinux Background

• 1985 LOCK system(early Type Enforcement)
• Secure Ada project through Honeywell
• 1990 DTMach / DTOS
• DTMach Mach-based prototype
• DTOS (Distributed Trusted Operating
  System)
• 1995 Utah Fluke / Flask
• Fluke - University of Utah's research operating
  system
• 1999 2.2 Linux Kernel (patch)
• 2001 2.4 Linux Kernel (patch)
• 2002 LSM
• 2003 2.6 Linux Kernel (mainline)
• 2006 Full network labeling

5
Why Linux?

• Linux is an open source project with many
  developers therefore
• Provides an opportunity for more research.
• Allows application/testing in a mainstream os.
• Improves security in an existing os.

6
SELinux

• Security-Enhanced Linux (SELinux)
• Uses the Linux Security Modules (LSM) framework
  to implement flexible Mandatory Access Control
  (MAC) in the Linux kernel.
• Restricts privileges of user programs and system
  servers using security labels and an
  administratively-defined policy.

7
MAC versus DAC

• Discretionary Access Control (DAC) is the
  standard security model for Linux. In this
  model, access privileges are based on the user
  identity and object ownership.
• Mandatory Access Control (MAC) limits privileges
  for subjects (processes) and objects (file,
  socket, device, etc).
• Please note SELinux does not change any existing
  security in the Linux environment rather,
  SELinux extends the security model to include
  Mandatory Access Control (i.e. both MAC and DAC
  are enforced in the SELinux environment).

8
SELinux vs. traditional Linux

• SELinux enforces MAC policies that confine user
  programs and system servers to the minimum amount
  of privilege they require to do their jobs
• The ability of these user programs and system
  daemons to cause harm when compromised(via buffer
  overflow for example) is reduced or eliminated.

9
SELinux vs. traditional Linux

• The confinement mechanism operates independently
  of the traditional Linux access control
  mechanisms
• It has no concept of a root super-user, and
  does not share the well-known shortcomings of the
  traditional Linux security mechanisms(such as a
  dependence on setuid/setgid binaries)

10
SELinux vs. traditional Linux

• The security of traditional Linux
• Depends on the correctness of the kernel, all the
  privileged applications, and each of their
  configurations
• A problem in any one of these areas may allow the
  compromise of the entire system
• The security of SELinux
• Depends on the correctness of the kernel and its
  security policy configuration
• While problems may allow the limited compromise
  of individual user programs and system daemons,
  they do not pose a threat to the security of
  other user programs and system daemons or to the
  security of the system as a whole

11
Security-Enhanced Linux

• Security Policies are implemented using
• Type Enforcement (TE)
• (introduced in 1985 by Boebert and Kain)
• Role-based access control (RBAC)
• Multi-level Security

12
Security Model in SELinux

• Type Enforcement (TE) model
• Provides fine-grained control over processes and
  objects in the system
• Role-Based Access Control (RBAC) model
• Provides a higher level of abstraction to
  simplify user management

13
TE model

• Traditional TE model
• Binds a security attribute called a domain to
  each process and a type to each object
• Treats all processes in the same domain
  identically and all objects that have the same
  type identically
• A pair of access matrices specify how domains can
  access types and how domains can interact with
  other domains
• Each user is authorized to operate in certain
  domains

14
TE model

• SELinux TE model
• Uses a single type attribute in the security
  context for both processes and objects
• A domain is simply a type that can be associated
  with a process.
• Uses the security class information provided by
  the Flask architecture
• Security classes can distinguish objects of the
  same type.
• Does not directly associate users with domains
  uses RBAC model to provide an additional layer of
  abstraction between users and domains

15
Type Enforcement

• Object(s) items in a system that are acted upon
  (files, IPC, sockets, etc.)
• Subject(s) process that are requesting access to
  an object
• All Objects and Subjects contain a security
  context
• Security Context(s) are composed of four parts
• All Security Context components are checked
  against the policy to see if access is allowed.
• Type is the base component while role and user
  are used to further restrict type enforcement

16
Security Contexts

• system_uobject_rpasswd_exec_ts0c0.c2-s2c0.c1

userroletypesensitivitycategory,-sensitivi
tycategory,
17
TE Access Control
allow user_t bin_t file read execute write
getattr setattr

• Source type(s) The domain type of the process
  accessing the object
• Target type(s) The type of the object being
  accessed by the process
• Object class(es) The class of object to permit
  access to
• Permission(s) The kind of access permitted for
  the indicated object class

18
Domain Transitions

• Analogous to SetUID programs
• Joe running as user_t (untrusted user) needs to
  change his password. How does Joe change his
  password?
• allow user_t passwd_exec_t file getattr
  execute
• allow passwd_t passwd_exec_t file entrypoint
• allow user_t passwd_t process transition
• What does this solve? Restricts trusted domain
  passwd_t and allows user_t to transition to it.
• Implicit domain transitions provided via
  type_transition.

19
Users Roles

• First and second component of a security context
• SELinux usernames and DAC usernames are not
  synonymous
• Semanage is used to maintain mappings of DAC to
  SELinux usernames.
• Roles are collections of types geared towards a
  purpose
• Roles can be used to further restrict actions on
  the system
• SELinux usernames are granted roles in the system

20
Role-Based Access Control

• Each user gets a set of roles
• Each role is assigned a set of TE domains.
• Note users are not identified by Linux uids
  instead a user identity attribute is used in the
  security context.

21
RBAC model

• Traditional RBAC model
• authorizes users to act in certain roles and
  assigns a set of permissions to each role
• SELinux RBAC model
• authorizes each user for a set of roles, each
  role for a set of TE domains
• maintains a role attribute in the security
  context of each process

22
Policies

• Configuration consists of
• Flask definitions
• TE and RBAC declarations and rules
• User declarations
• Constraint definitions
• Security context specifications.

23
Policies

• TE Statements
• Attribute Declarations
• Type Declarations
• TE Transition Rules
• TE Change Rules
• TE Access Vector Rules
• TE Access Vector Assertions
• Type Member Rules

• RBAC Statements
• Role Declarations and Dominance
• Role Allow Rules
• Role Transition Rules

24
Policies
Syntax for TE and RBAC declarations
Syntax for type declarations
Smally, Stephen January 2003.
25
Policies
Bleher, Thomas November 30, 2004
26
Limitations

• Performance Overhead approximately 7.
• Complexity requires in-depth knowledge of the
  operating system, the security policies, and the
  operating environment.
• Maintenance policy fine-tuning, changes
  required for changes to the system.

27
Benefit of SELinux

• The SELinuxs new features are
• designed to
• Enforce the separation of information based on
  confidentiality and integrity requirements
• Prevent processes from
• reading data and programs,
• tampering with data and programs,
• executing untrustworthy programs, or
• interfering with other processes in violation of
  the system security policy

28
MLS

• MLS portion of Security Context is composed of 4
  parts
• Low/High
• Sensitivity/Category
• Includes syntax to define dominance of security
  levels
• Subjects with range of levels considered trusted
  subjects
• Implements a variation of Bell-La Padula

29
Linux Security Modules (LSM)

• Kernel framework for security modules
• Provides a set of hooks to implement further
  security checks
• Usually placed after existing DAC checks and
  before resource access
• Implications? SELinux check is not called if the
  DAC fails
• Makes auditing difficult at times.

30
(No Transcript)
31
SELinux LSM Module
Policy Management Interface
User Space
Kernel Space
Selinux Filesystem
Access Vector Cache
Security Server (Policy Rules and Access Decision
Logic)
Various Kernel Object Managers
Cache Miss
LSM Hooks
Yes or No?
SELinux LSM Module
Figure taken from SELinux by Example
32
Userspace Object Managers
User-Space Object Manager
Allow access?
Access Vector Cache
Yes or No?
libselinux
Policy Management Interface
User Space
Kernel Space
Selinux Filesystem
Access Vector Cache
Security Server (Policy Rules and Access Decision
Logic)
Cache Miss
Yes or No?
Figure taken from SELinux by Example
33
Policy Server
User-Space Object Manager
Policy Management Interface
Load User Policy
User-Space Security Server
Policy Management Server
Cache Miss?
Access Vector Cache
Yes or No?
libselinux
Policy Server
User Space
Kernel Space
Selinux Filesystem
Access Vector Cache
Security Server (Policy Rules and Access Decision
Logic)
Cache Miss
Yes or No?
Figure taken from SELinux by Example
34
Policy Language
Policy Source Modules
Checkpolicy
policy.conf
Classes and Permissions
Type Enforcement Statements (Types, TE
Rules, Roles, Users)
Binary Policy File
Make, Scripts, M4, and so on
load_policy
Kernel Space
Selinux Filesystem
Constraints
Resource labeling Specifications
Access Vector Cache
Security Server (Policy Rules and Access Decision
Logic)
Cache Miss
Yes or No?
SELinux LSM Module
Figure taken from SELinux by Example
35
Object Classes

• Represents resources of a certain kind
• Policy must include declarations for all object
  classes
• Classes
• File related (blk_file, chr_file, dir, fd )
• Network related (socket, packet_socket,
  rawip_socket, )
• IPC related (ipc, msg, msgq, sem, shm)
• Misc Classes (capability, process, security,
  system)

36
Permissions

• Specific to a particular Object Class
• Includes traditional Linux permissions
• Extends existing permissions to be finer grained
• Includes SELinux specific permissions for
  labeling

37
Type Enforcement

• Several major keywords
• type
• attribute
• typeattribute
• typealias
• allow
• dontaudit
• auditallow
• neverallow

38
Type Enforcement
attribute file_type attribute httpdcontent The
se two statements... type httpd_user_content_t ty
peattribute httpd_user_content_t file_type,
httpdcontent are equivalent to this one type
httpd_user_content_t, file_type,
httpdcontent These two statements... type
mozilla_t, domain typealias mozilla_t alias
netscape_t are equivalent to this one type
mozilla_t alias netscape_t, domain
39
Type Enforcement
rule_name src_type_set target_type_set
class_set perm_set valid allow user_t bin_t
file read getattr allow user_t bin_t dir
read getattr search invalid since file
does not have a search permission allow user_t
bin_t file dir read getattr search
dont audit when this access is
denied dontaudit httpd_t etc_t dir search
audit when this access is allowed by default
allowed access is not audited auditallow domain
shadow_t file write This statement may
never be allowed by any rule neverallow user_t
shadow_t file write allow user_t bin_t
file dir allow user_t bin_t file write
setattr ioctl
40
Type Enforcement

• Type Transitions
• type_transition
• type_change
• These two statements...
• type_transition user_t passwd_exec_t process
  passwd_t
• type_transition sysadm_t passwd_exec_t process
  passwd_t
• are equivalent to this one
• type_transition user_t sysadm_t process
  passwd_t
• This domain transition rule
• type_transition init_t apache_exec_t process
  apache_t
• would require at least the follow 3 allow rules
  to succeed
• allow init_t apache_exec_t file execute
• allow init_t apache_t process transition
• allow apache_t apache_exec_t file entrypoint

41
RBAC

• Adds 2 components to security context
• user
• role
• Adds 3 policy language keywords
• allow (different than AVC allow)
• role_transition (similar to type_transition)
• dominance

42
RBAC Example
valid security context joeuser_rpasswd_t role
user_r assigned to user joe user joe roles
user_r equivalent to this one role user_r
types user_t passwd_t allow staff_r
sysadm_r role_transition sysadm_r http_exec_t
system_r super_r inherits all types from
sysadm_r and secadm_r dominance role super_r
role sysadm_r role secadm_r
43
Multilevel Security

• Policy Declares Levels and categories
• applies constraints on objects and permissions
  with MLS dominance keywords
• , !, eq, dom, domby, incomp
• mlsconstrain file create relabelto l2 eq h2
  
• mlsvalidatetrans transitions between levels
• Still requires a lot of work

44
Conditional Policies

• Allows enabling/disabling portions of policy
• Booleans define in policy
• Logical operations allowed
• !
• !
• Does not support nested conditionals
• Booleans modified through special applications or
  SELinuxfs

45
Configuration for running insmod

• Figure 4 shows a portion of the policy
  configuration that allows the administrator
  domain (sysadm_t) to run the insmod program to
  insert kernel modules.
• The insmod program is labeled with the
  insmod_exec_t type and runs in the insmod_t
  domain.

46
Figure 4 Configuration for running insmod
47
Configuration for running insmod

• allow sysadm_t insmod_exec_t file x_file_perms
• allows the sysadm_t domain to run the insmod
  program.
• allow sysadm_t insmod_t process transition
• allows the sysadm_t domain to transition to the
  insmod_t domain.
• allow insmod_t insmod_exec_t process
  entrypoint, execute
• allows the insmod_t domain to be entered by the
  insmod program and to execute code from this
  program.

48
Configuration for running insmod

• allow insmod_t sysadm_t fd inherit_fd_perms
• allows the insmod_t domain to inherit and use
  file descriptors from the sysadm_t domain.
• allow insmod_t self capability sys_module
• allows the insmod_t domain to use the
  CAP_SYS_MODULE capability.
• allow insmod_t sysadm_t process sigchild
• allows the insmod_t domain to send the SIGCHLD
  signal to sysadm_t when it exits.

49
Reference Policy

• Maintained by NSA and FC Mailing Lists
• Compiles into three versions
• Strict, Targeted, MLS
• Stats
• Version .18
• Object Classes 55
• Common Permissions 3, Permission 205
• Types 1589
• allow 372755, auditallow 12, dontaudit 238663
• type_transition 2657, type_change 68
• roles 6, RBAC allow 6, role_transition 97, users
  3
• bools 70

50
(No Transcript)
51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54
(No Transcript)
55
(No Transcript)
56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
(No Transcript)
61
(No Transcript)
62
(No Transcript)
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
(No Transcript)
68
(No Transcript)
69
Components

• checkpolicy
• libselinux
• libsemanage
• libsepol
• policycoreutils

70
(No Transcript)
71
libselinux

• Used by SELinux aware applications
• Houses user space AVC
• Contains functions to
• calculate AVCs
• get/set/create contexts
• query policy engine

72
libsemanage

• Used to query and configure state of a running
  system
• Provides functions to query/modify
• login names
• users
• network ports/interfaces
• file contexts
• level translations
• roles
• etc.

73
(No Transcript)
74
SELinuxfs

• Interface between userspace and kernel
• Used by libselinux and libsemanage to communicate
  requests with the kernel
• Provides a quick and easy interface for humans
• Usually not used directly from programs

75
policycoreutils

• SELinux Management and policy analysis tools
• audit2allow
• audit2why
• load_policy
• newrole
• restorecon
• semanage
• semodule
• sestatus
• setbool
• etc...

76
Distributions

• Fedora Core 3 and later
• Debian
• Gentoo
• SuSe
• SE-BSD
• SE-MACH

77
Installation

• Where to get the copy?
• Free download from
• http//www.nsa.gov/selinux/
• Components of SELinux Distribution
• Patches to the Linux kernel (based on kernel
  2.4.18)
• Patches to a number of standard tools and
  utilities, support files, and documentation

78
Installation

• Need to have an existing Redhat Linux
• Redhat 7.2 or later will be better
• SELinux does not provide a modified xdm/gdm/kdm
  to set the security context for the user session
• Environment we use
• Redhat 7.3

79
Installation

• Download the installation package
• (lsm-2.4-selinux-2002053110.tgz)
• Unzip the file, we got two folders
• /lsm2.4 and /selinux
• The quick installation steps are as followings

80
Installation

• Edit policy/users for your users
• Be sure to authorize at least one user for the
  system administrator role (sysadm_r)
• Edit the default_context and cron_context files
  in utils/appconfig for your users
• security context has the syntax userroledomain
  or userroletype
• e.g. rootsysadm_rsysadm_t or rootuser_ruser_t

81
Installation

• Edit policy/file_contexts/ types.fc,program/.fc
  for your site
• Check the pathnames against your file system
  layout
• Ensure that your current configuration is not set
  up to run an X Display Manager (xdm, gdm, kdm)
• he default runlevel specified in
• /etc/inittab should be runlevel 3 (Full multiuser
  mode)

82
Installation

• Perform the quick install
• make quickinstall
• When the kernel configuration menu is displayed,
  configure the kernel for your hardware as
  appropriate
• Configure your boot manager to boot the SELinux
  kernel
• e.g. if you use the LILO boot manager, configure
  /etc/lilo.conf, and run /sbin/lilo

83
Installation

• Boot the SELinux kernel and login in the sysadm_r
  role and sysadm_t domain(e.g. using root)
• Run setfiles again to ensure that files created
  by the old kernel during the shutdown are
  properly labeled
• cd policy
• make relabel
• Add /usr/local/selinux/bin and /usr/local/selinux/
  sbin to your path for the modified utilities

84
Installation

• After installation, we can try the following
  commands to see if it is installed correctly
• ps -e --context
• The second column should show the security
  context of each process
• Has the syntax userroledomain or userroletype
• ls -- context /
• The fourth column should show the security
  context of each file or directory in /

85
Installation

• ps -e --context
• PID SID CONTEXT COMMAND
• 1 7 system_usystem_rinit_t init 3
• 2 7 system_rsystem_rinit_t keventd
• ...
• 855 245 system_usystem_rlocal_login_t login
  --root
• 856 244 system_usystem_rgetty_t /sbin/mingetty
  tty2
• 857 244 system_usystem_rgetty_t /sbin/mingetty
  tty3
• 858 244 system_usystem_rgetty_t /sbin/mingetty
  tty4
• 859 244 system_usystem_rgetty_t /sbin/mingetty
  tty5
• 860 244 system_usystem_rgetty_t /sbin/mingetty
  tty6
• 863 246 rootsysadm_rsysadm_t -bash
• 910 246 rootsysadm_rsysadm_t ps -e --context

86
Installation

• ls -- context /
• drwxr-xr-x root root system_uobject_rbin_t b
  in
• drwxr-xr-x root root system_uobject_rboot_t
  boot
• drwxr-xr-x root root system_uobject_rdevice_t
  dev
• drwxr-xr-x root root system_uobject_retc_t e
  tc
• drwxr-xr-x root root system_uobject_ruser_hom
  e_t home
• drwxr-xr-x root root system_uobject_rfile_t
  initrd
• drwxr-xr-x root root system_uobject_rlib_t l
  ib
• drwxr-xr-x root root system_uobject_rlost_fou
  nd_t lostfound
• drwxr-xr-x root root system_uobject_rfile_t
  misc
• drwxr-xr-x root root system_uobject_rfile_t
  mnt
• drwxr-xr-x root root system_uobject_rfile_t
  opt
• dr-xr-xr-x root root system_uobject_rproc_t
  proc
• drwxr-x--- root root system_uobject_rsysadm_hom
  e_t root
• drwxr-xr-x root root system_uobject_rsbin_t
  sbin
• drwxrwxrwx root root system_uobject_rtmp_t tmp
  
• drwxr-xr-x root root system_uobject_rusr_t u
  sr
• drwxr-xr-x root root system_uobject_rvar_t v
  ar

87
Customizing the policy

• What we can do
• Adding users
• Adding permissions
• Adding programs to an existing domain
• Creating a new domain
• Creating a new type
• Creating a new role

88
Customizing the policy

• Adding users
• If we want to add a user steve to the system who
  should be authorized for both the user_r and
  sysadm_r roles
• Add an entry to the policy/users files
• user steve roles user_r sysadm_r
• Run make load to reload the policy

89
Customizing the policy

• Adding programs to an existing domain
• Locate an appropriate domain by
• examining the existing programs domains under
  policy/domains/program
• examining how existing programs are associated
  with the executable types for those domains in
  policy/file_contexts/program
• Relabel the program by
• make relabel

90
Customizing the policy

• Creating a new role
• Create a new domain to be used as the initial
  login domain for the role
• Define role declaration in policy/rbac
• Reload the policy
• make load
• Add an entry for the role in
• /etc/security/default_type

91
References

• SELinux installation help
• Stephen Smalley, Configuring the SELinux
  Policy, 2002
• Stephen Smalley and Timothy Fraser, A Security
  Policy Configuration for the Security-Enhanced
  Linux, 2001
• http//www.nsa.gov/selinux

92
References

• National Security Agency. Security Enhanced
  Linux, December 8, 2004. http//www.nsa.gov/selinu
  x/index.cfm
• Thompson, Kerry. The UnOfficial SELinux FAQ, June
  15, 2004. http//www.crypt.gen.nz/selinux/faq.html
  
• Wade, Karsten. Fedora Core 3 SELinux FAQ,
  November 9, 2004. http//fedora.redhat.com/docs/se
  linux-faq-fc3/index.html
• Smally, Stephen. Configuring the SELinux Policy,
  February 2002, revised January 2003. NAI Labs.
  ltURLhttp//www.nsa.gov/selinux/papers/policy2-abs
  .cfmgt
• Secure Computing Corporation. The Origin of
  Sidewinder G2 Firewall, December 8, 2004.
  http//www.securecomputing.com/index.cfm?skey1024
  

93
References

• OSDGroup LLC. Module 13 SELinux Overview,
  December 8, 2004. http//www.bradfordlearning.com/
  en/courseware/sample_chapters/se_linux_sample_chap
  ter.pdf
• SourceFORGE.net. SELinux Background, December 8,
  2004. http//selinux.sourceforge.net/background.ph
  p3
• Hallyn, Serge Edward. Domain and Type Enforcement
  in Linux. The College of William and Mary in
  Virginia. ltURLhttp//www.cs.wm.edu/kearns/disser
  tations.d/serge.pdfgt
• Bleher, Thomas. Source file domains/program/apach
  e.te (patch), November 30, 2004.
  ltURLhttp//www.cip.ifi.lmu.de/bleher/cgi-bin/arc
  hzoom.cgi/tbleher_at_gmx.de--selinux/policy--suse--0-
  -patch-12?loggt

94
More Information

• SELinux Homepage www.nsa.gov/selinux
• SELinux Mailing list http//www.nsa.gov/selinux/i
  nfo/list.cfm?MenuID41.1.1.9
• Redhat SELinux Mailing List http//www.redhat.com
  /mailman/listinfo/fedora-selinux-list
• Fedora SELinux Wiki http//fedoraproject.org/wiki
  /SELinux