%include "default.mgp"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%size 7, font "standard", fore "black", vgap 20, back "white"
SE Linux Concepts
%center
%size 4
Russell Coker
http://etbe.coker.com.au/ My Blog
%left
I prefer an interactive format for my presentations, please ask questions at any time.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
What is SE Linux?

A system for Mandatory Access Control (MAC)

Uses features of role-based and domain-type access control, and MLS

Removes the power of UID 0, I have run several machines on the Internet with root as the guest account

Deny by default when writing policy
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
SE Linux Support

SE Linux in Red Hat since Fedora Core 2, Red Hat Enterprise Linux 4, and CentOS 4

Modular SE Linux support (with MLS as an option) since Fedora Core 5, RHEL 5, and CentOS 5

SE Linux support included in Debian since the release of Etch

More complete SE Linux support planned for Debian/Lenny (including usable strict policy and MLS)

Gentoo has had SE Linux support for years

Ubuntu SE Linux support is a work in progress
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
What is wrong with Unix security?

Programs have full control over the access given to files they create (DAC)

Therefore there is no protection against malicious software, "social engineering", or bugs in privileged software which may result in the software granting inappropriate access to files (e.g. creating a mode 777 file in /tmp)

Too coarse grained - root vs non-root gives a boolean security model for many cases

The security model does not allow tracking of identity across a change of UID
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Benefits of SE Linux

Deny by default. When writing policy, everything that is not explicitly permitted is denied.

Access is by type, not file name. Renaming a file does not change the access that is granted to it. When you have a hard-link to a file both names have the same level of access.

Several levels of protection: "targeted" is easy to use (default on RHEL, CentOS and Fedora), "strict" offers more protection, and "MLS" strongly compartmentalises data to prevent all inappropriate communication between levels.

MLS policy is part of Common Criteria certified configurations from HP and IBM

Policy changes don't require changes to binaries
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
How SE Linux separates programs

%image "separation.png"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Domain Type Access Control

Every process has a domain, every object (file, directory, socket, etc) has a type.

The domains are a subset of the types (i.e. the types that can apply to processes). A domain is the type of a process; SE Linux does not strongly distinguish between domains and types.

The domain of a process is used as the target context for operations such as sending signals

The domain of a process may be changed at exec time, either automatically through policy or through code in login type programs

Different domains have different access rights, no domain is required to have a superset of the access of other domains
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
MLS

The MLS model is that data can only be written to a file/process that is of an equal or higher "level". Any process or file that receives data from one of your processes must have an MLS clearance that is equal to or higher than yours.

Not very usable but good for getting certification

As MLS is widely and cheaply usable in Fedora, the number of applications which work with it and the number of sys-admins who know how to use it are increased. These factors make it cheaper to use than proprietary MLS systems.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Security Contexts

A security context has the form Identity:Role:Type:LowLevel-HighLevel

The levels are of the form Classification:Categories

Classification and Categories are only used by MLS/MCS; if not using MLS/MCS then it's only Identity:Role:Type. At this time MLS/MCS are not used much.

For disk objects the role is always "object_r"

The same form of security context is used for processes and for the objects that they may access
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Policy

Written at a high level with interfaces (conceptually similar to functions)

Compiled into a binary form that is understood by the kernel

May have multiple binary modules of policy that are linked as part of the load process

Loaded by /sbin/init at the start of the boot process, before any other programs are executed

A modified policy can be loaded at any time by the administrator (if permitted)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
SE Linux Aware Applications

An application can request a specific context for a file or directory that it creates. The policy determines which contexts the application may request.

An application can specify the context for a program that it executes. The policy determines which contexts the application may request and which types of file may be executed to enter the domains in question. All login programs and crond use this interface.
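%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Security contexts as data (added example)

The Python below is an added example, not part of the original slides or of any SE Linux tool: it parses the Identity:Role:Type:LowLevel-HighLevel form from the Security Contexts slide (including the NUL-terminated value the security.selinux XATTR returns), applies the MLS "equal or higher level" rule, and reads a file's context through that XATTR. The sN/cN level naming and all function names are assumptions of the example.

```python
import os
from dataclasses import dataclass
from typing import Optional, Tuple
# A level is (sensitivity number, frozenset of category numbers), so that
# "s0:c0.c3,c7" -> (0, {0,1,2,3,7}).  The sN / cN naming is assumed (Fedora style).
Level = Tuple[int, frozenset]

def parse_level(level: str) -> Level:
    """Parse Classification[:Categories]; 'c0.c3' is an inclusive range."""
    sens, _, cats = level.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError("bad sensitivity in level %r" % level)
    numbers = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        numbers.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(numbers)

@dataclass
class Context:
    identity: str
    role: str
    type: str
    low: Optional[Level] = None    # None when the context has no MLS/MCS field
    high: Optional[Level] = None

def parse_context(raw) -> Context:
    """Parse Identity:Role:Type[:Low[-High]] from a str or NUL-terminated getxattr bytes."""
    text = raw.decode() if isinstance(raw, bytes) else raw
    text = text.rstrip("\0")            # getfattr shows this trailing NUL as \000
    parts = text.split(":", 3)          # the level part may itself contain ':'
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("malformed security context %r" % text)
    ctx = Context(*parts[:3])
    if len(parts) == 4:
        low, _, high = parts[3].partition("-")
        ctx.low = parse_level(low)
        ctx.high = parse_level(high) if high else ctx.low
    return ctx

def dominates(a: Level, b: Level) -> bool:
    """MLS rule from the slides: data at b may flow to a only if a's sensitivity and categories cover b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def file_context(path: str) -> Optional[Context]:
    """Context of path via the security.selinux XATTR; None without SE Linux."""
    try:
        return parse_context(os.getxattr(path, "security.selinux"))
    except (OSError, AttributeError):
        return None
```

Feeding the function the value from the getfattr output on the next slides shows that the "s0" level is present even on a targeted system, which is why ls -Z output and the raw XATTR differ.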
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Kernel interfaces 1/3

selinuxfs file system (almost always mounted on /selinux) used for loading policy, enabling/disabling SE Linux, and querying the kernel policy database

Display whether SE Linux is in enforcing mode:
$ /usr/sbin/getenforce
Enforcing
$ cat /selinux/enforce
1

/proc/PID/attr/* files are used for discovering the current and previous contexts of a process, and for a process to request that a non-default context be used for a program it executes or a file it creates
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Kernel interfaces 2/3

Querying the context of a file system object requires reading the security.selinux XATTR. The XATTR interface is supported by devpts and all other pseudo file systems.
$ ls -Z foo
-rw-rw-r-- rjc rjc user_u:object_r:tmp_t foo
$ getfattr -n security.selinux foo
# file: foo
security.selinux="user_u:object_r:tmp_t:s0\\000"

Setting the context of a file system object involves setting the value of the security.selinux XATTR
$ setfattr -n security.selinux -v "rjc:object_r:tmp_t:s0\\000" foo
$ ls -Z foo
-rw-rw-r-- rjc rjc rjc:object_r:tmp_t foo
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Kernel interfaces 3/3

Specifying part of a context is possible with the chcon command:
$ chcon -u user_u foo
$ ls -Z foo
-rw-rw-r-- rjc rjc user_u:object_r:tmp_t foo

Can specify that a file should have the same context as another file:
$ chcon --reference /var/www/html foo
$ ls -Z foo
-rw-rw-r-- rjc rjc system_u:object_r:httpd_sys_content_t foo

To fix contexts for a directory tree:
# restorecon -R /etc
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Booleans

Change the operation of the policy

Currently one boolean for every daemon to allow it to run unconfined in the targeted policy

Booleans to customise various aspects of the policy operation, including whether programs are confined and whether the boolean can be turned off
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Play Machines

At various times I and other people have run machines live on the net with an open root password, only SE Linux was used to control access to the machine

Several improvements were made to the policy as a result of such testing

Many people thought that they could crack the machine by killing the shells of other users

Some people thought that they 0wned the machine and tried installing root-kits

Next Play Machine will go online next week
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Q/A

#selinux on irc.freenode.net

http://www.coker.com.au/selinux/ My SE Linux web pages

http://etbe.coker.com.au/ My Blog

Russell Coker