UP | HOME
../../

SELinux

1 DAC

  1. Linux has Discretionary Access Control as a default permissions model
  2. Examples: File permissions (chmod)
  3. Examples: Process ownership
  4. The user (subject) has discretion to set or not security policies.

2 MAC

  1. Mandatory Access Control enforces a central policy on a system
  2. MAC enforcement requires all policies to be specified by an administrator. Users cannot change these policies

3 Principles

  1. privilege of least authority
    1. The principle of least authority says you should only give the minimum privilege needed
  2. fine-grained access control permission to kernel objects
    1. Read/write permissions are coarse

4 SELinux

  1. Disables root user priviledges
  2. Several administrative roles with limited extra privileges
  3. Example: Changing passwords does not require root access to setting up firewalls
  1. Multi-level security: Declassified, Secret, Top-Secret, etc.
    1. In MLS, only a trusted declassifier can lower the secrecy of a file
    2. Users with appropriate privilege can read classified files, but cannot output their contents to lower secrecy levels

4.1 SELinux Example

  1. Suppose I want to read a secret file
  2. In SELinux, I transition to a secret role to do this
    1. This role is restricted:
      1. Cannot write to the network
      2. Cannot write to declassified files
    2. Secret files cannot be read in a declassified role
  3. Idea: Policies often require applications/users to give up some privileges (network) for others (access to secrets) General principles
  4. Secrecy (Bell-LaPadula)
    1. No read up, no write down
    2. In secret mode, you can’t write a declassified file, or read top-secret data
  5. Integrity (Biba)
    1. No write up, no read down
    2. A declassified user can’t write garbage into a secret file
    3. A top-secret application can’t read input/load libraries from an untrusted source (reduce risk of compromise)

4.2 SELinux Policies

  1. Written by an administrator in a SELinux-specific language
    1. Often written by an expert at Red Hat and installed wholesale
    2. Difficult to modify or write from scratch
  2. Very expansive—covers all sorts of subjects, objects, and verbs Key Points of Interest
  3. Role-Based Access Control (RBAC)
  4. Type Enforcement
  5. Linux Security Modules (LSM)
    1. Labeling and persistence Role-Based Access

4.3 Control

  1. Idea: Extend or restrict user rights with a role that captures what they are trying to do
  2. Example: I may browse the web, grade labs, and administer a web server
    1. Create a role for each, with different privileges
    2. My grader role may not have network access, except to blackboard
    3. My web browsing role may not have access to my home directory files
    4. My admin role and web roles can’t access students’ labs Roles vs. Restricted

4.4 Context

  1. Win2k ACLs allow a user to create processes with a subset of his/her privileges
  2. Roles provide the same functionality
    1. But also allow a user to add privileges, such as administrative rights
  3. Roles may also have policy restrictions on who/when/ how roles are changed
    1. Not just anyone (or any program) can get admin privileges

5 The power of RBAC

  1. Conditional access control
  2. Example: Don’t let this file go out on the internet
    1. Create secret file role
      1. No network access, can’t write any files except other secret files
      2. Process cannot change roles, only exit
      3. Process can read secret files
    2. I challenge you to express this policy in Unix permissions!

    Roles vs. Specific Users

  3. Policies are hard to write
  4. Roles allow policies to be generalized
    1. Users everywhere want similar restrictions on their browser
  5. Roles eliminate the need to re-tailor the policy file for every user
    1. Anyone can transition to the browser role

6 Type Enforcement

  1. Very much like the fine-grained ACLs we saw last time
  2. Rather than everything being a file, objects are given a more specific type
    1. Type includes a set of possible actions on the object
      1. E.g., Socket: create, listen, send, recv, close
    2. Type includes ACLs based on roles

7 Type examples

  1. Device types:
    1. agpdevicet - AGP device (/dev/agpgart)
    2. consoledevicet - Console device (/dev/console)
    3. mousedevicet - Mouse (/dev/mouse)
  2. File types:
    1. fst - Defaults file type
    2. etcaliasest - /etc/aliases and related files
    3. bint - Files in /bin More type examples
  3. Networking:
    1. netifeth0t – Interface eth0
    2. portt – TCP/IP port
    3. tcpsockett – TCP socket
  4. /proc types
    1. proct - /proc and related files
    2. sysctlt - /proc/sys and related files
    3. sysctlfst - /proc/sys/fs and related files

8 Detailed example

  1. pingexect type associated with ping binary
  2. Policies for pingexect:
    1. Restrict who can transition into pingt domain
      1. Admins for sure, and init scripts
      2. Regular users: admin can configure
    2. pingt domain (executing process) allowed to:
      1. Use shared libraries
      2. Use the network
      3. Call ypbind (for hostname lookup in YP/NIS)

8.1 Ping cont.

  1. pingt domain process can also:
    1. Read certain files in /etc
    2. Create Unix socket streams
    3. Create raw ICMP sockets + send/recv on them on any interface
    4. setuid (Why? Don’t know)
    5. Access the terminal
    6. Get file system attributes and search /var (mostly harmless operations that would pollute the logs if disallowed)
      1. Violate least privilege to avoid modification!

9 Full ping policy

01 type pingt, domain, privlog; 02 type pingexect, filetype, sysadmfile, exectype; 19 03 role sysadmr types pingt; 20 auditallow pingt anysockett:rawipsocket 04 role systemr types pingt; sendto; 05 21 06 # Transition into this domain when you run this 22 # Let ping receive ICMP replies. program. 23 allow pingt { self icmpsockett }:rawipsocket 07 domainautotrans(sysadmt, pingexect, pingt) recvfrom;

  1. domainautotrans(initrct, pingexect, pingt) 24

09 25 # Use capabilities. 10 usesshlib(pingt) 26 allow pingt self:capability { netraw setuid }; 11 cannetwork(pingt) 27 12 generaldomainaccess(pingt) 28 # Access the terminal. 13 allow pingt { etct resolvconft }:file { getattr 29 allow pingt adminttytype:chrfile read }; rwfileperms; 14 allow pingt self:unixstreamsocket 30 ifdef(`gnome-pty-helper.te', `allow pingt createsocketperms; sysadmgpht:fd use;') 15 31 allow pingt privfd:fd use; 16 # Let ping create raw ICMP packets. 32 17 allow pingt self:rawipsocket {create ioctl read 33 dontaudit pingt fst:filesystem getattr; write bind getopt setopt}; 34 18 allow pingt anysockett:rawipsocket sendto; 35 # it tries to access /var/run 36 dontaudit pingt vart:dir search;

10 Linux Security Modules

  1. Culturally, top Linux developers care about writing a good kernel
    1. Not as much about security
    2. Different specializations
  2. Their goal: Modularize security as much as humanly possible
    1. Security folks write modules that you can load if you care about security; kernel developers don’t have to worry about understanding security

11 Basic deal

  1. Linux Security Modules API:
    1. Linux developers put dozens of access control hooks all over the kernel
      1. See include/linux/security.h
    2. LSM writer can implement access control functions called by these hooks that enforce arbitrary policies
    3. Linux also adds opaque “security” pointer that LSM can use to store security info they need in processes, inodes, sockets, etc.

12 SELinux example

  1. A task has an associated security pointer
    1. Stores current role
  2. An inode also has a security pointer
    1. Stores type and policy rules
  3. Initialization hooks for both called when created SELinux example, cont.
  4. A task reads the inode
    1. VFS function calls LSM hook, with inode and task pointer
    2. LSM reads policy rules from inode
  5. Suppose the file requires a role transition for read
    1. LSM hook modifies task’s security data to change its role
    2. Then read allowed to proceed Problem: Persistence
  6. All of these security hooks are great for in memory data structures
    1. E.g., VFS inodes
  7. How do you ensure the policy associated with a given file persists across reboots? Extended Attributes
  8. In addition to 9+ standard Unix attributes, associate a small key/value store with an on-disk inode
    1. User can tag a file with arbitrary metadata
    2. Key must be a string, prefixed with a domain
      1. User, trusted, system, security
    3. Users must use ‘user’ domain
    4. LSM uses ‘security’ domain
  9. Only a few file systems support extended attributes
    1. E.g., ext2/3/4; not NFS, FAT32

13 Persistence

  1. All ACLs, type information, etc. are stored in extended attributes for persistence
  2. Each file must be labeled for MAC enforcement
    1. Labeling is the generic problem of assigning a type or security context to each object/file in the system
    2. Can be complicated
  3. SELinux provides some tools to help, based on standard system file names and educated guesses

14 Summary

  1. SELinux augments Linux with a much more restrictive security model
    1. MAC vs. DAC
  2. Understand Roles and Types
  3. Basic ideas of LSM
    1. Labeling and extended attributes

15 References

16 End

Copyright © 2017 www.wright.edu/~pmateti • 2017-09-11