Multi-Category Security (MCS)

Slides:

Advertisements

Similar presentations

Extern name server - translates addresses of s messages - enables users to use aliases - … ID cards system - controls entrance to buildings,

Advertisements

Module 12: Auditing SQL Server Environments

World Class Financial Reporting with FRx Report Writer Elisa R. Vick

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

Common Services in a network Server : provide services Type of Services (= type of servers) –file servers –print servers –application servers –domain servers.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Security Enhanced Linux (SELinux)

SELinux US/Fedora/13/html/Security-Enhanced_Linux/

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Configuring Encryption and Advanced Auditing

Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

Linux Networking and Security

Module 5: Configuring Internet Explorer and Supporting Applications.

© 2006 Cisco Systems, Inc. All rights reserved.1 Connection 7.0 Serviceability Reports Todd Blaisdell.

Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.

Computer Literacy for IC 3 Unit 2: Using Productivity Software Chapter 3: Formatting and Organizing Paragraphs and Documents © 2010 Pearson Education,

Trusted Operating Systems

The SELinux of First Look. Prologue After many discussions with a lot of Linux users, I’ve come to realize that most of them seem to disable SELinux rather.

Security-Enhanced Linux Eric Harney CPSC 481. What is SELinux? ● Developed by NSA – Released in 2000 ● Adds additional security capabilities to Linux.

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

LINUXCHIX WEBMAIL. Software run by an ISP or online service that provides access to send, receive, and review using only your Web browser. Users.

Aaron Corso COSC Spring What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.

The Web Web Design. 3.2 The Web Focus on Reading Main Ideas A URL is an address that identifies a specific Web page. Web browsers have varying capabilities.

All about Eugene Teo Linux Users' Group (Singapore) April 2006 Meeting Core 5.

1 Introduction to SELinux David P. Quigley National Security Agency National Information Assurance Research Laboratory (NIARL)

How to live with SELinux

MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses.

SELinux Sandbox Daniel Walsh Red Hat. What is a sandbox ➔ Run general applications in a locked down environment. ➔ Less privileged then other processes.

Arklio Studija 2007 File: / / Page 1 Automated web application testing using Selenium

Overview of NSA Security Enhanced Linux Russell Coker.

SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh

SELinux: Best Practices and What's New in Red Hat Enterprise Linux 5 Name Dan Walsh Date Wednesday May 9 th 2007.

What is SELinux trying to tell me? The 4 key causes of SELinux errors.

10/2/2016 Secure Virtualization Using SELinux Daniel J Walsh

SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.

OpenShift & SELinux Dan Walsh Twitter: #rhatdan

Data Visualization with Tableau

Introduction to Operating Systems

10/09/2018 The eFolio Arrives John Sewell.

Demystifying SELinux: WTF is it saying?

Computer Software Lecture 5.

BASIC INFORMATION ABOUT DATABASE MANAGEMENT SOFTWARE

Joseph JaJa, Mike Smorul, and Sangchul Song

Fedora Kiosk Spin Daniel Walsh Red Hat.

Dan Walsh Red Hat, Inc. Sandbox Dan Walsh Red Hat, Inc.

SELinux Daniel J Walsh SELinux Lead Engineer.

SE Linux Implementation

SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU

SELinux RHEL5: A benchmark

Avaya Professional Services (APS) Tools ProVision

New Features in Fedora Core 5

Central Document Library Quick Reference User Guide View User Guide

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

Introduction Are you currently using Dimensions? Did you know they are not just for Financial Reporting? Even though Dimensions are primarily used in.

C/S Windows Overview Nigel Pilsbury.

ILogic What’s New.

Exploring Microsoft Office Access 2010

Tazin Afrin October 24, 2013 Day 19: Access Chapter 4 Tazin Afrin October 24, 2013.

PLANNING A SECURE BASELINE INSTALLATION

FileMaker Pro: Using Advanced Features & Working with Layouts

Exploring Microsoft® Office 2016 Series Editor Mary Anne Poatsy

Designing IIS Security (IIS – Internet Information Service)

OBJECT STORAGE AND INTEROPERABILITY

New Features in Security Management

Presentation transcript:

Multi-Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@redhat.com

Oops!!!!

Setting the record straight Example Policy -> Reference Policy Base policies package used by distributions to build shipping policy targeted, strict, MLS MCS Is not a new policy package MCS is a optional way to build targeted or strict Fedora/Red Hat will ship in FC5/RHEL5: selinux-policy-targeted == targeted-mcs selinux-policy-strict == strict-mcs selinux-policy-mls == strict-mls

What is MCS? MCS Is MLS with a single Sensitivity MLS/MCS flag is the fourth field of the SELinux context system_u:object_r:user_home_t:s0:c1 MLS runs with up to 16 sensitivities, s0-s15 MCS runs with single sensitivity, s0 MLS/MCS support 256 category combinations, c0-c255 Discretionary/advisory scheme User-oriented Prevent Accidental Leakage by user, not malicious Targeted domains will be prevented by TE by default

Benefits of MLS for a Mainstream OS Can MCS do for MLS what targeted policy did for SELinux? Potentially useful to more people Mainstream use of technology Higher overall quality User-innovation Currently in Rawhide MCS labeling for files MLS kernel flag enabled by default

MCS/MLS Infrastucture Needed a way to make categories human readable libsetrans optional library used by libselinux to translate MLS Level of security context into Human readable context

/etc/selinux/POLICYTYPE/setrans.conf # Multi-Category Security translation table for SELinux # Uncomment the following to disable translation libary # disable=1 # Objects can be categorized with 0-256 categories defined by the admin. # Objects can be in more than one category at a time. # Categories are stored in the system as c0-c255. Users can use this # table to translate the categories into a more meaningful output. # Examples: s0= s0:c0=CompanyConfidential s0:c1=PatientRecord s0:c2=Unclassified s0:c3=TopSecret s0:c1,c3=CompanyConfidentialRedHat s0-s0:c0.c255=SystemLow-SystemHigh s0:c0.c255=SystemHigh

Translation system_u:object_r:user_home_t:s0:c1 system_u:object_r:user_home_t:PatientRecord system_u:object_r:user_home_t:s0 system_u:object_r:user_home_t

Setting MLS/MCS Flag chcon chcon -l PatientRecord /opt/patients/dwalsh chcat wrapper around chcon chcat +PatientRecord /opt/patients/dwalsh chcat +CompanyConfidential /opt/patients/dwalsh user_r:object_r:type_t:PatientRecord,CompanyConfidential Nautilus, Mailers, OpenOffice, Web Browsers

Setting Users MLS/MCS Range /etc/selinux/POLICYTYPE/seuser semanage login -m -r s0-PatientRecord,CompanyConfidential dwalsh chcat -l +PatientRecord dwalsh chcat -L -l dwalsh dwalsh: PatientRecord id -Z user_u:system_r:unconfined_t:s0-PatientRecord

Graphical Tools

What Next? Labeled Printing lpr -P ReceptionistPrinter /opt/patients/dwalsh.pdf Error: You are not allowed to print this doc on ReceptionistPrinter lpr -P LabTech /opt/patients/dwalsh.pdf Header and footer will identify document as a “PatientRecord” Labeled Mail Mail List associated with MCS Framework Mail domain (redhat.com) associated with MCS Framework. Auditing? How do I run multiple Apache servers to display different categories? MLS Challange as well

Fedora and MCS LSPP/MLS infrastructure re-use Potentially useful to more people Mainstream use of technology Higher overall quality User-innovation Currently in Rawhide MCS labeling for files MLS enabled by default