Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Introduction to SELinux David P. Quigley National Security Agency National Information Assurance Research Laboratory (NIARL)

Published byThomas Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Introduction to SELinux David P. Quigley National Security Agency National Information Assurance Research Laboratory (NIARL)"— Presentation transcript:

1 1 Introduction to SELinux David P. Quigley dpquigl@tycho.nsa.gov National Security Agency National Information Assurance Research Laboratory (NIARL)

2 2 Flawed Software ● Do you run any of the following? – Firefox: CVE-2010-0159, -0160 – OpenOffice: CVE-2010-0136 – Java: CVE-2010-0886, CVE-2010-0887, CVE-2010- 0094, CVE-2010-0840 (Javacalypse!) – Samba: CVE-2010-0926 – Apache Tomcat: CVE-2009-2902 ● Applications will always have flaws ● We shouldn't need to trust them with complete access to our data

3 3 The Problem: A Flawed Foundation ● Security of computing systems fundamentally limited by an insecure foundation ● Operating system (OS) provides the foundation – Separating data and processes – Protecting application security mechanisms ● Mainstream OSes lack adequate security mechanisms – No protection against flawed or malicious applications – Weak mechanisms for separation

4 4 Why secure the OS? ● Can't we just use virtualization instead? – Doesn't address the need for controlled sharing – Doesn't protect the data as it is being processed – Still need to protect shared services and control plane – Limited scalability and flexibility – Secure OS still plays a critical role in overall solution ● Virtualization can be useful in combination with a secure OS, not as a substitute for it

5 5 Discretionary Access Control (DAC) ● Typical form of access control in operating systems. ● Decisions based on user identity/ownership. ● Users and their programs are free to change access rules (e.g. file modes, ACLs). ● No protection against malicious and flawed software. ● Coarse-grained privilege, prone to escalation.

6 6 Mandatory Access Control (MAC) ● Historically limited to separate “trusted” operating systems. ● Decisions based on security labels. ● Access rules defined by admin/organization. ● Control over all processes and objects. ● Can confine malicious and flawed software. ● Can enforce system-wide security requirements.

7 7 Flexible MAC: Uses ● Contain the damage from 0-day exploits. ● Reduce the need for immediate security patching. ● Enable safe co-location of services. ● Sandbox applications. ● Enforce legal restrictions on data. ● Protect the integrity of data and applications. ● Enforce invocation of critical processing. ● Enforce separation of duty requirements.

8 8 How do I get SELinux? ● SELinux isn't a distribution by itself but a security enhancement to Linux that can be enabled by your distribution or vendor (or yourself if you are very motivated)

9 9 How Do I know if SELinux is on? ● /usr/sbin/getenforce [user@localhost ~]# getenforce Enforcing ● /usr/sbin/sestatus [user@localhost ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted

10 10 Enforcing vs Permissive ● Enforcing – Perform access checks and enforce failures – Reports each failure in audit logs ● Permissive – Perform access checks but does not enforce denials – Reports access failures in audit logs only once per type of failure – Does not provide real protection

11 11 Abstractions ● Security context – Contains all security attributes relevant to policy – Only interpreted by security server ● Object security class – Identifies the kind of object, e.g. regular file, directory, device, local socket, TCP socket, etc ● Access vector – Related set of permissions for the operations on a given class, e.g. read, write, execute, connect,...

12 12 SELinux Context -rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/passwd DAC Components Security Context system_u:object_r:etc_t:s0 UserRoleTypeMLS

13 13 Displaying Contexts ● Your Shell: ● Files: ● Processes ● Also netstat -Z and pstree -Z $ id -Z staff_u:staff_r:staff_t:s0 $ ls -Z /bin/bash system_u:object_r:shell_exec_t:s0 /bin/bash $ ps -Z LABEL PID TTY TIME CMD staff_u:staff_r:staff_t:s0 17166 pts/7 00:00:00 bash staff_u:staff_r:staff_t:s0 17207 pts/7 00:00:00 ps

14 14 Changing Contexts (Files) ● Files ● Files (Across relabeling) $ touch /tmp/myfile $ ls -Z /tmp/myfile unconfined_u:object_r:user_tmp_t:s0 /tmp/myfile $ chcon -t user_home_t /tmp/myfile $ ls -Z /tmp/myfile unconfined_u:object_r:user_home_t:s0 /tmp/myfile $ touch /var/cache/myfile $ ls -Z /var/cache/myfile unconfined_u:object_r:var_t:s0 /var/cache/myfile $ semanage fcontext -a -t user_home_t /var/cache/myfile $ restorecon /var/cache/myfile $ ls -Z /var/cache/myfile system_u:object_r:user_home_t:s0 /var/cache/myfile

15 15 Changing Contexts (Other) ● Your Shell ● A program (temporarily) $ id -Z staff_u:staff_r:staff_t:s0 $ newrole -r sysadm_r Password: $ id -Z staff_u:sysadm_r:sysadm_t:s0 $ runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash $ id -Z system_u:system_r:crond_t:s0:c0.c255

16 16 Policy ● What is it? – Rules governing interactions on the system – Information about initial label states – Mappings of roles and users ● Where is it? – /etc/selinux/

17 17 Dissecting a Policy Directory ● policy/ – Contains compiled policy loaded into the kernel ● modules/ – Policy store containing all modules and local modifications – Manipulate only using semodule and semanage ● contexts/ – Initial labeling information for security aware user space applications

18 18 4 key causes of SELinux errors ● Labeling Problems ● A confined process is configured in a way different then the default SELinux expected ● Bug in Policy or an Application ● Your machine has been compromised

19 19 Labeling Problems ● Every process and object on the system is labeled ● If labels are not correct access may be denied ● Causes – Alternative paths (semanage fcontext) – Files created in wrong context (restorecon) – Processes started in wrong context

20 20 Non-Default Behavior ● SELinux needs to know how a confined daemon is configured ● Booleans – Allow option functionality to be enabled ● Non-default directories – Need to ensure files are labeled properly ● Non-default ports – Need to ensure ports labeled properly

21 21 Bugs in Policy/Apps ● SELinux policy bugs – Incomplete policy (unusual code path) – Unknown application configuration ● Application bugs – Leaked File Descriptors – Executable Memory (execmem) – Badly built libraries (execmem and others)

22 22 Bugs in Policy/Apps (2) ● Options – Report bugs in bugzilla ( Best long term solution) – Create a policy module ( Temporary fix) ● Labeling is correct? No appropriate booleans? – Use audit2allow to create a policy module ● Examing resulting policy – Make sure it's safe – Ask for help (#fedora-selinux and mailing lists) #grep httpd /var/log/audit/audit.log | audit2allow -M myhttpd # semodule -i myhttpd.pp

23 23 Your machine has been compromised ● Current tools not good at differentiating – Warning signs: a confined domain tries to: ● Load a kernel module ● Turn off SELinux enforcing mode ● Write to etc_t or shadow_t ● Modify iptables rules ● Sendmail ● others – You might be compromised

24 24 Tools ● Auditing – ausearch, aureport, auditctl, audit2why ● Policy Management tools – semodule, semanage, {get,set}sebool ● Policy Querying Tools – sesearch, sediff, apol ● Policy Generation Tools – audit2allow, sepolgen ● GUI Tools – setroubleshoot, system-config-selinux, apol

25 25 Common SELinux Recipies ● Move files to non-default locations ● Adding an audit rule ● Apache configuration ● Samba configuration ● FTP configuration

26 26 Files in Non-default Locations ● Problem: Labels on new directories might not match what the policy expects for the program ● Solution: semanage fcontext Add a new equivalence $ semanage fcontext -a -e /var/www /srv/www Modify an existing equivalence $ semanage fcontext -m -e /var/www/myweb.com/htdocs /srv/www Delete an equivalence $ semanage fcontext -d /srv/www Restore the file labels to test $ restorecon /src/www

27 27 Getting Full Paths in AVC Denials ● Problem: AVC denials only list the last path component. This is a problem in the case of directories like public_html. ● Solution: Adding an audit rule will turn on full path resolution ● Set once at runtime: ● Set Persistently $ auditctl -w /etc/shadow -p wa $ echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules $ service auditd restart

28 28 Apache Configuration ● To the console!! – Labeling the public_html directory correctly – Allow the Apache HTTP Server to connect to your database server – Allow the Apache HTTP Server to run CGI scripts – Allow the Apache HTTP Server to send mail – Using an NFS or CIFS home directory

29 29 Samba Configuration ● To the console!! – Sharing non-home directory files – Sharing files with Apache, FTP, and Samba – Sharing home directories with Samba – Home directories are on a Samba server

30 30 FTP Configuration ● To the console!! – Executing a FTP daemon in the ftpd_t SELinux domain for FTP servers – Reading and writing objects through FTP – Hosting user directories using FTP – Storing virtual FTP users in a database

31 31 Policy Development ● Starting with sepolgen ● Per domain permissive mode ● Adding rules with audit2allow

32 32 SEPolgen ● CLI and GUI program to generate a simple policy module ● Questions asked to include common policy sections ● Creates a script for generating more policy rules using audit2allow

33 33 Permissive Domains ● Allows a single domain to be placed in permissive mode instead of the entire system ● In policy – permissive myapp_t; ● At runtime $ semanage permissive -a myapp_t $ semanage permissive -d myapp_t

34 34 Audit2allow ● Generates rules based on AVC denials ● Can inspect rules in generated te file ● Never run with the same -M name twice (will override old module) # audit2allow -l -a -M local ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i local.pp

35 35 Resources ● SELinux Project Wiki – http://www.selinuxproject.org ● Dan Walsh's Blog – http://danwalsh.livejournal.com/ http://danwalsh.livejournal.com/ ● Fedora SELinux Mailing List – https://www.redhat.com/mailman/listinfo/fedora-selinux-list https://www.redhat.com/mailman/listinfo/fedora-selinux-list ● NSA SELinux Mailing List – http://www.nsa.gov/research/selinux/list.shtml

36 36 Questions?

Download ppt "1 Introduction to SELinux David P. Quigley National Security Agency National Information Assurance Research Laboratory (NIARL)"

Similar presentations

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
PlanetLab Operating System support* *a work in progress.

PlanetLab Operating System support* *a work in progress.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Shane Jahnke CS591 December 7, 2009.  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.

SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Security Enhanced Linux (SELinux)

Security Enhanced Linux (SELinux)
Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.

Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/
Controlling Files Richard Newman based on Smith “Elementary Information Security”

Controlling Files Richard Newman based on Smith “Elementary Information Security”
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.
Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:
Information Assurance Research Group 1 NSA Security-Enhanced Linux (SELinux) Grant M. Wagner Information Assurance.

Information Assurance Research Group 1 NSA Security-Enhanced Linux (SELinux) Grant M. Wagner Information Assurance.
OS Hardening Justin Whitehead Francisco Robles. ECE 4112 - Internetwork Security OS Hardening Installing kernel/software patches and configuring a system.

OS Hardening Justin Whitehead Francisco Robles. ECE Internetwork Security OS Hardening Installing kernel/software patches and configuring a system.
FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.

FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.
1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

Similar presentations

Ads by Google