Presentation is loading. Please wait.

Presentation is loading. Please wait.

Demystifying SELinux Part II: Who’s Policy Is It Anyway

Published byValerie Burke Modified over 7 years ago

Similar presentations

Presentation on theme: "Demystifying SELinux Part II: Who’s Policy Is It Anyway"— Presentation transcript:

1 Demystifying SELinux Part II: Who’s Policy Is It Anyway
Dave Quigley SELinux Ninja/Linux Kernel Developer

2 Outline The Basics SELinux Fundamentals Identifying Problems
Policy Basics ftransferd Policy Development Basics Extras Questions

3 The Basics

4 Access Controls determine who/what can access system resources
What is Access Control? Access Controls determine who/what can access system resources

5 What You're Use To Web Content Home Directory Files Sensitive
Credit Card Data Dave (Apache) Dave (Firefox)

6 A “New” Type of Access Controls
Web Content TCP Port 80 Sensitive Credit Card Data Database Socket Apache Logs Dave (Apache) Dave (PostgreSQL) Database Files

7 DEMO: Who’s File is it Anyway?
Two services both running as the same user httpd Mysqld A bug in either may allow access to the shared files How do we keep access separate? Assign the services some sort of identifier Create access rules based on these identifiers

8 What is SELinux? SELinux is a label based security system
Every process has a label, every object on the system has a label Files, Directories, network ports … The SELinux policy controls how process labels interact with other labels on the system The kernel enforces the policy rules

9 apt-get install selinux
How do I get SELinux? SELinux isn't a distribution by itself but a security enhancement to Linux that can be enabled by your distribution or vendor (or yourself if you are very motivated) Distribution How to get it RHEL 4+ Default Fedora 2+ Ubuntu apt-get install selinux Debian Gentoo Hardened Gentoo OpenSUSE 13.1 Basic support

10 How Do I know if SELinux is on?
/usr/sbin/sestatus ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: Policy from config file: targeted /usr/sbin/getenforce ~]# getenforce Enforcing

11 Enforcing vs Permissive
Perform access checks and enforce failures Reports each failure in audit logs Permissive Perform access checks but does not enforce denials Reports access failures in audit logs only once per type of failure Does not provide real protection

12 Setting Enforcing Mode
Two ways to set at boot-time: enforcing=0 or enforcing=1 on kernel command line (grub.conf) SELINUX=permissive or SELINUX=enforcing in /etc/selinux/config To set at runtime: /usr/sbin/setenforce 0 | 1 | Enforcing | Permissive echo 0 > /selinux/enforce

13 LAB: Set Enforcing Mode
Check the current mode of your machine What does it say? Set the current mode to permissive Check the status again Set the mode back to enforcing This is important to ensure later labs work

14 All information needed for SELinux to make an access control decision
What is a Label? -rw-r--r-- root root system_u:object_r:etc_t:s /etc/passwd DAC Components Security Label system_u:object_r:etc_t:s0 User Role Type MLS All information needed for SELinux to make an access control decision

15 How do I see Labels? Files ls -Z Processes ps -Z, pstree -Z Ports
netstat -Z, semanage ports -l

16 LAB: Viewing Contexts Use ls -Z to look around common system directories. Use ps -Z to look at the contexts of running processes. Look at network socket labeling with netstat -Z

17 Setting File Contexts Determining Labels matchpathcon Setting Labels
chcon semanage fcontext Restoring Labels restorecon fixfiles

18 LAB: Setting File Contexts
Try using some of the commands we just saw. Try setting labels with chcon and then restoring the label with restorecon Identify the context for a path with matchpathcon Look at network socket labeling with netstat -Z

19 SELinux Fundamentals

20 SELinux Security Models
The SELinux security server implements 3 security models. Type Enforcement(TE) Role-Based Access Control (RBAC) Multi-Level Security (MLS).

21 Type Enforcement (TE) Core security model of SELinux.
Supports binding permissions to specific programs/code. Supports least privilege, integrity, and assured invocation. No rigid model - driven by customizable policy configuration.

22 TE: Domains Each subject (e.g. process, applet) is labeled with a “domain”. Simple string tag identifying the subject from a security point of view. Subjects that should have the same permissions to the same objects can share same domain. Examples: user_t (unprivileged user shell), passwd_t (passwd process)

23 TE: Types Each object (e.g. file, socket) is labeled with a “type”.
Simple string tag identifying the object from a security point of view. Objects that should be accessible in the same way by the same subjects can share the same type. Examples: passwd_exec_t (/bin/passwd), shadow_t (/etc/shadow).

24 TE: Domains vs. Types Domains and types are both equivalence classes.
A domain might be used as an object, e.g. recipient of a signal or IPC /proc/pid files A domain is just a kind of type, one that can be applied to processes. SELinux uses “type” for both.

25 Object Classes Identify the kind of object being accessed. Class name
Description process A process file A regular file dir A directory chr_file A character device blk_file A block device tcp_socket A TCP socket rawip_socket A raw IP socket capability A Linux capability

26 Permissions Identify the operation being performed.
Defined on a per-class basis. File permissions Socket permissions create read write rename bind unlink connect execute accept

27 Access Vectors A set of permissions. Represented as a bitmap.
Computed by the security server. Cached by the Access Vector Cache (AVC). Used to represent: What is allowed What is to be audited

28 Running /bin/passwd passwd process passwd_t transition user shell
user_t entrypoint read write execute /bin/passwd passwd_exec_t /etc/shadow shadow_t

29 Domain Transition Example
Only authorized domains (e.g. passwd_t) can write to shadow_t. passwd_t can only be entered by running a program labeled with passwd_exec_t. passwd_t cannot execute any other programs. Only authorized domains (e.g. user_t) can transition to passwd_t. passwd_t can only read and write authorized types (e.g. shadow_t).

30 LAB: Observe Domain Transition (passwd)
Start two terminals and view their contexts (id -Z) What is the terminals domain? Run passwd in one terminal In the second terminal ps -AZ | grep passwd What domain is passwd running in? Then run pstree -Z | less and find passwd What domain is passwd's parent running in?

31 Role Based Access Control (RBAC)
Each process is labeled with a role. Object security contexts just use “object_r”. Organizes TE domains into roles. Each role authorized for certain domain types. role staff_r types { staff_t passwd_t }; Each SELinux user authorized for certain roles. user staff_u roles { staff_r system_r };

32 Multi-Level Security Each process and object is labeled with a single level or a range (low-high). A level consists of a sensitivity and category set. Configurable constraints define how different levels may interact, using the dominance relation. Red Hat uses it for “Multi-Category Security” (MCS), leveraged by sandbox and SVirt. Traditional MLS via separate -mls policy.

33 Identifying Problems

34 How to tell if something is wrong?
Logged to /var/log/messages if no auditd or during early boot before auditd. grep avc /var/log/messages Logged to /var/log/audit/audit.log if running auditd. /sbin/ausearch -mAVC,SELINUX_ERR -i Notification via setroubleshoot if running. /var/log/audit/audit.log, desktop pop-up

35 Example Permission Denial
type=AVC msg=audit(09/07/ :06:38.240:54981) : avc: denied { read } for pid=4866 comm=bash name=.bash_history dev=dm-0 ino=138 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file An attempt by a bash process to read a .bash_history file was denied, where the bash process was running in the httpd_t domain and the .bash_history file was labeled with admin_home_t (i.e. under /root).

36 Silent Denials Permission denials may be silenced by dontaudit rules in the policy. Used to avoid filling audit logs with noise from harmless application probing. May hide the cause of a denial when developing policy. Use semodule -DB to strip dontaudit rules. Use semodule -B to restore them.

37 Getting Full Paths in AVC Denials
Problem: AVC denials only list the last path component. This is a problem in the case of directories like public_html. Solution: Adding an audit rule will turn on full path resolution Set once at runtime: $ auditctl -w /etc/shadow -p wa Set Persistently $ echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules $ service auditd restart

38 Augmented Denial type=PATH msg=audit(09/07/ :06:38.240:54981) : item=0 name=/root/.bash_history inode=138 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 type=CWD msg=audit(09/07/ :06:38.240:54981) : cwd=/home/sds Now we get to see the current working directory (CWD) of the process and the full pathname (PATH) that was passed to the system call.

39 Most Common SELinux Problems
Incorrect Labeling Non-Default Configuration of a Confined Program Bug in Policy or an Application Your machine may have been compromised

40 Labeling Problems Every process and object on the system is labeled
If labels are not correct access may be denied Causes Alternative paths (semanage fcontext) Files created in wrong context (restorecon) Processes started in wrong context

41 Usecase: Move instead of copy
Administrator uploads and extracts a tarball of static web content to his home directory Administrator moves the files into the document root for Administrator tries to access site Access fails, why?

42 Lab: Move instead of copy
Create A file in your home directory Observe its label Move it to the document root for labels.com Observe is label, did it change? Use chcon or restorecon to fix the label

43 Non-Default Configuration
SELinux needs to know how a confined daemon is configured Non-default directories Need to ensure files are labeled properly Booleans Allow optional functionality to be enabled Non-default ports Need to ensure ports labeled properly

44 Usecase: Non Default Location
Administrator decides to setup a website with the location of /opt/www Administrator creates the directory and copies files into it. Administrator tries to access site Page access fails, why?

45 Lab: Non Default Locaton
Copy the original docroot files over to a new location Modify the apache config to read from this new location Try to access Fails why? Set up equivalence mapping with semanage fcontext

46 Usecase: Web content in user home directories
Administrator decides to setup a website to allow users to host personal webpages. Administrator enables Userdirs to public_html. Administrator tries to access site userhome.com/~sedemo Page access fails, why?

47 Lab: Web content in user home directories
Create a public_html directory in your home directory and ensure its labeled properly Create a file under it Try to access the file at userhome.com/~username/filename Why does it fail Enable httpd to read home directories using getsebool/setsebool

48 Usecase: Apache on a non-standard port
Administrator decides to change the port his apache server at to to heighten security. Administrator changes the listening port in the config. Administrator tries start httpd. Server fails to start, why?

49 Lab: Apache on a non-standard port
Change port in Apache config to read on port 10321 Attempt to restart Apache Why does this fail? Identify the port label for Apache Use semanage port or sepolicy network if on a new enough system Create new mapping for port to the appropriate context using semanage port

50 Bugs in Policy/Apps SELinux policy bugs
Incomplete policy (unusual code path) Unknown application configuration Application bugs Leaked File Descriptors Executable Memory (execmem) Badly built libraries (execmem and others)

51 Bugs in Policy/Apps (2) Options
Report bugs in bugzilla (Best long term solution) Create a policy module (Temporary fix) Labeling is correct? No appropriate booleans? Use audit2allow to create a policy module Examine resulting policy Make sure it's safe Ask for help (#fedora-selinux and mailing lists)

52 Your machine may have been compromised
Current tools not good at differentiating Warning signs: a confined domain tries to: Load a kernel module Turn off SELinux enforcing mode Write to etc_t or shadow_t Modify iptables rules Sendmail others You may be compromised

53 Policy Basics

54 Policy What is it? Rules governing interactions on the system
Information about initial label states Mappings of roles and users Where is it? /etc/selinux/<policy_name>

55 Dissecting a Policy Directory
Contains compiled policy loaded into the kernel modules/ Policy store containing all modules and local modifications Manipulate only using semodule and semanage contexts/ Initial labeling information for security aware user space applications

56 TE: Allow Rules Everything not explicitly allowed is denied. Syntax:
allow source-type target-type : class { permissions }; Examples: allow user_t passwd_exec_t:file execute; allow passwd_t passwd_exec_t:file entrypoint; allow user_t passwd_t:process transition;

57 TE: Transition Rules Default assignment of types on program execution and object creation. Syntax: type_transition source-type target-type:class default_type; Examples: type_transition user_t passwd_exec_t:process passwd_t; type_transition passwd_t etc_t:file shadow_t;

58 ftransferd

59 What is ftransferd? Simple file transfer daemon
Uses file in the user’s home directory to host files Can access the directory for any user Has a small vulnerability in it for fun!

60 What does it do? Reads from a directory in the user’s home directory
Writes output to syslog Binds and communicates through TCP ports

61 Policy Development Basics

62 Writing New Policy: Dependencies
Need policy headers (/usr/share/selinux/devel). selinux-policy-devel in RHEL5. Folded into selinux-policy in modern Fedora. Need checkpolicy. May want a copy of the policy sources for reference. selinux-policy.src.rpm oss.tresys.com/projects/refpolicy

63 Writing New Policy: Understanding Interfaces
Existing policy makes extensive use of interfaces/macros. The interface files (*.if) are installed under /usr/share/selinux/devel/include. Documentation for the interfaces can be viewed using /usr/share/selinux/devel/policyhelp.

64 Policy Writing Tools SELinux Policy IDE (SLIDE), Eclipse plugin.
eclipse-slide in Fedora >= 9, RHEL 6. Policy generation tools /usr/share/selinux/devel/policygentool (old) system-config-selinux new module wizard /usr/bin/sepolgen vi/emacs for the rest of us!

65 Writing new policy Typically generate an initial stub domain using your favorite tool (or by hand) Load the policy module, label the relevant files Run the program in permissive mode (or use a permissive domain) Collect denials Augment policy Rinse and repeat

66 SEPolgen CLI and GUI program to generate a simple policy module
Questions asked to include common policy sections Creates a script for generating more policy rules using audit2allow

67 Lab: Create Initial Policy
Use sepolgen or eclipse-slide to create a new policy module Select items for what we currently know about ftransferd Inspect created polcy

68 Permissive Domains Fedora >= 10, RHEL 6
Allows a single domain to be placed in permissive mode instead of the entire system In policy permissive myapp_t; At runtime $ semanage permissive -a myapp_t $ semanage permissive -d myapp_t

69 Lab: Make new domain permissive
Identify the domain type for ftransferd Decide whether you want long or shor term permissive policy semanage permissive Make the appropriate change

70 Audit2allow Tool for generating policy rules based on AVC messages (Use with caution!) Can inspect rules in generated te file Never run with the same -M name twice (will override old module) # audit2allow -l -a -M local ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i local.pp

71 Audit2allow Examples Create and insert a local policy module that allows all logged denials since the last reload. audit2allow -l -a -M mypolicy semodule -i mypolicy.pp Create and insert a local policy module that allows all denials logged on the httpd program. ausearch -m avc -c httpd | audit2allow -M myhttpd semodule -i myhttpd

72 Audit2allow -R By default, audit2allow emits raw policy rules.
Existing policy is written using macros (interfaces). Audit2allow -R will try to find the right interface and use it. audit2allow -l -a -R -M mypolicy Imperfect, but can be helpful.

73 Lab: Generate Denials & Policy
Clear your audit logs Restart auditd Run ftransferd Transfer a few files with the client Look for generated AVC denials Run them through audit2allow Don't forge to use a different module name each time Merge the policy modules

74 Extras

75 Tools Auditing ausearch, aureport, auditctl, audit2why
Policy Management tools semodule, semanage, {get,set}sebool Policy Querying Tools sesearch, sediff, apol Policy Generation Tools audit2allow, sepolgen GUI Tools setroubleshoot, system-config-selinux, apol

76 External Resources Fedora Docs, http://docs.fedoraproject.org
SELinux FAQ Security-Enhanced Linux User Guide Managing Confined Services SELinux wiki, Tresys OSS site, SELinux By Example: Using Security Enhanced Linux

77 Resources SELinux Project Wiki http://www.selinuxproject.org
Dan Walsh's Blog Fedora SELinux Mailing List NSA SELinux Mailing List

78 Questions?

79 Survey Thank you for listening to me talk. Please help improve the talk by filling out a quick survey at

Download ppt "Demystifying SELinux Part II: Who’s Policy Is It Anyway"

Similar presentations

JENNIS SHRESTHA CSC 345 April 22, 2014. Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.

JENNIS SHRESTHA CSC 345 April 22, Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.
PlanetLab Operating System support* *a work in progress.

PlanetLab Operating System support* *a work in progress.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
Shane Jahnke CS591 December 7, 2009.  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Linux Operations and Administration

Linux Operations and Administration
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.

5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.
Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:
FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.

FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.
1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
SELinux. The need for secure OS Increasing risk to valuable information Dependence on OS protection mechanisms Inadequacy of mainstream operating systems.

SELinux. The need for secure OS Increasing risk to valuable information Dependence on OS protection mechanisms Inadequacy of mainstream operating systems.
Linux Operations and Administration

Linux Operations and Administration

Similar presentations

Ads by Google