
Security-Enhanced Linux. References: Implementation of Security-Enhanced Linux by Yue Cui, Xiang Sha, Li Song; Security Enhanced Linux by David Quigley.


1 Security-Enhanced Linux

2 References
- Implementation of Security-Enhanced Linux by Yue Cui, Xiang Sha, Li Song
- Security Enhanced Linux by David Quigley (Fedora)
- Security-Enhanced Linux by Joseph A. LaConte

3 Background
Security-Enhanced Linux is an NSA (National Security Agency) backed research project.
Goals:
- Promote security research
- Address OS security
- Demonstrate MAC (Mandatory Access Controls) through Type Enforcement® technology in a mainstream OS
Note: the SELinux project is not intended as a complete security solution for Linux.

4 SELinux Background
- 1985: LOCK system (early Type Enforcement), Secure Ada project through Honeywell
- 1990: DTMach / DTOS
  - DTMach: Mach-based prototype
  - DTOS (Distributed Trusted Operating System)
- 1995: Utah Fluke / Flask
  - Fluke: University of Utah's research operating system
- 1999: 2.2 Linux kernel (patch)
- 2001: 2.4 Linux kernel (patch)
- 2002: LSM
- 2003: 2.6 Linux kernel (mainline)
- 2006: Full network labeling

5 Why Linux?
Linux is an open source project with many developers; therefore it:
- Provides an opportunity for more research.
- Allows application/testing in a mainstream OS.
- Improves security in an existing OS.

6 SELinux
Security-Enhanced Linux (SELinux):
- Uses the Linux Security Modules (LSM) framework to implement flexible Mandatory Access Control (MAC) in the Linux kernel.
- Restricts privileges of user programs and system servers using security labels and an administratively-defined policy.

7 MAC versus DAC
Discretionary Access Control (DAC) is the standard security model for Linux. In this model, access privileges are based on the user identity and object ownership.
Mandatory Access Control (MAC) limits privileges for subjects (processes) and objects (file, socket, device, etc.).
Please note: SELinux does not change any existing security in the Linux environment; rather, SELinux extends the security model to include Mandatory Access Control (i.e. both MAC and DAC are enforced in the SELinux environment).

8 SELinux vs. traditional Linux
- SELinux enforces MAC policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.
- The ability of these user programs and system daemons to cause harm when compromised (via buffer overflow, for example) is reduced or eliminated.

9 SELinux vs. traditional Linux
- The confinement mechanism operates independently of the traditional Linux access control mechanisms.
- It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

10 SELinux vs. traditional Linux
The security of traditional Linux:
- Depends on the correctness of the kernel, all the privileged applications, and each of their configurations.
- A problem in any one of these areas may allow the compromise of the entire system.
The security of SELinux:
- Depends on the correctness of the kernel and its security policy configuration.
- While problems may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

11 Security-Enhanced Linux
Security policies are implemented using:
- Type Enforcement® (TE) (introduced in 1985 by Boebert and Kain)
- Role-based access control (RBAC)
- Multi-level security (MLS)

12 Security Model in SELinux
- Type Enforcement (TE) model: provides fine-grained control over processes and objects in the system.
- Role-Based Access Control (RBAC) model: provides a higher level of abstraction to simplify user management.

13 TE model
Traditional TE model:
- Binds a security attribute called a domain to each process and a type to each object.
- Treats all processes in the same domain identically and all objects that have the same type identically.
- A pair of access matrices specify how domains can access types and how domains can interact with other domains.
- Each user is authorized to operate in certain domains.

14 TE model
SELinux TE model:
- Uses a single type attribute in the security context for both processes and objects. A domain is simply a type that can be associated with a process.
- Uses the security class information provided by the Flask architecture. Security classes can distinguish objects of the same type.
- Does not directly associate users with domains; uses the RBAC model to provide an additional layer of abstraction between users and domains.

15 Type Enforcement
- Object(s): items in a system that are acted upon (files, IPC, sockets, etc.).
- Subject(s): processes that are requesting access to an object.
- All objects and subjects carry a security context.
- Security contexts are composed of four parts.
- All security context components are checked against the policy to see if access is allowed.
- Type is the base component, while role and user are used to further restrict type enforcement.

16 Security Contexts
Example: system_u:object_r:passwd_exec_t:s0:c0.c2-s2:c0.c1
Syntax: user:role:type:sensitivity[:category,…][-sensitivity[:category,…]]
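The context syntax on this slide, worked as a parser. This Python example is added here and is not part of the presentation or of any SELinux library: it splits a context into user, role, type and the optional MLS low/high levels, expands category ranges such as c0.c2 (the inclusive-range reading of the dot is an assumption), and rejects malformed input. The first sample context is the slide's own; the second is constructed.

```python
"""Parser for SELinux security context strings.

Added example (not from the slides). Syntax handled:
user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Level:
    sensitivity: int                 # the N in sN
    categories: FrozenSet[int]       # the Ns in cN, with ranges expanded


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level] = None      # None when the context has no MLS field
    high: Optional[Level] = None     # None when single-level (high equals low)


_CATEGORY = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(spec: str) -> FrozenSet[int]:
    """'c0.c2,c5' -> {0, 1, 2, 5}; a '.' marks an inclusive range (assumption)."""
    cats = set()
    for item in spec.split(","):
        m = _CATEGORY.match(item)
        if not m:
            raise ValueError(f"bad category {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"bad category range {item!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(spec: str) -> Level:
    """'s2:c0.c1' -> Level(2, {0, 1}); 's0' -> Level(0, {})."""
    sens, _, cats = spec.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity {sens!r}")
    return Level(int(sens[1:]), parse_categories(cats) if cats else frozenset())


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:low[-high]] into a Context."""
    # user, role and type never contain ':'; everything after the third
    # colon is the optional MLS range, which itself contains colons.
    parts = ctx.split(":", 3)
    if len(parts) < 3 or any(p == "" for p in parts[:3]):
        raise ValueError(f"context needs user:role:type, got {ctx!r}")
    user, role, typ = parts[:3]
    if len(parts) == 3:
        return Context(user, role, typ)
    low_spec, _, high_spec = parts[3].partition("-")
    low = parse_level(low_spec)
    high = parse_level(high_spec) if high_spec else None
    return Context(user, role, typ, low, high)


def is_ranged(ctx: Context) -> bool:
    """True when the context carries a distinct low-high range, i.e. the
    kind of multi-level subject slide 28 calls a trusted subject."""
    return ctx.high is not None and ctx.high != ctx.low


if __name__ == "__main__":
    # The slide's example context, followed by a constructed plain one.
    for s in ("system_u:object_r:passwd_exec_t:s0:c0.c2-s2:c0.c1",
              "root:sysadm_r:sysadm_t"):
        print(parse_context(s))
```

The split with a maximum of three pieces is the important detail: the MLS range reuses the colon as a separator, so splitting on every colon would break any context that carries categories.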

17 TE Access Control
- Source type(s): the domain type of the process accessing the object.
- Target type(s): the type of the object being accessed by the process.
- Object class(es): the class of object to permit access to.
- Permission(s): the kind of access permitted for the indicated object class.
Example:
    allow user_t bin_t : file { read execute write getattr setattr };

18 Domain Transitions
- Analogous to SetUID programs.
- Joe running as user_t (untrusted user) needs to change his password. How does Joe change his password?
    allow user_t passwd_exec_t : file { getattr execute };
    allow passwd_t passwd_exec_t : file entrypoint;
    allow user_t passwd_t : process transition;
- What does this solve? It restricts the trusted domain passwd_t and allows user_t to transition to it.
- Implicit domain transitions are provided via type_transition.

19 Users & Roles
- User and role are the first and second components of a security context.
- SELinux usernames and DAC usernames are not synonymous.
- semanage is used to maintain mappings of DAC to SELinux usernames.
- Roles are collections of types geared towards a purpose.
- Roles can be used to further restrict actions on the system.
- SELinux usernames are granted roles in the system.

20 Role-Based Access Control
- Each user gets a set of roles.
- Each role is assigned a set of TE domains.
Note: users are not identified by Linux uids; instead a user identity attribute is used in the security context.

21 RBAC model
Traditional RBAC model:
- Authorizes users to act in certain roles and assigns a set of permissions to each role.
SELinux RBAC model:
- Authorizes each user for a set of roles, and each role for a set of TE domains.
- Maintains a role attribute in the security context of each process.

22 Policies
Configuration consists of:
- Flask definitions
- TE and RBAC declarations and rules
- User declarations
- Constraint definitions
- Security context specifications

23 Policies
TE statements:
- Attribute declarations
- Type declarations
- TE transition rules
- TE change rules
- TE access vector rules
- TE access vector assertions
- Type member rules
RBAC statements:
- Role declarations and dominance
- Role allow rules
- Role transition rules

24 Policies
[Figure: syntax for TE and RBAC declarations*]
[Figure: syntax for type declarations*]
* Smalley, Stephen, January 2003.

25 Policies
[Figure: Bleher, Thomas, November 30, 2004]

26 Limitations
- Performance overhead: approximately 7%.
- Complexity: requires in-depth knowledge of the operating system, the security policies, and the operating environment.
- Maintenance: policy fine-tuning, and changes required for changes to the system.

27 Benefit of SELinux
SELinux's new features are designed to:
- Enforce the separation of information based on confidentiality and integrity requirements.
- Prevent processes from reading data and programs, tampering with data and programs, executing untrustworthy programs, or interfering with other processes in violation of the system security policy.

28 MLS
- The MLS portion of the security context is composed of 4 parts: low/high and sensitivity/category.
- Includes syntax to define dominance of security levels.
- Subjects with a range of levels are considered trusted subjects.
- Implements a variation of Bell-LaPadula.

29 Linux Security Modules (LSM)
- Kernel framework for security modules.
- Provides a set of hooks to implement further security checks.
- The hooks are usually placed after the existing DAC checks and before resource access.
- Implications? The SELinux check is not called if the DAC check fails. This makes auditing difficult at times.


31 SELinux LSM Module
[Figure taken from SELinux by Example. Components shown: User Space / Kernel Space boundary; SELinux filesystem; Policy Management Interface; SELinux LSM Module, containing the Access Vector Cache and the Security Server (Policy Rules and Access Decision Logic); LSM Hooks; Various Kernel Object Managers. Arrows labeled "Cache Miss" and "Yes or No?".]

32 Userspace Object Managers
[Figure taken from SELinux by Example. Components shown: in user space, a User-Space Object Manager using the libselinux Access Vector Cache ("Allow access? Yes or No?"); in kernel space, the SELinux filesystem, Policy Management Interface, Access Vector Cache and Security Server (Policy Rules and Access Decision Logic). Arrows labeled "Cache Miss" and "Yes or No?".]

33 Policy Server
[Figure taken from SELinux by Example. Components shown: in user space, a User-Space Object Manager with the libselinux Access Vector Cache, and a Policy Server consisting of a User-Space Security Server and a Policy Management Server ("Load User Policy"); in kernel space, the SELinux filesystem, Policy Management Interface, Access Vector Cache and Security Server (Policy Rules and Access Decision Logic). Arrows labeled "Cache Miss?" and "Yes or No?".]

34 Policy Language
[Figure taken from SELinux by Example. Policy source modules (Type Enforcement statements: types, TE rules, roles, users; constraints; resource labeling specifications; classes and permissions) are assembled with make, scripts, M4, and so on into policy.conf, compiled by checkpolicy into a binary policy file, and loaded with load_policy through the SELinux filesystem into the SELinux LSM Module's Security Server (Policy Rules and Access Decision Logic) and Access Vector Cache.]

35 Object Classes
- Represents resources of a certain kind.
- The policy must include declarations for all object classes.
- Classes:
  - File related (blk_file, chr_file, dir, fd, …)
  - Network related (socket, packet_socket, rawip_socket, …)
  - IPC related (ipc, msg, msgq, sem, shm)
  - Misc classes (capability, process, security, system)

36 Permissions
- Specific to a particular object class.
- Includes traditional Linux permissions.
- Extends existing permissions to be finer grained.
- Includes SELinux-specific permissions for labeling.

37 Type Enforcement
Several major keywords: type, attribute, typeattribute, typealias, allow, dontaudit, auditallow, neverallow.

38 Type Enforcement
    attribute file_type;
    attribute httpdcontent;

    # These two statements...
    type httpd_user_content_t;
    typeattribute httpd_user_content_t file_type, httpdcontent;
    # are equivalent to this one
    type httpd_user_content_t, file_type, httpdcontent;

    # These two statements...
    type mozilla_t, domain;
    typealias mozilla_t alias netscape_t;
    # are equivalent to this one
    type mozilla_t alias netscape_t, domain;

39 Type Enforcement
    rule_name src_type_set target_type_set : class_set perm_set;

    # valid
    allow user_t bin_t : file { read getattr };
    allow user_t bin_t : dir { read getattr search };
    # invalid, since file does not have a search permission
    allow user_t bin_t : { file dir } { read getattr search };

    # don't audit when this access is denied
    dontaudit httpd_t etc_t : dir search;
    # audit when this access is allowed
    # (by default, allowed access is not audited)
    auditallow domain shadow_t : file write;
    # this access may never be allowed by any rule
    neverallow user_t shadow_t : file write;

    # every permission of the file and dir classes
    allow user_t bin_t : { file dir } *;
    # every file permission except the three listed
    allow user_t bin_t : file ~{ write setattr ioctl };

40 Type Enforcement
Type transitions: type_transition, type_change

    # These two statements...
    type_transition user_t passwd_exec_t : process passwd_t;
    type_transition sysadm_t passwd_exec_t : process passwd_t;
    # are equivalent to this one
    type_transition { user_t sysadm_t } passwd_exec_t : process passwd_t;

    # This domain transition rule...
    type_transition init_t apache_exec_t : process apache_t;
    # would require at least the following 3 allow rules to succeed
    allow init_t apache_exec_t : file execute;
    allow init_t apache_t : process transition;
    allow apache_t apache_exec_t : file entrypoint;
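The access-vector rules of slides 17, 18, 39 and 40, worked as a small evaluator. This Python example is added here; it is not the presentation's code and not libsepol or the kernel AVC. It parses the rule forms shown on the slides (allow, dontaudit, auditallow, neverallow and type_transition, with {...} sets, * and ~{...}), decides access and audit the way slide 39 describes, checks neverallow assertions against the allow rules, and reports which of the three allow rules a domain transition still lacks. CLASS_PERMS is a constructed subset of the real object-class table, attributes such as "domain" are not resolved (the policy text uses concrete types), and the insmod configuration on slides 45 to 48 is the same three-rule pattern with the older permission names.

```python
"""Evaluator for SELinux type-enforcement rules and domain transitions.
Added example, not from the slides; CLASS_PERMS is a constructed subset."""
import re

CLASS_PERMS = {  # constructed subset of the object classes and their permissions
    "file": {"read", "write", "getattr", "setattr", "ioctl", "execute", "entrypoint"},
    "dir": {"read", "write", "getattr", "setattr", "ioctl", "search"},
    "process": {"transition", "fork", "signal"},
}
AV_KINDS = ("allow", "dontaudit", "auditallow", "neverallow")
_TOKEN = re.compile(r"~?\{[^}]*\}|[^\s{}:]+|:")


def _names(tok):
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    return tok.strip("{} ").split() if tok.startswith("{") else [tok]


def _perms(tok, cls):
    """Expand a permission set for one class: * is all, ~{...} is all but."""
    if cls not in CLASS_PERMS:
        raise ValueError(f"unknown object class {cls!r}")
    all_perms = CLASS_PERMS[cls]
    if tok == "*":
        return set(all_perms)
    if tok.startswith("~"):
        return all_perms - set(_names(tok[1:]))
    perms = set(_names(tok))
    unknown = perms - all_perms
    if unknown:
        raise ValueError(f"class {cls!r} has no permission(s) {sorted(unknown)}")
    return perms


def parse_policy(text):
    """{'allow': {(src, tgt, cls, perm)...}, ..., 'type_transition': {(src, tgt, cls): new}}."""
    policy = {kind: set() for kind in AV_KINDS}
    policy["type_transition"] = {}
    for stmt in re.sub(r"#[^\n]*", "", text).split(";"):   # strip comments first
        toks = _TOKEN.findall(stmt)
        if not toks:
            continue
        if len(toks) != 6 or toks[3] != ":" or toks[0] not in policy:
            raise ValueError(f"cannot parse {' '.join(stmt.split())!r}")
        kind, srcs, tgts, _, classes, last = toks
        for cls in _names(classes):
            for src in _names(srcs):
                for tgt in _names(tgts):
                    if kind == "type_transition":
                        policy[kind][(src, tgt, cls)] = last
                    else:
                        for perm in _perms(last, cls):
                            policy[kind].add((src, tgt, cls, perm))
    return policy


def check(policy, src, tgt, cls, perm):
    """(allowed, audited): denials are logged unless dontaudit says otherwise,
    grants are silent unless auditallow asks for them."""
    key = (src, tgt, cls, perm)
    if key in policy["allow"]:
        return True, key in policy["auditallow"]
    return False, key not in policy["dontaudit"]


def neverallow_violations(policy):
    """allow rules that contradict a neverallow assertion."""
    return policy["neverallow"] & policy["allow"]


def missing_transition_rules(policy, src, exec_type, new_domain):
    """The three allow rules a domain transition needs (slides 18 and 40);
    an empty list means the transition can succeed."""
    needed = [(src, exec_type, "file", "execute"),
              (src, new_domain, "process", "transition"),
              (new_domain, exec_type, "file", "entrypoint")]
    return [rule for rule in needed if rule not in policy["allow"]]


def default_transition(policy, src, exec_type):
    """Domain a process in src lands in when it executes exec_type, or None."""
    return policy["type_transition"].get((src, exec_type, "process"))


POLICY = """  # constructed policy text assembled from the slides' rules
allow user_t bin_t : file { read getattr };
allow user_t bin_t : dir *;
allow user_t bin_t : file ~{ write setattr ioctl };
dontaudit httpd_t etc_t : dir search;
allow passwd_t shadow_t : file write;
auditallow passwd_t shadow_t : file write;
neverallow user_t shadow_t : file write;
allow user_t passwd_exec_t : file { getattr execute };
allow passwd_t passwd_exec_t : file entrypoint;
allow user_t passwd_t : process transition;
type_transition { user_t sysadm_t } passwd_exec_t : process passwd_t;
type_transition init_t apache_exec_t : process apache_t;
allow init_t apache_exec_t : file execute;
allow init_t apache_t : process transition;
# the apache_t entrypoint rule is deliberately left out
"""

if __name__ == "__main__":
    pol = parse_policy(POLICY)
    print(check(pol, "user_t", "bin_t", "file", "write"))
    print(missing_transition_rules(pol, "init_t", "apache_exec_t", "apache_t"))
```

Run as a script it shows a denied, audited write and the one rule the init_t to apache_t transition still needs; feeding it the slide's invalid rule raises because the file class has no search permission.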

41 RBAC
- Adds 2 components to the security context: user and role.
- Adds 3 policy language keywords:
  - allow (different than the AVC allow)
  - role_transition (similar to type_transition)
  - dominance

42 RBAC Example
    # valid security context
    joe:user_r:passwd_t

    # role user_r assigned to user joe
    user joe roles { user_r };
    # types that the user_r role may be associated with
    role user_r types { user_t passwd_t };

    # role allow rule: staff_r may change to sysadm_r
    allow staff_r sysadm_r;
    # role transition: executing an http_exec_t file from sysadm_r lands in system_r
    role_transition sysadm_r http_exec_t system_r;

    # super_r inherits all types from sysadm_r and secadm_r
    dominance { role super_r { role sysadm_r; role secadm_r; } }
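The RBAC declarations of slides 41 and 42, worked as a checker. This Python example is added here and is not the presentation's code or libsepol: it parses user, role, role allow, role_transition and dominance declarations and answers whether a user:role:type context is authorized, whether a role change is permitted, and which role an execution lands in. The declarations are the slide's plus constructed extras (the user root and the roles staff_r, secadm_r and system_r with constructed types); the model is deliberately simplified.

```python
"""Checker for SELinux RBAC declarations (user, role, allow, role_transition,
dominance). Added example, not from the slides or any SELinux library."""
import re

_DOMINANCE = re.compile(r"dominance\s*\{\s*role\s+(\w+)\s*\{([^}]*)\}\s*\}")
_USER = re.compile(r"user (\w+) roles (\{[^}]*\}|\w+)")
_ROLE = re.compile(r"role (\w+) types (\{[^}]*\}|\w+)")
_ROLE_ALLOW = re.compile(r"allow (\w+) (\w+)")
_ROLE_TRANS = re.compile(r"role_transition (\w+) (\w+) (\w+)")


def _names(tok):
    return set(tok.strip("{} ").split())


def parse_rbac(text):
    rbac = {"users": {}, "roles": {}, "role_allow": set(), "role_trans": {}}
    text = re.sub(r"#[^\n]*", "", text)
    dominances = _DOMINANCE.findall(text)   # pulled out first: the block contains ';'
    text = _DOMINANCE.sub("", text)
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())        # normalise whitespace
        if not stmt:
            continue
        if m := _USER.fullmatch(stmt):
            rbac["users"][m[1]] = _names(m[2])
        elif m := _ROLE.fullmatch(stmt):
            rbac["roles"].setdefault(m[1], set()).update(_names(m[2]))
        elif m := _ROLE_ALLOW.fullmatch(stmt):
            rbac["role_allow"].add((m[1], m[2]))
        elif m := _ROLE_TRANS.fullmatch(stmt):
            rbac["role_trans"][(m[1], m[2])] = m[3]
        else:
            raise ValueError(f"cannot parse RBAC statement {stmt!r}")
    # dominance: the dominating role inherits every type of the roles it lists
    for dominating, body in dominances:
        inherited = rbac["roles"].setdefault(dominating, set())
        for sub in re.findall(r"role\s+(\w+)", body):
            inherited |= rbac["roles"].get(sub, set())
    return rbac


def valid_context(rbac, ctx):
    """(ok, reason) for a user:role:type context."""
    user, role, typ = ctx.split(":")[:3]
    if user not in rbac["users"]:
        return False, f"user {user} is not declared"
    if role not in rbac["users"][user]:
        return False, f"user {user} is not authorized for role {role}"
    if typ not in rbac["roles"].get(role, set()):
        return False, f"role {role} is not authorized for type {typ}"
    return True, "ok"


def role_change_allowed(rbac, from_role, to_role):
    """RBAC allow: may a process change from one role to another (as newrole does)?"""
    return from_role == to_role or (from_role, to_role) in rbac["role_allow"]


def role_after_exec(rbac, role, exec_type):
    """role_transition: the role a process has after executing exec_type."""
    return rbac["role_trans"].get((role, exec_type), role)


RBAC = """
# slide 42
user joe roles { user_r };
role user_r types { user_t passwd_t };
allow staff_r sysadm_r;
role_transition sysadm_r http_exec_t system_r;
dominance { role super_r { role sysadm_r; role secadm_r; }}
# constructed extras so the checks have something to compare against
user root roles { staff_r sysadm_r super_r };
role staff_r types { staff_t passwd_t };
role sysadm_r types { sysadm_t passwd_t };
role secadm_r types { secadm_t };
role system_r types { httpd_t };
"""

if __name__ == "__main__":
    rbac = parse_rbac(RBAC)
    print(valid_context(rbac, "joe:user_r:passwd_t"))
    print(valid_context(rbac, "joe:sysadm_r:sysadm_t"))
    print(sorted(rbac["roles"]["super_r"]))
```

The context check mirrors the slide's layering: the user must be authorized for the role, and the role for the type; dominance is resolved once, after all role declarations are known, so it does not depend on declaration order.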

43 Multilevel Security
- The policy declares levels and categories.
- The policy applies constraints on objects and permissions with the MLS dominance keywords ==, !=, eq, dom, domby, incomp, e.g.:
    mlsconstrain file { create relabelto } ( l2 eq h2 );
- mlsvalidatetrans constrains transitions between levels.
- Still requires a lot of work.
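The MLS dominance relation of slide 28 and the mlsconstrain keywords of this slide, worked as an evaluator. This Python example is added here and is not the presentation's code or the kernel's MLS implementation: a level is (sensitivity, category set), one level dominates another when its sensitivity is at least as high and its categories are a superset, and constraint expressions combine the slide's operators with and/or/not. The slide's ( l2 eq h2 ) rule is kept as is; the read and write rules are constructed from Bell-LaPadula (no read up, no write down), and trusted_t is a constructed type name standing in for the trusted subjects of slide 28.

```python
"""SELinux MLS levels, dominance and mlsconstrain evaluation.
Added example, not from the slides; read/write constraints are constructed."""
import re
from collections import namedtuple

Level = namedtuple("Level", "sens cats")                  # int, frozenset of ints
Context = namedtuple("Context", "user role type low high")


def level(sens, *cats):
    """level(2, 0, 1) stands for s2:c0,c1."""
    return Level(sens, frozenset(cats))


def dom(a, b):
    """a dominates b: higher-or-equal sensitivity and a superset of categories."""
    return a.sens >= b.sens and a.cats >= b.cats


LEVEL_OPS = {
    "eq": lambda a, b: a == b,
    "dom": dom,
    "domby": lambda a, b: dom(b, a),
    "incomp": lambda a, b: not dom(a, b) and not dom(b, a),
}
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Expr:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | operand op operand."""

    def __init__(self, text, env):
        self.toks, self.i, self.env = _TOKEN.findall(text), 0, env

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self._peek() == "or":
            self._take()
            rhs = self.term()
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self._peek() == "and":
            self._take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self._take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return value
        op, rhs = self._take(), self._take()
        if op in LEVEL_OPS:                     # l1 dom l2, l2 eq h2, ...
            return LEVEL_OPS[op](self.env[tok], self.env[rhs])
        if op in ("==", "!="):                  # u1 == u2, t1 == some_t (literal), ...
            lhs_v, rhs_v = self.env.get(tok, tok), self.env.get(rhs, rhs)
            return (lhs_v == rhs_v) if op == "==" else (lhs_v != rhs_v)
        raise ValueError(f"unknown operator {op!r}")


_CONSTRAINT = re.compile(r"mlsconstrain (\{[^}]*\}|\w+) (\{[^}]*\}|\w+) \((.*)\)")


def parse_constraints(text):
    """[(classes, permissions, expression), ...]"""
    rules = []
    for stmt in re.sub(r"#[^\n]*", "", text).split(";"):
        stmt = " ".join(stmt.split())
        if not stmt:
            continue
        m = _CONSTRAINT.fullmatch(stmt)
        if not m:
            raise ValueError(f"cannot parse {stmt!r}")
        rules.append((set(m[1].strip("{} ").split()), set(m[2].strip("{} ").split()), m[3]))
    return rules


def mls_permitted(rules, cls, perm, subj, obj):
    """True unless some constraint covering (cls, perm) evaluates to false."""
    env = {"u1": subj.user, "r1": subj.role, "t1": subj.type, "l1": subj.low, "h1": subj.high,
           "u2": obj.user, "r2": obj.role, "t2": obj.type, "l2": obj.low, "h2": obj.high}
    return all(_Expr(expr, env).expr()
               for classes, perms, expr in rules if cls in classes and perm in perms)


CONSTRAINTS = """
# slide 43: a file's high level must equal its low level when created or relabelled
mlsconstrain file { create relabelto } ( l2 eq h2 );
# constructed: no read up
mlsconstrain file { read getattr } ( l1 dom l2 );
# constructed: no write down, unless the subject runs as the (constructed) trusted_t type
mlsconstrain file { write append } (( l1 domby l2 ) or ( t1 == trusted_t ));
"""
```

A permission with no covering constraint is permitted by the MLS layer (TE still has to allow it); the subject's current level is l1 and its clearance h1, so a ranged subject is exactly one where h1 dominates l1 strictly.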

44 Conditional Policies
- Allows enabling/disabling portions of the policy.
- Booleans are defined in the policy.
- Logical operations allowed: &&, ||, ^, !, ==, !=.
- Does not support nested conditionals.
- Booleans are modified through special applications or SELinuxfs.
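The conditional-policy operators on this slide, worked as an expression evaluator over flat if/else blocks. This Python example is added here and is not the presentation's code or checkpolicy: it parses bool declarations and if (expr) { ... } else { ... } blocks, evaluates the listed operators, and reports which rules are active for a given set of boolean values, as they would be after a setbool. The operator precedence used (== and != tightest, then !, then &&, ^ and || loosest) is an assumption about checkpolicy's grammar; nested conditionals are rejected because the slide says they are unsupported; the boolean and type names in the sample are constructed.

```python
"""SELinux conditional-policy expressions and if/else blocks.
Added example, not from the slides; precedence order is an assumption."""
import re

_TOKEN = re.compile(r"&&|\|\||\^|==|!=|!|\(|\)|\w+")


class _Cond:
    """Precedence climbing, loosest to tightest: || , ^ , && , ! , == and !=."""

    def __init__(self, expr, values):
        self.toks, self.i, self.values = _TOKEN.findall(expr), 0, values

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def _chain(self, operand, ops):
        """Left-associative chain of one precedence level."""
        value = operand()
        while self._peek() in ops:
            op = self._take()
            rhs = operand()
            value = {"||": value or rhs, "^": value != rhs, "&&": value and rhs,
                     "==": value == rhs, "!=": value != rhs}[op]
        return value

    def or_expr(self):
        return self._chain(self.xor_expr, ("||",))

    def xor_expr(self):
        return self._chain(self.and_expr, ("^",))

    def and_expr(self):
        return self._chain(self.not_expr, ("&&",))

    def not_expr(self):
        if self._peek() == "!":
            self._take()
            return not self.not_expr()
        return self._chain(self.primary, ("==", "!="))

    def primary(self):
        tok = self._take()
        if tok == "(":
            value = self.or_expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return value
        if tok in ("true", "false"):
            return tok == "true"
        if tok not in self.values:
            raise ValueError(f"undeclared boolean {tok!r}")
        return self.values[tok]

    def evaluate(self):
        value = self.or_expr()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return value


def eval_cond(expr, values):
    return _Cond(expr, values).evaluate()


_BOOL = re.compile(r"bool\s+(\w+)\s+(true|false)\s*;")
_BODY = r"((?:[^{}]|\{[^{}]*\})*)"            # rule text, allowing { perm sets }
_IF = re.compile(r"if\s*\((.*?)\)\s*\{" + _BODY + r"\}(?:\s*else\s*\{" + _BODY + r"\})?", re.S)


def _rules(body):
    return [" ".join(r.split()) for r in body.split(";") if r.strip()]


def parse_conditional(text):
    """(default boolean values, [(condition, then_rules, else_rules), ...])"""
    text = re.sub(r"#[^\n]*", "", text)
    values = {name: val == "true" for name, val in _BOOL.findall(text)}
    blocks = []
    for cond, then_body, else_body in _IF.findall(text):
        if re.search(r"\bif\b", then_body + else_body):
            raise ValueError("nested conditionals are not supported")
        blocks.append((cond.strip(), _rules(then_body), _rules(else_body)))
    return values, blocks


def active_rules(values, blocks, overrides=None):
    """Rules enabled once the given boolean overrides (e.g. from setbool) apply."""
    current = {**values, **(overrides or {})}
    active = []
    for cond, then_rules, else_rules in blocks:
        active.extend(then_rules if eval_cond(cond, current) else else_rules)
    return active


POLICY = """  # constructed sample; names modelled on reference-policy style
bool httpd_enable_homedirs false;
bool httpd_read_user_content true;
if (httpd_enable_homedirs && httpd_read_user_content) {
    allow httpd_t user_home_t : file { read getattr };
} else {
    dontaudit httpd_t user_home_t : file { read getattr };
}
if (!(httpd_enable_homedirs == httpd_read_user_content)) {
    auditallow httpd_t user_home_t : dir search;
}
"""
```

With the defaults the first block contributes its else branch and the second its then branch; overriding httpd_enable_homedirs to true flips both, which is the effect a setbool has on a running policy.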

45 Configuration for running insmod
- Figure 4 shows a portion of the policy configuration that allows the administrator domain (sysadm_t) to run the insmod program to insert kernel modules.
- The insmod program is labeled with the insmod_exec_t type and runs in the insmod_t domain.

46 Figure 4: Configuration for running insmod

47 Configuration for running insmod
    allow sysadm_t insmod_exec_t : file x_file_perms;
allows the sysadm_t domain to run the insmod program.
    allow sysadm_t insmod_t : process transition;
allows the sysadm_t domain to transition to the insmod_t domain.
    allow insmod_t insmod_exec_t : process { entrypoint execute };
allows the insmod_t domain to be entered by the insmod program and to execute code from this program.

48 Configuration for running insmod
    allow insmod_t sysadm_t : fd inherit_fd_perms;
allows the insmod_t domain to inherit and use file descriptors from the sysadm_t domain.
    allow insmod_t self : capability sys_module;
allows the insmod_t domain to use the CAP_SYS_MODULE capability.
    allow insmod_t sysadm_t : process sigchild;
allows the insmod_t domain to send the SIGCHLD signal to sysadm_t when it exits.

49 Reference Policy
- Maintained by NSA and the FC mailing lists.
- Compiles into three versions: strict, targeted, MLS.
- Stats (version .18):
  - Object classes: 55
  - Common permissions: 3; permissions: 205
  - Types: 1589
  - allow: 372755; auditallow: 12; dontaudit: 238663
  - type_transition: 2657; type_change: 68
  - roles: 6; RBAC allow: 6; role_transition: 97; users: 3
  - bools: 70


69 Components
- checkpolicy
- libselinux
- libsemanage
- libsepol
- policycoreutils


71 libselinux
- Used by SELinux-aware applications.
- Houses the user space AVC.
- Contains functions to:
  - calculate AVCs
  - get/set/create contexts
  - query the policy engine

72 libsemanage
- Used to query and configure the state of a running system.
- Provides functions to query/modify:
  - login names
  - users
  - network ports/interfaces
  - file contexts
  - level translations
  - roles
  - etc.


74 SELinuxfs
- Interface between userspace and the kernel.
- Used by libselinux and libsemanage to communicate requests with the kernel.
- Provides a quick and easy interface for humans.
- Usually not used directly from programs.

75 policycoreutils
SELinux management and policy analysis tools: audit2allow, audit2why, load_policy, newrole, restorecon, semanage, semodule, sestatus, setbool, etc.

76 Distributions
- Fedora Core 3 and later
- Debian
- Gentoo
- SuSE
- SE-BSD
- SE-MACH

77 Installation
- Where to get the copy? Free download from http://www.nsa.gov/selinux/
- Components of the SELinux distribution:
  - Patches to the Linux kernel (based on kernel 2.4.18)
  - Patches to a number of standard tools and utilities, support files, and documentation

78 Installation
- Need to have an existing Red Hat Linux; Red Hat 7.2 or later is better.
- SELinux does not provide a modified xdm/gdm/kdm to set the security context for the user session.
- Environment we use: Red Hat 7.3

79 Installation
- Download the installation package (lsm-2.4-selinux-2002053110.tgz).
- Unzip the file; we get two folders: /lsm2.4 and /selinux.
- The quick installation steps are as follows.

80 Installation
- Edit policy/users for your users. Be sure to authorize at least one user for the system administrator role (sysadm_r).
- Edit the default_context and cron_context files in utils/appconfig for your users. A security context has the syntax user:role:domain or user:role:type, e.g. root:sysadm_r:sysadm_t or root:user_r:user_t.

81 Installation
- Edit policy/file_contexts/{types.fc,program/*.fc} for your site. Check the pathnames against your file system layout.
- Ensure that your current configuration is not set up to run an X Display Manager (xdm, gdm, kdm). The default runlevel specified in /etc/inittab should be runlevel 3 (full multiuser mode).

82 Installation
- Perform the quick install:
    make quickinstall
- When the kernel configuration menu is displayed, configure the kernel for your hardware as appropriate.
- Configure your boot manager to boot the SELinux kernel, e.g. if you use the LILO boot manager, configure /etc/lilo.conf and run /sbin/lilo.

83 Installation
- Boot the SELinux kernel and log in in the sysadm_r role and sysadm_t domain (e.g. using "root").
- Run setfiles again to ensure that files created by the old kernel during the shutdown are properly labeled:
    cd policy
    make relabel
- Add /usr/local/selinux/bin and /usr/local/selinux/sbin to your path for the modified utilities.

84 Installation
After installation, we can try the following commands to see if it is installed correctly:
- ps -e --context: the second column should show the security context of each process, with the syntax user:role:domain or user:role:type.
- ls --context /: the fourth column should show the security context of each file or directory in /.

85 Installation
    # ps -e --context
    PID   SID  CONTEXT                          COMMAND
      1     7  system_u:system_r:init_t         init [3]
      2     7  system_r:system_r:init_t         [keventd]
    ...
    855   245  system_u:system_r:local_login_t  login --root
    856   244  system_u:system_r:getty_t        /sbin/mingetty tty2
    857   244  system_u:system_r:getty_t        /sbin/mingetty tty3
    858   244  system_u:system_r:getty_t        /sbin/mingetty tty4
    859   244  system_u:system_r:getty_t        /sbin/mingetty tty5
    860   244  system_u:system_r:getty_t        /sbin/mingetty tty6
    863   246  root:sysadm_r:sysadm_t           -bash
    910   246  root:sysadm_r:sysadm_t           ps -e --context

86 Installation
    # ls --context /
    drwxr-xr-x  root  root  system_u:object_r:bin_t          bin
    drwxr-xr-x  root  root  system_u:object_r:boot_t         boot
    drwxr-xr-x  root  root  system_u:object_r:device_t       dev
    drwxr-xr-x  root  root  system_u:object_r:etc_t          etc
    drwxr-xr-x  root  root  system_u:object_r:user_home_t    home
    drwxr-xr-x  root  root  system_u:object_r:file_t         initrd
    drwxr-xr-x  root  root  system_u:object_r:lib_t          lib
    drwxr-xr-x  root  root  system_u:object_r:lost_found_t   lost+found
    drwxr-xr-x  root  root  system_u:object_r:file_t         misc
    drwxr-xr-x  root  root  system_u:object_r:file_t         mnt
    drwxr-xr-x  root  root  system_u:object_r:file_t         opt
    dr-xr-xr-x  root  root  system_u:object_r:proc_t         proc
    drwxr-x---  root  root  system_u:object_r:sysadm_home_t  root
    drwxr-xr-x  root  root  system_u:object_r:sbin_t         sbin
    drwxrwxrwx  root  root  system_u:object_r:tmp_t          tmp
    drwxr-xr-x  root  root  system_u:object_r:usr_t          usr
    drwxr-xr-x  root  root  system_u:object_r:var_t          var

87 Customizing the policy
What we can do:
- Adding users
- Adding permissions
- Adding programs to an existing domain
- Creating a new domain
- Creating a new type
- Creating a new role

88 Customizing the policy
Adding users. If we want to add a user steve to the system who should be authorized for both the user_r and sysadm_r roles:
- Add an entry to the policy/users file:
    user steve roles { user_r sysadm_r };
- Run make load to reload the policy.

89 Customizing the policy
Adding programs to an existing domain:
- Locate an appropriate domain by examining the existing program domains under policy/domains/program, and by examining how existing programs are associated with the executable types for those domains in policy/file_contexts/program.
- Relabel the program:
    # make relabel

90 Customizing the policy
Creating a new role:
- Create a new domain to be used as the initial login domain for the role.
- Define the role declaration in policy/rbac.
- Reload the policy:
    # make load
- Add an entry for the role in /etc/security/default_type.

91 References
- SELinux installation help
- Stephen Smalley, "Configuring the SELinux Policy", 2002
- Stephen Smalley and Timothy Fraser, "A Security Policy Configuration for the Security-Enhanced Linux", 2001
- http://www.nsa.gov/selinux

92 References
- National Security Agency. Security Enhanced Linux, December 8, 2004. http://www.nsa.gov/selinux/index.cfm
- Thompson, Kerry. The UnOfficial SELinux FAQ, June 15, 2004. http://www.crypt.gen.nz/selinux/faq.html
- Wade, Karsten. Fedora Core 3 SELinux FAQ, November 9, 2004. http://fedora.redhat.com/docs/selinux-faq-fc3/index.html
- Smalley, Stephen. Configuring the SELinux Policy, February 2002, revised January 2003. NAI Labs.
- Secure Computing Corporation. The Origin of Sidewinder® G2 Firewall, December 8, 2004. http://www.securecomputing.com/index.cfm?skey=1024

93 References
- OSDGroup LLC. Module 13 – SELinux Overview, December 8, 2004. http://www.bradfordlearning.com/en/courseware/sample_chapters/se_linux_sample_chapter.pdf
- SourceFORGE.net. SELinux Background, December 8, 2004. http://selinux.sourceforge.net/background.php3
- Hallyn, Serge Edward. Domain and Type Enforcement in Linux. The College of William and Mary in Virginia.
- Bleher, Thomas. Source file: domains/program/apache.te (patch), November 30, 2004.

94 More Information
- SELinux homepage: www.nsa.gov/selinux
- SELinux mailing list: http://www.nsa.gov/selinux/info/list.cfm?MenuID=41.1.1.9
- Red Hat SELinux mailing list: http://www.redhat.com/mailman/listinfo/fedora-selinux-list
- Fedora SELinux wiki: http://fedoraproject.org/wiki/SELinux

