Published by Britton O’Neal. Modified over 9 years ago.
1
Security-Enhanced Linux
Eric Harney
CPSC 481
2
What is SELinux?
● Developed by NSA
  – Released in 2000
● Adds additional security capabilities to Linux
● Maintains compatibility with existing software
● “Designed to enforce separation of information based on confidentiality and integrity requirements.”
● Open source
  – GPL
3
Mandatory Access Control
● Exists on top of traditional Unix DAC
● Administrator defines a policy
● Kernel enforces this policy
  – Doesn't trust the application
  – Doesn't trust the user
4
Role-Based Access Control
● Users are assigned to one or more roles
● Roles indicate which type domains a user may access
  – Similar to traditional Unix uid
  – Used to separate privileges
  – Each daemon may have its own role
● Example roles include system_r, sysadm_r, user_r
● Role transitions must be defined
5
Type Enforcement
● Types are assigned to files
  – Designate categories of files
    ● Web server
    ● Database server
    ● Mail server
    ● Regular users
  – Stored in the file system
● Types are assigned to processes as domains
  – Domains are closely related to types
6
Principle of Least Privilege
● Reduces the power of the root account
  – Process running as root is still restricted
● Services cannot access each other's data
  – Compromising one service only allows access or damage to its own data
7
Policies
● A policy is a set of rules which specifies allowable behavior
● Strict versus targeted
  – Enumerating good versus bad behavior
  – No “default permit”
● Defines
  – Types for file objects
  – Domains for processes
  – Roles
  – User identities
● Highly configurable with booleans
8
Example Policy Statements
● Type enforcement
  – allow sshd_t sshd_exec_t:file { read execute entrypoint };
  – allow sshd_t sshd_tmp_t:file { create read write getattr setattr link unlink rename };
  – allow sshd_t user_t:process transition;
● Role definitions
  – role system_r types { kernel_t initrc_t getty_t klogd_t };
  – role user_r types { user_t user_netscape_t };
  – role sysadm_r types { sysadm_t run_init_t };
9
Benefits of SELinux
● Helps prevent damage from unknown or unpatched exploits
● Provides fine-grained access control to all parts of system
● Allows a customized level of security
10
Example Attack
● Apache web server running as root in the httpd_t domain
● Malicious user causes a buffer overflow in Apache and executes arbitrary code
● User directs Apache to fetch /etc/shadow and serve it to the web client
● File read passes DAC, but /etc/shadow is assigned type shadow_t
● Apache's httpd_t domain has no access to the shadow_t type, so access is denied
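Added example (not part of the original slides): a minimal model of the type-enforcement decision in the Example Attack slide, showing why a root-owned Apache process still cannot read /etc/shadow. It parses only simple single-type allow rules like those on the Example Policy Statements slide; the httpd_t rule, the function names and the dac_ok flag are assumptions made for the illustration, and real policy features such as attributes, type sets and neverallow are not modeled.

```python
import re

# Constructed sample policy: the sshd_t rules come from the "Example Policy
# Statements" slide; the httpd_t rule is an assumption made for this example.
POLICY = """
allow sshd_t sshd_exec_t:file { read execute entrypoint };
allow sshd_t sshd_tmp_t:file { create read write getattr setattr link unlink rename };
allow sshd_t user_t:process transition;
allow httpd_t httpd_sys_content_t:file { read getattr };
"""

# allow <source domain> <target type>:<object class> <perm> | { <perms> };
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_policy(text):
    """Return {(source_domain, target_type, object_class): set(permissions)}."""
    rules = {}
    for m in RULE.finditer(text):
        src, tgt, cls, perm_set, single = m.groups()
        perms = (perm_set if perm_set is not None else single).split()
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def te_allows(rules, domain, target_type, obj_class, perm):
    """Type enforcement: anything not explicitly allowed is denied."""
    return perm in rules.get((domain, target_type, obj_class), set())

def access(rules, dac_ok, domain, target_type, obj_class, perm):
    """MAC sits on top of DAC, so both checks must permit the operation."""
    return dac_ok and te_allows(rules, domain, target_type, obj_class, perm)

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    # Apache runs as root, so the DAC check on /etc/shadow passes (dac_ok=True),
    # but no rule grants httpd_t any permission on shadow_t files.
    print("httpd_t read shadow_t:", access(rules, True, "httpd_t", "shadow_t", "file", "read"))
    print("httpd_t read web content:", access(rules, True, "httpd_t", "httpd_sys_content_t", "file", "read"))
    print("sshd_t -> user_t transition:", access(rules, True, "sshd_t", "user_t", "process", "transition"))
```
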
11
Possible Attacks
● Kernel protection is not substantially increased
  – A buffer overflow in kernel space could still be disastrous
● An attacker compromising your login credentials still means game over
● SELinux policies are complex - an incorrectly written policy also means game over
12
Availability
● Included in standard mainline Linux kernel
● Only well supported by some distributions
  – Red Hat Enterprise Linux
  – Fedora
  – Gentoo (Hardened Gentoo)
● Will be evaluated for Common Criteria compliance in the future