Selinux: Security Enhanced Linux

SELinux is a Linux kernel security module that implements mandatory access controls. It works by confining processes and files within domains that are assigned security contexts. These security contexts are used to enforce fine-grained access policies defined in SELinux policies. It provides an alternative to discretionary access controls for additional security. The key aspects of SELinux are its security contexts, types, the targeted policy, and enforcement of access controls through permissive and enforcing modes.
Copyright
© Attribution Non-Commercial (BY-NC)

SELinux

Security Enhanced Linux


Patience !!!
SELinux is a different way of handling access control than many
administrators and users are familiar with.
Agenda
• Introduction
• What is SELinux?
• Background
• Terminology
• Access Control Philosophies
• LSM Architecture
• SELinux Policy
• SELinux Modes
• Controlling SELinux
Introduction
• Wikipedia says:

“….Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.”
What is SELinux?
• A kernel-level MAC (Mandatory Access Control) implementation for Linux
• Originally commissioned and built by/for the NSA
• A headache for the uninitiated
• Very effective if done right
• Adopted into 2.6 kernel series
Background
1985: LOCK system (early Type Enforcement)
– Secure Ada project through Honeywell
1990: DTMach / DTOS
– DTMach: Mach-based prototype
– DTOS: Distributed Trusted Operating System
1995: Utah Fluke / Flask
– Fluke: University of Utah's research operating system
1999: 2.2 Linux kernel (patch)
2001: 2.4 Linux kernel (patch)
2002: LSM
2003: 2.6 Linux kernel (mainline)
2006: Full network labeling
Terminology
• Subject: A domain or process.
• Object: A resource (file, directory, socket, etc.).
• Types: A security attribute for files and other objects.
• Roles: A way to define what “types” a user can use.
• Identities: Like a username, but specific to SELinux.
• Contexts: A type, role and identity together form a “Context.”
Access Control Philosophies

DAC
• A traditional permission model
• The owner of a particular file can change the permissions of an object.
• Permissions can be changed at the discretion of the owner.
• Inherent security flaws
Access Control Philosophies

DAC

• Used to control access by restricting a subject's access to an object.

Subject: processes
Object: file, network socket

• A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights.
• There are really only two major categories of users: administrators and non-administrators.
• It is generally used to limit a user's access to a file.
• In this type of access control it is the owner of the file who controls other users' access to the file.

Ex: ls -l
-rw-rw-r-- 1 vmware vmware 2645 May 05 08:48 personnel.txt
Access Control Philosophies

MAC

• Access control decisions are not at the discretion of individual users or even system administrators.
• Allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects in SELinux).
• This is done through an administratively defined security policy over all processes and objects.
• MAC cannot be overridden by the owner of the object.
LSM architecture
SELinux Complete Diagram
SELinux Complete Diagram
1. The policy server gathers the security context from the subject and
object, and sends the pair of labels to the security server, which is
responsible for policy decision making.
2. The policy server first checks the AVC, and returns a decision to the
enforcement server.
3. If the AVC does not have a policy decision cached, it turns to the
security server, which uses the binary policy that is loaded into the kernel
during initialization. The AVC caches the decision, and returns the
decision to the policy server.
4. If the policy permits the subject to perform the desired operation on
the object, the operation is allowed to proceed.
5. If the policy does not permit the subject to perform the desired
operation, the action is denied, and one or more avc: denied messages
are logged to $AUDIT_LOG, which is typically /var/log/messages.
SELinux Complete Diagram
• Object management includes labeling objects with a security context and managing object labels in memory.
• Object managers obtain security policy decisions from the security server and apply those decisions to label and control access to their objects.
Type Enforcement
• Certain attributes are applied to all objects and subjects.
• These attributes are termed Security Contexts.
• Each process and file/directory/port on the system is assigned a Security Context, and the Type Enforcement policy allows or denies access based on those contexts.
Type Enforcement
• Security contexts are stored in extended attributes (xattrs) on ext2/ext3 filesystems.
• A typical SELinux security context is of the form:
User Identity:Role:Type/Domain

• Users (3 in number)
• Roles (6 in number)
• Types (1,513 in number)

• Any object or subject in the SELinux Policy installed on the system can have one of these user identities, one of the six roles and one of the available 1,513 types.
Targeted Policy
• To list user identities defined in the SELinux Targeted Policy:
# seinfo -u
Users: 3
system_u
root
user_u

• To check the available roles:
# seinfo -r
Roles: 6
staff_r
user_r
object_r
secadm_r
sysadm_r
system_r
SELinux Modes
• Disabled
SELinux is not implemented on the host.
A common choice during installation.

• Permissive
Similar to a debugging mode.
Policies and rules are applied to objects and subjects, but denials are only logged, not enforced.
Example:
If the SELinux policy would prevent the httpd subject from accessing the object folder /webdata on my system, implementing SELinux in Permissive mode would let the Apache web server access the folder /webdata but log a denial in the log files.

• Enforcing
SELinux in action.
All production servers, when hardened, should enable SELinux in Enforcing mode.
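As an added example (not from the slides), a toy Python model of the decision flow in the Complete Diagram steps 1 to 5 combined with the mode switch described on this slide: the AVC caches the security server's answer for a subject/object label pair, and a denial produces an avc: denied message in both modes but only blocks the operation in Enforcing mode. The POLICY dict is a constructed stand-in for the loaded binary policy.

```python
from dataclasses import dataclass, field

# Constructed toy policy (not the real targeted policy): allow rules keyed by
# (source type, target type, object class) -> permitted access vector.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
}


def context_type(ctx):
    """Return the type/domain field of a user:role:type[:level] context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


@dataclass
class SecurityServer:
    """Step 3 of the diagram: answers queries from the loaded policy."""
    policy: dict
    lookups: int = 0

    def compute_av(self, stype, ttype, tclass):
        self.lookups += 1
        return frozenset(self.policy.get((stype, ttype, tclass), ()))


@dataclass
class AVC:
    """Access Vector Cache between the object manager and the security server."""
    server: SecurityServer
    mode: str = "enforcing"            # "enforcing" or "permissive"
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def has_perm(self, scontext, tcontext, tclass, perm):
        # Step 1: the subject/object label pair is the lookup key; type
        # enforcement keys on the type field of each context only.
        key = (context_type(scontext), context_type(tcontext), tclass)
        # Step 2: consult the cache. Step 3: on a miss ask the security server
        # and cache its answer, so the next query for this pair costs nothing.
        if key not in self.cache:
            self.cache[key] = self.server.compute_av(*key)
        if perm in self.cache[key]:
            return True                    # step 4: policy permits the operation
        # Step 5: log an avc: denied message. Enforcing mode blocks the
        # operation; permissive mode logs the same message but lets it proceed.
        self.log.append(f"avc: denied {{ {perm} }} scontext={scontext} "
                        f"tcontext={tcontext} tclass={tclass}")
        return self.mode == "permissive"
```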
Controlling SELinux
getenforce:
Gets the current mode of SELinux.

Example:
# getenforce
Disabled

setenforce:
Modifies the mode SELinux is running in.
It toggles between Permissive and Enforcing mode when SELinux is enabled; it cannot switch a Disabled system on, which requires the config file and a reboot.

Example:
# setenforce 0
Activates Permissive mode.
# setenforce 1
Activates Enforcing mode.
Controlling SELinux
• sestatus:
Used to get the status of a system running SELinux.
Displays more information about the SELinux policy.

Example:
# sestatus

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
Controlling SELinux
You can also change the run parameters of the SELinux system through the selinuxfs mount:
# echo 1 > /selinux/enforce
Switches to Enforcing mode.
# echo 0 > /selinux/enforce
Returns to Permissive mode.
Understanding the targeted policy
• seinfo: to view the various rules defined in an SELinux policy
# seinfo
Understanding the targeted policy
• Default policy loaded on my system:
82,756 Allow Rules
1,399 Type Transition Rules
5,086 Don’t Audit Rules
Understanding the targeted policy
• Allow Rules
Specifically allow “access” to an “object” by a “subject”

Access defined by:
• Access permission – read, write, execute

Object defined by:
• The security context, called the target context (tcontext)
• The class of the object, called the target class (tclass)

Subject defined by:
• The security context, called the source context (scontext)
Understanding the targeted policy
• A typical allow rule
• Allow the web process (Apache server) to read the file /var/www/html/index.html
Evaluation factors:

Access permission required: read
Target context (tcontext): ls -Z /var/www/html/index.html
=> system_u:object_r:httpd_sys_content_t:s0
Target class (tclass): file
Source context (scontext): ps axZ | grep httpd
=> user_u:system_r:httpd_t:s0
Understanding the targeted policy
• Allow the source context user_u:system_r:httpd_t:s0 permission to read on the class file bearing a target context of system_u:object_r:httpd_sys_content_t:s0
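Added example, not from the slides: the avc: denied messages from step 5 of the Complete Diagram carry exactly the evaluation factors listed above (permission, scontext, tcontext, tclass). This Python parses such lines, splits each context into its user:role:type fields, and collapses the denials into the allow rules that would satisfy them, roughly what the real audit2allow tool does. The log lines in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the slides) in the kernel AVC format,
# plus one unrelated line that the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.101:42): avc:  denied  { read } for  pid=2031 comm="httpd" name="index.html" dev=dm-0 ino=39011 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1300000000.102:43): avc:  denied  { getattr } for  pid=2031 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=39011 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1300000000.103:44): avc:  denied  { name_bind } for  pid=2031 comm="httpd" src=8080 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Mar  5 08:48:01 host kernel: unrelated line that must be ignored
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:level] into its fields; the level may itself contain ':'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": ":".join(parts[3:]) or None}


def parse_denials(text):
    """Yield one dict per avc: denied line; lines without a denial are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {"perms": set(m["perms"].split()),
               "scontext": split_context(m["scontext"]),
               "tcontext": split_context(m["tcontext"]),
               "tclass": m["tclass"]}


def allow_rules(text):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for d in parse_denials(text):
        merged[(d["scontext"]["type"], d["tcontext"]["type"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

The output is a diagnosis of what the policy would have to grant, not a rule to load unreviewed; often the right fix is to relabel the object rather than widen the domain.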
