Lecture SELinuxRadhika

This document provides an overview of SELinux, including: - SELinux is an access control system that provides mandatory access controls on Linux systems. - It labels system resources and constrains processes using these labels to help prevent unintended information flows and privilege escalations. - Key components include security contexts, type enforcement with allow and neverallow rules, and information flow analysis to identify inconsistencies.

Uploaded by

Vikas Panwar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
46 views26 pages

Lecture SELinuxRadhika

This document provides an overview of SELinux, including: - SELinux is an access control system that provides mandatory access controls on Linux systems. - It labels system resources and constrains processes using these labels to help prevent unintended information flows and privilege escalations. - Key components include security contexts, type enforcement with allow and neverallow rules, and information flow analysis to identify inconsistencies.

Uploaded by

Vikas Panwar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

CS745: Principles of Data and System Security

SELinux

By
Radhika B S

Overview

● Linux Basics
● Linux DAC and its Drawbacks
● Linux Security Module
● SELinux

What is Linux?

● The Linux kernel: an open-source monolithic kernel that forms the core of
the operating system. It handles core OS functions such as memory management,
scheduling and access control.
● Linux distributions: operating systems built on the Linux kernel. Apart from
the kernel, they include components such as a shell, applications and a
graphical server.

Widespread use of Linux

● Used in devices ranging from smartphones, smartwatches and cars to servers
and supercomputers
● 99% of the supercomputers in the world run on Linux

Access Control Using Reference Monitor

subjects: active entities such as processes and users
objects: passive entities such as files and sockets

Traditional Access Control in Linux

Discretionary Access Control (DAC)

● Access decisions are taken based on the user's identity and the ownership of
the object

-rw-r--r-- 1 r r f1
-rw-r--r-- 1 root root f2

DAC Identifiers used in Access Control

● User: on creation, each user is assigned a unique identifier (uid) and one
or more groups identified by group ids (gid)
● Processes: when a user executes a program, the resulting process has the
following ids associated with it
○ User ID (uid): ID of the user who started the process
○ Effective User ID (euid): the user ID that is actually used to take the
access decision
○ Group ID (gid): group ID associated with the uid
○ Effective Group ID (egid): group ID associated with the effective user ID
● Files: each file is associated with an owner uid and a single gid

Drawbacks of DAC

● Permissions can be changed at the owner's discretion
● root is omnipotent
● Coarse-grained access control

Hands-on

● User ids, process ids and file ids
● Commands whoami, id
● DAC
● Permissions can be changed at the owner's discretion
● root is omnipotent
● Coarse-grained access control

Password Management in Linux

● Linux provides the passwd command to allow regular users to change their own
password and root to change any user's password
● passwd needs to access the file /etc/shadow, which stores the password hashes
● /etc/shadow is owned by root and only root can read/write it
● The passwd executable is also owned by root

[r@localhost bin]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 27872 usr/bin/passwd

Set-UID

● setuid is used with passwd to allow regular users to change their own
password
● When a regular user executes passwd, it runs with root privilege (the 's' in
the owner execute position of -rwsr-xr-x is the setuid bit)
● setuid programs are usually small and carefully verified

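As an added example (not from the lecture), a Python helper that decodes the mode column of the ls -l output above, so the 's' in -rwsr-xr-x can be read off mechanically, together with the same check done via stat(2) on a real path. The function names and the temporary-file demo are constructed for this illustration.

```python
import os
import stat
import tempfile

def decode_mode(mode_str):
    """Decode the mode column of `ls -l`, e.g. "-rwsr-xr-x." for passwd.
    In the owner/group execute slot, 's' means setuid/setgid AND execute,
    'S' means the bit is set but that class cannot execute the file; in the
    "other" slot 't'/'T' is the sticky bit. A trailing '.' (SELinux context
    present) or '+' (ACL present) is ignored."""
    m = mode_str.rstrip(".+")
    if len(m) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    owner_x, group_x, other_x = m[3], m[6], m[9]
    return {
        "type": {"-": "file", "d": "directory", "l": "symlink"}.get(m[0], m[0]),
        "setuid": owner_x in "sS",
        "setgid": group_x in "sS",
        "sticky": other_x in "tT",
        "owner_exec": owner_x in "xs",
        "group_exec": group_x in "xs",
        "other_exec": other_x in "xt",
        "world_writable": m[8] == "w",
    }

def runs_as_owner(path):
    """Same check against a real file via stat(2): returns (setuid_effective,
    owner_uid). The bit only matters if someone can execute the file; for
    passwd the owner is root, so callers get euid 0 while uid stays their own."""
    st = os.stat(path)
    executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return bool(st.st_mode & stat.S_ISUID and executable), st.st_uid

def demo_on_temp_file(setuid=True):
    """Constructed demo: create a temporary file owned by the caller, mark it
    setuid+executable (or plain 0644) and report what runs_as_owner() sees."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o4755 if setuid else 0o644)
        return runs_as_owner(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(decode_mode("-rwsr-xr-x."))
    print(demo_on_temp_file())
```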
Dirty COW attack

● Kernel vulnerability affecting Linux-based OSes, including Android
● Local privilege escalation caused by a race condition in the kernel's
copy-on-write handling
● The exploit turns a read-only mapping of a file into a writable one

Linux Security Module

● Recognising the need for better access control, several MAC-based systems
were developed
● Many of those solutions had a similar design approach
● LSM was developed to provide a framework for supporting a variety of custom
MAC implementations
● It exposes hooks for labeling and for access-control decision making
● Systems built on LSM include AppArmor, TOMOYO and Smack

Linux Security Module

(Figure: a user-level process in user space issues a system call; in kernel
space the DAC checks run first, then the LSM hook calls the LSM module, which
returns allow/deny)

SELinux

● MAC-based access control system developed by the NSA and made open source in
2001
● Provides confinement and helps in proactive security
● Has successfully protected systems against several zero-day attacks,
especially privilege escalation attacks such as Dirty COW and ShellShock
● Also used in Android as SEAndroid
● About 75% (1.5 billion) of the Android devices running today use SELinux in
enforcing mode. The Android project estimates that SELinux has reduced the
severity of almost half of their kernel bugs

Security Context

● Label attached to every subject and object; the type field is what type
enforcement checks

user:role:type[:levels]

Type Enforcement

● Related entities are grouped into types
● To access an object, the subject's type must be authorized to access the
object's type
● Provides flexible and fine-grained access control

Allow Rules

● By default, every access is denied
● This can be overridden by using allow rules

allow source target:class permissions

● Object class: category of kernel resources such as files, directories,
sockets etc. Each class has a set of associated actions (permissions)
● Domain: common term used for subject types

Example:

allow user_t bin_t : file {read execute getattr};

Neverallow Rules

● Have the same syntax as allow rules
● Enable the policy writer to specify allow rules that must never be added to
the policy
● Help in avoiding the accidental addition of unintended allow rules
● Checked during policy compilation
● If the policy contains an allow rule that contradicts a neverallow rule, the
compilation fails

Information Flow Analysis in SELinux

● A read permission lets information flow from the object's type into the
domain; a write permission lets it flow from the domain into the object's type
● Chaining such flows across rules reveals paths the policy writer may not
have intended

allow httpd_t user_t:file read;

allow httpd_t user_t:file write;

allow ping_t user_tty_device_t:chr_file write;
allow updpwd_t user_tty_device_t:chr_file read;
allow updpwd_t shadow_t:file write;

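As an added example (not from the lecture or the SELinux project), a small Python model of the type-enforcement semantics from the Allow, Neverallow and Information Flow slides: default-deny access checks, the compile-time neverallow conflict check, and a read/write flow analysis over the rules shown above. The parser, the helper names and the neverallow line in the sample policy are constructed; a real policy compiler handles far more syntax.

```python
import re
from collections import defaultdict

RULE = re.compile(r"^(allow|neverallow)\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+\{?([\w\s]+?)\}?\s*;?\s*$")

def parse_policy(text):
    """Return (allows, neverallows); each rule is (source, target, class, frozenset(perms))."""
    allows, nevers = [], []
    for line in (l.strip() for l in text.strip().splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m: raise ValueError("unparseable rule: " + line)
        kind, src, tgt, cls, perms = m.groups()
        (allows if kind == "allow" else nevers).append((src, tgt, cls, frozenset(perms.split())))
    return allows, nevers

def permitted(allows, source, target, cls, perm):
    """Default deny: allowed only if some allow rule grants exactly this permission."""
    return any((s, t, c) == (source, target, cls) and perm in p for s, t, c, p in allows)

def neverallow_conflicts(allows, nevers):
    """Compile-time check: allow rules granting a permission a neverallow forbids (non-empty => compilation fails)."""
    return [(a, n) for a in allows for n in nevers if a[:3] == n[:3] and a[3] & n[3]]

def flow_path(allows, start, goal):
    """Information flow: 'read' moves data object -> domain, 'write' moves it domain -> object.
    Breadth-first search returns the shortest chain of types from start to goal, or None."""
    edges = defaultdict(set)
    for s, t, _cls, perms in allows:
        if "read" in perms: edges[t].add(s)
        if "write" in perms: edges[s].add(t)
    queue, seen = [[start]], {start}
    while queue:
        path = queue.pop(0)
        if path[-1] == goal:
            return path
        for nxt in sorted(edges[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

# Constructed sample policy: the rules shown on the slides plus one neverallow.
POLICY = """allow user_t bin_t : file {read execute getattr};
allow ping_t user_tty_device_t:chr_file write;
allow updpwd_t user_tty_device_t:chr_file read;
allow updpwd_t shadow_t:file write;
neverallow user_t shadow_t:file {read write};"""
```

With this policy, flow_path finds ping_t -> user_tty_device_t -> updpwd_t -> shadow_t, the indirect path the slide's three rules create, while neverallow_conflicts stays empty until an allow rule touching shadow_t from user_t is added.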
Analysing Inconsistencies in SELinux using RWFM

SELinux Installation

● sudo /etc/init.d/apparmor stop
● sudo apt-get purge apparmor
● sudo apt-get update
● sudo reboot
● sudo apt-get install selinux selinux-basics selinux-policy-default auditd
● sudo reboot

