By: Corey McClurg

solidseniorΔιακομιστές

9 Δεκ 2013 (πριν από 3 χρόνια και 8 μήνες)

88 εμφανίσεις

5/7/2007

CoreMcClug/SELinux

1

By: Corey McClurg

Outline


A History of SELinux


What is SELinux and how do I get it?


Getting Started


Mandatory Access Control (MAC)


Using Type Enforcement to provide access Control


Creating rules with example


Roles (RBAC)


Limiting CGI Scripts


Conclusion




5/7/2007

CoreMcClug/SELinux

2

A Brief History


Originally started by the Information Assurance
Research Group of the NSA, working with Secure
Computing Corporation.


Based on a strong, flexible mandatory access control
architecture based on Type Enforcement, a
mechanism first developed for the LOCK system


5/7/2007

CoreMcClug/SELinux

3

History cont.


Originally started as two prototypes: DTMach and
DTOS

which were eventually transferred over to the
Fluke research operating system


Eventually the architecture was enhanced and
renamed Flask. The NSA has now integrated the
Flask architecture with Linux (SELinux)


5/7/2007

CoreMcClug/SELinux

4

What is the Idea behind
SELinux
?


An example of how mandatory access controls can
be added into Linux (Confining the actions of a
process, including a superuser process)


The security mechanisms implemented in the
system provide flexible support for a wide range of
security policies.


Make it possible to configure the system to meet a
wide range of security requirements.


Documentation and source code is provided.

5/7/2007

CoreMcClug/SELinux

5

How do I get SELinux?


It comes as an installation option when you install a
number of Linux distributions.


The latest release is also available from the NSA
website
http://www.nsa.gov/selinux/code/download
-
stable.cfm

for download, along with documentation,
all of the different libraries and the policy compiler.

5/7/2007

CoreMcClug/SELinux

6

How do I get started?


The release includes a general
-
purpose security
policy configuration designed to meet a number of
security objectives, this can be used as an example
to go off of.


Due to the flexibility of the system, the security
policy can be modified and extended to customize
for any given installation.

5/7/2007

CoreMcClug/SELinux

7

Mandatory Access Control (MAC)


A means of restricting access to objects based on the
sensitivity of the information contained in the
objects and whether they are authorized to access
information of such sensitivity


Authorization is based on prerequisites being met,
resulting in an individual gaining access


Enables the ability to deny users full control over the
access to resources that they create


access control is based on the compatibility of the
security properties of the data and the clearance
properties of the individual

5/7/2007

CoreMcClug/SELinux

8

Type Enforcement


In order to grant access to something, an allow rule
must be created, such as:


allow user_t bin_t : file {read execute getattr};


This means a process with a domain type of user_t can read,
execute, or get attributes for a file object with a type of
bin_t, there is no significance in the “_t” portion.


This rule might be in a policy to allow users to execute shell
programs such as the bash shell (/bin/bash).

5/7/2007

CoreMcClug/SELinux

9

Using Type Enforcement

A domain transition is wanted, in order for this to
occur, 3 things must exist:


1. The process' new domain type has entrypoint




access to an executable file type.


2. The process' current (or old) domain type has



execute access to the entry point file type.


3. The process' current domain type has
transition



access to the new domain
type.


Example


Execute the command “ls
-
Z /usr/bin/passwd”


This will produce the
output:











-
r
-
s

x

x root root system_u:object_r:passwd_exec_t
/usr/bin/passwd


Using this provided information, we can then create TE rules to
have a domain transition.


Three rules are required to give the user the ability to do a domain
transition to the password file:


allow user_t passwd_exec_t : file {getattr execute};


Lets user_t execute an execve() system call on passwd_exec_t


allow passwd_t passwd_exec_t : file entrypoint;


This rule provides entrypoint access to the passwd_t domain,
entrypoint defines which executable files can “enter” a domain.


allow user_t passwd_t : process transition;


The original type (user_t) must have transition
permission to the new type (passwd_t) for the domain
transition to be allowed.

5/7/2007

CoreMcClug/SELinux

11

Example cont.


This isn't very useful by itself since the user would have to
specifically say that they want a domain transition. This is
where type transition rules are used.


To create a domain transition by default the following rule is
created:


type_transition

user_t

passwd_exec_t

: process
passwd_t
;


The
type_transition

rule indicates that by default on
an
execve
() system call, if the calling process'
domain type is
user_t

and the executable file's type
is
passwd_exec_t

a domain transition to a new
domain type (
passwd_t
) will be attempted


A
type_transition

rule causes a domain transition to be
attempted by default, but it does not allow it, that's
why the other 3 rules had to be created

5/7/2007

CoreMcClug/SELinux

12

Example cont.


What does this example accomplish?


It makes it so that the current user can change the
password in the shadow(encrypted password) file,
without these rules, this would not be possible even for
the root user. The user isn't able to access the file
directly though, they much access it through the
passwd file so they can't do anything else.

5/7/2007

CoreMcClug/SELinux

13

Another Option:


In addition to Type Enforcement, SELinux also
provides a form of role
-
based access control (RBAC).


Roles build on type enforcement to limit the types to
which a process may transition based on the role
identifier in the process' security context.


Using roles is just a way to be even more specific about
what access rights are given.

5/7/2007

CoreMcClug/SELinux

14

Limiting CGI scripts with
SELinux


There are types already defined in
SELinux

with different rights
given to them.


httpd_sys_script_ro_t


A CGI script may only read files and directories with this
type. Setting all
cgi

scripts to this other than
index.cgi

will
make it so only
index.cgi

can do more than read files and
directories


httpd_sys_script_exec_t


index.cgi

must be set to this since
httpd

cannot
execute any other types.


httpd_sys_script_rw_t


If a
cgi

script needs to be able to write, say to a
database, then it will need this right (read/write
access)

5/7/2007

CoreMcClug/SELinux

15

CGI cont.


In addition to limiting the access of CGI scripts
themselves, unless rules have been specifically
declared to give a user access to CGI scripts, no user
will be able to access them in the first place.


CGI scripts can be much more safe on an apache
server with SELinux implemented

5/7/2007

CoreMcClug/SELinux

16

Conclusion


When used properly, SELinux can make a system
much more secure


A user is confined to being able to do only what has
been defined in the SELinux policy.


There are a few different routes that can be used to
achieve the level of desired security using SELinux.

5/7/2007

CoreMcClug/SELinux

17

References


http://www.phptr.com/articles/article.asp?p=60658
6&seqNum=1&rl=1


http://www.nsa.gov/selinux/index.cfm


http://www.nsa.gov/selinux/papers/policy2.pdf


http://docs.fedoraproject.org/selinux
-
apache
-
fc3/sn
-
using
-
other
-
types.html

5/7/2007

CoreMcClug/SELinux

18