5/7/2007CoreMcClug/SELinux 1 By: Corey McClurg. Outline A History of SELinux What is SELinux and how...

5/7/2007 CoreMcClug/SELinux 1

By: Corey McClurg

OutlineA History of SELinuxWhat is SELinux and how do I get it?Getting StartedMandatory Access Control (MAC)Using Type Enforcement to provide access

ControlCreating rules with exampleRoles (RBAC)Limiting CGI ScriptsConclusion


A Brief HistoryOriginally started by the Information

Assurance Research Group of the NSA, working with Secure Computing Corporation.

Based on a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system


History cont.Originally started as two prototypes:

DTMach and DTOS which were eventually transferred over to the Fluke research operating system

Eventually the architecture was enhanced and renamed Flask. The NSA has now integrated the Flask architecture with Linux (SELinux)


What is the Idea behind SELinux?An example of how mandatory access controls

can be added into Linux (Confining the actions of a process, including a superuser process)

The security mechanisms implemented in the system provide flexible support for a wide range of security policies.

Make it possible to configure the system to meet a wide range of security requirements.

Documentation and source code is provided.


How do I get SELinux?It comes as an installation option when you

install a number of Linux distributions. The latest release is also available from the

NSA website http://www.nsa.gov/selinux/code/download-stable.cfm for download, along with documentation, all of the different libraries and the policy compiler.


How do I get started?The release includes a general-purpose

security policy configuration designed to meet a number of security objectives, this can be used as an example to go off of.

Due to the flexibility of the system, the security policy can be modified and extended to customize for any given installation.


Mandatory Access Control (MAC)A means of restricting access to objects based

on the sensitivity of the information contained in the objects and whether they are authorized to access information of such sensitivity

Authorization is based on prerequisites being met, resulting in an individual gaining access

Enables the ability to deny users full control over the access to resources that they create

access control is based on the compatibility of the security properties of the data and the clearance properties of the individual


Type EnforcementIn order to grant access to something, an

allow rule must be created, such as:allow user_t bin_t : file {read execute

getattr}; This means a process with a domain type of user_t

can read, execute, or get attributes for a file object with a type of bin_t, there is no significance in the “_t” portion.

This rule might be in a policy to allow users to execute shell programs such as the bash shell (/bin/bash).


Using Type EnforcementA domain transition is wanted, in order for

this to occur, 3 things must exist: 1. The process' new domain type has

entrypoint access to an executable file type.

2. The process' current (or old) domain type has execute access to the entry point file type.

3. The process' current domain type has transition access to the new domain type.

Example Execute the command “ls -Z /usr/bin/passwd”This will produce the output: -r-s—x—x root root

system_u:object_r:passwd_exec_t /usr/bin/passwdUsing this provided information, we can then create TE

rules to have a domain transition.Three rules are required to give the user the ability to do

a domain transition to the password file: allow user_t passwd_exec_t : file {getattr execute};allow user_t passwd_exec_t : file {getattr execute};

Lets user_t execute an execve() system call on passwd_exec_t

allow passwd_t passwd_exec_t : file entrypoint;allow passwd_t passwd_exec_t : file entrypoint; This rule provides entrypoint access to the passwd_t

domain, entrypoint defines which executable files can “enter” a domain.

allow user_t passwd_t : process transition;allow user_t passwd_t : process transition; The original type (user_t) must have transition

permission to the new type (passwd_t) for the domain transition to be allowed.


Example cont.This isn't very useful by itself since the user would

have to specifically say that they want a domain transition. This is where type transition rules are used.

To create a domain transition by default the following rule is created:type_transition user_t passwd_exec_t : process type_transition user_t passwd_exec_t : process

passwd_t;passwd_t;The type_transition rule indicates that by

default on an execve() system call, if the calling process' domain type is user_t and the executable file's type is passwd_exec_t a domain transition to a new domain type (passwd_t) will be attempted

A type_transition rule causes a domain transition to be attempted by default, but it does not allow it, that's why the other 3 rules had to be created


Example cont.What does this example accomplish?

It makes it so that the current user can change the password in the shadow(encrypted password) file, without these rules, this would not be possible even for the root user. The user isn't able to access the file directly though, they much access it through the passwd file so they can't do anything else.


Another Option:

In addition to Type Enforcement, SELinux also provides a form of role-based access control (RBAC).Roles build on type enforcement to limit the

types to which a process may transition based on the role identifier in the process' security context.

Using roles is just a way to be even more specific about what access rights are given.


Limiting CGI scripts with SELinuxThere are types already defined in SELinux with

different rights given to them. httpd_sys_script_ro_thttpd_sys_script_ro_t

A CGI script may only read files and directories with this type. Setting all cgi scripts to this other than index.cgi will make it so only index.cgi can do more than read files and directories

httpd_sys_script_exec_thttpd_sys_script_exec_tindex.cgi must be set to this since httpd

cannot execute any other types.httpd_sys_script_rw_thttpd_sys_script_rw_t

If a cgi script needs to be able to write, say to a database, then it will need this right (read/write access)


CGI cont.In addition to limiting the access of CGI

scripts themselves, unless rules have been specifically declared to give a user access to CGI scripts, no user will be able to access them in the first place.

CGI scripts can be much more safe on an apache server with SELinux implemented


ConclusionWhen used properly, SELinux can make a

system much more secureA user is confined to being able to do only

what has been defined in the SELinux policy.

There are a few different routes that can be used to achieve the level of desired security using SELinux.


Referenceshttp://www.phptr.com/articles/article.asp?

p=606586&seqNum=1&rl=1http://www.nsa.gov/selinux/index.cfmhttp://www.nsa.gov/selinux/papers/

policy2.pdfhttp://docs.fedoraproject.org/selinux-

apache-fc3/sn-using-other-types.html


Date post:	18-Jan-2018
Category:	Documents
Upload:	christiana-brown
View:	220 times
Download:	0 times

5/7/2007CoreMcClug/SELinux 1 By: Corey McClurg. Outline A History of SELinux What is SELinux and how...

Documents