SELinux (Security Enhanced Linux) is an internal firewall that confines processes and protects the operating system through mandatory access controls. It prevents processes from accessing files or resources without permission. SELinux enforces a security policy that defines what subjects (users and programs) can access which objects (files, devices, ports). It provides confinement for untrusted programs and limits the damage that can be caused by malicious software.
2. Outline
What is SELinux
What can SELinux do
What SELinux cannot do
Why should SELinux be used
Getting SELinux
SELinux modes
Basic concepts
Linux user mapping
Logging
MLS and MCS
SELinux policies
Userland tools
Performance
License
SELinux demo on Fedora
Questions about SELinux
References
3. What is SELinux (1/1)
Internal firewall between programs.
Linux security module (LSM)
Others are smack, tomoyo, apparmor.
Mandatory Access Control (MAC)
What subjects can access which objects.
Subjects: users, programs.
Objects: files, devices, sockets, etc.
4. What can SELinux do (1/2)
Prevents
processes from reading data and programs,
bypassing application security mechanisms,
executing untrustworthy programs,
interfering with other processes in violation of the system security policy.
Confines the potential damage that can be caused by malicious or flawed programs.
5. What can SELinux do (2/2)
Type enforcement
focuses on the SELinux type within a SELinux security context.
Role-based access control
decides which types (for processes) a role is allowed to have.
Multi-level security
classification of data.
6. What SELinux cannot do (1/1)
Resource limits are outside the scope of an access control system.
grsecurity, cgroups and PAM are recommended for that.
7. Why should SELinux be used (1/1)
In multifunctional systems, to separate functionalities,
e.g. for a web server, e-mail and DNS server on one host,
e.g. for an Arcelik smart TV, the money-transaction and entertainment processes,
e.g. for an Arcelik cash register, the Aygaz app and the Yapikredi app.
8. Getting SELinux (1/5)
SELinux support is already included in the
mainline Linux 2.6 kernel available from
kernel.org
9. Getting SELinux (2/5)
SE-enabled Linux kernel: relevant kernel configuration options
CONFIG_SECURITY_SELINUX
NSA SELinux support.
CONFIG_DEFAULT_SECURITY_SELINUX
Set SELinux as the default security module.
CONFIG_SECURITY_SELINUX_AVC_STATS
Collect access vector cache (AVC) statistics.
CONFIG_SECURITY_SELINUX_BOOTPARAM
Allows SELinux to be disabled at boot.
CONFIG_SECURITY_SELINUX_DEVELOP
Development support, for experimenting with SELinux and developing policies.
CONFIG_SECURITY_SELINUX_DISABLE
Allows SELinux to be disabled at runtime.
11. Getting SELinux (4/5)
SELinux userland packages [gse]
libsepol
library for binary policy manipulation.
no dependency.
policycoreutils
several policy-related utilities.
uses libselinux, libsepol, libsemanage.
sepolgen
python library that forms the core of modern audit2allow.
15. Basic concepts (1/5)
Security context
Every process and object has a context.
Syntax: user:role:type[:range]
The MLS range is optional.
Inherited from the parent process (on fork) or from the parent file/directory.
Users
Different from Linux users.
SELinux users do not change during a user session, whereas the Linux user might change via su or sudo.
suffix: *_u, e.g. user_u
associated with one or more roles that the SELinux user is allowed to use.
16. Basic concepts (2/5)
Roles
A SELinux user may be allowed to take on one or more roles.
suffix: *_r, e.g. user_r
associated with one or more types the SELinux user is allowed to access.
Types
Determine access permissions.
suffix: *_t, e.g. music_t
associated with processes or objects.
Attributes
Group types with similar properties.
17. Basic concepts (3/5)
Ranges
Security level.
if policy supports MCS / MLS.
Object classes
Categories of objects.
# ls /sys/fs/selinux/class
Each class has a set of permissions. [ocp]
# ls /sys/fs/selinux/class/tcp_socket/perms/
Rules
Specified using the type of the process and object.
e.g. allow user_t user_home_t:file { create read write };
18. Basic concepts (4/5)
Booleans
are used to enable/disable parts of the policy.
# getsebool -a
# sesearch -b selinuxuser_execheap -AC
ET allow user_t kernel_t : system syslog_read ; [ user_dmesg ]
The rule is allowed if the corresponding boolean is true (T), and the boolean is currently enabled (E).
Constraints
define under which circumstances an operation is allowed;
circumstances that don't match are disallowed.
# seinfo --constrain
e.g. constrain dir_file_class_set { create relabelto relabelfrom }
     ( u1 == u2 or t1 == can_change_object_identity );
19. Basic concepts (5/5)
Type transition
for objects (files):
# sesearch -T
type_transition [Creating Subject Type] [Parent Object Type] : [Class of new Object] [New Object Type]
for subjects (processes):
# pstree -Z
# sesearch -T -c process
type_transition [Parent Process Type] [Type of the executed file] : process [New Type of the created process]
20. Linux user mapping (1/1)
Map a Linux user to only one SELinux user. [ual]
Multiple Linux users can be mapped to the same SELinux user.
# semanage login -l
# semanage login -a -s staff_u emrecan
21. Logging (1/1)
Denials are logged by the audit subsystem.
/var/log/audit/audit.log
Permissive mode generates more log messages.
# cat /var/log/audit/audit.log | audit2allow -r
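Added example, not from the slides and not the audit2allow tool itself: a minimal Python equivalent of what audit2allow does with that log, parsing the scontext, tcontext and tclass fields of AVC denial records and grouping them into allow rules. The audit log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/audit/audit.log format (illustrative, not a real capture).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/osman/index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

# One AVC record: the denied permission set, then the source and target
# contexts and the object class the decision was made for.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] context."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Yield (source type, target type, class, permissions) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no AVC decision
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], m["perms"].split())

def denials_to_allow_rules(log_text):
    """Group denials by (source, target, class) and emit one TE allow rule
    per group, the way audit2allow summarises a log."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        grouped[(src, tgt, cls)].update(perms)
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_AUDIT_LOG)))
```

The generated rules are a starting point for review: a denial on a file in a home directory may point to a mislabelled file (restorecon) rather than a missing rule.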
22. Multi-level security and MCS (1/2)
based on the Bell-La Padula model
“no write down” and “no read up”
user:role:type:sensitivity[:category,...]-sensitivity[:category,...]
each sensitivity[:category,...] part is a LEVEL; low LEVEL - high LEVEL together form the RANGE.
sensitivity: s0 lowest, s15 maximum
category: optional, c0.c255
unordered and unrelated lists of "compartments".
level: combination of sensitivity and categories.
translated to human-readable form in setrans.conf, e.g.
s0 = unclassified, s15 = top secret
c0 = finance, c100 = commercial, c255 = book
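As an added worked example (not from the slides), a parser for the context syntax of slide 15 and the MLS range notation above, with the Bell-La Padula dominance check. It assumes the pure Bell-La Padula rules as stated on the slide, and takes a process's current level to be the low end of its range.

```python
import re

def parse_categories(spec):
    """Expand 'c0.c255' (a range) or 'c1,c4.c6' (a list) into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:               # cN.cM means every category from N to M
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats

def parse_level(level):
    """'s3:c1,c4.c6' -> (3, {1, 4, 5, 6}); a bare 'sN' has no categories."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    return int(sens[1:]), parse_categories(cats)

def parse_context(ctx):
    """Split user:role:type[:range]; a range is 'low' or 'low-high'."""
    user, role, typ, *rest = ctx.split(":", 3)
    if not rest:
        return {"user": user, "role": role, "type": typ, "range": None}
    low, _, high = rest[0].partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return {"user": user, "role": role, "type": typ, "range": (low_lvl, high_lvl)}

def dominates(a, b):
    """Level a dominates b: sensitivity not lower and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def mls_access(subject_ctx, object_ctx):
    """Bell-La Padula check as stated on the slide: read needs the subject to
    dominate the object (no read up), write needs the object to dominate the
    subject (no write down). Assumption: the subject's current level is the
    low end of its range, and the object's level is the low end of its range."""
    s_range = parse_context(subject_ctx)["range"]
    o_range = parse_context(object_ctx)["range"]
    if s_range is None or o_range is None:
        raise ValueError("both contexts need an MLS range")
    subj, obj = s_range[0], o_range[0]
    return {"read": dominates(subj, obj), "write": dominates(obj, subj)}
```

The reference policy discussed on the next slide is stricter than this model for writes (it requires equal levels), so treat the function as the textbook rule, not as what a real system enforces.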
23. Multi-level security and MCS (2/2)
utilization for Android:
an app running on behalf of one user cannot read or write files created by the same app running on behalf of another user.
in fact, the MLS reference policy does not allow write-up, read-down.
the default is to use equal levels.
24. SELinux policies (1/3)
Compiled in a binary format.
smaller memory requirements.
Type enforcement file (*.te)
mandatory.
name, version of the module.
types, rules, booleans, etc.
File contexts file (*.fc)
contains the default security contexts for files created/used by the application for which we are creating the policy module.
Interface file (*.if)
generally contains macro definitions that assist in creating type enforcement rules.
25. SELinux policies (2/3)
3 steps to configure policy for embedded devices:
obtain reference policy,
remove unnecessary rules,
have to remove too many rules.
add necessary rules.
26. SELinux policies (3/3)
Reference policy project [rpp]
basis for creating other policies.
well-written and good enough for PC distros.
many dependencies:
checkpolicy
policycoreutils
libsepol
libsemanage
python
27. Userland tools (1/4)
id, ls, ps, netstat -Z
display context of shell, file, process, network.
audit2allow
read SELinux denials, show corresponding rules.
audit2why
determine why a denial occurred.
chcon
change context of a file.
chcon -t user_home_t /tmp/osman
chcat
change categories of a file.
change authorized categories for a user.
28. Userland tools (2/4)
getenforce
return status of SELinux.
newrole
change role, type or level.
newrole -r system_r -t unconfined_t
semanage
change boolean settings,
change roles and levels for SELinux users,
change context of a file persistently (restorecon)
semanage fcontext -a -t user_home_t /tmp/osman
semodule
insert, delete and list SELinux policy modules on the running system.
29. Userland tools (3/4)
setenforce
modify the mode.
seinfo
policy query tool.
setsebool
set the state of an SELinux boolean either temporarily or persistently.
sestatus
status tool.
30. Userland tools (4/4)
restorecon, restorecond*
restores default context of a file.
customizable types [wct]
context is not reset during a standard relabel operation.
# cat /etc/selinux/targeted/contexts/customizable_types
runcon
change context of a program when started (temporary)
runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
run_init [gs]
start services in the correct domain
run_init /etc/init.d/ssh start
34. Questions about SELinux (1/1)
Can I use SELinux with grsecurity (and PaX)?
Yes, it is even recommended. However, grsecurity's ACL support is not used together with SELinux. [gfq]
If the root user can change, for example, booleans, how is SELinux more secure than Linux DAC?
i.e. setsebool -P allow_execheap on/off
We don't need to have a conditional policy. If we do, the enabled/disabled rules are defined in the policy. DAC doesn't have predefined conditions like that.
Can we write a policy that doesn't allow setenforce?
Yes; moreover, we can even compile the kernel so that permissive mode is disabled no matter what the policy says.