Security Enhanced Linux Overview

Security Enhanced Linux (SELinux) provides Mandatory Access Controls (MAC) to Linux beyond traditional permissions. It assigns security contexts to classify system components and define rules for interaction. SELinux implements Multi-Category Security (MCS) to isolate virtual machines and applications. Administrators can use SELinux utilities and troubleshooting tools to manage policies, labels, and diagnose issues. SELinux also supports more advanced implementations like Multi-Level Security (MLS) for classified networks.


Security Enhanced Linux Primer

Frank Caviggia
Senior Consultant
June 4, 2015
1


Overview
SELinux Concepts
- What is SELinux?
- DAC and MAC
- Polyinstantiation and Multitenancy
SELinux Utilities
- Commands
- Booleans
- Labeling
- Sandbox
- Troubleshooting

SELinux Implementations
- Multi-Category Security
- Multi-Level Security
More Information


SELinux Concepts


SELinux Overview
Security-Enhanced Linux (SELinux) was a research project sponsored by the NSA to provide Mandatory Access Controls (MAC) to the Linux kernel
SELinux was mainlined into the Linux kernel in August 2003 (2.6.0-test3); it was first enabled for general use in Red Hat Enterprise Linux 4
Kernel enforcement is based on the security context provided by policies rather than on standard permissions. Think of it like a chroot jail on steroids, or watertight compartments in ship design

[Figure: Watertight Compartments in Ship Design (1)]
[Figure: SELinux Policy Example]

1. Picture source: Wikipedia, Bulkhead (Partition)


Discretionary Access Control (DAC)

Traditional Unix Permissions
- User, Group, Others (ugo)
- Read, Write, Execute (rwx)

[Figure: Discretionary Access Controls (DAC)]

Access Control Lists (ACLs)
- POSIX (1) compliant ACLs standard in Linux filesystems (ext3, ext4, XFS, etc.)
- Extends DAC controls to specific user(s) and group(s)

1. POSIX: Portable Operating System Interface EXchange
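The slide states the two DAC layers but not how a request is actually decided. The following is an added example, not code from the presentation: a small model of the ugo/rwx decision and of the POSIX ACL decision order from acl(5) (owner, named user, owning/named groups through the mask, other). The inode, user ids and ACL entries are constructed for the demonstration, and the mask handling is simplified (a real ACL stores the mask in the group bits of the mode).

```python
"""Added example (not from the slides): how discretionary access control (DAC)
decides an access request, first with plain ugo/rwx mode bits and then with a
POSIX ACL layered on top. Inode, users and ACL entries are constructed."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


@dataclass
class Inode:
    owner_uid: int
    group_gid: int
    mode: int                      # e.g. 0o640: owner rw-, group r--, other ---
    # Named ACL entries: ("user", uid, perms) or ("group", gid, perms).
    acl: list = field(default_factory=list)
    acl_mask: int = 7              # caps named-user, owning-group and named-group entries


def dac_allows(inode, uid, gids, want):
    """Classic ugo evaluation: the first matching class decides.
    uid 0 stands in for CAP_DAC_OVERRIDE (simplified: execute is not special-cased)."""
    if uid == 0:
        return True
    if uid == inode.owner_uid:
        bits = (inode.mode >> 6) & 7
    elif inode.group_gid in gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def acl_allows(inode, uid, gids, want):
    """POSIX.1e ACL evaluation order (acl(5)): owner, named user, owning group or
    named groups, other. Group entries are filtered through the ACL mask; if any
    group entry matches, the decision is made there and never falls through to other."""
    if uid == 0:
        return True
    if uid == inode.owner_uid:
        return ((inode.mode >> 6) & 7) & want == want
    for kind, ident, perms in inode.acl:
        if kind == "user" and ident == uid:
            return (perms & inode.acl_mask) & want == want
    group_entries = [(inode.mode >> 3) & 7] if inode.group_gid in gids else []
    group_entries += [perms for kind, ident, perms in inode.acl
                      if kind == "group" and ident in gids]
    if group_entries:
        return any((perms & inode.acl_mask) & want == want for perms in group_entries)
    return (inode.mode & 7) & want == want


# Constructed scenario: /srv/report owned by uid 1000 (alice), group 100 (users), mode 0640.
REPORT = Inode(owner_uid=1000, group_gid=100, mode=0o640)


def demo():
    bob = (1001, {1001})           # neither the owner nor a member of group 100
    results = {}
    results["bob_read_plain"] = dac_allows(REPORT, *bob, R)
    # With ugo alone the only options are widening 'other' or adding bob to 'users'.
    # An ACL extends DAC to exactly one user (setfacl -m u:bob:r /srv/report):
    with_acl = Inode(REPORT.owner_uid, REPORT.group_gid, REPORT.mode,
                     acl=[("user", 1001, R)], acl_mask=R)
    results["bob_read_acl"] = acl_allows(with_acl, *bob, R)
    results["bob_write_acl"] = acl_allows(with_acl, *bob, W)
    # The mask caps every named entry, so a mask of --- silently revokes the grant.
    masked = Inode(REPORT.owner_uid, REPORT.group_gid, REPORT.mode,
                   acl=[("user", 1001, R)], acl_mask=0)
    results["bob_read_masked"] = acl_allows(masked, *bob, R)
    results["alice_read"] = dac_allows(REPORT, 1000, {100}, R)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point to take from the mask case is that `getfacl` output must be read together with the mask line: a named entry that looks like a grant can be silently capped.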


Mandatory Access Control (MAC)

SELinux has 3 defined policy types: Targeted (default), Strict, and MLS.
The Security Context is implemented through extended attributes (xattr) in the filesystem and enforced by the Linux kernel according to the SELinux policy

[Figure: Security Context in SELinux]

Unix concept of "everything is a file" (devices, processes, files, directories, etc.); thus, everything is labeled with a Security Context
The SELinux policy defines the watertight compartments: it controls how users, services, files, and binaries interact
Policy is generally developed with the software vendor when possible. Otherwise, policy can be developed through testing and evaluation to give the least privilege that allows completion of a job function


Type Enforcement (TE)

Type Enforcement (TE) is used by the Targeted policy (default) in SELinux
- The Linux kernel enforces transactions between processes and objects via domain transitions
- Further control can be specified using a different policy

[Figure: SELinux Domain Transitions]

[Figure: Compromised Apache process cannot access /etc/shadow]
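To make the security-context and type-enforcement slides concrete, here is an added example (not code from the presentation): it parses contexts in the form printed by `ls -Z` and `ps -efZ` (user:role:type:level, where the level may itself contain colons) and evaluates a toy default-deny TE policy with one domain transition. The allow rules, the type_transition entry and the sample labels are constructed for the demonstration; the real targeted policy holds thousands of rules and also checks entrypoint and transition permissions that are omitted here.

```python
"""Added example (not from the slides): parse SELinux security contexts and
evaluate a toy type-enforcement policy against them. Rules, labels and the
transition table are constructed for the demonstration."""
from collections import namedtuple

Context = namedtuple("Context", "user role type level")


def parse_context(label):
    """'user:role:type[:level]' -> Context. The level (s0, s0:c1,c2,
    s0-s15:c0.c1023) may contain colons, so split on the first three only."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {label!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return Context(user, role, typ, level)


# Toy TE policy: (source type, target type, class) -> permitted permissions.
ALLOW = {
    ("init_t", "httpd_exec_t", "file"): {"execute", "read"},
    ("httpd_t", "httpd_exec_t", "file"): {"entrypoint", "execute"},
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "http_port_t", "tcp_socket"): {"name_bind"},
    # Deliberately no rule for httpd_t -> shadow_t: TE is default-deny.
}
# Domain transitions: executing <exec type> from <source domain> lands in <new domain>.
TYPE_TRANSITION = {("init_t", "httpd_exec_t"): "httpd_t"}


def te_allows(scontext, tcontext, tclass, perm):
    """Default deny: an access is permitted only if an allow rule lists it."""
    src = parse_context(scontext).type
    tgt = parse_context(tcontext).type
    return perm in ALLOW.get((src, tgt, tclass), set())


def exec_domain(scontext, exec_tcontext):
    """Domain a process runs in after execve(), given the type_transition table
    (simplified: the real check also needs the transition and entrypoint perms)."""
    src = parse_context(scontext).type
    exe = parse_context(exec_tcontext).type
    if not te_allows(scontext, exec_tcontext, "file", "execute"):
        raise PermissionError(f"{src} may not execute {exe}")
    return TYPE_TRANSITION.get((src, exe), src)   # no rule: stay in the caller's domain


# Constructed labels in `ps -efZ` / `ls -Z` form.
HTTPD_PROC = "system_u:system_r:httpd_t:s0"
INIT_PROC = "system_u:system_r:init_t:s0"
HTTPD_BIN = "system_u:object_r:httpd_exec_t:s0"
WEB_CONTENT = "system_u:object_r:httpd_sys_content_t:s0"
SHADOW = "system_u:object_r:shadow_t:s0"


def demo():
    return {
        "level_parsed": parse_context("system_u:system_r:svirt_t:s0:c57,c211").level,
        "init_spawns_httpd_in": exec_domain(INIT_PROC, HTTPD_BIN),
        "httpd_reads_content": te_allows(HTTPD_PROC, WEB_CONTENT, "file", "read"),
        # The slide's point: even a compromised httpd_t process stays confined.
        "httpd_reads_shadow": te_allows(HTTPD_PROC, SHADOW, "file", "read"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the DAC bits on /etc/shadow never enter `te_allows`: the kernel checks DAC first and SELinux second, and either layer alone can deny.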


Polyinstantiation and Multitenancy

Polyinstantiation is the process used on MLS systems to ensure that data being processed by users at separate security levels is handled in isolated spaces, to prevent unauthorized access to data (1)
Data written to these directories will be stored in an independent directory at the security level at which it was written; this is particularly important for shared temporary directories (/tmp, /var/tmp, /dev/shm/)
The user will not see the redirection to a secure folder; SELinux handles the transition transparently. See the PrivateTmp feature in RHEL 7 (2)
Multitenancy extends the concept of polyinstantiation with cgroups and Linux Containers (LXC) to ensure that applications are securely separated from each other through Type Enforcement (TE) and MCS (the c0.c1023 attributes of the security level)

[Figure: Multitenancy in OpenShift]

1. IBM developerWorks article: Improve Security with Polyinstantiation
2. https://securityblog.redhat.com/2014/04/09/new-red-hat-enterprise-linux-7-security-feature-privatetmp/


SELinux Utilities


GUI Administration
SELinux Configuration:

# system-config-selinux

SELinux Troubleshooting:

# sealert -b


Basic SELinux Commands


Determine and change SELinux modes:

# sestatus
# getenforce
# setenforce [ Enforcing | Permissive | 1 | 0 ]
List files and their SELinux Security Context:

# ls -Z <file>
# getfattr -n security.selinux <file>
List processes and their SELinux Security Context:

# ps -efZ
Restore original SELinux Security Context:

# restorecon -v <file>


SELinux Booleans
SELinux defines Booleans for often-used settings in SELinux.
List SELinux Booleans:

# getsebool -a

List SELinux Booleans related to the httpd service:

# getsebool -a | grep httpd

Set SELinux Boolean values (-P makes the change persistent across reboots):

# setsebool -P <boolean> [ on | off | 1 | 0 ]

Check Booleans First in Troubleshooting!



SELinux Labels (files)

To change the SELinux security context on a file:
Temporary context change (the original context is restored by restorecon):

# chcon -t <context> <file>

Permanent context change (recorded in the policy, so restorecon applies it rather than reverting it):

# semanage fcontext -a -t <context> <file>

Example: Allow apache to use the /web directory instead of /var/www/html:

# semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
# restorecon -Rv /web


SELinux Labels (ports)

List pre-labeled ports:

# semanage port -l

Run apache on a non-standard TCP port:

# semanage port -a -t http_port_t -p tcp 81

Same concept for SSHD:

# semanage port -a -t ssh_port_t -p tcp 2222


SELinux Labels (users)

List user roles:

# semanage user -l

List confined users:

# semanage login -l

Confine a user to the user_u role (minimal privileges):

# semanage login -a -s user_u caviggia

Other roles to consider:
- guest_u: ssh access only
- xguest_u: X Windows + Firefox
- staff_u: Unprivileged user + ability to stat processes


SELinux Sandbox
Red Hat provides the sandbox utility to isolate a command using SELinux, which is quite useful for the security of a system:

# yum install -y policycoreutils-sandbox

Firefox session using sandbox when browsing untrusted sites:

# mkdir ~/.home; mkdir ~/.tmp
# sandbox -X -H ~/.home -T ~/.tmp -t sandbox_web_t firefox

Using evince in the sandbox utility for an untrusted PDF document:

# sandbox -X evince untrusted.pdf &


Troubleshooting (Policy)
To help diagnose an issue there are the sealert and audit2why commands:

# sealert -a /var/log/audit/audit.log

# grep avc /var/log/audit/audit.log | grep denied | audit2why

Both programs will give suggestions for possible fixes, but you can isolate things further with the audit2why command by using grep for a specific program (e.g. userprog):

# grep avc /var/log/audit/audit.log | grep denied | grep userprog | audit2why

Analyze the output of the command to see whether a policy can be created to fix the issues. Use the audit2allow utility to create the policy; this may take multiple tries to develop a working policy:

# grep avc /var/log/audit/audit.log | grep denied | grep userprog > out.txt
# audit2allow -i out.txt -M userprog
# semodule -i userprog.pp
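What audit2why and audit2allow do with the grep output above is mechanical enough to show in code. The following added example, not part of the presentation, reads AVC denial records in the audit.log format, keeps those for one program, groups the denied permissions by (source type, target type, class) and renders them as draft allow rules in the shape audit2allow emits. The log lines and the program name userprog are constructed for the demonstration. A draft rule grants exactly what the denial asked for, so each one still needs the review the slide describes; the httpd_t line in the sample is the kind of denial a Boolean or a relabel usually fixes without any new policy.

```python
"""Added example (not from the slides): a small AVC denial reader that does by
hand what grep | audit2why / audit2allow do. Log lines are constructed."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Constructed audit.log excerpt (timestamps, pids and inode numbers are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1433400001.101:201): avc:  denied  { read } for  pid=2201 comm="userprog" name="app.conf" dev="dm-0" ino=4401 scontext=system_u:system_r:userprog_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1433400001.102:202): avc:  denied  { open } for  pid=2201 comm="userprog" path="/etc/app.conf" dev="dm-0" ino=4401 scontext=system_u:system_r:userprog_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1433400002.500:203): avc:  denied  { name_connect } for  pid=2201 comm="userprog" dest=5432 scontext=system_u:system_r:userprog_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1433400003.250:204): avc:  denied  { write } for  pid=1776 comm="httpd" name="index.html" dev="dm-0" ino=9981 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1433400003.250:204): arch=c000003e syscall=2 success=no exit=-13
"""


def parse_denials(text, comm=None):
    """Yield one dict per AVC denial, optionally only for process name `comm`."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and (comm is None or m["comm"] == comm):
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            yield d


def type_of(context):
    """Third field of user:role:type[:level]."""
    return context.split(":")[2]


def summarize(text, comm=None):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for d in parse_denials(text, comm):
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        grouped[key] |= d["perms"]
    return dict(grouped)


def draft_allow_rules(text, comm=None):
    """Render grouped denials as allow rules, one per (src, tgt, class)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(text, comm).items())]


if __name__ == "__main__":
    for rule in draft_allow_rules(SAMPLE_LOG, comm="userprog"):
        print(rule)
```

Filtering on comm= rather than grepping the whole line avoids picking up unrelated records that merely mention the program name in a path.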


Troubleshooting (relabel)
To relabel the entire filesystem to the default SELinux contexts (for example, to re-enable SELinux after it has been disabled), use the following commands:

# touch /.autorelabel
# reboot


SELinux Implementations


Multi-Category Security (MCS)

Using the SELinux targeted policy, each KVM instance has its own container via SELinux Type Enforcement (TE) and Multi-Category Security (MCS), which uses randomly assigned category compartments to keep the VMs separate


Venom Vulnerability (CVE-2015-3456)

[Figure: Compromised VM uses hypervisor exploit to compromise other VMs] vs. [Figure: Compromised VM containment with KVM and sVirt (SELinux Labels)]

SELinux policy prevented a buffer overflow in QEMU/KVM from attacking other VMs:


http://venom.crowdstrike.com/
https://access.redhat.com/articles/1444903
http://danwalsh.livejournal.com/71489.html


Multi-Level Security (MLS)

[Figure: separate Apache instances running at each MLS level: System Low (s0), Unclassified (s3), Secret (s6), Top Secret (s9), Top Secret/SCI (s10:c32,c43)]

Multi-Level Security (MLS) uses all parts (user, role, type, security level, and
category) of the security context with strict enforcement. The details of this are
more complex than the scope of this presentation
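The MCS slide and this MLS slide both rest on one rule applied to the level field of the context: a subject's level dominates an object's level when its sensitivity is at least as high and its category set is a superset. The following added example, not code from the presentation or from libvirt, implements that check and uses it twice: for sVirt-style guest isolation (same sensitivity s0, a distinct random category pair per VM) and for Bell-LaPadula style read-down/no-write-down between the MLS levels in the figure. The labels, VM names and the seeded random draw are constructed; the MLS write rule is the textbook form, whereas real MLS policy refines it with constraints and level ranges.

```python
"""Added example (not from the slides): parse the sensitivity:category part of
an SELinux context and apply the dominance check behind both MCS (sVirt) and
MLS. Labels and the seeded random draw are constructed."""
import random
import re

LEVEL_RE = re.compile(r"^s(?P<sens>\d+)(?::(?P<cats>.+))?$")


def parse_level(level):
    """'s10:c32,c43' -> (10, {32, 43}); a range such as 'c0.c1023' expands."""
    m = LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"bad level {level!r}")
    cats = set()
    for item in (m["cats"] or "").split(","):
        if not item:
            continue
        if "." in item:
            lo, hi = (int(x[1:]) for x in item.split("."))
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(item[1:]))
    return int(m["sens"]), frozenset(cats)


def dominates(a, b):
    """a dominates b: sensitivity >= and categories are a superset."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and ca >= cb


def mls_read_allowed(subject_level, object_level):
    """Read-down: a subject may read objects its own level dominates."""
    return dominates(subject_level, object_level)


def mls_write_allowed(subject_level, object_level):
    """No write-down (simplified BLP): writes go only to objects that dominate the subject."""
    return dominates(object_level, subject_level)


def svirt_label(rng, used, sensitivity="s0", pool=1024):
    """sVirt-style MCS label: two distinct categories drawn at random, retried
    until the pair is not already in use by another guest."""
    while True:
        c1, c2 = sorted(rng.sample(range(pool), 2))
        label = f"{sensitivity}:c{c1},c{c2}"
        if label not in used:
            used.add(label)
            return label


def mcs_can_access(process_level, object_level):
    """MCS: the process's categories must cover the object's categories."""
    return dominates(process_level, object_level)


def demo():
    rng = random.Random(2015)            # fixed seed so the run is reproducible
    used = set()
    vm_a = svirt_label(rng, used)        # e.g. the label on qemu-kvm and its disk image
    vm_b = svirt_label(rng, used)
    return {
        "range_expands": len(parse_level("s0:c0.c1023")[1]),
        "secret_reads_unclass": mls_read_allowed("s6", "s3"),
        "secret_reads_ts": mls_read_allowed("s6", "s9"),
        "ts_reads_ts_sci": mls_read_allowed("s9", "s10:c32,c43"),
        "unclass_writes_up": mls_write_allowed("s3", "s6"),
        "vm_a_own_disk": mcs_can_access(vm_a, vm_a),
        "vm_a_other_disk": mcs_can_access(vm_a, vm_b),
        # An object carrying no categories is reachable from every guest, which is
        # why sVirt labels each disk image with its own VM's category pair.
        "plain_s0_object": mcs_can_access(vm_a, "s0"),
        "vm_labels_differ": vm_a != vm_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This is the mechanism behind the Venom slide: the QEMU process for one guest runs with a category pair that does not cover any other guest's image, so a hypervisor-process compromise stays inside its own compartment.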


Questions?


More Information
Don't Disable SELinux:
http://stopdisablingselinux.com/

Tresys SELinux Reference Policy:
https://github.com/TresysTechnology/refpolicy/wiki

Dan Walsh's (Mr. SELinux) Blog:
http://danwalsh.livejournal.com/

RHEL 7 SELinux Users and Administrators Guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html

SELinux Coloring Book:
https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
