security-enhanced linux. references implementation of security-enhanced linux by yue cui, xiang...

Security-Enhanced LinuxSecurity-Enhanced Linux

ReferencesReferences

1.1. Implementation of Security-Implementation of Security-Enhanced Linux by Yue Cui, Xiang Enhanced Linux by Yue Cui, Xiang Sha, Li SongSha, Li Song

2.2. Security Enhanced Linux by David Security Enhanced Linux by David Quigley (Fedora)Quigley (Fedora)

3.3. Security-Enhanced Linux by Joseph Security-Enhanced Linux by Joseph A LaConteA LaConte

BackgroundBackground

Security-Enhanced Linux is a NSA (National Security-Enhanced Linux is a NSA (National Security Agency) backed research project.Security Agency) backed research project.

Goals:Goals: Promote Security ResearchPromote Security Research Address OS SecurityAddress OS Security Demonstrate MAC (Mandatory Access Controls) through Demonstrate MAC (Mandatory Access Controls) through

Type Enforcement® technologyType Enforcement® technology in a mainstream osin a mainstream os

NoteNote: SELinux project is : SELinux project is notnot intended as a intended as a complete security solution for Linux complete security solution for Linux

SELinux BackgroundSELinux Background1985:1985: LOCK system(early Type Enforcement)LOCK system(early Type Enforcement)

– – Secure Ada project through HoneywellSecure Ada project through Honeywell

1990: DTMach / DTOS 1990: DTMach / DTOS

DTMach – Mach-based prototypeDTMach – Mach-based prototype

DTOS (Distributed Trusted Operating System)DTOS (Distributed Trusted Operating System)

1995: Utah Fluke / Flask 1995: Utah Fluke / Flask

Fluke* - University of Utah's research operating systemFluke* - University of Utah's research operating system

1999: 1999: 2.2 Linux Kernel (patch)2.2 Linux Kernel (patch)

2001: 2001: 2.4 Linux Kernel (patch)2.4 Linux Kernel (patch)

2002:2002: LSMLSM

2003:2003: 2.6 Linux Kernel (mainline)2.6 Linux Kernel (mainline)

2006: 2006: Full network labelingFull network labeling

Why Linux?Why Linux?

Linux is an open source project with many Linux is an open source project with many developers; therefore:developers; therefore:

Provides an opportunity for more Provides an opportunity for more research.research.

Allows application/testing in a Allows application/testing in a mainstream os.mainstream os.

Improves security in an existing os.Improves security in an existing os.

SELinuxSELinux

Security-Enhanced Linux Security-Enhanced Linux (SELinux)(SELinux) Uses the Linux Security Modules (LSM) Uses the Linux Security Modules (LSM)

framework to implement flexible Mandatory framework to implement flexible Mandatory Access Control (MAC) in the Linux kernel.Access Control (MAC) in the Linux kernel.

Restricts privileges of user programs and Restricts privileges of user programs and system servers using security labels and an system servers using security labels and an administratively-defined policy.administratively-defined policy.

MAC versus DACMAC versus DAC

Discretionary Access Control (DAC) is the Discretionary Access Control (DAC) is the standard security model for Linux. In this standard security model for Linux. In this model, access privileges are based on the model, access privileges are based on the user identity and object ownership.user identity and object ownership.

Mandatory Access Control (MAC) limits Mandatory Access Control (MAC) limits privileges for subjects (processes) and privileges for subjects (processes) and objects (file, socket, device, etc).objects (file, socket, device, etc).

Please note: SELinux does not change any existing security in the Linux Please note: SELinux does not change any existing security in the Linux environment; rather, SELinux extends the security model to include environment; rather, SELinux extends the security model to include Mandatory Access Control (i.e. both MAC and DAC are enforced in Mandatory Access Control (i.e. both MAC and DAC are enforced in the SELinux environment).the SELinux environment).

SELinux vs. traditional LinuxSELinux vs. traditional Linux

SELinux enforces MAC policies that SELinux enforces MAC policies that confine user programs and system confine user programs and system servers to the minimum amount of servers to the minimum amount of privilege they require to do their jobsprivilege they require to do their jobs

The ability of these user programs and The ability of these user programs and system daemons to cause harm when system daemons to cause harm when compromised(via buffer overflow for compromised(via buffer overflow for example) is reduced or eliminated.example) is reduced or eliminated.

SELinux vs. traditional LinuxSELinux vs. traditional Linux

The confinement mechanism operates The confinement mechanism operates independently of the traditional Linux independently of the traditional Linux access control mechanismsaccess control mechanisms

It has no concept of a “root” super-It has no concept of a “root” super-user, and does not share the well-user, and does not share the well-known shortcomings of the traditional known shortcomings of the traditional Linux security mechanisms(such as a Linux security mechanisms(such as a dependence on setuid/setgid binaries)dependence on setuid/setgid binaries)

SELinux vs. traditional LinuxSELinux vs. traditional Linux The security of traditional LinuxThe security of traditional Linux

Depends on the correctness of the kernel, all the Depends on the correctness of the kernel, all the privileged applications, and each of their privileged applications, and each of their configurationsconfigurations

A problem in any one of these areas may allow the A problem in any one of these areas may allow the compromise of the entire systemcompromise of the entire system

The security of SELinuxThe security of SELinux Depends on the correctness of the kernel and its Depends on the correctness of the kernel and its

security policy configurationsecurity policy configuration While problems may allow the limited compromise While problems may allow the limited compromise

of individual user programs and system daemons, of individual user programs and system daemons, they do not pose a threat to the security of other they do not pose a threat to the security of other user programs and system daemons or to the user programs and system daemons or to the security of the system as a wholesecurity of the system as a whole

Security-Enhanced LinuxSecurity-Enhanced Linux

Security Policies are Security Policies are implemented usingimplemented using:: Type EnforcementType Enforcement®® (TE) (TE)

((introduced in 1985 by Boebert and Kain)introduced in 1985 by Boebert and Kain) Role-based access control (RBAC)Role-based access control (RBAC) Multi-level SecurityMulti-level Security

Security Model in SELinuxSecurity Model in SELinux

Type Enforcement (TE) modelType Enforcement (TE) model Provides fine-grained control over Provides fine-grained control over

processes and objects in the systemprocesses and objects in the system Role-Based Access Control (RBAC) Role-Based Access Control (RBAC)

modelmodel Provides a higher level of abstraction Provides a higher level of abstraction

to simplify user managementto simplify user management

TE modelTE model Traditional TE modelTraditional TE model

Binds a security attribute called a Binds a security attribute called a domain to each process and a type to domain to each process and a type to each objecteach object

Treats all processes in the same domain Treats all processes in the same domain identically and all objects that have the identically and all objects that have the same type identicallysame type identically

A pair of access matrices specify how A pair of access matrices specify how domains can access types and how domains can access types and how domains can interact with other domainsdomains can interact with other domains

Each user is authorized to operate in Each user is authorized to operate in certain domainscertain domains

TE modelTE model SELinux TE modelSELinux TE model

Uses a single type attribute in the security Uses a single type attribute in the security context for both processes and objectscontext for both processes and objects

A domain is simply a type that can be A domain is simply a type that can be associated with a process. associated with a process.

Uses the security class information provided by Uses the security class information provided by the Flask architecture the Flask architecture

Security classes can distinguish objects of the Security classes can distinguish objects of the same type.same type.

Does not directly associate users with domains; Does not directly associate users with domains; uses RBAC model to provide an additional layer uses RBAC model to provide an additional layer of abstraction between users and domainsof abstraction between users and domains

Type EnforcementType Enforcement

Object(s):Object(s): items in a system that are acted upon (files, IPC, items in a system that are acted upon (files, IPC, sockets, etc….)sockets, etc….)

Subject(s):Subject(s): process that are requesting access to an object process that are requesting access to an object All Objects and Subjects contain a security contextAll Objects and Subjects contain a security context Security Context(s)Security Context(s) are composed of four parts are composed of four parts All Security Context components are checked against the policy All Security Context components are checked against the policy

to see if access is allowed. to see if access is allowed. Type is the base component while role and user are used to Type is the base component while role and user are used to

further restrict type enforcementfurther restrict type enforcement

Security ContextsSecurity Contexts

system_u:object_r:passwd_exec_t:s0:c0.c2-s2:c0.c1system_u:object_r:passwd_exec_t:s0:c0.c2-s2:c0.c1

user:role:type:sensitivity[:category,…][-sensitivity[:category,…]]

TE Access ControlTE Access Control

Source type(s):Source type(s): The domain type of the process accessing the The domain type of the process accessing the objectobject

Target type(s):Target type(s): The type of the object being accessed by the The type of the object being accessed by the processprocess

Object class(es):Object class(es): The class of object to permit access to The class of object to permit access to Permission(s):Permission(s): The kind of access permitted for the indicated The kind of access permitted for the indicated

object classobject class

allow user_t bin_t : file {read execute write getattr setattr}

Domain TransitionsDomain Transitions Analogous to SetUID programsAnalogous to SetUID programs Joe running as user_t (untrusted user) needs to change his Joe running as user_t (untrusted user) needs to change his

password. How does Joe change his password?password. How does Joe change his password? allow user_t passwd_exec_t : file {getattr execute}allow user_t passwd_exec_t : file {getattr execute} allow passwd_t passwd_exec_t : file entrypointallow passwd_t passwd_exec_t : file entrypoint allow user_t passwd_t : process transitionallow user_t passwd_t : process transition

What does this solve? Restricts trusted domain passwd_t What does this solve? Restricts trusted domain passwd_t and allows user_t to transition to it.and allows user_t to transition to it.

Implicit domain transitions provided via type_transition.Implicit domain transitions provided via type_transition.

Users & RolesUsers & Roles

First and second component of a security contextFirst and second component of a security context SELinux usernames and DAC usernames are not SELinux usernames and DAC usernames are not

synonymoussynonymous Semanage is used to maintain mappings of DAC to Semanage is used to maintain mappings of DAC to

SELinux usernames.SELinux usernames. Roles are collections of types geared towards a purposeRoles are collections of types geared towards a purpose Roles can be used to further restrict actions on the systemRoles can be used to further restrict actions on the system SELinux usernames are granted roles in the systemSELinux usernames are granted roles in the system

Role-Based Access Role-Based Access ControlControl

Each user gets a set of rolesEach user gets a set of roles

Each role is assigned a set of TE Each role is assigned a set of TE domains.domains.

Note: users are not identified by Linux uids; instead Note: users are not identified by Linux uids; instead a user identity attribute is used in the security a user identity attribute is used in the security context.context.

RBAC modelRBAC model

Traditional RBAC modelTraditional RBAC model authorizes users to act in certain roles authorizes users to act in certain roles

and assigns a set of permissions to each and assigns a set of permissions to each rolerole

SELinux RBAC modelSELinux RBAC model authorizes each user for a set of roles, authorizes each user for a set of roles,

each role for a set of TE domainseach role for a set of TE domains maintains a role attribute in the security maintains a role attribute in the security

context of each processcontext of each process

PoliciesPolicies

Configuration consists Configuration consists

ofof: : Flask definitionsFlask definitions TE and RBAC TE and RBAC

declarations and rulesdeclarations and rules User declarationsUser declarations Constraint definitionsConstraint definitions Security context Security context

specifications.specifications.

PoliciesPolicies

TE StatementsTE Statements Attribute Attribute

DeclarationsDeclarations Type DeclarationsType Declarations TE Transition RulesTE Transition Rules TE Change RulesTE Change Rules TE Access Vector TE Access Vector

RulesRules TE Access Vector TE Access Vector

AssertionsAssertions Type Member RulesType Member Rules

RBAC StatementsRBAC Statements Role Declarations and Role Declarations and

DominanceDominance Role Allow RulesRole Allow Rules Role Transition RulesRole Transition Rules

PoliciesPolicies

Syntax for TE and RBAC declarations*

Syntax for type declarations*

* Smally, Stephen January 2003.

PoliciesPolicies

Bleher, Thomas November 30, 2004

LimitationsLimitations

Performance OverheadPerformance Overhead – approximately 7%. – approximately 7%.

ComplexityComplexity – requires in-depth knowledge of the – requires in-depth knowledge of the operating system, the security policies, and the operating system, the security policies, and the operating environment.operating environment.

MaintenanceMaintenance – policy fine-tuning, changes required – policy fine-tuning, changes required for changes to the system.for changes to the system.

Benefit of SELinuxBenefit of SELinux

The SELinux’s new features are The SELinux’s new features are designed todesigned to Enforce the separation of information Enforce the separation of information

based on confidentiality and integrity based on confidentiality and integrity requirementsrequirements

Prevent processes from Prevent processes from reading data and programs, reading data and programs, tampering with data and programs,tampering with data and programs, executing untrustworthy programs, or executing untrustworthy programs, or interfering with other processes in violation interfering with other processes in violation

of the system security policy of the system security policy

MLSMLS MLS portion of Security Context is composed of 4 MLS portion of Security Context is composed of 4

partsparts Low/HighLow/High Sensitivity/CategorySensitivity/Category

Includes syntax to define dominance of security Includes syntax to define dominance of security levelslevels

Subjects with range of levels considered Subjects with range of levels considered trusted trusted subjectssubjects

Implements a variation of Bell-La PadulaImplements a variation of Bell-La Padula

Linux Security Modules Linux Security Modules (LSM)(LSM)

Kernel framework for security modulesKernel framework for security modules Provides a set of hooks to implement further Provides a set of hooks to implement further

security checkssecurity checks Usually placed after existing DAC checks and Usually placed after existing DAC checks and

before resource accessbefore resource access Implications? SELinux check is not called if the Implications? SELinux check is not called if the

DAC failsDAC fails Makes auditing difficult at times.Makes auditing difficult at times.

SELinux LSM ModuleSELinux LSM Module

User Space

Kernel Space

Selinux Filesystem

Access

Vector

Cache

Security Server

(Policy Rules and

Access Decision Logic)LSM Hooks

Various Kernel

Object Managers

Cache Miss

Yes or No?

SELinux LSM Module

Policy Management

Interface

Figure taken from SELinux by

Example

Userspace Object ManagersUserspace Object Managers

Access

Vector

Cache

libselinux

User-Space

Object Manager


Example

User Space

Kernel Space

Selinux Filesystem

Policy Management

Interface

Allow

access?

Yes or No?

Access

Vector

Cache

Security Server

(Policy Rules and

Access Decision Logic)

Cache Miss

Yes or No?

Policy ServerPolicy Server

Access

Vector

Cache

libselinux

User-Space

Object Manager


Example

User Space

Kernel Space

Selinux Filesystem

Policy

Management

Interface

Cache Miss?

Yes or No?

User-Space

Security Server

Policy

Management

Server

Load

User

Policy

Policy Server

Access

Vector

Cache

Security Server

(Policy Rules and


Cache Miss

Yes or No?

Policy LanguagePolicy Language

Make, Scripts,

M4, and so on

Type Enforcement

Statements

(Types, TE Rules,

Roles, Users)

Constraints

Resource labeling

Specifications

Classes and Permissions

Checkpolicy

Binary Policy

File

Kernel Space

Selinux Filesystem

Access

Vector

Cache

Security Server

(Policy Rules and


Cache Miss

Yes or No?

SELinux LSM Module

load_policy

Policy Source

Modules

policy.conf


Example

Object ClassesObject Classes

Represents resources of a certain kindRepresents resources of a certain kind Policy must include declarations for all object Policy must include declarations for all object

classesclasses ClassesClasses

File related (blk_file, chr_file, dir, fd …)File related (blk_file, chr_file, dir, fd …) Network related (socket, packet_socket, rawip_socket, …)Network related (socket, packet_socket, rawip_socket, …) IPC related (ipc, msg, msgq, sem, shm)IPC related (ipc, msg, msgq, sem, shm) Misc Classes (capability, process, security, system)Misc Classes (capability, process, security, system)

PermissionsPermissions

Specific to a particular Object ClassSpecific to a particular Object Class Includes traditional Linux permissionsIncludes traditional Linux permissions Extends existing permissions to be finer Extends existing permissions to be finer

grainedgrained Includes SELinux specific permissions for Includes SELinux specific permissions for

labelinglabeling

Type EnforcementType Enforcement

Several major keywordsSeveral major keywords typetype attributeattribute typeattributetypeattribute typealiastypealias allowallow dontauditdontaudit auditallowauditallow neverallowneverallow

Type EnforcementType Enforcementattribute file_type;attribute httpdcontent;

#These two statements...type httpd_user_content_t;typeattribute httpd_user_content_t file_type, httpdcontent;

#are equivalent to this onetype httpd_user_content_t, file_type, httpdcontent;

#These two statements...type mozilla_t, domain;typealias mozilla_t alias netscape_t;

#are equivalent to this onetype mozilla_t alias netscape_t, domain;

Type EnforcementType Enforcementrule_name src_type_set target_type_set : class_set perm_set;#validallow user_t bin_t : file { read getattr } ;allow user_t bin_t : dir { read getattr search } ;

#invalid since file does not have a search permissionallow user_t bin_t { file dir } {read getattr search } ;

#don’t audit when this access is denieddontaudit httpd_t etc_t : dir search ;

#audit when this access is allowed#by default allowed access is not auditedauditallow domain shadow_t : file write ;

#This statement may never be allowed by any ruleneverallow user_t shadow_t : file write

allow user_t bin_t : { file dir } * ;allow user_t bin_t : file ~{ write setattr ioctl };

Type EnforcementType EnforcementType Transitions

type_transitiontype_change

#These two statements...type_transition user_t passwd_exec_t : process passwd_t;type_transition sysadm_t passwd_exec_t : process passwd_t;

#are equivalent to this onetype_transition { user_t sysadm_t } : process passwd_t;

#This domain transition rule…type_transition init_t apache_exec_t : process apache_t ;

#would require at least the follow 3 allow rules to succeedallow init_t apache_exec_t : file execute ;allow init_t apache_t : process transition;allow apache_t apache_exec_t : file entrypoint ;

RBACRBAC

Adds 2 components to security contextAdds 2 components to security context useruser rolerole

Adds 3 policy language keywordsAdds 3 policy language keywords allowallow (different than AVC allow) (different than AVC allow) role_transitionrole_transition (similar to (similar to

type_transition)type_transition) dominancedominance

RBAC ExampleRBAC Example#valid security context

joe:user_r:passwd_t

#role user_r assigned to user joe

user joe roles { user_r };

#equivalent to this one

role user_r types { user_t passwd_t };

allow staff_r sysadm_r;

role_transition sysadm_r http_exec_t system_r;

#super_r inherits all types from sysadm_r and secadm_r

dominance { role super_r { role sysadm_r; role secadm_r; }}

Multilevel SecurityMultilevel Security

Policy Declares Levels and categoriesPolicy Declares Levels and categories applies constraints on objects and applies constraints on objects and

permissions with MLS dominance keywordspermissions with MLS dominance keywords ==, !=, eq, dom, domby, incomp==, !=, eq, dom, domby, incomp mlsconstrain file {create relabelto } { l2 eq mlsconstrain file {create relabelto } { l2 eq h2 }h2 }

mlsvalidatetransmlsvalidatetrans transitions between transitions between levelslevels

Still requires a lot of workStill requires a lot of work

Conditional PoliciesConditional Policies Allows enabling/disabling portions of policyAllows enabling/disabling portions of policy Booleans define in policyBooleans define in policy Logical operations allowedLogical operations allowed

&&&& |||| ^̂ !! ==== !=!=

Does not support nested conditionalsDoes not support nested conditionals Booleans modified through special applications or Booleans modified through special applications or

SELinuxfsSELinuxfs

Configuration for running insmod

Figure 4 shows a portion of the policy Figure 4 shows a portion of the policy configuration that allows the configuration that allows the administrator domain (sysadm_t) to administrator domain (sysadm_t) to run the insmod program to insert run the insmod program to insert kernel modules. kernel modules.

The insmod program is labeled with The insmod program is labeled with the insmod_exec_t type and runs in the insmod_exec_t type and runs in the insmod_t domain. the insmod_t domain.

Figure 4: Configuration for running insmod


allow sysadm_t insmod_exec_t :file allow sysadm_t insmod_exec_t :file x_file_perms;x_file_perms; allows the sysadm_t domain to run the insmod allows the sysadm_t domain to run the insmod

programprogram. . allow sysadm_t insmod_t :process allow sysadm_t insmod_t :process

transition;transition; allows the sysadm_t domain to transition to the allows the sysadm_t domain to transition to the

insmod_t domain.insmod_t domain. allow insmod_t insmod_exec_t :process allow insmod_t insmod_exec_t :process

{entrypoint, execute }{entrypoint, execute } allows the insmod_t domain to be entered by allows the insmod_t domain to be entered by

the insmod program and to execute code from the insmod program and to execute code from this program. this program.


allow insmod_t sysadm_t :fd allow insmod_t sysadm_t :fd inherit_fd_perms;inherit_fd_perms; allows the insmod_t domain to inherit and use file allows the insmod_t domain to inherit and use file

descriptors from the sysadm_t domain. descriptors from the sysadm_t domain. allow insmod_t self :capability allow insmod_t self :capability

sys_module;sys_module; allows the insmod_t domain to use the allows the insmod_t domain to use the

CAP_SYS_MODULE capability.CAP_SYS_MODULE capability. allow insmod_t sysadm_t :process sigchild; allow insmod_t sysadm_t :process sigchild;

allows the insmod_t domain to send the SIGCHLD allows the insmod_t domain to send the SIGCHLD signal to sysadm_t when it exits. signal to sysadm_t when it exits.

Reference PolicyReference Policy Maintained by NSA and FC Mailing ListsMaintained by NSA and FC Mailing Lists Compiles into three versionsCompiles into three versions

Strict, Targeted, MLSStrict, Targeted, MLS StatsStats

Version .18Version .18 Object Classes 55Object Classes 55 Common Permissions 3, Permission 205Common Permissions 3, Permission 205 Types 1589Types 1589 allow 372755, auditallow 12, dontaudit 238663allow 372755, auditallow 12, dontaudit 238663 type_transition 2657, type_change 68type_transition 2657, type_change 68 roles 6, RBAC allow 6, role_transition 97, users 3roles 6, RBAC allow 6, role_transition 97, users 3 bools 70bools 70

ComponentsComponents

checkpolicycheckpolicy libselinuxlibselinux libsemanagelibsemanage libsepollibsepol policycoreutilspolicycoreutils

libselinuxlibselinux

Used by SELinux aware applicationsUsed by SELinux aware applications Houses user space AVCHouses user space AVC Contains functions to Contains functions to

calculate AVCscalculate AVCs get/set/create contextsget/set/create contexts query policy enginequery policy engine

libsemanagelibsemanage

Used to query and configure state of a Used to query and configure state of a running systemrunning system

Provides functions to query/modifyProvides functions to query/modify login nameslogin names usersusers network ports/interfacesnetwork ports/interfaces file contextsfile contexts level translationslevel translations rolesroles etc.etc.

SELinuxfsSELinuxfs

Interface between userspace and kernelInterface between userspace and kernel Used by libselinux and libsemanage to Used by libselinux and libsemanage to

communicate requests with the kernelcommunicate requests with the kernel Provides a quick and easy interface for Provides a quick and easy interface for

humanshumans Usually not used directly from programsUsually not used directly from programs

policycoreutilspolicycoreutils SELinux Management and policy analysis toolsSELinux Management and policy analysis tools

audit2allowaudit2allow audit2whyaudit2why load_policyload_policy newrolenewrole restoreconrestorecon semanagesemanage semodulesemodule sestatussestatus setboolsetbool etc...etc...

DistributionsDistributions

Fedora Core 3 and laterFedora Core 3 and later DebianDebian GentooGentoo SuSeSuSe SE-BSDSE-BSD SE-MACHSE-MACH

InstallationInstallation

Where to get the copy?Where to get the copy? Free download fromFree download from

http://www.nsa.gov/selinux/http://www.nsa.gov/selinux/

Components of SELinux DistributionComponents of SELinux Distribution Patches to the Linux kernel (based on Patches to the Linux kernel (based on

kernel 2.4.18)kernel 2.4.18) Patches to a number of standard tools and Patches to a number of standard tools and

utilities, support files, and documentationutilities, support files, and documentation


Need to have an existing Redhat Need to have an existing Redhat LinuxLinux Redhat 7.2 or later will be betterRedhat 7.2 or later will be better

SELinux does not provide a modified SELinux does not provide a modified xdm/gdm/kdm to set the security xdm/gdm/kdm to set the security context for the user sessioncontext for the user session

Environment we use:Environment we use: Redhat 7.3Redhat 7.3


Download the installation package Download the installation package

(lsm-2.4-selinux-2002053110.tgz)(lsm-2.4-selinux-2002053110.tgz) Unzip the file, we got two foldersUnzip the file, we got two folders

# /lsm2.4 and /selinux# /lsm2.4 and /selinux The quick installation steps are as The quick installation steps are as

followingsfollowings


Edit policy/users for your usersEdit policy/users for your users Be sure to authorize at least one user for the Be sure to authorize at least one user for the

system administrator role (sysadm_r)system administrator role (sysadm_r) Edit the default_context and cron_context Edit the default_context and cron_context

files in utils/appconfig for your usersfiles in utils/appconfig for your users security context has the syntax security context has the syntax

user:role:domain or user:role:typeuser:role:domain or user:role:type e.g. root:sysadm_r:sysadm_t or e.g. root:sysadm_r:sysadm_t or

root:user_r:user_troot:user_r:user_t


Edit policy/file_contexts/ Edit policy/file_contexts/ {types.fc,program/*.fc} for your site{types.fc,program/*.fc} for your site Check the pathnames against your file system Check the pathnames against your file system

layoutlayout Ensure that your current configuration is Ensure that your current configuration is

not set up to run an X Display Manager not set up to run an X Display Manager (xdm, gdm, kdm)(xdm, gdm, kdm) he default runlevel specified inhe default runlevel specified in /etc/inittab should be runlevel 3 (Full multiuser /etc/inittab should be runlevel 3 (Full multiuser

mode)mode)


Perform the quick installPerform the quick install make quickinstallmake quickinstall When the kernel configuration menu is When the kernel configuration menu is

displayed, configure the kernel for your displayed, configure the kernel for your hardware as appropriatehardware as appropriate

Configure your boot manager to boot Configure your boot manager to boot the SELinux kernelthe SELinux kernel e.g. if you use the LILO boot manager, e.g. if you use the LILO boot manager,

configure /etc/lilo.conf, and run /sbin/liloconfigure /etc/lilo.conf, and run /sbin/lilo

InstallationInstallation Boot the SELinux kernel and login in the Boot the SELinux kernel and login in the

sysadm_r role and sysadm_t domain(e.g. using sysadm_r role and sysadm_t domain(e.g. using “root”)“root”)

Run setfiles again to ensure that files created Run setfiles again to ensure that files created by the old kernel during the shutdown are by the old kernel during the shutdown are properly labeledproperly labeled cd policycd policy make relabel make relabel

Add /usr/local/selinux/bin and Add /usr/local/selinux/bin and /usr/local/selinux/sbin to your path for the /usr/local/selinux/sbin to your path for the modified utilitiesmodified utilities


After installation, we can try the following After installation, we can try the following commands to see if it is installed correctlycommands to see if it is installed correctly

‘ ‘ ps -e --context ‘ps -e --context ‘ The second column should show the security The second column should show the security

context of each processcontext of each process Has the syntax user:role:domain or user:role:typeHas the syntax user:role:domain or user:role:type

‘ ‘ ls -- context / ‘ls -- context / ‘ The fourth column should show the security The fourth column should show the security

context of each file or directory in /context of each file or directory in /

InstallationInstallation ps -e --contextps -e --context

PIDPID SIDSID CONTEXTCONTEXT COMMANDCOMMAND

11 7 7 system_u:system_r:init_tsystem_u:system_r:init_t init [3]init [3]

22 7 7 system_r:system_r:init_tsystem_r:system_r:init_t [keventd][keventd]

...... …… …… ……

855855 245245 system_u:system_r:local_login_tsystem_u:system_r:local_login_t login --rootlogin --root

856856 244244 system_u:system_r:getty_tsystem_u:system_r:getty_t /sbin/mingetty tty2/sbin/mingetty tty2





863863 246246 root:sysadm_r:sysadm_troot:sysadm_r:sysadm_t -bash-bash

910910 246246 root:sysadm_r:sysadm_troot:sysadm_r:sysadm_t ps -e --contextps -e --context

InstallationInstallation ls -- context /ls -- context /drwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:bin_tsystem_u:object_r:bin_t binbindrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:boot_tsystem_u:object_r:boot_t bootbootdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:device_tsystem_u:object_r:device_t devdevdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:etc_tsystem_u:object_r:etc_t etcetcdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:user_home_tsystem_u:object_r:user_home_thomehomedrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t initrdinitrddrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:lib_tsystem_u:object_r:lib_t liblibdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:lost_found_tsystem_u:object_r:lost_found_t lost+foundlost+founddrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t miscmiscdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t mntmntdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:file_tsystem_u:object_r:file_t optoptdr-xr-xr-x rootdr-xr-xr-x root rootroot system_u:object_r:proc_tsystem_u:object_r:proc_t procprocdrwxr-x--- rootdrwxr-x--- root rootroot system_u:object_r:sysadm_home_tsystem_u:object_r:sysadm_home_t rootrootdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:sbin_tsystem_u:object_r:sbin_t sbinsbindrwxrwxrwx rootdrwxrwxrwx root rootroot system_u:object_r:tmp_tsystem_u:object_r:tmp_t tmptmpdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:usr_tsystem_u:object_r:usr_t usrusrdrwxr-xr-x rootdrwxr-xr-x root rootroot system_u:object_r:var_tsystem_u:object_r:var_t varvar

Customizing the policyCustomizing the policy

What we can doWhat we can do Adding usersAdding users Adding permissionsAdding permissions Adding programs to an existing domainAdding programs to an existing domain Creating a new domainCreating a new domain Creating a new typeCreating a new type Creating a new roleCreating a new role


Adding usersAdding users If we want to add a user If we want to add a user stevesteve to the to the

system who should be authorized for system who should be authorized for both the both the user_ruser_r and and sysadm_rsysadm_r roles roles

Add an entry to the Add an entry to the policy/userspolicy/users files: files:user steve roles { user_r sysadm_r }user steve roles { user_r sysadm_r }

Run Run make loadmake load to reload the policy to reload the policy


Adding programs to an existing domainAdding programs to an existing domain Locate an appropriate domain by Locate an appropriate domain by

examining the existing programs domains under examining the existing programs domains under policy/domains/programpolicy/domains/program

examining how existing programs are examining how existing programs are associated with the executable types for those associated with the executable types for those domains in domains in policy/file_contexts/programpolicy/file_contexts/program

Relabel the program byRelabel the program by# make relabel# make relabel


Creating a new roleCreating a new role Create a new domain to be used as the Create a new domain to be used as the

initial login domain for the roleinitial login domain for the role Define role declaration in Define role declaration in policy/rbacpolicy/rbac Reload the policyReload the policy

# # make loadmake load Add an entry for the role inAdd an entry for the role in

/etc/security/default_type/etc/security/default_type


SELinux installation helpSELinux installation help

Stephen Smalley, “Configuring the SELinux Policy”, Stephen Smalley, “Configuring the SELinux Policy”,

20022002

Stephen Smalley and Timothy Fraser, “A Security Stephen Smalley and Timothy Fraser, “A Security

Policy Configuration for the Security-Enhanced Policy Configuration for the Security-Enhanced

Linux”, 2001Linux”, 2001

http://www.nsa.gov/selinuxhttp://www.nsa.gov/selinux


National Security Agency. National Security Agency. Security Enhanced LinuxSecurity Enhanced Linux, December , December 8, 2004. http://www.nsa.gov/selinux/index.cfm8, 2004. http://www.nsa.gov/selinux/index.cfm

Thompson, Kerry. Thompson, Kerry. The UnOfficial SELinux FAQThe UnOfficial SELinux FAQ, June 15, 2004. , June 15, 2004. http://www.crypt.gen.nz/selinux/faq.htmlhttp://www.crypt.gen.nz/selinux/faq.html

Wade, Karsten. Wade, Karsten. Fedora Core 3 SELinux FAQFedora Core 3 SELinux FAQ, November 9, 2004. , November 9, 2004. http://fedora.redhat.com/docs/selinux-faq-fc3/index.htmlhttp://fedora.redhat.com/docs/selinux-faq-fc3/index.html

Smally, Stephen. Smally, Stephen. Configuring the SELinux PolicyConfiguring the SELinux Policy, February , February 2002, revised January 2003. NAI Labs. 2002, revised January 2003. NAI Labs. <URL:http://www.nsa.gov/selinux/papers/policy2-abs.cfm><URL:http://www.nsa.gov/selinux/papers/policy2-abs.cfm>

Secure Computing Corporation. Secure Computing Corporation. The Origin of SidewinderThe Origin of Sidewinder®® G2 G2 FirewallFirewall, December 8, 2004. , December 8, 2004. http://www.securecomputing.com/index.cfm?skey=1024http://www.securecomputing.com/index.cfm?skey=1024


OSDGroup LLC. OSDGroup LLC. Module 13 – SELinux OverviewModule 13 – SELinux Overview, December 8, , December 8, 2004. 2004. http://www.bradfordlearning.com/en/courseware/sample_chahttp://www.bradfordlearning.com/en/courseware/sample_chapters/se_linux_sample_chapter.pdfpters/se_linux_sample_chapter.pdf

SourceFORGE.net. SourceFORGE.net. SELinux BackgroundSELinux Background, December 8, 2004. , December 8, 2004. http://selinux.sourceforge.net/background.php3http://selinux.sourceforge.net/background.php3

Hallyn, Serge Edward. Hallyn, Serge Edward. Domain and Type Enforcement in LinuxDomain and Type Enforcement in Linux. . The College of William and Mary in Virginia. The College of William and Mary in Virginia. <URL:http://www.cs.wm.edu/~kearns/dissertations.d/serge.p<URL:http://www.cs.wm.edu/~kearns/dissertations.d/serge.pdf> df>

Bleher, Thomas. Source file: domains/program/Bleher, Thomas. Source file: domains/program/apache.teapache.te (patch), November 30, 2004. (patch), November 30, 2004. <URL:http://www.cip.ifi.lmu.de/~bleher/cgi-bin/archzoom.cgi/<URL:http://www.cip.ifi.lmu.de/~bleher/cgi-bin/archzoom.cgi/[email protected]/policy--suse--0--patch-12?log>[email protected]/policy--suse--0--patch-12?log>

More InformationMore Information

SELinux Homepage: SELinux Homepage: www.nsa.gov/selinuxwww.nsa.gov/selinux SELinux Mailing list: SELinux Mailing list:

http://www.nsa.gov/selinux/info/list.cfm?Mhttp://www.nsa.gov/selinux/info/list.cfm?MenuID=41.1.1.9enuID=41.1.1.9

Redhat SELinux Mailing List: Redhat SELinux Mailing List: http://www.redhat.com/mailman/listinfo/fehttp://www.redhat.com/mailman/listinfo/fedora-selinux-listdora-selinux-list

Fedora SELinux Wiki: Fedora SELinux Wiki: http://fedoraproject.org/wiki/SELinuxhttp://fedoraproject.org/wiki/SELinux

http://www.nsa.gov/selinux

http://www.nsa.gov/selinux/info/list.cfm?MenuID=41.1.1.9

http://www.nsa.gov/selinux/info/list.cfm?MenuID=41.1.1.9

http://www.redhat.com/mailman/listinfo/fedora-selinux-list

http://www.redhat.com/mailman/listinfo/fedora-selinux-list

security-enhanced linux. references implementation of security-enhanced linux by yue cui, xiang...

Documents