Friday, January 15, 2010

2. SELinux Basics


Mandatory Access Control (MAC) SELinux
   
Benefits of using the MAC model
  • MAC requires more system administration expertise.
  • Some object-oriented thinking is required to configure it. The entities in the system are divided into two groups:
  1. Subjects - users and processes
  2. Objects  - files on the system (text/binary/sockets/named pipes etc.)
  • Offers more granular/fine-grained control of security. This means the ability to restrict access to objects at a very low level (e.g. read/write/entering a directory, locking a file, accessing a different context area within memory etc.).
  • SELinux is compiled into the kernel and supported via the Linux Security Modules (LSM) framework.

Determine whether the kernel supports SELinux
Step 1
# cd /boot/
# grep -i selinux config-`uname -r`

    This lists the SELinux configuration options of the currently loaded kernel.
Step 2
# sestatus -v
    This reports the current status of SELinux. "policycoreutils" is the package that installs the
sestatus binary. This RPM also installs the most commonly used SELinux binaries.
  • SELinux (a MAC-based system) requires labeling of objects and subjects. In order to determine access, the subjects and objects must be labelled. Here we set the given role and permissions on the subject, and they must match the object's role and permissions. /usr/sbin/setfiles is the binary that sets the labels on subjects and objects.
  • MAC-based systems are ideal for internet-facing systems running httpd, named, mysqld etc. The targeted policy in SELinux ships with policies that support these daemons.
  • The MAC checks performed by SELinux occur after the DAC-based checks.
  • SELinux denies interaction between subjects and objects by default.
  • SELinux supports Type Enforcement (TE). TE is the way for us to label and group various subjects and objects, i.e. it ties processes (subjects) to files (objects).
  • TE also allows the creation of domains. A domain means assigning various subjects into a group, i.e. grouping httpd, htpasswd and htdigest into a group called httpd_r, which equals a domain. We can then set permissions for this domain to access various objects.
    
SELinux MODES:
    SELinux functions in 3 modes
1. Enforcing
    In this mode SELinux applies the defined policies. In Red Hat Linux the default policy is called "Targeted". This policy is applied in enforcing mode. Any violation of this policy results in denial of access to the object and also raises an alarm.

2. Permissive
    The policy (Targeted) is applied, but instead of denying it simply logs. It permits the subject to access the objects. So this mode can be used to log violations and test whether an application is compatible with the targeted policy.

3. Disabled
    The policy (Targeted) and SELinux are disabled.

Switching the SELinux Mode:

To enable SELinux in permissive mode, change the configuration in the following file. This method requires a system
reboot.

# cd /etc/selinux
# vim config
SELINUX=permissive
#SELINUX=enforcing
SELINUXTYPE=targeted

Another method of enabling SELinux (also needs a system reboot):
# system-config-securitylevel
    Check the "Enabled" option only; this makes SELinux enabled in permissive mode. If you need to
run in enforcing mode, you have to select the Enforcing option as well.

3rd method of enabling SELinux
# vim /etc/grub.conf
#add the following to the kernel line
selinux=1
#selinux=0 disables SELinux; enforcing=0 boots it in permissive mode

    This applies to all kernels that support SELinux (2.4 or 2.6)

Note:
Once the system has rebooted and is running in permissive mode, we can use the following command to switch SELinux to enforcing mode without a reboot:
# echo 1 > /selinux/enforce
    The /selinux directory is like /proc, a pseudo filesystem whose files live in memory. All the SELinux labels are presented in this directory.

SELinux Permissive mode:
    After enabling and rebooting the machine, use the following to check the SELinux status.
# sestatus
    This shows the status, SELinux mount point, mode (permissive or enforcing), policy version etc.
  • Permissive mode allows the applications to run, and all violations of the security policy are logged in /var/log/messages.
  • The policy version that ships with RHEL 4 is version 18. The policy is written in source form based on the M4 macro language and compiled into binary format.
  • /etc/selinux/targeted houses the source and binary files of the targeted policy. The source policy may not be installed, but the binary policy must be installed to operate SELinux.
  • /etc/selinux/targeted/policy contains the policy binary. selinux-policy-targeted is the package that installs the policy binary.
  • The /etc/selinux/targeted/booleans file defines the daemons that the targeted policy covers.

Booting Process of SELinux (How INIT handles the SELinux startup):
    After the BIOS starts, it hands off control to GRUB. GRUB initializes the kernel. The kernel then initializes all the hardware and hands over to INIT, the very first process on the Linux machine. In a SELinux environment init has to decide whether SELinux can be supported or not.
  1. /proc/filesystems contains the details of the filesystems supported by the kernel. INIT searches for "selinuxfs" in /proc/filesystems. If it is not present, SELinux support will not be enabled.
  2. If enforcing=1 or enforcing=0 is passed on the kernel command line at boot time in GRUB, INIT will attempt to start in Enforcing (enforcing=1) or Permissive (enforcing=0) mode respectively.
  3. If no keyword is given on the GRUB command line, INIT checks /etc/selinux/config and starts SELinux according to the config file. The GRUB command line overrides all the settings in the config file.
  4. Loads the SELinux environment, which includes mounting /selinux.
  5. INIT reloads itself into the 'unconfined_t' domain. All processes that are not targeted are associated with the 'unconfined_t' domain.
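The mode-switching section and the boot sequence above describe three places a mode can come from (selinuxfs support, the GRUB kernel line, /etc/selinux/config). The function below is an added example, not code from the original post: it replays that decision order so you can see which setting wins. It takes stand-in files for /proc/filesystems, /proc/cmdline and /etc/selinux/config (the real files are used when no arguments are given); treating an absent or unreadable SELINUX= setting as disabled is an assumption of this example.

```shell
# Added example (not from the original post): replay init's SELinux mode decision.
selinux_effective_mode() {
    filesystems="${1:-/proc/filesystems}"
    cmdline="${2:-/proc/cmdline}"
    config="${3:-/etc/selinux/config}"

    # Step 1: no selinuxfs in the kernel's filesystem list means no SELinux at all
    grep -q 'selinuxfs' "$filesystems" 2>/dev/null || { echo disabled; return 0; }

    # Steps 2-3: the kernel command line overrides the config file. enforcing=1/0
    # selects enforcing/permissive; selinux=0 turns SELinux off regardless.
    override=""
    for tok in $(cat "$cmdline" 2>/dev/null); do
        case "$tok" in
            selinux=0)   echo disabled; return 0 ;;
            enforcing=1) override=enforcing ;;
            enforcing=0) override=permissive ;;
        esac
    done
    if [ -n "$override" ]; then echo "$override"; return 0; fi

    # Step 3 fallback: the SELINUX= line of the config file, comment lines ignored,
    # value compared case-insensitively
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$config" 2>/dev/null \
           | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo disabled ;;   # assumption: absent/unreadable setting counts as disabled
    esac
}

# On a live machine, print what init would have decided for this boot
[ -r /proc/cmdline ] && selinux_effective_mode
```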

Thursday, January 14, 2010

1. SELINUX - Introduction

SELINUX

Introduction:
Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat. It provides essentially a kernel firewall. Typically every OS runs with a discretionary access control mechanism (DAC). This means a process runs with the privileges of its user. It also means a user on the system has full discretion over granting access to resources owned by that user. In a Mandatory Access Control (MAC) system, however, the security admin is responsible for defining the policies of access/restrictions for subject-to-object access. It involves labeling subjects and objects.

     SELinux provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel. Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user's permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. SELinux defines the access and transition rights of every user, application, process, and file on the system. SELinux then governs the interactions of these entities using a security policy that specifies how strict or lenient a given Red Hat Enterprise Linux installation should be. On a day-to-day basis, system users will be largely unaware of SELinux. Only system administrators need to consider how strict a policy to implement for their server environment. The policy can be as strict or as lenient as needed, and is very finely detailed. This detail gives the SELinux kernel complete, granular control over the entire system.

The SELinux Decision Making Process:
When a subject (for example, an application) attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where subject and object permissions are cached. If a decision cannot be made based on data in the AVC, the request continues to the security server, which looks up the security context of the application and the file in a matrix. Permission is then granted or denied, with an avc: denied message detailed in /var/log/messages if permission is denied. The security context of subjects and objects is applied from the installed policy, which also provides the information to populate the security server's matrix.
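The avc: denied records that end up in /var/log/messages (here, and in the permissive-mode notes of the "SELinux Basics" post) are what an administrator reads to see which subject context was refused which permission on which object class. The function below is an added example, not code from the original post: it groups such records by process, source type, target type, class and permission so that a permissive-mode test run can be reviewed at a glance. The log lines are constructed for this example in the shape of RHEL 4 kernel audit messages.

```shell
# Added example (not from the original post): summarise "avc: denied" records.
avc_denials() {
    log="${1:-/var/log/messages}"   # default to the file the post names
    grep 'avc: *denied' "$log" 2>/dev/null | awk '
    {
        perms = ""; comm = ""; s = ""; t = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {           # "{ read write }" -> "read write"
            perms = substr($0, RSTART + 1, RLENGTH - 2); gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="?|"$/, "", comm) }
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        split(s, sp, ":"); split(t, tp, ":")      # user:role:type -> type (field 3)
        key = comm " " sp[3] " " tp[3] " " cls " " perms
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Constructed sample log (not real data) with two httpd denials, one named denial
# and one unrelated syslog line that must be ignored
AVC_SAMPLE=$(mktemp)
cat > "$AVC_SAMPLE" <<'EOF'
Jan 14 10:21:33 web1 kernel: audit(1263464493.123:42): avc:  denied  { read } for  pid=2917 comm="httpd" name="index.html" dev=sda2 ino=131093 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan 14 10:21:33 web1 kernel: audit(1263464493.124:43): avc:  denied  { read } for  pid=2917 comm="httpd" name="style.css" dev=sda2 ino=131094 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan 14 10:22:01 web1 kernel: audit(1263464521.005:44): avc:  denied  { name_bind } for  pid=3001 comm="named" scontext=root:system_r:named_t tcontext=system_u:object_r:port_t tclass=udp_socket
Jan 14 10:22:05 web1 sshd[3020]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
EOF

# count  comm  source type  target type  class  permissions
avc_denials "$AVC_SAMPLE"
```

Run it against the real file with `avc_denials` (no argument) after a permissive-mode test; each output line is one distinct subject-type/object-type/class/permission combination that an enforcing-mode boot would block.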

SELINUX DAC / MAC CONCEPTS

3 common access control models:

    1. Discretionary Access Control (DAC)
                    This is the default model. Users have the right to grant or deny access to objects.
 Major problems with the DAC-based system:
  • These are prone to malware and malicious software.
  • Setuid or setgid files are vulnerable when a daemon is compromised and gains access.
  • Access to all objects in the system is based on the identity of the user.
  • The default policy is liberal in allowing access to objects.
    2. Mandatory Access Control (MAC) - SELINUX
                     This is implemented by SELinux.
Benefits of using the MAC model
  • MAC requires more system administration expertise.
  • Some object-oriented thinking is required to configure it. The entities in the system are divided into two groups:
  1. Subjects - users and processes
  2. Objects  - files on the system (text/binary/sockets/named pipes etc.)
  • Offers more granular/fine-grained control of security. This means the ability to restrict access to objects at a very low level (e.g. read/write/entering a directory, locking a file, accessing a different context area within memory etc.).
    3. Non-Discretionary Access Control (nDAC)
                       It is almost like a hybrid between DAC and MAC.
  • Administrator defines the DAC control for the entire system