Security-Enhanced Linux - PowerPoint PPT Presentation

Provided by: csClemson

1
Security-Enhanced Linux
  • Eric Harney
  • CPSC 481

2
What is SELinux?
  • Developed by NSA
  • Released in 2000
  • Adds additional security capabilities to Linux
  • Maintains compatibility with existing software
  • Designed to enforce separation of information
    based on confidentiality and integrity
    requirements.
  • Open source
  • GPL

3
Mandatory Access Control
  • Exists on top of traditional Unix DAC
  • Administrator defines a policy
  • Kernel enforces this policy
  • Doesn't trust the application
  • Doesn't trust the user

4
Role-Based Access Control
  • Users are assigned to one or more roles
  • Roles indicate which type domains a user may
    access
  • Similar to traditional Unix uid
  • Used to separate privileges
  • Each daemon may have its own role
  • Example roles include system_r, sysadm_r, user_r
  • Role transitions must be defined

5
Type Enforcement
  • Types are assigned to files
  • Designate categories of files
      • Web server
      • Database server
      • Mail server
      • Regular users
  • Stored in the file system
  • Types are assigned to processes as domains
  • Domains are closely related to types

6
Principle of Least Privilege
  • Reduces the power of the root account
  • Process running as root is still restricted
  • Services cannot access each other's data
  • Compromising one service only allows access or
    damage to its own data

7
Policies
  • A policy is a set of rules which specifies
    allowable behavior
  • Strict versus targeted
  • Enumerating good versus bad behavior
  • No default permit
  • Defines
      • Types for file objects
      • Domains for processes
      • Roles
      • User identities
  • Highly configurable with booleans

8
Example Policy Statements
  • Type enforcement
      • allow sshd_t sshd_exec_t:file { read execute entrypoint };
      • allow sshd_t sshd_tmp_t:file { create read write getattr setattr link unlink rename };
      • allow sshd_t user_t:process transition;
  • Role definitions
      • role system_r types { kernel_t initrc_t getty_t klogd_t };
      • role user_r types { user_t user_netscape_t };
      • role sysadm_r types { sysadm_t run_init_t };

9
Benefits of SELinux
  • Helps prevent damage from unknown or unpatched
    exploits
  • Provides fine-grained access control to all parts
    of system
  • Allows a customized level of security

10
Example Attack
  • Apache web server running as root with httpd_t
  • Malicious user causes a buffer overflow in Apache
    and executes arbitrary code
  • User directs Apache to fetch /etc/shadow and
    serve it to the web client
  • File read passes DAC, but /etc/shadow is assigned
    type shadow_t
  • Apache's httpd_t role has no access to shadow_t
    domain: access denied
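
The decision path on this slide can be modelled in a few lines. This is an added example, not part of the original presentation: it parses allow rules in the syntax of slide 8 and evaluates a request against a simplified DAC check and then type enforcement with no default permit. The httpd_t rule, the httpd_sys_content_t type, and the file owners and modes are assumptions constructed for the illustration.

```python
import re

# Constructed policy: the sshd_t rules are the ones from slide 8; the httpd_t
# rule and the httpd_sys_content_t type are assumptions for this example.
POLICY = """
allow sshd_t sshd_exec_t:file { read execute entrypoint };
allow sshd_t sshd_tmp_t:file { create read write getattr setattr link unlink rename };
allow sshd_t user_t:process transition;
allow httpd_t httpd_sys_content_t:file { read getattr };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]+)\}|(\w+))\s*;")

def parse_policy(text):
    """Return {(source_domain, target_type, object_class): set(permissions)}."""
    rules = {}
    for m in RULE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced if braced is not None else single).split())
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def dac_allows(uid, owner_uid, mode, want):
    """Simplified Unix DAC: root bypasses mode bits; group bits are ignored."""
    if uid == 0:
        return True
    bit = {"read": 4, "write": 2, "execute": 1}[want]
    shift = 6 if uid == owner_uid else 0
    return bool((mode >> shift) & bit)

def te_allows(rules, domain, target_type, cls, perm):
    """Type enforcement: a missing rule is a denial (no default permit)."""
    return perm in rules.get((domain, target_type, cls), set())

def access(rules, uid, domain, obj, perm):
    """Both layers must permit the request; returns (allowed, deciding layer)."""
    if not dac_allows(uid, obj["owner"], obj["mode"], perm):
        return False, "DAC"
    if not te_allows(rules, domain, obj["type"], "file", perm):
        return False, "TE"
    return True, "allowed"

RULES = parse_policy(POLICY)
# Constructed file objects: owner uid, mode bits and SELinux type.
SHADOW = {"owner": 0, "mode": 0o600, "type": "shadow_t"}
INDEX = {"owner": 0, "mode": 0o644, "type": "httpd_sys_content_t"}

if __name__ == "__main__":
    print(access(RULES, 0, "httpd_t", SHADOW, "read"))  # root in httpd_t vs shadow_t
    print(access(RULES, 0, "httpd_t", INDEX, "read"))   # root in httpd_t vs web content
```

The first request is the one from the slide: uid 0 passes DAC, but no rule grants httpd_t read on shadow_t, so type enforcement refuses it.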

11
Possible Attacks
  • Kernel protection is not substantially increased
  • A buffer overflow in kernel space could still be
    disastrous
  • An attacker compromising your login credentials
    still means game over
  • SELinux policies are complex - an incorrectly
    written policy also means game over

12
Availability
  • Included in standard mainline Linux kernel
  • Only well supported by some distributions
      • Red Hat Enterprise Linux
      • Fedora
      • Gentoo (Hardened Gentoo)
  • Will be evaluated for Common Criteria compliance
    in the future