introduction to selinux part-i

Introducing SELinux Part I Anand Tanksali

Upload: nu-the-open-security-community

Post on 24-Jun-2015


DESCRIPTION

null Mumbai May - 2012 Meet

TRANSCRIPT

Page 1: Introduction to SELinux Part-I

Introducing SELinux Part I

Anand Tanksali

Page 2: Introduction to SELinux Part-I

OS Layers

Applications & Userland

Privileged User

Kernel

Operating System

Hardware

Page 3: Introduction to SELinux Part-I

What is DAC?

Discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria[1] "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject".

Page 4: Introduction to SELinux Part-I

DAC based systems

Linux

BSD

Solaris

Please note that this does not represent an exhaustive list.

Page 5: Introduction to SELinux Part-I

What is MAC?

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place.


Page 6: Introduction to SELinux Part-I

Examples for a MAC based System

• SELinux

• Trusted BSD (for BSD-based systems only)

• Trusted Solaris, or what was Solaris 10

Page 7: Introduction to SELinux Part-I

Securing a Linux distro.

/etc/sysctl.conf

Restrict root logins.

Configure IP-Tables.

Reconfigure the kernel.

Uninstall / disable unnecessary daemons.

/etc/default/security

/etc/pam.d

Enable Auditing.

Chroot.

Please note that this does not represent an exhaustive list.

Page 8: Introduction to SELinux Part-I

Problems persist……

Access is based upon the user's access

Processes can change security properties

Standard access control is discretionary

Privilege levels are user & root

Page 9: Introduction to SELinux Part-I

History of SELinux

SELinux was originally a development project from the National Security Agency (NSA)[1] and others.

The NSA integrated SELinux into the Linux kernel using the Linux Security Modules (LSM) framework.

The next evolution of SELinux was as a loadable kernel module for the 2.4.<x> series of Linux kernels. This module stored PSIDs in a normal file, and SELinux was able to support more file systems.

The SELinux code was integrated upstream to the 2.6.x kernel, which has full support for LSM and has extended attributes (xattrs) in the ext3 file system. SELinux was moved to using xattrs to store security context information.

Page 10: Introduction to SELinux Part-I

The SELinux advantage

Ability to confine services.

Auditing logs for reporting.

Provide fine grained access control.

Provides a system wide policy when in enforcing mode.

Please note that this does not represent an exhaustive list.

Page 11: Introduction to SELinux Part-I

GUI Screen

Page 12: Introduction to SELinux Part-I

Terminal Output

Output from a Linux system

daemonology@darkstar:~$ ls -la /var/www/index.html

-rw-r--r--. 1 root root 177 2011-05-10 21:31 /var/www/index.html

Output from a SELinux system

daemonology@darkstar:~$ ls -Z /var/www/html/index.html

-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/index.html
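
The label in the ls -Z output above is the security attribute that the kernel check described on the "What is MAC?" slide operates on. The Python sketch below is an added example, not part of the original slides: it parses that label and models a DAC mode-bit check beside a default-deny type lookup. The httpd_t process context, the shadow_t label and the single allow rule are assumptions constructed for illustration, not a real policy.

```python
import stat

def parse_context(label):
    """Split 'user:role:type[:level]'; the optional level may itself contain colons."""
    parts = label.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {label!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}

def dac_allows_read(uid, gid, owner_uid, owner_gid, mode):
    """Owner/group/other read bits; uid 0 bypasses them (CAP_DAC_OVERRIDE in real kernels)."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

# Constructed allow rules: (source type, target type, object class) -> permissions.
# Anything not listed is denied, whoever the user is.
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
}

def mac_allows(source_ctx, target_ctx, obj_class, perm):
    """Decide on the type fields only; user identity plays no part in this lookup."""
    key = (parse_context(source_ctx)["type"], parse_context(target_ctx)["type"], obj_class)
    return perm in ALLOW.get(key, set())

def access_read(uid, gid, source_ctx, target_ctx, owner_uid, owner_gid, mode):
    """Both checks must pass: the MAC check can only restrict further what DAC permits."""
    return (dac_allows_read(uid, gid, owner_uid, owner_gid, mode)
            and mac_allows(source_ctx, target_ctx, "file", "read"))

WEB_FILE = "system_u:object_r:httpd_sys_content_t"  # label from the ls -Z output above
HTTPD = "system_u:system_r:httpd_t"                 # assumed context of the web server process
SHADOW = "system_u:object_r:shadow_t:s0"            # constructed label for a sensitive file

if __name__ == "__main__":
    print(access_read(0, 0, HTTPD, WEB_FILE, 0, 0, 0o644))  # web content, rule present
    print(access_read(0, 0, HTTPD, SHADOW, 0, 0, 0o000))    # root passes DAC, no MAC rule
```
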

Page 13: Introduction to SELinux Part-I