SELinux - What the hell does that mean? disoray thelug : DC214 [email protected]

Upload: darren-palmer

Post on 02-Jan-2016


TRANSCRIPT

SELinux - What the hell does that mean?

disoray thelug : DC214

[email protected]

200612 - disoray SELinux 2

Agenda

- Who is this guy?
- What is this crap?
- OK, who cares?
- Fine, fine, some technical stuff for the masses.
- Uh, I don’t get it.

- Who is this guy?


Who is this guy anyway? (disoray)

- Nobody really
- Glorified Script-Kiddy
- Mostly a lurker
- Never done anything worth mentioning
- Founder: thelug, The Hectic Eclectic Linux User Group (dead, see 1st bullet)
- Member of: Nothing really
- Someone who doesn’t sleep well. Ever.
- Not experienced with SELinux

- What is this crap?


Wikipedia says:

Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD.


What is SELinux?

- A kernel level MAC (Mandatory Access Control) implementation for Linux
- Originally commissioned and built by/for the NSA
- A big-fat-giant head-ache for the uninitiated
- Very cool if done right (not the usual case, BTW)
- One of three well known MAC implementations; others include Trusted Solaris and Mainframe under “Top Secret” (as opposed to RACF).


What is MAC?

Not an Apple product.

- MAC: Mandatory Access Control. I own it, not you. Ex: Directory “Secret” is owned by “Agent”. “Agent” does not have authority to grant access to others. Only the “Owner” does.
- DAC: Discretionary Access Control. It’s yours, do what you will. Same example: “Agent” can grant access to whomever she cares.
- RBAC: Role Based Access Control. Depending on what your role is, maybe. If “Agent” has the correct Role, she can, otherwise she can’t.


SELinux past tense.

Auditing and reporting support very limited and poorly integrated in SELinux.

One big giant nasty policy.

No decent interface for managing policies.

Building policies was a flat file hack style.

Fresh files got no label. You had to comb the system to find and label them manually.

Poor scalability with SMP.


Recent improvements.

FC4 policy now has over 120 confined domains, updates in Hardened Gentoo, and support being mainstreamed into Debian.

Multi Level Security support enhanced and mainstreamed.

Audit system enhanced and increasingly integrated.

RHEL5 entered into evaluation against CAPP, LSPP, and RBAC with SELinux coverage.

Loadable policy modules, build and package policy modules separately.

Policy management API (libsemanage)

Improved support for policy development: Polgen, SEEdit, SLIDE, CDS Framework.

Atomic labeling of new files.

File security labels visible for all filesystems exactly as seen by SELinux.

Major improvements in SMP scalability.

Significant reduction in kernel memory use by policy.

- OK, who cares?


Well, the NSA sure cares!

Researchers in the Information Assurance Research Group of the National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS. The NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask. The NSA has now integrated the Flask architecture into the Linux operating system to transfer the technology to a larger developer and user community.

- NSA Website


So, what’s the point?

Primarily for Government: systems containing certain classifications of data are required to run under a MAC solution.

Helps with audits too. Though not necessary, a MAC solution can make many of today’s corporate audits MUCH easier.


Terminology.

- Subject: A domain or process.
- Object: A resource (file, directory, socket, etc.).
- Types: A security attribute for files and other objects.
- Roles: A way to define what “types” a user can use.
- Identities: Like a username, but specific to SELinux.
- Contexts: Using a type, role and identity is a “Context.”
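The terminology above, together with the “Agent owns Secret” example from the “What is MAC?” slide, as an added toy model that is not part of the original deck: a context string is parsed into identity:role:type, the role gates which types a subject may run in, and a constructed allow table (the types user_t, sysadm_t, user_home_t, secret_t and the rules are made up) is the only thing that grants access, so nothing the object’s owner does changes the answer.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """An SELinux security context: identity:role:type (an MLS level may follow and is ignored here)."""
    identity: str
    role: str
    type: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":")
        if len(parts) < 3 or not all(parts[:3]):
            raise ValueError(f"malformed context: {text!r}")
        return cls(parts[0], parts[1], parts[2])


# Roles limit which types a subject may run in (constructed sample policy).
ROLE_TYPES = {"user_r": {"user_t"}, "sysadm_r": {"sysadm_t"}}

# Type-enforcement rules, constructed: (source type, target type, class) -> perms.
# This table is the policy. Under MAC it decides, not the file's owner:
# "Agent" owning a secret_t directory gives her no way to add a rule here.
ALLOW = {
    ("user_t", "user_home_t", "file"): {"read", "write"},
    ("sysadm_t", "secret_t", "file"): {"read"},
}


def role_allows(subject: Context) -> bool:
    """Role check: may the subject's role use the subject's type?"""
    return subject.type in ROLE_TYPES.get(subject.role, set())


def check(subject_ctx: str, object_ctx: str, cls: str, perm: str) -> bool:
    """MAC decision: the role must permit the type, and only an allow rule grants the permission."""
    subject = Context.parse(subject_ctx)
    obj = Context.parse(object_ctx)
    if not role_allows(subject):
        return False
    return perm in ALLOW.get((subject.type, obj.type, cls), set())


if __name__ == "__main__":
    print(check("agent_u:user_r:user_t", "agent_u:object_r:user_home_t", "file", "write"))  # True
    print(check("agent_u:user_r:user_t", "agent_u:object_r:secret_t", "file", "read"))      # False
    print(check("root:sysadm_r:sysadm_t:s0", "agent_u:object_r:secret_t", "file", "read"))  # True
```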


How does this apply to “you”?

Let’s define “you” first:

- Hobbyist/Enthusiast: Students, Average Gamer, etc.
- Corporate systems guy: SysAdmin, Architect, etc.
- Cracker/Malicious Type


Hobbyist/Enthusiast

How it applies: Well, it pretty well doesn’t. At this point, the only folks directly impacted by SELinux are those who manage the boxes, audit the boxes, or try to hack the boxes that are running it.

Indirectly: you can sleep better, we promise. ;-)


Corporate Systems Guy

- A *REALLY* big pain. That whole “minimum privileges” thing can suck when you get into the details.
- A *REALLY* big help. Compliance sucks. Being able to produce the type of reporting available with SELinux is great.
- For systems running multiple clients or other entity types, think of it as a chroot jail that you can wrap around most anything.
- An opportunity for training dollars -- “Hey boss, this stuff is a real trick!”


Cracker/Malicious Type

- Today, extremely annoying. A new (well, kind of anyway) puzzle to tinker with.
- Not really a big deal unless they’re working against government systems. Very few corporate shops are running it today.
- Still just another control model, just like DAC or RBAC. Granted, a lot tighter than DAC, and has many similarities to RBAC.

- Fine, fine, some technical stuff for the masses.


Reference material.

The NSA Site:

http://www.nsa.gov/selinux/

The Wikipedia reference:

http://en.wikipedia.org/wiki/SELinux

Heh, a “symposium”:

http://selinux-symposium.org/

- Uh, I don’t get it.