SELinux basics
3 likes2,783 views
The document introduces SELinux, which uses mandatory access control (MAC) in addition to traditional UNIX discretionary access control (DAC). SELinux labels processes and files with security contexts that define access permissions in the security policy. The policy controls access between labeled processes and files through type enforcement rules. System administrators can manage labels and policy using tools like semanage and restorecon.
SELinux basics
- 2. Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
- 3. SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
- 4. DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
- 5. Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
- 6. Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
- 7. File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- 8. Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
- 9. Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
- 10. Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
- 11. What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context
- 13. Traditional UNIX DAC approach ● Owner controls access to object ● File owner/group ● Process with effective UID/GID ● File mode ● Almighty root user above the rules
- 14. SELinux MAC approach ● Policy controls access to objects ● Labeled objects (files, sockets, …) ● Labeled processes (domains) ● Policy rules ● Concept of “almighty” unconfined processes is defined within policy …
- 15. DAC and MAC at the same time ● Allows for tighter privilege control UNIX SELinux File owner/group: UID/GID File context (FC): label Process effective user/group: UID/GID Process domain: label File mode Type Enforcement (TE) rules setuid() Domain transition Setuid bit File context + implicit domain transition rule
- 16. Labels $ ls -Z /var/spool/anacron/cron.daily -rw-------. root root system_u:object_r:system_cron_spool_t:s0 /var/spool/anacron/cron.daily $ ps uxZ |grep /usr/sbin/atd system_u:system_r:crond_t:s0-s0:c0.c1023 root 4371 0.0 0.0 21448 212 ? Ss 2012 0:00 /usr/sbin/atd
- 17. Policy ● Delivered via RPM packages ● selinux-policy, selinux-policy-targeted ● Reference policy, multiple available ● Modular ● File contexts (*.fc) ● Type enforcement rules (*.te) ● M4 macros, "interfaces" (*.if)
- 18. File Contexts ● Labeling rules delivered with policy packages ● RPM applies labels upon package installation ● Files inherit labels otherwise cron.fc: /etc/cron.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ⋮ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- 19. Type Enforcement rules ● Specified in custom DSL + M4 ● Compiled & loaded into kernel at runtime cron.te: allow system_cronjob_t cron_log_t:file manage_file_perms; ⋮ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
- 20. Domains ● TE rules control domain transition ● Transitioned into upon execution of labeled file ● Remember the setuid bit? ● "unconfined" domains cron.te: init_daemon_domain(system_cronjob_t, anacron_exec_t)
- 21. Management Tools ● getenforce 1; getenforce ● /var/sysconfig/selinux ● UNIX tools with -Z argument ● semanage # semanage fcontext -l |grep /var/spool/anacron /var/spool/anacron(/.*)? all files system_u:object_r:system_cron_spool_t:s0 # chcon -t etc_t /var/spool/anacron # restorecon -v /var/spool/anacron restorecon reset /var/spool/anacron context system_u:object_r:etc_t:s0 ->system_u:object_r:system_cron_spool_t:s0
- 22. What if things don't work? ● audit2why, audit2allow to analyze ● restorecon to fix context