Jump to content

Security-Enhanced Linux

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 98.249.207.46 (talk) at 15:19, 20 May 2013 (Users, policies and security contexts). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The SELinux administrator in Fedora 8

Security-Enhanced Linux (SELinux) is a Linux feature that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement.[1][2] The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency.

It has been integrated into the mainline Linux kernel since version 2.6, on 8 August 2003.

Overview

The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000.[3] The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Network Associates, Red Hat, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems.

From NSA Security-enhanced Linux Team:[4]

"NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals."

(SELinux has been integrated into version 2.6 series of the Linux kernel, and separate patches are now unnecessary; the above is a historical quotation.)

Security-Enhanced Linux implements the Flux Advanced Security Kernel (FLASK) integrated in some versions of the Linux kernel with a number of utilities designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Such a kernel contains architectural components prototyped in the Fluke operating system. These provide general support for enforcing many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multilevel security. FLASK, in turn, was based on DTOS, a Mach-derived Distributed Trusted Operating System, as well as Trusted Mach, a research project from Trusted Information Systems that had an influence on the design and implementation of DTOS.

A Linux kernel integrating SELinux enforces mandatory access-control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux (discretionary) access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

The security of an "unmodified" Linux system (a system without SELinux) depends on the correctness of the kernel, of all the privileged applications, and of each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a "modified" system (based on an SELinux) kernel depends primarily on the correctness of the kernel and its security-policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

From a purist perspective, SELinux provides a hybrid of concepts and capabilities drawn from mandatory access controls, mandatory integrity controls, role-based access control (RBAC), and type enforcement architecture. Third-party tools enable one to build a variety of security policies.

Users, policies and security contexts

The entire operational philosophy of SELinux revolves around the timeworn notion of authorized actions and permitted actors thereof. Possible transitions that cause data to flow from labeled repository (object) to labeled user process (subject) or vice versa are subject to rules that can be precisely delineated in terms of "roles" and detailed vectors of "privileges." To this extent, SELinux is a rude example of a type enforcement architecture (TEA), a concept that dates back at least to the late 1970s. It also bears strong conceptual ties to the concept of process capabilities and (by extension) capability lists that one finds in such experimental operating systems as Hydra. Indeed, it can even be argued that the capability concept underlies the entire philosophy of device usage tickets and ticket-granting servers in the not-quite-ready-for-prime-time MIT Kerberos authentication infrastructure. (This demurrer is included because, like many MIT-sponsored projects with the potential to deliver brilliant results, the students lost interest when the project was 85% complete, leaving a host—to say the least—of loose ends.

SELinux users do not support a one-to-one mapping to underlying users as defined through /etc/passwd. For every current user or process, SELinux assigns a context triple consisting of a role, user ID, and domain (= type). This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. Circumstance for when the user is allowed to get into a certain domain must be configured in the policies. The command runcon allows for the launching of a process into an explicitly specified context (user, role and domain), but SELinux may deny the transition if it is not approved by the policy configuration.

Files, network ports, and other hardware also have an SELinux context, consisting of a name, role (seldom used), and type. In case of the file systems, mapping between files and the security contexts is called labeling. The labeling is defined in policy files but can also be manually adjusted without changing the policies. Hardware types are quite detailed, for instance, bin_t (all files in the folder /bin) or postgresql_port_t (PostgreSQL port, 5432). The SELinux context for a remote file system can be specified explicitly at mount time. SELinux adds the -Z switch to the shell commands ls, ps, and some others, allowing the security context of the files or process to be seen.

Typical policy rules often consist of explicit permissions; which domains the user must possess to perform certain actions with the given target (read, execute, or, in case of network port, bind or connect), and so on. More complex mappings are also possible, involving roles and security levels. A typical policy consists of a mapping (labeling) file, a rule file, and an interface file, that define the domain transition. These three files must be compiled together with the SELinux tools to produce a single policy file. The resulting policy file can be loaded into the kernel, making it active. Loading and unloading policies does not require a reboot. The policy files are either hand written or can be generated from the more user friendly SELinux management tool. They are normally tested in permissive mode first, where violations are logged but allowed. The audit2allow tool can be used later to produce additional rules that extend the policy to allow all legitimate activities of the application being confined.

Features

  • Clean separation of policy from enforcement
  • Well-defined policy interfaces
  • Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
  • Independent of specific policies and policy languages
  • Independent of specific security label formats and contents
  • Individual labels and controls for kernel objects and services
  • Support for policy changes
  • Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
  • Flexible policy
  • Controls over process initialization and inheritance and program execution
  • Controls over file systems, directories, files, and open file descriptors
  • Controls over sockets, messages, and network interfaces
  • Controls over use of "capabilities"
  • Cached information on access-decisions via the AVC (Access Vector Cache)[5]

Usage

SELinux can potentially control which activities are allowed for each user, process and daemon, with very precise specifications. However, it is mostly used to confine daemons like database engines or web servers that have more clearly defined data access and activity rights. A confined daemon that becomes compromised is thus limited in the harm it can do. Ordinary user processes often run in the unconfined domain, not restricted by SELinux but still restricted by the classic Linux access rights.

Command-line utilities include: chcon,[6] restorecon,[7] restorecond,[8] runcon,[9] secon,[10] fixfiles,[11] setfiles,[12] load policy,[13] booleans,[14] getsebool,[15] setsebool,[16] togglesebool[17] setenforce, load policy, setfiles,[18] selinuxenabled, semodule, postfix-nochroot, check-selinux-installation, semodule package, checkmodule, selinux-config-enforcing,[19] selinuxenabled,[20] selinux-policy-upgrade[21] and security set boolean.[22]

Usage examples

To put SELinux into enforcing mode: 

$ sudo setenforce 1

To query the SELinux status: 

$ getenforce

Implementations

SELinux is available with commercial support as part of Red Hat Enterprise Linux (RHEL) version 4 and all future releases. This presence is also reflected in corresponding versions of CentOS and Scientific Linux. The supported policy in RHEL4 is the targeted policy which aims for maximum ease of use and thus is not as restrictive as it might be. Future versions of RHEL are planned to have more targets in the targeted policy which will mean more restrictive policies.

In free community supported GNU/Linux distributions, Fedora was one of the earliest adopters, including support for it by default since Fedora Core 2. Other distributions include support for it such as Debian as of the etch release[23] and Ubuntu as of 8.04 Hardy Heron.[24] As of version 11.1, openSUSE contains SELinux “basic enablement”.[25] SUSE Linux Enterprise 11 features SELinux as a “technology preview”.[26]

The earliest work directed toward standardizing an approach toward provision of mandatory and discretionary access controls (MAC and DAC) within a UNIX (more precisely, POSIX) computing environment can be attributed to the National Security Agency's Trusted UNIX (TRUSIX) Working Group, which met from 1987 to 1991 and published one Rainbow Book (#020A) and produced a formal model and associated evaluation evidence prototype (#020B) that was ultimately unpublished. It was sponsored by Chet Coates and Mario Tinto of the NSA's National Computer Security Center, and managed by Dr. Charles Testa and Bruce Wilner of Infosystems Technology (Greenbelt, Maryland; later, Falls Church, Virginia), the crucial architects of the TRUSIX project, and members of its Modeling Subcommittee — Steve Bunch, Dr. Frank Knowles, Dr. J. Eric Roskos, Larry Wehr, and Bruce Wilner.[27] Their efforts, particularly as critics of the less technically profound work of the TRUSIX Access Control List (ACL) Subcommittee, survive in the IEEE POSIX 1003.6 "security extensions for portable operating systems environments" specification.[28]

Other systems

SELinux represents one of several possible approaches to the problem of restricting the actions that installed software can take.

The AppArmor system generally takes a similar approach to SELinux. One important difference is that AppArmor identifies file system objects by path name instead of inode. This means that, for example, a file that is inaccessible may become accessible under AppArmor when a hard link is created to it, while SELinux would deny access through the newly created hard link. SELinux and AppArmor also differ significantly in how they are administered and how they integrate into the system.[citation needed]

Isolation of processes can also be accomplished by mechanisms like virtualization; the OLPC project, for example, in its first implementation[29] sandboxed individual applications in lightweight Vservers.

The NSA have adopted some of the SE Linux concepts in Security Enhanced Android.[30]

See also

References

  1. ^ "SELinux Frequently Asked Questions (FAQ) - NSA/CSS". National Security Agency. Retrieved 2013-02-06.
  2. ^ http://www.nsa.gov/research/_files/selinux/papers/slinux.pdf
  3. ^ Compare "National Security Agency Shares Security Enhancements to LINUX". NSA Press Release. Fort George G. Meade, Maryland: National Security Agency Central Security Service. 2001-01-02. Retrieved 2011-11-17. The NSA is pleased to announce that it has developed, and is making available to the public, a prototype version of a security-enhanced Linux system.
  4. ^ "Security-Enhanced Linux - NSA/CSS". National Security Agency. 2009-01-15. Retrieved 2013-02-06.
  5. ^ Fedora Documentation Project (2010). Fedora 13 Security-Enhanced Linux User Guide. Fultus Corporation. p. 96. ISBN 978-1-59682-215-3. Retrieved 2012-02-22. SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Caching decisions decreases how often SELinux rules need to checked, which increases performance.
  6. ^ "chcon". Linuxcommand.org. Retrieved 2013-02-06.
  7. ^ "restorecon(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  8. ^ "restorecond(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  9. ^ "runcon(1) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  10. ^ "secon(1) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  11. ^ "fixfiles(8): fix file SELinux security contexts - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  12. ^ "setfiles(8): set file SELinux security contexts - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  13. ^ "load_policy(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  14. ^ "booleans(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  15. ^ "getsebool(8): SELinux boolean value - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  16. ^ "setsebool(8): set SELinux boolean value - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  17. ^ "togglesebool(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  18. ^ "setfiles(8): set file SELinux security contexts - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  19. ^ "Ubuntu Manpage: selinux-config-enforcing - change /etc/selinux/config to set enforcing". Canonical Ltd. Retrieved 2013-02-06.
  20. ^ "Ubuntu Manpage: selinuxenabled - tool to be used within shell scripts to determine if". Canonical Ltd. Retrieved 2013-02-06.
  21. ^ "Ubuntu Manpage: selinux-policy-upgrade - upgrade the modules in the SE Linux policy". Canonical Ltd. Retrieved 2013-02-06.
  22. ^ "security_set_boolean(3) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  23. ^ SELinux in Debian
  24. ^ SELinux support for Ubuntu
  25. ^ SELinux in SUSE
  26. ^ "Release Notes for SUSE Linux Enterprise Desktop 11". Novell. Retrieved 2013-02-06.
  27. ^ Testa and Wilner, under NSA auspices, also briefly chaired the joint DoD/DOE Labeling Working Group, which counted among its membership such early TCSEC contributors as David Bell, former chief scientist of the DoD Computer Security Center Marvin Schaefer, and Willis Ware, as well as building Trusted RUBIX, the only relational database management system to offer B2 functionality and assurance atop a B2 POSIX platform, partially under the auspices of the United States Air Force Rome Laboratory.
  28. ^ National Computer Security Center, Formal Security Policy Model for the UNIX System, Technical Guidelines Series #NCSC-TG-010-B, unpublished draft, April 1991.
  29. ^ OLPC/Sugar Rainbow
  30. ^ "SE Android".
Retrieved from "https://en.wikipedia.org/w/index.php?title=Security-Enhanced_Linux&oldid=555957480"