SELinux
Protection or a problem
Marcel Nijenhof <marceln@pion.xs4all.nl>
(c) http://creativecommons.org/licenses/bysa/3.0/nl/
Marcel Nijenhof
● Studied computational physics
● Work as a system maintainer
● Chairman of the nllgg
– Dutch Linux user group
● Developer for nslu2linux (10 optware packages)
Program
● Introduction
● Configuration
● Utilities
● Examples
– Booleans and CGI
– Changing the document root for Apache
– A module for a CGI script
Introduction
● Questions are allowed!
● Linux Kongress 2006
● What we use:
– F7 (Fedora 7)
– FC4/RHEL 4 are based on an older version
● Alternatives
– AppArmor
– RSBAC?
What is SELinux
● A security infrastructure for Linux
– Designed by the NSA (first for their own OS, Flask)
– Mandatory access control
– SELinux is an add-on to the existing POSIX security model
Mandatory Access Control
● Based on a described policy
● Models:
– Type enforcement
– Role Based Access Control
– Multi-Level Security
● Discretionary Access Control
– Standard POSIX model
– Users decide the security policy
Security context
● Identity: Who are you (!= Linux login)
● Domain: Processes with the same access rules
● Type: Files with the same access rules
● Role: To which domains do you have access
● Transitions: Starting a process
● Files get a context on creation
Enforcing & permissive & disabled
● Mode of SELinux
– Configured in “/etc/selinux/config”
– Information: “getenforce”
– Changing: “setenforce”
● Enforcing: violations are denied
● Permissive: violations are logged and allowed
● Disabled: SELinux isn't started/used
Strict & targeted
● Two default security models
– Strict
● Every program has its own rules
● Nothing is allowed unless there is an accept rule
– Targeted
● Certain daemons/programs have a policy
● Standard users are “unconfined”
● Only Targeted is supported.
– Some things don't work in strict mode
Booleans
● Booleans are switches in a policy
– Information about booleans: “getsebool [-a]”
– Change booleans: “setsebool”
● A boolean changes the policy to allow certain behaviour
– E.g. CGI scripts for Apache
File labels/domains?
● File labels:
– ls -lZ
– chcon
– semanage
– restorecon
● Domain of a process
– ps -efZ
Modules
● SELinux uses modules per application
– A module contains the application specific rules
● Module tools
– semodule
– checkmodule
– semodule_package
– audit2allow
Logging
● Through syslog (/var/log/messages)
– Apr 6 21:56:44 dhcp250 kernel: audit(1175889403.993:382): avc: denied { search } for pid=1640 comm="ps" name="1515" dev=proc ino=5230 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
● Through dmesg (comparable with syslog)
● The best option is the audit daemon
– type=AVC msg=audit(1175889589.180:393): avc: denied { getattr } for pid=1687 comm="ps" name="2" dev=proc ino=951 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
Example 1: pages in /usr/src
● Example
– Change httpd.conf
– Make an “index.html” in /usr/src
– Access that page in enforcing and permissive mode
● Solution
– semanage fcontext -a -t httpd_sys_content_t /usr/src
– semanage fcontext -a -t httpd_sys_content_t /usr/src/index.html
– restorecon -Fvr /usr/src
– # "/usr/src(/.*)?" already exists!!
Example 2: CGI scripts
● CGI scripts are allowed by default
– setsebool httpd_enable_cgi=off
– For a persistent change use “-P”
– Try it with SELinux in enforcing and in permissive mode
Example 3: Using ps in a CGI script
● CGI scripts are restricted in the files they are allowed to read
– They aren't allowed to read everything under “/proc”
– ps shows only its own process
● Solution
– Run in permissive mode
– Run audit2allow to create the module
– Load the module
Details audit2allow
● setenforce 0
● tail -0f /var/log/audit/audit.log >/tmp/1
● links -dump http://localhost/cgi-bin/cgips
● setenforce 1
● audit2allow -M cgips -i /tmp/1
● semodule -i cgips.pp
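Before loading a module built this way, it pays to read what the captured denials will turn into. The following added example (not from the slides) collapses AVC records like the ones on the Logging slide into the merged allow rules audit2allow would propose, using only sh and awk; the third input record is constructed to show the merging.

```shell
#!/bin/sh
# Added example (not from the slides): collapse AVC denial records into the
# "allow" rules audit2allow would propose, so you can review what a module
# is about to grant before loading it with semodule. Only sh + awk; offline.

# Constructed input: the two denials quoted on the Logging slide plus one
# extra constructed record for the same source/target/class with another permission.
AVC_SAMPLE='Apr 6 21:56:44 dhcp250 kernel: audit(1175889403.993:382): avc: denied { search } for pid=1640 comm="ps" name="1515" dev=proc ino=5230 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
type=AVC msg=audit(1175889589.180:393): avc: denied { getattr } for pid=1687 comm="ps" name="2" dev=proc ino=951 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
type=AVC msg=audit(1175889589.181:394): avc: denied { read } for pid=1687 comm="ps" name="2" dev=proc ino=951 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir'

# avc_to_allow: AVC records on stdin -> one merged allow rule per
# (source type, target type, class) on stdout. The type is the third
# ':'-separated field of a context (user:role:type:level).
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # the permissions sit between "denied {" and "}"
        if (match($0, /denied +[{][^}]*[}]/)) {
            perms = substr($0, RSTART, RLENGTH)
            sub(/denied +[{] */, "", perms); sub(/ *[}]$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed record: skip
        key = src SUBSEP tgt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END {
        for (k in rule) {
            split(k, f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rule[k]
        }
    }'
}

# avc_rules: run the converter over the sample so the result can be checked.
avc_rules() { printf '%s\n' "$AVC_SAMPLE" | avc_to_allow; }

avc_rules
```

Pipe the real /tmp/1 from the procedure above through avc_to_allow to see every rule the module would grant to httpd_sys_script_t, which is the point raised on the next slide.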
Remark about this solution
● Problems
– All CGI scripts are allowed to run ps
– A process with a new domain needs a new rule
● Solution
– Create a domain for this script
● Script uses a domain transition
● Only this script has the permissions
– Let all processes run during the test
The cgips_t solution
● Use the selinux-policy-devel package!
● cd /usr/share/selinux/devel
  for f in example.*
  do
      sed 's/myapp/cgips/g' ${f} > cgips${f#example}
  done
● vi cgips.*
vi> cgips.fc: /var/www/cgi-bin/ps
vi> (te, if) remove log and tmp
vi> (te) add “type_transition httpd_t cgips_exec_t:process cgips_t;” and the type for httpd_t
● make cgips.pp
● semodule -i cgips.pp
● After that, create the rest of the rules with audit2allow
Result of the cgips_t solution
● There are more than 120 lines!
– policy_module(cgips,1.0.5)
  ....
  type cgips_t;
  type cgips_exec_t;
  domain_type(cgips_t)
  domain_entry_file(cgips_t, cgips_exec_t)
  domain_auto_trans(httpd_t,cgips_exec_t,cgips_t)
  allow httpd_t cgips_exec_t:file { execute getattr ioctl read };
  ....
– cgips.fc: /var/www/cgi-bin/cgips gen_context(system_u:object_r:cgips_exec_t,s0)
Conclusions
● SELinux has some complexity
– Hard to understand why things are allowed or not
● The targeted mode is acceptable
– Normal things work and vulnerable network services are protected
● The modular structure makes it possible to make small changes
● I don't turn it off by default any more
Questions?
Links
● http://www.lurkinggrue.org/gettingstarted_newselinuxHOWTO.html
● http://www.lurkinggrue.org/writingselinuxpolicyHOWTO.html
● http://fedoraproject.org/wiki/SELinux/
● This talk:
http://pion.xs4all.nl/lezingen/SElinuxeng.pdf