Scribd
Upload
16 views28 pages

03 PolicyConcepts

The document discusses security contexts and type enforcement in SELinux. It explains that SELinux assigns security contexts to subjects and objects for access control. A type is an identifier applied to subjects and objects that signifies security equivalence and controls access between them. The document provides an example of an SELinux policy rule that allows the passwd program to modify the shadow password file by allowing the passwd_t type access to files with the shadow_t type.

Uploaded by

amaf.hamid
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
16 views28 pages

03 PolicyConcepts

The document discusses security contexts and type enforcement in SELinux. It explains that SELinux assigns security contexts to subjects and objects for access control. A type is an identifier applied to subjects and objects that signifies security equivalence and controls access between them. The document provides an example of an SELinux policy rule that allows the passwd program to modify the shadow password file by allowing the passwd_t type access to files with the shadow_t type.

Uploaded by

amaf.hamid
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 28

SELinux Policy

Concepts and Overview

Security Policy Development Primer


for Security Enhanced Linux

(Module 3)

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 1


Access Control Attributes
ƒ SELinux assigns subject and objects a
security context:

root:sysadm_r:sysadm_t[:s0:c0.c128]

mls identifier
type identifier
role identifier
user identifier

ƒ Security context is only access control attribute in SELinux


ƒ Security Identifier (SID): number represents security context
active within the kernel

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 2


Standard Linux vs SELinux
ƒ Subject (Process) Access Control Attributes
ƒ Linux: real and effective user and group IDs
ƒ SELinux: security context (user:role:type)
Î Linux UIDs and SELinux UID are independent

ƒ Objects Access Control Attributes


ƒ Linux: (files) access modes (rwx r-x r-x) and user and
group IDs
ƒ SELinux: security context (user:role:type)

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 3


More on Security Contexts
ƒ Linux and SELinux access controls are orthogonal
ƒ each mechanism uses its own access control attributes
ƒ two separate access checks; both must pass
ƒ A process type is also called a “domain”
ƒ though object and subject contexts are identical
ƒ Role and user are little used on objects
ƒ objects’ role usually “object_r”
ƒ Type is most used part of a context (by far) in policies
ƒ emphasis on type enforcement in a policy

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 4


What is a Type?
ƒ A type is an unambiguous identifier
ƒ created by the policy writer
ƒ applied to all subjects and objects and for access decisions
ƒ Types group subjects and objects
ƒ signifies security equivalence
ƒ everything with the same type has the same access
ƒ policies have as few or as many types as needed
ƒ Type “meaning” created through use
ƒ e.g. shadow_t only has meaning because of a policy rules
ƒ similar to a programmer giving meaning to variables

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 5


Type Enforcement Access Control
ƒ Access specified between
ƒ subject type (e.g., process or domain)
ƒ and object type (e.g., file, dir, socket, etc.)
ƒ Four elements in defining allowed access
ƒ source type(s) aka domain(s)
ƒ target type(s) objects to which access allowed
ƒ object class(es) classes to which access applies
ƒ permission(s) type of access allowed

ƒ SELinux prevents access unless explicitly allowed

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 6


Object Classes and Permissions
ƒ SELinux defines 41 kernel object classes
association lnk_file netlink_route_socket security
blk_file msg netlink_selinux_socket sem
capability msgq netlink_socket shm
chr_file netif netlink_tcpdiag_socket sock_file
dir netlink_audit_socket netlink_xfrm_socket socket
fd netlink_dnrt_socket node system
fifo_file netlink_firewall_socket packet_socket tcp_socket
file netlink_ip6fw_socket passwd udp_socket
filesystem netlink_kobject_uevent_socket process unix_dgram_socket
ipc netlink_nflog_socket rawip_socket unix_stream_socket
key_socket

ƒ Each with their own fine-grained permissions


ƒ For example, file object class has 20 permissions:
ioctl read write
create getattr setattr
lock relabelfrom relabelto
append unlink link
rename execute swapon
quotaon mounton execute_no_trans
entrypoint execmod
ƒ Documentation available at www.tresys.com/selinux

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 7


passwd Program Example
allow passwd_t shadow_t : file
{ create ioctl read getattr lock write setattr append link unlink rename };

ƒ Allows processes with passwd_t domain type read, write, and create access to
files with shadow_t type
ƒ Purpose: passwd program runs with passwd_t type, allowing it to change shadow
password file (/etc/shadow)

ƒ Shadow password file attributes:


-r-------- root root system_u:object_r:shadow_t /etc/shadow

standard Linux SELinux


only root allowed to only allows passwd_t
create new copies of file domain (via above allow
rule) to modify file

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 8


passwd Program Example

euid: root write, create, …


passwd_t (change password)

passwd

r-------- root root

shadow_t

/etc/shadow

allow passwd_t shadow_t : file


{ read getattr write setattr append };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 9


Problem of Domain Transitions

euid: root write, create, …


passwd_t (change password)
login
? passwd

uid:joe
write,… r-------- root root
euid: joe
user_t
shadow_t
bash
/etc/shadow

allow passwd_t shadow_t : file


{ read getattr write setattr append };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 10


Standard Linux passwd Security

uid: joe
euid: joe

login fork()
bash passwd

execve()
uid: joe
euid: joe Anyone can r-------- root root
execute

bash r-s--x--x root root


/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 11


Standard Linux passwd Security

uid: joe
euid: joe write, create, …
(change password)
login fork()
passwd

execve()
uid: joe
euid: joe r-------- root root

bash r-s--x--x root root


/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 12


Standard Linux passwd Security

uid: joe
euid: joe

login fork()
bash

execve()
uid: joe
euid: joe r-------- root root
set uid

bash r-s--x--x root root


/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 13


Standard Linux passwd Security

uid: joe
euid: root write, create, …
(change password)
login fork()
passwd

execve()
uid: joe
euid: joe r-------- root root
set uid

bash r-s--x--x root root


/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 14


SELinux Domain Transitions

uid: joe
euid: joe
user_t
login fork()
bash

uid: joe
euid: joe r-------- root root
user_t
shadow_t
bash r-s--x--x root root
/etc/shadow
passwd_exec_t

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 15


SELinux Domain Transitions

uid: joe
euid: joe
user_t
login fork()
bash

execve()
uid: joe
euid: joe r-------- root root
user_t
shadow_t
bash r-s--x--x root root
/etc/shadow
passwd_exec_t

/usr/bin/passwd allow user_t passwd_exec_t : file { getattr execute };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 16


SELinux Domain Transitions

uid: joe
euid: root write, create, …
passwd_t (change password)

login fork()
passwd

execve()
uid: joe
euid: joe r-------- root root
user_t
shadow_t
bash r-s--x--x root root
/etc/shadow
allow passwd_t passwd_exec_t : file entrypoint;
passwd_exec_t allow user_t passwd_t : process transition;
type_transition user_t passwd_exec_t : process passwd_t;
/usr/bin/passwd allow user_t passwd_exec_t : file { getattr execute };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 17


Type Transition Statement
ƒ First form: default domain transition
ƒ Causes a domain type transition to be attempted on
execve()

type_transition user_t passwd_exec_t : process passwd_t;

source file type of object new type


domain executable (process for for process
domain trans)

user_t
1
execve()
passwd_t passwd_exec_t
2

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 18


Type Transition Statement
ƒ type_transition specifies default transition
ƒ Does NOT allow it!
ƒ Successful domain trans. requires access allowed
ƒ original domain execute access to executable file
ƒ original domain permission to transition to new domain
ƒ new domain permission to be entered via program
ƒ others...
ƒ Second form: default object types on creation
ƒ to be discussed in later modules

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 19


The Role of Roles
ƒ Roles associates domains with users
ƒ further constrains process type transitions
ƒ process type allowed only if allowed by role definition
ƒ even if type enforcement allows it

ƒ Role declaration statement

role user_r types passwd_t;


role for which type allowed
is allowed type

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 20


Roles in Domain Transitions

user_r:passwd_t write, setattr, …


(change password)

login fork() passwd

execve()
user_r:user_t r-------- root root

shadow_t
bash r-s--x--x root root
/etc/shadow
passwd_exec_t
role user_r types passwd_t;
/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 21


Why Type Enforcement
ƒ Extremely configurable mandatory access control
ƒ flexible (not tied to a single security objective)
ƒ dynamic (loadable/conditional policy)
ƒ possible to be pragmatic within a policy
ƒ even necessary due to Linux legacy!
ƒ fine-grained access control
ƒ object classes and permissions, unlimited types and rules
ƒ Useful for a large number of security goals and
objectives

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 22


Security Goals TE can Implement
ƒ System integrity, RVM/kernel self-protection
ƒ raw devices and resources
ƒ kernel configuration and binary files (e.g., modules)
ƒ daemon/services configuration and binary files
ƒ protection of SELinux policy itself
ƒ Application integrity
ƒ configuration and binary files
ƒ inter-process communication
ƒ Least privilege
ƒ preventive security engineering design
ƒ protection of privileged user environments

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 23


Security Goals TE can Implement
ƒ Controlled execution domains
ƒ isolation of untrusted code (e.g., sandboxes)
ƒ prevention of malicious code in trusted domains
ƒ System Hardening
ƒ confinement of error propagation (exploitations)
ƒ fine-grained access control
ƒ Domain isolation
ƒ trusted from untrusted
ƒ application from application
ƒ Information flow policies
ƒ Multilevel security and multiple security levels
ƒ Guards and other cross-domain solutions
ƒ Perimeter defense

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 24


Challenges with SELinux TE
ƒ Policies are usually complex
ƒ Due to complexity of Linux kernel
ƒ legacy issues with Linux/Unix
ƒ need for Pragmatism
ƒ Flexibility comes with a price!
ƒ 41 kernel object classes, hundreds of permissions
ƒ thousands of object instances
ƒ unlimited domain and object types
ƒ Assurance of mechanism evolving
ƒ open source model helps
ƒ certainly no worse than Linux (or other mainstream OSs)
ƒ in fact much better with a good TE policy

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 25


Policy Concept Overview Summary

ƒ Standard Linux and SELinux access control


mechanisms are orthogonal
ƒ SELinux security context: user:role:type
ƒ applied to both objects and subjects
ƒ type is the primary means of controlling access
ƒ Fine grained access control
ƒ 41 kernel object classes, hundreds of permissions
ƒ Access must be explicitly allowed in TE policy
ƒ all access denied by default

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 26


Policy Concept Overview Summary

ƒ TE allow statement:
allow domain_type object_type: classes permission ;
ƒ specifies allowed access based on types
ƒ TE domain transition:
ƒ changing of process type (domain) on execve()
ƒ type_transition specifies default transition
ƒ Type enforcement flexible
ƒ can implement many security properties
ƒ Roles further constrain domain transitions

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 27


QUESTIONS?

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 28

You might also like