With Selinux NO ACCESS!
Total Page:16
File Type:pdf, Size:1020Kb
CovEr Story SE Linux Mandatory Access Control (MAC) with SELinux NO ACCESS! SELinux provides a safer system through the powerful concept of mandatory access controls. BY THORSTEN SCHERF inux is an extremely safe operat- platform that supports SELinux. The im- (DACs). This means that the owner of a ing system, but legacy access portant thing is that the required kernel file has absolute control over the object Lprivileges provide no protection support (CONFIG_SECURITY_SELINUX) they have created. If a user inadvertently against misconfiguration or badly pro- and the libselinux, policycoreutils, and grants global write access to the file, a grammed software. If a program runs selinux-policy-targeted packages are separate process that validates this step haywire because the administrator has installed. SELinux also requires a few does not exist. forgotten to install the latest patch, or if standard packages (SysV-Init, pam, Or, if an attacker manages to execute a user escalates privileges due to an in- util-linux, coreutils, and others). arbitrary program code on the web correct setting, the native safety of the The legacy Linux security system is server by exploiting a vulnerability in system is no protection. SELinux miti- based on Discretionary Access Controls the web server software, the program gates the potential danger by code – a shell for example – adding an extra level of access will run with the privileges control called the Mandatory J<C`eloB\ie\c of a user account the server Access Control (MAC) level. GifZ\jjGX J: J: =`c\=X is running on. If that account About seven years ago, the is the apache user, the at- National Security Agency (NSA) GifZ\jjGY J: J: =`c\=Y tacker has access to all files J\Zli`kp [1] launched the first version of Gfc`Zp that the apache user account SELinux. Intended as an exten- Lj\iLX J: J: ;\m`Z\;X can access. sion for kernel 2.4 at the time, In most cases, no process the kernel patches have since Lj\iLY J: J: Lj\iLY checks whether the web found their way into the official J\Zli`kp server really needs to access 2.6 kernel. For many distribu- <e]fiZ\d\ek the files that it is accessing to tions, SELinux is part of the Df[lc\ be able to do its chores. An standard configuration. The ex- attacker who gains access to amples introduced in this arti- >iXekjfi the system then may be able cle are based on the Red Hat I\hl\jkjXZZ\jj [\e`\jXZZ\jj to escalate their privileges community distribution Fedora on the machine. Just re- Core 8, although they are Figure 1: The kernel-based security server decides on the level of cently, many Linux systems generically valid on any other access. were compromised because 36 ISSUE 91 JUNE 2008 SE Linux CovEr Story of a bug in the kernel that allowed at- tackers to exploit the vmsplice() system call. As a consequence, attackers gained complete control over the whole system. On systems with SELinux, every file, or every object, is given a separate secu- rity label by MAC for an extra level of control. In the case of file objects, Linux stores this label in the extended attri- butes. At the same time, each process, or each subject, is also given the corre- sponding label. This label, which is known as the security context, typically comprises three components: User:Role:Type/ Domain. Two examples Figure 2: The sedaudit tool displays all the log entries for SELinux in a sorted list. of this for the Apache server process file /usr/bin/httpd file are as follows: access is not explicitly permitted, it is Demo initially logged and finally prohibited – As a short demonstration of the way # ls -lZ /usr/sbin/http at least in enforcing mode. type enforcement works, consider the -rwxr-xr-x root U The kernel’s security server makes following: The administrator creates a root system_u:object_r:U sure that no infringement against the file called index.html in the /tmp folder. httpd_exec_t /usr/sbin/httpd policy occurs. The security server is an After doing so, the administrator moves entity that references the policy, and the (doesn’t copy) the file into the web serv- and: security label defines whether access is er’s document root, which, on Fedora, is permitted. To avoid performance over- /var/www/html/. Finally, the administra- # ps -AZ|grep httpd heads, the kernel-based server uses the tor launches the web server (/etc/init.d/ user_u:system_r:httpd_t 2571 ? U Access Vector Cache (AVC). httpd start) and accesses the page just 00:00:01 httpd SELinux Functions Just like security labels, the Posix ACLs SELinux distinguishes three different im- users can give the newrole command extend attributes of a file. In this exam- plementations: (which is similar to su) to change roles, ple, they look like this: • Type Enforcement (TE) assuming the policy allows this. A typi- • Role-Based Access Control (RBAC) cal role name is user_r (roles always end U with _r). # getfattr -d -m • Multi-Level Security (MLS) security /usr/sbin/httpd TE specifies which subject is permitted Russell Coker offers a couple of SELinux ... to access which objects – for example, play machines on the network [2] to security.selinux=U which process is allowed to access allow people to experiment; these ma- "system_u:object_r:httpd_U which files. However, a wide variety of chines demonstrate RBAC functionality. exec_t\000" different objects exists, including net- Coker has published the root account for work ports or memory areas. SELinux these machines, allowing anybody who assigns a domain to each subject and is interested to log in as the administra- SE Policy a type to each object. To explain this tor. Testers will soon find out that the command set available to them is ex- The policy is another important compo- generically, type enforcement controls which domain is allowed to access tremely restricted, in that the root user is nent. An SE policy defines access be- which types. Both types and domains not the administrative user on these play tween individual objects and subjects. are identified in a similar way; they machines. The policy specifies which objects the always end with _t (e.g., httpd_t). Finally, MLS defines different security process (such as an httpd process with RBAC uses an abstract user model and levels and is primarily used in high-secu- a specific role) is allowed to access. If assigns each user exactly one role. Users rity environments, such as military appli- then inherit the privileges assigned to cations. Objects are assigned to security File System Security Label the role. It is thus possible to assign a levels (confidential, strictly confidential, secret, and so on), and subjects are Although SELinux will work on file role to the root user that does not pos- given permissions for these different lev- systems that do not support extended sess any administrative privileges. To els of confidentiality. Wherever MLS is attributes, such as NFS or ISO9660, change to another role with extended deployed, the security label is extended administrators have to resort to various privileges, the user would first need to by adding a fourth and fifth component workarounds to get this to happen. The authenticate with a password. This is an until it looks like this: mount command has an option to interesting feature if you want to set up handle this: context=<security-label>. the machine without the omnipotent This lets you specify a security label for root user. The user can only assume a User:Role:Type/ the complete filesystem. single role at any given time; however, Domain:Sensitivity:Category JUNE 2008 ISSUE 91 37 CovEr Story SE Linux created in a web browser (http://local- host/index.html). If SELinux enforcing mode is enabled (default), the web browser displays an error message be- cause index.html was created in /tmp and inherited its security label: # ls -lZ /tmp/index.html -rw-r--r-- root root U root:object_r:tmp_t U /tmp/index.html In contrast, the web server process runs in the domain titled httpd_t: # ps -AZ|grep httpd user_u:system_r:httpd_tU 2571 ?U 00:00:02 httpd Figure 3: seaudit-report can generate statistics in HTML. The policy needs a rule that gives the {getattr } for pid=6608 U files (Figure 2); the tool displays individ- httpd_t domain access to tmp_t type comm="httpd" name=U ual log entries graphically. files, but it does not exist. The web "index.html" dev=dm-0 ino=179881 By calling seaudit-report --html logfile, server needs to access its own configura- scontext=user_u:system_r:U you can even generate an HTML page tion files, CGI scripts, and other content httpd_t tcontext=U that displays both the logs and various in its directory. Specific types exist for root:object_r:tmp_t tclass=file statistics on the SELinux system (see all of these files; for example, httpd_ Figure 3). config_t, httpd_log_t, httpd_sys_script_ This log entry reveals that the process exec_t, and httpd_sys_content_t. with PID 6608 and name httpd has just Spotting trouble Files in the /tmp folder are not typi- attempted to issue the getattr system call If setroubleshootd is running, the follow- cally the kinds of objects the web server (i.e., it attempted to call the attributes) ing additional entry is displayed in the accesses; thus, no allow instruction is in for a file with inode number 179881 and logfile /var/log/messages: the policy file for the tmp_t type. name index.html. scontext and tcontext If you check the /var/log/audit/audit. refer to the security label for the source setroubleshoot: #012 U log file, you will find a message to the process (apache) and the target file SELinux is U effect that an unauthorized attempt to (index.html).