SELinux Policy Concepts and Overview

Security Policy Development Primer for Security Enhanced

(Module 3)

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 1 Access Control Attributes

ƒ SELinux assigns subject and objects a security context:

root:sysadm_r:sysadm_t[:s0:c0.c128]

mls identifier type role identifier identifier user identifier

ƒ Security context is only access control attribute in SELinux ƒ Security Identifier (SID): number represents security context active within the kernel

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 2 Standard Linux vs SELinux

ƒ Subject (Process) Access Control Attributes ƒ Linux: real and effective user and group IDs ƒ SELinux: security context (user:role:type) Î Linux UIDs and SELinux UID are independent

ƒ Objects Access Control Attributes ƒ Linux: (files) access modes (rwx r-x r-x) and user and group IDs ƒ SELinux: security context (user:role:type)

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 3 More on Security Contexts

ƒ Linux and SELinux access controls are orthogonal ƒ each mechanism uses its own access control attributes ƒ two separate access checks; both must pass ƒ A process type is also called a “domain” ƒ though object and subject contexts are identical ƒ Role and user are little used on objects ƒ objects’ role usually “object_r” ƒ Type is most used part of a context (by far) in policies ƒ emphasis on type enforcement in a policy

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 4 What is a Type?

ƒ A type is an unambiguous identifier ƒ created by the policy writer ƒ applied to all subjects and objects and for access decisions ƒ Types group subjects and objects ƒ signifies security equivalence ƒ everything with the same type has the same access ƒ policies have as few or as many types as needed ƒ Type “meaning” created through use ƒ e.g. shadow_t only has meaning because of a policy rules ƒ similar to a programmer giving meaning to variables

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 5 Type Enforcement Access Control

ƒ Access specified between ƒ subject type (e.g., process or domain) ƒ and object type (e.g., file, dir, socket, etc.) ƒ Four elements in defining allowed access ƒ source type(s) aka domain(s) ƒ target type(s) objects to which access allowed ƒ object class(es) classes to which access applies ƒ permission(s) type of access allowed

ƒ SELinux prevents access unless explicitly allowed

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 6 Object Classes and Permissions

ƒ SELinux defines 41 kernel object classes association lnk_file netlink_route_socket security blk_file msg netlink_selinux_socket sem capability msgq netlink_socket shm chr_file netif netlink_tcpdiag_socket sock_file dir netlink_audit_socket netlink_xfrm_socket socket fd netlink_dnrt_socket node system fifo_file netlink_firewall_socket packet_socket tcp_socket file netlink_ip6fw_socket udp_socket filesystem netlink_kobject_uevent_socket process unix_dgram_socket ipc netlink_nflog_socket rawip_socket unix_stream_socket key_socket

ƒ Each with their own fine-grained permissions ƒ For example, file object class has 20 permissions: ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint execmod ƒ Documentation available at www.tresys.com/selinux

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 7 passwd Program Example allow passwd_t shadow_t : file { create ioctl read getattr lock write setattr append link unlink rename };

ƒ Allows processes with passwd_t domain type read, write, and create access to files with shadow_t type ƒ Purpose: passwd program runs with passwd_t type, allowing it to change shadow password file (/etc/shadow)

ƒ Shadow password file attributes: -r------root root system_u:object_r:shadow_t /etc/shadow only root allowed to create new copies of file standard Linux SELinux only allows passwd_t domain (via above allow rule) to modify file

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 8 passwd Program Example

euid: root write, create, … passwd_t (change password)

passwd

r------root root

shadow_t

/etc/shadow

allow passwd_t shadow_t : file { read getattr write setattr append };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 9 Problem of Domain Transitions

euid: root write, create, … passwd_t (change password) login ? passwd

uid:joe write,… euid: joe r------root root user_t shadow_t bash /etc/shadow

allow passwd_t shadow_t : file { read getattr write setattr append };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 10 Standard Linux passwd Security

uid: joe euid: joe

login fork() bash passwd uid: joe execve() euid: joe Anyone can r------root root execute

bash r-s--x--x root root /etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 11 Standard Linux passwd Security

uid: joe euid: joe write, create, … (change password) login fork() passwd

uid: joe execve() euid: joe r------root root

bash r-s--x--x root root /etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 12 Standard Linux passwd Security

uid: joe euid: joe

login fork() bash

uid: joe execve() r------root root euid: joe set uid

bash r-s--x--x root root /etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 13 Standard Linux passwd Security

uid: joe euid: root write, create, … (change password) login fork() passwd

uid: joe execve() r------root root euid: joe set uid

bash r-s--x--x root root /etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 14 SELinux Domain Transitions

uid: joe euid: joe user_t login fork() bash

uid: joe euid: joe r------root root user_t shadow_t bash r-s--x--x root root /etc/shadow passwd_exec_t

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 15 SELinux Domain Transitions

uid: joe euid: joe user_t login fork() bash

uid: joe execve() euid: joe r------root root user_t shadow_t bash r-s--x--x root root /etc/shadow passwd_exec_t

/usr/bin/passwd allow user_t passwd_exec_t : file { getattr execute };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 16 SELinux Domain Transitions

uid: joe euid: root write, create, … passwd_t (change password) login fork() passwd

uid: joe execve() euid: joe r------root root user_t shadow_t bash r-s--x--x root root /etc/shadow allow passwd_t passwd_exec_t : file entrypoint; passwd_exec_t allow user_t passwd_t : process transition; type_transition user_t passwd_exec_t : process passwd_t; /usr/bin/passwd allow user_t passwd_exec_t : file { getattr execute };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 17 Type Transition Statement

ƒ First form: default domain transition ƒ Causes a domain type transition to be attempted on execve()

type_transition user_t passwd_exec_t : process passwd_t;

source file type of object new type domain executable domain(process trans)for for process

user_t 1 execve() passwd_t passwd_exec_t 2

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 18 Type Transition Statement

ƒ type_transition specifies default transition ƒ Does NOT allow it! ƒ Successful domain trans. requires access allowed ƒ original domain execute access to executable file ƒ original domain permission to transition to new domain ƒ new domain permission to be entered via program ƒ others... ƒ Second form: default object types on creation ƒ to be discussed in later modules

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 19 The Role of Roles

ƒ Roles associates domains with users ƒ further constrains process type transitions ƒ process type allowed only if allowed by role definition ƒ even if type enforcement allows it

ƒ Role declaration statement

role user_r types passwd_t;

role for which type allowed

is allowed type

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 20 Roles in Domain Transitions

user_r:passwd_t write, setattr, … (change password)

login fork() passwd

execve() user_r:user_t r------root root

shadow_t bash r-s--x--x root root /etc/shadow passwd_exec_t role user_r types passwd_t; /usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 21 Why Type Enforcement

ƒ Extremely configurable mandatory access control ƒ flexible (not tied to a single security objective) ƒ dynamic (loadable/conditional policy) ƒ possible to be pragmatic within a policy ƒ even necessary due to Linux legacy! ƒ fine-grained access control ƒ object classes and permissions, unlimited types and rules ƒ Useful for a large number of security goals and objectives

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 22 Security Goals TE can Implement

ƒ System integrity, RVM/kernel self-protection ƒ raw devices and resources ƒ kernel configuration and binary files (e.g., modules) ƒ daemon/services configuration and binary files ƒ protection of SELinux policy itself ƒ Application integrity ƒ configuration and binary files ƒ inter-process communication ƒ Least privilege ƒ preventive security engineering design ƒ protection of privileged user environments

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 23 Security Goals TE can Implement

ƒ Controlled execution domains ƒ isolation of untrusted code (e.g., sandboxes) ƒ prevention of malicious code in trusted domains ƒ System Hardening ƒ confinement of error propagation (exploitations) ƒ fine-grained access control ƒ Domain isolation ƒ trusted from untrusted ƒ application from application ƒ Information flow policies ƒ Multilevel security and multiple security levels ƒ Guards and other cross-domain solutions ƒ Perimeter defense

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 24 Challenges with SELinux TE

ƒ Policies are usually complex ƒ Due to complexity of ƒ legacy issues with Linux/ ƒ need for Pragmatism ƒ Flexibility comes with a price! ƒ 41 kernel object classes, hundreds of permissions ƒ thousands of object instances ƒ unlimited domain and object types ƒ Assurance of mechanism evolving ƒ open source model helps ƒ certainly no worse than Linux (or other mainstream OSs) ƒ in fact much better with a good TE policy

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 25 Policy Concept Overview Summary

ƒ Standard Linux and SELinux access control mechanisms are orthogonal ƒ SELinux security context: user:role:type ƒ applied to both objects and subjects ƒ type is the primary means of controlling access ƒ Fine grained access control ƒ 41 kernel object classes, hundreds of permissions ƒ Access must be explicitly allowed in TE policy ƒ all access denied by default

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 26 Policy Concept Overview Summary

ƒ TE allow statement: allow domain_type object_type: classes permission ; ƒ specifies allowed access based on types ƒ TE domain transition: ƒ changing of process type (domain) on execve() ƒ type_transition specifies default transition ƒ Type enforcement flexible ƒ can implement many security properties ƒ Roles further constrain domain transitions

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 27 QUESTIONS?

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 28