
Masaryk University
Faculty of Informatics

Multilevel Classification in SELinux

Master's thesis

Bogdan Iakym

Brno, autumn 2012

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Bogdan Iakym

Advisor: Ing. Mgr. Zdeněk Říha, Ph.D.

Acknowledgement

First of all, I would like to thank my advisor, Ing. Mgr. Zdeněk Říha, Ph.D., for his guidance and helpful advice. Many thanks go also to the other colleagues from the Laboratory of Security and Applied Cryptography. Last but not least, I am grateful to my family and friends for their love and support. Thank you all.

Abstract

Multilevel Security (MLS) systems classify data based on their confidentiality or integrity. One possible implementation of an MLS system is SELinux, which enforces the Bell-LaPadula model (BLP). The goal of this work is to study and analyze the basic components of the MLS policy in SELinux. This study includes practical experiments related to the file system, inter-process communication, polyinstantiation, and the application and database support of MLS. The goal of the practical part is to design, implement and test a configuration of the MLS policy applicable to the Apache web server. Finally, this work analyzes the benefits that MLS can bring to the security of web services and the areas in which such systems could be deployed.

Keywords

SELinux, MLS, security policy, configuration, Bell-LaPadula model, integrity, confidentiality, security level, access control.
Contents

1 Introduction ..... 3
1.1 Problematic Area ..... 3
1.2 Thesis Outline ..... 4
2 SELinux Overview ..... 5
2.1 Introduction ..... 5
2.2 Objects and Subjects ..... 7
2.3 Type Enforcement Mechanism ..... 8
2.3.1 Security Context ..... 8
2.3.2 Types and Attributes ..... 8
2.3.3 Access Vector Rules ..... 9
2.3.4 Domain Transition ..... 10
2.3.5 Constraints ..... 11
2.4 Role Based Access Control ..... 11
2.4.1 Role Statements ..... 12
2.4.2 Users and Roles ..... 13
2.4.3 Mapping between Linux and SELinux Users ..... 13
2.5 Audit Logs ..... 14
2.6 Booleans ..... 15
2.7 Object Labeling ..... 16
2.8 SELinux Policies ..... 17
2.9 Policy Modules ..... 18
2.10 The Reference Policy ..... 20
2.11 Summary ..... 21
3 SELinux Tools for MLS ..... 23
3.1 Introduction ..... 23
3.2 Security Levels ..... 23
3.2.1 Sensitivities ..... 24
3.2.2 Categories ..... 25
3.2.3 Implementation in the Reference Policy ..... 26
3.2.4 Security Level Translation ..... 27
3.3 mlsconstrain Statements ..... 27
3.4 mlsvalidatetrans Statements ..... 29
3.5 Privilege Management ..... 30
3.6 Semantics of MLS Policy ..... 31
3.7 MLS support ..... 34
3.7.1 File System ..... 35
3.7.2 Inter-Process Communication ..... 36
3.7.3 Application Support Analysis ..... 38
3.7.4 Polyinstantiation ..... 40
3.7.5 SE-PostgreSQL ..... 43
3.7.6 Apache SELinux Plus ..... 44
3.8 Summary ..... 46
4 Apache Configuration with MLS Policy ..... 47
4.1 Introduction ..... 47
4.2 Design of the Configuration ..... 47
4.3 Deployment of the MLS system ..... 49
4.3.1 Development Environment ..... 49
4.3.2 Authentication ..... 50
4.3.3 Typebounds Approach ..... 52
4.3.4 Writing Policy Module ..... 53
4.4 Testing ..... 60
4.4.1 Functionality Tests ..... 60
4.4.2 Performance Analysis ..... 62
4.5 Summary ..... 67
5 Conclusion ..... 69
A The CD contents ..... 76

1 Introduction

1.1 Problematic Area

We live in the information age, when a huge amount of data is stored in computer systems. At the same time, we also know how many attacks aimed at compromising, manipulating and disrupting these data are currently possible. It is nothing new to claim how important it is to be aware of the security mechanisms that protect such valuable information resources. The fundamental security goals of any system are the confidentiality, integrity and availability of information.

Confidentiality relates to preventing unauthorized access to information that should be disclosed only to authorized entities. Therefore, part of confidentiality protection is also authentication, which checks whether an entity is who it claims to be. Confidentiality often refers to protection against malicious software, spam, phishing and various means of social engineering, where an attacker attempts to obtain confidential information such as user account passwords, credit card numbers or other types of personal information.

The purpose of integrity protection is to ensure that data has not been changed inappropriately. Violations of integrity include accidental or deliberate attempts by unauthorized entities to modify, insert or destroy data.

Systems that are secure in terms of confidentiality or integrity should also remain available. In other words, information resources should be available whenever authorized users request them. Otherwise, the implemented security mechanisms would be meaningless.
The practical implementation of secure computer systems results in a variety of access controls. Nowadays, operating systems focus more and more on improving the security means whose goal is to provide customers with a truly high-quality product. One of them is the Linux operating system, which primarily comes with Discretionary Access Control (DAC). It is the dominant form of access control that we have today. In short, DAC is based on the concept that individual users can specify who may or may not access a resource. These restrictions define permissions for a particular user, a group and all others. However, all DAC mechanisms have a fundamental weakness in that they are not able to recognize the critical difference between human users and computer programs [1]. In other words, a program has the same access capabilities as the user who runs it; hence malicious programs, such as Trojan horses, inherit the privileges of the user who runs them, up to superuser privileges. The mechanism of Mandatory Access Control (MAC) was designed to solve this issue. The key difference between these approaches is that access control decisions in MAC are not delegated to individual users but to a security policy that defines a strict set of permissions for each component of a system. One of the most common MAC mechanisms is multilevel security.

The term "Multilevel Security" (MLS) comes from the military community. Military documents are often labeled according to their sensitivity levels, ranging from unclassified (anyone can see this) to confidential, secret, top secret, etc. In the 1970s, similar concepts started to be considered for implementation in computer systems. The primary goal was to provide data with powerful integrity and confidentiality protection mechanisms. As a result, such famous MLS models as high-water mark, Bell-LaPadula, Biba and others appeared.
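The label hierarchy and the Bell-LaPadula model named above can be made concrete with the level syntax SELinux uses for MLS. The following Python is an added worked example, not code from the thesis or from the SELinux project: it parses SELinux-style levels such as s2:c0.c3,c7 into a sensitivity and a category set, implements the dominance relation, and applies the two Bell-LaPadula rules (no read up, no write down) to a subject clearance and an object classification. The level strings in the demo are constructed for illustration, and the naming s0..s15 / c0..c1023 is assumed to follow the stock Reference Policy; only the numeric order matters to the checks.

```python
"""Bell-LaPadula decisions over SELinux-style MLS levels.

Added worked example; not code from the thesis or from SELinux itself.
An SELinux MLS level is written as a sensitivity plus an optional set of
categories, e.g. "s2:c0.c3,c7" (categories c0, c1, c2, c3 and c7).  The
names s0..s15 and c0..c1023 are assumed here to follow the stock
Reference Policy; only their numeric order matters to the checks below.
"""
import re
from dataclasses import dataclass

_SENS = re.compile(r"^s(\d+)$")
_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")   # single "cK" or range "cK.cM"


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    @classmethod
    def parse(cls, text):
        """Parse 's<N>' or 's<N>:<cats>'; cats is a comma list of 'cK' and
        inclusive ranges 'cK.cM', the form SELinux prints in a context."""
        sens_part, _, cat_part = text.partition(":")
        m = _SENS.match(sens_part)
        if not m:
            raise ValueError("bad sensitivity: %r" % sens_part)
        cats = set()
        if cat_part:
            for item in cat_part.split(","):
                cm = _CAT.match(item)
                if not cm:
                    raise ValueError("bad category: %r" % item)
                lo = int(cm.group(1))
                hi = int(cm.group(2)) if cm.group(2) else lo
                if hi < lo:
                    raise ValueError("inverted range: %r" % item)
                cats.update(range(lo, hi + 1))
        return cls(int(m.group(1)), frozenset(cats))

    def dominates(self, other):
        """self dom other: sensitivity at least as high AND a superset of
        the categories.  This is a partial order: two levels whose category
        sets neither contains the other are incomparable."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def relation(a, b):
    """Classify two level strings as 'eq', 'dom', 'domby' or 'incomp',
    the four outcomes the SELinux mlsconstrain operators distinguish."""
    la, lb = Level.parse(a), Level.parse(b)
    a_dom, b_dom = la.dominates(lb), lb.dominates(la)
    if a_dom and b_dom:
        return "eq"
    if a_dom:
        return "dom"
    if b_dom:
        return "domby"
    return "incomp"


def blp_allows(subject, obj, op):
    """Textbook Bell-LaPadula decision for a subject clearance against an
    object classification:
      read  -> simple security property ('no read up'):  subject dom object
      write -> *-property ('no write down'):             object dom subject
    An incomparable pair is denied both ways, which is what turns category
    sets into compartments."""
    rel = relation(subject, obj)
    if op == "read":
        return rel in ("eq", "dom")
    if op == "write":
        return rel in ("eq", "domby")
    raise ValueError("unknown operation: %r" % op)


if __name__ == "__main__":
    # Constructed illustration: a clearance at s2 with four categories
    # against an s1 object in two of them, then against an s2 object in a
    # compartment the subject does not hold (incomparable, denied both ways).
    for subj, obj in [("s2:c0.c3", "s1:c1,c2"), ("s2:c0.c3", "s2:c7")]:
        print(subj, obj, relation(subj, obj),
              "read" if blp_allows(subj, obj, "read") else "-",
              "write" if blp_allows(subj, obj, "write") else "-")
```

This is textbook BLP. The checks SELinux actually enforces are expressed as mlsconstrain statements (Section 3.3 of this thesis), which can tighten or relax these rules per object class and permission, so the function above should be read as the model, not as a description of the shipped policy.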
In any MLS model, access control verifies whether a particular subject has the required clearance to access an object with a given classification.

For a long time, deployment of MLS in computer systems was considered a complex, nontrivial task. After the implementation of Mandatory Access Control (MAC) in the Linux operating system, the idea of using multilevel security systems seems not just attractive but really feasible. The Security-Enhanced Linux (SELinux) project is an example of such an implementation and has been integrated into the Linux kernel since version 2.6. It provides access control based on the flexible configuration of different types of security policies. As a result, since kernel 2.6.12 SELinux supports an MLS policy. It is probably the most accessible and open MLS system that we have today. In terms of confidentiality and integrity protection, this mechanism is a powerful tool, and all its details will be analyzed throughout this work.

1.2 Thesis Outline

The thesis is divided into five chapters. Chapter 1 is this introduction. The main SELinux concepts and components are presented in Chapter 2. MLS policy details are described in Chapter 3. In Chapter 4 the design, implementation and testing of the target configuration are presented. Chapter 5 concludes the thesis.

2 SELinux Overview

2.1 Introduction

The MLS policy was implemented as a new type of SELinux policy alongside other MAC mechanisms such as Type Enforcement (TE). However, without understanding the basic SELinux concepts it will be difficult to apply and use MLS tools effectively. So this introduction presents brief historical notes on the evolution of SELinux and the purpose of its emergence.

If we look at the history of SELinux, we will find that the first projects related to this research started in the 1980s. At this time, high-assurance operating system security and microkernel research merged in the Distributed Trusted Mach (DTMach) project [1]. Later, the U.S.
National Security Agency's research organization took part in this research and developed a number of subsequent microkernel projects. The result of this work was completely