
An Architecture for Systematic Administration of SELinux Policies in Distributed Environments

Pedro Chavez Lugo, Juan J. Flores, and Juan Manuel Garcia Garcia

Div. de Est. de Postgrado, F. de Ing. Electrica, Universidad Michoacana, Morelia, Michoacan, Email: [email protected], pedro@lsc.fie.umich.mx
Dep. de Sistemas Computacionales, Instituto Tecnologico de Morelia, Morelia, Michoacan, Email: [email protected]

INTERNATIONAL JOURNAL OF COMPUTERS AND COMMUNICATIONS, Issue 4, Volume 1, 2007, p. 127

Abstract—An operating system designed under the criteria of the class A1 consists of a collection of security-strengthening mechanisms for the kernel. SELinux is an example of this type of operating system; it supports several types of security policies applied to access control. In this paper we address the problem of inconsistency in SELinux policies, which can be present in distributed environments. To solve this problem, we propose an architecture that integrates a policy server for enabling a simple and secure administration. The policy server collects, integrates, and updates all policies that are applied in the distributed environment. We aim to achieve authenticity, integrity and confidentiality in the policy update process through the Kerberos V protocol. A redundant policy server is used to obtain availability of policies.

Index Terms—Access control, distributed administration, SELinux, policies, Kerberos.

I. INTRODUCTION

Nowadays an operating system must integrate all the security mechanisms that enable it to identify users, control access to system resources, and record events (legitimate and intrusive). An operating system should provide functionality for managing hardware, serve as a base for application programs, and act as an intermediary between the end user and hardware, in addition to providing security and protection [1]. The Orange Book [2] classifies systems into D, C, B, and A divisions of enhanced security protection. Division A uses formal security verification methods to assure the mandatory and discretionary security controls; class A1 is a verified design [3]. A class A1 system brings along an increase in complexity in its use and administration. In this paper, we address the problem of inconsistency in SELinux policies, which can be present in distributed environments.

A. Security Mechanisms

To identify users, limit the access to objects, and log the actions performed by subjects, an operating system must contain some of the following non-bypassable mechanisms:

- Authentication.
- Auditing.
- Access Control.

Those mechanisms are described in the following subsections. The first question is how to determine if a computer system is secure. To answer this question some organizations formed hacker teams that try to obtain unauthorized access to system resources. But the best point for the attackers is to know vulnerabilities that are not known by developers and administrators.

1) Authentication Mechanism: The authentication mechanism determines if the user really is who he/she claims to be. Authentication can be based on one or more of the following factors:

- Something you know (a number or password).
- Something you possess (a key or smart card).
- Something you are (biometrics).

A “something you know” factor does limit the number of incorrect online or offline login attempts. Users can reproduce their own features accurately and repeatedly by a biometric factor. The “something you possess” factor is a poor authentication mechanism, and it is necessary to employ the “something you know” or “something you are” factor. A strong authentication mechanism combines two or more factors, but it comes with an increase in cost. Some works about biometry, password managers, and smartcards can be found in [4]–[7].

2) Auditing Mechanism: The designers, builders, and administrators sometimes need to analyze the audit records to solve security problems. A trusted OS needs the ability to record (log) the system’s and the users’ activity. The identity, action, and time are the minimum aspects to log in order to answer questions. It is necessary to log the activities to:

- Perform chronological reconstructions of events.
- Detect unauthorized events (recognition/spoofing).
- Provide problem identification.

It is necessary to limit the space for the audit records in a storage medium. More detailed information about audit records can be found in [8].

3) Access Control Mechanism: An operating system must contain a lot of subjects and objects, and each subject can access some or all objects (see Fig. 1). Access control limits the interaction between subjects and objects. Authorization is part of access control, and its function is to grant or deny the access to an object by a subject action (see Fig. 2). Morrie Gasser [9] cites three tasks for the access control mechanism:

- Authorization determines which subjects are entitled to have access to which objects.
- Determining the access rights (a combination of access modes such as read, write, execute, delete, etc.).
- Enforcing the access rights.

In access control, subjects and objects have security attributes, and access is determined by a policy. A policy is a set of rules that guide the access control engine based on one or more access control models. A constraint is a means to disallow granted permissions. Some operating systems like SELinux use some access control models, and the system administrators need to know the right configuration steps and each model used [10]. In the following sections we define the two different access control types and the most popular access control models.

[Fig. 1. Subjects accessing objects: subjects S_1, ..., S_n accessing objects O_1, ..., O_m]
[Fig. 2. Access control - Authorization: subject S_1 asks to read object O_1; the access control mechanism answers “access granted” or “access denied”]
[Fig. 3. Access matrix: Subjects S = {S_1, ..., S_n}, Objects O = {O_1, ..., O_m}, Access mode R = {r_1, ..., r_k}, A[S_a, O_b | S_c] ⊆ R]
[Fig. 4. Object mode permission bits: r w x for user, r w x for group, r w x for others]

II. ACCESS CONTROL TYPES

An access control type describes the conceptual definition for access control. The Trusted Computer System Evaluation Criteria document [11] cites two different access control types:

- Discretionary Access Control (DAC).
- Mandatory or Non-discretionary Access Control (MAC).

A. Discretionary Access Control

DAC is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. This kind of control is discretionary in the sense that a subject with a certain access permission is capable of passing on that permission (perhaps indirectly) to any other subject (unless restrained by mandatory access control). The rules of Discretionary Access Control allow users to change the security attributes of their objects.

B. Mandatory Access Control

MAC is a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. The rules in MAC disallow users to change the security attributes of their objects. We believe a new MAC definition is necessary, including a policy that specifies that rules are controlled by the organization and not by users.

III. ACCESS CONTROL MODELS

An access control model describes the ideal and concrete definition for access control. A formal model is an important component that provides a base to design and build trusted systems. It is necessary to enforce the chosen model in the kernel and not to use the user space to solve all security problems. The formal model helps to demonstrate how secure a given implementation is. The survey [12] cites some formal models (developed from 1970 to 1980) to prove an O.S. really provides the security it claims.

A. Access Matrix Model

A first matrix access control approach was proposed by B. W. Lampson [13]; his model has four main sets: Subjects (S), Objects (O), the read-write-execute combination represented by access mode (R), and a matrix to represent how and which objects or subjects can be accessed by a subject. Figure 3 shows an access matrix and notations for subjects, objects, and access modes. An object O_b or subject S_c can be accessed in mode r_j by subject S_a if r_j ∈ A[S_a, O_b | S_c].

Nowadays, a variant of the matrix model called Access Control Lists (ACLs) is used in the Unix and Linux OS since the 70’s and 80’s, respectively [14]. In this model every object has three sets of permissions to define access for the owner, owning group, and others. Each set defines read (r), write (w), and execute (x) permissions, which are represented by only nine bits (see Fig. 4).

ACLs have survived because they are a simple model, and provide easy customization, administration, and usage. A disadvantage of ACLs is the coarse access granularity, i.e. user, group, and others. ACLs are a DAC model, where the users/subjects can change the security attributes of their objects. For some subject operations the administrator identity is necessary. This final point can generate a threat, such as a buffer overflow used to gain administrator privileges [15].

[Fig. 5. Data flow in MLS: Subject 1 (Label: Secret); Object 1 (Label: Top secret), Object 2 (Label: Secret), Object 3 (Label: Unclassified); read and write arrows, with some marked “Access denied”]
[Fig. 6. Data flow in Biba Integrity: Subject 1; Object 1 (Label: High_integrity), Object 2 (Label: Medium_integrity), Object 3 (Label: Low_integrity); read and write arrows, with some marked “Access denied”]

B. Multilevel Security

D. Elliott Bell and Leonard J. LaPadula proposed the Multilevel Security (MLS) model [16], based on a military information structure.
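The following Python is an added example and is not code from the paper. It implements the sparse access matrix A[S_a, O_b | S_c] ⊆ R of Sec. III.A and Fig. 3, evaluates the nine permission bits of Fig. 4 as one instance of that matrix (showing the coarse user/group/others granularity), demonstrates the DAC property of Sec. II.A that a subject holding a permission can pass it on, and records every authorization decision of Fig. 2 as an audit record carrying the identity, action and time fields that Sec. I.A.2 names as the minimum. All class and function names, the octal modes and the users and groups are constructed for the example.

```python
"""Access matrix (Fig. 3), nine-bit ACL view (Fig. 4), DAC delegation and
an audit trail.  Added example; names and sample data are constructed."""
import time
from dataclasses import dataclass

READ, WRITE, EXEC = "r", "w", "x"
MODES = frozenset({READ, WRITE, EXEC})  # the access-mode set R of Fig. 3


@dataclass(frozen=True)
class AuditRecord:
    """Identity, action and time (the paper's minimum), plus the decision so
    that Fig. 2's granted/denied answer can be reconstructed chronologically."""
    identity: str
    action: str        # "<mode> <target>"
    timestamp: float
    granted: bool


class AccessMatrix:
    """Lampson's access matrix A[S_a, O_b | S_c] ⊆ R, stored sparsely."""

    def __init__(self) -> None:
        self._entries: dict = {}          # (subject, target) -> set of modes
        self.audit: list = []             # AuditRecord per authorization check

    def set_entry(self, subject: str, target: str, modes) -> None:
        unknown = set(modes) - MODES
        if unknown:
            raise ValueError(f"unknown access modes: {sorted(unknown)}")
        self._entries[(subject, target)] = set(modes)

    def entry(self, subject: str, target: str) -> frozenset:
        return frozenset(self._entries.get((subject, target), set()))

    def can_access(self, subject: str, target: str, mode: str) -> bool:
        """Authorization (Fig. 2): grant or deny, and log the decision."""
        granted = mode in self.entry(subject, target)
        self.audit.append(AuditRecord(subject, f"{mode} {target}", time.time(), granted))
        return granted

    def delegate(self, granter: str, grantee: str, target: str, mode: str) -> bool:
        """DAC (Sec. II.A): a subject holding a permission may pass it on.
        Nothing changes if the granter does not hold the permission itself."""
        if not self.can_access(granter, target, mode):
            return False
        self._entries.setdefault((grantee, target), set()).add(mode)
        return True


def unix_modes(mode_bits: int, owner: str, owning_group: str,
               user: str, user_groups) -> frozenset:
    """Evaluate the nine r/w/x bits of Fig. 4 (e.g. 0o640) for one user.
    Exactly one class applies: owner, else owning group, else others."""
    if user == owner:
        shift = 6
    elif owning_group in user_groups:
        shift = 3
    else:
        shift = 0
    bits = (mode_bits >> shift) & 0o7
    return frozenset(m for m, bit in ((READ, 4), (WRITE, 2), (EXEC, 1)) if bits & bit)


def acl_to_matrix(files: dict, users: dict) -> AccessMatrix:
    """Expand ACL metadata into an access matrix (Fig. 4 as an instance of Fig. 3).
    files: {name: (mode_bits, owner, owning_group)}; users: {user: set of groups}.
    This input shape is constructed for the example, not a filesystem API."""
    matrix = AccessMatrix()
    for fname, (bits, owner, group) in files.items():
        for user, groups in users.items():
            matrix.set_entry(user, fname, unix_modes(bits, owner, group, user, groups))
    return matrix


def demo():
    """Constructed scenario: alice owns 'report' with mode 0o640, group 'staff'."""
    users = {"alice": {"staff"}, "bob": {"staff"}, "carol": {"guests"}}
    files = {"report": (0o640, "alice", "staff")}
    m = acl_to_matrix(files, users)
    bob_reads = m.can_access("bob", "report", READ)      # group bit set
    carol_reads = m.can_access("carol", "report", READ)  # 'others' has no bits
    # Coarse granularity: every 'staff' member gets the same set as bob.
    # DAC: alice, holding read, can hand it to carol without any label check.
    delegated = m.delegate("alice", "carol", "report", READ)
    carol_now = m.can_access("carol", "report", READ)
    return bob_reads, carol_reads, delegated, carol_now, len(m.audit)


if __name__ == "__main__":
    print(demo())  # (True, False, True, True, 4)
```

Each `can_access` call appends one audit record, so the final count of 4 in `demo()` reflects the two explicit checks, the check inside `delegate`, and the re-check after delegation; sorting `m.audit` by `timestamp` gives the chronological reconstruction the auditing subsection asks for.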
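As an added example (not code from the paper), the block below reproduces the label-based data flows of Fig. 5 (MLS) and Fig. 6 (Biba integrity) with a MAC check in which subjects cannot alter labels. The read and write rules are the standard Bell-LaPadula and Biba statements, which this page does not spell out; the level orderings, the function names and the Medium_integrity label assumed for the Biba subject are constructed for the example.

```python
"""Label-based MAC decisions for the data flows of Fig. 5 and Fig. 6.
Added example; rule statements are the standard BLP/Biba ones, not the paper's text."""

# Ordered sensitivity levels (Fig. 5) and integrity levels (Fig. 6); assumed orderings.
SENSITIVITY = {"Unclassified": 0, "Secret": 1, "Top secret": 2}
INTEGRITY = {"Low_integrity": 0, "Medium_integrity": 1, "High_integrity": 2}


def mls_allows(subject_label: str, object_label: str, mode: str) -> bool:
    """Bell-LaPadula: read only at or below the clearance (no read up);
    write only at or above it (no write down)."""
    s, o = SENSITIVITY[subject_label], SENSITIVITY[object_label]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject_label: str, object_label: str, mode: str) -> bool:
    """Biba strict integrity, the dual of BLP: read only from equal or higher
    integrity (no read down); write only to equal or lower integrity (no write up)."""
    s, o = INTEGRITY[subject_label], INTEGRITY[object_label]
    if mode == "read":
        return o >= s
    if mode == "write":
        return o <= s
    raise ValueError(f"unknown mode {mode!r}")


def data_flow(policy, subject_label: str, objects: dict) -> dict:
    """Every arrow of the figure: {(object, mode): granted} for read and write."""
    return {(obj, mode): policy(subject_label, label, mode)
            for obj, label in objects.items()
            for mode in ("read", "write")}


def denied(policy, subject_label: str, objects: dict) -> set:
    """The arrows the figures mark 'Access denied'."""
    return {arrow for arrow, ok in data_flow(policy, subject_label, objects).items() if not ok}


# Objects and labels as drawn in Fig. 5 and Fig. 6.
MLS_OBJECTS = {"Object 1": "Top secret", "Object 2": "Secret", "Object 3": "Unclassified"}
BIBA_OBJECTS = {"Object 1": "High_integrity", "Object 2": "Medium_integrity",
                "Object 3": "Low_integrity"}

if __name__ == "__main__":
    # Fig. 5: a Secret subject may not read Top secret nor write Unclassified.
    for arrow, ok in sorted(data_flow(mls_allows, "Secret", MLS_OBJECTS).items()):
        print("MLS ", arrow, "granted" if ok else "DENIED")
    # Fig. 6 (assumed Medium_integrity subject): no read from Low, no write to High.
    for arrow, ok in sorted(data_flow(biba_allows, "Medium_integrity", BIBA_OBJECTS).items()):
        print("Biba", arrow, "granted" if ok else "DENIED")
```

Because the label tables are module-level data that the check functions only read, a subject has no code path to relabel an object, which is the MAC property the paper contrasts with DAC; in a real kernel the same separation is what keeps the policy under the organization's control rather than the user's.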