© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 1SELinux Policy Concepts and OverviewSecurity Policy Development Primer for Security Enhanced Linux (Module 3)© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 2 SELinux assigns subject and objects a security context:Access Control Attributesroot:sysadm_r:sysadm_t[:s0:c0.c128]type identifierrole identifieruser identifier Security context is only access control attribute in SELinux Security Identifier (SID): number represents security context active within the kernelmls identifier© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 3Standard Linux vs SELinux Subject (Process) Access Control Attributes Linux: real and effective user and group IDs SELinux: security context (user:role:type)Î Linux UIDs and SELinux UID are independent Objects Access Control Attributes Linux: (files) access modes (rwx r-x r-x) and user and group IDs SELinux: security context (user:role:type)© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 4More on Security Contexts Linux and SELinux access controls are orthogonal each mechanism uses its own access control attributes two separate access checks; both must pass A process type is also called a “domain” though object and subject contexts are identical Role and user are little used on objects objects’ role usually “object_r” Type is most used part of a context (by far) in policies emphasis on type enforcement in a policy© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 5What is a Type? A type is an unambiguous identifier created by the policy writer applied to all subjects and objects and for access decisions Types group subjects and objects signifies security equivalence everything with the same type has the same access policies have as few or as many types as needed Type “meaning” created through use e.g. shadow_t only has meaning because of a policy rules similar to a programmer giving meaning to variables© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 6Type Enforcement Access Control Access specified between subject type (e.g., process or domain) and object type (e.g., file, dir, socket, etc.) Four elements in defining allowed access source type(s)aka domain(s) target type(s) objects to which access allowed object class(es)classes to which access applies permission(s)type of access allowed SELinux prevents access unless explicitly allowed© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 7 SELinux defines 41 kernel object classes Each with their own fine-grained permissions For example, file object class has 20 permissions:ioctl read writecreate getattr setattrlock relabelfrom relabelto append unlink link rename execute swaponquotaon mounton execute_no_transentrypoint execmod Documentation available at www.tresys.com/selinuxObject Classes and Permissionskey_socketunix_stream_socketrawip_socketnetlink_nflog_socketipcunix_dgram_socketprocessnetlink_kobject_uevent_socketfilesystemudp_socketpasswdnetlink_ip6fw_socketfiletcp_socketpacket_socketnetlink_firewall_socketfifo_filesystemnodenetlink_dnrt_socketfdsocketnetlink_xfrm_socketnetlink_audit_socketdirsock_filenetlink_tcpdiag_socketnetifchr_fileshmnetlink_socketmsgqcapabilitysemnetlink_selinux_socketmsgblk_filesecuritynetlink_route_socketlnk_fileassociation© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 8passwd Program Exampleallow passwd_t shadow_t : file{ create ioctl read getattr lock write setattr append link unlink rename }; Allows processes with passwd_t domain type read, write, and create access to files with shadow_t type Purpose: passwd program runs with passwd_t type, allowing it to change shadow password file (/etc/shadow) Shadow password file attributes:-r-------- root root system_u:object_r:shadow_t /etc/shadowstandard Linux SELinuxonly root allowed to create new copies of fileonly allows passwd_tdomain (via above allow rule) to modify file© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 9passwd Program Exampleeuid: root passwd_tpasswdr-------- root rootshadow_t/etc/shadowwrite, create, …(change password)allow passwd_t shadow_t : file { read getattr write setattr append };© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 10Problem of Domain Transitionseuid: root passwd_tpasswdr-------- root rootshadow_t/etc/shadowwrite, create, …(change password)uid:joeeuid: joe user_tloginbashallow passwd_t shadow_t : file { read getattr write setattr append };write,…?© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 11Standard Linux passwd Securityuid: joeeuid: joe r-------- root root/etc/shadowuid: joeeuid: joe loginbashr-s--x--x root root/usr/bin/passwdfork()execve()bashpasswdAnyone can execute© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 12Standard Linux passwd Securityuid: joeeuid: joer-------- root root/etc/shadowwrite, create, …(change password)uid: joeeuid: joe loginbashr-s--x--x root root/usr/bin/passwdfork()execve()passwd© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 13Standard Linux passwd Securityuid: joeeuid: joe r-------- root root/etc/shadowuid: joeeuid: joe loginbashr-s--x--x root root/usr/bin/passwdfork()set uidbashexecve()© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 14Standard Linux passwd Securityuid: joeeuid: rootr-------- root root/etc/shadowuid: joeeuid: joe loginbashr-s--x--x root root/usr/bin/passwdfork()passwdset uidwrite, create, …(change password)execve()© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 15SELinux Domain Transitionsuid: joeeuid: joe r-------- root root/etc/shadowuid: joeeuid: joe loginbashr-s--x--x root root/usr/bin/passwdfork()bashshadow_tuser_tuser_tpasswd_exec_t© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, [email protected]) 16SELinux Domain Transitionsuid: joeeuid: joe r-------- root root/etc/shadowuid: joeeuid: joe loginbashr-s--x--x root root/usr/bin/passwdfork()bashshadow_tuser_tuser_tpasswd_exec_texecve()allow user_t
View Full Document
Unlocking...