
Systems and Internet Infrastructure Security (SIIS) Laboratory
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park, PA

Advanced Systems Security: Security-Enhanced Linux
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab
Computer Science and Engineering Department
Pennsylvania State University
March 4, 2010


SELinux Deployment

You've configured your SELinux policy. Now what is left? Surprisingly, a lot:
- Many services must be aware of SELinux
- Got to get the policy installed in the kernel
- Got to manage all this policy
- And then there is the question of getting the policy to do what you want


User-space Services

What kind of security decisions are made by user-space services?
- Authentication (e.g., sshd)
- Access control (e.g., X Windows, DBs, etc.)
- Configuration (e.g., policy build and installation)

Also, many services need to be aware of SELinux to enable usability
- E.g., listing files and processes with SELinux contexts (ls, ps)


User-space Services: Authentication

Various authentication services need to create a "subject context" on a user login
- Like login in general, except we set an SELinux context and a UID for the generated shell

How do you get all these ad hoc authentication services to interact with SELinux?


Authentication for SELinux

Pluggable Authentication Modules
- There is a module for SELinux that various authentication services use to create a subject context


User-space Services: Access Control

Many user-space services are shared among clients of different security
- Problem: the service may leak one client's secret to another

If your SELinux policy allows multiple clients with different security requirements to talk to the same service, what can you do?


User-space Services

Add SELinux support to the service
- X Windows, postgres, dbus, gconf, telephony server
- E.g., Postgres with the SELinux user-space library


User-space Services: Configuration

You need to get the SELinux policy constructed and loaded into the kernel
- Without allowing an attacker to control the system policy
- And the policy can change dynamically

How to compose policies? How to install policies?


Compose Policies

The SELinux policy is modular
- Although not in a pure, object-oriented sense
- Too much had been done

The policy management system composes the policy from modules, linking a module to previous definitions, and loads them


Installing Policies

sys_security system call rejected
- Linux maintainers do not want to add system calls
- The use of a void * input to the kernel will not be allowed

Alternatives
- /proc: supposed to be process-specific
- sysfs: special files for I/O with the kernel


sysfs Background

During the 2.5 development cycle, the Linux driver model was introduced to fix several shortcomings of the 2.4 kernel:
- No unified method of representing driver-device relationships existed
- There was no generic hotplug mechanism
- procfs was cluttered with lots of non-process information

Main uses
- Configure drivers
- Export driver information


sysfs Example: load policy

From userspace: libselinux/src/load_policy.c

    int security_load_policy(void *data, size_t len)
    {
        char path[PATH_MAX];
        int fd, ret;

        /* The policy is installed by writing it to the "load" pseudo-file. */
        snprintf(path, sizeof path, "%s/load", selinux_mnt);
        fd = open(path, O_RDWR);
        if (fd < 0)
            return -1;

        ret = write(fd, data, len);
        close(fd);
        if (ret < 0)
            return -1;
        return 0;
    }

From kernel: security/selinux/selinuxfs.c

    enum sel_inos {
        SEL_ROOT_INO = 2,
        SEL_LOAD,       /* load policy */
        SEL_ENFORCE,    /* get or set enforcing status */
        /* ... */
    };

    static struct tree_descr selinux_files[] = {
        [SEL_LOAD]    = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
        [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
        /* ... */
    };

    static struct file_operations sel_load_ops = {
        .write = sel_write_load,
    };

From kernel: security/selinux/selinuxfs.c

    static ssize_t sel_write_load(struct file *file, const char __user *buf,
                                  size_t count, loff_t *ppos)
    {
        /* ... */
        /* The caller's security context must hold the load_policy permission. */
        length = task_has_security(current, SECURITY__LOAD_POLICY);
        if (length)
            goto out;
        /* ... */
        if (copy_from_user(data, buf, count) != 0)
            goto out;

        length = security_load_policy(data, count);   /* ss/services.c */
        if (length)
            goto out;
        /* ... */
    }


When Are We Done?

There is a significant configuration effort to get the SELinux system deployed
- Who does this?
- What happens if I want to change something?
- Does it prevent the major threats?


Threat: Remote Attackers

How do we design policies if our threat is remote attackers?


Goal: Confine Network Daemons

- Motivation for AppArmor (the other major LSM, supported by SuSE and other Linux versions)
- The SELinux targeted policy has the same aim

Goal: keep a compromised daemon from compromising the system
Challenge: some daemons must be trusted (e.g., SSH, DNS, DHCP)
Result: Chen, Li, and Mao [NDSS 2009] found that AppArmor and SELinux targeted have attack paths from network daemons; SELinux has more


Threat: Protect System Integrity

How do we design policies to protect the system's trusted computing base?


Goal: Methodology to Find TCB

Take the SELinux Example Policy and customize it for the particular site (a security target)

Goal: find a trusted computing base from those processes in the trust model
Challenge: many policy rules allow interaction of trusted and untrusted processes
Result: develop a methodology for customizing a policy, but some leaps of faith result


SELinux Example



PSU CSE 544 - Security Enhanced Linux
