Introducing SELinux Part I
Anand Tanksali
OS Layers
Applications & Userland
Privileged User
Kernel
Operating System
Hardware
What is DAC?
Discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria[1] "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject".
DAC based systems
Linux
BSD
Solaris
Please note that this does not represent an exhaustive list.
What is MAC?
In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place.
Examples of a MAC-based system
• SELinux
• Trusted BSD (for BSD-based systems only)
• Trusted Solaris, or what was Solaris 10
Securing a Linux distro.
/etc/sysctl.conf
Restrict root logins.
Configure iptables.
Reconfigure the kernel.
Uninstall / disable unnecessary daemons.
/etc/default/security
/etc/pam.d
Enable auditing.
Chroot.
Please note that this does not represent an exhaustive list.
Problems persist……
Access is based upon the user's access
Processes can change security properties
Standard access control is discretionary
Privilege levels are user & root
History of SELinux
SELinux was originally a development project from the National Security Agency (NSA)[1] and others.
The NSA integrated SELinux into the Linux kernel using the Linux Security Modules (LSM) framework.
The next evolution of SELinux was as a loadable kernel module for the 2.4.<x> series of Linux kernels. This module stored PSIDs in a normal file, and SELinux was able to support more file systems.
The SELinux code was integrated upstream to the 2.6.x kernel, which has full support for LSM and has extended attributes (xattrs) in the ext3 file system. SELinux was moved to using xattrs to store security context information.
The SELinux advantage
Ability to confine services.
Auditing logs for reporting.
Provide fine grained access control.
Provides a system wide policy when in enforcing mode.
Please note that this does not represent an exhaustive list.
GUI Screen
Terminal Output
Output from a Linux system
daemonology@darkstar:~$ ls -la /var/www/index.html
-rw-r--r--. 1 root root 177 2011-05-10 21:31 /var/www/index.html
Output from an SELinux system
daemonology@darkstar:~$ ls -Z /var/www/html/index.html
-rw-r--r-- username username system_u:object_r:httpd_sys_content_t /var/www/index.html
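The DAC and MAC decisions described earlier, applied to the `ls -Z` line above, as an added example that is not part of the original slides. The policy table is a constructed toy (not the SELinux reference policy), and the `apache` user and `example_daemon_t` domain are hypothetical names.

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str

def parse_ls_z(line):
    """Parse the `ls -Z` layout on the slide: mode owner group context path."""
    mode, owner, group, label, path = line.split(None, 4)
    parts = label.split(":")  # user:role:type[:level]; an MLS level is ignored
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {label!r}")
    return mode, owner, group, Context(*parts[:3]), path

def dac_allows_read(mode, owner, group, user, groups):
    """Owner/group/other check on the rwx string (simplified: root always passes)."""
    if user == "root":
        return True
    bits = mode[1:10]  # also drops a trailing "." or "+" marker
    if user == owner:
        return bits[0] == "r"
    if group in groups:
        return bits[3] == "r"
    return bits[6] == "r"

# Constructed toy policy, not the reference policy:
# (source type, target type, object class) -> permitted operations
POLICY = {("httpd_t", "httpd_sys_content_t", "file"): {"getattr", "open", "read"}}

def mac_allows(source_type, target_type, tclass, perm, policy=POLICY):
    """Type enforcement is default-deny: access needs an explicit allow rule."""
    return perm in policy.get((source_type, target_type, tclass), set())

def can_read(line, user, groups, domain):
    """Both layers must agree; MAC can only restrict what DAC already permits."""
    mode, owner, group, ctx, _ = parse_ls_z(line)
    return (dac_allows_read(mode, owner, group, user, groups)
            and mac_allows(domain, ctx.type, "file", "read"))

# The `ls -Z` line from the slide above
SLIDE_LINE = ("-rw-r--r-- username username "
              "system_u:object_r:httpd_sys_content_t /var/www/index.html")

if __name__ == "__main__":
    print(can_read(SLIDE_LINE, "apache", {"apache"}, "httpd_t"))     # web server domain
    print(can_read(SLIDE_LINE, "root", set(), "example_daemon_t"))  # hypothetical domain
```

The second call is the case the "Problems persist" slide points at: root passes the DAC check, yet a process running as root in a domain with no allow rule is still denied.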