SELinux Policy

Concepts and Overview

Security Policy Development Primer

for Security Enhanced Linux

(Module 3)

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 1

 Access Control Attributes
ƒ SELinux assigns subject and objects a
security context:

root:sysadm_r:sysadm_t[:s0:c0.c128]

mls identifier
type identifier
role identifier
user identifier

ƒ Security context is only access control attribute in SELinux

ƒ Security Identifier (SID): number represents security context
active within the kernel

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 2

 Standard Linux vs SELinux
ƒ Subject (Process) Access Control Attributes
ƒ Linux: real and effective user and group IDs
ƒ SELinux: security context (user:role:type)
Î Linux UIDs and SELinux UID are independent

ƒ Objects Access Control Attributes

ƒ Linux: (files) access modes (rwx r-x r-x) and user and
group IDs
ƒ SELinux: security context (user:role:type)

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 3

 More on Security Contexts
ƒ Linux and SELinux access controls are orthogonal
ƒ each mechanism uses its own access control attributes
ƒ two separate access checks; both must pass
ƒ A process type is also called a “domain”
ƒ though object and subject contexts are identical
ƒ Role and user are little used on objects
ƒ objects’ role usually “object_r”
ƒ Type is most used part of a context (by far) in policies
ƒ emphasis on type enforcement in a policy

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 4

 What is a Type?
ƒ A type is an unambiguous identifier
ƒ created by the policy writer
ƒ applied to all subjects and objects and for access decisions
ƒ Types group subjects and objects
ƒ signifies security equivalence
ƒ everything with the same type has the same access
ƒ policies have as few or as many types as needed
ƒ Type “meaning” created through use
ƒ e.g. shadow_t only has meaning because of a policy rules
ƒ similar to a programmer giving meaning to variables

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 5

 Type Enforcement Access Control
ƒ Access specified between
ƒ subject type (e.g., process or domain)
ƒ and object type (e.g., file, dir, socket, etc.)
ƒ Four elements in defining allowed access
ƒ source type(s) aka domain(s)
ƒ target type(s) objects to which access allowed
ƒ object class(es) classes to which access applies
ƒ permission(s) type of access allowed

ƒ SELinux prevents access unless explicitly allowed

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 6

 Object Classes and Permissions
ƒ SELinux defines 41 kernel object classes
association lnk_file netlink_route_socket security
blk_file msg netlink_selinux_socket sem
capability msgq netlink_socket shm
chr_file netif netlink_tcpdiag_socket sock_file
dir netlink_audit_socket netlink_xfrm_socket socket
fd netlink_dnrt_socket node system
fifo_file netlink_firewall_socket packet_socket tcp_socket
file netlink_ip6fw_socket passwd udp_socket
filesystem netlink_kobject_uevent_socket process unix_dgram_socket
ipc netlink_nflog_socket rawip_socket unix_stream_socket
key_socket

ƒ Each with their own fine-grained permissions

ƒ For example, file object class has 20 permissions:
ioctl read write
create getattr setattr
lock relabelfrom relabelto
append unlink link
rename execute swapon
quotaon mounton execute_no_trans
entrypoint execmod
ƒ Documentation available at www.tresys.com/selinux

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 7

 passwd Program Example
allow passwd_t shadow_t : file
{ create ioctl read getattr lock write setattr append link unlink rename };

ƒ Allows processes with passwd_t domain type read, write, and create access to
files with shadow_t type
ƒ Purpose: passwd program runs with passwd_t type, allowing it to change shadow
password file (/etc/shadow)

ƒ Shadow password file attributes:

-r-------- root root system_u:object_r:shadow_t /etc/shadow

standard Linux SELinux

only root allowed to only allows passwd_t
create new copies of file domain (via above allow
rule) to modify file

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 8

passwd Program Example

euid: root write, create, …

passwd_t (change password)

passwd

r-------- root root

shadow_t

/etc/shadow

allow passwd_t shadow_t : file

{ read getattr write setattr append };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 9

Problem of Domain Transitions

euid: root write, create, …

passwd_t (change password)
login
? passwd

uid:joe
write,… r-------- root root
euid: joe
user_t
shadow_t
bash
/etc/shadow

allow passwd_t shadow_t : file

{ read getattr write setattr append };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 10

Standard Linux passwd Security

uid: joe
euid: joe

login fork()
bash passwd

execve()
uid: joe
euid: joe Anyone can r-------- root root
execute

bash r-s--x--x root root

/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 11

Standard Linux passwd Security

uid: joe
euid: joe write, create, …
(change password)
login fork()
passwd

execve()
uid: joe
euid: joe r-------- root root

bash r-s--x--x root root

/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 12

Standard Linux passwd Security

uid: joe
euid: joe

login fork()
bash

execve()
uid: joe
euid: joe r-------- root root
set uid

bash r-s--x--x root root

/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 13

Standard Linux passwd Security

uid: joe
euid: root write, create, …
(change password)
login fork()
passwd

execve()
uid: joe
euid: joe r-------- root root
set uid

bash r-s--x--x root root

/etc/shadow

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 14

SELinux Domain Transitions

uid: joe
euid: joe
user_t
login fork()
bash

uid: joe
euid: joe r-------- root root
user_t
shadow_t
bash r-s--x--x root root
/etc/shadow
passwd_exec_t

/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 15

SELinux Domain Transitions

uid: joe
euid: joe
user_t
login fork()
bash

execve()
uid: joe
euid: joe r-------- root root
user_t
shadow_t
bash r-s--x--x root root
/etc/shadow
passwd_exec_t

/usr/bin/passwd allow user_t passwd_exec_t : file { getattr execute };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 16

SELinux Domain Transitions

uid: joe
euid: root write, create, …
passwd_t (change password)

login fork()
passwd

execve()
uid: joe
euid: joe r-------- root root
user_t
shadow_t
bash r-s--x--x root root
/etc/shadow
allow passwd_t passwd_exec_t : file entrypoint;
passwd_exec_t allow user_t passwd_t : process transition;
type_transition user_t passwd_exec_t : process passwd_t;
/usr/bin/passwd allow user_t passwd_exec_t : file { getattr execute };

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 17

 Type Transition Statement
ƒ First form: default domain transition
ƒ Causes a domain type transition to be attempted on
execve()

type_transition user_t passwd_exec_t : process passwd_t;

source file type of object new type

domain executable (process for for process
domain trans)

user_t
1
execve()
passwd_t passwd_exec_t
2

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 18

 Type Transition Statement
ƒ type_transition specifies default transition
ƒ Does NOT allow it!
ƒ Successful domain trans. requires access allowed
ƒ original domain execute access to executable file
ƒ original domain permission to transition to new domain
ƒ new domain permission to be entered via program
ƒ others...
ƒ Second form: default object types on creation
ƒ to be discussed in later modules

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 19

The Role of Roles
ƒ Roles associates domains with users
ƒ further constrains process type transitions
ƒ process type allowed only if allowed by role definition
ƒ even if type enforcement allows it

ƒ Role declaration statement

role user_r types passwd_t;

role for which type allowed
is allowed type

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 20

Roles in Domain Transitions

user_r:passwd_t write, setattr, …

(change password)

login fork() passwd

execve()
user_r:user_t r-------- root root

shadow_t
bash r-s--x--x root root
/etc/shadow
passwd_exec_t
role user_r types passwd_t;
/usr/bin/passwd

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 21

 Why Type Enforcement
ƒ Extremely configurable mandatory access control
ƒ flexible (not tied to a single security objective)
ƒ dynamic (loadable/conditional policy)
ƒ possible to be pragmatic within a policy
ƒ even necessary due to Linux legacy!
ƒ fine-grained access control
ƒ object classes and permissions, unlimited types and rules
ƒ Useful for a large number of security goals and
objectives

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 22

 Security Goals TE can Implement
ƒ System integrity, RVM/kernel self-protection
ƒ raw devices and resources
ƒ kernel configuration and binary files (e.g., modules)
ƒ daemon/services configuration and binary files
ƒ protection of SELinux policy itself
ƒ Application integrity
ƒ configuration and binary files
ƒ inter-process communication
ƒ Least privilege
ƒ preventive security engineering design
ƒ protection of privileged user environments

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 23

 Security Goals TE can Implement
ƒ Controlled execution domains
ƒ isolation of untrusted code (e.g., sandboxes)
ƒ prevention of malicious code in trusted domains
ƒ System Hardening
ƒ confinement of error propagation (exploitations)
ƒ fine-grained access control
ƒ Domain isolation
ƒ trusted from untrusted
ƒ application from application
ƒ Information flow policies
ƒ Multilevel security and multiple security levels
ƒ Guards and other cross-domain solutions
ƒ Perimeter defense

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 24

 Challenges with SELinux TE
ƒ Policies are usually complex
ƒ Due to complexity of Linux kernel
ƒ legacy issues with Linux/Unix
ƒ need for Pragmatism
ƒ Flexibility comes with a price!
ƒ 41 kernel object classes, hundreds of permissions
ƒ thousands of object instances
ƒ unlimited domain and object types
ƒ Assurance of mechanism evolving
ƒ open source model helps
ƒ certainly no worse than Linux (or other mainstream OSs)
ƒ in fact much better with a good TE policy

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 25

 Policy Concept Overview Summary

ƒ Standard Linux and SELinux access control

mechanisms are orthogonal
ƒ SELinux security context: user:role:type
ƒ applied to both objects and subjects
ƒ type is the primary means of controlling access
ƒ Fine grained access control
ƒ 41 kernel object classes, hundreds of permissions
ƒ Access must be explicitly allowed in TE policy
ƒ all access denied by default

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 26

 Policy Concept Overview Summary

ƒ TE allow statement:
allow domain_type object_type: classes permission ;
ƒ specifies allowed access based on types
ƒ TE domain transition:
ƒ changing of process type (domain) on execve()
ƒ type_transition specifies default transition
ƒ Type enforcement flexible
ƒ can implement many security properties
ƒ Roles further constrain domain transitions

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 27

 QUESTIONS?

© 2002 - 2005 Tresys Technology, LLC (www.tresys.com/selinux, selinux@tresys.com) 28