SElinux filesystem filesystem labeling labeling SElinux and type - - PDF document
SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type enforcement November 13, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments
November 13, 2020
answer the lab assignment’s questions in written report
deadline is start of your lab session the following week reports not accepted (zero for lab) if late submit via D2L
re-download the script files' zip to obtain the new vmconfigure scripts for this "sniffing" exercise
will hold a final lab office hours 11am next
Zoom link: https://usc.zoom.us/j/92599920289
CS530 will be next offered Fall 2021 lab graders will be needed
machine and scripts for this exercise delayed expected tomorrow 11/14/20 will email students when completed and
this is our final lab
background
SElinux
memory management process isolation
chroot – at filesystem/directory granularity SELinux – at individual file granularity
the easy part
active subjects reference passive objects
government example
cyber example
each access mediated by some arbitration mechanism
(runs low-level in/at the heart of a trusted OS kernel)
reference monitor authorization database audit subject
the database holds rules covering each interaction
each rule allows or disallows the rule collection is called the “policy”
multics did it with labels on memory “segments” selinux does it with labels on processes and
btw, traditional permissions also use labels ("rwxr-
xr-x") on filesystem objects (though not on
users may control access decisions for some objects but policy is by central authority (sysadmin), never a user
policy is the “mandate” in “mandatory”
mandatory and discretionary can be combined
multics – ACLs (discretionary) + MLS (mandatory) linux – permissions (discretionary) + SELinux type enforcement (mandatory)
co-existing, independent systems
purpose: associate names with bodies of data (aka “content”) method: reserve part of the disk for a directory analogous to book’s table of contents consuming first few pages name pointer name pointer name pointer data data data
disk:
directory
directory entries may include characteristic file info
– size, timestamp, filetype, owner, various labels and things, etc.
data data data
disk:
name pointer info name pointer info name pointer info
info pointer info pointer info pointer data data data
disk:
inode table
directory portion called “inode table” table entries (inodes) lack files’ names! a “directory” is a regular file files’ names appear in directory files
| bin | etc | home | info pointer info pointer info pointer
disk:
inode table
| hosts | passwd | hello.txt Hello!
(for / and /etc )
etc var / cgi-bin error www manual httpd
httpd.conf
conf logs html
your webpage files (index.html et.al.)
DocumentRoot
home etc root usr bin
apache territory (apache reads files here only)
etc var / cgi-bin error www manual httpd
httpd.conf
conf logs html
your webpage files (index.html et.al.)
DocumentRoot
home etc root usr bin student public_html
apache territory (apache reads files here only)
etc var / cgi-bin error www manual httpd
httpd.conf
conf logs html
your webpage files (index.html et.al.)
DocumentRoot
home etc root usr bin web
etc var / cgi-bin error www manual httpd
httpd.conf
conf logs html
your webpage files (index.html et.al.)
DocumentRoot
home etc root usr bin web
" Alias /otherstuff /var/web "
“[SELinux] compensates for the inevitable buffer overflows and
isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days-- when someone gets a toe-hold on a computer through a vulnerability in a local networked application … and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system.”
book press release
“Beating the 0-day vulnerability threat”
book cover banner
permissions system cares which user account but SELinux cares which program user can normally access more files than a particular program should my progX doesn't need access to all the same files as my progY, just
because they're both mine!
gaining illicit control, which access do you want attacker to get?
Why should I use SELinux? In short because SELinux can help protect you from bugs in applications. Most people treat applications as user surrogates (e.g., "I go to google.com" not "I tell my browser to go to google.com and it does so on my behalf"). However applications, especially the desktop applications we all use, come in at millions of lines of code. Without knowing what those millions
becomes malicious because of vulnerabilities. With SELinux you can treat the applications you run differently from yourself thereby limiting what an exploited application can do. http://selinuxproject.org/page/FAQ
who! what!
filenames – those are labels themselves (on data) permission strings – those are labels (on files) SELinux contexts – another set of lables (also on files)
context/label – 4 components
secon shows them individually we care only about the “type” or “type label” (“net_conf_t in this case)
data data data
disk:
inode table
info data pointer lbl pointer info data pointer label info data pointer
label
to management (beyond just files)
th field give you the file's label
permissions here pointer to additional data of variable length here (“extended attributes”) e.g., ACL, SELinux labels
dhcpd
dhcpd_t
/etc/dhcp/dhcpd.conf
dhcp_etc_t
httpd
httpd_t
/var/www/html/index.html
httpd_sys_content_t
Everything gets a label:
subject verb permission
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock map open read }; allow dhcpd_t dhcpd_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }
subject verb permission
animals and their food: processes and their files:
httpd_sys_content_t dhcpd_t
traditional from: SELinux: NSA’s Open Source Security Enhanced Linux
policy_module(mylogging, 0.1) gen_require(` type syslogd_t; type named_conf_t; ') # Allow writing to named_conf_t files allow syslogd_t named_conf_t:file { getattr append lock ioctl open write }; sample.te
a policy rule
language compilation
processes (subjects) get their own labels
kernel space (OS) user space
compiled in-kernel blob
(selinux “engine”) label label label label
blob of all the firewall rules (nftables “engine”)
1 filesystem objects and their labels 2 policy store (rules in ascii) 3 kernel-loadable blob file
disk
“ “a process of this type, can access a file labeled with that type a process of this type, can access a file labeled with that type” ”
subjects (processes)
apparent correspondence/match (at least by string tokens) httpd looks somehow related to the /var/www and /etc/httpd directories
create web pages on client
(one in-place in apache territory, one elsewhere then moved into apache territory)
browse them from server
the one created in place remains web readable the one moved into place does not
(though neither file permissions nor apache configuration has changed)
labels on the 2 objects labels on the subject now we’ve changed it to match
I have enjoyed the opportunity to be the lab
Applause
– I applaud your effort, interest, ability – best of luck in your academic and career futures