SELinux - Security-Enhanced Linux

SELinux

Some $0.02 advice about SELinux :

  • when SELinux is in the game,
  • when it's "supposed to be working normally" because it did work normally and you changed nothing related (or think so),
  • when you're suddenly getting all kinds of access denied errors,
check first with setenforce 0 whether or not SELinux is blocking the road.

Definitions and concepts :

Security-Enhanced Linux (aka SELinux)
a set of patches to the Linux kernel and utilities to provide a strong, flexible Mandatory Access Control architecture into the major subsystems of the kernel. (source)
Access Control
general term applying to physical security or computer security to describe :
  • a system / process
  • that allows / forbids
  • someone / something (aka a subject)
  • to "consume" : enter / use / access / read / ...
  • a resource (aka an object) : place / equipment / information / device / file / ...
There are different kinds of Access Control. All are governed by authorization rules (aka policies).
Discretionary Access Control (DAC, details)
Access Control system in which users are allowed to make policy decisions for themselves or others. The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC, since a user can
  • change his own permissions on a file (e.g. making it executable)
  • grant permissions to others (up to his own permissions)
Mandatory Access Control (MAC, details)
Access Control system in which policies are centrally managed and can be altered by administrators only. MAC systems have no notion of a superuser.
security context (source)
the identity + role + domain trio (there is a 4th optional field : "level") :
  • identity : each Linux user account is mapped to a SELinux user, allowing Linux users to inherit grants placed on SELinux users
  • role :
    * intermediary between "identity" and "domain/type"
    * the roles that can be entered determine which domains can be entered : ultimately, this controls which object types can be accessed
    * an identity can have multiple roles
  • type / domain : the label the type enforcement rules (see below) are written on ; "domain" is the usual word for the type of a process, "type" for the type of an object (file, port, ...)
security context for :
  • a file : a regexp + file type + context definition (source) :
    /var/log/audit(/.*)?    all files    system_u:object_r:auditd_log_t
    ^^^^^^^^^^^^^^^^^^^^    ^^^^^^^^^    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    regexp matching         file type    context to apply to
    dir + files                          matching objects
    see /etc/selinux/targeted/contexts/files/*
  • a user :
    • assigned at the time of his connection, according to his roles
    • see /etc/selinux/targeted/contexts/users/*
  • a process : by default defined by the context of the user who launches it
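An added example (not from the original page) of how a file context entry selects the label for a path: a toy matcher in POSIX shell + awk over a constructed table in the format of /etc/selinux/targeted/contexts/files/file_contexts (anchored regexp, optional file type code such as -d or --, context). It assumes, as a simplification, that when several entries match the last one in the table wins, which is the convention file_contexts.local relies on to override distribution entries.

```shell
#!/bin/sh
# Added example (not from the page): toy file_contexts matcher.
# Constructed table in the format of /etc/selinux/targeted/contexts/files/file_contexts:
#   <anchored regexp>  [<file type: -d directory, -- regular file, ...>]  <context>
# An entry without a file type field applies to all file types ("all files").
file_contexts_table() {
  cat <<'EOF'
/.*                         system_u:object_r:default_t:s0
/var/log(/.*)?              system_u:object_r:var_log_t:s0
/var/log/audit(/.*)?        system_u:object_r:auditd_log_t:s0
/var/www(/.*)?              system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t:s0
/var/run/httpd\.pid     --  system_u:object_r:httpd_var_run_t:s0
EOF
}

# Usage: match_context PATH FTYPE   (FTYPE is -d for a directory, -- for a regular file)
# Prints the context the table assigns to PATH. Assumption (simplification): when
# several entries match, the last one in the table wins.
match_context() {
  file_contexts_table | awk -v path="$1" -v ftype="$2" '
    /^#/ || NF < 2 { next }
    {
      re   = "^" $1 "$"                 # file_contexts regexps are anchored to the whole path
      want = (NF == 3) ? $2 : ""        # empty = all file types
      if (path ~ re && (want == "" || want == ftype)) ctx = $NF
    }
    END { print (ctx == "" ? "<no match>" : ctx) }'
}

match_context /var/log/audit/audit.log --    # system_u:object_r:auditd_log_t:s0
match_context /var/www/cgi-bin/hello.cgi --  # system_u:object_r:httpd_sys_script_exec_t:s0
match_context /var/run/httpd.pid -d          # system_u:object_r:default_t:s0 (entry is for regular files only)
```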
modes
  mode         can deny access ?   warn ?   log ?   details
  enforcing    yes                 yes      yes
  permissive   no                  yes      yes     used mostly for troubleshooting
  disabled     no                  no       no
  • Logs are :
    • /var/log/messages
    • /var/log/audit/audit.log
    • /var/lib/setroubleshoot/setroubleshoot_database.xml
  • To get the current mode :
    • getenforce
      Enforcing
    • sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Memory protection checking:     actual (secure)
      Max kernel policy version:      33
  • To set the current mode :
    • to permissive mode : setenforce 0
    • to enforcing mode : setenforce 1
  • By default, the policy does not allow any interaction unless a rule explicitly grants access. (i.e. Everything is forbidden unless explicitly authorized).
  • SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first, which means that no SELinux denial is logged if the traditional DAC rules prevent the access.
(source)

Putting all this together

SELinux is a system in which :
  • you put labels on everything : users, stuff users may want to play with (files, processes, ...), ways of playing with these (read, write, ...)
  • by default, everything is forbidden
  • each rule defines a type of user + type of stuff + type of play that is allowed. When someone asks to play with something, access is granted if the labels match a rule
In more detail, SELinux manages :
  • subjects : those who do things : users, processes, ...
  • objects : stuff the "subjects" are trying to interact with : files, ports, ...
  • access : what a "subject" does to an "object" : read, write, open, connect to, ...
All these are labelled.
Rules (aka policies) list the subject → access → object relationships.
By default, everything is forbidden, unless an explicit rule allows a "subject + access + object".
SELinux does not handle individual subjects nor individual objects. It works by type enforcement, meaning it deals with :
  • processes with the label user_t
  • files with the label bin_t
  • in rules such as "processes with the label user_t can execute regular files labeled bin_t"

Type enforcement explained with cats, dogs and food : Your visual how-to guide for SELinux policy enforcement

allow     cat       cat_chow:food      eat;
allow     dog       dog_chow:food      eat;
          ^^^       ^^^^^^^^^^^^^      ^^^
          subject   object             access
  • only processes of type cat can access cat_chow:food for action eat
  • only processes of type dog can access dog_chow:food for action eat
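To tie the logs listed above to the subject → access → object rules, here is an added example (not from the original page) in POSIX shell + awk: it reads audit.log records on stdin, keeps only AVC denials, and prints each (subject type, object type, class) as an allow rule in the same shape as the cat/dog rules, with permissions merged and permissive-mode denials flagged, which is the form to review before deciding whether a denial is a labelling mistake or a real policy violation. The log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the page): turn AVC denials from audit.log into
# "allow <subject type> <object type>:<class> { <access> };" lines for review.
# Constructed sample records (realistic format, made-up values):
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1201 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Reads audit records on stdin; one rule per (subject type, object type, class),
# permissions merged in the order seen, output sorted so it is stable.
avc_to_rules() {
  awk '
    $1 == "type=AVC" && /avc: +denied +[{]/ {
      acc = $0                                  # becomes "read", "read open", ...
      sub(/.*denied +[{] */, "", acc); sub(/ *[}].*/, "", acc)
      s = t = c = ""; perm = "0"
      for (i = 1; i <= NF; i++) {
        if      (sub(/^scontext=/, "", $i))   { split($i, f, ":"); s = f[3] }  # subject type
        else if (sub(/^tcontext=/, "", $i))   { split($i, f, ":"); t = f[3] }  # object type
        else if (sub(/^tclass=/, "", $i))     c = $i                           # object class
        else if (sub(/^permissive=/, "", $i)) perm = $i
      }
      key = "allow " s " " t ":" c
      n = split(acc, p, " ")
      for (j = 1; j <= n; j++)                  # merge permissions without duplicates
        if (index(" " perms[key] " ", " " p[j] " ") == 0) perms[key] = perms[key] " " p[j]
      if (perm == "1") note[key] = "  # logged in permissive mode, access was not blocked"
    }
    END { for (k in perms) print k " {" perms[k] " };" note[k] }' | sort
}

sample_audit_log | avc_to_rules
# allow httpd_t postgresql_port_t:tcp_socket { name_connect };  # logged in permissive mode, access was not blocked
# allow httpd_t user_home_t:file { read open };
```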
Multi Category Security (MCS) enforcement
If you own 2 dogs, you may create new types :
  • Fido_dog
  • Fido_dog_chow
  • Spot_dog
  • Spot_dog_chow
But :
  • this will get complex with an increasing number of dogs
  • this added complexity is unnecessary as all dogs basically have the same kind of rules : each dog can only eat its own food

type / domain examples (source) :

  type                  object                    example
  httpd_exec_t          binary file               /usr/sbin/httpd
  httpd_config_t        configuration directory   /etc/httpd
  httpd_log_t           logfile directory         /var/log/httpd
  httpd_sys_content_t   content directory         /var/www/html
  httpd_unit_file_t     startup script            /usr/lib/systemd/system/httpd.service
  httpd_t               process                   /usr/sbin/httpd -DFOREGROUND
  httpd_t, http_port_t  ports                     80/tcp, 443/tcp
A process running in the httpd_t context may interact with an object with the httpd_something_t label.