SELinux For Dummies - LinuxFest Northwest 2015

advertisement
SELinux For Dummies
Gary Smith, EMSL, Pacific Northwest National
Laboratory
A Little Context
Cyber Security is all about managing risk.
How do you think about managing risk?
The Five Golden Principles of Security
Know your system
Principle of Least Privilege
Defense in Depth
Protection is key but detection is a must.
Know your enemy.
2
Introduction
Most operating systems use what is called Discretionary
Access Control (DAC) to control how processes interact
with files and the way processes interact with each other.
On operating systems using DAC, users control the
permissions of the files they own.
The kernel enforces access control decisions based on
these security properties.
3
What could go wrong?
If a bug in the Apache web server allows privilege
escalation to root, the whole system has the potential to
be compromised.
Ordinary security policy is too simplistic and there is no
way to enforce least privilege (even though we’ve layered
on many ways to try to enforce least privilege).
4
Enter SELinux
One way of solving these problems is SELinux.
SELinux adds additional access control beyond what is
offered with traditional DAC.
Processes and resources have additional security
properties associated with them and the security policy in
the kernel is flexible and easily changed.
SELinux adds Mandatory Access Control (MAC) to the
Linux kernel.
A general purpose MAC architecture needs the ability to
enforce an administratively-set security policy over all
processes and files in the system, basing decisions on
labels containing a variety of security-relevant
information.
5
MAC vs. DAC Smackdown
In a DAC model, file and resource decisions are based
solely on user identity and ownership of the objects.
Each user and program run by that user has complete
discretion over the user's objects.
Malicious, flawed, or misconfigured software can do
anything with the files and resources it controls through
the user that started the process.
If the user is the super-user or the application is setuid or
setgid to root, the process can have root level control over
the entire file system.
A MAC system does not suffer from these problems.
The system manager can administratively define a
security policy over all processes and objects.
6
MAC vs. DAC Smackdown (cont.)
Interactions among processes, objects and other
processes is controlled through the kernel security
module.
Decisions by the kernel security module are based on all
the security relevant information available from the policy,
and not just authenticated user identity.
MAC allows you to provide granular permissions for all
users, programs, processes files, directories, devices,
socket, ports, fifos, etc.
7
SELinux Benefits
All processes and files are labeled with a type. A type
defines a domain for processes, and a label for files.
Running in their own domains separates processes from
each other, and SELinux policy rules define how
processes interact with files, as well as how processes
interact with each other.
Access is only allowed if a SELinux policy rule exists that
specifically allows it.
SELinux implements fine-grained access control.
SELinux policy is not set at user discretion but rather is
administratively-defined and enforced system-wide.
8
SELinux Forms of Access Control
SELinux has four forms of access control:
Targeted Enforcement (TE)
Strict
Role-Based Access Control (RBAC) and
Multi-Level Security (MLS)
9
What SELinux is not…
SELinux is not:
A replacement for passwords, firewalls, or other security systems.
Antivirus software.
An all-in-one security solution.
10
Getting into SELinux – The Security Context
Everything in SELinux revolves around the Security
Context.
In SELinux parlance, processes are called subjects and
files, directories, sockets, FIFOs, etc. are called objects.
There are no “verbs”, “adverbs”, “adjectives” or
“prepositions” in SELinux.
Every subject (process) and object (file on the computer)
has a security context associated with it.
This context has different names depending on what it is
attached to.
It’s called a file context when it is associated with a file.
If it’s associated with a process, it’s called a domain
11
Looking at the Security Context
Now lets look at what makes up a security context.
The security context is made up of 3 or 4 components
separated by “:”
Most discussions of security contexts start at the left and
work towards the right.
I’m going to do it in reverse order and start on right and
work towards the left.
The fields in a security context are:
user:role:type:level
A sample security context:
system_u:object_r:net_conf_t:s0
12
-Z is your friend
How do you see a file’s or process’ security context?
Use the –Z option with Linux commands.
So, ls –Z will show you the security context files and ps
–efZ will show you the security context for the running
processes.
Want to know what your security context is? Do id –Z.
One of the powerful features of SELinux is that
applications do not need to be aware of SELinux.
Of the hundreds/thousands of rpm packages in RHEL 6,
only about 50 are compiled with SELinux awareness in
them.
13
SELinux Aware Applications
Applications used to view or manipulate security contexts
(Core Utilities). Examples of this are the ls for viewing
file context, ps for viewing process context, and find for
finding files based on context.
Programs required to set user session security context.
The login programs are the most obvious programs for
this: login, sshd, display manager such as gdm, and
cron
The SELinux core programs. These are used to
control/manipulate security context such as chcon,
setfiles, restorecon Those used to manipulate
policy such as load_policy, check_policy,
check_module, semodule, semanage,
setenforce, getenforce, setsebool,
getsebool.
14
mv versus cp: How to get yourself into
Context Hell
The mv command will attempt to maintain the security
context of the file when it is moved to a different directory.
This might cause some confusion, but this works the
same way as with discretionary access control.
The cp command acts a little differently.
If a file exists that you are copying over, the new file will
maintain the file context of the previous file.
If the file does not exist, it will either get the security
context of the directory, or, if a file transition rule exists, it
will transition the context to follow the rule.
15
mv versus cp: How to get yourself into
context hell – (cont.)
cp has an option to preserve the mode, ownership, and
timestamps, and context.
If you want to copy a file and explicitly set the context, use
the –Z option followed by the context.
16
SELinux Modes
SELinux has three modes of operation:
Disabled - SELinux enforcement entirely turned off and also the
creation of proper labels on the files no longer takes place.
Permissive - The kernel will also continue to create properly
labeled files, watch all system access checks, and report Access
Violations in the form of Access Vector Cache (AVC) messages
but will allow the access.
Enforcing - This tells the system to run with SELinux labeling files
with proper contexts, watching all system access checks, stopping
all "Denied" access, and logging all AVC violations.
To see the current SELinux mode, do getenforce or
sestatus.
17
Setting Up SELinux
How do you go about enabling SELinux? If this is a fresh
install, you’ll be presented with an option to enable it on
the first boot after installation and “Bob’s your uncle.”
More than likely, the system you wish to bring SELinux up
on has been running for some time. The first step is to
determine the state of SELinux on the system.
Edit the file /etc/selinux/config. Change the lines to look
like this:
SELINUX=permissive
SELINUXTYPE=targeted
You could go for whole enchilada and go straight from
disabled mode to enforcing mode. I do not recommend
this unless you enjoy hordes of enraged users darkening
your doorway.
18
Enabling SELinux
If the system has been running in disabled mode, newly
created file system objects will not be labeled with a
security context.
To set the file systems to be relabeled on reboot, do
touch /.autorelabel
and reboot.
19
Troubleshooting SELinux
After you reboot the system having set up SELinux to run
in permissive mode, you are going to get permission error
messages in the audit file, /var/log/audit/audit.log.
To get at the AVC messages, do
ausearch –i –m AVC,USER_AVC –sv no
Here’s a list of things to look at when you are trying to
resolve an SELinux access problem.
Wrong Subject Context
Wrong Object Context
Right Subject and Object Context but No Access
An Intrusion Attempt
20
Wrong Subject Context
The program is running with the wrong subject context.
This happens when a program’s executable file has the
wrong context.
This happens when a third party software application
installed and it is given an inappropriate SELinux file
context.
This was fixed with a chcon command and the
semanage commands.
chcon --type=traceroute_exec_t /usr/bin/nmap
ls –Z /usr/bin/nmap
-rwxr-xr-x. root root system_u:object_r:traceroute_exec_t:s0 /usr/bin/nmap
semanage fcontext –a –t traceroute_exec_t /usr/bin/nmap
21
Wrong Object Context
The file(s) being accessed by the program has the wrong
object context.
This can happen for any number of reasons.
The installation of third party software may result in files
with wrong context because of inheritance from an upper
level directory.
Often, configuration files end up with the wrong context as
a result of how the system manager changes the
configuration file.
To repair the file, use the command
restorecon /path/to/file-name
22
Right Subject and Object Context but No Access
The program and the file have the correct contexts, but
the policy should allow some operation between the two
contexts, which is currently not allowed.
In this case, it will be necessary to modify the SELinux
policy.
First, consider looking thru the list of SELinux booleans
for one that is related to the service which is not working
using either getsebool or semanage.
Hmm. What’s an SELinux boolean?
23
SELinux Booleans
Minor modifications to SELinux policies can be made
without modifying and recompiling the policy source by
setting boolean values for optional features.
Such features include allowing users to share their home
directories under Samba or allowing Apache to serve files
from users home directories which would otherwise be
denied by the SELinux policy.
Originally, booleans were, well, booleans. They have
been extended beyond boolean values.
Get a listing of all the booleans:
getsebool –a
semanage boolean –l
24
SELinux Boolean Examples
Allow httpd to read users home directories but not
across a reboot:
setsebool httpd_enable_homedirs on
Allow httpd to read users home directories permanently:
setsebool –P httpd_enable_homedirs on
Allow httpd to use an additional port:
semanage port –a –t http_port_t –p tcp 8080
25
Audit2allow – Policy Modules The Easy Way
Sometimes, it will be necessary to create and load a new
policy module.
An easy way to build a policy module is with the
audit2allow tool.
audit2allow takes input in the form of AVC denial
messages and generates syntactically correct Type
Enforcement rules which should be sufficient to prevent
the denials.
For example, to generate and display the rules which
would allow all denials in the audit log, do
audit2allow < /var/log/audit/audit.log
26
Audit2allow Examples
This not only might be overkill on the policy but also
difficult to scope out.
A better way to do is something like this:
ausearch –i –m AVC –sv no –ts recent | audit2allow
This will generate and display rules which should allow
kernel denials within the past five minutes.
To narrow the search down to particular program:
ausearch –i –m AVC –sv no –ts recent | grep prelude-manager |
audit2allow
Or make ausearch do the searching based on a type :
ausearch -i -m AVC -sv no –ts recent –se prelude_manager_t |
audit2allow
27
Building a Policy Profile
If you feel that this generated policy corrects the kernel
denials you are experiencing, you can use audit2allow to
create a policy module package suitable for loading into
the kernel policy.
A note about module naming conventions: Module names
must begin with a letter, optionally followed by letters,
numbers, "-", "_", ".”
First generate the module source:
ausearch -i -m AVC -sv no –ts recent –se nrpe_t | audit2allow –m
drwho-nrpe > drwho-nrpe.te
28
What a Policy Module Source File Looks Like
module drwho-nrpe 1.0;
require {
type nrpe_t;
type rpm_var_lib_t;
class dir search;
}
#============= nrpe_t ==============
allow nrpe_t rpm_var_lib_t:dir search;
29
Creating and Loading a Policy Package
Compile the policy source module into a binary
representation:
checkmodule -M -m –o drwho-nrpe.mod drwho-nrpe.te
Create a SELinux policy module package from a binary
policy module:
semodule_package –o drwho-nrpe.pp –m drwho-nrpe.mod
Load the policy package into the kernel:
semodule –install drwho-nrpe.pp
This looks suspiciously like compiling, linking and loading
a device driver.
30
Going From Permissive to Enforcing Mode
OK! You’ve got all your problems with labeling and
contexts ironed out and you’re ready to go to Enforcing
Mode.
As with Linux there’s more than one way to do anything. If
you want to make the transition to Enforcing Mode on a
provisional basis, do this as root:
setenforce enforcing
This will put the running kernel into Enforcing Mode. If
things don’t seem to be running as well as you expected,
you can go back to Permissive Mode (and do more
debugging) by doing
setenforce permissive
Or use permissive domains…
31
Permissive Domains
In permissive mode, SELinux performs all of the checks
and reports all of the AVC messages, but does not
enforce the denials.
A new capability in SELinux lets the administrator change
a single process (domain) to be permissive.
A permissive domain is a domain that performs the
SELinux access checks, however if SELinux policy would
have denied access, the kernel allows the access,
reports the AVC violation, and files get created with the
correct context.
semanage permissive -a nrpe_t
semanage permissive –d nrpe_t
semanage permissive –l
32
Permissive Domains Uses
They can be used for making a single process (domain)
run permissive to troubleshoot an issue without putting
the entire system at risk by making it permissive.
They allow an administrator to create policies for new
applications.
Previously, it was recommended that a minimal policy be
created, and then the entire machine put into permissive
mode, so that the application could run, but SELinux
denials still logged.
audit2allow could then be used to help write the policy.
This put the whole system at risk.
With permissive domains, only the domain in the new
policy can be marked permissive, without putting the
whole system at risk.
33
Indiana Jones and the Search for Unconfined
Daemons
One last item to do before closing the case on going to
SELinux is checking for unconfined daemons.
This doesn’t mean looking for daemons that are like
homeless people and have no shelter.
Daemons that SELinux has no policy for will inherit the
context of the parent process.
This is the init process and they get stuck with initrc_t as a
context.
Two things can happen as result of this:
One is that it causes AVC denials
It could allow the daemon to have privileges it doesn’t need.
34
The Magic Incantation for Unconfined Daemons
To check for unconfined daemons, do:
ps -eZ | egrep "initrc" | egrep -vw
"tr|ps|egrep|bash|awk" | tr ':' ' ' | awk ‘{ print $NF }’
If you don’t get any output from the above command list,
congratulations, you have no unconfined daemons!
You probably won’t be so lucky, but you’ll know which
ones are still running unconfined and decide if they pose
an unacceptable security risk.
As an example, this is from a system used to scan for
network vulnerabilities:
nessus-service
nessusd
rpasswdd
35
Making Enforcing Mode a Way of Life
As it stands now, if the system you’ve been pouring
blood, sweat, tears into achieving Enforcing Mode were to
reboot, it would come up in Permissive Mode.
To make Enforcing Mode the modus operandi of the
system, edit /etc/selinux/config and change
SELINUX=permissive
To
SELINUX=enforcing
36
SELinux Resources
If you want a one-stop-shopping center for SELinux
resources go to
http://selinuxproject.org/page/User_Resources
And there’s always the source
http://www.nsa.gov/research/selinux/docs.shtml
37
T-t-t-t-that’s all, folks!
Gary Smith
Information System Security Officer, Molecular Science
Computing, EMSL, Pacific Northwest National
Laboratory
Richland, WA
gary.smith@pnnl.gov
38
Download