selinux filesystem labeling and type enforcement
TRANSCRIPT
SELinux filesystem labeling and type enforcement
November 13, 2020
Administrative – submittal instructions
• answer the lab assignment’s questions in written report form, as a text, pdf, or Word document file (no obscure formats please)
• deadline is start of your lab session the following week
• reports not accepted (zero for lab) if late
• submit via D2L
Administrative – script files reminder
• re-download the script files' zip
• to obtain the new vmconfigure scripts for this "sniffing" exercise
Administrative
• will hold a final lab office hours 11am next Thursday 11/19
Zoom link: https://usc.zoom.us/j/92599920289
Administrative – employment
• CS530 will be next offered Fall 2021
• lab graders will be needed – you are the automatically ideal candidates
- you must remain a student in Fall 2021
- contact me with expression of interest now, or subsequently
- hiring can only take place next August-September
- see link to job description on lab class website
Administrative
• machine and scripts for this exercise delayed
• expected tomorrow 11/14/20
• will email students when completed and available
Administrative
• this is our final lab
Agenda
• background
- general concept of confinement
- filesystems and filesystem geography
- example: apache web server
• SELinux
Background: general concept of confinement
Confinement in cyber security
• “Systems should do 1) what they are designed to do 2) and nothing else.”
• cyber confinement examples
- memory: memory management, process isolation (the easy part)
- storage: chroot – at filesystem/directory granularity; SELinux – at individual file granularity
Central concept of access control
• active subjects reference passive objects
- “reference” means propose access
• government example
- subjects are employees
- objects are documents
• cyber example
- subjects are processes
- objects may be filesystem objects (unix) or memory segments (multics)
• each access mediated by some arbitration mechanism
- approved or disapproved
Reference monitor – another, similar possibility
• centerpiece of security kernels in trusted OS's (runs low-level in/at the heart of a trusted OS kernel)
• sits between subjects and objects
• uses an authorization database as input
• supplies audit (event) information as output
Reference monitor
[figure: subject → reference monitor → object; the authorization database feeds the monitor, audit records come out of it]
Ref monitor enforces policy
• the database holds rules covering each interaction type for every subject/object combination
- e.g. a population of 3 subjects and 5 objects with 2 operations would need 30 rules
• each rule allows or disallows
• the rule collection is called the “policy”
Well then, policy is prerequisite
• the policy is the law
• absent the law you can't enforce the law
• so the database must get pre-populated by the system admin
• ref monitor is the cop, but sysadmin is the legislature
• everything flows from policy
“Rules” can be fashioned from labels
• multics did it with labels on memory “segments”
• selinux does it with labels on processes and filesystem objects
• btw, traditional permissions also use labels ("rwxr-xr-x") on filesystem objects (though not on processes)
Who gets to write the rules? Access control types: discretionary vs mandatory
• users may control access decisions for some objects (that is the discretionary part)
• but policy is by central authority (sysadmin), never a user
• policy is the “mandate” in “mandatory”
• mandatory and discretionary can be combined
- multics – ACLs (discretionary) + MLS (mandatory)
- linux – permissions (discretionary) + SELinux type enforcement (mandatory)
co-existing, independent systems: they operate as “perms && selinux”, i.e., perms first. An access the permission bits deny is never put to SELinux at all; an access they allow must additionally be allowed by the SELinux policy.
Background: filesystems
Filesystem underpinnings: general filesystem structure logic
• purpose: associate names with bodies of data (aka “content”)
• method: reserve part of the disk for a directory
• analogous to book’s table of contents consuming first few pages
[figure: disk holding a directory of (name, pointer) entries, each pointer leading to a block of data]
Additional logic (“info”)
• directory entries may include characteristic file info – size, timestamp, filetype, owner, various labels and things, etc.
[figure: same disk layout, each directory entry now (name, pointer, info)]
Linux (ext2) filesystem differs a bit – where are the filenames?
[figure: disk holding an inode table of (info, pointer) entries, each pointing at a block of data; no names appear anywhere in the table]
Linux (ext2/3/4) filesystem structure
• directory portion called “inode table”
• table entries (inodes) lack files’ names!
• a “directory” is a regular file
• files’ names appear in directory files
Directories sit in their own files; files’ names are in there
[figure: finding /etc/hello.txt. Inode table entries (info, pointer) point at data; two of the data blocks are directory files: the one for / lists bin, etc, home, …; the one for /etc lists hosts, passwd, hello.txt; hello.txt's own data block holds “Hello!”]
Background: apache web server
Apache filesystem map
[figure: directory tree]
/ contains bin, etc, home, root, usr, var
/etc/httpd/ holds conf/httpd.conf and logs
/var/www/ holds cgi-bin, error, manual and html
/var/www/html is DocumentRoot: your webpage files (index.html et al.)
the www subtree is apache territory (apache reads files here only)
Apache filesystem map (with a user web directory)
[figure: the same tree as above, now also showing /home/student/public_html inside the boxed apache territory (apache reads files here only)]
A foreign directory "/var/web" – outside the fold / beyond view
[figure: the same tree with /var/web added beside /var/www; it lies outside apache territory, so apache does not read it]
/var/web brought inside as "/otherstuff"
[figure: the same tree; /var/web now appears inside apache territory under the name /otherstuff]
" Alias /otherstuff /var/web " (in httpd.conf)
SELinux
Confinement in SELinux
“[SELinux] compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days--when someone gets a toe-hold on a computer through a vulnerability in a local networked application …and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system.”
book press release
“Beating the 0-day vulnerability threat”
book cover banner
• permissions system cares which user account
• but SELinux cares which program
• user can normally access more files than a particular program should
• my progX doesn't need access to all the same files as my progY, just because they're both mine!
• gaining illicit control, which access do you want attacker to get?
Trying to access a resource (permissions vs SELinux)
Why should I use SELinux?
In short because SELinux can help protect you from bugs in applications. Most people treat applications as user surrogates (e.g., "I go to google.com" not "I tell my browser to go to google.com and it does so on my behalf"). However applications, especially the desktop applications we all use, come in at millions of lines of code. Without knowing what those millions of lines of code do there is no way to know if an application will really do what you tell it or if it becomes malicious because of vulnerabilities. With SELinux you can treat the applications you run differently from yourself thereby limiting what an exploited application can do.
http://selinuxproject.org/page/FAQ
(slide annotations on the quote: who! / what!)
What labels are there? Where are SELinux’s?
• filenames – those are labels themselves (on data)
• permission strings – those are labels (on files)
• SELinux contexts – another set of labels (also on files) (“context” == “label”)
- a context/label has 4 components (user, role, type, level); secon shows them individually
- we care only about the “type” or “type label” (“net_conf_t” in this case)
SELinux – where are the files’ labels? – or – object types subject to management (beyond just files)
[figure: inode table as before; each entry now carries (info, data pointer, label pointer), so the label is reached through the inode and never through a directory file]
We call it a “file”system but… “in unix, everything is a file”
Inode field structure
[figure: ext2 inode field layout; the permission bits are one fixed field, and the 16th field points to additional data of variable length (the “extended attributes”), e.g. ACL, SELinux labels: that is where the file's label lives]
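The label really is just an extended attribute on the inode. The following is an added example, not code from the lecture or from the SELinux project: it reads the "security.selinux" xattr that ls -Z and secon read, and splits the context into the four components the slide mentions. The sample contexts and the file paths are constructed; on a kernel without SELinux (or on a non-Linux platform, where os.getxattr does not exist) the xattr is absent and the functions fall back to the samples.

```python
"""Added example, not from the lecture: read a file's SELinux label straight
from the inode's extended attribute and split the context into the four
components secon shows. On a machine without SELinux the xattr is absent,
so the functions fall back to the constructed sample contexts."""
import os

# Constructed samples in the form ls -Z / ps -Z print them.
SAMPLE_CONTEXTS = {
    "/etc/resolv.conf": "system_u:object_r:net_conf_t:s0",
    "/var/www/html/index.html": "system_u:object_r:httpd_sys_content_t:s0",
    "httpd process": "system_u:system_r:httpd_t:s0-s0:c0.c1023",
}


def split_context(ctx):
    """Return (user, role, type, level). The fourth field, the MLS/MCS level,
    may itself contain ':' (s0-s0:c0.c1023), so split at most three times;
    a policy without MLS yields only three fields and gets an empty level."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("not an SELinux context: %r" % ctx)
    if len(parts) == 3:
        parts.append("")
    return tuple(parts)


def type_of(ctx):
    """The component type enforcement matches on (net_conf_t in the slide)."""
    return split_context(ctx)[2]


def file_context(path):
    """The raw label from the security.selinux xattr, or None when the kernel,
    filesystem or platform has none (os.getxattr is Linux-only)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.decode().rstrip("\x00")   # the stored value may carry a trailing NUL


def label_report(path):
    """The four components of the real label if present, else of the sample."""
    ctx = file_context(path) or SAMPLE_CONTEXTS.get(path)
    if ctx is None:
        return None
    user, role, typ, level = split_context(ctx)
    return {"user": user, "role": role, "type": typ, "level": level}


if __name__ == "__main__":
    for p in SAMPLE_CONTEXTS:
        print(p, label_report(p))
```

The maxsplit matters: a naive split(":") turns the MCS range of a confined process into five pieces and reports "s0-s0" as the level. On a real SELinux host, run the script against /etc/resolv.conf or /var/www/html/index.html and compare the output with ls -Z.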
Everything gets a label:
- subject dhcpd (process) → dhcpd_t; object /etc/dhcp/dhcpd.conf → dhcp_etc_t
- subject httpd (process) → httpd_t; object /var/www/html/index.html → httpd_sys_content_t
A policy rule names subject, object and verb/permission: allow <subject type> <object type>:<class> { <permissions> };
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock map open read };
allow dhcpd_t dhcpd_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
Policy rules – concept and structure
[figure: analogy of animals and their food versus processes and their files: each process type is allowed its own file types, e.g. httpd_t and httpd_sys_content_t, dhcpd_t and dhcp_etc_t]
Enforcement – by subject label to object label match
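To make the "authorization database", the allow-rule syntax above and the "perms && selinux" ordering from the discretionary-vs-mandatory slide concrete, here is an added example that is not code from the lecture or from SELinux itself: a toy reference monitor. It parses the two allow rules shown on the slides into a rule table, checks the traditional rwx bits first, and only then consults the table. The httpd process record (uid 48, type httpd_t) and the three file records are constructed.

```python
"""Added example, not code from the lecture or from SELinux: a toy reference
monitor that parses allow rules in the slide syntax and enforces
"perms && selinux" in that order. The subjects and objects are constructed."""
import re
from collections import defaultdict

# The two rules from the slides.
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock map open read };
allow dhcpd_t dhcpd_exec_t:file { entrypoint execute execute_no_trans
    getattr ioctl lock map open read };
"""

# allow <subject type> <object type>:<class> { <permissions> };
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")


def parse_allow_rules(text):
    """Build the authorization database: {(subject, object, class): {perms}}.
    Rules are additive, so a second rule for the same triple only widens it."""
    rules = defaultdict(set)
    for subj, obj, cls, perms in RULE_RE.findall(text):
        rules[(subj, obj, cls)].update(perms.split())
    return dict(rules)


def selinux_allows(rules, subj_type, obj_type, cls, perm):
    """Type enforcement is default-deny: no matching allow rule, no access."""
    return perm in rules.get((subj_type, obj_type, cls), ())


def dac_allows(mode, file_uid, file_gid, uid, gids, want):
    """Classic rwx bits: owner class, else group class, else other; want in 'rwx'.
    uid 0 models CAP_DAC_OVERRIDE: read/write always, execute if any x bit is set."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return want != "x" or bool(mode & 0o111)
    if uid == file_uid:
        return bool((mode >> 6) & bit)
    if file_gid in gids:
        return bool((mode >> 3) & bit)
    return bool(mode & bit)


def may_access(rules, proc, f, want):
    """perms && selinux, perms first. Returns (decision, layer that decided)."""
    if not dac_allows(f["mode"], f["uid"], f["gid"], proc["uid"], proc["gids"], want):
        return False, "dac"
    perm = {"r": "read", "w": "write", "x": "execute"}[want]
    if not selinux_allows(rules, proc["type"], f["type"], "file", perm):
        return False, "selinux"
    return True, "ok"


# Constructed subject and objects: httpd runs as uid 48 (apache) with type httpd_t.
HTTPD = {"uid": 48, "gids": {48}, "type": "httpd_t"}
INDEX = {"mode": 0o644, "uid": 0, "gid": 0, "type": "httpd_sys_content_t"}  # made in place
MOVED = {"mode": 0o644, "uid": 0, "gid": 0, "type": "user_home_t"}          # mv'd from a home dir
SHADOW = {"mode": 0o000, "uid": 0, "gid": 0, "type": "shadow_t"}            # DAC stops it first

if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_POLICY)
    for name, f in (("index", INDEX), ("moved", MOVED), ("shadow", SHADOW)):
        print(name, may_access(rules, HTTPD, f, "r"))
```

The two "moved" and "index" records have identical permission bits and owners; only the type label differs, which is exactly the situation the demonstration at the end of the lecture sets up. Note also that the root shortcut lives in the DAC layer only: a root-owned process with the wrong type is still refused by the rule table.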
SELinux policy creation: language, tools, procedure
(from: SELinux: NSA’s Open Source Security Enhanced Linux)
the traditional route: write the rules in a policy source file, compile them, load the result – cf. traditional language compilation

sample.te:
    policy_module(mylogging, 0.1)
    gen_require(`
        type syslogd_t;
        type named_conf_t;
    ')
    # Allow writing to named_conf_t files
    allow syslogd_t named_conf_t:file { getattr append lock ioctl open write };   ← a policy rule
Processes (subjects) get their own labels
[figure: user space above kernel space (OS); in the kernel, the process descriptor array with a label on each entry, next to the compiled in-kernel blob of all the policy rules (the selinux “engine”); cf. the compiled in-kernel blob of all the firewall rules (the nftables “engine”)]
Processes labeled too. What’s where?
on disk:
1 filesystem objects and their labels
2 policy store (rules in ascii)
3 kernel-loadable blob file
Labels on files and processes – “a process of this type can access a file labeled with that type”
[figure: labels of objects (files) listed beside labels of subjects (processes); there is an apparent correspondence/match, at least by string tokens: httpd looks somehow related to the /var/www and /etc/httpd directories]
Demonstration
demo – 2 files web-readable
• create web pages on client (one in-place in apache territory, one elsewhere then moved into apache territory)
• browse them from server
demo – now enforce SELinux policy
• the one created in place remains web readable
• the one moved into place does not (though neither file permissions nor apache configuration has changed)
demo – why? labels must match!
• labels on the 2 objects
• labels on the subject
• now we’ve changed it to match
demo – web-readability restored
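The demo's outcome follows directly from the ext2/3/4 structure slides: names live in directory files, labels live in the inode. The following is an added example, not the lecture's demo script or any SELinux code: an in-memory model of that layout, with an inode table, directory files, and a constructed file_contexts table that restorecon consults (last matching entry wins, as libselinux does). It reproduces the two pages from the demo and adds a third that is copied rather than moved, for contrast. The directory names, regexes and the set of types httpd_t may read are assumptions of the model.

```python
"""Added example, not the lecture's demo script: an in-memory model of the
ext-style layout from the filesystem slides, used to show why the demo's
moved page stopped being web-readable.

The inode table holds per-file info (here just the SELinux type, which on a
real system sits in the security.selinux xattr) plus data; a directory is a
regular file whose data maps names to inode numbers. Names never live in the
inode, so mv only rewrites directory entries and leaves the inode, label
included, untouched, while cp allocates a fresh inode that inherits the
destination directory's type. restorecon relabels to the file_contexts entry
for the path (constructed table; last matching entry wins, as in libselinux)."""
import posixpath
import re

FILE_CONTEXTS = [  # (regex, type), generic entries first; constructed
    (r"/.*", "default_t"),
    (r"/etc(/.*)?", "etc_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
]
HTTPD_READABLE = {"httpd_sys_content_t", "httpd_sys_script_exec_t"}  # types httpd_t has read rules for


def expected_type(path):
    """matchpathcon-style lookup: the last entry whose regex matches the whole path."""
    label = None
    for regex, typ in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            label = typ
    return label


class Fs:
    def __init__(self):
        self.inodes = {}                                   # ino -> {"type": ..., "data": ...}
        self.next_ino = 1
        self.root = self._alloc(expected_type("/"), {})    # "/" is itself a directory file

    def _alloc(self, typ, data):
        ino, self.next_ino = self.next_ino, self.next_ino + 1
        self.inodes[ino] = {"type": typ, "data": data}
        return ino

    def lookup(self, path):
        """Walk directory files from / down to the inode number ("finding /etc/hello.txt")."""
        ino = self.root
        for name in filter(None, path.split("/")):
            entries = self.inodes[ino]["data"]
            if not isinstance(entries, dict) or name not in entries:
                raise FileNotFoundError(path)
            ino = entries[name]
        return ino

    def _parent_and_name(self, path):
        parent, name = posixpath.split(path)
        return self.lookup(parent), name

    def mkdir(self, path):
        """Directories here arrive labeled as policy expects (as after a restorecon)."""
        pino, name = self._parent_and_name(path)
        self.inodes[pino]["data"][name] = self._alloc(expected_type(path), {})

    def create(self, path, data=""):
        """New inode; with no type_transition rule it inherits the parent directory's type."""
        pino, name = self._parent_and_name(path)
        self.inodes[pino]["data"][name] = self._alloc(self.inodes[pino]["type"], data)

    def mv(self, src, dst):
        """Only directory entries change: same inode, same label."""
        sino, sname = self._parent_and_name(src)
        dino, dname = self._parent_and_name(dst)
        self.inodes[dino]["data"][dname] = self.inodes[sino]["data"].pop(sname)

    def cp(self, src, dst):
        """Fresh inode at the destination, labeled like its new parent directory."""
        self.create(dst, self.inodes[self.lookup(src)]["data"])

    def restorecon(self, path):
        self.inodes[self.lookup(path)]["type"] = expected_type(path)

    def type_of(self, path):
        return self.inodes[self.lookup(path)]["type"]

    def httpd_can_read(self, path):
        return self.type_of(path) in HTTPD_READABLE


def demo():
    """The lecture demo plus a cp for contrast; returns (before, after restorecon)."""
    fs = Fs()
    for d in ("/etc", "/home", "/home/student", "/var", "/var/www", "/var/www/html"):
        fs.mkdir(d)
    fs.create("/var/www/html/page1.html", "<h1>made in place</h1>")
    fs.create("/home/student/page2.html", "<h1>moved in</h1>")
    fs.create("/home/student/page3.html", "<h1>copied in</h1>")
    fs.mv("/home/student/page2.html", "/var/www/html/page2.html")
    fs.cp("/home/student/page3.html", "/var/www/html/page3.html")
    pages = ["/var/www/html/page%d.html" % i for i in (1, 2, 3)]
    before = {p: (fs.type_of(p), fs.httpd_can_read(p)) for p in pages}
    fs.restorecon("/var/www/html/page2.html")      # the fix applied in the demo
    after = {p: (fs.type_of(p), fs.httpd_can_read(p)) for p in pages}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before restorecon:", before)
    print("after restorecon: ", after)
```

On the real system the model's restorecon step is restorecon -v /var/www/html/page2.html; coreutils mv preserves the context even when it has to copy across filesystems, which is why the moved page keeps its home-directory type. For a directory policy knows nothing about, such as the /var/web of the Apache slides, teach policy first with semanage fcontext -a -t httpd_sys_content_t '/var/web(/.*)?' and then restorecon -R /var/web; chcon changes a label too, but a later relabel reverts it to whatever file_contexts says.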
USC’s #2 department: CS
USC’s #1 department: Admissions!
Thank you
• I have enjoyed the opportunity to be the lab instructor for your class
• Applause – I applaud your effort, interest, ability
- best of luck in your academic and career futures