SELinux general information

From EnGardeWiki

Security Enhanced Linux, or SELinux, is a security system that adds Mandatory Access Control to a Linux system. Originally developed by the National Security Agency and released as an open source project, it is incorporated into EnGarde Secure Linux 3.0. This is a revolutionary advance, but is also very different from the standard Linux security model.

Contents 1 Discretionary Access Control 2 Mandatory Access Control 3 Why SELinux? 4 SELinux Resources

Discretionary Access Control

Standard Linux file permissions use the Discretionary Access Control (DAC) model. Under DAC, files are owned by a user and that user has full control over them, including the ability to grant access permissions to other users. The root account has full control over every file on the entire system. An attacker who penetrates an account can do anything with the files owned by that user. For example, an attacker who compromises a web server has full control over all files owned by the webserver account. Worse, if an application runs under the context of the root user, an attacker penetrating it now has full control over the entire system.

Mandatory Access Control

SELinux supplements Discretionary Access Control with Mandatory Access Control (MAC). Under MAC, the adminstrator writes a security policy that defines access rights for all users and applications. MAC in effect provides each application with a virtual sandbox that only allows the application to perform the tasks it is designed for and explicitly allowed in the security policy to perform. For example, the webserver process may only be able to read web published files and serve them on a specified network port. An attacker penetrating it will not be able to perform any activities not expressly permitted to the process by the security policy, even if the process is running as the root user. Files are assigned a security context that determines what specific processes can do with them, and the allowable actions are much more finely grained than the standard Unix read/write/execute controls. For example, a web served file would have a context allowing the apache process to read it but not execute or make changes to it, while the log files would be appendable but not readable or otherwise changeable by apache. Network ports are also assigned a context, which can prevent penetrated applications from using ports not permitted to them by security policy.

Standard Unix permissions are still present on the system, and will be consulted before the SELinux policy when access attempts are made. If the standard permissions would deny access, access is simply denied and SELinux is not consulted at all. If the standard file permissions would allow access, the SELinux policy is consulted and access is either allowed or denied based on the security contexts of the source process and the targeted object.

Why SELinux?

The contrast between this approach and the approach of most security products in the anti-virus and intrusion prevention and detection markets could not be more stark. Anti-virus and IDS/IPS systems based on signatures are reactive, operating only on known threats, which is why zero-day exploits are so prized by malware authors. You can compare these products to firewalls with a default "allow any" rule, and many specific "deny" rules. This is a losing battle, as the quantity of malware keeps increasing at an exponential rate and vendors and their customers fight a losing battle to keep up. Any newly discovered security flaw will have a window of vulnerability between the exploit's release and the signature being added and propagated to the end user.

SELinux, on the other hand, can be compared to a firewall with a default "deny any" rule, and a set of "allow" rules to only permit actions that are necessary for proper system operation. Malware or hack attempts that penetrate an application and attempt to escalate privileges can be stopped dead or limited to the point of near uselessness by the SELinux security policy, protecting the system regardless of whether the threat is well known or it is a brand new zero-day attack. SELinux does not need to know anything about the exploit to protect the system, it ony needs to know what proper operations should be allowed.

SELinux Resources

Full information on the use and administration of SELinux is beyond the scope of this document, but more information can be found by following the links in this section.

• NSA SELinux The NSA (National Security Agency) SELinux page. Contains a good overview of the theory of information security behind SELinux.
• NSA SELinux Mailing List The NSA mailing list for SELinux development. The bleeding edge development of SELinux happens on this list, as well as discussion of the future direction of SELinux.
• Unofficial SELinux FAQ This unofficial FAQ covers generalized SELinux information that is not specific to any one distribution. Contains more practical and less theoretical information than the official NSA SELinux FAQ.
• SELinux: NSA's Open Source Security Enhanced Linux O'Reilly publishes this SELinux book. Very good, but as with any printed material on something being developed as quickly as SELinux, a bit out of date.
• LinuxSecurity features a series of articles on SELinux using EnGarde Secure Linux as a policy development platform.
  • SELinux and Mandatory Access Control
  • SELinux and Access Decisions
  • SELinux Administration
  • SELinux Policy Development