Learning Objectives
By the end of this chapter, you should be able to:
- Understand how the Linux Security Module framework works and how it is deployed.
- List the various LSM implementations available.
- Delineate the main features of SELinux.
- Explain the different modes and policies available.
- Grasp the importance of contexts and how to get and set them.
- Know how to use the important SELinux utility programs.
- Gain some familiarity with AppArmor.
What Are Linux Security Modules?
An LSM is code compiled directly into the Linux ___ that, utilizing the LSM framework, can ___ _ ___ access to important kernel objects.
The types of objects protected ___…
- kernel
- deny a process
- include files, inodes, task structures, credentials, and interprocess communication objects
What Are Linux Security Modules?
The idea behind LSM is to implement mandatory access controls over the variety of requests made to the kernel, but to do so a way that: (3)
Minimizes changes to the kernel
Minimizes overhead on the kernel
Permits flexibility and choice between different implementations, each of which is presented as a self-contained LSM (Linux Security Module).
What Are Linux Security Modules?
The basic idea of LSM is to ___ into/between system calls; insert code whenever an application requests a transition to kernel (system) mode in order to accomplish work that requires enhanced abilities; this code makes sure permissions are valid, malicious intent is protected against, etc. It does this by invoking security-related functional steps ___ a system call is fulfilled by the kernel.
- hook
- before and/or after
Main LSM Choices
For a long time, the only enhanced security model implemented was ___. When the project was first floated upstream in 2001 to be included directly in the kernel, there were objections about using only one approach to enhanced security.
As a result, the LSM approach was adopted, where alternative modules to ___ could be used as they were developed and was incorporated into the Linux kernel in 2003.
The current LSM implementations are:
- ___
- ___
- ___
- ___
- SELinux
- SELinux
Main LSM Choices
Originally, only 1 LSM could be used at a time as they can potentially modify the same parts of the Linux kernel. However, since 2019 it has been possiable to combine (stack) LSMs in certain specified orders.
What are the avaliable current LSM implementations?
- ___
- ___
- ___
- ___
- SELinux
- AppArmor
- Smack
- Tomoyo
Main LSM Choices
LSMs are now considered as either ___ or ___ when configuring their combination.
We will concentrate primarily on SELinux and secondarily on AppArmor in order of usage volume.
- major
- minor
SELinux Overview
SELinux was originally developed by the United States ___ and has been integral to ___ disto for a very long time, which has brought it a large usage base.
- NSA (National Security Administration)
- RHEL
SELinux Overview
Operationally, SELinux is a set of security rules that are used to determine which processes can access which files, directories, ports, and other items on the system.
It works with 3 conceptual quantities, what are they?
Describe the the 3 conceptual quantities work together?
SELinux Conceptual Quantities:
- Contexts
- Contexts are labels to files, processes and ports. Examples of contexts are SELinux user, role and type.
- Rules
- Rules describe access control in terms of contexts, processes, files, ports, users, etc.
- Policies
- Policies are a set of rules that describe what system-wide access control decisions should be made by SELinux.
- A SELinux context is a name used by a rule to define how users, processes, files and ports interact with each other. As the default policy is to deny any access, rules are used to describe allowed actions on the system.
SELinux Enforcement Modes
SELinux can be run under one of three modes.
What are the 3 modes?
These modes are selected (and explained) in ___ (CentOS and openSUSE) or ___ (Ubuntu).
The ___ utility can display the current mode and policy.
SELinux Modes:
- Enforcing
- All SELinux code is operative and access is denied according to policy. All violations are audited and logged.
- Permissive
- Enables SELinux code, but only audits and warns about operations that would be denied in enforcing mode.
- Disabled
- Completely disables SELinux kernel and application code, leaving the system without any of its protections.
- /etc/sysconfig/selinux (centos/openSUSE)
- /etc/selinux/config (ubuntu)
- sestatus
LSM - SELinux utility
What 2 command do you use to set/get LSM mode to be one of the mode it supports? (modes: enforcing, permissive, disabled)
- getenforce
- setenforce
Examples:
$ getenforce
Enforcing
$ sudo setenforce Permissive
$ getenforce
Permissive
LSM - SELinux utility
___ can be used to switch between ___ and ___ modes on the fly while the system is in operation. However, changing in or out of the ___ mode cannot be done this way.
- setenforce
- enforcing
- permissive
- disabled
LSM - SELinux utility
While ___ allows you to switch between permissive and enforcing modes, it does not allow you to disable SELinux completely. There are at least 2 different ways to disable SELinux. What are they?
- ___
- ___
- setenforce
1. Configuration file- Edit the SELinux configuration file (usually /etc/selinux/config) and set SELINUX=disabled. This is the default method and should be used to permanently disable SELinux.
- Kernel parameter
- Add selinux=0 to the kernel parameter list when rebooting.
- Edit the SELinux configuration file (usually /etc/selinux/config) and set SELINUX=disabled. This is the default method and should be used to permanently disable SELinux.
Disabling SELinux
It is important to note that disabling SELinux on systems in which SELinux will be ___ is not recommended. It is preferable to use the ___ mode instead of disabling SELinux, so as to avoid relabeling the entire filesystem, which can be time-consuming.
- re-enabled
- permissive
SELinux Policies
The same configuration file that sets the mode, usually ___ , also sets the SELinux policy. Multiple policies are allowed, but only one can be ___ . Changing the policy may require a reboot of the system and a time-consuming re-labeling of filesystem contents. Each policy has files which must be installed under ___.
What are the 3 most common SELinux policies? describe them.
- /etc/sysconfig/selinux
- active at a time
- etc/selinux/[SELINUXTYPE]
- targeted
- The default policy in which SELinux is more restricted to targeted processes. User processes and init processes are not targeted, while network service processes are targeted. SELinux enforces memory restrictions for all processes, which reduces the vulnerability to buffer overflow attacks.
- minimum
- A modification of the targeted policy where only selected processes are protected.
- MLS
- The Multi-Level Security policy is much more restrictive; all processes are placed in fine-grained security domains with particular policies.
SELinux Context Utilities
As mentioned earlier, contexts (in terms of SELinux) are labels applied to ___, ___, ___, and ___. Those labels are used to describe ___ ___. There are four SELinux contexts:
- User
- Role
- Type
- Level
- files
- directories
- ports
- processes
- access rules
SELinux Context Utilities
As mentioned earlier, contexts are labels applied to files, directories, ports, and processes. Those labels are used to describe access rules. There are four SELinux attributes that apply to a context what are they?
- ___
- ___
- ___
- ___
- User
- Role
- Type
- Level.
Context Utilities
However, we will focus on type context attribute, which is the most ___ utilized context attribute. The label naming convention determines that type context labels should end with ___, as in ___.
- commonly
- _t
- kernel_t
Context Utilities
What is the command to see the context of a
- file/directory
- process
- port
- Use the -Z option to see the context with
- ls -Z
- ps -Z
Examples:
View file/directory context attributes:
- $ ls -Z
View process context attributes:
- $ ps auZ
LSM Context Utilities
What is the command to change the context attibute of a file/directory, process, port?
- chcon
Examples:
$ ls -Z
-rw-rw-r–. dog dog unconfined_u:object_r:user_home_t:s0 somefile
$ chcon -t etc_t somefile
$ ls -Z
-rw-rw-r–. dog dog unconfined_u:object_r:etc_t:s0 somefile
$ ls -Z
- rw-rw-r–. dog dog unconfined_u:object_r:etc_t:s0 somefile
- rw-rw-r–. dog dog unconfined_u:object_r:user_home_t:s0 somefile1
$ chcon –reference somefile somefile1
$ ls -Z
- rw-rw-r–. dog dog unconfined_u:object_r:etc_t:s0 somefile
- rw-rw-r–. dog dog unconfined_u:object_r:etc_t:s0 somefile1
SELinux and Standard Commands
Many standard command line commands, such as ls and ps, were extended to support SELinux, and corresponding sections were added to their man pages explaining the details. Often the parameter Z is passed to standard command line tools, as in:
Other tools that were extended to support SELinux include ___, ___, and ___.
!!Note that if you have disabled SELinux, no useful information is displayed in the related fields from these utilities.
- cp
- mv
- mkdir
LSM Context
When viewing the context attributes of this file what are the context attributes displayed?
- ___
- ___
- ___
- ___
ls -Z
-rw-rw-r–. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile
- User
- Role
- Type
- Level
SELinux Context Inheritance
Newly created files inherit the context from their parent directory, but when ___ files, it is the context of the source directory which may be preserved, which can cause problems.
Continuing the previous example, we see the context of tmpfile was not changed by moving the file from /tmp to /home/jimih:
$ cd /tmp/
$ touch tmpfile
$ ls -Z tmpfile
-rw-rw-r–. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile
$ cd
$ touch homefile
$ ls -Z homefile
-rw-rw-r–. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile
$ mv /tmp/tmpfile.
$ ls -Z
- rw-rw-r–. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile
- rw-rw-r–. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile
The classical example in which moving files creates a SELinux issue is moving files to the DocumentRoot directory of the httpd server. On SELinux-enabled systems, the web server can only access files with the correct context labels. Creating a file in /tmp, and then moving it to the DocumentRoot directory, will make the file unaccessible to the httpd server until the SELinux context of the file is adjusted.
- moving
SELinux Restoring Context
___ resets file contexts, based on parent ___ settings. In the following example, ___ resets the default label recursively for all files at the home directory:
$ ls -Z
- rw-rw-r–. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile
- rw-rw-r–. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile
$ ___ -Rv /home/jimih
___ reset /home/jimih/tmpfile context \
unconfined_u:object_r:user_tmp_t:s0 >unconfined_u:object_r:user_home_t:s0
$ ls -Z
- rw-rw-r–. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile
- rw-rw-r–. jimih jimih unconfined_u:object_r:user_home_t:s0 tmpfile
Note that the context for tmpfile has been reset to the default context for files created at the home directory. The type was changed from user_tmp_t to user_home_t.
- restorecon
- directory
- restorecon
- restorecon
-
30 - User Accounts60
-
31. Group Management11
-
32. File Permissions and Ownership19
-
33. Pluggable Authentication Modules (PAM)3
-
34. Network Addresses15
-
35. Network Devices And Configuration54
-
36. Firewalls53
-
37. System Startup And Shutdown13
-
38. GRUB12
-
39. SYSTEM INIT: SYSTEMD, SYSTEMV AND UPSTART22
-
40. BACKUP AND RECOVERY METHODS58
-
41. Linux Security Modules46
-
42. Local System Security15
-
43. Basic Troubleshooting9
-
44. System Rescue9
-
man man12
