Understanding SELinux, Part 1

Understanding MAC

Mandatory Access Control (MAC) ensures that the security policy of an organisation is adhered to. The various ‘actors’ in any security policy can broadly be classified as:

  • Subjects
  • Objects

Subjects perform certain operations on objects and the security policy specifies which of these operations are allowed or disallowed through Mandatory Access Control. In an operating system:

  • Subjects are typically processes or threads.
  • Objects are typically files, directories, TCP/UDP ports, shared memory segments, network interfaces, etc.

When an application process or thread tries to access objects that are disallowed in the security policy, an ACCESS DENIAL occurs, thus providing a layer of security between applications. Each application can be understood to be running in its domain, and subjects can typically access objects or perform operations within this domain, thereby confining the application within the boundaries of its ‘domain’.

A new process/thread, on execution, might create its own domain through something referred to as domain transition. We will come to this in a later part of this series.

To identify subjects and objects and to determine what access is allowed to whom, SELinux implements a MAC mechanism called Type Enforcement. This enables granular control over access across the operating system.

Type Enforcement and Security Contexts

Under Type Enforcement, certain attributes are applied to all objects and subjects. These attributes are termed Security Contexts. Each process and file/directory/port on the system is assigned a Security Context, based on which the Type Enforcement policy allows or disallows access.

Security Contexts are stored in Extended Attributes (xattrs) on an ext2/ext3 filesystem. A typical SELinux security context is of the form: User Identity:Role:Type/Domain.

In multi-layer security and multi-category systems, two more attributes—sensitivity and category—are added. We will come to these later in the series.
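A parser for the context format described above, as an added example that is not part of the original article. The sample contexts are constructed; the function names are hypothetical. It handles the optional sensitivity and category fields, which may themselves contain colons.

```python
from typing import NamedTuple, Optional

class SecurityContext(NamedTuple):
    user: str
    role: str
    type: str                     # the Type/Domain field used by Type Enforcement
    level: Optional[str] = None   # sensitivity[:category], only on MLS/MCS systems

def parse_context(raw: str) -> SecurityContext:
    """Parse 'user:role:type[:level]' as printed by `ls -Z` or `ps -Z`."""
    # A value read raw from the security.selinux xattr may end in a NUL byte.
    text = raw.rstrip("\x00").strip()
    # Split at most 3 times: the level may contain ':' (e.g. s0-s0:c0.c1023).
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {raw!r}")
    level = parts[3] if len(parts) == 4 and parts[3] else None
    return SecurityContext(parts[0], parts[1], parts[2], level)

def split_level(level: str):
    """Return [(sensitivity, categories)] for a level, or low and high of a range."""
    bounds = []
    for bound in level.split("-", 1):
        sensitivity, _, categories = bound.partition(":")
        bounds.append((sensitivity, categories or None))
    return bounds

if __name__ == "__main__":
    # Constructed sample contexts, not taken from a real system.
    for sample in ("system_u:object_r:httpd_sys_content_t:s0",
                   "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
                   "root:object_r:etc_t"):
        ctx = parse_context(sample)
        print(ctx.type, split_level(ctx.level) if ctx.level else "no MLS fields")
```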

Roles and users in the security context are present to support RBAC (Role-Based Access Control) features in SELinux. RBAC is used to enable user privileges within the SELinux system. This too will be discussed later.

In this introductory article, our focus will be on SELinux Type Enforcement to give you a feel of SELinux, and thus we will primarily highlight the third attribute of the Security Context—Type/Domain.

Introduction to SELinux policies

The SELinux Type Enforcement Policy is based on rules that apply to Security Contexts. Processes running with a certain Security Context are either allowed or disallowed to perform operations (access permissions—read/write/getattribute/setattribute, etc) on objects with certain Security Contexts.

The complete set of these rules is called an SELinux policy. Red Hat Enterprise Linux comes with two standard policies—Targeted and Strict. To briefly summarise the above:

  • All processes (subjects), files, TCP/UDP ports, etc, (objects) are assigned a security context.
  • Rules are created that allow/disallow access type (read/write, etc) by subjects to objects based on Security Contexts of the subject and that of the object.
  • The set of these rules creates a policy. Currently, we are discussing Type Enforcement Policies.
  • This policy is applied mandatorily to the system and cannot be overridden by users or even system administrators.
  • Mandatory Access Control through Type Enforcement Policies gives SELinux fine-grained control over the operating system and any applications that might be running on top of it—adding an extra defence layer.
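The summary above, as a small Type Enforcement decision function. This is an added example, not code from the article or from SELinux itself. The allow rules and contexts are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample rules in SELinux policy-language syntax (assumption: not
# copied from the page or from any shipped policy; real policies also use
# attributes and macros, which this sketch ignores).
SAMPLE_RULES = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append getattr };
allow httpd_t http_port_t:tcp_socket name_bind;
"""

RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def load_rules(text):
    """Return {(source_type, target_type, object_class): {permissions}}."""
    table = {}
    for src, tgt, cls, braced, single in RULE_RE.findall(text):
        table.setdefault((src, tgt, cls), set()).update((braced or single).split())
    return table

def type_of(context):
    """Type Enforcement matches on the third field of user:role:type[:level]."""
    return context.split(":")[2]

def is_allowed(table, subject_ctx, object_ctx, obj_class, perm):
    """Default deny: access is granted only when an allow rule names it."""
    key = (type_of(subject_ctx), type_of(object_ctx), obj_class)
    return perm in table.get(key, set())

if __name__ == "__main__":
    policy = load_rules(SAMPLE_RULES)
    web = "system_u:system_r:httpd_t:s0"
    checks = [
        (web, "system_u:object_r:httpd_sys_content_t:s0", "file", "read"),
        (web, "system_u:object_r:httpd_sys_content_t:s0", "file", "write"),
        (web, "system_u:object_r:shadow_t:s0", "file", "read"),
        # Different user field, same type: the TE decision does not change.
        ("root:system_r:httpd_t:s0", "system_u:object_r:shadow_t:s0", "file", "read"),
    ]
    for subj, obj, cls, perm in checks:
        verdict = "allowed" if is_allowed(policy, subj, obj, cls, perm) else "DENIED"
        print(f"{type_of(subj)} -> {type_of(obj)}:{cls} {perm}: {verdict}")
```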


2 Comments

  1. shekhar sharma says:

    It's amazing, thanks for providing such information...

  2. Pawan says:

    Hi Sir,

    Thanks for such a great article,

    just to add on

    SELinux could also be enabled using the file in /etc/selinux/config; the content of the file looks similar to /etc/sysconfig/selinux

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    #SELINUX=enforcing
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    # targeted - Targeted processes are protected,
    # minimum - Modification of targeted policy. Only selected processes are protected.
    # mls - Multi Level Security protection.
    SELINUXTYPE=targeted

    However, enabling SELinux using this needs a reload of the kernel and would not take effect until a reboot (corrections are welcome).

    We could enable SELinux on the fly by amending files in its /proc-like system. It may vary from distribution to distribution; the best way to find it:

    [pawan@localhost PAWAN]$ sestatus
    SELinux status: enabled

    *** SELinuxfs mount: /sys/fs/selinux ****

    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: enforcing
    Mode from config file: disabled
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Max kernel policy version: 28

    The one highlighted with **** is the area of interest

    if you do a

    [pawan@localhost PAWAN]$ ll /sys/fs/selinux

    -rw-r--r--. 1 root root 0 Oct 1 09:59 enforce
    --w-------. 1 root root 0 Oct 1 09:59 disable

    You will see a lot of files and dirs; my area of interest is the enforce file

    just do

    [pawan@localhost PAWAN]$ echo 1 | sudo tee /sys/fs/selinux/enforce

    you need to be root or need to elevate your privileges

    You are done; it will do the trick. SELinux is enabled in enforcing mode.
