SELinux Concepts

by Mike on November 7, 2008

in Server Security

As security issues continue to rise, new strategies for security are imperative. This is most often true with servers and networked computers because of the implications of down servers and non-functioning workstations. SELinux, or Security Enhanced Linux, was developed by the US National Security Agency to address the increased need for security on servers and for managing the daemons that run on them. SELinux integrates its security architecture into the kernel using the Linux Security Modules (LSM) framework.

When a multi-user system exists, the environment must determine the exact rights of each account on the system, and it must also protect the integrity of the system. This process is called access control. The basic Linux system uses discretionary access control, or DAC. In this system each file, directory, program, etc. is labeled to indicate which users and groups have specific read/write/execute rights to that object. This method has worked well for a long time. User discretion is the basic aspect of this control mechanism: in a discretionary mechanism programs run with the rights of the user who is operating the program, and this protects the rest of the system. However, some programs run setuid root, giving root rights to all users who run the program. Of course there are huge dangers if such a program has a flaw in its code, because an attacker who exploits it gains root rights and can target the whole system. For example, if an attacker gained root access through BIND they may gain root access to the entire system.

In order to deal with the problems of discretionary access control, an alternative was developed called mandatory access control, or MAC. With this method users no longer control access; instead, access is controlled by security policies. Security policies define the rights of specific users and programs within the system. MAC bases the security of objects not only on user rights but also on any other information that may affect the security of the system as a whole. MAC follows the principle of least privilege, which allows programs only the very minimum they need to function. The result of this type of system is that, since an all-powerful root superuser is not relied on, a compromise does not provide access to the whole system. The problem with these types of systems is that they are difficult to manage, and their main application has been military systems.

The third type of system that is available is a MAC/DAC combination, which provides some of the features of each. One modified version of MAC exists in AppArmor, which is used by Ubuntu and SUSE. AppArmor supplements discretionary access control with MAC options.

AppArmor attempts to protect processes on the server or desktop from security threats. AppArmor enforces limits on what processes can access on the system, restricting each process to only those resources it requires to function. AppArmor not only defines the system resources a program can access, it also determines the privileges with which the program can access those resources. To protect applications you will need to set up a security profile for each application that you want to protect.

When you have many software applications on a system you run the risk of hosting software flaws that you are not aware of. These software flaws provide avenues for attackers to compromise your system. Exploits that are used to crack a system on the same day the flaw is discovered are called zero-day exploits. AppArmor provides protection against these kinds of attacks by protecting against both known and unknown vulnerabilities.

The choice for CentOS is SELinux, Security Enhanced Linux. SELinux is an open source project sponsored by the National Security Agency, and its focus is to implement mandatory access control. SELinux provides security at the kernel level, which gives a security system at a fundamental level that is not as affected by the security settings of individual programs. In effect, SELinux isolates each program from the system: the program still functions with the system but is, in a security sense, independent of it. In other words, if a program is compromised it does not offer more access to the system; rather, it offers less. An added benefit of this isolation is that it protects data from being shared incorrectly, by removing the discretion of the user. The image below illustrates this concept. Daemons and their support programs are placed in domains, or jails. These jails prevent access to other parts of the operating system. DNS (BIND) is separated from the rights of Apache, so that if one is compromised the entire system is not compromised.

SELinux uses two components: the security policy enforced within the kernel and a user-space component for dealing with role changes, policy development, and so on. These two components work with two security mechanisms. The first is type enforcement, which isolates processes (the running programs) from one another. In this way one program cannot access the domain of another program. In the example, DNS and Apache are in separate domains. They work together to provide a server interface for users, but they are in separate domains that do not allow access to each other. This isolation provides integrity for the system. The other mechanism is role-based access control. Under this system, rights to objects are not determined by rules for that object alone but rather by roles, which determine which domains can be used. There are two typical roles:

user_r
sysadm_r

These roles are assigned to objects and users are assigned to roles. This information is kept in a security context for each object.
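To make the two mechanisms concrete, here is an added example (not from the original post, and not SELinux's own code) that models type enforcement and role-based access control over security context labels of the form user:role:type:level. The policy text is constructed in the style of SELinux policy language; the type names httpd_t, httpd_sys_content_t, named_t and named_zone_t are assumed illustrative labels, while user_r and sysadm_r come from the text and system_r/object_r are the usual daemon and object roles.

```python
import re
from dataclasses import dataclass

# Constructed policy in SELinux policy-language style; the type names are
# illustrative placeholders, not a real distribution policy.
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr };
allow named_t named_zone_t:file { read write };
role system_r types { httpd_t named_t };
role user_r types user_t;
role sysadm_r types sysadm_t;
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([\w\s]+?)\s*\}?;")
ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+\{?\s*([\w\s]+?)\s*\}?;")


@dataclass(frozen=True)
class Context:
    """A security context as printed by `ls -Z` / `ps -Z`: user:role:type:level."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, label):
        # Split at most three times so an MLS range like s0-s0:c0.c1023 stays whole.
        return cls(*label.split(":", 3))


def load_policy(text):
    """Return (allow rules keyed by (source, target, class), role -> allowed types)."""
    allow, roles = {}, {}
    for src, tgt, klass, perms in ALLOW_RE.findall(text):
        allow.setdefault((src, tgt, klass), set()).update(perms.split())
    for role, types in ROLE_RE.findall(text):
        roles.setdefault(role, set()).update(types.split())
    return allow, roles


def role_allowed(roles, ctx):
    """RBAC: a role may only be used with the domains (types) the policy ties to it."""
    return ctx.type in roles.get(ctx.role, set())


def te_allowed(allow, subject, obj, klass, perm):
    """Type enforcement: deny unless an allow rule grants perm from domain to type."""
    return perm in allow.get((subject.type, obj.type, klass), set())


def check_access(policy, subject, obj, klass, perm):
    """Both mechanisms must agree; the default, with no matching rule, is deny."""
    allow, roles = policy
    return role_allowed(roles, subject) and te_allowed(allow, subject, obj, klass, perm)
```

With this policy the httpd_t domain can read its own content but not a named_zone_t file, which is the DNS/Apache separation described above, and a user_r subject cannot run in the sysadm_t domain at all.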

SELinux has become more important in CentOS 5 as it now manages 88 domains versus 14 domains in CentOS 4.
