3 Common Access Control Models:
1. Discretionary Access Control (DAC)
- prone to malware/malicious
- setuid/setgid(cdrecord) files are vulnerable
- Access to objects(files) are based solely user identity(uid/gid)
- Access is course, NOT fine/granular
- default policy is liberal
- Admin/Non-Admin - 2 user privileges
- prone to malware/malicious
- setuid/setgid(cdrecord) files are vulnerable
- Access to objects(files) are based solely user identity(uid/gid)
- Access is course, NOT fine/granular
- default policy is liberal
- Admin/Non-Admin - 2 user privileges
2. Mandatory Access Control (MAC) - SELinux
- More systems administration/expertise is required
- objects the system are abstracted into 2 classes
1. Subjects - user, processes
2. Objects - files(text/binary/sockets/named_pipes)
- offers more granular/fine coory ntrol of security
- The ability to restrict at a lower-level access to objects
- More systems administration/expertise is required
- objects the system are abstracted into 2 classes
1. Subjects - user, processes
2. Objects - files(text/binary/sockets/named_pipes)
- offers more granular/fine coory ntrol of security
- The ability to restrict at a lower-level access to objects
3. Non-Discretionary Access Control (nDAC)
- Administrator defines the DAC controls for the entire system
- Administrator defines the DAC controls for the entire system
2. Mandatory Access Control (MAC) - SELinux
- More systems administration/expertise is required
- objects the system are abstracted into 2 classes
1. Subjects - user, processes
2. Objects - files(text/binary/sockets/named_pipes)
- offers more granular/fine coory ntrol of security
- The ability to restrict at a lower-level access to objects
- SELinux is compiled into the kernel and supported via LSMs
- SELinux(MAC-based system) requires labeling of objects/subjects
- Ideal for Internet-facing systems - httpd,named,mysqld,etc.
- MAC-based checks occurr AFTER DAC-based checks
- SELinux denies interaction between Subjects & Objects by default
- Type Enforcement (TE) - tie subject(process) to objects
- TE allows the creation of Domains - assigning subjects to groups
- HTTPD (httpd,htpasswd,htdigest) -> httpd_r = Domain
- More systems administration/expertise is required
- objects the system are abstracted into 2 classes
1. Subjects - user, processes
2. Objects - files(text/binary/sockets/named_pipes)
- offers more granular/fine coory ntrol of security
- The ability to restrict at a lower-level access to objects
- SELinux is compiled into the kernel and supported via LSMs
- SELinux(MAC-based system) requires labeling of objects/subjects
- Ideal for Internet-facing systems - httpd,named,mysqld,etc.
- MAC-based checks occurr AFTER DAC-based checks
- SELinux denies interaction between Subjects & Objects by default
- Type Enforcement (TE) - tie subject(process) to objects
- TE allows the creation of Domains - assigning subjects to groups
- HTTPD (httpd,htpasswd,htdigest) -> httpd_r = Domain
SELinux functions in 3 Modes
1. Enforcing - policy(targeted) is applied
2. Permissive - policy(targeted) is applied, but simply logged
3. Disabled - policy(targeted)/SELinux is DISABLED
1. Enforcing - policy(targeted) is applied
2. Permissive - policy(targeted) is applied, but simply logged
3. Disabled - policy(targeted)/SELinux is DISABLED
How to enable SELinux @ Runtime
1. execute system-config-securitylevel
2. modify /etc/grub.conf - selinux=0(disabled) or selinux=1(enabled)
1. execute system-config-securitylevel
2. modify /etc/grub.conf - selinux=0(disabled) or selinux=1(enabled)
Changing SELinux Mode @ Runtime in Real-Time
echo 1 > /selinux/enforce
echo 1 > /selinux/enforce
Permissive Mode Notes:
1. Programs will still run as expected
2. Violations to the security policy will appear in /var/log/messages
3. Policy version 18 loads RedHat Enterprise Linux version 4
1. Programs will still run as expected
2. Violations to the security policy will appear in /var/log/messages
3. Policy version 18 loads RedHat Enterprise Linux version 4
INIT - SELinux Invocation:
1. BIOS
2. Boot Loader (GRUB)
3. Kernel
4. init - first process loaded your Linux system
a. check /proc/filesystems - selinuxfs is present
b. enforcing=1 or enforcing=0 is passed into the kernel command-line
c. /etc/selinux/config - parses file for mode and policy
d. loads SELinux environment, which includes mounting /selinux
e. init - reloads itself into the 'unconfined_t' domain
1. BIOS
2. Boot Loader (GRUB)
3. Kernel
4. init - first process loaded your Linux system
a. check /proc/filesystems - selinuxfs is present
b. enforcing=1 or enforcing=0 is passed into the kernel command-line
c. /etc/selinux/config - parses file for mode and policy
d. loads SELinux environment, which includes mounting /selinux
e. init - reloads itself into the 'unconfined_t' domain
Labeling of Objects to support Type Enforcement(TE)
1. ALL objects(files) MUST be properly labeled
2. Files that are improperly labeled will NOT be protected
3. Tuples/labels = Security Context = user:role:type
4. Type applied to subject(httpd) = DOMAIN
5. Type applied to object(install.log) = TYPE
1. ALL objects(files) MUST be properly labeled
2. Files that are improperly labeled will NOT be protected
3. Tuples/labels = Security Context = user:role:type
4. Type applied to subject(httpd) = DOMAIN
5. Type applied to object(install.log) = TYPE
2 Ways to relable filesystem
1. Suggested way:
a. touch /.autorelabel && reboot - happens prior to program launch
b. fixfiles -l fixedfiles.log relabel
c. fixfiles -R package_name restore
/root testing_SELINUX_DISABLED
/home/linuxcbt testing_DISABLED_SELINUX
1. Suggested way:
a. touch /.autorelabel && reboot - happens prior to program launch
b. fixfiles -l fixedfiles.log relabel
c. fixfiles -R package_name restore
/root testing_SELINUX_DISABLED
/home/linuxcbt testing_DISABLED_SELINUX
How to correctly label files under ~/public_html?
1. ensure that Apache is configured to serve userdirs
2. ensure proper DAC permissions for user's home directory chmod a+x ~
3. ensure proper lablel: chcon -R -t httpd_user_content_t public_html
4. echo 1 > /selinux/enforce
1. ensure that Apache is configured to serve userdirs
2. ensure proper DAC permissions for user's home directory chmod a+x ~
3. ensure proper lablel: chcon -R -t httpd_user_content_t public_html
4. echo 1 > /selinux/enforce
Security Checks Order
1. DAC-checks occur first and if denied obviates need for MAC-checks
2. MAC-checks
1. DAC-checks occur first and if denied obviates need for MAC-checks
2. MAC-checks
How to correctly restore policy-based security labels/context?
1. /sbin/restorecon -Rv - restore recursively
2. /sbin/restorecon -nv - display changes that would be applied
1. /sbin/restorecon -Rv - restore recursively
2. /sbin/restorecon -nv - display changes that would be applied
Common Utilities:
1. ps -Z - reveals the various sandboxes/domains (subjects)
2. ls -Z - reveals security context of files/directories(objects)
3. cp -Z - new file with NEW security context(Type) is created
4. mv -Z - preserves SELinux security tuple/context/label
5. id -Z - reveals current security context of user (tuple)
1. ps -Z - reveals the various sandboxes/domains (subjects)
2. ls -Z - reveals security context of files/directories(objects)
3. cp -Z - new file with NEW security context(Type) is created
4. mv -Z - preserves SELinux security tuple/context/label
5. id -Z - reveals current security context of user (tuple)
Targeted Policy (each daemon is sandboxed):
1. Protect vulnerable/highly-utilized daemons/services
List of protected daemons
1. dhcpd - assigns IP information automatically
2. httpd - web server - httpd_t
3. mysqld - DBMS server
4. named (BIND) - DNS
5. nscd
6. ntpd
7. portmap
8. postgres - DBMS server
9. snmpd - SNMP - _t
10. squid - squid_t
11. syslogd - syslogd_t
12. winbind - winbind_t
1. Protect vulnerable/highly-utilized daemons/services
List of protected daemons
1. dhcpd - assigns IP information automatically
2. httpd - web server - httpd_t
3. mysqld - DBMS server
4. named (BIND) - DNS
5. nscd
6. ntpd
7. portmap
8. postgres - DBMS server
9. snmpd - SNMP - _t
10. squid - squid_t
11. syslogd - syslogd_t
12. winbind - winbind_t
Every Other program/daemon/process/subject
13. unconfined_t
13. unconfined_t
How to disable protection of currently-protected targeted daemon?
1. httpd_disable_trans - echo "1 1" > /selinux/booleans/httpd_disable_trans
2. echo "1" > /selinux/commit_pending_bools
3. restart httpd - /sbin/service httpd restart
1. httpd_disable_trans - echo "1 1" > /selinux/booleans/httpd_disable_trans
2. echo "1" > /selinux/commit_pending_bools
3. restart httpd - /sbin/service httpd restart
What constitutes a security context or tuple?
1:2:3 - example of Security Context tuple
id:first_name:last_name
1:2:3 - example of Security Context tuple
id:first_name:last_name
Field/Degree #1 - User Label:
Non-privileged User: user_u
privileged User (root): root
Non-privileged User: user_u
privileged User (root): root
Field/Degree #2 - RBAC Role-Based Access Control
Non-privileged Users: system_r
privileged User (root): system_r
Non-privileged Users: system_r
privileged User (root): system_r
Field/Degree #3 - Type(Objects(files))/Domain(Subjects(programs/users))
Privileged/Non-privileged Users: unconfined_t
Processes i.e. (httpd): httpd_t, dhcpd_t
Privileged/Non-privileged Users: unconfined_t
Processes i.e. (httpd): httpd_t, dhcpd_t
The need to install Source Policy:
1. In order to make policy-related changes
2. In order to learn more about the targeted policy
3. You may need to define a policy for a new program
Note: SELinux processes existing policy based binary format in memory.
1. In order to make policy-related changes
2. In order to learn more about the targeted policy
3. You may need to define a policy for a new program
Note: SELinux processes existing policy based binary format in memory.
File_Contexts - within the targeted binary policy
regexp [ -type ] ( context | <<none>> )
/home -d system_u:object_r:home_root_t
regexp [ -type ] ( context | <<none>> )
/home -d system_u:object_r:home_root_t
Note: types such as var_t, httpd_t tend to be implemented with slight variation: i.e.
var_yp_t, httpd_exec_t
var_yp_t, httpd_exec_t
Key Startup Utility for SELinux-Protected daemons - /usr/sbin/run_init
1. run_init ensures protected daemon isolation
2. /usr/sbin/run_init /etc/init.d/httpd start
1. run_init ensures protected daemon isolation
2. /usr/sbin/run_init /etc/init.d/httpd start
How the 'file_contexts' file gets generated?
1. /etc/selinux/targeted/contexts/files/file_contexts
2. file_contexts refer to the security context/tuple applied to files(objects)
3. .fc = file context
4. .te = type enforcement
5. ly .fc files with corresponding .te files are enforced
6. /etc/selinux/targeted/src/policy/domains - houses TE files that correspond to FC(.fc) files
i.e Apache ScriptAlias /var/www/cgi-bin
1. /etc/selinux/targeted/contexts/files/file_contexts
2. file_contexts refer to the security context/tuple applied to files(objects)
3. .fc = file context
4. .te = type enforcement
5. ly .fc files with corresponding .te files are enforced
6. /etc/selinux/targeted/src/policy/domains - houses TE files that correspond to FC(.fc) files
i.e Apache ScriptAlias /var/www/cgi-bin
Focus TE files which relate to FC files
1. /etc/selinux/targeted/src/policy/domains
2. TE files enforce type.
a. Describe what domains are able to do
b. including types that domains are able to access
c. system-related calls (link,unlink,read,write,tcp_open,udp_open,etc.)
3. Apache is likely to need to be able to do the following:
a. read files (config files, content files, log files)
b. bind to network ports (TCP:80, TCP:443)
c. write to files (log files)
d. execute scripts
4. TE Files enable actions objects
1. /etc/selinux/targeted/src/policy/domains
2. TE files enforce type.
a. Describe what domains are able to do
b. including types that domains are able to access
c. system-related calls (link,unlink,read,write,tcp_open,udp_open,etc.)
3. Apache is likely to need to be able to do the following:
a. read files (config files, content files, log files)
b. bind to network ports (TCP:80, TCP:443)
c. write to files (log files)
d. execute scripts
4. TE Files enable actions objects
Syntax for allowing subject-to-object access is as follows:
allow|neverallow subject object object_class { permissions }
allow httpd_suexec_t self:capability { setuid setgid };
allow|neverallow subject object object_class { permissions }
allow httpd_suexec_t self:capability { setuid setgid };
Backup of SELinux-protected(labeled) files
Note: install star utility
1. use star utility
a. star -xattr -H=exustar -c -f tempselinux2.star tempselinux2/
2. use star utility to extract/preserve SELinux security context
a. star -xattr -x -f tempselinux2.star
3. optionally, backup without SELinux-context and rely upon SELinux to reinstate the security context for all files using: 'fixfiles'
or optionally using 'touch /.autorelablel && reboot'
Note: install star utility
1. use star utility
a. star -xattr -H=exustar -c -f tempselinux2.star tempselinux2/
2. use star utility to extract/preserve SELinux security context
a. star -xattr -x -f tempselinux2.star
3. optionally, backup without SELinux-context and rely upon SELinux to reinstate the security context for all files using: 'fixfiles'
or optionally using 'touch /.autorelablel && reboot'
What to look for in log files related to denies/permission problems?
allow|neverallow subject object object_class { permissions }
allow httpd_suexec_t self:capability { setuid setgid };
1. /var/log/messages is the default AUDIT Log file
2. stores messages related to avc
allow|neverallow subject object object_class { permissions }
allow httpd_suexec_t self:capability { setuid setgid };
1. /var/log/messages is the default AUDIT Log file
2. stores messages related to avc
You are likely to see in /var/log/messages the following events:
1. AV allocating resources for logging
2. policy reloads
3. filesystem has been relabeled
1. AV allocating resources for logging
2. policy reloads
3. filesystem has been relabeled
avc: denied {getattr link unlink read write} for pid 3742 exe=/usr/sbin/httpd path=/home/linuxcbt2/public_html scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Enabling Auditing - extends SELinux logging
1. Modify /etc/grub.conf
2. reboot
3. confirm that auditing is enabled
4. peruse /var/log/messages for audit instances
5. break security labels to witness audit trails
Auditing increases verbosity.
1. Modify /etc/grub.conf
2. reboot
3. confirm that auditing is enabled
4. peruse /var/log/messages for audit instances
5. break security labels to witness audit trails
Auditing increases verbosity.
SELinux Management Tools:
1. Shell-based - seinfo, avcstat, sesearch
2. GUI-based - apol, seaudit
Install setools*
1. Shell-based - seinfo, avcstat, sesearch
2. GUI-based - apol, seaudit
Install setools*
seaudit
1. seaudit -l /var/log/firewall.log -p /etc/selinux/targeted/policy/policy.18
1. seaudit -l /var/log/firewall.log -p /etc/selinux/targeted/policy/policy.18
转载于:https://blog.51cto.com/rhcss/140618
201
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
