Download - SELinux - Apistek · 2020. 8. 14. · Title: SELinux 王禹軒 Author: 侯佳岑 Created Date: 8/13/2020 5:54:15 PM
-
SELinux
王禹軒
-
Copyright 2017 ITRI 工業技術研究院
How do we make things secure?
Laws/rules + enforcement power
(control capability)
Border defence
Police
National defence capability
Every citizen a soldier
Defence in depth
-
How do we make things secure?
https://newtalk.tw/news/view/2020-04-17/392965
https://www.rfi.fr/tw/%E7%94%9F%E6%85%8B/20200304-%E8%8B%B1%E5%9C%8B%E6%88%96%E6%9C%80%E5%A4%9A%E6%9C%83%E6%9C%8950%E8%90%AC%E4%BA%BA%E6%AD%BB%E6%96%BC%E6%96%B0%E5%86%A0%E7%97%85%E6%AF%92%E8%82%BA%E7%82%8E
https://calcloud.nmns.edu.tw/cp-6-267276-1.html
-
• Cutting the network off from the outside world (X)
• Firewall
• Antivirus software
• Control capability = access control
• Lay down laws and rules -> open to inspection and public review
• The system (government + people) complies with and enforces them strictly and faithfully
Next line of defence?
(Diagram: national security on the left, information security defence capability on the right, both facing an attack)
  Border defence             <->  Firewall
  Police                     <->  Antivirus software
  Every citizen a soldier    <->  Next line of defence?
  Laws/rules + enforcement power  (control capability = access control)
-
(Same slide as above, with the answer revealed: the next line of defence is SELinux.)
-
• Access control (laws/rules)
• SMACK
• AppArmor
• SELinux
▪ File
▪ Filesystem
▪ Service
▪ Process
Competing technologies, for reference
(Axis: strict, complete control / defence in depth / infosec defence capability  <->  easy to use)

NAME                                  SELinux                    Smack     AppArmor
Granularity (LSM hook points)         176                        114       62
Separation of policy and mechanism    Yes                        Partial   Yes
Whitelisting                          Yes                        Yes       No
Extended attribute                    Yes                        Yes       No
Used on                               Red Hat, Military, Android AGL       Ubuntu, openSUSE
-
SELinux Concept
● Mandatory Access Control
https://securitychecksmatter.blogspot.com/p/security-poster-library.html
-
SELinux Concept
(Diagram: a process carrying a subject label requests access to a resource carrying an object label)
● Mandatory Access Control
● Label Format :
○ Filesystem with extended attribute
○ User:Role:Type:Range
(Diagram: the file's inode carries extra metadata in extended attributes, e.g. security.selinux = "Label", security.capability = ...)
-
SELinux Concept
(Same diagram as above)
● Mandatory Access Control
● Label Format :
○ Filesystem with extended attribute
○ User:Role:Type:Range
● Different MAC model support :
○ Type Enforcement, MCS, MLS, RBAC
-
Type enforcement (1/2)
Reference : https://opensource.com/business/13/11/selinux-policy-guide
-
Type enforcement (2/2)
-
MCS (1/2)
-
MCS (2/2)
-
MLS (1/2)
-
MLS (2/2)
-
SELinux Concept
(Diagram: a process carrying a subject label requests access to a resource carrying an object label)
● Assumption: Trusted Subject
○ Trusted subjects are applications that support specific SELinux functionality to enforce the security policy (e.g. the kernel, init, pam and login)
-
How Do Trusted Subjects Cooperate?
-
LSM Hook & Audit System
● Turn on the kernel config options for:
○ Audit system
○ Filesystem extended attribute support
○ Socket and network security hook support
○ SELinux
-
LSM Hook & Audit System
(Diagram: the path of a file-open request through the kernel)
Userspace: a process asks to open a file
Kernel: System Call Interface -> entry point: open file
  -> LSM hook point: selinux_file_open
  -> Security Server with the central policy: authorize the request? Yes/No
  -> Enforcing or not?
  -> Audit log or not?
  -> Do open file
-
SELinux-aware Application
-
SELinux-aware
1. Unaware (e.g. rm)
2. Aware, but not necessary (e.g. ls, ps)
3. Accesses securityfs without checking a special class (e.g. getenforce)
4. In addition to accessing securityfs, checks the permissions in the special classes below (e.g. systemd, init, setenforce)
a. File, Socket, Database, Filesystem classes
i. relabelto
ii. relabelfrom
b. Process class
i. dyntransition
ii. setexec
iii. setfscreate
iv. setkeycreate
v. setsockcreate
c. Security class
d. Kernel service class
(Diagram axis: Program Behavior <-> SELinux)
-
Example : SELinux Mode
● sestatus or getenforce
○ Enforcing, Permissive, Disabled
● Permissive != Disabled
-
SELinux Label
● Get file label : ls -Z or getfilecon
● Get process label : ps -Z or getpidcon

User   user_u   root       system_u             unconfined_u
Role   user_r   sysadm_r   system_r, object_r   unconfined_r
Type   user_t   sysadm_t   …                    unconfined_t
-
SELinux Label
● Set existing object label : fixfiles, setfiles, setfilecon
● file_contexts
File contexts from the Reference Policy : https://github.com/SELinuxProject/refpolicy
-
SELinux Label
(Diagram: a user_t process creates the file "test" in /etc, which is labelled etc_t; the new file receives test_t)
● Set new object label: Object Label Transition
○ type_transition user_t etc_t:file test_t;
-
SELinux Label
● Set process label: Domain Transition
○ type_transition init_t sshd_exec_t:process sshd_t;
-
Example : Linux Bootup
(Diagram: the boot sequence, with the policy set in the Reference Policy that covers each step)
init   -> loads the policy binary and re-executes itself in the right context   (policy set: init)
getty                                                                          (policy set: getty)
login  -> authenticates and computes the SELinux user context                  (policy set: locallogin)
bash                                                                           (policy set: unprivuser)
SELinux Config
-
SELinux Config
/etc/selinux/targeted/policy/policy.VERSION
-
SELinux Policy
-
Policy Set: Describe a Specific Part of the System
● All policy sets are comprised of three files:
○ .te : Main policy of the part (.c file)
○ .if : Interface for other parts of the system (.h file)
○ .fc: The file contexts for the part of the system
(Diagram: policy requirement -> coding with M4 macros & the kernel policy language -> policy sets -> checkpolicy or checkmodule -> policy binary)
-
Type Enforcement - Allow Rule
● allow source_type target_type : class perm_set;
● allow user_t bin_t: file {open read write};
(Diagram: a Bash process labelled user_t requests file {open read write} on /bin/ls, which is labelled bin_t)
-
Let’s Play: Write Policy
(Diagram: a Bash process labelled unconfined_t requests file {getattr open read} on /home/bighead/selinux_playground/ROfile, which is labelled testfile_t)
checkmodule -m test.te -o test.mod
semodule_package -o test.pp -m test.mod -f test.fc
semodule -i test.pp
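The policy module for this scenario written out end to end, as an added example rather than the slides' own code: the .te grants unconfined_t only getattr/open/read on testfile_t, the .fc labels the playground file, and the build follows the slide's three commands. Assumptions: the `file_type` attribute from the Reference Policy is used so the file can be relabelled, `-M` is added to checkmodule because the targeted policy (and the `:s0` range in the .fc) is MLS-enabled, and `setfiles` applies the label.

```shell
#!/bin/sh
# Added example, not from the slides: build the "ROfile" policy module for
# the Let's Play scenario. Module name and paths follow the slide; the
# file_type attribute is assumed from the Reference Policy.
set -eu

# test.te: declare testfile_t and allow the unconfined_t shell only
# getattr/open/read on it. No write is granted, so the file stays
# read-only for the shell even though unconfined_t is otherwise unconfined.
write_te() {
    cat > "$1/test.te" <<'EOF'
module test 1.0;

require {
    type unconfined_t;
    attribute file_type;
    class file { getattr open read };
}

type testfile_t;
# file_type lets setfiles/restorecon relabel the file to testfile_t
typeattribute testfile_t file_type;
allow unconfined_t testfile_t:file { getattr open read };
EOF
}

# test.fc: the file context that labels the playground file testfile_t.
write_fc() {
    printf '%s -- system_u:object_r:testfile_t:s0\n' \
        '/home/bighead/selinux_playground/ROfile' > "$1/test.fc"
}

# Compile, package and install as on the slide (-M added: the targeted
# policy and the :s0 range are MLS-enabled), then apply the label.
# Skips cleanly when the toolchain is missing or we are not root.
build_and_load() {
    if ! command -v checkmodule >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "no SELinux policy toolchain or not root; sources left in $1" >&2
        return 0
    fi
    checkmodule -M -m -o "$1/test.mod" "$1/test.te"
    semodule_package -o "$1/test.pp" -m "$1/test.mod" -f "$1/test.fc"
    semodule -i "$1/test.pp"
    setfiles -v "$1/test.fc" /home/bighead/selinux_playground/ROfile
}

WORKDIR="${1:-$(mktemp -d)}"
write_te "$WORKDIR"
write_fc "$WORKDIR"
build_and_load "$WORKDIR"
```

After loading, a write attempt from the shell is denied while reads succeed, which is the read-only behaviour the slide's {getattr open read} permission set is meant to produce.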
-
Audit2allow
● journalctl -b | grep testfile | audit2allow -M PMName
-
Q & A
-
What should I do when SELinux blocks me!?
1. Turn it off
2. Go read the logs!
a. /var/log/audit (needs auditd)
b. journalctl
c. dmesg
d. sealert
e. You can also receive the Netlink messages yourself
3. Decide whether the access should be allowed
a. boolean
b. change label
c. change SELinux user mapping
d. add new policy rule
-
How do I inspect and change the SELinux configuration?
● semanage
○ fcontext
○ user & login
○ network interface, node, port
○ boolean
○ module
● /etc/selinux/POLICYNAME/...
-
The Limitation of SELinux
1. Kernel attack
2. If you allow it, you can’t deny it
3. Side Channel
-
SELinux Demo
SELinux enforcing mode vs. SELinux permissive mode
Busybox (embedded system)
Restrict a given directory so that only a specified process can access it
Protect a specific process so that nobody can kill it
SELinux enforcing mode on Raspberry Pi 3 Model B+
SELinux technical write-up