
  • SELinux

    王禹軒

  • Copyright 2017 ITRI 工業技術研究院

    How do we make something secure?

    Laws/rules + enforcement power (control capability)

    Diagram (national defence analogy): border defence, police, the whole population as soldiers; together they make up the national defence capability.

  • How do we make something secure? (news references)

    https://newtalk.tw/news/view/2020-04-17/392965
    https://www.rfi.fr/tw/%E7%94%9F%E6%85%8B/20200304-%E8%8B%B1%E5%9C%8B%E6%88%96%E6%9C%80%E5%A4%9A%E6%9C%83%E6%9C%8950%E8%90%AC%E4%BA%BA%E6%AD%BB%E6%96%BC%E6%96%B0%E5%86%A0%E7%97%85%E6%AF%92%E8%82%BA%E7%82%8E
    https://calcloud.nmns.edu.tw/cp-6-267276-1.html

  • How do we make something secure?

    • Cut the network and isolate from the outside world (X)
    • Firewall
    • Anti-virus software
    • Control capability = access control
    • Enact laws and rules -> open to inspection and public scrutiny
    • The system (government + people) strictly and faithfully follows and enforces them

    Diagram: national security (attack; border defence, police, the whole population as soldiers, laws/rules + enforcement power) side by side with information security defence capability (attack; firewall, anti-virus software, control capability = access control: SELinux). Caption: the next line of defence?

  • Access control (laws/rules)

    • SMACK
    • AppArmor
    • SELinux
      ▪ File
      ▪ Filesystem
      ▪ Service
      ▪ Process

    Competing technologies, for reference (axes on the slide: strict and complete control, defence in depth, information security defence capability; ease of use):

    NAME                                  SELinux     Smack     AppArmor
    Granularity (LSM hook points)         176         114       62
    Separation of policy and mechanism    Yes         Partial   Yes
    Whitelisting                          Yes         Yes       No
    Extended attributes                   Yes         Yes       No
    Used on                               Red Hat,    AGL       Ubuntu,
                                          military,             openSUSE
                                          Android

  • SELinux Concept

    ● Mandatory Access Control

    https://securitychecksmatter.blogspot.com/p/security-poster-library.html

  • SELinux Concept

    Diagram: a process (subject, carrying its subject label) requests access to a resource (object, carrying its object label).

    ● Mandatory Access Control
    ● Label format:
      ○ Stored by the filesystem as an extended attribute, i.e. extra metadata on the file's inode:
        security.selinux = “Label”
        security.capability = ...
      ○ User:Role:Type:Range
    ● Different MAC models supported:
      ○ Type Enforcement, MCS, MLS, RBAC

  • Type enforcement (1/2)

    Reference : https://opensource.com/business/13/11/selinux-policy-guide

  • Type enforcement (2/2)

  • MCS (1/2)

  • MCS (2/2)

  • MLS (1/2)

  • MLS (2/2)

  • SELinux Concept

    Diagram: a process (subject label) requests access to a resource (object label).

    ● Assumption: Trusted Subject
      ○ Trusted subjects are applications that support specific SELinux functionality to enforce the security policy (e.g. the kernel, init, pam and login)

  • How do trusted subjects cooperate?

  • LSM Hook & Audit System

    ● Turn on the kernel config options for:
      ○ Audit system
      ○ Filesystem extended attribute support
      ○ Socket and network security hook support
      ○ SELinux

  • LSM Hook & Audit System

    Diagram (kernel / userspace split): a userspace process enters the kernel through the system call interface (entry point: open file). At the hook point selinux_file_open the security server, with its central policy, answers “Authorize request?” Yes/No; the audit system decides “Audit log or not?”, and “Enforcing or not?” decides whether a No actually stops the operation. Otherwise the kernel goes on to open the file.

  • SELinux-aware Application

  • SELinux-aware Application (program behaviour vs. SELinux)

    1. Unaware (e.g. rm)
    2. Aware, but not necessary (e.g. ls, ps)
    3. Accesses securityfs without checking a special class (e.g. getenforce)
    4. In addition to accessing securityfs, checks the permissions in the special classes below (e.g. systemd, init, setenforce)
       a. File, Socket, Database, Filesystem classes
          i. relabelto
          ii. relabelfrom
       b. Process class
          i. dyntransition
          ii. setexec
          iii. setfscreate
          iv. setkeycreate
          v. setsockcreate
       c. Security class
       d. Kernel service class

  • Example : SELinux Mode

    ● sestatus or getenforce
      ○ Enforcing, Permissive, Disabled

    Permissive != Disabled

  • SELinux Label

    ● Get file label : ls -Z or getfilecon
    ● Get process label : ps Z or getpidcon

    User   user_u    root       system_u              unconfined_u
    Role   user_r    sysadm_r   system_r, object_r    unconfined_r
    Type   user_t    sysadm_t   …                     unconfined_t

  • SELinux Label

    ● Set existing object label : fixfiles, setfiles, setfilecon
    ● File_contexts
      File_contexts from Refpolicy : https://github.com/SELinuxProject/refpolicy

  • SELinux Label

    Diagram: a user_t process creates the file “test” inside /etc (etc_t); the new file is labelled test_t instead of inheriting etc_t.

    ● Set new object label: Object Label Transition
      ○ type_transition user_t etc_t:file test_t;

  • SELinux Label

    ● Set process label: Domain Transition
      ○ type_transition init_t sshd_exec_t:process sshd_t;

  • Example : Linux Bootup

    Diagram (the policy set from the Reference Policy is shown beside each step):
    init (init): load policy binary & re-execute itself in the right context
    getty (getty)
    login (locallogin): authenticate & compute SELinux user context
    bash (unprivuser)

  • SELinux Config

    /etc/selinux/targeted/policy/policy.VERSION

  • SELinux Policy

  • Policy Set: Describe a Specific Part of the System

    ● All policy sets are comprised of three files:
      ○ .te : main policy of the part (like a .c file)
      ○ .if : interface for other parts of the system (like a .h file)
      ○ .fc : the file contexts for the part of the system

    Diagram: policy requirement -> policy sets (coded with M4 macros & the kernel policy language) -> checkpolicy or checkmodule -> policy binary

  • Type Enforcement - Allow Rule

    ● allow source_type target_type : class perm_set;
    ● allow user_t bin_t : file { open read write };

    Diagram: a bash process (user_t) requests file { open read write } on /bin/ls (bin_t).
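The decision path shown on the LSM-hook diagram and the allow / type_transition rules above, as an added example that is not part of the deck and not libselinux: a toy security server that parses the kernel policy language, answers a hook such as selinux_file_open, audits every denial, and lets a denied request through only in permissive mode (permissive != disabled). The policy text and contexts are constructed for the example.

```python
import re

# Constructed policy fragment in the kernel policy language quoted on the slides.
# Illustration only; not the deck's rules and not the reference policy.
POLICY = """
allow user_t bin_t : file { open read write };
allow user_t etc_t : dir { search write add_name };
type_transition user_t etc_t:file test_t;
allow unconfined_t testfile_t : file { getattr open read };
"""

ALLOW = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")
TRANS = re.compile(r"type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;")


def parse_policy(text):
    """Index allow rules and type_transition rules by (source, target, class)."""
    allows, transitions = {}, {}
    for src, tgt, cls, perms in ALLOW.findall(text):
        allows.setdefault((src, tgt, cls), set()).update(perms.split())
    for src, tgt, cls, new_type in TRANS.findall(text):
        transitions[(src, tgt, cls)] = new_type
    return allows, transitions


def type_of(context):
    """Label format is user:role:type:range; type enforcement only looks at the type."""
    return context.split(":")[2]


def check_access(allows, scontext, tcontext, tclass, perms, enforcing=True):
    """What a hook like selinux_file_open gets back: (allowed, avc_message).
    A denial is always audited; in permissive mode the operation still proceeds."""
    granted = allows.get((type_of(scontext), type_of(tcontext), tclass), set())
    denied = set(perms) - granted
    if not denied:
        return True, None
    avc = "avc:  denied  { %s } for scontext=%s tcontext=%s tclass=%s permissive=%d" % (
        " ".join(sorted(denied)), scontext, tcontext, tclass, 0 if enforcing else 1)
    return (not enforcing), avc


def new_file_type(transitions, scontext, dir_context):
    """Object label transition: type of a file created in dir_context by scontext.
    With no matching type_transition the file inherits the parent directory's type."""
    src, parent = type_of(scontext), type_of(dir_context)
    return transitions.get((src, parent, "file"), parent)


if __name__ == "__main__":
    allows, transitions = parse_policy(POLICY)
    bash, ls = "user_u:user_r:user_t:s0", "system_u:object_r:bin_t:s0"
    print(check_access(allows, bash, ls, "file", {"open", "read"}))  # -> (True, None)
    print(check_access(allows, bash, ls, "file", {"execute"}))
    print(check_access(allows, bash, ls, "file", {"execute"}, enforcing=False))
    print(new_file_type(transitions, bash, "system_u:object_r:etc_t:s0"))  # -> test_t
```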

  • Let’s Play: Write Policy

    Diagram: a bash process (unconfined_t) requests file { getattr open read } on /home/bighead/selinux_playground/ROfile (testfile_t).

  • Let’s Play: Write Policy (build and install the module)

    checkmodule -m test.te -o test.mod
    semodule_package -o test.pp -m test.mod -f test.fc
    semodule -i test.pp

  • Audit2allow

    ● journalctl -b | grep testfile | audit2allow -M PMName
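Added example, not from the deck and not the audit2allow tool itself: a minimal re-implementation of what `audit2allow -M PMName` does with the denials piped into it, which also shows the .te module syntax from the “Policy Set” and “Let’s Play” slides end to end. The AVC log lines are constructed (pid/comm/ino made up; contexts and path follow the ROfile scenario), and every denied permission becomes an allow, including the write to a read-only file, so the output is a draft to review, not a finished policy.

```python
import re

# Constructed AVC denials in the format the kernel audit subsystem writes to
# /var/log/audit and journalctl. pid/comm/ino are made up; contexts follow the slides.
AVC_LOG = """\
type=AVC msg=audit(1597392000.101:211): avc:  denied  { read } for  pid=2231 comm="cat" name="ROfile" dev="sda1" ino=4711 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:testfile_t:s0 tclass=file permissive=0
type=AVC msg=audit(1597392000.101:211): avc:  denied  { open } for  pid=2231 comm="cat" path="/home/bighead/selinux_playground/ROfile" dev="sda1" ino=4711 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:testfile_t:s0 tclass=file permissive=0
type=AVC msg=audit(1597392003.550:212): avc:  denied  { getattr } for  pid=2240 comm="ls" path="/home/bighead/selinux_playground/ROfile" dev="sda1" ino=4711 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:testfile_t:s0 tclass=file permissive=0
type=AVC msg=audit(1597392009.002:213): avc:  denied  { write } for  pid=2255 comm="bash" path="/home/bighead/selinux_playground/ROfile" dev="sda1" ino=4711 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:testfile_t:s0 tclass=file permissive=0
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def collect_denials(log):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    rules = {}
    for perms, scontext, tcontext, tclass in AVC.findall(log):
        key = (scontext.split(":")[2], tcontext.split(":")[2], tclass)
        rules.setdefault(key, set()).update(perms.split())
    return rules


def render_module(name, rules, version="1.0"):
    """Emit a loadable module in the kernel policy language (the .te file that
    `audit2allow -M name` writes): module header, require block, allow rules."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The write denial becomes an allow too: check each rule against the intent
    # (boolean? relabel? user mapping? new rule?) before checkmodule / semodule -i.
    print(render_module("PMName", collect_denials(AVC_LOG)))
```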

  • Q & A

  • SELinux blocked me, what should I do!?

    1. Turn it off
    2. Go read the logs!
       a. /var/log/audit (needs auditd)
       b. journalctl
       c. dmesg
       d. sealert
       e. You can also receive the Netlink messages yourself
    3. Review whether the access should be allowed
       a. boolean
       b. change label
       c. change SELinux user mapping
       d. add new policy rule

  • How do I inspect and change the SELinux configuration?

    ● semanage
      ○ fcontext
      ○ user & login
      ○ network interface, node, port
      ○ boolean
      ○ module
    ● /etc/selinux/POLICYNAME/...

  • The Limitations of SELinux

    1. Kernel attack
    2. If you allow it, you can’t deny it
    3. Side channel

  • SELinux Demo

    SELinux enforcing mode / SELinux permissive mode
    Busybox (embedded system)
    Restrict a given directory so that only designated processes can access it
    Protect a specific process so that nobody can kill it
    SELinux enforcing mode on Raspberry Pi 3 Model B+

    SELinux technical sharing article