Security-Enhanced Linux - AbsoluteAstronomy.com

Security-Enhanced Linux (SELinux) is a Linux

Linux kernel

The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....

feature that provides a mechanism for supporting access control security policies, including United States Department of Defense

United States Department of Defense

The United States Department of Defense is the U.S...

-style mandatory access control

Mandatory access control

In computer security, mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target...

s, through the use of Linux Security Modules

Linux Security Modules

Linux Security Modules is a framework that allows the Linux kernel to support a variety of computer security models while avoiding favoritism toward any single security implementation. The framework is licensed under the terms of the GNU General Public License and is standard part of the Linux...

(LSM) in the Linux kernel

Linux kernel

The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....

. It is not a Linux distribution

Linux distribution

A Linux distribution is a member of the family of Unix-like operating systems built on top of the Linux kernel. Such distributions are operating systems including a large collection of software applications such as word processors, spreadsheets, media players, and database applications...

, but rather a set of Kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement . The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency

National Security Agency

The National Security Agency/Central Security Service is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S...

.

It has been integrated into the mainline Linux kernel since version 2.6.

Overview

The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source

Open source

The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...

development community under the GNU GPL on December 22, 2000.
The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Network Associates, Secure Computing Corporation, Trusted Computer Solutions, and Tresys. Experimental ports of the FLASK

FLASK

The Flux Advanced Security Kernel is an operating system security architecture that provides flexible support for security policies....

/TE implementation have been made available via the TrustedBSD Project for the FreeBSD

FreeBSD

FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...

and Darwin

Darwin (operating system)

Darwin is an open source POSIX-compliant computer operating system released by Apple Inc. in 2000. It is composed of code developed by Apple, as well as code derived from NeXTSTEP, BSD, and other free software projects....

operating systems.

From NSA Security-enhanced Linux Team:

"NSA Security-enhanced Linux is a set of patches

Patch (computing)

A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance...

to the Linux kernel

Linux kernel

The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....

and some utilities to incorporate a strong, flexible mandatory access control

Mandatory access control

(MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals."

(SELinux has been integrated into version 2.6 series of the Linux kernel, and separate patches are now unnecessary; the above is a historical quote.)

Security-Enhanced Linux implements the Flux Advanced Security Kernel

FLASK

The Flux Advanced Security Kernel is an operating system security architecture that provides flexible support for security policies....

(FLASK) integrated in some versions of the Linux kernel with a number of utilities designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Such a kernel contains architectural components prototyped in the Fluke operating system. These provide general support for enforcing many kinds of mandatory access control policies, including those based on the concepts of type enforcement

Type enforcement

The concept of type enforcement in the field of information technology is related to access control. Implementing TE, gives priority to “mandatory access control” over “discretionary access control” . Access clearance is first given to a subject accessing objects based on rules defined in an...

, role-based access control

Role-Based Access Control

In computer systems security, role-based access control is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can be implemented via mandatory access control or discretionary access control...

, and multilevel security

Multilevel security

Multilevel security or Multiple Levels of Security is the application of a computer system to process information with different sensitivities , permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for...

. FLASK, in turn, was based on DTOS, a Mach-derived Distributed Trusted Operating System, as well as Trusted Mach, a research project from Trusted Information Systems

Trusted Information Systems

Trusted Information Systems was a computer security research and development company during the 1980s and 1990s, performing computer and communications security research for organizations such as NSA, DARPA, ARL, AFRL, SPAWAR, and others.TIS was founded in 1983 by NSA veteran Steve Walker, and at...

that had an influence on the design and implementation of DTOS.

A Linux kernel integrating SELinux enforces mandatory access-control

Mandatory access control

policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid

Setuid

setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...

/setgid binaries).

The security of an unmodified Linux system depends on the correctness of the kernel, of all the privileged applications, and of each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on an SELinux kernel depends primarily on the correctness of the kernel and its security-policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

From a purist perspective, SELinux provides a hybrid of concepts and capabilities drawn from mandatory access controls, mandatory integrity controls, role-based access control

Role-Based Access Control

(RBAC), and type enforcement architecture. Third-party tools enable one to build a variety of security policies.

Users, policies and security contexts

SELinux users and roles are not related to the actual system users and roles. For every current user or process, SELinux assigns a three string context consisting of a role, user name, and domain (or type). This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. Circumstance for when the user is allowed to get into a certain domain must be configured in the policies. The command runcon allows for the launching of a process into an explicitly specified context (user, role and domain), but SELinux may deny the transition if it is not approved by the policy configuration.

Files, network ports, and other hardware also have an SELinux context, consisting of a name, role (seldom used), and type. In case of the file systems, mapping between files and the security contexts is called labeling. The labeling is defined in policy files but can also be manually adjusted without changing the policies. Hardware types are quite detailed, for instance, bin_t (all files in the folder /bin) or postgresql_port_t (PostgreSQL port, 5432). The SELinux context for a remote file system can be specified explicitly at mount time. SELinux adds the -Z switch to the shell commands ls, ps, and some others, allowing the security context of the files or process to be seen.

Typical policy rules often consist of explicit permissions; which domains the user must possess to perform certain actions with the given target (read, execute, or, in case of network port, bind or connect), and so on. More complex mappings are also possible, involving roles and security levels.
A typical policy consists of a mapping (labeling) file, a rule file, and an interface file, that define the domain transition. These three files must be compiled together with the SELinux tools to produce a single policy file. The resulting policy file can be loaded into the kernel, making it active. Loading and unloading policies does not require a reboot. The policy files are either hand written or can be generated from the more user friendly SELinux management tool. They are normally tested in permissive mode first, where violations are logged but allowed. The audit2allow tool can be used later to produce additional rules that extend the policy to allow all legitimate activities of the application being confined.

Features

Clean separation of policy from enforcement
Well-defined policy interfaces
Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
Independent of specific policies and policy languages
Independent of specific security label formats and contents
Individual labels and controls for kernel objects and services
Caching of access decisions for efficiency
Support for policy changes
Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security
Multilevel security
Multilevel security or Multiple Levels of Security is the application of a computer system to process information with different sensitivities , permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for...

)
Very flexible policy
Controls over process initialization and inheritance and program execution
Controls over file systems, directories, files, and open file descriptor
File descriptor
In computer programming, a file descriptor is an abstract indicator for accessing a file. The term is generally used in POSIX operating systems...

s
Controls over sockets, messages, and network interfaces
Controls over use of "capabilities"

Usage

SELinux can potentially control all users, processes and daemons with very precise specifications which activities are allowed for every member. However, it is mostly used to confine daemons

Daemon (computer software)

In Unix and other multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user...

like database engines or web servers that have more clearly defined data access and activity rights. A confined daemon that becomes compromised is thus limited in the harm it can do. Ordinary user processes often run in the unconfined domain, not restricted by SELinux but still restricted by the classic Linux access rights.

See also: chcon,
restorecon,
restorecond,
runcon,
secon

Secon

SECON is a surveying, mapping and GIS software development firm based in Bangalore, India. Originally named SECON Surveys, this company saw considerable growth in the 1990s due to its services to large Indian petroleum, oil and gas pipeline companies such as Reliance Industries, Essar Group and...

,
fixfiles,
setfiles,
load policy,
booleans,
getsebool,
setsebool,
togglesebool
setenforce, load policy
setfiles,
selinuxenabled, semodule, postfix-nochroot, check-selinux-installation, semodule package, checkmodule, selinux-config-enforcing, selinuxenabled, selinux-policy-upgrade ;

and also: security set boolean

Usage example (to put SELinux in permissive mode):
# setenforce 0

Implementations

SELinux is available with commercial support as part of Red Hat Enterprise Linux

Red Hat Enterprise Linux

Red Hat Enterprise Linux is a Linux-based operating system developed by Red Hat and targeted toward the commercial market. Red Hat Enterprise Linux is released in server versions for x86, x86-64, Itanium, PowerPC and IBM System z, and desktop versions for x86 and x86-64...

(RHEL) version 4 and all future releases. This presence is also reflected in corresponding versions of CentOS

CentOS

CentOS is a free operating system based on Red Hat Enterprise Linux . It exists to provide a free enterprise class computing platform and strives to maintain 100% binary compatibility with its upstream distribution...

. The supported policy in RHEL4 is the targeted policy which aims for maximum ease of use and thus is not as restrictive as it might be. Future versions of RHEL will have more targets in the targeted policy which will mean more restrictive policies.

In free community supported GNU/Linux distributions, Fedora

Fedora (operating system)

Fedora is a RPM-based, general purpose collection of software, including an operating system based on the Linux kernel, developed by the community-supported Fedora Project and sponsored by Red Hat...

was one of the earliest adopters, including support for it by default since Fedora Core 2. Other distributions include support for it such as Debian

Debian

Debian is a computer operating system composed of software packages released as free and open source software primarily under the GNU General Public License along with other free software licenses. Debian GNU/Linux, which includes the GNU OS tools and Linux kernel, is a popular and influential...

as of the etch release, Ubuntu

Ubuntu (operating system)

Ubuntu is a computer operating system based on the Debian Linux distribution and distributed as free and open source software. It is named after the Southern African philosophy of Ubuntu...

as of 8.04 Hardy Heron, Hardened Gentoo

Hardened Gentoo

Hardened Gentoo is a project of Gentoo Linux that is enhancing the distribution with security addons. Current security enhancements to Gentoo Linux can be:*SELinux**A system of mandatory access controls...

, and Yellow Dog Linux

Yellow Dog Linux

Yellow Dog Linux, also known as YDL, is a free and open source operating system for high performance computing on multicore architectures. It focuses on GPU systems and computers using the Power Architecture . YDL is currently developed by Fixstars...

.

It is also supported in EnGarde Secure Linux

EnGarde Secure Linux

EnGarde Secure Linux is an open source server-only Linux distribution developed by . EnGarde incorporates open source tools such as Postfix, BIND, and the LAMP stack....

.

As of version 11.1, openSUSE

SUSE Linux distributions

SUSE Linux is a computer operating system. It is built on top of the open source Linux kernel and is distributed with system and application software from other open source projects. SUSE Linux is of German origin and mainly developed in Europe. The first version appeared in early 1994, making...

contains SELinux "basic enablement". SUSE Linux Enterprise 11 will feature SELinux as a "technology preview".

There was some work to provide SELinux packages for Slackware

Slackware

Slackware is a free and open source Linux-based operating system. It was one of the earliest operating systems to be built on top of the Linux kernel and is the oldest currently being maintained. Slackware was created by Patrick Volkerding of Slackware Linux, Inc. in 1993...

, but development seems to have stagnated.

There has been work on other distributions such as Familiar Linux

Familiar Linux

Familiar Linux is a Linux distribution for iPAQ machines and other personal digital assistants , intended as a replacement for Windows CE on these machines. It can use OPIE or GPE Palmtop Environment as graphical user interface...

, but some of this was ceased due to technical reasons. (The Familiar Linux work was abandoned when SELinux needed extended file attributes

Extended file attributes

Extended file attributes is a file system feature that enables users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem...

, unsupported in the JFFS2

JFFS2

Journalling Flash File System version 2 or JFFS2 is a log-structured file system for use with flash memory devices. It is the successor to JFFS. JFFS2 has been included in the Linux kernel since the 2.4.10 release. JFFS2 is also available for a couple of bootloaders like Das U-Boot, Open...

filesystem.)

The earliest work directed toward standardizing an approach toward provision of mandatory and discretionary access controls (MAC and DAC) within a UNIX (more precisely, POSIX) computing environment can be attributed to the National Security Agency's Trusted UNIX (TRUSIX) Working Group, which met from 1987 to 1991 and published one Rainbow Book

Rainbow Series

The Rainbow Series is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S...

(#020A) and produced a formal model and associated evaluation evidence prototype (#020B) that was ultimately unpublished. It was sponsored by Chet Coates and Mario Tinto of the NSA's National Computer Security Center, and managed by Dr. Charles Testa and Bruce Wilner of Infosystems Technology (Greenbelt, Maryland; later, Falls Church, Virginia), the crucial architects of the TRUSIX project, and members of its Modeling Subcommittee — Steve Bunch, Dr. Frank Knowles, Dr. J. Eric Roskos, Larry Wehr, and Bruce Wilner. Their efforts, particularly as critics of the less technically profound work of the TRUSIX Access Control List (ACL) Subcommittee, survive in the IEEE POSIX 1003.6 "security extensions for portable operating systems environments" specification.

Other systems

SELinux represents one of several possible approaches to the problem of restricting the actions that installed software can take.

The AppArmor

AppArmor

AppArmor is a security module for the Linux kernel, released under the GNU General Public License. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access...

system generally takes a similar approach to SELinux. One important difference is that AppArmor identifies file system objects by path name instead of inode. This means that, for example, a file that is inaccessible may become accessible under AppArmor when a hard link is created to it, while SELinux would deny access through the newly created hard link. On the other hand, data that is inaccessible may become accessible when applications update the file by replacing it with a new version — a frequently used technique — while AppArmor would continue to deny access to the data. In both cases, a default policy of "no access" avoids the problem.

SELinux and AppArmor also differ significantly in how they are administered and how they integrate into the system.

Isolation of processes can also be accomplished by mechanisms like virtualization

Operating system-level virtualization

Operating system-level virtualization is a server virtualization method where the kernel of an operating system allows for multiple isolated user-space instances, instead of just one. Such instances may look and feel like a real server, from the point of view of its owner...

; the OLPC project, for example, in its first implementation sandbox

Sandbox (computer security)

In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites....

ed individual applications in lightweight Vservers.

Controversy

Some software and security analysts pointed to the NSA offering such a tool to the community and the potential conflict of interest inherent to it.

External links

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.