Outline
- Security Enhanced Linux (SELinux)
SELinux
- Security Enhanced Linux
- National Security Agency, beginning in 2000, open source
- basic idea is to characterize what operations each daemon or
program is allowed to perform (AppArmor is similar)
- pros: potentially very secure, even default configuration
protects very effectively
- cons: steep learning curve needed to reconfigure the policy, do
anything not envisioned by creators of default policy
- does not protect against bugs in the kernel, "only" in the applications
- protects against exploits that allow programs to run as "root" -- root
has limited special privileges
SELinux details
- based on the Flask architecture "for flexible mandatory access control"
[NSA FAQ]:
The Flask architecture has been subsequently mainstreamed into Linux®
and ported to several other systems, including the Solaris™ operating
system, the FreeBSD® operating system, and the Darwin kernel
See also: The Flask Security Architecture
- "confine[s] user programs and system servers to the minimum amount
of privilege they require to do their jobs"
[NSA FAQ], which
lessens damage from attacks or bugs
- 12,910 lines of code in /usr/src/linux-3.0.4/security/selinux,
108,751 lines in userspace code
- creating policies is the biggest challenge
[refpolicy]:
the difficulty and complexity of creating SELinux policies has become
the number one barrier to the adoption of SELinux. It also potentially
reduces the security of the policies
- as of 2011, at least one version of SELinux is being evaluated for
"Labeled Security Protection Profile",
LynuxWorks LynxOS-SE v6.5 Operating System
- many limitations
[NSA FAQ]:
The goal of this project has been to add mandatory access controls and
make minimal changes to Linux. This latter goal greatly limits what can
be done to increase assurance, so there has been no work focused upon
increasing the assurance of Linux.
Security Features
- mandatory security: a "security policy where the definition
of the policy logic and the assignment of security attributes is
tightly controlled by a system security policy administrator"
[The Inevitability of Failure: The Flawed Assumption of Security in Modern
Computing Environments], implemented as Mandatory Access Control, or MAC
- Object Labeling: all objects that are controlled
by the security policy, e.g. files and network (socket) ports, are
also labeled by the security policy with a set of security attributes,
referred to as a security context
[The Flask Security Architecture: System Support for Diverse Security Policies,
http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml]
- Security Context for users: role + user name + domain/type,
of which the domain is what is usually used to control access
- Security Context for objects (files/ports): name + role + type
- Policies list what domains the user must have to perform
specific actions with a given target
[from wikipedia]
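The security-context fields and the "what domain may do what to which target" policy check from the bullets above, as an added toy example (not SELinux's or the refpolicy's own code; it handles only brace-form allow rules, and the policy lines and type names such as httpd_t are constructed samples in refpolicy style):

```python
"""Toy SELinux Type Enforcement (TE) decision. Added illustration, not SELinux or
refpolicy code; the rule text and type names below are constructed samples."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Context:
    """A security context, user:role:type (the outline's role + user + domain/type)."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, label: str) -> "Context":
        # Labels may carry a trailing MLS range such as ":s0"; keep the first three fields.
        parts = label.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed security context: {label!r}")
        return cls(parts[0], parts[1], parts[2])

# TE allow-rule syntax (brace form): allow <src type> <tgt type>:<class> { perms };
_RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{\s*([\w\s]+?)\s*\};")

def parse_policy(text: str) -> dict:
    """Build {(src_type, tgt_type, obj_class): set(perms)} from allow rules."""
    rules: dict = {}
    for src, tgt, obj_class, perms in _RULE.findall(text):
        rules.setdefault((src, tgt, obj_class), set()).update(perms.split())
    return rules

def check(rules: dict, subject: str, obj: str, obj_class: str, perm: str) -> bool:
    """Access decision: only the process domain (type) and the object type are
    consulted, and anything not explicitly allowed is denied."""
    s, o = Context.parse(subject), Context.parse(obj)
    return perm in rules.get((s.type, o.type, obj_class), set())

# Constructed sample policy in the style of the targeted policy's httpd rules.
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t http_port_t:tcp_socket { name_bind };
"""

def demo() -> list:
    rules = parse_policy(SAMPLE_POLICY)
    web, content = "system_u:system_r:httpd_t:s0", "system_u:object_r:httpd_sys_content_t:s0"
    return [
        check(rules, web, content, "file", "read"),            # allowed by rule
        check(rules, web, content, "file", "write"),           # not listed: denied
        check(rules, web, "system_u:object_r:shadow_t:s0", "file", "read"),  # no rule: denied
        # different user/role, same domain: type enforcement gives the same answer
        check(rules, "unconfined_u:unconfined_r:httpd_t:s0", content, "file", "open"),
    ]
```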
- a similar system, AppArmor, claims:
AppArmor proactively protects the operating system and applications
from external or internal threats, even zero-day attacks, by enforcing
good behavior and preventing even unknown application flaws from being
exploited. AppArmor security policies completely define what system
resources individual applications can access, and with what privileges.
[AppArmor wiki main page]
- there are 7,411 lines of code in
/usr/src/linux-3.0.4/security/apparmor
More about using SELinux
- Introduction to SELinux and Introduction to SELinux II in Linux Journal, by Mick Bauer
- definition of Type Enforcement as "the security model in SELinux
in which processes are confined to domains via security contexts."
- start of a description of securing an application to blink
the keyboard LEDs
- list of servers secured by the Red Hat Targeted Policy:
dhcpd, httpd, mysqld, named, nscd, ntpd, portmap, postgres,
snmpd, squid, syslogd, winbind
- Filesystem Labeling in SELinux (by James Morris, and also in Linux Journal)
describes how the SELinux labels are stored in Linux Extended Attributes
(xattr), which are available for every file.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.