LinuxSecurity.com
Hacks From Pax: Security Enhanced Linux and Mandatory Access Control
Posted by Pax Dickinson   
Security Enhanced Linux, or SELinux, is an exciting security project that is reaching maturity and is poised to revolutionize the way Linux security administration is performed. Originally developed by the National Security Agency and released as an open source project, it is now breaking into the mainstream in Red Hat, Fedora, Gentoo, and the new release of EnGarde Secure Linux 3.0, and it incorporates Mandatory Access Control into a base Linux system. This is a revolutionary advance, but it is also very different from the standard Linux security model. This week in Hacks From Pax, I'll provide a basic introduction to the philosophy behind SELinux and explain how it can add a powerful layer of security to your Linux system.

Discretionary Access Control vs. Mandatory Access Control

Standard Linux file permissions use the Discretionary Access Control (DAC) model. Under DAC, files are owned by a user and that user has full control over them, including the ability to grant access permissions to other users. The root account has full control over every file on the entire system. An attacker who penetrates an account can do anything with the files owned by that user. For example, an attacker who compromises a web server has full control over all files owned by the webserver account. Worse, if an application runs under the context of the root user, an attacker penetrating it now has full control over the entire system.

SELinux supplements Discretionary Access Control with Mandatory Access Control (MAC). Under MAC, the administrator writes a security policy that defines access rights for all users and applications. MAC in effect provides each application with a virtual sandbox that only allows the application to perform the tasks it is designed for and is explicitly allowed to perform in the security policy. For example, the webserver process may only be able to read web-published files and serve them on a specified network port. An attacker penetrating it will not be able to perform any activities not expressly permitted to the process by the security policy, even if the process is running as the root user. Files are assigned a security context that determines what specific processes can do with them, and the allowable actions are much more finely grained than the standard Unix read/write/execute controls. For example, a web-served file would have a context allowing the apache process to read it but not execute or make changes to it, while the log files would be appendable but not readable or otherwise changeable by apache. Network ports are also assigned a context, which can prevent penetrated applications from using ports not permitted to them by security policy.

Standard Unix permissions are still present on the system, and they are consulted before the SELinux policy when an access attempt is made. If the standard permissions would deny access, access is simply denied and SELinux is not consulted at all. If the standard file permissions would allow access, the SELinux policy is consulted and access is either allowed or denied based on the security contexts of the source process and the targeted object.
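To make the decision order concrete, here is a small model of the two checks just described: a DAC check on the classic permission bits, followed, only when DAC allows, by a default-deny lookup in a type-enforcement policy keyed on the process domain and the file or port context. This is an added example written for this article, not SELinux code and not part of the original column; the type names (httpd_t, httpd_sys_content_t, httpd_log_t, http_port_t, shadow_t, ssh_port_t) echo the reference policy, but the policy table, files and processes are constructed for the illustration.

```python
"""Toy model of the SELinux access decision: DAC first, then MAC (default deny).

Constructed for illustration only. The domain and type names echo the SELinux
reference policy, but the rules, files and processes below are invented.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class File:
    path: str
    owner: str
    mode: int        # classic permission bits, e.g. 0o644
    context: str     # SELinux type label, e.g. "httpd_sys_content_t"


@dataclass
class Process:
    user: str        # Unix user the process runs as
    domain: str      # SELinux domain, e.g. "httpd_t"


# DAC bit needed for each operation used in this model (append needs write).
DAC_BIT = {"read": 0o4, "write": 0o2, "append": 0o2, "execute": 0o1}


def dac_allows(proc: Process, f: File, op: str) -> bool:
    """Standard Unix check: root bypasses the bits; otherwise owner or 'other' bits apply.
    Group bits are omitted to keep the model short."""
    if proc.user == "root":
        return True
    shift = 6 if proc.user == f.owner else 0
    return bool((f.mode >> shift) & DAC_BIT[op])


# Each entry mirrors an `allow <domain> <type>:<class> { perms };` rule.
# Anything not listed is denied: the policy is default deny.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "getattr"},
    ("httpd_t", "http_port_t", "tcp_socket"): {"name_bind"},
}


def mac_allows(domain: str, target_type: str, cls: str, op: str) -> bool:
    return op in POLICY.get((domain, target_type, cls), set())


def access(proc: Process, f: File, op: str) -> tuple[bool, str]:
    """DAC is consulted first; only a DAC 'allow' reaches the SELinux policy."""
    if not dac_allows(proc, f, op):
        return False, "denied by DAC"
    if not mac_allows(proc.domain, f.context, "file", op):
        return False, "denied by SELinux policy"
    return True, "allowed"


def bind_port(proc: Process, port_context: str) -> tuple[bool, str]:
    """Ports carry a context too; binding needs name_bind on that context."""
    if mac_allows(proc.domain, port_context, "tcp_socket", "name_bind"):
        return True, "allowed"
    return False, "denied by SELinux policy"


if __name__ == "__main__":
    # Constructed sample: apache running as root, confined to httpd_t.
    apache = Process(user="root", domain="httpd_t")
    index = File("/var/www/html/index.html", "root", 0o644, "httpd_sys_content_t")
    log = File("/var/log/httpd/access_log", "root", 0o640, "httpd_log_t")
    shadow = File("/etc/shadow", "root", 0o000, "shadow_t")
    for f, op in [(index, "read"), (index, "write"), (log, "append"),
                  (log, "read"), (shadow, "read")]:
        print(f"{op:7} {f.path:28} -> {access(apache, f, op)[1]}")
    print("bind http_port_t ->", bind_port(apache, "http_port_t")[1])
    print("bind ssh_port_t  ->", bind_port(apache, "ssh_port_t")[1])
```

The interesting lines are the ones where DAC says yes (the process is root) and the policy still says no: writing to content, reading the log, reading /etc/shadow, or binding a port whose context the domain has no rule for. Run the same checks with an unprivileged user and the log read is refused by DAC before the policy is ever consulted, which is the ordering the text describes.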

The SELinux Revolution

The contrast between this approach and the approach of most security products in the anti-virus and intrusion prevention and detection markets could not be more stark. Anti-virus and IDS/IPS systems based on signatures are reactive, operating only on known threats, which is why zero-day exploits are so prized by malware authors. You can compare these products to firewalls with a default "allow any" rule, and many specific "deny" rules. This is a losing battle, as the quantity of malware keeps increasing at an exponential rate and vendors and their customers fight a losing battle to keep up. Any newly discovered security flaw will have a window of vulnerability between the exploit's release and the signature being added and propagated to the end user.

SELinux, on the other hand, can be compared to a firewall with a default "deny any" rule and a set of "allow" rules that only permit actions necessary for proper system operation. Malware or hack attempts that penetrate an application and attempt to escalate privileges can be stopped dead or limited to the point of near uselessness by the SELinux security policy, protecting the system regardless of whether the threat is well known or a brand new zero-day attack. SELinux does not need to know anything about the exploit to protect the system; it only needs to know what proper operations should be allowed.

This of course does not mean SELinux is a security holy grail. It requires knowledgeable administrators configuring its security policy, and should be used in concert with proper standard DAC unix permissions and tightly configured firewalls. SELinux adds another powerful layer of security to a system, however, and represents a major step forward in the state of the art of highly secure systems. Open source software is sometimes tarred as a follower and not an innovator by computer industry pundits, but SELinux is an example of open source leading the way in its adoption of a revolutionary change in the way systems are secured.
--
Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux. His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian Life Insurance, Philips Electronics and a wide variety of small business consulting roles.

Comments
Good info
Written by mrp on 2007-09-09 12:21:23
This is more useful info for me and most of my concepts regarding security policy are clear now.

Thank you!
Mr
Written by Binduraj on 2007-10-30 07:10:24
I appreciate your efforts, searched many pages, but this is the really nice one, much better than the Red Hat site

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.