SElinux filesystem labeling and type enforcement - PDF document


  1. SElinux filesystem labeling and type enforcement, November 13, 2020
     Administrative – submittal instructions
     - answer the lab assignment’s questions in written report form, as a text, pdf, or Word document file (no obscure formats please)
     - deadline is start of your lab session the following week
     - reports not accepted (zero for lab) if late
     - submit via D2L

  2. Administrative – script files reminder
     - re-download the script files' zip
     - to obtain the new vmconfigure scripts for this "sniffing" exercise
     Administrative
     - will hold a final lab office hours 11am next Thursday 11/19, Zoom link: https://usc.zoom.us/j/92599920289

  3. Administrative – employment
     - CS530 will be next offered Fall 2021
     - lab graders will be needed
       - you are the automatically ideal candidates
       - you must remain a student in Fall 2021
       - contact me with expression of interest now, or subsequently
       - hiring can only take place next August-September
       - see link to job description on lab class website
     Administrative
     - machine and scripts for this exercise delayed
     - expected tomorrow 11/14/20
     - will email students when completed and available

  4. Administrative
     - this is our final lab
     Agenda
     - background
       - general concept of confinement
       - filesystems and filesystem geography
       - example: apache web server
     - SElinux

  5. Background: general concept of confinement
     Confinement in cyber security
     - “Systems should do 1) what they are designed to do 2) and nothing else.”
     - cyber confinement examples
       - memory (the easy part): memory management, process isolation
       - storage: chroot – at filesystem/directory granularity; SELinux – at individual file granularity

  6. Central concept of access control
     - active subjects reference passive objects
       - “reference” means propose access
     - government example
       - subjects are employees
       - objects are documents
     - cyber example
       - subjects are processes
       - objects may be filesystem objects (unix) or memory segments (multics)
     - each access mediated by some arbitration mechanism
       - approved or disapproved
     Reference monitor – another, similar possibility
     - centerpiece of security kernels in trusted OS's (runs low-level in/at the heart of a trusted OS kernel)
     - sits between subjects and objects
     - uses an authorization database as input
     - supplies audit (event) information as output

  7. Reference monitor
     (diagram: subject → reference monitor → object; the authorization database feeds the reference monitor, which emits audit records)
     Ref monitor enforces policy
     - the database holds rules covering each interaction type for every subject/object combination
       - e.g. a population of 3 subjects and 5 objects with 2 operations would need 30 rules
     - each rule allows or disallows
     - the rule collection is called the “policy”

  8. Well then, policy is prerequisite
     - the policy is the law
     - absent the law you can't enforce the law
     - so the database must get pre-populated by the system admin
     - ref monitor is the cop, but sysadmin is the legislature
     - everything flows from policy
     “Rules” can be fashioned from labels
     - multics did it with labels on memory “segments”
     - selinux does it with labels on processes and filesystem objects
     - btw, traditional permissions also use labels ("rwxr-xr-x") on filesystem objects (though not on processes)

  9. Who gets to write the rules?
     Access control types: discretionary vs mandatory
     - users may control access decisions for some objects
     - but policy is by central authority (sysadmin), never a user
     - policy is the “mandate” in “mandatory”
     - mandatory and discretionary can be combined
       - multics – ACLs (discretionary) + MLS (mandatory)
       - linux – permissions (discretionary) + SELinux type enforcement (mandatory)
       - co-existing, independent systems operate as “perms && selinux”, ie, perms first
     Background: filesystems

  10. Filesystem underpinnings
      General filesystem structure logic
      - purpose: associate names with bodies of data (aka “content”)
      - method: reserve part of the disk for a directory
        - analogous to book’s table of contents consuming first few pages
      (diagram: directory on disk holding name/pointer entries, each pointer leading to a body of data)
      Additional logic (“info”)
      - directory entries may include characteristic file info
        - size, timestamp, filetype, owner, various labels and things, etc.
      (diagram: same layout, with each directory entry now name/info/pointer)

  11. Linux (ext2) filesystem differs a bit -- where are the filenames?
      (diagram: inode table on disk holding info/pointer entries only, no names)
      Linux (ext2/3/4) filesystem structure
      - directory portion called “inode table”
      - table entries (inodes) lack files’ names!
      - a “directory” is a regular file
      - files’ names appear in directory files

  12. Directories sit in their own files; files’ names are in there
      - finding /etc/hello.txt
      (diagram: the directory file for / lists bin, etc, home; the directory file for /etc lists hosts, passwd, hello.txt; each name maps to an inode table entry (info + pointer) whose pointer leads to the data, “Hello!” for hello.txt)
      Background: apache web server
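The lookup of /etc/hello.txt described in slides 10 to 12, as an added example that is not part of the slides: a toy ext2-style layout in which the inode table carries only “info” (labels) and content, names live only in directory files, and a path is resolved by walking those directory files from the root inode. The inode table is constructed; the type labels follow SELinux reference-policy names, with /etc/hosts carrying the net_conf_t type the slides mention.

```python
# Added example (not from the slides). Toy model of the ext2/3/4 layout the
# slides describe: inodes hold info + data but no names; a "directory" is a
# regular file whose content is just name -> inode-number entries.
ROOT_INODE = 2  # assumption: ext2 reserves inode 2 for "/"

# Constructed inode table. "type" stands in for the SELinux context's type
# component (on a real ext2/3/4 volume it is the security.selinux xattr).
INODES = {
    2: {"info": {"kind": "dir", "mode": "rwxr-xr-x", "type": "root_t"},
        "data": {"bin": 3, "etc": 4, "home": 5}},
    3: {"info": {"kind": "dir", "mode": "rwxr-xr-x", "type": "bin_t"}, "data": {}},
    4: {"info": {"kind": "dir", "mode": "rwxr-xr-x", "type": "etc_t"},
        "data": {"hosts": 6, "passwd": 7, "hello.txt": 8}},
    5: {"info": {"kind": "dir", "mode": "rwxr-xr-x", "type": "home_root_t"}, "data": {}},
    6: {"info": {"kind": "file", "mode": "rw-r--r--", "type": "net_conf_t"},
        "data": b"127.0.0.1 localhost\n"},
    7: {"info": {"kind": "file", "mode": "rw-r--r--", "type": "passwd_file_t"},
        "data": b"root:x:0:0::/root:/bin/sh\n"},
    8: {"info": {"kind": "file", "mode": "rw-r--r--", "type": "etc_t"},
        "data": b"Hello!"},
}

def lookup(path):
    """Return the inode number for `path`, or None if a component is missing.
    Walks the directory files from the root inode, one name at a time."""
    ino = ROOT_INODE
    for name in [p for p in path.split("/") if p]:
        entry = INODES[ino]
        if entry["info"]["kind"] != "dir":
            return None          # tried to descend through a plain file
        ino = entry["data"].get(name)
        if ino is None:
            return None          # name absent from this directory file
    return ino

def read(path):
    """Content reached through the inode's pointer (here the data itself)."""
    ino = lookup(path)
    return None if ino is None else INODES[ino]["data"]

def type_label(path):
    """The SELinux type label is 'info' on the inode, not on the name."""
    ino = lookup(path)
    return None if ino is None else INODES[ino]["info"]["type"]

def inodes_with_names():
    """Inodes lack names: no inode in the table carries a 'name' field."""
    return [ino for ino, e in INODES.items() if "name" in e["info"]]
```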

  13. Apache filesystem map
      (diagram: / holds bin, etc, home, root, usr, var; /etc/httpd holds conf (httpd.conf) and logs; /var/www holds manual, cgi-bin, error and html, the DocumentRoot containing your webpage files, index.html et al.; apache territory: apache reads files here only)
      Apache filesystem map
      (diagram: the same map with /home/student/public_html added alongside the DocumentRoot)

  14. A foreign directory "/var/web": outside the fold / beyond view
      (diagram: /var/web sits beside /var/www under /var, outside apache territory)
      /var/web brought inside as "/otherstuff"
      (diagram: with the httpd.conf line " Alias /otherstuff /var/web ", /var/web appears as otherstuff alongside html inside apache territory)

  15. SElinux
      Confinement in SELinux
      “[SELinux] compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days-- when someone gets a toe-hold on a computer through a vulnerability in a local networked application … and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system.” (book press release)
      “Beating the 0-day vulnerability threat” (book cover banner)

  16. Trying to access a resource (permissions vs SELinux)
      - permissions system cares which user account: who!
      - but SELinux cares which program: what!
      - user can normally access more files than a particular program should
      - my progX doesn't need access to all the same files as my progY, just because they're both mine!
      - gaining illicit control, which access do you want attacker to get?
      Why should I use SELinux? “In short because SELinux can help protect you from bugs in applications. Most people treat applications as user surrogates (e.g., "I go to google.com" not "I tell my browser to go to google.com and it does so on my behalf"). However applications, especially the desktop applications we all use, come in at millions of lines of code. Without knowing what those millions of lines of code do there is no way to know if an application will really do what you tell it or if it becomes malicious because of vulnerabilities. With SELinux you can treat the applications you run differently from yourself thereby limiting what an exploited application can do.” http://selinuxproject.org/page/FAQ
      What labels are there? Where are SELinux’s?
      - filenames – those are labels themselves (on data)
      - permission strings – those are labels (on files)
      - SELinux contexts – another set of labels (also on files) (“context” == “label”)
      - context/label – 4 components; secon shows them individually; we care only about the “type” or “type label” (“net_conf_t” in this case)
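The reference monitor of slide 7, the “perms && selinux, ie, perms first” ordering of slide 9, and the progX/progY point of slide 16, as one added example that is not part of the slides: a toy reference monitor whose authorization database is a set of allow rules keyed by (process domain, file type, class, permission), consulted only after the traditional rwx check, with every decision written to an audit list. The processes, files and rule set are constructed; progX_t and progY_t are invented domain names, while net_conf_t and user_home_t are reference-policy type names.

```python
# Added example (not from the slides): toy model of "perms first, then SELinux".
# Subjects are processes, objects are files, and every reference is mediated.
from dataclasses import dataclass

@dataclass
class File:
    path: str
    owner: str
    mode: str      # traditional label, e.g. "rw-r--r--" (owner, group, other)
    setype: str    # SELinux type label, e.g. "net_conf_t"

@dataclass
class Process:
    name: str
    user: str      # who!  (what the permissions system looks at)
    domain: str    # what! (the process type SELinux looks at)

# Authorization database (constructed): one allow rule per (domain, type,
# class, perm). Anything not listed is denied, as in type enforcement.
ALLOW = {
    ("progX_t", "net_conf_t", "file", "read"),
    ("progY_t", "user_home_t", "file", "read"),
    ("progY_t", "user_home_t", "file", "write"),
}

AUDIT = []  # reference monitor output: one record per mediated access

def dac_allows(proc, f, perm):
    """rwx check, simplified to owner vs. other (the group triplet is skipped)."""
    bits = f.mode[0:3] if proc.user == f.owner else f.mode[6:9]
    return {"read": "r", "write": "w", "exec": "x"}[perm] in bits

def te_allows(proc, f, perm):
    return (proc.domain, f.setype, "file", perm) in ALLOW

def reference_monitor(proc, f, perm):
    """Mediate one reference: perms first, then SELinux; record the verdict."""
    if not dac_allows(proc, f, perm):
        verdict = "denied-by-perms"
    elif not te_allows(proc, f, perm):
        verdict = "denied-by-selinux"   # what an AVC denial in the audit log reports
    else:
        verdict = "granted"
    AUDIT.append((proc.name, proc.domain, f.path, f.setype, perm, verdict))
    return verdict == "granted"

def policy_size(n_subjects, n_objects, n_ops):
    """Rules needed for full coverage, per slide 7 (3 x 5 x 2 = 30)."""
    return n_subjects * n_objects * n_ops
```

progX and progY both run as the same user, so the permission check lets each read whatever that user may read; only the type-enforcement rule for the process domain tells them apart.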
