chroot and selinux


Upload: shay-cohen

Post on 13-Jul-2015


Page 1: chroot and SELinux

chroot and SELinux

● mailto:[email protected]

Page 2: chroot and SELinux

Chroot

A secure way of running untrusted or security-flawed software.
Limits program access to system resources outside the jail.
Confines programs to their own ‘/’ filesystem.
Allows safe testing of software in a confined environment.

Page 3: chroot and SELinux

Chroot

chroot is a command and a system call.
Changes the ‘/’ of the current process.
chroot should be executed only by root.
The new ‘/’ should contain all programs and files needed by the programs running in the chroot.

Page 4: chroot and SELinux

Chroot

A widespread example of chroot usage is anonymous FTP.
Upon anonymous FTP login, the FTP client has access to a chrooted ‘/’ which is actually a part of the bigger filesystem.
The FTP user cannot access files outside the chrooted environment.

Page 5: chroot and SELinux

Chroot

The chroot ‘/’ should contain all files used by the programs running inside it.
Among others, FTP requires the following files:

/bin/ls
/bin/false
/usr/lib/libc.*
/etc/passwd
/etc/group
/lib/ld.so.1
etc.

Chroot syntax: chroot <NEW ROOT PATH>
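A jail completeness check, added here as an example (it is not from the slides): it takes the file list above, reports what is missing under a candidate jail root, and flags symlinks that were linked in from the host instead of copied, since an absolute link such as etc/passwd -> /etc/passwd resolves against the new ‘/’ once chrooted and the file is effectively absent. The sample jail and its file names are constructed.

```python
import os
import tempfile

# Files the slides list as needed inside the FTP chroot (libc.* and other
# shared objects are checked the same way once you know their exact names).
REQUIRED = ["/bin/ls", "/bin/false", "/etc/passwd", "/etc/group", "/lib/ld.so.1"]


def missing_files(jail, required=REQUIRED):
    """Required paths that do not exist relative to the jail root."""
    return [p for p in required
            if not os.path.exists(os.path.join(jail, p.lstrip("/")))]


def escaping_symlinks(jail):
    """Symlinks under the jail whose target resolves outside the jail.

    Seen from the host the link works, so a naive 'exists' check passes,
    but after chroot the absolute target is looked up under the new '/'
    and no longer points at the host file. Replace such links by copies.
    """
    jail = os.path.realpath(jail)
    bad = []
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            target = os.path.realpath(full)
            if os.path.commonpath([jail, target]) != jail:
                bad.append(full[len(jail):])   # path as seen inside the jail
    return sorted(bad)


def build_sample_jail():
    """Constructed sample jail: ld.so.1 is missing and etc/passwd is a
    symlink to a file outside the jail (standing in for the host's passwd)."""
    jail = tempfile.mkdtemp(prefix="jail-")
    for p in ["/bin/ls", "/bin/false", "/etc/group"]:
        path = os.path.join(jail, p.lstrip("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    outside = tempfile.NamedTemporaryFile(delete=False)
    outside.close()
    os.symlink(outside.name, os.path.join(jail, "etc", "passwd"))
    return jail


if __name__ == "__main__":
    j = build_sample_jail()
    print("missing inside jail:", missing_files(j))
    print("symlinks escaping the jail:", escaping_symlinks(j))
```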

Page 6: chroot and SELinux

SELinux Overview

SELinux - Security Enhanced Linux.
Developed by the NSA.
Linux kernel extensions.
Implements Mandatory Access Control.
Extends the traditional UNIX access control mechanism.

Page 7: chroot and SELinux

SELinux Compatibility

A number of user-space utilities are replaced with SELinux-aware ones: login, ls, ps, etc.
Kernel modules compiled for a regular kernel need to be recompiled.
SELinux provides application compatibility: system call interfaces and application-visible data structures remain unchanged.

Page 8: chroot and SELinux

Current Linux security model

Root has complete control:

Uid = 0: complete control.
Setuid binaries: passwd, su, mount.
Privileged daemons: cron, cups, apache master, etc.

Any misconfiguration can lead to complete compromise of the system.

Page 9: chroot and SELinux

Discretionary VS Mandatory

Discretionary access control – the owner of the object defines access to it. This is the current Linux behaviour.

Mandatory access control – a central security policy. The policy cannot be overridden by malware or by accident, and gives granular access control over specific users and objects.

Page 10: chroot and SELinux

More on MAC

Prevents privilege escalation.
Role-based.
Allows protection from untrusted software code.
A centralized security policy allows easy analysis and management.

Page 11: chroot and SELinux

MAC in SELinux

Implements MAC using a combination of methods:

Type enforcement.

Role-based access control.

User identity.

Type enforcement is the most commonly used.

SELinux access control is evaluated after standard UNIX access control.

Page 12: chroot and SELinux

Type Enforcement

Everything on the system has a type.

Includes files, TCP ports, etc.

Type examples: system_u, user_home_t

Fine-grained access control for each object class: ioctl, read, write, getattr, etc.

Page 13: chroot and SELinux

Domain

Domains resemble types in their characteristics.
Unlike types, domains are defined on processes.

Domain examples:

init_t – init domain
sysadm_t – privileged domain
user_t – unprivileged domain

Fine-grained access control for each object class: fork, signal, getattr.

Page 14: chroot and SELinux

Security Policy

Specifies which access methods are allowed:

allow type1 type2:class {perm1 perm2 …};

Examples:

allow user_t proc_t:file {getattr read};
allow sysadm_t user_t:process {ptrace};
allow named_t dns_port_t:udp_socket {name_bind};

Anything not explicitly allowed is denied.
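A small evaluator for rules in the syntax above, added here as an example (it is not SELinux's own policy code): it parses the slide's three rules and answers access queries with default deny. Contexts are the identity:role:type strings the deck shows later; only the type component takes part in type enforcement.

```python
import re

# Constructed policy: the three allow rules from the slide.
POLICY = """
allow user_t proc_t:file { getattr read };
allow sysadm_t user_t:process { ptrace };
allow named_t dns_port_t:udp_socket { name_bind };
"""

# allow <source type> <target type>:<class> { perm ... } ;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;?")


def parse_policy(text):
    """Return {(source_type, target_type, class): set(perms)}.

    Repeated rules for the same triple are merged, as SELinux does."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def type_of(context):
    """Third field of identity:role:type, e.g. user_t from testuser:user_r:user_t."""
    return context.split(":")[2]


def is_allowed(rules, scontext, tcontext, tclass, perm):
    """Decide one access.  Anything not explicitly allowed is denied."""
    key = (type_of(scontext), type_of(tcontext), tclass)
    return perm in rules.get(key, set())


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    # The deck's later AVC example: user_t asking getattr on shadow_t -> denied.
    print(is_allowed(rules, "testuser:user_r:user_t",
                     "system_u:object_r:shadow_t", "file", "getattr"))
```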

Page 15: chroot and SELinux

Roles

A role is authorized for a set of domains.
A single UNIX user may be authorized for multiple roles, e.g. sysadm_r, developer_r.

The current role can be switched using the ‘newrole’ command:

newrole -r sysadm_r

Page 16: chroot and SELinux

Identity

Not the same as the uid.
Determines which roles and domains can be used.
Remains constant for a user – the su command doesn’t change identity, it changes the domain.

Page 17: chroot and SELinux

Security Context

The security context is combined from:

Identity.

Role.

Domain/type.

Security context can be checked using:

id command – will show user’s security context.

ls --context – will show an object’s context.

Page 18: chroot and SELinux

Examining Security Context

The security context is displayed as follows: identity:role:domain/type

Example:

$ ls -dZ /home/testuser
drwx--x--x testuser testuser system_u:object_r:user_home_dir_t /home/testuser

*The SELinux version of ls is used.

Page 19: chroot and SELinux

Strict VS Targeted policy

SELinux general configuration file is /etc/sysconfig/selinux.

Strict Policy

All processes including user logins and root, run in restricted mode. Anything not allowed explicitly is denied.

Targeted Policy

Only specific applications and objects are confined by SELinux.

Everything else runs in unconfined_t domain, which eliminates all SELinux restrictions.

Page 20: chroot and SELinux

Bundled targeted policy

Targeted Policies:

dhcpd, named, httpd, squid, portmap, nscd, etc. *More can be added.

Policy booleans allow easy policy configurations, such as:

Deny httpd access to home directories.

Allow dhcp failover mode.

Page 21: chroot and SELinux

Permissive vs Enforced

Permissive mode

Logs all SELinux related messages.

Does not enforce policies.

Good for analysis and auditing.

Safe.

Enforced mode

Enforces all SELinux policies.

Should be used after configuration tests in permissive mode.

Page 22: chroot and SELinux

Logging

SELinux logs messages via syslog.

SELinux log record examples:

User tried to edit /etc/shadow and failed:

avc: denied { getattr } for pid=6011 exe=/usr/bin/vim \
 path=/etc/shadow dev=03:03 ino=123456 \
 scontext=testuser:user_r:user_t \
 tcontext=system_u:object_r:shadow_t tclass=file

User executed /bin/bash and succeeded:

avc: granted for pid=1050 exe=/bin/bash path=/bin/bash \
 dev=03:03 ino=1122 scontext=testuser:user_r:user_t \
 tcontext=system_u:object_r:file_t tclass=file

Page 23: chroot and SELinux

Policy Editing

Policy source files reside under /etc/security/selinux/src/policy.

Policy is edited using text editor and later compiled using ‘checkpolicy’.

The audit2allow tool converts SELinux syslog messages into possible policy rules.

For custom made policies, use separate files to avoid upgrade collisions.
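The conversion audit2allow performs, written out as an added example (it is not the audit2allow tool itself): AVC records in the format shown on the Logging slide are parsed, denials are grouped by source type, target type and class, and each group becomes a candidate allow rule for review. The log lines are constructed from the slide's examples, with one extra denial added to show permissions being merged.

```python
import re

# Constructed AVC records modelled on the Logging slide, one record per line.
AVC_LOG = """
avc: denied { getattr } for pid=6011 exe=/usr/bin/vim path=/etc/shadow dev=03:03 ino=123456 scontext=testuser:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
avc: denied { read write } for pid=6011 exe=/usr/bin/vim path=/etc/shadow dev=03:03 ino=123456 scontext=testuser:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
avc: granted for pid=1050 exe=/bin/bash path=/bin/bash dev=03:03 ino=1122 scontext=testuser:user_r:user_t tcontext=system_u:object_r:file_t tclass=file
"""

# Only 'denied' records matter; pick the permission set and the three fields a rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\w+)")


def parse_denials(log):
    """Return {(source_type, target_type, class): set(perms)} for denied records."""
    denials = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                      # granted records and unrelated lines
        perms, scontext, tcontext, tclass = m.groups()
        key = (scontext.split(":")[2], tcontext.split(":")[2], tclass)
        denials.setdefault(key, set()).update(perms.split())
    return denials


def to_allow_rules(denials):
    """Render each denial group as an allow rule in the deck's policy syntax.

    These are candidates, not decisions: the rule below would let user_t read
    shadow_t, which is exactly the access the denial was protecting against."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in denials.items())


if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(AVC_LOG)):
        print(rule)
```

Put rules you do decide to keep in a separate file, as the slide advises, rather than editing the shipped policy sources.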