Hardening operating systems for security often require interesting sleights of technology, if not of hand. Security-Enhanced
Linux (SELinux) uses a more powerful and refined notion of access controls, called mandatory access controls (MAC), to help lock itself down from unauthorized access and use. With a few tricks up your sleeve, you can use this technique to get almost magical security protection.
Standard Linux distributions implement a basic file permission model called Discretionary Access Control (DAC). In this model, specific users own resources and files but they may delegate primitive access rights to other users throughout the system. Therefore, decisions regarding access to files and resources under this model rely on user identity and ownership.
If an application is subject to problems or mistakes with implementation or configuration, it may sometimes allow unauthorized users to assume the owner's credentials. Not only does this compromise the application itself, but it can even affect other processes or personnel depending on the owner's permissions to other files and resources. The worst-case scenario occurs when an application with root or administrator privileges is compromised and creates a massive single point of failure or vulnerability.
Using the MAC paradigm, fine-grained control over all user- and process-based interactions can be enforced. Granular, role-based access control is the key from an administrative standpoint, and is defined by objects, subjects and attributes. Each attribute of a given object detailed in a policy defines precisely who (personnel or processes) may access what (applications and data) and exactly how they may do so (create, modify or remove).
By leveraging extended MAC-based attributes for a given process, the scope of application activity can be safely narrowed to allow only the functionality it requires to operate, and no more. This effectively creates a logical divide between a known resource and the rest of the operating system by enforcing the principle of least privilege. This creates multiple points of failure or compromise.
At one time, SELinux kernel extensions were a pet project of the National Security Agency's Information Assurance initiative. It now has found its way into mainstream Linux distributions including FedoraCore and Debian. It has two modes of operation: permissive mode (debugging policies) and enforcement mode. There is any number of ways to determine its presence on a system (if you don't already know), one of which is the presence of a directory titled "selinux" at the root path. SELinux behavior is influenced by Boolean flags as follows:
[root@host]# /bin/echo 1 > /selinux/booleans/docked
[root@host]# /bin/echo 0 > /selinux/booleans/audit_on
Newly defined values must be explicitly committed to take effect:
[root@host]# /bin/echo 1 > /selinux/commit_pending_bools
Attributes of Ping:
[root@host]# /usr/sbin/getfattr -dm "^security" /bin/ping
The native network diagnostic utility ping helps illustrate the need for better MAC-based mechanisms. Ping requires raw socket access (the basic ability to modify packets beyond the kernel network code) which requires super-user privileges. However, ping is a diagnostic utility useful to more than the super-user, so delegating raw socket access to ping and limiting the scope of its capabilities otherwise is critical. Using traditional DAC-based controls, this is not entirely possible. Only where MAC is properly implemented can fine-grained access to all system resources be fully exercised.
The key concept in this architecture comes from understanding what makes sense for the target application to be able to do. Only those things that are necessary should be permitted, and everything else should be denied. By establishing security levels, creating secure hash keys and host-based mandatory access controls and controlling the underlying binary code package, you can properly scope and secure applications. This also prevents anyone from tampering with their contents or security attributes.
About the authors: Ed Tittel is a full-time freelance writer and trainer based in Austin, Texas, who specializes in markup languages, information security and IT certifications. Justin Korelc, a long-time Linux hacker who works with Ed, concentrates on hardware and software security topics. Together, the two have recently authored a book on Home Theater PCs and Tom's Hardware 2005 Holiday Buyer's Guide.