Security-Enhanced Linux

Last updated
SELinux
Original author(s) NSA and Red Hat
Developer(s) Red Hat
Initial releaseDecember 22, 2000;23 years ago (2000-12-22) [1]
Stable release
3.6 / 13 December 2023;12 months ago (2023-12-13) [2]
Repository
Written in C
Operating system Linux
Type Security, Linux Security Modules (LSM)
License GNU GPL
Website selinuxproject.org , https://www.nsa.gov/what-we-do/research/selinux/

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

Contents

SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy, and streamlines the amount of software involved with security policy enforcement. [3] [4] The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA).

Overview

The NSA Security-enhanced Linux Team describes NSA SELinux as [5]

a set of patches to the Linux kernel and utilities to provide a strong, flexible, mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering, and bypassing of application security mechanisms, to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.

A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources. Limiting privilege to the minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm if faulty or compromised (for example via buffer overflows or misconfigurations). This confinement mechanism operates independently of the traditional Linux (discretionary) access control mechanisms. It has no concept of a "root" superuser, and does not share the well-known shortcomings of the traditional Linux security mechanisms, such as a dependence on setuid/setgid binaries.

The security of an "unmodified" Linux system (a system without SELinux) depends on the correctness of the kernel, of all the privileged applications, and of each of their configurations. A fault in any one of these areas may allow the compromise of the entire system. In contrast, the security of a "modified" system (based on an SELinux kernel) depends primarily on the correctness of the kernel and its security-policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not necessarily pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

From a purist perspective, SELinux provides a hybrid of concepts and capabilities drawn from mandatory access controls, mandatory integrity controls, role-based access control (RBAC), and type enforcement architecture. Third-party tools enable one to build a variety of security policies.

History

The earliest work directed toward standardizing an approach providing mandatory and discretionary access controls (MAC and DAC) within a UNIX (more precisely, POSIX) computing environment can be attributed to the National Security Agency's Trusted UNIX (TRUSIX) Working Group, which met from 1987 to 1991 and published one Rainbow Book (#020A), and produced a formal model and associated evaluation evidence prototype (#020B) that was ultimately unpublished.

SELinux was designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Originally, the patches that make up SELinux had to be explicitly applied to the Linux kernel source; SELinux was merged into the Linux kernel mainline in the 2.6 series of the Linux kernel.

The NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. [6] The software was merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Red Hat, Network Associates, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems.

Security-Enhanced Linux implements the Flux Advanced Security Kernel (FLASK). Such a kernel contains architectural components prototyped in the Fluke operating system. These provide general support for enforcing many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multilevel security. FLASK, in turn, was based on DTOS, a Mach-derived Distributed Trusted Operating System, as well as on Trusted Mach, a research project from Trusted Information Systems that had an influence on the design and implementation of DTOS.[ citation needed ]

Original and external contributors

A comprehensive list of the original and external contributors to SELinux was hosted at the NSA website until maintenance ceased sometime in 2009. The following list reproduces the original as preserved by the Internet Archive Wayback Machine. The scope of their contributions was listed in the page and has been omitted for brevity, but it can be accessed through the archived copy. [7]

  • The National Security Agency (NSA)
  • Network Associates Laboratories (NAI Labs)
  • The MITRE Corporation
  • Secure Computing Corporation (SCC)
  • Matt Anderson
  • Ryan Bergauer
  • Bastian Blank
  • Thomas Bleher
  • Joshua Brindle
  • Russell Coker
  • John Dennis
  • Janak Desai
  • Ulrich Drepper
  • Lorenzo Hernandez Garcia-Hierro
  • Darrel Goeddel
  • Carsten Grohmann
  • Steve Grubb
  • Ivan Gyurdiev
  • Serge Hallyn
  • Chad Hanson
  • Joerg Hoh
  • Trent Jaeger
  • Dustin Kirkland
  • Kaigai Kohei
  • Paul Krumviede
  • Joy Latten
  • Tom London
  • Karl MacMillan
  • Brian May
  • Frank Mayer
  • Todd Miller
  • Roland McGrath
  • Paul Moore
  • James Morris
  • Yuichi Nakamura
  • Greg Norris
  • Eric Paris
  • Chris PeBenito
  • Red Hat
  • Petre Rodan
  • Shaun Savage
  • Chad Sellers
  • Rogelio Serrano Jr.
  • Justin Smith
  • Manoj Srivastava
  • Tresys Technology
  • Michael Thompson
  • Trusted Computer Solutions
  • Tom Vogt
  • Reino Wallin
  • Dan Walsh
  • Colin Walters
  • Mark Westerman
  • David A. Wheeler
  • Venkat Yekkirala
  • Catherine Zhang

Users, policies and security contexts

SELinux users and roles do not have to be related to the actual system users and roles. For every current user or process, SELinux assigns a three string context consisting of a username, role, and domain (or type). This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. The circumstances under which a process is allowed into a certain domain must be configured in the policies. The command runcon allows for the launching of a process into an explicitly specified context (user, role, and domain), but SELinux may deny the transition if it is not approved by the policy.

Files, network ports, and other hardware also have an SELinux context, consisting of a name, role (seldom used), and type. In the case of file systems, mapping between files and the security contexts is called labeling. The labeling is defined in policy files but can also be manually adjusted without changing the policies. Hardware types are quite detailed, for instance, bin_t (all files in the folder /bin) or postgresql_port_t (PostgreSQL port, 5432). The SELinux context for a remote file system can be specified explicitly at mount time.

SELinux adds the -Z switch to the shell commands ls, ps, and some others, allowing the security context of the files or process to be seen.

Typical policy rules consist of explicit permissions, for example, which domains the user must possess to perform certain actions with the given target (read, execute, or, in case of network port, bind or connect), and so on. More complex mappings are also possible, involving roles and security levels.

A typical policy consists of a mapping (labeling) file, a rule file, and an interface file, that define the domain transition. These three files must be compiled together with the SELinux tools to produce a single policy file. The resulting policy file can be loaded into the kernel to make it active. Loading and unloading policies does not require a reboot. The policy files are either hand written or can be generated from the more user friendly SELinux management tool. They are normally tested in permissive mode first, where violations are logged but allowed. The audit2allow tool can be used later to produce additional rules that extend the policy to allow all legitimate activities of the application being confined.

Features

SELinux features include:

Adoption

sestatus showing status of SELinux in a system SELinux sestatus screenshot.png
sestatus showing status of SELinux in a system

SELinux has been implemented in Android since version 4.3. [12]

Among free community-supported Linux distributions, Fedora was one of the earliest adopters, including support for it by default since Fedora Core 2. Other distributions include support for it such as Debian as of version 9 Stretch release [13] and Ubuntu as of 8.04 Hardy Heron. [14] As of version 11.1, openSUSE contains SELinux "basic enablement". [15] SUSE Linux Enterprise 11 features SELinux as a "technology preview". [16]

SELinux is popular in systems based on linux containers, such as CoreOS Container Linux and rkt. [17] It is useful as an additional security control to help further enforce isolation between deployed containers and their host.

SELinux is available since 2005 as part of Red Hat Enterprise Linux (RHEL) version 4 and all future releases. This presence is also reflected in corresponding versions of derived systems such as CentOS, Scientific Linux, AlmaLinux and Rocky Linux. The supported policy in RHEL4 is targeted policy which aims for maximum ease of use and thus is not as restrictive as it might be. Future versions of RHEL are planned to have more targets in the targeted policy which will mean more restrictive policies.

Use case scenarios

SELinux can potentially control which activities a system allows each user, process, and daemon, with very precise specifications. It is used to confine daemons such as database engines or web servers that have clearly defined data access and activity rights. This limits potential harm from a confined daemon that becomes compromised.

Command-line utilities include: [18] chcon, [19] restorecon, [20] restorecond, [21] runcon, [22] secon, [23] fixfiles, [24] setfiles, [25] load_policy, [26] booleans, [27] getsebool, [28] setsebool, [29] togglesebool [30] setenforce, semodule, postfix-nochroot, check-selinux-installation, semodule_package, checkmodule, selinux-config-enforcing, [31] selinuxenabled, [32] and selinux-policy-upgrade [33]

Examples

To put SELinux into enforcing mode:

setenforce 1

To query the SELinux status:

getenforce

Comparison with AppArmor

SELinux represents one of several possible approaches to the problem of restricting the actions that installed software can take. Another popular alternative is called AppArmor and is available on SUSE Linux Enterprise Server (SLES), openSUSE, and Debian-based platforms. AppArmor was developed as a component to the now-defunct Immunix Linux platform. Because AppArmor and SELinux differ radically from one another, they form distinct alternatives for software control. Whereas SELinux re-invents certain concepts to provide access to a more expressive set of policy choices, AppArmor was designed to be simple by extending the same administrative semantics used for DAC up to the mandatory access control level.

There are several key differences:

Similar systems and enhancements

Isolation of processes can also be accomplished by mechanisms such as virtualization; the OLPC project, for example, in its first implementation [36] sandboxed individual applications in lightweight Vservers. Also, the NSA has adopted some of the SELinux concepts in Security-Enhanced Android. [37]

General Dynamics builds and distributes PitBull Trusted Operating System, [38] a multilevel security (MLS) enhancement for Red Hat Enterprise Linux.

Multi-Category Security (MCS) is an enhancement to SELinux for Red Hat Enterprise Linux that allows users to label files with categories, in order to further restrict access through discretionary access control and type enforcement. Categories provide additional compartments within sensitivity levels used by multilevel security (MLS). [39]

See also

Related Research Articles

<span class="mw-page-title-main">GNU GRUB</span> Boot loader package

GNU GRUB is a boot loader package from the GNU Project. GRUB is the reference implementation of the Free Software Foundation's Multiboot Specification, which provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system's partitions.

chroot Operation that changes the apparent root directory in Unix-like systems

chroot is an operation on Unix and Unix-like operating systems that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.

Rule-set-based access control (RSBAC) is an open source access control framework for current Linux kernels, which has been in stable production use since January 2000.

Systrace is a computer security utility which limits an application's access to the system by enforcing access policies for system calls. This can mitigate the effects of buffer overflows and other security vulnerabilities. It was developed by Niels Provos and runs on various Unix-like operating systems.

The Flux Advanced Security Kernel (FLASK) is an operating system security architecture that provides flexible support for security policies. It is a joint venture between the National Security Agency, the University of Utah, and the Secure Computing Corporation project designed to provide a framework for a more secure operating system. Development and implementation started with the Mach microkernel, and has since shifted its focus to the Linux operating system. FLASK is a core framework in security-focused operating systems such as NSA's Security-Enhanced Linux (SELinux), OpenSolaris FMAC and TrustedBSD. This means that SELinux can be thought of as an implementation of FLASK.

In computer security, mandatory access control (MAC) refers to a type of access control by which a secured environment constrains the ability of a subject or initiator to access or modify on an object or target. In the case of operating systems, the subject is a process or thread, while objects are files, directories, TCP/UDP ports, shared memory segments, or IO devices. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, the operating system kernel examines these security attributes, examines the authorization rules in place, and decides whether to grant access. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications, permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of multilevel security.

udev is a device manager for the Linux kernel. As the successor of devfsd and hotplug, udev primarily manages device nodes in the /dev directory. At the same time, udev also handles all user space events raised when hardware devices are added into the system or removed from it, including firmware loading as required by certain devices.

In computer networking, xinetd is an open-source super-server daemon which runs on many Unix-like systems, and manages Internet-based connectivity.

<span class="mw-page-title-main">AppArmor</span> Linux kernel security module

AppArmor is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been partially included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

Linux Security Modules (LSM) is a framework allowing the Linux kernel to support, without bias, a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and is a standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, and TOMOYO Linux are the currently approved security modules in the official kernel.

The concept of type enforcement (TE), in the field of information technology, is an access control mechanism for regulating access in computer systems. Implementing TE gives priority to mandatory access control (MAC) over discretionary access control (DAC). Access clearance is first given to a subject accessing objects based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In the Linux security module (LSM) in SELinux, the security context is an extended attribute. Type enforcement implementation is a prerequisite for MAC, and a first step before multilevel security (MLS) or its replacement multi categories security (MCS). It is a complement of role-based access control (RBAC).

The XTS-400 is a multilevel secure computer operating system. It is multiuser and multitasking that uses multilevel scheduling in processing data and information. It works in networked environments and supports Gigabit Ethernet and both IPv4 and IPv6.

<span class="mw-page-title-main">Tomoyo Linux</span> Linux kernel security module

Tomoyo Linux is a Linux kernel security module which implements mandatory access control (MAC).

In computer security, the Linux Intrusion Detection System (LIDS) was a patch to the Linux kernel and associated administrative tools that enhanced the kernel's security by implementing mandatory access control (MAC). When LIDS was in effect all system network administration operations, chosen file access, any capability use, raw device, memory, and I/O access could be made impossible, even for root. One could define which programs can access specific files. It used and extended the system capabilities bounding set to control the whole system and added some network and filesystem security features to the kernel to enhance the security. One could finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more. LIDS supported Linux kernel 2.6, 2.4. LIDS was released under the terms of the GNU General Public License (GPL).

<span class="mw-page-title-main">Smack (software)</span> Linux kernel security module

Smack is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release, it was the main access control mechanism for the MeeGo mobile Operating System. It is also used to sandbox HTML5 web applications in the Tizen architecture, in the commercial Wind River Linux solutions for embedded device development, in Philips Digital TV products., and in Intel's Ostro OS for IoT devices.

<span class="mw-page-title-main">System Integrity Protection</span> Security feature by Apple

System Integrity Protection is a security feature of Apple's macOS operating system introduced in OS X El Capitan (2015). It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).

Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel and the systemd init system. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap was originally released for cloud applications but was later ported to also work for Internet of Things devices and desktop applications.

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

Android devices have the ability to run virtual machines or emulate other operating systems. It does this either via desktop virtualization, platform virtualization, or emulation via compatibility layer.

References

  1. "Security-enhanced Linux available at NSA site - MARC". MARC . Retrieved 24 December 2018.
  2. "SELinux userspace release 3.6". SELinux Project. 2023-12-14. Retrieved 2024-03-16.
  3. "SELinux Frequently Asked Questions (FAQ) - NSA/CSS". National Security Agency. Archived from the original on 2018-09-18. Retrieved 2013-02-06.
  4. Loscocco, Peter; Smalley, Stephen (February 2001). "Integrating Flexible Support for Security Policies into the Linux Operating System" (PDF).
  5. "Security-Enhanced Linux - NSA/CSS". National Security Agency. 2009-01-15. Archived from the original on 2020-10-22. Retrieved 2021-04-21.
  6. Compare "National Security Agency Shares Security Enhancements to Linux". NSA Press Release. Fort George G. Meade, Maryland: National Security Agency Central Security Service. 2001-01-02. Archived from the original on 2018-09-18. Retrieved 2021-04-21. The NSA is pleased to announce that it has developed, and is making available to the public, a prototype version of a security-enhanced Linux operating system.
  7. "Contributors to SELinux". Archived from the original on 2008-10-18.
  8. Fedora Documentation Project (2010). Fedora 13 Security-Enhanced Linux User Guide. Fultus Corporation. p. 18. ISBN   978-1-59682-215-3 . Retrieved 2012-02-22. SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Caching decisions decreases how often SELinux rules need to checked, which increases performance.
  9. "SELinux/Quick introduction - Gentoo Wiki". wiki.gentoo.org.
  10. "Getting Started with SELinux". Linode Guides & Tutorials. 18 March 2020.
  11. "NB Overview - SELinux Wiki". selinuxproject.org.
  12. "Security-Enhanced Linux in Android". Android Open Source Project. Retrieved 2016-01-31.
  13. "SELinux". debian.org.
  14. "How To Install SELinux on Ubuntu 8.04 "Hardy Heron"". Ubuntu Tutorials.
  15. "openSUSE News". 20 August 2008.
  16. "Release Notes for SUSE Linux Enterprise Desktop 11". Novell . Retrieved 2013-02-06.
  17. "SELinux on CoreOS". CoreOS Docs.
  18. "SELinux/Commands - FedoraProject" . Retrieved 2015-11-25.
  19. "chcon". Linuxcommand.org. Archived from the original on 2004-10-24. Retrieved 2013-02-06.
  20. "restorecon(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  21. "restorecond(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  22. "runcon(1) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  23. "secon(1) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  24. "fixfiles(8): fix file SELinux security contexts - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  25. "setfiles(8): set file SELinux security contexts - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  26. "load_policy(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  27. "booleans(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  28. "getsebool(8): SELinux boolean value - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  29. "setsebool(8): set SELinux boolean value - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  30. "togglesebool(8) - Linux man page". Linux.die.net. Retrieved 2013-02-06.
  31. "Ubuntu Manpage: selinux-config-enforcing - change /etc/selinux/config to set enforcing". Canonical Ltd. Archived from the original on 2012-12-20. Retrieved 2013-02-06.
  32. "Ubuntu Manpage: selinuxenabled - tool to be used within shell scripts to determine if". Canonical Ltd. Archived from the original on 2013-02-09. Retrieved 2013-02-06.
  33. "Ubuntu Manpage: selinux-policy-upgrade - upgrade the modules in the SE Linux policy". Canonical Ltd. Archived from the original on 2012-04-04. Retrieved 2013-02-06.
  34. "SELinux backgrounds". SELinux. Security Guide. SUSE.
  35. "apparmor.d - syntax of security profiles for AppArmor". Archived from the original on 2013-10-17.
  36. "Rainbow". laptop.org.
  37. "SELinux Related Work". NSA.gov. Archived from the original on 2018-02-20. Retrieved 2016-08-23.
  38. General Dynamics. "PitBull Trusted Operating System".
  39. Red Hat, Inc. "49.4. Multi-Category Security (MCS)".