First SELinux impressions

With the recent release of the second Fedora Core 2 test, many users are getting their first exposure to Security Enhanced Linux (SELinux). We decided to take a look at SELinux in Fedora Core to give readers a taste of what's to come.

SELinux introduces new layers of security, enforced by the kernel, in addition to the standard Discretionary Access Control (DAC) model that Linux users are already familiar with. The DAC model applies security based only on a user's identity and the permissions associated with files and processes. SELinux adds Mandatory Access Control (MAC) over processes and files based on a policy set by the administrator, rather than based solely on user or process identity.

SELinux also provides Type Enforcement (TE) for files and devices, otherwise known as "objects," and Role-Based Access Control for users and processes. TE in conjunction with Role-Based Access Control (RBAC) provides the ability to set policies based on the type of object, rather than its DAC permissions. The practical upshot of this is that a user or process must not only have the appropriate DAC permissions to access an object, but also must meet the RBAC requirements to access an object.

It's important to note that SELinux does not do away with the standard DAC model. For example, if a normal user attempts to execute a file owned by root with the mode 500, they will be denied the ability to do so without SELinux features coming into play. However, SELinux goes beyond that level of control. For example, an administrator can set policy that prevents a user from granting access to files to other users even if that user owns the file.

To paraphrase Spider Man's tagline, with great power comes great complexity. Getting up to speed with SELinux tools and policy will take some time. While SELinux gives an administrator a greatly enhanced security toolbox, it also complicates the job of administrating a system. The integration of SELinux adds a number of new programs and configuration files for the administrator to familiarize themselves with, as well as adding new options to familiar programs like ps and ls. It is safe to say that the syntax for SELinux's policy configuration files is less than user-friendly.

Administrators who plan to tweak the SELinux policy settings should plan to set aside a fair amount of time to learn the syntax and procedure for updating policy. To edit a system's policy requires the administrator to edit one or more of dozens of configuration files under /etc/security/selinux/src/policy, then compile and load the new policy using make.

Users should also be aware that the additional security checks involved with SELinux may come at the price of a performance impact. The Fedora SELinux FAQ notes that SELinux decreased performance by 7% for "completely untuned code" when SELinux was last tested and may have become worse due to changes made since then. Of course, a 7% drop in system performance is generally considered preferable to a 100% compromised system.

Administrators considering SELinux should note that it may limit their choice of filesystems, at least with Fedora's implementation. The popular ReiserFS in Fedora does not support file labeling, making it unsuitable for use with SELinux. This writer also found that the ability to turn enforcement on and off, using "setenforce" is quite invaluable during SELinux testing. It is possible to disable logins to a system simply by setting /etc/passwd's security context incorrectly. For those who don't want to jump into SELinux with both feet, setting the enforcement policy to "permissive" will cause the system to print warnings whenever access to an object would have been denied, but to not restrict any access beyond what the traditional discretionary controls dictate.

For the most part, the end-user experience is, with luck, largely unchanged. Though some users have reported problems with various end-user applications not working with SELinux enabled, this writer did not encounter any problems using FC2 on the desktop or at the shell for normal work.

Despite its complexity, SELinux shows a great deal of promise for improving the overall security of Linux systems. It seems likely that the tools for creating and customizing SELinux will improve over time and make the task less difficult. Even at the current level of complexity, it would be well worth an administrator's time to learn and deploy SELinux for systems that are directly connected to the Internet or other hostile environments.

Index entries for this article
GuestArticles	Brockmeier, Joe

---

to post comments

Could be a lot better

Posted Apr 8, 2004 2:36 UTC (Thu) by elanthis (guest, #6227) [Link] (1 responses)

SELinux feels and acts completely alien on a Linux system. The entire design is so unlike the way a UNIX veteran would expect the system to be built. Complex configuration tools that aren't friendly standard system utilities like grep and awk, requiring configuration information to be stored in multiple places, reinventing wheels instead of improving the wheel, etc.

I'm working on a write-up regarding how SELinux *could* have been designed, and how it can be improved in user-space with no changes to the core SELinux code and design. I was hoping to have it finished tonight, actually, but I'm a bit weery of writing after some 4 hours of it.

Really, tho, SELinux is *not* the best implementation of a security framework at all. It's a bit sad Red Hat/Fedora are putting so much effort into switching to it when a more sane, integrated, UNIX-like security framework could be used. SELinux, as is, is just a nightmare to try to configure and use at all.

Could be a lot better

Posted Apr 8, 2004 16:11 UTC (Thu) by smoogen (subscriber, #97) [Link]

It is always easy to say how things *could* be designed... but it is very rare to see such things become actual code. I would say that a better model would be to write up your complaints and suggestions, and then get 10-20 coders to try and write your model.

First SELinux impressions

Posted Apr 8, 2004 4:36 UTC (Thu) by sward (guest, #6416) [Link] (4 responses)

SELinux may give administrators extra flexibility, and add some extra "layers" of protection for critical files (depending on how the policies are set). But security pros usually consider complexity to be the enemy of good security - and this system is nothing if not complex.

I suspect that for every properly configured SELinux install, there will be several that leave gaping holes because they've been misconfigured. If distros come up with good default configs, that will help, but it probably won't be enough. People will still be placing too much trust in a system they (incorrectly) believe to be secure.

On the whole, I'd rate this a small net benefit. Not the big step forward one was hoping for.

First SELinux impressions

Posted Apr 8, 2004 17:49 UTC (Thu) by dac (guest, #9260) [Link] (3 responses)

The complexity is a direct result of Linux being complex. There are over 30 object classes (e.g., files, dirs, sockets, etc.) with each one having some subset of the over 120 possible permissions. There is certainly a trade off in providing a system with the granularity to control every single permission for every object class.

SE Linux does not "leave gaping holes" no matter how misconfigured. An SE Linux policy that is wide open and allows all processes access to all objects is no worse than that system would be without SE Linux.

I think the immediate impact it can have on hardening a server is a big benefit. I agree with you somewhat from the perspective of desktop users trying to get a handle on the complexities.

First SELinux impressions

Posted Apr 8, 2004 21:01 UTC (Thu) by sward (guest, #6416) [Link]

I'll grant that the "gaping holes" comment was a little over the top, but if you are trusting the system with data that needed that additional protection, and you think that you have hardened it, but have actually misconfigured it in some non-obvious fashion - then you are worse off than if you knew that it could not be trusted with the data.

I'm sure that SELinux will be a great benefit in some areas, but the complexity (necessary as it is) still concerns me. Both from a configuration standpoint (though again, good defaults could go a long way), and from a code-complexity standpoint (more complex code being prone to more bugs).

First SELinux impressions

Posted Apr 12, 2004 15:48 UTC (Mon) by elanthis (guest, #6227) [Link] (1 responses)

The problem is that it's too hard to manage those security attributes. A much better configuration system could hide most of that complexity. Similar to how a desktop like GNOME or KDE hides much of the underlying UNIX complexity. If all I want to do is say that /usr/sbin/apache can't access anything outside of /svr/www, I should be able to say that and have it work. Yes, that would mean a new configuration file format and a much more intelligent "compiler" than m4, but that's what is needed. Imagine being able to open up /etc/security/access.d/apache and putting in:

binary /usr/sbin/apache {
path / deny all
path /etc/apache allow read
path /svr/www/html allow read
path /svr/www/cgi-bin allow read
path /svr/www/tmp allow read,write
}
binary /usr/sbin/apacheconf {
path / deny all
path /etc/apache allow read,write
}

That would generate automatically any domains/types needed, tag files, etc. Very simple configuration input, very easy to read, easy to understand, etc. If you need more than "read" and "write" support, just say so. "read" may well just be a meta-privilege that is an alias for several lower-level capabilities.

First SELinux impressions

Posted Apr 17, 2004 3:25 UTC (Sat) by dotpeople (guest, #20635) [Link]

What happened with the SE Linux patent dispute from a while back?

Have you tried LIDS? It supports a configuration syntax similar to your suggestion.

LIDS + grsecurity (minus the ACL features, which overlap with LIDS) is competitive with SE Linux. Especially in the usability (and therefore practical security) arena. At the least, it's a good sandbox to learn about isolation.

The combination will work in a live linux CD for firewalls, etc.

--
Rich Persaud

reiserfs

Posted Apr 8, 2004 5:17 UTC (Thu) by jamesm (guest, #2273) [Link]

Chris Mason from SuSE is submitting the xattr & SELinux support for reiserfs v3 to Andrew Morton, see http://marc.theaimsgroup.com/?l=linux-kernel&m=108127522421347&w=2

First SELinux impressions

Posted Apr 8, 2004 8:27 UTC (Thu) by angdraug (subscriber, #7487) [Link]

What I would *love* to see is a side-by-side comparison of SELinux and RSBAC, and probably some other role-based security system for good measure...

First SELinux impressions

Posted Apr 8, 2004 21:26 UTC (Thu) by Klavs (guest, #10563) [Link] (1 responses)

Anybody know why systrace is no used, atleast as an alternative? - see http://www.onlamp.com/pub/a/bsd/2003/02/27/Big_Scary_Daemons.html - its used on both OpenBSD and Linux - in exactly the same way, with the same config format (nice :)

it also seems much more intuitive - although I haven't had the time to use it yet.

First SELinux impressions

Posted Apr 9, 2004 15:12 UTC (Fri) by dac (guest, #9260) [Link]

I haven't looked at systrace, except for the url you cited. Based on that, I'd say one big difference is that a systrace policy controls how a particular program acts. SE Linux dictates how that program may act when run in a specific domain. An SE Linux policy may define the same set of controls for a program, but it may also define a subset of those permissions for a less trusted domain (for simplicity assume that a domain is a user or set of users).

The article also indicates that systrace is invoked only if the program is run with systrace. It also says that an administrator may grant access that is denied by the policy while the program is running. In SE Linux the security check is always invoked for all process/object interactions and there is no choice; access is granted or denied by the kernel.

I get the feeling that there are some very nice features that systrace might offer an SE Linux policy writer. It seems like it might be especially useful in generating a first cut policy for SE Linux.