Policy Editor for Security Enhanced Linux
Policy Editor is a tool to streamline and simplify your complicated settings for Security Enhanced Linux (SE Linux). Designed for professionals in Network industries.
This document is designed to describe Flask security model, which is used for the SE Linux, and to provide instructions for the setting up our powerful tool, the Policy Editor. In the last section, there is a basic explanation of how to verify logs.
For more information, see the manual of SE Linux Policy Editor.
1. Security Model for SE
Linux
1.1 Security Decision Based on
Labeled Object
1.2 Type Enforcement (Domain
Transition)
1.3 Role Based Access Control
(RBAC)
2. How to Configure Policy
rules with Policy Editor?
4 Setting an Administrative
role for bind
4.4 Associating a User to the
Role
1. Security Model for SE Linux
1.1
Security Decision Based on Labeled Object
The security model used by
policy
enforcement. All security policy related to logic is done by the security
server but is implemented in Linux as a kernel subsystem.
Under
SE Linux, a ¡ÈDomain¡É is appended to each
processes and a ¡ÈType¡É is appended to each
resource which includes not only a file
but also a network socket and a port as a label based on the security
policy.
You can
set permissions by setting rights for the type to the Domain. Each domain and
type should be ended with ¡È_t¡É.
See an
example for the setting which allows ¡Èhttpd¡É domain to access to a homepage in
Figure 0.1.
In the example, ¡Èhttpd_t¡É domain is
attached to ¡È/usr/sbin/httpd¡É and ¡Ècontents_t¡É type is attached to ¡È/var/www¡É.
¡Èhttpd¡É domain has a
permission to read to ¡Ècontents_t¡É. As a default, a
domain doesn¡Çt have any permission. You can add permissions to a domain one by
one by specifying permissions to each
resource label. Therefore, each process can have minimum right(s) and reduce
the damage by exposure or the threat of loss on your network.
Figure 0.1 An example of access control by labeled object
Notes:
Under SE Linux, access control is compatible with normal Linux permissions.
Make sure you can access to the type only by setting
permissions to both SE Linux and normal Linux.
1.2
Type Enforcement (Domain Transition)
To
allocate a domain label to each process, most of the cases, ¡ÈDomain Transition¡É scheme is used, which is very
similar to Linux setuid.
When a parent process pornes a set of
child processes, the domain of the parent process will be inherited to the
child processes.
Under SE Linux, you can change the domain
and attached a different domain to each child process. This is called ¡ÈDomain
Transition¡É.
The syntax is as follows:
¡ÈWhen
running Program X, any process run on Domain A will be run on Domain B¡É.
Program
X here, to be a trigger of domain transition, is called Entry point.
See some examples shown bellow.
Example
A: init process runs in init_t domain. When a process of init_t domain is
executed by script under ¡È/etc/rc.d¡É, itts child
Process(es) are run in initrc_t domain.
Example
B: xinetd runs in ¡Èxinetd_t¡É domain. When executing ¡È/sbin/in.telnetd¡É, its
child process(es) run in ¡Èrlogind_t¡É domain.
Repeating
domain transition like this allocates a domain to process to prevent from
centralized permission to specific process.
For any
other examples, see the screen image of [Configure domain transition] from SE
Linux Policy Editor.
1.3
Role Based Access Control (RBAC)
Each user in SE Linux has one or more ¡ÈRoles¡É. Role is a set of rights you set in the system.
Based on the role they play in the system,
Role Based Access Control (RBAC) assigns
permissions to objects. Any role name you set in your system should be
ended with ¡È_r¡É.
For
example, as a default in SE Linux Policy Editor, you can choose either ¡Èsysadm_r¡É
or ¡Èsecadm_r¡É for root user when logging in to the system. If choosing
¡Èsysadm_r¡É, root user will log in as Linux system administrator, choosing
¡Èsecadm_r¡É will log in as SE Linux security manager. Also, user shell runs with
a domain name with which is changed from ¡È_r¡É to ¡È_t¡É. Which
means, when root user login as ¡Èsysadm_r¡É, user shell runs in ¡Èsysadm_t¡É
domain.
You can
grant permission to a role with SE Linux Policy Editor. User shell runs based
on the permission set to the role.
Note that you need to configure
relationship between user and role in [Relationship between user and role] from
menu of SE Linux
Policy Editor in
advance to allow user to
login with one or more roles.
2. How to Configure Policy rules with Policy
Editor?
You can
configure policy rules of your SE Linux with Policy Editor with the following
steps:
1.
Create
a domain (role).
2.
Set
up domain transition.
3.
Grant
proper permission to the domain (role).
4.
Set
the role to one or more users. (for role)
5.
Load
the configurations to your Linux kernel.
6.
Update
file labeling.
A)
If
granting permission to a file, you need to label a new type label again. Type
label will be generated automatically by Policy Editor.
B)
If
there is no change in file labeling, you do not need to do so.¡Êe.g. setting only
network-related ACL¡Ë
7.
Run a
program and check logs. If your configurations are not completed properly or
incorrect, you will find an error in a log which indicates access has been
denied. See section 5 for your understanding of how to
verify a log.
8.
If
you find any error message in a log, go back to step 3.
It
is recommended that these configurations above will be done with permissive
mode.
3. Configure a Process (bind)
For an
example of process configuration, see the example for bind (/usr/sbin/named)
below. Suppose you allocate a domain named
¡Ènamed_t¡É in bind. This section describes the configuration based on
Redhat7.2, so see your manual for proper path if using
other
distributions. Configuration
for other deamon programs is same as this one.
3.1
Creating
a Domain
Click
on [Create new domain/role] from menu and enter ¡Ènamed_t¡É in Domain/Role name field to
click [Create] button.
3.2
Domain
Transition
Link
the domain you created to a program. Click on [Configure
domain transition] from menu. Since bind is run by a script under
¡È/etc/rc.d/init.d¡É so the original domain
of the bind will be ¡Èinitrc_t¡É. Then, Select [Add new
transition] and click [initrc_t]. From your right pane,
enter ¡Ènamed_t¡É as domain name and
¡È/usr/sbin/named¡É as entry point to click [apply]
button. Now, the bind will be started on ¡Ènamed_t¡É domain.
3.3 Granting
Permissions
Next,
grant permission to the bind to any required resource. Typically, run the
process in permissive mode and verify the log to identify
the resources needed to access.
(1) Verify the original domain has permission
to run the entry-point.
¡ÈInitrc_t¡É is
required to be allowed to execute named.
Select [Configure ACL(Access
Control List)] ¢ª [initrc_t] ¢ª [File ACL] ¢ª [/usr/sbin] and verify the checks in
r, x, y in named.
(2) Set permission to files
(a) Set Deny access
Select [Configure ACL(Access
Control List)] ¢ª [global] ¢ª [File ACL].
Check ¡Èdeny¡É for ¡È/var/named,/var/run/named¡É. This make all
access to ¡È/var/named¡É (zone file) and ¡È/var/run/named¡É (pid file) will be
denied to
all domains in your system. (*Notes)
(b) Grant permission to file(s)
Ž¥Select [Configure ACL(Access Control
List)]¢ª[named]¢ª[File ACL].
Ž¥Check [r] for ¡È/var/named¡É.
Ž¥Check [r] and [w] for ¡È/var/run/named¡É.
Ž¥Grant reed permission
to ¡È/etc/mtab¡É. Also, grant access to ¡Èetc_runtime_t¡É from [dynamic labeled
files] in ¡È/etc¡É directory.
* Notes¡§For the case of named, a pid file will be created
under ¡È/var/run/named¡É, however most of the cases, deamon will create a pid
file under
/var/run. If you
keep a pid file under /var/run, you need to configure
the file in [dynamic labeled files].
(3) Network ACL
Check [allow network socket] from [Network ACL].
Enter 53 for TCP and 953 for UDP in [reserve well-known port].
(4) Required
configuration for communicating with syslog
Since bind will create a log through
syslog, you need to configure communication with syslog. The way to configure a
domain to communicate with Syslog is fixed as follows:
Ž¥Choose ¡Èsyslogd_t ¡È
from [unix domain socket] in [Network ACL].
Ž¥Check [r] and [w] for
¡È/dev/log¡É in [File ACL]. You can find ¡È/dev/log¡É under [dynamic labeled files]
under ¡È/dev¡É as ¡Èdev_log_t¡É.
(1) Miscellaneous
A message might be displayed on
administrator¡Çs console by deamon. If you see any message, add ¡Èsysadm_r¡É to
read
/write permission in [communication with tty] and [communication with psd] from [TTY ACL].
Also, grant read / write
permission to ¡Èinitrc_t¡É for ¡È/var/run/named¡É since started script needs to
read / write pid file.
3.4
Update
Configuration
Go to top menu to select [Update configuration] and
click [update all configuration].
3.5
Confirming
the Settings
(1) Start bind
Log in as ¡Èsysadm_r¡É and enter the following command;
run_init /etc/rc.d/init.d/named restart
Bind will start following
sequence.
run_init command(run_init domain) -> start up script(initrc_t
domain) -> bind(named_t domain)
(2) Confirm bind domain
Enter the following command;
ps ax --context
Confirm the following line will be displayed;
system_u:system_r:named_t named
4
Setting
an Administrative role for bind
As an
example, create ¡Ènamemaster_r¡É role for administrative name server.
4.1
Creating
a Role
Create
a role named ¡Ènamemaster_r ¡È.
4.2
Domain
Transition
Go to [Configure domain transition].
(1) Configure domain transition for login
Configuration
of domain transition for login depends on when to allow login. You need to add
domain transition if necessary. Please make sure to set entry point as ¡È/bin/sh,/bin/bash¡É. See the following examples;
Ž¥allow login from local console: add
¡Ènamemaster_r¡É under ¡Èlogin_t¡É.
Ž¥allow login via telnet command: add
¡Ènamemaster_r¡É under ¡Èremote_login_t¡É.
Ž¥allow login with
ssh: add
¡Ènamemaster_r¡É under ¡Èsshd_t¡É
(2) Configure domain transition for named
Add a
domain transition to ¡Ènamed_t¡É under ¡Ènamemaster_r¡É since bind needs to be run
in ¡Ènamed_t¡É domain when re-start bind from ¡Ènamemaseter_r¡É. Entry point will
be ¡È/usr/sbin/named¡É.
4.3
Granting
Permissions
(1) File ACL
Select ¡Ènamemaster_r¡É from [Configure ACL(Access Control List)] to click [File ACL].
(a) Grant write permission to home directory
For root user, check [r] and [w] for ¡È/root¡É. For any
other user(s), check [r] and [w] under ¡È/home¡É.
(b) Grant write permission to zone file
Check [r], [w], and [s] for ¡È/var/named¡É.
(c) Grant reed permission to bind log file
It depends on bind settings. In this example, check
[r] and [s] for bind log file.
(d) Grant permission to run bind executable file
or script.
Check [r], [x], and [s] for ¡È/usr/sbin/named¡É.
Check [r], [x], and [s] for ¡È/etc/rc.d/init.d¡É.
(e) Grant permission to command(s)
Check [r], [x], and [s] for a directory where
commands are in, such as ¡È/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/selinux/bin¡É.
(f) Grant permission to read a mail
Check [s] for ¡È/var/spool¡É and [r] and [s]
for ¡È/var/spool/mail/¡É.
(g) Miscellaneous
Check [r] for ¡È/etc/mtab¡É. You can find
¡Èetc/mtab¡É under /etc directory as a dynamic labeled file named
¡Èetc_runtime_t¡É.
(2) Other configurations
(a) Network
Check [allow network socket] from [Network
ACL].
(b) Communication with bind
To communicate with local bind, you need
to allow communication between bind and process.
From [Configuration of IPC ACL ], choose ¡Ènamed_t¡É for [tcp socket] and [udp socket]
under [Socket] to click [apply] button.
(c) Terminal settings
Ž¥From [TTY ACL], check
¡Ècreate tty¡É under ¡ÈCommunicate with tty¡É. This setting is needed to create a
role-specific tty when login program
run at login.
Ž¥From [TTY ACL], add ¡Ènamemaster_r¡É for
[read] and [write] under [Communication with tty] and [Communication with ps]. (Skip this step if you
do not need remote login.)
4.4
Associating
a User to the Role
Select
[relationship between user and role]. Choose a user who login for ¡Ènamemaster_r¡É
and add ¡Ènamemaster_r in [allowed role].
4.5
Update
Configuration
Select
[Update configuration] to click [update all configuration]. All configurations
will be read to kernel system and re-label files.
4.6
Changing
UID
To use
¡Ènamemaster_r¡É with a user except root user, you need to set the user¡Çs uid as
0 since zone file can be written only by root
user with normal permission settings in UNIX.
In SE Linux, normal UNIX permission is considered to be editable, so whenever
you create administrative role, the uid should be set to 0.
5. Logs
5.1
Overview
SE
Linux outputs a log as a kernel message when any access is denied. As a
default, a log from SE Linux will be outputted to ¡È/var/log/messages¡É See an
example of a log in figure 0.1 below:
|
avc: denied { read } for
pid=8903 exe=/bin/cat path=/var/www/html/index.html dev= tcontext=system_u:object_r:var_www_t tclass=file |
You can
see a variety of information in the log above, but see the information in red
for common part of logs. This section describes
the information (field) in red.
l
{(manipulation)}: indicating the denied manipulation. In the
example above, ¡Èread¡É is denied.
l
scontext: indicating a domain name which try to access to the
target resource.
l
tcontext: indicating a label name associated to the target
resource.
l
tclass: indicating a type of the target resource.
In the
example in figure 0.1, the log indicates that a process with ¡Èsysadm_t¡É as a
domain name failed to read a file labeled ¡Èvar_www_t¡É. This log tells us that
read permission is needed to granted to var_www_t in
sysadm_t domain. Of course, you need to investigate if the access is needed or not.
However, it is a little complicated for user to verify what permissions needed to be granted, so see more examples below.
(Examples explain the information in a log according to the Policy Editor settings.)
5.2
File
ACL
If any
configuration missing for a file, the following log (figure 0.2) will be
displayed indicating access to the file is denied.
|
avc: denied { read } for pid=8903 exe=/bin/cat path=/var/www/html/index.html dev= tcontext=system_u:object_r:var_www_t
tclass=file |
Figure 0.2 Example of a log for file
The information in red in
the log above is related to a file configuration. You can see read access to
¡È/var/www/html/index.html¡É is
denied in ¡Èsysadm_t¡É domain.
Note that the path is shown from your
mount point. For example, file system is mounted to ¡È/usr/local¡É, you never know if it is
¡È/var/www/html¡É
or ¡È/usr/local/var/www/html¡É by the path shown above. You can see which file system you are
using by checking
¡Èdev¡É field. ¡Èdev=08:01¡É is the partition major and minor number mounted.
From ¡È/etc/mtab¡É, you can find how the major / minor
numbers and mount point corresponded each other.
Figure
0.3 shows permission you can grant with SE Linux Policy Editor and log
information. See the figure below to consider your
permission.
Figure 0.3 Grantable permission
with SE Linux Policy Editor and log information (for files)
|
Permission |
Log information |
|
r |
¡Èread lock unlock ioctl¡É
is shown in {}. |
|
w |
¡Éwrite append create setattr addname unlink link
rename¡É is shown in {}. |
|
x |
¡Éexecute execute_no_trans¡É is shown in {}. |
|
s |
¡Ésearch getattr¡É is displayed in {}. |
From
the example log above, you need to grant read access to
¡È/var/www/html/index.html¡È in ¡Èsysadm_t¡É domain. With
Policy
Editor, sysadm_t is a domain of user shell when user with sysadm_r role logs in,
so that grant read access to
¡È/var/www/html/index.html¡É in sysadm_r role as well.
5.3
Network
ACL
Various
logs will be outputted when network-related manipulation is denied. See the
Figure 0.4 for grantable permission with
SE
Linux Policy Editor.
Figure 0.4 Grantable permission with SE Linux
Policy Editor and log information (for network)
|
Permission |
Log information |
|
Allow network socket |
netif=eth0¡¢tclass=tcp_socket(udp_socket) |
|
Allow Raw socket |
{net_raw} |
|
Reserve Well-known port / Allow all of non-reserved
Well-known port / Reserve Well-known port reserved by other domain |
For the entry of { name_bind }¡¢port=xxx¡¢tclass=tcp_socket
(udp_socket), xxxÈÖ¤Îtcp/udp port xxx is denied. |
5.4
IPC
ACL
See the
Figure 0.5 for grantable permission with SE Linux Policy Editor and log
information for interprocess communication.
Figure 0.5 Grantable permission with SE Linux Policy Editor and log information
(for interprocess communication)
|
Permission |
Log information |
|
tcp/udp/unix socket |
For the entry of
tclass=tcp_socket/udp_socket/unix_stream_socket scontext = domain A tcontext = domain B, You need to allow domain A to communicate with domain B. |
|
Semaphore/Message/Message
Queue/Shared Memory/Pipe |
tclass=sem/msg/msgq/shm/pipe scontext = domain A tcontext = domain B |
|
sigchld/sigkill/sigstop/other signals |
{ sigchld }/{ sigkill }/{ sigstop }/{ signal } scontext = domain A tcontext = domain B |
5.5
TTY
ACL
5.5.1
Terminal
We have
following names for domain/role terminal;
Normal terminal:
(domain / role name) _tty_device_t
Pseudo
terminal: (domain / role name) _pts_device_t.
Also as
label names, we have the following:
Normal
terminal name before rabelling: tty_device_t
Pseudo
terminal name before rabelling: devpts_t,ptmx_t.
5.5.2
Log information
See the
Figure 0.6 for grantable permission with SE Linux Policy Editor and log
information for terminal-related.
Figure 0.6 Grantable permission with SE Linux Policy Editor and log information
(for terminal)
|
Permission |
Log information |
|
Create TTY |
In this case,
it is difficult to find an error from log file. ¡ÈCreate TTY¡É is
used only for roles and sshd_login_t / rlogind_t. Actually, it is
used only when creating a new role. To verify the
setting is done successfully, see the role / domain-specific terminal name is
named as ¡Èls –context
/dev/tty (terminal number)¡É for local login, ¡Èls--context/dev/pts/¡É for remote login. |
|
Grant reed / write permission |
If the following
message is outputted to a log, you need to grant permission to terminal
corresponding to ¡Ètcontext¡É. { read }
{write} tcontext =
terminal name |
|
Allow labeled |
It is very rare
to configure, however, if you see the following message, verify any lack of
configuration. Tcontext =
terminal name {relabelfrom relabelto} |
5.6
Administrative
ACL
Figure 0.7 Grantable permission with SE Linux Policy
Editor and log information (for administrative)
|
Permission |
Log information |
|
¡Èlabeled all files¡É ¡Èlabeled files that this domain can write access¡É |
One of the permission from left should be granted,
if necessary. { relabelfrom relabelto } |
|
Use of chsid system call |
{ chsid } |
|
Use avc_toggle command |
{ avc_toggle } |
|
Use load_policy command |
{ load_policy } |
|
Re-write arp,route table |
{ net_admin } |
|
Use of boot system call |
{ sys_boot } |
|
Reload kernel module |
{ sys_module } |
|
Use quotaon |
{ quotaon } |
|
swapon |
{ swapon } |
|
Use of mount system call |
{ mounton } |
|
raw I/O |
{ sys_rawio } |
|
Use of ptrace system call |
{ sys_ptrace } |
|
Use of chroot system call |
{ sys_chroot } |
|
Search all directories |
¡Ý |
|
Read all files |
¡Ý |
|
Write all files |
¡Ý |
|
Read / write un-labeled files |
¡Ý |
5.7
proc File System
ACL
When a
message ¡Èpath=/xxx,dev=
Grant
permission according to the file name in message.
5.8
tmpfs File System
ACL
When a
message ¡Èpath=/xxx,dev=
5.8.1
Label
name
A file will be
created to tmpfs with the following Type.
Before labeling:
tmpfs_t
Files created by domain or role¡§<domain / role name>_tmpfs_t¡§
These label names
are shown in tcontext. See the Figure 0.8 for grantable permission and log
information.
5.8.2
log information
Figure 0.8 Grantable permission
with SE Linux Policy Editor and log information (for tmpfs file system)
|
Permission |
Log information |
|
Can create my own file in tmpfs |
{ write }
tcontext=tmpfs_t |
|
Reed / write |
{
read }/{ write } is displayed and a label name
specified in 5.8.1 is shown in tcontext. |