
Good morning everybody. This presentation is called The Wizarding World of SELinux, and my name is Paul Arnold. I am a cyber security engineer in the defense sector, and I'm here locally, I live in Orlando. I've been working with Linux since 1999, and I have worked with SELinux pretty intensely in the last four or five years. Before I get any further with this, I'm going to just do this real quick: any opinions or views that are in this presentation and this talk are my own, and they don't express the views or opinions of any of my past employers or UCF or anything of that nature.

All right, so the reason that I'm doing this talk is because SELinux is not magic, and that's what I want to try to tell people. I want to get people to at least understand what it is, because I know a lot of times it's just disabled. I've read many things where the first thing you want to do is disable it. Well, I want to at least have you all understand what you're doing when you disable it, and hopefully stop a few people from disabling it, because you're disabling a lot of security features that are inherent to some of the policy therein.

So I'm going to go over four kind of sections in this presentation. In the beginning I have to go over four terms, because if I don't I'm going to lose a lot of people, because there is some jargon and there are terms that are involved with SELinux. I picked some specifics that are just going to help with this presentation, to really understand it. I'll cover what it is and where it came from, and then I will cover dealing with SELinux and some of the tools you can use to troubleshoot or modify things and find out what's going on instead of just outright disabling it. And then I have a short demo at the end that shows some of the differences with a system that has SELinux enforcing versus off, and the security holes that you've really opened up by turning it off.

All right, so does anyone know what movie this is from? It may be hard to see. Hackers, yes, it is Hackers, and I'm sad to say this is not the first Hackers reference this BSides weekend. So what does Hackers have to do with SELinux? Well, okay, it's a bit of a stretch, I just really wanted to put a Hackers reference in this presentation. But there's a book that's being passed there, it's called the Orange Book, if anyone's familiar with the Rainbow Series books from the 80s. It's kind of where we got the definitions, as we know them today, of two types of access control that I'm going to cover real quickly, which are discretionary access control and mandatory access control.

I'll start with discretionary because it's the more traditional one that you'll see on operating systems. This allows users to specify access controls over objects, like files or directories or whatnot, at their own discretion if they own them. So users can make their own policy decisions, and that can be intentional or accidental.

Now, in contrast, you have mandatory access control, and I'll do my best to make this brief and understandable. It consists of a security policy that defines rules, like a rule set, over all subjects, which may be users or services, something that acts upon information, and then you have objects, which would be like files that store information. That's enforced by the kernel, and this is a deny-by-default kind of enforcement: you have to explicitly allow something to happen. In addition to that, in the official definition of mandatory access control, all subjects and objects have a classification label and category, which are used by the kernel to make access control decisions based on a level of trust and a need to know.

Now, this is commonly associated with government things. Classification doesn't necessarily have to be; I know it's much more prevalent in a government environment, but I kind of like the Gentoo hierarchy of classification for corporate, which is public, internal, confidential, strictly confidential. So it doesn't have to be government only, but that's generally where you see it right now. The main difference here from traditional discretionary is that users can't make their own policy decisions. Those rule sets are generally made by a security admin, in a perfect world, and users and admins can't make a change, whether intentional or accidental. I'll cover a little bit more once I get done with these two more terms. Almost done with terms.

All right, so this is probably the most important thing to understand for the whole presentation: contexts, which are also known as labels. This is very critical to this talk. Specifically, in SELinux a label can be broken down into two sub-definitions that I'm going to be talking about. One of them is types. Types are labels associated with all objects and subjects; that's the name for the label that's on everything on the system, and the rules for these types will be defined in that policy and then enforced by the kernel. And there's one more, a domain, and this is specifically a processing domain. This is a specific type for processes, or a collection of processes, within their own processing domain. Now, it's a little abstract, so an example of this would be the BIND DNS daemon, named, where everything would probably be in a type called named, which is the named domain, or a single function like the passwd domain, which is for password changes on a Linux system.

All right, so what is SELinux? I didn't really know. Well, I figured it out on paper and then I had to actually do it. So it stands for Security-Enhanced Linux. It began as a joint effort between the University of Utah and the DoD to implement a mandatory access control for Linux, because the traditional mandatory access control systems within the government were kind of expensive and proprietary. So the NSA actually released SELinux as a kernel patch under the GPL in 2003, and I believe it became officially accepted into the kernel around 2005. One of the great things about it is it's very flexible. For instance, SELinux is default on Android now as of 4.3. So it can be on something as small as a mobile device, or your general purpose desktop at home, or a multi-level security system, which I'll get into later, which allows for data to exist at multiple classification levels on the same system, and you won't have any knowledge of a higher classification even being there. I'll get to that a bit more later.

So I said earlier that one of the most important things to understand was the labels. Ultimately, if any of you get anything out of this: SELinux is a label-based security system. Everything within SELinux relies on labels. So everything on / on a Linux system has a label; that includes files, sockets, devices. Everything has a label. If it doesn't, SELinux doesn't know what kind of rules to apply and it just falls apart. The SELinux policy is a binary policy that's stored in kernel space, and it's used by this security server, which is SELinux, to make those access control decisions. That's what the mandatory access control is: it has to be explicitly allowed in order to do anything.

All right, so there are a few things I want to cover about what SELinux isn't, because there are some misconceptions I've heard now and then. It's not antivirus or anti-malware. Although it may contain a virus or malware on a system, it doesn't prevent or detect them; it doesn't have any heuristics or anything of that nature to detect them. It's not an intrusion detection system, although you could link it up with audit reports and kind of make it that way, but it isn't an intrusion detection system. It's not a firewall. And it's still not magic.

Moving on, there are kind of three main components that it's made up of. There's the actual kernel code, that's the Linux Security Module. I'm not going to get too much more into that, because you're getting into kernel development and I would get bored talking about it. So the only important thing to note here is that the discretionary checks, the traditional checks, happen before any of the security module's checks occur, because it's much quicker. But the opposite is not true. Let me back up a little bit. If a discretionary check fails, it's not going to check the mandatory one. If a discretionary check passes and the mandatory one fails, well, you still fail. So mandatory overrides everything there.

Then we'll move on to the policy. It's very flexible, like I said; you can have mobile devices, huge servers and whatnot, and this can be tailored to the needs of the system. They're also modular, kind of like the Linux kernel can be modular or monolithic. It's the same thing with SELinux policy; they're all modular at this point. And then I'll get to some tools later; they're generally used for status and policy action.

I'll pause here for a second. How many people are thoroughly confused? Okay. What I'm trying to get at is, if you have any specific questions, interrupt me right away, because I'm covering a lot of stuff that may be kind of conceptual at this point, and I don't want to lose any people before we get moving on. So if anyone has any questions, please let me know.

All right, so there are three main policies. The one that comes on by default in Red Hat, CentOS and Fedora, and is available for Gentoo and Arch Linux (Arch has kind of moved away from SELinux). All three of these policies are based on a reference policy which the NSA developed, and all of these policies, like everything with SELinux, are deny by default and allow by exception, as this is a mandatory access system. These three policies are more or less in a hierarchy, in terms of targeted being the lowest; everything in targeted then would be in MCS, which stands for multi-category security, and everything in multi-category security would be in multi-level security, which is the most enforcing policy.

So you can kind of see those. I'll take this chart here real quick to show you the difference between the traditional and the mandatory access control. Over here in this yellow, that's kind of the traditional discretionary permissions: you have read, write, execute for owner, group and everybody; that's what you're used to seeing on a Linux system. Then you have the user and group right next to that, and then you have these other multi-colored strings next to it, and that makes up what SELinux adds for the targeted policy. So you have the user label, the role label and the type, the most important being the type of course, because that is the main labeling system within SELinux and provides the basis for how it enforces the mandatory access control. Within this policy, the one that's enabled by default, the user, role and type are required, and the sensitivity and category, which are more or less classification and category, those two are not mandatory. But I'll get into the next one real quick.

So in these multi-category and multi-level policies, all five of the labels are required, and the difference between the targeted policy and these policies is this kind of red, green, orange and yellow thing at the end there. That's the sensitivity, which is more or less a level of trust that that user has, or that that service has been allowed to operate at, and then you have categories, which are more or less the need to know. These are all government-like terms, but this certainly can be applied to corporate: you could have a category of HR and a category of finance, and they probably aren't going to talk to each other; they're probably not going to have interactions with the files that are specifically finance or specifically HR. It's just a poor example, but anyway, this can get very complex in here, the MLS stuff, so I'm not going to get too in depth with it. I actually would have loved to do an entire presentation on this, but I also wanted people to show up for my talk, so I'm not going to go too much further than that. MLS is a Bell-LaPadula security model, if anyone's familiar with that: a user at a certain security level may not read an object at a higher level, and a user at a certain security level may not write to an object lower than its level. So that's how it enforces the multi-level. And just one final thing: multi-category security is the default in Android SELinux; it more or less sandboxes applications from one another, and it's also used in the Red Hat Atomic project, which is SELinux on Docker.

All right, so all of these policies provide confinement. They confine and constrain objects and subjects as they are defined in the policy, the rule sets. So for instance, SELinux can confine an application within its own domain, so it has a label that belongs to that type of application, and allow it to have only the minimum privileges required. This is important coming up in the demo, where I'll show you what happens when that's no longer the case. So should an application require access to another network, and it wasn't explicitly allowed, it would have to be explicitly granted within the rule set. So yeah, once again, this is deny by default, and this is what makes it mandatory access control versus discretionary. This confinement also allows for a great way to prevent further exposure: if you have, say, a web server that gets compromised, well, that web server can't go on to do other things of that nature, just because it's confined to the explicitly allowed set of rules it's allowed to perform.

All right, so this is a term I kind of made up. Unconfined is a real thing, but "unconfined compromise" is something I just made up here. This more or less came about because there used to be a policy called strict, and that's what led to a lot of people disabling SELinux, because everything had to be defined. So there was kind of a compromise: unconfined came out, and this basically allows daemons that SELinux doesn't know about to run in a non-confined domain. It's more or less an entirely permissive domain where SELinux rules are not enforced. So why isn't this... I mean, in a perfect world we'd have allow rules for everything and everything else would be denied, but realistically it can be very difficult to do, especially on a system that may not be of super high importance, and I think that's another reason that you'll see SELinux disabled a lot of the time. So this is better than outright just disabling SELinux. You have your services that have rules defined, generally by Red Hat, and if you can keep certain areas defined, especially important services, if you have any public-facing services like a web server or DNS or anything of that nature, it'd be good to keep them confined, and still run other internal things that you may need to run in an unconfined domain. So I think it's a decent compromise, because you don't completely lose your security. It's not perfect, but then again we're not in a perfect world. This, by the way, is the default user label, role label and type in the targeted policy for a user, so if you were just to pull up a console and type id -Z, it would tell you that you're unconfined.

All right, we're going to move along a little bit here. So this is not a part of SELinux, but it's very important, because any important information for SELinux goes to the audit logs, and I'll show you that a bit more in the demo later, because it's important in the case that it can be used to automatically generate modules to allow something that has already failed.

And we are going to move on to living with SELinux, and what I found is that this is how most people live with SELinux. This may be difficult to see; this is Google Trends, and I put in SELinux, and the top result for related search was "selinux disable", and then we have another one down there at the bottom, "selinux disable centos". So I'm just going to ignore whatever this is, and I'm going to call this 130% of people wanted to disable SELinux. So I'm trying to change that a little bit, or at least have you understand what it is.

This is from an older document that was published by the maintainer of the SELinux tools and packages for Red Hat, Dan Walsh. So I got, what, 15 minutes into a presentation without mentioning him. These are the four most common causes of errors, and this is top down: if you have a label problem, you're going to get an error; that's the most common thing you always see. The second one, for instance, say you want to run Apache on a port that's not 80, not 443, not 8080, not one of the ones in policy, that's going to cause an error. And then, to a lesser extent, a bug in policy or an application can occur, and if you're compromised, good luck.

So we have the tool sets here. English is hard today. The SELinux tool sets: these packages aren't included by default, which kind of bugs me, because a lot of the distros that come with SELinux come with it enforcing by default. The most important one here at the top is policycoreutils-python. It comes with one of the most important commands, to even add an additional port, like if you want to run Apache, like I said, on 9090 or something of that nature. You can't do it with the default package groups that you get from most of these operating systems, which is kind of terrible, and you really need semanage in order to be able to do that, and that comes in that top package there, policycoreutils. I'm going to go over some of them real quick, and then I'll get into the demo of what they can do.

These are the two most basic things. This is how you would turn on the enforcement of the policy or turn it off, and the following one is the status of it. So it's setenforce and getenforce, pretty straightforward, pretty basic. Another pretty basic one: there are a lot of switches, or booleans, that are built into policy. For instance, this one is for virtual devices, whether they're allowed to use the host USB, which is actually on by default, which I don't really like, so I use this as an example to turn it off. So you can set that, and then you can get the current status of whatever there may be.

I'm going to move through these a little quickly because I want to do the demo portion. restorecon means restore context. Within the policy that's defined, all your types will have labels already defined for wherever that file may be; there's a ton of regexes in there that define certain areas, and you can tell this command to restore the label of a file. It's very helpful, very useful. Certain operations will not label a file; if you move it, for instance, it won't be relabeled. So this comes in handy and gets rid of pretty common errors.

All right, these are two nearly magic commands for some people. So if you get a failure in SELinux, where it's preventing something from happening, you can pipe that error through audit2allow, and it will automatically create an SELinux module for you allowing whatever just got denied. This takes seconds, and it can prevent you from completely disabling SELinux, and if that happens I'm happy, so that's my goal here. And there's one more thing; this is not related to SELinux, but it can be important. This is a search capability for the audit engine. You can search specifically for SELinux denials, so it can be quicker. And then the command semanage may actually be magic. This does everything possible that you would need to do with an SELinux policy that is currently running: it adds ports, adds additional contexts, mirrors contexts, all kinds of things. And then all the kind of traditional core utils for Linux, we have ls and id and ps and netstat and all those things; if you add a capital Z to them, that generally will show you the SELinux label.

All right, so moving on to a demo, which probably will blow up horribly since this is live, and if it does, so be it. I'll ask it again: is anyone thoroughly confused at this point? Sure, go ahead.

They are stored in policy. The labels are defined in policy, and yeah, it's a binary policy, and those labels were defined in the original reference policy and they've just kind of been inherited at this point. If you were to start something from scratch, you could define whatever you would like, but that's quite an undertaking.

All right, going to mirror this. Oh wow, that's a much different resolution than I was expecting. All right, is this legible? All right, cool. So the first thing we're going to do: this has SELinux on right now. I can show that SELinux is currently enforcing, so there are certain things that it prevents you from doing. I want to see what's up with the shadow file. Oh, I can't even list the shadow file. That's traditionally where password hashes are kept, so yeah, you don't want to be able to do that. Another thing is, I guess I should mention this is a confined user, so it doesn't have permission to do very many things. This is just a regular user, but it is confined, and I'm using this as an example of what happens within a confined domain. It's the easiest to show you with a user, but you can apply a type of domain to anything else, whether it be like an Apache domain, and I don't mean like a website, I mean within the httpd type of domain. I want to show the constraints that can be put upon something and then what happens when you turn them off.

So let's just say that this person is a malicious user, and they want to try to share their directory as a web server. So I just tried to run a simple HTTP server from Python, and it just completely blew up. And if I were to go back over here, this is root on the same VM. I want to display the current errors that just came through within the last five minutes, either five or ten minutes, I don't remember what "recent" is. It'll tell you what's going on. This is hard to read if you've never seen this, but it'll tell you why it denied it, and it's always within these curly brackets. So when I tried to use sudo, it denied me for a setuid capability, and what I was doing down here is where I tried to start the web server; it was preventing me from doing name_bind. And there's one more portion to this, let me clear this. So I also maybe want to see all the processes on the system. Oh no, I can't; I can only see mine, because this is a confined domain.

All right, so I'm going to do something that hopefully none of you have ever run. So I've disabled SELinux, and let's try some of these things again. So I can stat shadow now; that's fine, the permissions are 000, so I'm not going to be able to actually read it as an unprivileged user, because DAC, the discretionary access control, is preventing me. So there's some security there. And by the way, this is a CentOS machine, this VM, and it's completely stock. This is from the CentOS install. The policy is completely stock; I installed the policy core utils and that's it, so there are no major changes being done here. So the process list: before, I saw my four processes, but now I kind of see a lot more than that, because I'm no longer confined by anything, so I can just see everything running on the system. All right, so let's do something else real quick. So I want to start up that Python server again, see if that does something. Okay, so I just started a web server out of my, I guess, compromised domain. What's this IP? All right, hey cool, and there's my symlink, which I kind of symlinked back up the directory tree, which leads me to the root of the system, so I can just go through /etc, like passwd maybe. Oh look, downloaded it. Hey look, I have passwd. That was kind of cool. All right, something else I had on here. Oh yeah, I knew there was something I had on there.

All right, so I'm going to show one more quick demo on here, and this is more of a sysadmin kind of level thing that would occur. setenforce: I'll turn this back on. So a common thing is you want to run a web server on a different port, but SELinux is going to prevent it. So in this case I do have Apache on here; actually, I lied, I installed Apache as well, sorry about that. All right, so I already have this preconfigured. I'm going to add a different port, 991, which is not a default port. So if I actually try to start the service, or it might already be running, it fails, because it's not a default port. Sorry about this resolution, it's a little bit difficult to see. It's a similar kind of error to what we were getting before, unable to name_bind, the same thing I had with Python. Although we can make this pretty simple through the use of that audit2allow command that I was showing you. This isn't the best way to do this, but I really want to show you how audit2allow can really make this easy. All right, well, the web server's down, I mean I can't even show you that, so I can't even show you a denial of any sort. So we have the recently denied here; the same command that was piping out the errors, I can push this through to audit2allow, and I'll call the module allow991apache, and this is going to automatically write and generate me a module. I mean, it tells me what to do; it's pretty simple. I can literally run the same thing, semodule, then install. So this is going to import it into the SELinux policy. It does take a second, because it has to recompile the entire policy; that's why it's hanging here for 10 to 15 seconds, depending on the speed of the system.

Yeah, that's a good point, and you do have to be specific in what you're putting in there. I'd have to look to see what the recent one was, but yeah, you need to specify exactly what you want to put in there, just in case. It let the demo through because it was within the last five minutes. I'm probably good on time, so I could have mentioned that. Yes, sure, yes, yeah, of course. Run your command again, fill the audit, and then pipe that out. Yeah, I mean, exactly what he said, and I thought I was going to be shorter on time than I actually was. You could just copy it into a text file, for instance, cat the text file and pipe it to audit2allow and do the same exact thing; that's a safer way to do it, but I kind of wanted to show more of... Now those are good points: you don't want to allow more than necessary. But for instance, I'm now able to start the Apache service, and I don't want to go to this crazy site... Oh, I probably should go to the port that I just defined, huh? All right, look, so this is the default CentOS page that you get when you start up Apache. So instead of turning off SELinux there, I made one module and it brought it back up and running in five minutes or so. That was pretty quick.

There's one more thing, I swear this is the last part of this demo. So I have a file. This is a label-based issue I'm going to show you; this is really common. I have a file here called demo.html, and the label of it is user_tmp_t. Can user_tmp_t be served out of www? Probably not. So we're getting Forbidden on a file that has 644 permissions, which should be readable, right? Well, it's because the label here, the mandatory access control label user_tmp_t, is not authoritative, or is not part of policy for that domain. So one of the commands I mentioned before, restorecon, restore context or restore label: restorecon demo.html. I generally do verbose; I did not that time, but all right. So I changed it to httpd_sys_content_t, the same thing; I didn't change any of the discretionary permissions. You can read this, the page loaded, that's my clever phrase. All right, that's pretty much the end of the demo there. I'm going to...
Yes. So, yeah, when it's not in enforcing mode. This is a good question. When, for instance, you're setting up a server from scratch, or something of that nature, and something comes along like you wanted to use additional ports, like I just showed with Apache, it may be more beneficial to run in permissive mode temporarily, because you may have more than one denial that comes through, and after the first one it can't move on to the next thing that wasn't allowed. So for non-production systems, that's probably the recommended way of going through initially, because very often you could come across seven things in a row that get denied, and you don't want to be making seven modules. So that is a very good point too. I wouldn't recommend it in an operational environment, but yeah, that's a very good point to put there.

All right, so my resolution is not changing back. All right, well, that's interesting, that's not what I have up here at all. All right, so these are just some resources that can be referenced for further information. The SELinux project wiki is the first link; that's probably the most valuable one on here. The NSA link on here is just kind of historical data; there's not too much more to that. The Gentoo wiki has some real crazy stuff, but it's great, I mean, it's Gentoo. And then of course you've got man pages; you can just pull up anything that has SELinux. If anyone has any further questions... that's the end of this presentation. I'll pull up one more slide that had a command list of things I wanted to cover. These are things that will help you. But if anyone has any questions, feel free to go ahead. Yeah, right.
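The denials shown in the demo are what audit2allow consumes, and the questions at the end were about capturing only the denial you actually meant to allow. As an added example, not code from the talk or from the policycoreutils project, here is a small Python parser that pulls the permissions inside the curly brackets, the source type, the target type and the class out of AVC records, collapses them into the allow rules audit2allow would print, and lets you filter on the process name so a stray denial captured in the same "recent" window (the sudo and Python ones here) does not get a rule along with the Apache one. The audit lines are constructed samples modelled on the demo; their PIDs, timestamps and the port-type pairings (reserved_port_t for 991, soundd_port_t for 8000) are assumptions, and likely_label_problem is a hypothetical heuristic of mine for the first of Dan Walsh's four causes, where the right fix is restorecon rather than a new rule.

```python
"""Parse SELinux AVC denials into audit2allow-style allow rules.

Added example for this transcript; not code from the talk or from
policycoreutils. SAMPLE_AUDIT_LOG is constructed to mirror the demo:
PIDs, timestamps and port labels are assumptions, not captured output.
"""
import re
from collections import defaultdict

# Constructed sample records (one audit line each; the SYSCALL line shows
# that non-AVC records in the same search output are simply skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1440000001.101:201): avc:  denied  { setuid } for  pid=1201 comm="sudo" capability=7  scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1440000002.202:202): avc:  denied  { name_bind } for  pid=1202 comm="python" src=8000 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1440000003.303:203): avc:  denied  { name_bind } for  pid=1203 comm="httpd" src=991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1440000004.404:204): avc:  denied  { read } for  pid=1204 comm="httpd" name="demo.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1440000005.505:205): avc:  denied  { open } for  pid=1204 comm="httpd" path="/var/www/html/demo.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1440000005.505:205): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# "denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical heuristic: target types that usually mean the file is simply
# mislabeled (fix with restorecon), not that policy is missing a rule.
LIKELY_MISLABEL_TYPES = {'user_tmp_t', 'user_home_t', 'tmp_t', 'default_t', 'unlabeled_t'}


def parse_avc_lines(text):
    """Yield one dict per AVC denial record; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        yield {
            'perms': set(m.group('perms').split()),
            'comm': fields.get('comm'),
            # a context is user:role:type[:level]; the type is the third field
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'permissive': fields.get('permissive') == '1',
        }


def likely_label_problem(denial):
    """True when the target type suggests a labeling problem, not a policy gap."""
    return denial['ttype'] in LIKELY_MISLABEL_TYPES


def allow_rules(denials, comm=None):
    """Collapse denials into one allow rule per (source, target, class) triple,
    merging permissions the way audit2allow does. With comm set, only denials
    from that process name are used, so nothing else in the window is granted."""
    grouped = defaultdict(set)
    for d in denials:
        if comm is not None and d['comm'] != comm:
            continue
        grouped[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_text};')
    return rules


def triage(denials, comm=None):
    """Split denials into ones to fix with restorecon and ones that need a rule."""
    selected = [d for d in denials if comm is None or d['comm'] == comm]
    relabel = [d for d in selected if likely_label_problem(d)]
    rules = allow_rules(d for d in selected if not likely_label_problem(d))
    return {'relabel': relabel, 'rules': rules}


if __name__ == '__main__':
    found = list(parse_avc_lines(SAMPLE_AUDIT_LOG))
    result = triage(found, comm='httpd')
    for d in result['relabel']:
        print(f"relabel (restorecon): {d['ttype']} {d['tclass']} {sorted(d['perms'])}")
    for rule in result['rules']:
        print('policy rule:', rule)
```

Run on the sample, the httpd-only triage yields a single rule for the port and flags the two demo.html denials as a relabel job, whereas feeding every denial in the window through would also produce rules for user_t, which is the over-allowing the audience warned about.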
The rules? I'm sorry, how you would review the rules that you set? Yeah, I don't know it offhand, but semanage has the ability to, I think it's a capital C, with everything you throw at it, it lists all the local modifications. And additionally, just as a kind of best practice thing, in my operational environments I will prefix any modules I make with "local" or the hostname of the system, so you know that those weren't the modules that came with any sort of distribution policy. I don't have it offhand; I believe it's capital C where it shows all the local changes when you're looking in semanage, and there are subcategories of semanage, like for contexts and booleans and whatnot. It's very powerful.

Yes, yes, you can. So with the distribution modules, depending on which version or which distro of Linux you're running, they sit in different places. I'm just going to say they're in /etc/selinux, and then targeted for the targeted policy, all the distribution ones. You'd have to actually remove a distribution module from the active kernel, and then if you wanted to re-add it you'd have to point back to /etc/selinux/targeted. But yeah, you can add and remove at will, and it's rare that I've had to do it with the distribution policy. They've gotten pretty good by the time we got to RHEL 6 and RHEL 7, but yeah, it certainly can be done. Do we have anyone else? All right, thank you all for coming to this presentation. I know it was a lot, and I want to thank BSides for letting me present on a very interesting topic, and something that's very close to me. Yeah, that was weird. All right, see ya.
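The label section of the talk described a context as user, role and type, plus sensitivity and categories in the MCS and MLS policies, and summarized MLS as Bell-LaPadula: no read up, no write down. As an added example, not code from the talk, this Python block parses context strings of the kind ls -Z and id -Z print into those five fields (including the low-high ranges a user label carries) and applies those two checks by comparing levels. The contexts are constructed samples; the dominance rule (at least the same sensitivity and a superset of the categories) is the standard one, but treating the subject's low level as its current level, and a label without MLS fields as s0 with no categories, are simplifications I am assuming rather than the kernel's exact range handling.

```python
"""Split SELinux contexts into their fields and apply Bell-LaPadula checks.

Added example for this transcript, not code from the talk. All contexts
below are constructed samples, not copied from a real system.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# a category is "cN" or an inclusive range "cN.cM"
CAT_RE = re.compile(r'^c(\d+)(?:\.c(\d+))?$')


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: sensitivity sN plus a set of category numbers."""
    sensitivity: int
    categories: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        # Standard dominance: at least as sensitive and a superset of categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level]   # None when the label has no MLS/MCS fields
    high: Optional[Level]  # same as low unless a "low-high" range was given


def parse_level(text: str) -> Level:
    """Parse 's1' or 's1:c0.c3,c7' into a Level."""
    sens, _, cats = text.partition(':')
    if not (sens.startswith('s') and sens[1:].isdigit()):
        raise ValueError(f'bad sensitivity: {sens!r}')
    categories = set()
    for item in filter(None, cats.split(',')):
        m = CAT_RE.match(item)
        if not m:
            raise ValueError(f'bad category: {item!r}')
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        categories.update(range(lo, hi + 1))
    return Level(int(sens[1:]), frozenset(categories))


def parse_context(text: str) -> Context:
    """Parse 'user:role:type[:low[-high]]' as printed by ls -Z or id -Z."""
    parts = text.split(':', 3)  # the level part may itself contain ':'
    if len(parts) < 3:
        raise ValueError(f'not a context: {text!r}')
    user, role, type_ = parts[:3]
    low = high = None
    if len(parts) == 4:
        lo_text, _, hi_text = parts[3].partition('-')
        low = parse_level(lo_text)
        high = parse_level(hi_text) if hi_text else low
    return Context(user, role, type_, low, high)


_S0 = Level(0, frozenset())


def _level(ctx: Context) -> Level:
    # Assumption: a label without MLS fields behaves like s0 with no categories,
    # which is what the targeted policy effectively uses.
    return ctx.low if ctx.low is not None else _S0


def can_read(subject: Context, obj: Context) -> bool:
    """No read up: the subject's level must dominate the object's level."""
    return _level(subject).dominates(_level(obj))


def can_write(subject: Context, obj: Context) -> bool:
    """No write down: the object's level must dominate the subject's level."""
    return _level(obj).dominates(_level(subject))


if __name__ == '__main__':
    # Constructed labels: a staff user at s1 with categories c0-c3, and three
    # files at a higher, lower and same-sensitivity-fewer-categories level.
    subject = parse_context('staff_u:staff_r:staff_t:s1:c0.c3')
    for label in ('system_u:object_r:etc_t:s2:c0.c3',
                  'system_u:object_r:etc_t:s0',
                  'system_u:object_r:etc_t:s1:c1,c3'):
        obj = parse_context(label)
        print(f'{label:40} read={can_read(subject, obj)} write={can_write(subject, obj)}')
```

The same-sensitivity case is the one worth noticing: the subject can read a file at s1 with categories c1,c3 because it holds both categories, but cannot write to it, since writing would move data from a c0-c3 context into a narrower one.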