HardySELinux

Revision 8 as of 2008-01-28 22:20:59 (size 7193, editor: stanford), shown as a diff against revision 7 as of 2008-01-03 16:57:59 (size 6486, editor: stanford). The only change is the addition of the "Quick and Dirty HOWTO" section at line 86, which appears in full below.

  • Launchpad Entry: selinux-support

  • Created: 2007-10-25

  • Contributors: ChadSellers

  • Packages affected: selinux-policy-*, policycoreutils

Summary

Provide SELinux as an option for Ubuntu. Much of the support necessary is already inherited from Debian. The remaining pieces include turning on SELinux when loading the kernel, logic for loading the SELinux policy on boot, and tailoring a default SELinux policy.

Rationale

SELinux provides security features that are extremely useful for locking down machines, particularly servers. It provides the ability to isolate processes into domains and create security policy defining what those domains can do. This capability enables users to enforce a large number of security goals, including limiting privilege, containing exploits, preventing privilege escalation, enforcing application security architecture, controlling information flow, and many others.

Some users prefer SELinux over AppArmor for a number of reasons. Often this is a preference for its inode-based labeling (the security context is stored in an extended attribute, so it follows the file across renames and hard links) over AppArmor's pathname-based confinement. Also, customers with more stringent security requirements tend to use SELinux. In the past, this has included users such as those from government, financial institutions, embedded systems, and others. For instance, users concerned with information flow often choose SELinux, because a label-based policy can express which domains may read from and write to which labels.

Use Cases

  • Sylar wants to learn more about how SELinux works. He installs the selinux packages, which handle switching from AppArmor to SELinux and provide a targeted policy by default.

  • Issac was using SELinux but wants to switch back to AppArmor. He uninstalls the selinux packages, which unlabels his filesystems and restores AppArmor to a working state.

  • Claire wants to contribute to the development of a strict SELinux policy. She installs selinux and is able to build, test, and share new policies.

Design

Security Policy

There are a few SELinux policies in universe (selinux-policy-default, selinux-policy-refpolicy-targeted, selinux-policy-refpolicy-strict) which are all geared toward Debian systems and need tweaking to work with Ubuntu. These policies are quite complex and have a tendency to require expert user intervention to use them. This is probably not the right direction for Ubuntu's default policy, though these policies can definitely continue to exist in universe for expert users wishing to use them. We plan to follow the general targeted model of leaving most things unconfined and offering the ability to confine network daemons, but plan to modify this to ensure that SELinux breaks user systems as infrequently as possible.

The proposed SELinux security policy should be fairly simple and modular. The idea here is to do everything we can to avoid breaking things on the system while at the same time adding some basic security controls. This would mean that all daemons would be unconfined unless the user/admin elected to confine them.

Enabling SELinux

Make SELinux an install-time and/or run-time configuration option. We do not want to replace AppArmor, but rather offer users the choice of SELinux.

Implementation

UI Changes

The only UI changes necessary will likely be those necessary to provide the user with the ability to choose to enable SELinux. This could come in two forms.

Installer Choice

The installer can provide the user with a choice of SELinux, AppArmor, or no security module. This may be an Advanced Option in the LiveCD installer.

Runtime Choice

A new Preferences UI would be provided for choosing the security mechanism. This would be similar to the UI provided by the installer.

Code Changes

Loading SELinux Policy on Boot

SELinux requires the policy to be loaded into the kernel as early in the boot process as possible, since every process that starts before the load runs unlabeled. SysVInit has been patched in other distros (Fedora, Red Hat, Debian) to do this: init loads the policy and then re-exec's itself so that init itself gets the correct label. Ubuntu uses upstart, which has no such support.

Rather than modify upstart, we will add the SELinux policy load to the initramfs. This will require a few code changes:

  1. A patch to load_policy to add a flag for doing an initial policy load.
  2. Create the scripts for use in the initrd.

Note that one downside to this approach is that the initrd image in /boot must be updated after installing the SELinux packages (unless the SELinux initrd package is installed by default).
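As an added illustration of the initramfs approach (example code written for this page, not the Ubuntu selinux package's own scripts), the sketch below shows what an initramfs-tools init-bottom script would have to do: check whether selinux=1 was passed, locate the binary policy named by /etc/selinux/config on the freshly mounted root, and run load_policy inside a chroot of that root so it reads the real system's configuration rather than the initrd's empty /etc. The script paths, the use of -i as the initial-load flag (the page only says such a flag is to be added; -i is what later policycoreutils releases ship) and the assumption that load_policy's initial-load path mounts selinuxfs itself are all assumptions; the test data is constructed.

```shell
#!/bin/sh
# Sketch of an initramfs-tools "init-bottom" script: added example, not the
# Ubuntu selinux package's code. Assumptions: initramfs-tools has mounted the
# root filesystem on $rootmnt and will exec /sbin/init from it after this
# script; load_policy and its libraries were copied into the initrd by a
# companion hook (not shown); -i stands in for whichever "initial load" flag
# the patch adds, and that path is assumed to mount selinuxfs itself.
# The two variables are overridable only so the logic can run outside an initrd.
LOAD_POLICY="${LOAD_POLICY:-/sbin/load_policy -i}"
CHROOT="${CHROOT:-chroot}"

# selinux_requested "<kernel cmdline>": succeed only if selinux=1 was passed.
selinux_requested() {
    for word in $1; do
        [ "$word" = "selinux=1" ] && return 0
    done
    return 1
}

# policy_path ROOTMNT: print the newest binary policy (policy.<version>) for the
# SELINUXTYPE named in ROOTMNT/etc/selinux/config; fail if none is installed.
policy_path() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    ptype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || return 1
    newest=""; best=-1
    for f in "$1/etc/selinux/$ptype/policy"/policy.*; do
        [ -f "$f" ] || continue            # unmatched glob stays literal: skip it
        ver=${f##*.}
        if [ "$ver" -gt "$best" ] 2>/dev/null; then best=$ver; newest=$f; fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# load_initial_policy ROOTMNT "<kernel cmdline>": entry point.
# Does nothing (status 0) on an AppArmor boot, loads the policy on a selinux=1
# boot, and returns 1 with a message when selinux=1 was given but no policy is
# installed, so the failure is visible while the boot still continues.
load_initial_policy() {
    selinux_requested "$2" || return 0
    policy=$(policy_path "$1") || {
        echo "selinux=1 given but no policy found under $1/etc/selinux" >&2
        return 1
    }
    # chroot into the real root so load_policy reads that system's
    # /etc/selinux/config and policy store ($policy), not the initrd's.
    $CHROOT "$1" $LOAD_POLICY
}

# initramfs-tools exports $rootmnt; when it is set we really are in the initrd.
if [ -n "${rootmnt:-}" ]; then
    load_initial_policy "$rootmnt" "$(cat /proc/cmdline)"
fi
```

Whatever shape the real script takes, it lives inside the initrd, which is the downside noted above: after installing the SELinux packages (or changing the policy type) the image has to be rebuilt with update-initramfs -u before the next boot.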

SELinux Policy

Create a new SELinux policy configuration that is less restrictive by default than those found in Fedora, Debian, or Gentoo. This policy will prevent very little, reducing the chances of breaking unsuspecting users' systems. Users will then be able to select (potentially through apt) policies for their applications that they wish to confine. Additionally, this will provide the foundation for higher-level user-friendly SELinux policy management UIs to be developed in the future.

The list of daemons for which confinement policies will be available for user selection is still to be determined, but will at least include cups. Confining cups is necessary to ensure that no protection is lost by turning off AppArmor, which currently confines only cups by default.

Switching Security Modules

In order to switch to a security module, the appropriate security module must be loaded into the kernel and enabled. Currently, SELinux is compiled into the Gutsy kernel but disabled, and can be enabled by passing selinux=1 on the kernel command line (omitting the option, or passing selinux=0, leaves it disabled). AppArmor is currently loaded as a module. Given this, the following is necessary to switch between them:

  • AppArmor to SELinux

    • disable loading of the AppArmor module

    • add selinux=1 to the kernel command line in the bootloader configuration (on a default Ubuntu install, the "# kopt=" line of /boot/grub/menu.lst, followed by update-grub)
    • reboot
  • SELinux to AppArmor

    • enable loading of the AppArmor module

    • remove selinux=1 from the kernel command line in the bootloader configuration (same file, followed by update-grub)
    • reboot

Additionally, when switching to SELinux, the filesystem must be relabeled (as SELinux provides label-based security). This requires relabeling the filesystem during the subsequent system boot, and probably rebooting again (though the second boot can be avoided if the relabel happens early enough in the boot process).

Quick and Dirty HOWTO

  1. Remove apparmor-utils, because the selinux package conflicts with it. From aptitude, go to Options / Preferences and deselect 'Install recommended packages automatically'; otherwise apparmor-utils, which ubuntu-standard recommends, keeps getting pulled back in. In the future, the ubuntu-standard package should recommend "linux-security", and have apparmor-utils provide that virtual package.
  2. Install the packages 'selinux' and 'refpolicy', and their associated dependencies.
  3. As the debconf message states, the bootloader must be told to enable SELinux. On a default Ubuntu install (GRUB legacy) this means editing /boot/grub/menu.lst: find the line that begins with "# kopt=" and append "selinux=1 enforcing=0" to it, then run update-grub so the options are copied into the generated kernel entries. enforcing=0 boots in permissive mode, in which policy denials are logged but not enforced; that is what you want for a first boot on a system whose filesystems have not yet been relabeled.
  4. Reboot. Afterwards, /proc/cmdline should show the two options and getenforce should print Permissive; if it prints Disabled, the kernel did not receive selinux=1 (usually because update-grub was not run).
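The bootloader step above, and the AppArmor/SELinux switch described under Switching Security Modules, both come down to editing one line of menu.lst and re-running update-grub. The script below is an added example (not part of the HOWTO or of the Ubuntu packages) that performs the edit in both directions idempotently and reads back what a given kernel command line asks of SELinux. It assumes the GRUB legacy "# kopt=" convention; the menu.lst used in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the HOWTO or the Ubuntu selinux packages.
# Assumes Ubuntu's GRUB legacy layout: /boot/grub/menu.lst carries a
# "# kopt=root=... ro" comment line that update-grub copies into every
# generated kernel entry, so an option only has to be added there once.

SELINUX_OPTS="selinux=1 enforcing=0"  # enforcing=0 = permissive: denials logged, not blocked

# kopt_has MENU_LST OPT: succeed if OPT already appears as a word on the "# kopt=" line.
kopt_has() {
    for w in $(sed -n 's/^# kopt=//p' "$1"); do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# rewrite MENU_LST SED_ARGS...: edit the file in place through a temp file,
# so a failing sed never leaves a truncated menu.lst behind.
rewrite() {
    menu=$1; shift
    sed "$@" "$menu" > "$menu.tmp" && mv "$menu.tmp" "$menu"
}

# kopt_add MENU_LST OPT...: append each option to the "# kopt=" line once (idempotent).
kopt_add() {
    menu=$1; shift
    grep -q '^# kopt=' "$menu" || { echo "$menu: no '# kopt=' line" >&2; return 1; }
    for opt in "$@"; do
        kopt_has "$menu" "$opt" && continue
        rewrite "$menu" -e "s|^# kopt=.*|& $opt|"
    done
    return 0
}

# kopt_remove MENU_LST OPT...: the reverse, for switching back to AppArmor.
# Two expressions: the option in the middle of the line, or at its end.
kopt_remove() {
    menu=$1; shift
    for opt in "$@"; do
        rewrite "$menu" -e "s|^\(# kopt=.*\) $opt |\1 |" -e "s|^\(# kopt=.*\) $opt\$|\1|"
    done
}

# selinux_boot_mode "<kernel cmdline>": print disabled, permissive, enforcing or
# unspecified. As in the kernel, the last occurrence of an option wins.
# "unspecified" means selinux=1 without enforcing=: the kernel starts with its
# built-in default and init later applies SELINUX= from /etc/selinux/config.
selinux_boot_mode() {
    enabled=0; enforcing=""
    for w in $1; do
        case $w in
            selinux=1)   enabled=1 ;;
            selinux=0)   enabled=0 ;;
            enforcing=*) enforcing=${w#enforcing=} ;;
        esac
    done
    if   [ "$enabled" = 0 ];   then echo disabled
    elif [ "$enforcing" = 0 ]; then echo permissive
    elif [ "$enforcing" = 1 ]; then echo enforcing
    else echo unspecified
    fi
}

# Run as root with --apply to perform HOWTO step 3 for real; without arguments
# the script only defines the functions above. After the reboot, check with:
#   cat /proc/cmdline   (must contain selinux=1 enforcing=0)
#   getenforce          (Permissive)
if [ "${1:-}" = "--apply" ]; then
    kopt_add /boot/grub/menu.lst $SELINUX_OPTS && update-grub
fi
```

To go back to AppArmor, kopt_remove with the same two options, update-grub again, and re-enable the AppArmor module as described above; the relabeling the design section mentions is a separate step that this script does not attempt.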


CategorySpec

HardySELinux (last edited 2009-09-22 12:53:50 by pool-71-114-226-175)