SpecSELinux

Introduction

SELinux is a mandatory access control (MAC) system that can be used to protect services and contain security exploits found in system daemons or user applications. SELinux constrains services to a least-privilege security domain by way of a security policy, customized by administrators, that provides fine-grained control over information flow.

SELinux was initially a research project by the US National Security Agency, but since then it has gained many contributors throughout the world. It uses the Linux Security Modules framework to implement Mandatory Access Control and Role-Based Access Control (with Type Enforcement®), rather than relying only on the Discretionary Access Control used by standard *nix systems (Linux included). It controls access to files, sockets, devices, and other object classes. The security policy is written in a flexible configuration language. It defines explicit rules about which subjects (users, programs) can access which objects (files, sockets, devices). All other information flows are denied by the SELinux system.

Its deployment in Ubuntu Linux is the responsibility of the SecurityTeam. An Ubuntu hardened mailing list has been set up for security development.

Installing SELinux

SELinux is now available in Hardy Heron. See that page for installation instructions.

SELinux uses security labels on files, and these labels need to be backed up and restored along with the files. If a program creates a file, the possibility exists that the file does not get the right security label. restorecon can be used to fix this; however, this is not an automatic action.

In an upgrade from a non-SELinux Ubuntu, no files will have security labels. As part of the SELinux installation, all of the files on the system will be labeled.

Using SELinux

A functional SELinux setup should operate transparently to the user. All intended access controls should be encoded within the security policy; unintended or malicious actions will be denied.

Two tools exist to modify and inspect the policy. The first, still under development, is setroubleshoot. It monitors the system's audit logs for denial messages and generates policy that will permit those accesses. The other is SETools, a suite of programs that assist the user in analyzing SELinux policies.

SELinux Licensing

SELinux is licensed under the GPL; its libraries are either public domain or LGPL.

Getting Involved

The best way to assist the SELinux effort is to install SELinux on your own system. Report problems that are encountered with the default Ubuntu policy to the Ubuntu hardened mailing list.

Learning More

Many web sites on the Internet document using and resolving problems with SELinux:

Outstanding Issues

  • Hardy Heron is the first Ubuntu distribution to package a functional SELinux system. It is of limited use in that it contains a policy module for only a single daemon, CUPS. Thus the most important task is to provide modules for other network daemons, such as apache2 and bind9.
  • Next is to either write management tools or port them from Fedora. These include adding SELinux options during user and group creation, graphical interfaces to customize tunable and boolean values, and integrating SELinux directly into Ubiquity.

People in charge of SELinux deployment in Ubuntu Linux

SpecSELinux (last edited 2009-10-08 21:09:49 by kees)