Root for All on the SE Linux Play Machine

Since the middle of 2001, I have been working on NSA Security Enhanced Linux [see page 20 in this issue] both on packaging it for Debian and in general development. When describing the project to Linux users, I find much confusion exists about what SE Linux does; it is difficult to gain a full understanding of SE Linux from reading the documentation or attending a presentation. Also, many people who have prior experience in security want to gain some practical experience but don't have the time to install SE Linux to experiment. I decided that a good way to teach people about SE Linux would be to set up a machine with public access for anyone to use.

Demonstrating SE Linux in a regular configuration is not particularly exciting, as the only noticeable operations it restricts for non-root users are ps ax and dmesg. In a default configuration, ps ax shows an unpriviledged user only the other processes in the same user domain, and dmesg is blocked. This is similar to the restrictions imposed by OpenWall and is nothing new in itself. I decided to grant root access to the world using only SE Linux for security, so users can see exactly what it is capable of doing.

On June 6–9, 2002, at LinuxTag in Karlsruhe, Germany, I ran an SE Linux demo machine at the Debian stand. This was the first SE Linux play machine. At the time, the default policy was less restrictive than it currently is. It allowed setuid and DAC_OVERRIDE capabilities for regular users (user_t domain). For a regular SE Linux configuration, this is fine. SE Linux does not use uids when deciding whether to grant access, and DAC_OVERRIDE allows overriding the UNIX access controls, but not any SE controls. The reason these capabilities were granted was to allow running setuid programs from the user_t domain without needing SE Linux domains for such programs. So although those capabilities were satisfactory for the typical user, they were not suitable for the unusual situation of having a root user who should be banned from accessing other uids in the same domain. I removed these capabilities from user_t, restricted the root account to the user_r role and it was ready to go.

In recent releases, the default policy has changed to not grant setuid or DAC_OVERRIDE capabilities to user_t. So, the most significant security policy difference between my play machine and a real server is that on the play machine unprivileged users are permitted to read the kernel message log (dmesg) and the security policy source as an aid to understanding SE Linux.

My SE Linux challenge is based on a machine deliberately configured to be less secure than real servers, by granting log file access, granting read access to the security policy and allowing unprivileged users root access. In spite of these factors, little success was had in breaking the security.

On the first day of LinuxTag, a potential issue with /boot files was reported. A user believed he could determine the LILO password from the LILO map file. I immediately changed the policy to restrict the access to /boot to prevent such problems. Of course, if you have physical access to a machine you usually can break the security somehow, but we want to make it as difficult as possible.

During the event, I started work on support for multiple user roles. The initial reason for this was one of my colleagues used the play machine for more serious purposes. He lost all his files, because they were created by the root:user_r:user_t security context as uid root, the same as users who were testing the security. The standard test that everyone ran as root was rm -rf /, which deleted all his files. The system itself was unharmed, as files in /bin, /etc and other system directories cannot be unlinked or written to by user_t. After I gave my friend an account with the domain user1_t, his files could not be accessed by a root user in domain user_t.

On June 17, 2002, I set up an SE play machine on a Cobalt Qube that is available on the Internet for everyone to use. The first machine was on-line intermittently until July 11. The uptime for the play machines has not been great, because they need to be monitored continually. Such a machine would have the potential to become a risk to everyone, including me, my ISP and people who use it, if it was cracked and I didn't respond fast enough. So whenever I go on holidays or am busy with work, I have to take it off-line.

The machine had its own iptables setup to prevent undesired network access from leaving the local machine. It also was placed behind a firewall, which applied similar restrictions on data transfers. This setup prevented any user from even probing my firewall from the inside unless they first cracked the security of the play machine. I initially allowed most outbound network connections other than SMTP, but I soon changed this to allow only outbound connections to a Web proxy. SSH tunnels could be used for other Net access. Also, I denied X forwarding so that if a user mistakenly enables it on his client, his machine can't be attacked by other users on the play machine.