Loading
Networking in NSA Security-Enhanced Linux
Break through the complexity of SELinux with a working example that shows how to add SELinux protection to a simple network server.
The system_u user and object_r role are default values for system objects. It wouldn't make any sense for a port to have a real user or role; it's not owned by anyone and it doesn't initiate any actions that require a verdict from SELinux.
A socket is labeled by its associated inode and is categorized as either a generic socket or one of the following socket subclasses:
UNIX stream.
UNIX datagram.
TCP.
UDP.
Raw (includes ICMP and other non-TCP/UDP).
Netlink families.
Packet.
Key (pfkeyv2).
Subclasses of sockets can be distinguished in security policy, providing for fine-grained control and flexibility over different network protocols:
allow lpd_t printer_port_t:tcp_socket name_bind;
This rule allows only a TCP socket created in the lpd_t domain to bind to a port of type printer_port_t.
IPv4 and IPv6 ports are labeled implicitly within the kernel, as specified by policy. The format for labeling port types is:
portcon protocol { port number | port range }
context
The following defines a security context for labeling the standard printer port:
portcon tcp 515 system_u:object_r:printer_port_t
Each network interface (netif) is labeled with a security context, as specified in policy. Network interfaces are labeled as follows:
netifcon interface context default_msg_context
The default_msg_context parameter is intended to be used for labeling messages arriving on the interface, but is not currently used.
Here are some examples of netif labeling in policy:
netifcon eth0 system_u:object_r:netif_intranet_t [...] netifcon eth1 system_u:object_r:netif_extranet_t [...]
Under SELinux, a node refers to an IPv4 or IPv6 address and netmask. It allows host and network addresses to be labeled with security contexts via policy.
The format for labeling nodes is:
nodecon address mask context
Here are examples of labeling localhost addresses:
nodecon 127.0.0.1 255.255.255.255
system_u:object_r:node_lo_t
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
system_u:object_r:node_lo_t
Access-control hooks are implemented for every socket system call, allowing all socket-based network protocols to be mediated by SELinux policy. A few hooks are used only for housekeeping, but otherwise, hooks generally are used to check one or more access-control permissions.
As there are a large number of generic socket controls, see Table 1 for the relationships between the hooks, socket system calls and permissions.
Table 1. The Relationships between Hooks, Socket System Calls and Permissions
| Hook | System Call | SELinux Permission |
|---|---|---|
| selinux_socket_create | socket | create |
| selinux_socket_post_create | socket | n/a |
| selinux_socket_bind | bind | bind |
| selinux_socket_connect | connect | connect |
| selinux_socket_listen | listen | listen |
| selinux_socket_accept | accept | accept |
| selinux_socket_sendmsg | sendmsg, send, sendto | write |
| selinux_socket_recvmsg | recvmsg, recv, recvfrom | read |
| selinux_socket_getsockname | getsockname | getattr |
| selinux_socket_getpeername | getpeername | getattr |
| selinux_socket_setsockopt | setsockopt | setopt |
| selinux_socket_getsockopt | getsockopt | getopt |
| selinux_socket_shutdown | shutdown | shutdown |
Internally, the socket() system call is decomposed into two hooks. The selinux_socket_create hook is used to check whether the process can create a socket of the type requested. The selinux_socket_post_create management hook is used to assign a security label and socket class to the newly allocated inode associated with the socket.
The SELinux permissions also abstract the way system calls and other operations are viewed from a security point of view. Note, for example, that the getattr permission is used for the getsockname() and getpeername() system calls. They are seen to be equivalent security-wise by SELinux. Similarly, all of the sendmsg()- and recvmsg()-based system calls are reduced for security management purposes into simply read and write. For the curious, the code behind these hooks can be found in the 2.6 kernel, in security/selinux/hooks.c.
As sockets are also files, they inherit some of the access controls associated with files. Table 2 lists the file-specific hooks and permissions inherited by sockets.
Table 2. File-Specific Hooks and Permissions
| Hook | System Call | SELinux Permission |
|---|---|---|
| selinux_file_ioctl | ioctl | ioctl |
| selinux_inode_getattr | fstat | getattr |
| selinux_inode_setattr | fchmod, fchown | setattr |
| selinux_file_fcntl | fcntl | lock |
| selinux_file_lock | fcntl, flock | lock |
| selinux_file_permission | write, write, read | append, write, read |
______________________
White Paper
Fabric-Based Computing Enables Optimized Hyperscale Data Centers
Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- RSS Feeds
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Home, My Backup Data Center
- New Products
- Developer Poll
- Trying to Tame the Tablet
- Python Programming for Beginners
- Hey God - You may not be
4 hours 11 min ago - Reply to comment | Linux Journal
6 hours 44 min ago - Drupal is an Awesome CMS and a Crappy development framework
11 hours 23 min ago - IT industry leaders
13 hours 46 min ago - Reply to comment | Linux Journal
1 day 6 hours ago - Reply to comment | Linux Journal
1 day 9 hours ago - Reply to comment | Linux Journal
1 day 10 hours ago - great post
1 day 10 hours ago - Google Docs
1 day 11 hours ago - Reply to comment | Linux Journal
1 day 16 hours ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.
Comments
Total bewilderment
What a wonderful example of why kernel hackers shouldn't write magazine articles! I really wanted to understand this SELinux stuff, but this is an impenetrable mess.
Here's how not to do it: first, ensure you don't define your audience. I initially thought this was aimed at developers, but now I think perhaps it's aimed at systems administrators. Second, throw in a whole load of acronyms, right the beginning: MAC, TE, RBAC DAC, LSM (trying to ensure you never use them again in the rest of the piece). Then make life hard for the reader by giving a "general form" containing 3 lines, followed by an example containing 1 line. Still with us? Great. Throw in a few more undefined terms, like "security context", "target context" and "source context", then a few references to system calls (a couple of dozen should be enough). Next present a config file that is longer than the source of the program it is supposed to protect, plus tweaks to 3 other obscure files, the purpose of each remaining unexplained. Then throw in a "make" command without explaining that either. Finish up with a set of obscure commands to prove the example works, carefully labelling it as a "simple demonstration". Job done!
Perhaps I'm in a flippant mood this morning. Perhaps it's because I'm an application developer, not a sysadmin. Perhaps I haven't had enough caffeine. Or perhaps, just possibly, this article is written from the inside out, and is therefore only accessible to those who already understand what the heck it's on about.
If you want to understand mor
If you want to understand more about the underlying concepts, I'd suggest looking at the Faye Coker article listed in the resources, http://www.linuxjournal.com/article/7864
The article is aimed at anyone interested in how SELinux works underneath, and documents a lot of previously undocumented aspects of the networking. I guess it may have been better to drop the introductory section (instead referring to other resources) and include a short glossary.
There is no Faye Cocker article
I looked at that link, http://www.linuxjournal.com/article/7864
There is no Faye Coker article listed on that page. I did a find on the entire web page for "faye" and "coker", nothing.