Core Policy Management Infrastructure for SELinux

2005 SELinux Symposium
Karl MacMillan <kmacmillan@tresys.com>
Tresys Technology, http://www.tresys.com

Core Policy Management Infrastructure
- Production systems need policy management
  - addition and removal of application policy
  - updates to existing policy
  - user and role administration
- Required to fully leverage dynamic policy
  - core capability available
  - supporting infrastructure required
- Infrastructure needs to be secure and robust
  - ideally across multiple systems

Policy Management Robustness
- Current policy management is not robust
  - changes and updates use a compile process
  - errors are compile errors
  - requires a complete development environment
  - no strong dependency model: source policy is closely coupled
  - difficult to automate with tools
- Current weaknesses force compromises
  - Fedora / RHEL does not require source policy
  - prevents important local customizations
- Some workarounds available
  - transformation of binary policy on load

Policy Management Security
- Policy modifications are controlled, but not in a granular way
  - a single permission for policy loading grants access to change any portion of the policy
  - no provision for least privilege (e.g., seuser is granted complete policy control)
- No secure delegation of policy administration
  - give the ability to change a portion of a policy
  - ensure that the overall policy intent is not changed
- No means to verify security goals on policy change (e.g., automated analysis)
- Policy is managed on a single-system basis

User-space Object Managers
- User-space object managers enforce access control over internal resources using the SELinux access control model
  - DBus, passwd, and X are current examples
- Creates additional object classes
  - currently requires kernel modifications
  - no dynamic object class registration
- All policy is loaded into the kernel, even policy only enforced in user-space
  - wastes precious kernel resources

Policy Management Projects
- Tresys is working on two projects: policy modules and the policy server
  - both address robustness and security
- Policy modules
  - functionally complete
  - submission for upstream soon
- Policy server
  - in progress; continuation of the module work
  - prototype available
- Projects available on SourceForge: http://www.sf.net/projects/sepolicy-server

Policy Module Introduction
- Three main goals
  - create manageable binary policy modules
    - different from the existing kernel binary format
    - including labeling information
  - support loosely coupled policies
    - strong dependency model
  - infrastructure to securely manage modules
    - manage and link modules on production systems
    - maintain consistent, coherent policy at all times
    - verify security goals on policy change
- Other design goals
  - migration path from existing infrastructure
  - preserve existing kernel binary format

Policy Module Architecture Introduction
- Two major components
  - development tools: checkmodule, sepackagemodule, ...
  - policy module store and tools: semodule
- Development tools allow policy developers to create policy modules
- Policy module store and tools manage policy modules on production systems

Policy Module Infrastructure
[Diagram: development-to-production pipeline]
- Development: application policy source plus file contexts -> checkmodule -> policy module -> policy package; base policy source plus file contexts -> checkmodule -> base module -> base package
- Production: packages go into the Module Store (modules, base module, file contexts); semodule runs the linker -> linked policy -> expander -> kernel binary -> kernel

Policy Module Challenges
- Linking modules requires
  - preserving and expanding attributes
  - expanding wildcards (* and ~) in both rules and declarations
  - addition and awareness of identifier scope
- Required widespread changes to libsepol
  - modified libsepol supports the kernel binary format, the base module format and the module format
  - security-server functionality only supports the kernel format

Policy Store and Tools
- Policy store is structured files and directories
  - protected by the policy
  - contains modules and file contexts
- semodule manages the policy store
  - provides atomic transactions: multiple modules can be added or removed; failures result in abort of the entire transaction
  - enforces consistency and coherency
  - performs locking against multiple writers
  - executes policy verification applications
  - creates and loads the kernel binary
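The transaction model described for semodule (stage several adds and removes, lock out other writers, run verification applications, and either commit everything or nothing) can be shown with a small store simulation. This is an added example, not code from the slides or from the sepolicy-server project: the <root>/modules/<name>.pp layout, the Transaction and ModuleStore classes and the "requires:" header line inside the constructed module files are all assumptions standing in for the real package format and its dependency data.

```python
import fcntl
import os
import shutil
import tempfile
from contextlib import contextmanager

# Hypothetical layout: <root>/modules/<name>.pp, one text file per module.
# The files are constructed stand-ins for policy packages; the "requires:"
# line is an invented header representing a module's dependency data.

def _read_modules(directory):
    mods = {}
    for fn in os.listdir(directory):
        if fn.endswith(".pp"):
            with open(os.path.join(directory, fn)) as f:
                mods[fn[:-3]] = f.read()
    return mods

def verify_dependencies(mods):
    """Verification application run before commit; returns a list of problems."""
    problems = []
    for name, text in mods.items():
        for line in text.splitlines():
            if line.startswith("requires:"):
                for dep in line.split()[1:]:
                    if dep not in mods:
                        problems.append(f"{name} requires missing module {dep}")
    return problems

class Transaction:
    """Adds and removes are applied to the staging copy, never to the live store."""
    def __init__(self, staging):
        self.staging = staging
    def add(self, name, text):
        with open(os.path.join(self.staging, name + ".pp"), "w") as f:
            f.write(text)
    def remove(self, name):
        os.remove(os.path.join(self.staging, name + ".pp"))

class ModuleStore:
    def __init__(self, root):
        self.root = root
        self.live = os.path.join(root, "modules")
        os.makedirs(self.live, exist_ok=True)

    def modules(self):
        return _read_modules(self.live)

    @contextmanager
    def transaction(self, verifiers=(verify_dependencies,)):
        """Stage all changes in a scratch copy; commit only if every verifier
        accepts the staged set.  Any failure, including an exception raised
        inside the caller's block, leaves the live store untouched."""
        lock = open(os.path.join(self.root, ".lock"), "w")
        fcntl.flock(lock, fcntl.LOCK_EX)            # one writer at a time
        staging = tempfile.mkdtemp(dir=self.root, prefix=".txn-")
        try:
            for fn in os.listdir(self.live):
                shutil.copy(os.path.join(self.live, fn), staging)
            yield Transaction(staging)
            problems = [p for v in verifiers for p in v(_read_modules(staging))]
            if problems:
                raise ValueError("; ".join(problems))
            old = self.live + ".old"
            os.rename(self.live, old)
            os.rename(staging, self.live)   # each rename is atomic on POSIX; a crash
            shutil.rmtree(old)              # between them leaves .old for recovery
        except BaseException:
            shutil.rmtree(staging, ignore_errors=True)
            raise
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)
            lock.close()

def run_demo(root=None):
    """Commit one good transaction, then roll back a bad one.  Returns the
    module names after each step and the error from the aborted transaction."""
    root = root or tempfile.mkdtemp(prefix="sepolicy-store-")
    store = ModuleStore(root)
    with store.transaction() as t:
        t.add("base", "module base 1.0\n")
        t.add("apache", "module apache 1.0\nrequires: base\n")
    after_good = sorted(store.modules())
    error = None
    try:
        with store.transaction() as t:
            t.add("gnome", "module gnome 1.0\n")
            t.add("test", "module test 1.0\nrequires: gnome xserver\n")  # xserver absent
    except ValueError as e:
        error = str(e)
    after_bad = sorted(store.modules())
    shutil.rmtree(root)
    return after_good, after_bad, error

if __name__ == "__main__":
    print(run_demo())
```

The second transaction adds two modules, one of which depends on a module nobody provides; the verifier rejects the staged set, so neither module reaches the live store. That is the property the slide calls out: a failure aborts the entire transaction, not just the offending module.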

Checkmodule
- New policy compiler for modules
- Introduces new language features
  - language subset for modules: excludes object class declaration
  - labeling statements
  - dependency handling of policy identifiers
    - users, roles, types, attributes, object classes, and bools
    - both required and optional identifier sets
  - link-time conditional policy statements based on optional identifier sets
- Shares substantial code with checkpolicy

Module Language Example

    module test 1.0;

    require {
        class file { getattr setattr read write ioctl execute entrypoint lock };
        ...
        attribute domain, userdomain, file_type, exec_type;
        role sysadm_r, user_r, system_r;
        type sysadm_t, user_t;
    }

    optional gnome {
        type gnome_t, xserver_t;
    }

    type test_t, domain;
    type test_exec_t, file_type, exec_type;
    role sysadm_r types test_t;
    role user_r types test_t;
    domain_auto_trans(userdomain, test_exec_t, test_t)

    ifopt (gnome) {
        allow test_t gnome_t : file { getattr read };
        allow test_t xserver_t : file { read write ioctl getattr setattr };
    }
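The dependency model behind the require / optional / ifopt statements (the Checkmodule and Policy Module Challenges slides) can be illustrated with a small parser and linker for the language subset used in the example above. This is an added example, not checkmodule or libsepol code: the parser covers only the statements shown, the base identifier set and the gnome module are constructed, and the domain_auto_trans() line is left out because it is an m4 macro rather than a module-language statement. What it shows is the link-time decision itself: the required identifiers must all resolve or linking fails, while the optional block is enabled only when every identifier it names exists, and only then do the ifopt rules become part of the linked policy.

```python
import re

# Constructed sample: the page's module language example, trimmed to the
# statements the parser below understands (domain_auto_trans() omitted).
TEST_MODULE = """
module test 1.0;
require {
    class file { getattr setattr read write ioctl execute entrypoint lock };
    attribute domain, userdomain, file_type, exec_type;
    role sysadm_r, user_r, system_r;
    type sysadm_t, user_t;
}
optional gnome {
    type gnome_t, xserver_t;
}
type test_t, domain;
type test_exec_t, file_type, exec_type;
role sysadm_r types test_t;
role user_r types test_t;
ifopt (gnome) {
    allow test_t gnome_t : file { getattr read };
    allow test_t xserver_t : file { read write ioctl getattr setattr };
}
"""

# Constructed base identifiers satisfying TEST_MODULE's require block, and a
# constructed gnome module that satisfies its optional block.
BASE = {("class", "file"), ("attribute", "domain"), ("attribute", "userdomain"),
        ("attribute", "file_type"), ("attribute", "exec_type"),
        ("role", "sysadm_r"), ("role", "user_r"), ("role", "system_r"),
        ("type", "sysadm_t"), ("type", "user_t")}
GNOME_MODULE = "module gnome 1.0;\ntype gnome_t, domain;\ntype xserver_t, domain;\n"

def parse_module(text):
    """Parse one module into required, optional and declared identifier sets
    plus its unconditional rules and its ifopt-guarded rules."""
    mod = {"name": None, "require": set(), "optional": {}, "declares": set(),
           "rules": [], "ifopt": {}}
    block = None   # None (top level), "require", ("optional", n) or ("ifopt", n)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            block = None
        elif (m := re.match(r"module\s+(\w+)\s+[\d.]+;$", line)):
            mod["name"] = m.group(1)
        elif line == "require {":
            block = "require"
        elif (m := re.match(r"optional\s+(\w+)\s*\{$", line)):
            block = ("optional", m.group(1))
            mod["optional"][m.group(1)] = set()
        elif (m := re.match(r"ifopt\s*\(\s*(\w+)\s*\)\s*\{$", line)):
            block = ("ifopt", m.group(1))
            mod["ifopt"][m.group(1)] = []
        elif (m := re.match(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\};$", line)):
            rule = ("allow", m.group(1), m.group(2), m.group(3), frozenset(m.group(4).split()))
            if isinstance(block, tuple) and block[0] == "ifopt":
                mod["ifopt"][block[1]].append(rule)
            else:
                mod["rules"].append(rule)
        elif (m := re.match(r"role\s+(\w+)\s+types\s+(\w+);$", line)):
            mod["rules"].append(("role_types", m.group(1), m.group(2)))
        elif (m := re.match(r"(class|attribute|role|type)\s+([^;{]+?)\s*(?:\{[^}]*\})?;$", line)):
            kind = m.group(1)
            names = [n.strip() for n in m.group(2).split(",")]
            ids = {(kind, n) for n in names}
            if block == "require":
                mod["require"] |= ids
            elif isinstance(block, tuple) and block[0] == "optional":
                mod["optional"][block[1]] |= ids
            else:   # top level: "type T, a, b;" declares T with attributes a and b
                mod["declares"].add((kind, names[0]))
        else:
            raise SyntaxError(f"unrecognised statement: {line}")
    return mod

def link(base_decls, modules):
    """Every required identifier must be declared by the base or some module;
    an optional block is enabled only when all of its identifiers exist, which
    in turn pulls that block's ifopt rules into the linked policy."""
    declared = set(base_decls).union(*(m["declares"] for m in modules))
    rules, enabled, errors = [], {}, []
    for mod in modules:
        missing = mod["require"] - declared
        if missing:
            errors.append(f"{mod['name']}: unresolved {sorted(missing)}")
            continue
        rules.extend(mod["rules"])
        for opt, ids in mod["optional"].items():
            enabled[(mod["name"], opt)] = ids <= declared
            if ids <= declared:
                rules.extend(mod["ifopt"].get(opt, []))
    return {"rules": rules, "enabled": enabled, "errors": errors}

def demo(with_gnome):
    """Link the test module with or without the gnome module present."""
    mods = [parse_module(TEST_MODULE)] + ([parse_module(GNOME_MODULE)] if with_gnome else [])
    return link(BASE, mods)

if __name__ == "__main__":
    for flag in (False, True):
        r = demo(flag)
        print("gnome module present:", flag, "->", r["enabled"], "rules:", len(r["rules"]))
```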

Policy Server Introduction
- Three goals
  - fine-grained policy access control
    - least privilege on policy change
    - delegation of policy management
  - enhanced policy management (local and remote)
  - robust support for user-space object managers
- Architecture comprised of two components
  - policy management server
  - user-space security server

Architecture Overview
- Policy management server
  - contains the canonical policy
  - mediates all changes to policy, eventually including remote changes
  - enforces access control on policy
    - policy object model
    - hierarchical constraints
  - distributes policy to security servers (user-space and kernel)
    - kernel only receives kernel policy
- User-space security server
  - provides access control decisions to user-space
  - dynamic object class management / registration

Language extensions
- Policy object model
  - abstraction of policy into object classes, e.g., policy.user, policy.role, policy.type
  - objects explicitly labeled: policycon
  - policy rules control changes to policy (meta-policy)
- Hierarchical constraints
  - introduces hierarchy into policy identifier namespaces, e.g., apache, apache.cgi, apache.cgi.user
  - children's access constrained to be a subset of the parent's
  - patches and a separate verifier available
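The two extensions work together when the policy management server mediates a change: the meta-policy decides whether the requester may touch that part of the policy at all, and the hierarchical constraint decides whether the resulting policy is still well-formed. The following added example (not code from the slides, the policy server prototype or libsepol) models both checks over a small rule set. The class names policy.type / policy.role, the policycon labeling idea and the dotted namespaces come from the slides; the tuple rule representation, the prefix-based policycon matching, the "add" / "modify" / "remove" operations and every sample type (webadmin_t, secadm_t, apache_policy_t, httpd_content_t and so on) are constructed for illustration.

```python
# Hypothetical policy object model.  Rules are (source, target, class, perms).

def parent_of(ident):
    """apache.cgi.user -> apache.cgi; apache -> None (top of the hierarchy)."""
    return ident.rsplit(".", 1)[0] if "." in ident else None

def perms_allowed(rules, source, target, cls):
    """Union of permissions the rules grant source on (target, cls)."""
    perms = set()
    for s, t, c, p in rules:
        if (s, t, c) == (source, target, cls):
            perms |= p
    return perms

def check_hierarchy(rules):
    """Hierarchical constraint: a child type's access must be a subset of its
    parent's access to the same target and class.  Returns violations as
    (child, target, class, excess perms); an empty list means the constraint holds."""
    violations = []
    for s, t, c, p in rules:
        parent = parent_of(s)
        if parent is None:
            continue
        excess = p - perms_allowed(rules, parent, t, c)
        if excess:
            violations.append((s, t, c, frozenset(excess)))
    return violations

# policycon: label policy objects by class and namespace prefix ("" = default label).
POLICYCON = [
    ("policy.type", "apache", "apache_policy_t"),
    ("policy.type", "", "policy_t"),
]

# Meta-policy: which subjects may change which labeled policy objects.
# webadmin_t is delegated the apache namespace only; secadm_t may change any type.
META_RULES = [
    ("webadmin_t", "apache_policy_t", "policy.type", frozenset({"add", "modify"})),
    ("secadm_t", "apache_policy_t", "policy.type", frozenset({"add", "modify", "remove"})),
    ("secadm_t", "policy_t", "policy.type", frozenset({"add", "modify", "remove"})),
]

def label_policy_object(cls, ident):
    """Longest-prefix match of a policy object against POLICYCON."""
    best = None
    for c, prefix, label in POLICYCON:
        if c == cls and (prefix == "" or ident == prefix or ident.startswith(prefix + ".")):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, label)
    return best[1] if best else None

def authorize_change(subject, cls, ident, op, meta=META_RULES):
    """Meta-policy check: may subject perform op on the policy object (cls, ident)?"""
    label = label_policy_object(cls, ident)
    return label is not None and op in perms_allowed(meta, subject, label, cls)

def apply_change(subject, rules, new_rule):
    """Policy-server style mediation of an 'add allow rule' request: the subject
    must be allowed to modify the source type's policy object, and the resulting
    policy must still satisfy the hierarchy.  Appends on success; returns
    (accepted, reason)."""
    source = new_rule[0]
    if not authorize_change(subject, "policy.type", source, "modify"):
        return False, f"{subject} may not modify policy.type {source}"
    violations = check_hierarchy(rules + [new_rule])
    if violations:
        return False, f"hierarchy violation: {violations[0]}"
    rules.append(new_rule)
    return True, "accepted"

# Constructed starting policy: apache may read content; apache.cgi inherits a subset.
SAMPLE_RULES = [
    ("apache", "httpd_content_t", "file", frozenset({"read", "getattr"})),
    ("apache.cgi", "httpd_content_t", "file", frozenset({"read", "getattr"})),
]

if __name__ == "__main__":
    rules = list(SAMPLE_RULES)
    for subject, rule in [
        ("webadmin_t", ("apache.cgi.user", "httpd_content_t", "file", frozenset({"read"}))),
        ("webadmin_t", ("apache.cgi.user", "httpd_content_t", "file", frozenset({"write"}))),
        ("webadmin_t", ("sshd", "sshd_key_t", "file", frozenset({"read"}))),
        ("secadm_t", ("sshd", "sshd_key_t", "file", frozenset({"read"}))),
    ]:
        print(subject, rule[0], sorted(rule[3]), "->", apply_change(subject, rules, rule))
```

The second request is rejected even though webadmin_t is authorised for the apache namespace, because granting apache.cgi.user a permission its parent apache.cgi lacks would break the subset property; the third is rejected before any policy analysis because the meta-policy never delegated sshd to webadmin_t.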

Policy Management Infrastructure
QUESTIONS?