
SELinux 101: What You Should Know
Electronic Design
Chris Hallinan
Wed, 2015-03-25 11:02

Originally integrated into the mainline Linux kernel over a decade ago, SELinux is a framework and set of tools used to harden Linux systems against potential threats.

The profound growth in Internet-connected devices has heightened the need for secure systems, beyond the traditional bounds of enterprise IT gateways and servers. Embedded devices from wearables to automobiles, consumer devices, factories, and much more are being connected to the Internet at astounding rates. Billions of consumer and industrial devices are now connected, with trillions more to come.

Recent high-profile attacks on major corporate and government computer systems have heightened the public awareness of computer system security. These highly publicized cyber attacks compromised the personal information of millions of consumers, resulting in the reissue of millions of credit cards whose numbers had been stolen by the cybercriminals behind these attacks. Software vulnerabilities with names like Heartbleed and Shellshock became familiar terms even outside of computer circles. For these and other reasons, building secure Internet-connected devices has never been more important.

SELinux Background

SELinux is a framework and set of tools originally developed by the United States NSA that is used to harden Linux systems against potential threats. These threats can include deliberate attacks, misuse, and software vulnerabilities including viruses and malware. SELinux was originally integrated into the mainline Linux kernel over a decade ago, in the early days of the Linux 2.6 kernel. While no framework can protect against certain software bugs, SELinux has the potential to make a system much more robust and far less vulnerable to external threats including viruses and malware. SELinux is an important tool in the arsenal of security analysts, and is used as a key component of an overall system security strategy.

Traditional UNIX and current Linux systems rely on a security model called Discretionary Access Control. In the DAC model, access to system resources is based on the identity of the (user) processes and the groups to which that user belongs. It is characterized by a set of users and groups, to which each process and file system object belongs, together with file system attributes that include read, write and execute in three categories for every file system object. The categories are user, group, and other.

For example, a file called logo.png might belong to user chris and group tools. The file's attributes could be user: read-write, group: read, other: none. This configuration would allow user chris to have read-write access to the file, any user in group tools would have read access, while any other non-root users on the system not in group tools would be denied access. This is the traditional DAC access model.

Figure 1 illustrates these concepts in simplified form. In the figure we define two users and three file system objects. User Sue belongs to groups finance and mktg, while user Bob belongs to the admin group. File A is owned by Sue and is in the finance group. File B is owned by the root user, and is in the admin group. File C is owned by Bob and is in the mktg group.

Figure 1 depicts the access rights for each user on each file, together with the attributes for each file. Notice that each user has read/write access to files that they respectively own, but only Bob in the admin group has any access to the file owned by root, because he is a member of the admin group, and File B is also.
By contrast, SELinux-enabled systems are built around a security model called Mandatory Access Control. MAC-based systems extend the security architecture beyond users, groups and file permissions. SELinux uses the Linux Security Modules (LSM) framework of the Linux kernel to extend the security capabilities of stock Linux systems. The fundamental model for SELinux MAC involves a subject (process) attempting to perform an action (read, write, allocate memory, etc.) on an object (system resource). In security circles, this architecture is often referred to as a subject-access-object model.

Discretionary and mandatory access control systems differ in a fundamental way. The best way to understand the difference is the following: In a simple Linux system using only the usual DAC access mechanisms, a user can make his own decisions and specify the access permissions for the resources that he owns. In other words, the access permissions for his own resources are at his own discretion. In a MAC system, access permissions for every resource on the system, independent of ownership, are centrally controlled by a system-wide security policy. MAC security policy overlays DAC, but does not eliminate it. That is, assuming the global SELinux policy allows user Sue read access to file A, Sue still must have traditional DAC read permissions to read file A. In SELinux, all actions by subjects on objects must be explicitly granted by the SELinux policy.

This explanation might sound complicated but the fundamental concepts are not difficult. Let's assume that a subject (often a process acting on behalf of a user) wishes to open a file on a specific file system. A rule must be created that instructs SELinux to allow that specific process to exercise open and read/write permissions for that particular file. Of course, this example is overly simplistic, but describes the conceptual behavior.

SELinux uses a global set of labels that must first be attached to each subject and object in the system. When a Linux system is initially configured for SELinux, or when the SELinux policy is changed, a special system process traverses the entire file system and applies (or relabels, as it's called in the SELinux vocabulary) every file in the file system according to templates supplied with the SELinux framework. SELinux prevents access to any system resource that is not labeled. For example, if a USB drive is inserted on an SELinux system in enforcing mode, the files on that USB drive are unreadable by any user on the system, including the root user, unless the system policy has specific rules to allow such access.

A central database contains a set of rules that explicitly define the access rights to a specified object for any given action by a subject. This set of rules associates the labels from subjects and objects to grant access rights based on these labels. Collectively the set of access rules is referred to as the system policy. Several policies can exist on the same system. A global SELinux configuration file selects which policy is to be used during the uptime of a Linux system. Many Linux distributions support several policies. Some embedded Linux distributions ship with a minimum policy, which provides an initial framework that allows the embedded developer complete control and customization of the system's behavior.

SELinux is architected such that the mechanism for governing access control is entirely separate from the policy that is used to enforce a given security model. The kernel is responsible solely for enforcement control, and makes no policy decisions as to whether the requested action is allowable or not. A policy rule either allows a particular action by a subject on an object, or it does not. The kernel knows nothing of this policy, and acts only to allow or deny actions based on the rules generated by the policy. Furthermore, when SELinux is set to enforcing mode, access is denied by default unless a rule specifically grants access to a given resource by a specific subject.

Enabling SELinux

SELinux must be enabled on a Linux system before it can be used. The Linux kernel must be compiled with support for the SELinux security infrastructure. Several kernel configuration parameters enable SELinux and set this as the default security model. See CONFIG_SECURITY_SELINUX* in the Linux kernel configuration menu for details. Detailed information on compiling the kernel with these configuration parameters is beyond the scope of this article.

Many Linux distributions, including embedded Linux distributions, come with options to easily enable SELinux. If you are working with one of these commercial Linux distributions, you should find documentation on how to enable the kernel for SELinux within the documentation that accompanies your distribution.

Once the kernel has been compiled for SELinux support it must be enabled. SELinux has three modes.

Disabled: The infrastructure is present and operational, but has been effectively turned off.
Permissive: SELinux is enabled and fully functional, but by default allows all actions. Actions are logged for use in creating custom rules.
Enforcing: SELinux is working and preventing unauthorized actions.

When SELinux is running in disabled mode, it does nothing. SELinux policy rules are not enforced, and audit logging is completely disabled. Permissive mode is useful for development and debug of SELinux policy. In permissive mode, SELinux allows all accesses, but logs each access using a syntax that can easily be converted into a rule or set of rules that will allow the access. An SELinux utility called audit2allow can actually create a rule from a log entry, making system configuration much easier for those new to SELinux. Enforcing mode should be obvious: SELinux is enabled and actively protecting the system resources from unauthorized access outside of those allowed by the policy.

By default, when SELinux has been enabled in the kernel, it will be enabled after system boot. A global configuration file determines its operational mode at boot time. This file has different names and locations depending on the Linux distribution in use, but a common path for most distributions is /etc/selinux/config. This global configuration file selects two runtime parameters for SELinux. The first is the mode enumerated in the list above. The second is the policy to use by default. The format of the configuration file is quite simple:

SELINUX=enforcing
SELINUXTYPE=default
These entries in the SELinux global configuration file instruct SELinux to enter the enforcing mode and use the policy called default. Many Linux distributions ship with several example policies, or have them available for download. Others may include standard and mls, or multi-level security. It is important to understand that these are template policies, provided for the user's convenience, and are almost never used unmodified in a production system. It is up to the system designer or administrator to modify and extend these policies for a specific product application.

Policy names can vary depending on the Linux distribution in use. Some common policy names and their descriptions follow:

minimum: Simple entry-level policy that provides for a small number of protected domains for applications such as http server, ftp server, etc. Most processes in a minimal policy will run unconstrained.
standard: Typical policy often used for desktop applications.
mls: Supports a multi-level, hierarchical policy for highly critical systems such as those used in military and government applications.
refpolicy: This is the SELinux reference policy published on github that can be used for a variety of systems and makes a good starting point for building a comprehensive customized policy, and in many distributions, is the base for the standard policy. It has its roots in the original NSA example policy.
One can easily discover whether SELinux is enabled and operational. Simply use the getenforce command from the Linux command line:

root@pluto:# getenforce
Enforcing

This trivial command reports that SELinux has been configured and enabled with the enforcing mode as described above. Another useful command is used to examine the state of an SELinux-enabled system. sestatus, issued without parameters, will list some pertinent information about the SELinux installation, including its current status (the same information as reported by the getenforce command as shown above) as well as the current mode, policy name and version and other relevant data.

root@pluto:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             minimum
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

SELinux Security Context

In a traditional Linux system, users are typically associated with humans that interact with the system. In SELinux, a user is not generally associated with a specific human (user account) as it often is in traditional Linux systems, but more often represents a class of users. For example, a typical SELinux embedded system configured with a minimal policy might have 6 users by default: sysadmin, system, root, staff, user and unconfined. In typical SELinux syntax, these user classes would be named system_u, user_u, etc. However, there is nothing in SELinux that enforces this naming style; it has become convention in the design and management of SELinux policy to decorate the label with an underscore and letter representing one of user (u), role (r) or type (t).

A role is used in SELinux systems to control which domains a user is allowed to occupy. Roles in a typical embedded Linux system configured with a minimal policy might include staff_r, user_r, object_r, sysadm_r, system_r and unconfined_r. Notice again the convention of decorating the role name with an underscore r.

In SELinux, all subjects and objects are associated with a type which, taken together, governs the access permissions for specific users. The combination of user:role:type is called the security context. (Additional fields called sensitivity and category exist to support multi-level security policies, but these are often unused where MLS is not required.) Figure 4 illustrates the format of an SELinux context. Notice that the Sensitivity and Category fields are in parentheses, indicating that they are optional and often unused or set to default values.

In SELinux-enabled systems, common Linux utilities have been enhanced to show the security context as an aid to troubleshooting access permissions and designing new security modules for custom applications. For example, most relevant utilities will honor the -Z switch to show SELinux security context output. For example, using the ls command with the -Z switch yields this:

root@pluto:~# ls -Z /lib | head -n 5
system_u:object_r:lib_t:s0 depmod.d
system_u:object_r:lib_t:s0 firmware
system_u:object_r:lib_t:s0 ld-linux-armhf.so.3
system_u:object_r:lib_t:s0 ld-linux.so.3
system_u:object_r:lib_t:s0 libacl.so.1

These objects found in the /lib directory have a user of system_u, role of object_r, and type of lib_t.

In order to implement security context, SELinux applies labels to every file system object and controlled resource in the system. SELinux-enabled systems perform this file system labeling upon first boot, or when the policy is changed. You can also manually relabel the file system. When you first enable an SELinux system, you may notice a reboot directly after startup while SELinux performs the file system relabeling operation. When a system is enabled with SELinux, the supported file systems make use of extended attributes designed to hold the security context information.

SELinux Policy Types

One of the criticisms of SELinux is that it is very complex and a custom security policy is very difficult to design, configure and manage. Indeed, the reference policies that come with most distributions have thousands of rules. The minimum policy used as the basis of this article, which originates from the Yocto Project, contains just short of four thousand allow rules. SELinux running on a complex multi-user server might contain tens of thousands to even one hundred thousand or more allow rules.

If you were to examine the source code for an SELinux reference policy, it would resemble the source tree of a relatively complex software project. It has a build infrastructure, configuration files, and multiple subdirectories of policy source. The reference policy is built in a fashion similar to a complex software package. The source tree is configured, followed by a build step, and then a package step. Once built, the result (a set of binary policy objects) can be installed on a system as a reference policy. The reference policy is maintained as a source tree on github at github.com/TresysTechnology/refpolicy.

SELinux access rules are constructed based on a security context, consisting of the triplet user:role:type. In order for a process to access a system object, it must be in the same domain. Consider the domain as synonymous with the type field of the context. Access rules allow the process to transition to the domain of an object, while other rules allow the process to access specific resources based on user and sometimes role.

The typical approach to customizing an SELinux system is to add to a default policy in a modular fashion. SELinux supports the concept of a policy module to contain changes required for a specific application or set of applications.

The semodule utility is used to list, add, remove, enable, disable, or upgrade SELinux policy modules. In order to give a custom application permission to run on the system, a module can be added specifying the rules required for that application.

SELinux systems contain a search utility to view the configured rules. The sesearch utility provides the system developer with the ability to search through the policy for specific rules, or to print them all. The secon utility displays the security context for a specified object.

A typical SELinux rule might look like this:

allow user_t user_home_t:file { create read write unlink };

This example rule, taken from the excellent SELinux wiki at selinuxproject.org, allows any process labeled with type user_t to create, read, write or delete any files labeled with type user_home_t.
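The rule syntax above, the user:role:type[:level] context format from the previous section, and the disabled/permissive/enforcing semantics described under Enabling SELinux, worked through in an added Python example (not code from the article or from the SELinux project): it parses contexts and allow rules, then decides one access the way the text describes, with the MAC answer overlaying a DAC result. The sample policy and the AVC-style log line are constructed for illustration.

```python
"""Toy model of an SELinux access decision: parse security contexts and
`allow` rules, then check a request. Added example, not project code;
the AVC-style log line is a constructed approximation of kernel output."""
import re
from typing import NamedTuple, Optional

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str] = None  # sensitivity[:category]; optional (MLS only)

def parse_context(text: str) -> Context:
    """Split 'user:role:type[:s0[:c0.c2]]' as printed by `ls -Z`."""
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {text!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

# allow <source_type> <target_type>:<class> { perm perm ... };
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}")

def parse_policy(src: str) -> dict:
    """Map (source_type, target_type, class) -> set of permitted permissions."""
    policy = {}
    for src_t, tgt_t, cls, perms in RULE_RE.findall(src):
        policy.setdefault((src_t, tgt_t, cls), set()).update(perms.split())
    return policy

def check(mode, policy, scontext, tcontext, cls, perm, dac_ok, log):
    """Decide one access. dac_ok is the traditional owner/group/other answer;
    MAC overlays DAC and never grants what DAC denied. Enforcing denies
    anything not explicitly allowed; permissive logs the would-be denial
    but allows it; disabled adds nothing beyond DAC."""
    if not dac_ok:
        return False
    if mode == "disabled":
        return True
    s, t = parse_context(scontext), parse_context(tcontext)
    if perm in policy.get((s.type, t.type, cls), set()):  # domain == type field
        return True
    log.append(f"avc: denied {{ {perm} }} scontext={scontext} tcontext={tcontext} tclass={cls}")
    return mode == "permissive"

# Constructed sample policy using the rule syntax shown on the page.
SAMPLE_POLICY = "allow user_t user_home_t:file { create read write unlink };"
```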

Summary

SELinux can be used as one element of an overall security architecture. When enabled, a global policy defines what operations a subject (usually a process) can perform on objects (usually files and other system resources). This is referred to as Mandatory Access Control. Simply stated, unless the policy explicitly states program A is allowed to perform action X, then it will not be allowed. SELinux can partition applications or groups of applications to their own domain, effectively isolating them from the rest of the system. A properly designed security policy will significantly limit the damage in case a software vulnerability or malicious attacker gains access to an application.

It is important to understand that while many SELinux-enabled distributions come with default policies, these are virtually never used without modification in production systems. Some level of design, implementation and, most importantly, validation is required before a system can be deployed confidently. While some may criticize SELinux as being difficult to master and configure, it is little different from learning any new programming language or operating system. A learning curve is to be expected but the protection provided by SELinux for Internet-connected devices far outweighs the development overhead.
Source URL: http://electronicdesign.com/embedded/selinux101whatyoushouldknow
