41. Linux Security Modules Flashcards

1
Q

Learning Objectives

By the end of this chapter, you should be able to:

  • Understand how the Linux Security Module framework works and how it is deployed.
  • List the various LSM implementations available.
  • Delineate the main features of SELinux.
  • Explain the different modes and policies available.
  • Grasp the importance of contexts and how to get and set them.
  • Know how to use the important SELinux utility programs.
  • Gain some familiarity with AppArmor.
A
2
Q

What Are Linux Security Modules?

An LSM is code compiled directly into the Linux ___ that, utilizing the LSM framework, can ___ _ ___ access to important kernel objects.

The types of objects protected ___…

A
  • kernel
  • deny a process
  • include files, inodes, task structures, credentials, and interprocess communication objects
3
Q

What Are Linux Security Modules?

The idea behind LSM is to implement mandatory access controls over the variety of requests made to the kernel, but to do so in a way that: (3)

A

  1. Minimizes changes to the kernel
  2. Minimizes overhead on the kernel
  3. Permits flexibility and choice between different implementations, each of which is presented as a self-contained LSM (Linux Security Module).

4
Q

What Are Linux Security Modules?

The basic idea of LSM is to ___ into/between system calls; insert code whenever an application requests a transition to kernel (system) mode in order to accomplish work that requires enhanced abilities; this code makes sure permissions are valid, malicious intent is protected against, etc. It does this by invoking security-related functional steps ___ a system call is fulfilled by the kernel.

A
  • hook
  • before and/or after
5
Q

Main LSM Choices

For a long time, the only enhanced security model implemented was ___. When the project was first floated upstream in 2001 to be included directly in the kernel, there were objections about using only one approach to enhanced security.

As a result, the LSM approach was adopted, where alternative modules to ___ could be used as they were developed; the LSM framework was incorporated into the Linux kernel in 2003.

The current LSM implementations are:

  1. ___
  2. ___
  3. ___
  4. ___
A
  • SELinux
  • SELinux
6
Q

Main LSM Choices

Originally, only one LSM could be used at a time, as they can potentially modify the same parts of the Linux kernel. However, since 2019 it has been possible to combine (stack) LSMs in certain specified orders.

What are the available current LSM implementations?

  1. ___
  2. ___
  3. ___
  4. ___
A
  1. SELinux
  2. AppArmor
  3. Smack
  4. Tomoyo
7
Q

Main LSM Choices

LSMs are now considered as either ___ or ___ when configuring their combination.

We will concentrate primarily on SELinux and secondarily on AppArmor in order of usage volume.

A
  • major
  • minor
8
Q

SELinux Overview

SELinux was originally developed by the United States ___ and has been integral to the ___ distro for a very long time, which has brought it a large usage base.

A
  • NSA (National Security Administration)
  • RHEL
9
Q

SELinux Overview

Operationally, SELinux is a set of security rules that are used to determine which processes can access which files, directories, ports, and other items on the system.

It works with 3 conceptual quantities. What are they?

Describe how the 3 conceptual quantities work together.

A

SELinux Conceptual Quantities:

  1. Contexts
    • Contexts are labels to files, processes and ports. Examples of contexts are SELinux user, role and type.
  2. Rules
    • Rules describe access control in terms of contexts, processes, files, ports, users, etc.
  3. Policies
    • Policies are a set of rules that describe what system-wide access control decisions should be made by SELinux.
  • A SELinux context is a name used by a rule to define how users, processes, files and ports interact with each other. As the default policy is to deny any access, rules are used to describe allowed actions on the system.
10
Q

SELinux Enforcement Modes

SELinux can be run under one of three modes.

What are the 3 modes?

These modes are selected (and explained) in ___ (CentOS and openSUSE) or ___ (Ubuntu).

The ___ utility can display the current mode and policy.

A

SELinux Modes:

  1. Enforcing
    • All SELinux code is operative and access is denied according to policy. All violations are audited and logged.
  2. Permissive
    • Enables SELinux code, but only audits and warns about operations that would be denied in enforcing mode.
  3. Disabled
    • Completely disables SELinux kernel and application code, leaving the system without any of its protections.
  • /etc/sysconfig/selinux (centos/openSUSE)
  • /etc/selinux/config (ubuntu)
  • sestatus
11
Q

LSM - SELinux utility

What 2 commands do you use to get/set the SELinux mode to one of the modes it supports? (modes: enforcing, permissive, disabled)

A
  • getenforce
  • setenforce

Examples:

$ getenforce
Enforcing

$ sudo setenforce Permissive
$ getenforce
Permissive

12
Q

LSM - SELinux utility

___ can be used to switch between ___ and ___ modes on the fly while the system is in operation. However, changing in or out of the ___ mode cannot be done this way.

A
  • setenforce
    • enforcing
    • permissive
  • disabled
13
Q

LSM - SELinux utility

While ___ allows you to switch between permissive and enforcing modes, it does not allow you to disable SELinux completely. There are at least 2 different ways to disable SELinux. What are they?

  1. ___
  2. ___
A
  • setenforce
    1. Configuration file
      • Edit the SELinux configuration file (usually /etc/selinux/config) and set SELINUX=disabled. This is the default method and should be used to permanently disable SELinux.
    2. Kernel parameter
      • Add selinux=0 to the kernel parameter list when rebooting.
14
Q

Disabling SELinux

It is important to note that disabling SELinux on systems in which SELinux will be ___ is not recommended. It is preferable to use the ___ mode instead of disabling SELinux, so as to avoid relabeling the entire filesystem, which can be time-consuming.

A
  • re-enabled
  • permissive
15
Q

SELinux Policies

The same configuration file that sets the mode, usually ___ , also sets the SELinux policy. Multiple policies are allowed, but only one can be ___ . Changing the policy may require a reboot of the system and a time-consuming re-labeling of filesystem contents. Each policy has files which must be installed under ___.

What are the 3 most common SELinux policies? Describe them.

A
  • /etc/sysconfig/selinux
  • active at a time
  • /etc/selinux/[SELINUXTYPE]
  1. targeted
    • The default policy in which SELinux is more restricted to targeted processes. User processes and init processes are not targeted, while network service processes are targeted. SELinux enforces memory restrictions for all processes, which reduces the vulnerability to buffer overflow attacks.
  2. minimum
    • A modification of the targeted policy where only selected processes are protected.
  3. MLS
    • The Multi-Level Security policy is much more restrictive; all processes are placed in fine-grained security domains with particular policies.
16
Q

SELinux Context Utilities

As mentioned earlier, contexts (in terms of SELinux) are labels applied to ___, ___, ___, and ___. Those labels are used to describe ___ ___. There are four SELinux contexts:

  1. User
  2. Role
  3. Type
  4. Level
A
  1. files
  2. directories
  3. ports
  4. processes
  • access rules
17
Q

SELinux Context Utilities

As mentioned earlier, contexts are labels applied to files, directories, ports, and processes. Those labels are used to describe access rules. There are four SELinux attributes that apply to a context. What are they?

  1. ___
  2. ___
  3. ___
  4. ___
A
  1. User
  2. Role
  3. Type
  4. Level
18
Q

Context Utilities

However, we will focus on the type context attribute, which is the most ___ utilized context attribute. The label naming convention determines that type context labels should end with ___, as in ___.

A
  • commonly
  • _t
  • kernel_t
19
Q

Context Utilities

What is the command to see the context of a

  1. file/directory
  2. process
  3. port
A
  • Use the -Z option to see the context with
    • ls -Z
    • ps -Z

Examples:

View file/directory context attributes:

  • $ ls -Z

View process context attributes:

  • $ ps auZ
20
Q

LSM Context Utilities

What is the command to change the context attribute of a file/directory, process, or port?

A
  • chcon

Examples:

$ ls -Z

-rw-rw-r--. dog dog unconfined_u:object_r:user_home_t:s0 somefile

$ chcon -t etc_t somefile
$ ls -Z

-rw-rw-r--. dog dog unconfined_u:object_r:etc_t:s0 somefile

$ ls -Z

-rw-rw-r--. dog dog unconfined_u:object_r:etc_t:s0 somefile
-rw-rw-r--. dog dog unconfined_u:object_r:user_home_t:s0 somefile1

$ chcon --reference somefile somefile1
$ ls -Z

-rw-rw-r--. dog dog unconfined_u:object_r:etc_t:s0 somefile
-rw-rw-r--. dog dog unconfined_u:object_r:etc_t:s0 somefile1
21
Q

SELinux and Standard Commands

Many standard command line commands, such as ls and ps, were extended to support SELinux, and corresponding sections were added to their man pages explaining the details. Often the parameter -Z is passed to standard command line tools, as in ls -Z and ps -Z.

Other tools that were extended to support SELinux include ___, ___, and ___.

Note that if you have disabled SELinux, no useful information is displayed in the related fields from these utilities.

A
  • cp
  • mv
  • mkdir
22
Q

LSM Context

When viewing the context attributes of this file what are the context attributes displayed?

  1. ___
  2. ___
  3. ___
  4. ___

$ ls -Z

-rw-rw-r--. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile

A
  • User
  • Role
  • Type
  • Level
23
Q

SELinux Context Inheritance

Newly created files inherit the context from their parent directory, but when ___ files, it is the context of the source directory which may be preserved, which can cause problems.

Continuing the previous example, we see the context of tmpfile was not changed by moving the file from /tmp to /home/jimih:

$ cd /tmp/
$ touch tmpfile
$ ls -Z tmpfile

-rw-rw-r--. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile

$ cd
$ touch homefile
$ ls -Z homefile

-rw-rw-r--. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile

$ mv /tmp/tmpfile .
$ ls -Z

-rw-rw-r--. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile
-rw-rw-r--. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile

The classical example in which moving files creates an SELinux issue is moving files to the DocumentRoot directory of the httpd server. On SELinux-enabled systems, the web server can only access files with the correct context labels. Creating a file in /tmp, and then moving it to the DocumentRoot directory, will make the file inaccessible to the httpd server until the SELinux context of the file is adjusted.

A
  • moving
24
Q

SELinux Restoring Context

___ resets file contexts, based on parent ___ settings. In the following example, ___ resets the default label recursively for all files at the home directory:

$ ls -Z

-rw-rw-r--. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile
-rw-rw-r--. jimih jimih unconfined_u:object_r:user_tmp_t:s0 tmpfile

$ ___ -Rv /home/jimih

___ reset /home/jimih/tmpfile context \
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:user_home_t:s0

$ ls -Z

-rw-rw-r--. jimih jimih unconfined_u:object_r:user_home_t:s0 homefile
-rw-rw-r--. jimih jimih unconfined_u:object_r:user_home_t:s0 tmpfile

Note that the context for tmpfile has been reset to the default context for files created at the home directory. The type was changed from user_tmp_t to user_home_t.

A
  • restorecon
    • directory
  • restorecon
  • restorecon
25
Q

SELinux change context default

Another issue is how to configure the default context for a newly created directory. ___ ___ (provided by the policycoreutils-python package) can change and display the default context of files and directories. Note that ___ ___ only changes the default settings; it does not apply them to existing objects. This requires calling ___ afterwards.

For example:

[root@rhel7 /]# mkdir /virtualHosts
[root@rhel7 /]# ls -Z

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 virtualHosts

[root@rhel7 /]# ___ ___ -a -t httpd_sys_content_t /virtualHosts

[root@rhel7 /]# ls -Z

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 virtualHosts

[root@rhel7 /]# ___ -RFv /virtualHosts

restorecon reset /virtualHosts context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

[root@rhel7 /]# ls -Z

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 virtualHosts

The context change from default_t to httpd_sys_content_t is thus only applied after the call to ___.

A
  • semanage fcontext
  • semanage fcontext
  • restorecon
  • semanage fcontext
  • restorecon
  • restorecon
26
Q

Using SELinux Booleans

SELinux policy behavior can be configured at ___ without rewriting the policy. This is accomplished by configuring SELinux Booleans, which are policy parameters that can be enabled and disabled.

What is the command to see the runtime booleans available to change policy behavior during ___? ___

What is the command to set the runtime booleans to change policy behavior during ___? ___

What is the command to see the persistent runtime booleans that change policy behavior during ___? ___

A
  • runtime
  • getsebool - to see booleans
  • setsebool - to set booleans
  • semanage boolean -l - to see persistent boolean settings.

The example below shows how to set a boolean, check its current value, and check whether the setting is persistent.

$ setsebool allow_ftpd_anon_write on
$ getsebool allow_ftpd_anon_write

allow_ftpd_anon_write -> on

$ semanage boolean -l | grep allow_ftpd_anon_write

allow_ftpd_anon_write -> off

Note that the setting is not persistent (above).

$ setsebool -P allow_ftpd_anon_write on
$ semanage boolean -l | grep allow_ftpd_anon_write

allow_ftpd_anon_write -> on

Now it is persistent (above).

27
Q

Monitoring SELinux Access

SELinux comes with a set of tools that collect issues at run time, log these issues and propose solutions to prevent the same issues from happening again. These utilities are provided by the ___ package. Here is an example of their use:

A
  • setroubleshoot-server

Example after installing the setroubleshoot-server package:

[root@rhel7 ~]# echo 'File created at /root' > rootfile
[root@rhel7 ~]# mv rootfile /var/www/html/
[root@rhel7 ~]# wget -O - localhost/rootfile

--2014-11-21 13:42:04-- http://localhost/rootfile
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-11-21 13:42:04 ERROR 403: Forbidden.

[root@rhel7 ~]# tail /var/log/messages

Nov 21 13:42:04 rhel7 setroubleshoot: Plugin Exception restorecon
Nov 21 13:42:04 rhel7 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file .
For complete SELinux messages. run sealert -l d51d34f9-91d5-4219-ad1e-5531e61a2dc3
Nov 21 13:42:04 rhel7 python: SELinux is preventing /usr/sbin/httpd from getattr access on the file .
...
Do allow this access for now by executing
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:admin_home_t:s0
Target Objects [file]
Source httpd
Source Path /usr/sbin/httpd

...

28
Q

AppArmor

AppArmor is an LSM ___ to SELinux. Support for it has been incorporated in the Linux kernel since 2006. It has been used by SUSE, Ubuntu and other distributions.

A

alternative

29
Q

AppArmor

AppArmor:

  • Provides Mandatory Access Control (MAC)
  • Allows administrators to associate a security profile to a program which restricts its capabilities
  • Is considered easier (by some but not all) to use than SELinux
  • Is considered filesystem-neutral (no security labels required).

AppArmor supplements the traditional UNIX Discretionary Access Control (DAC) model by providing Mandatory Access Control (MAC).

In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program’s typical behavior.

A
30
Q

AppArmor Checking Status

Distributions that come with AppArmor tend to enable it and load it by default. Note that the Linux kernel has to have it turned on as well, and, in most cases, only one LSM can run at a time.

Assuming you have the AppArmor kernel module available, on a systemd-equipped system what is the command to manage the apparmor service? (starting, stopping, restarting, viewing status)

A

$ sudo systemctl [start|stop|restart|status] apparmor

31
Q

AppArmor Checking Status

What is the command to cause apparmor to be loaded or not loaded at boot?

A

$ sudo systemctl [enable|disable] apparmor

32
Q

AppArmor Checking Status

What is the command to see the current status of the apparmor service?

A

$ sudo apparmor_status

apparmor module is loaded.
25 profiles are loaded.
25 profiles are in enforce mode.
/sbin/dhclient

33
Q

AppArmor Checking status

AppArmor profiles and processes are in either enforce or complain mode, directly analogous to SELinux's enforcing and permissive modes. Note that in the process listing, the PID is given:

$ ps aux | grep libvirtd

root 787 0.0 0.9 527200 35936 ? Ssl 10:54 0:00 /usr/sbin/libvirtd
student 3346 0.0 0.0 13696 2204 pts/16 S+ 11:42 0:00 grep --color=auto libvirtd

A
34
Q

AppArmor

AppArmor is another ___, just like SELinux.

A
  • LSM (Linux Security Module)
35
Q

AppArmor

The AppArmor LSM runs in two modes. What are they?

They are similar to SELinux's Enforcing and Permissive modes.

A
  • Enforce Mode
    • Applications are prevented from acting in ways which are restricted. Attempted violations are reported to the system logging files. This is the default mode. A profile can be set to this mode with aa-enforce.
  • Complain Mode
    • Policies are not enforced, but attempted policy violations are reported. This is also called the learning mode. A profile can be set to this mode with aa-complain.
36
Q

AppArmor Modes and Profiles

Linux distributions come with ___ profiles, typically installed either when a given package is installed, or with an AppArmor package, such as apparmor-profiles. These profiles are stored in ___.

When installing new software, new profiles can be created specific to any executables in the package.

Exactly what AppArmor profiles are installed on your system depends on your selection of software packages. For example, on one particular Ubuntu system:

student@ubuntu:/etc/apparmor.d$ ls
abstractions usr.lib.dovecot.anvil usr.lib.telepathy
apache2.d usr.lib.dovecot.auth usr.sbin.avahi-daemon
bin.ping usr.lib.dovecot.config usr.sbin.cups-brows

Full documentation on what can go in these files can be obtained by doing ___.

A
  • pre-packaged
  • /etc/apparmor.d
  • man apparmor.d
37
Q

AppArmor Utilities

AppArmor has quite a few administrative utilities for monitoring and control.

Note that many of these utilities can be invoked with either their short or long names, e.g. complain or aa-complain.

Name a few of them and what they do (7).

A
  • apparmor_status
    • Show status of all profiles and processes with profiles
  • apparmor_notify
    • Show a summary for AppArmor log messages
  • complain
    • Set a specified profile to complain mode
  • enforce
    • Set a specified profile to enforce mode
  • disable
    • Unload a specified profile from the current kernel and prevent from being loaded on system startup
  • logprof
    • Scan log files, and, if AppArmor events that are not covered by existing profiles have been recorded, suggest how to take into account, and, if approved, modify and reload
  • easyprof
    • Help set up a basic AppArmor profile for a program
38
Q

AppArmor Utilities

Which aa command shows the status of all profiles and of processes with profiles?

A
  • apparmor_status
39
Q

AppArmor Utilities

Which aa command shows a summary of AppArmor log messages?

A
  • apparmor_notify
40
Q

AppArmor Utilities

Which aa command sets a specified profile to complain mode?

Note that many of these utilities can be invoked with either their short or long names; e.g.:

A
  • aa-complain or complain
41
Q

AppArmor Utilities

Which aa command sets a specified profile to enforce mode?

Note that many of these utilities can be invoked with either their short or long names; e.g.:

A
  • aa-enforce or enforce
42
Q

AppArmor Utilities

Which aa command unloads a specified profile from the current kernel and prevents it from being loaded on system startup?

Note that many of these utilities can be invoked with either their short or long names; e.g.:

A
  • aa-disable or disable
43
Q

AppArmor Utilities

Which aa command scans log files and, if AppArmor events that are not covered by existing profiles have been recorded, suggests how to take them into account and, if approved, modifies and reloads the profile?

Note that many of these utilities can be invoked with either their short or long names; e.g.:

A
  • aa-logprof or logprof
44
Q

AppArmor Utilities

Which aa command helps set up a basic AppArmor profile for a program?

Note that many of these utilities can be invoked with either their short or long names; e.g.:

A
  • aa-easyprof or easyprof
45
Q

AppArmor Understanding

AppArmor provides ___ aka MAC functionality to Linux and is used to supplement the traditional ___ aka DAC (file permissions) functionality that the OS provides.

DAC = "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)".

DAC = gives subjects full control of objects they have created or been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data. Standard UNIX and Windows operating systems use DAC for file systems: subjects can grant other subjects access to their files, change their attributes, alter them, or delete them.

DAC = is based on Access Control Lists (ACLs). The ACL lists which users have access to an object and what they can do with the object. The ACL will list users and permissions. You can give permissions or specifically deny permissions.

MAC = systems use a more distributed administrative architecture. In a MAC model, access is determined by the object owner. So, if you are the owner of an object, you have full control in determining who else can access that object.

A
  • Mandatory Access Control
  • Discretionary Access Control
46
Q

AppArmor Understanding

AppArmor will monitor ___ that match an AppArmor ___ and decide if a specific ___ is permitted or denied by the policy of the profile that was set up.

A
  • processes
  • profile
  • action