Friday, December 08, 2006

SE Linux on Debian in 5 minutes

Following from my 5 minute OSDC talk yesterday on 5 security improvements needed in Linux distributions I gave a 5 minute talk on installing SE Linux on Debian etch. To display the notes I formatted them such that they were in 24 line pages and used less at a virtual console to display them. The ultra-light laptop I was using has only 64M of RAM which isn't enough for a modern X environment and I couldn't be bothered getting something like Familiar going on it.

After the base install, install the policy and the selinux-basics package:

# apt-get install selinux-basics selinux-policy-refpolicy-targeted
The following extra packages will be installed:
checkpolicy libsemanage1 mime-support policycoreutils python python-minimal
python-selinux python-semanage python-support python2.4 python2.4-minimal
selinux-utils
Suggested packages:
python-doc python-tk python-profiler python2.4-doc logcheck syslog-summary
The following NEW packages will be installed:
checkpolicy libsemanage1 mime-support policycoreutils python python-minimal
python-selinux python-semanage python-support python2.4 python2.4-minimal
selinux-basics selinux-policy-refpolicy-targeted selinux-utils
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 6362kB of archives.
After unpacking 41.5MB of additional disk space will be used.
Do you want to continue [Y/n]?

The package install process also configures the policy for the machine. The next step is to label the filesystems; this took 26 seconds on my Celeron 500MHz laptop with 20,000 files on an old IDE disk. The time is in proportion to the number of files and is often bottlenecked on CPU. A more common install might have 5* as many files with a 5* faster CPU, so 30 seconds is probably typical for labelling. See the following:

# fixfiles relabel

Files in the /tmp directory may be labeled incorrectly, this command
can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.

Do you wish to clean out the /tmp directory [N]? y
Cleaning out /tmp
/sbin/setfiles: labeling files under /
matchpathcon_filespec_eval: hash table stats: 14599 elements, 14245/65536 buckets used, longest chain length 2
/sbin/setfiles: labeling files under /boot
matchpathcon_filespec_eval: hash table stats: 19 elements, 19/65536 buckets used, longest chain length 1
/sbin/setfiles: Done.

The next step is to edit /boot/grub/menu.lst to enable SE Linux and auditing, and to put it in enforcing mode:

title   Debian GNU/Linux, kernel 2.6.17-2-686
root (hd0,1)
kernel /vmlinuz-2.6.17-2-686 root=/dev/x selinux=1 audit=1 ro enforcing=1
initrd /initrd.img-2.6.17-2-686

Then reboot.

After rebooting, view the context of your shell; note that the login shell will have the domain unconfined_t when the targeted policy is used:

# id -Z
system_u:system_r:unconfined_t

Now let's view all processes that are confined:

# ps axZ |grep -v unconfined_t|grep -v kernel_t|grep -v initrc_t
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:init_t 1 ? Ss 0:02 init [2]
system_u:system_r:udev_t 1999 ? S.s 0:01 udevd --daemon
system_u:system_r:syslogd_t 3306 ? Ss 0:00 /sbin/syslogd
system_u:system_r:klogd_t 3312 ? Ss 0:00 /sbin/klogd -x
system_u:system_r:apmd_t 3372 ? Ss 0:00 /usr/sbin/acpid -c /etc
system_u:system_r:gpm_t 3376 ? Ss 0:00 /usr/sbin/gpm -m /dev/i
system_u:system_r:crond_t 3402 ? Ss 0:00 /usr/sbin/cron
system_u:system_r:local_login_t 3423 tty1 Ss 0:00 /bin/login --
system_u:system_r:local_login_t 3424 tty2 Ss 0:00 /bin/login --
system_u:system_r:getty_t 3425 tty3 Ss+ 0:00 /sbin/getty 38400 tty3
system_u:system_r:getty_t 3426 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
system_u:system_r:getty_t 3429 tty5 Ss+ 0:00 /sbin/getty 38400 tty5
system_u:system_r:getty_t 3430 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
system_u:system_r:dhcpc_t 3672 ? S.s 0:00 dhclient3 -pf /var/run/
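The grep pipeline above is what I typed at the console; the following is an added example (not from the original post) that turns the same idea into a few shell functions: one counts processes per confined domain, one looks up the domain of a single PID, and one lists daemons that are still running in unconfined_t or initrc_t, which is exactly the set that needs a policy module loaded and a relabel. The column layout assumed is the one "ps axZ" prints above (LABEL PID TTY STAT TIME COMMAND); the sample input is constructed, mostly from the listing above, with a kernel_t, an initrc_t and a tty shell line made up to exercise the filtering.

```shell
#!/bin/sh
# Added example, not part of the original post: the "ps axZ | grep -v ..." pipeline
# as small functions that summarise which domains processes run in and list the
# daemons that policy has NOT yet confined. Assumes the "ps axZ" column layout
# shown on the page: LABEL PID TTY STAT TIME COMMAND.

# Constructed sample in that layout. Most lines come from the post's listing; the
# kernel_t, initrc_t and tty1 shell lines are made up. The apache2 line in initrc_t
# is how Apache looks if started before its module is loaded and files relabelled.
SAMPLE_PS='LABEL PID TTY STAT TIME COMMAND
system_u:system_r:init_t 1 ? Ss 0:02 init [2]
system_u:system_r:kernel_t 2 ? S< 0:00 [ksoftirqd/0]
system_u:system_r:udev_t 1999 ? S<s 0:01 udevd --daemon
system_u:system_r:syslogd_t 3306 ? Ss 0:00 /sbin/syslogd
system_u:system_r:getty_t 3425 tty3 Ss+ 0:00 /sbin/getty 38400 tty3
system_u:system_r:getty_t 3426 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
system_u:system_r:initrc_t 3500 ? Ss 0:00 /usr/sbin/apache2 -k start
system_u:system_r:unconfined_t 3600 tty1 S 0:00 -bash
system_u:system_r:httpd_t 3833 ? Ss 0:00 /usr/sbin/apache2 -k start
system_u:system_r:httpd_t 3834 ? S 0:00 /usr/sbin/apache2 -k start
system_u:system_r:named_t 3917 ? Ssl 0:00 /usr/sbin/named -u bind'

# Domain (the type part of user:role:type) of the process with PID $1.
# Reads ps output on stdin; prints nothing if the PID is not listed.
domain_of_pid() {
    awk -v pid="$1" 'NR > 1 && $2 == pid { split($1, ctx, ":"); print ctx[3] }'
}

# One "count domain" line per confined domain, skipping the header and the three
# domains the post filters out (unconfined_t, kernel_t, initrc_t). Stdin as above.
confined_domain_counts() {
    awk 'NR > 1 {
            split($1, ctx, ":")
            t = ctx[3]
            if (t == "unconfined_t" || t == "kernel_t" || t == "initrc_t") next
            count[t]++
         }
         END { for (t in count) print count[t], t }' | sort -k2
}

# Daemons (no controlling tty) still in unconfined_t or initrc_t: the processes
# that need a policy module and a relabel, as the post does for Apache and BIND.
# Prints "PID domain command".
unconfined_daemons() {
    awk 'NR > 1 && $3 == "?" {
            split($1, ctx, ":")
            if (ctx[3] == "unconfined_t" || ctx[3] == "initrc_t") print $2, ctx[3], $6
         }'
}

# Stand-alone demonstration on the constructed sample; on a live system feed
# the functions with "ps axZ" instead of the printf.
printf '%s\n' "$SAMPLE_PS" | confined_domain_counts
printf '%s\n' "$SAMPLE_PS" | unconfined_daemons
```

On the sample, unconfined_daemons reports only the initrc_t apache2 process (PID 3500): the bash shell on tty1 is unconfined_t too, but it has a controlling tty, so it is a login shell and not a daemon.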

The initial install of the policy inserts modules matching the installed software; if you install new software you need to add the corresponding modules with the semodule command:

# semodule -i /usr/share/selinux/refpolicy-targeted/apache.pp
security: 3 users, 7 roles, 824 types, 67 bools
security: 58 classes, 11813 rules
audit(1165532434.664:21): policy loaded auid=4294967295
# semodule -i /usr/share/selinux/refpolicy-targeted/bind.pp
security: 3 users, 7 roles, 836 types, 68 bools
security: 58 classes, 12240 rules
audit(1165532467.874:22): policy loaded auid=4294967295

Note that the security and audit messages come from the kernel via printk; they are displayed on a console login, but you need to view the system log if logged in via ssh or running an xterm. Now you have to relabel the files related to the new policy:

# restorecon -R -v /etc /usr/sbin /var/run /var/log
restorecon reset /etc/bind context system_u:object_r:etc_t->system_u:object_r:named_zone_t
restorecon reset /etc/bind/named.conf context system_u:object_r:etc_t->system_u:object_r:named_conf_t
[...]
restorecon reset /etc/apache2 context system_u:object_r:etc_t->system_u:object_r:httpd_config_t
restorecon reset /etc/apache2/httpd.conf context system_u:object_r:etc_runtime_t->system_u:object_r:httpd_config_t
[...]
restorecon reset /usr/sbin/named context system_u:object_r:sbin_t->system_u:object_r:named_exec_t
restorecon reset /usr/sbin/apache2 context system_u:object_r:sbin_t->system_u:object_r:httpd_exec_t
restorecon reset /usr/sbin/rndc context system_u:object_r:sbin_t->system_u:object_r:ndc_exec_t
restorecon reset /usr/sbin/named-checkconf context system_u:object_r:sbin_t->system_u:object_r:named_checkconf_exec_t
[...]
restorecon reset /var/run/bind context system_u:object_r:var_run_t->system_u:object_r:named_var_run_t
restorecon reset /var/run/bind/run context system_u:object_r:var_run_t->system_u:object_r:named_var_run_t
restorecon reset /var/run/bind/run/named.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:named_var_run_t
restorecon reset /var/run/motd context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /var/run/apache2 context system_u:object_r:var_run_t->system_u:object_r:httpd_var_run_t
restorecon reset /var/run/apache2/cgisock.3558 context system_u:object_r:var_run_t->system_u:object_r:httpd_var_run_t
restorecon reset /var/run/apache2.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:httpd_var_run_t
restorecon reset /var/log/apache2 context system_u:object_r:var_log_t->system_u:object_r:httpd_log_t
restorecon reset /var/log/apache2/error.log context system_u:object_r:var_log_t->system_u:object_r:httpd_log_t
restorecon reset /var/log/apache2/access.log context system_u:object_r:var_log_t->system_u:object_r:httpd_log_t

The -v option to restorecon makes it give verbose output about its operations. Often you won't use it in real use, but it's good for illustrating what it does.
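That verbose output is also useful to review before committing to a relabel. The following is an added example (not from the original post) with two shell functions that digest "restorecon -R -v" lines in the format shown above: one prints how many files went through each old-type to new-type transition, the other lists the paths that ended up in a given type. The sample input is constructed from the lines above, with access.log included so one transition occurs twice; the functions assume the "restorecon reset PATH context OLD->NEW" line format and do not handle paths containing spaces.

```shell
#!/bin/sh
# Added example, not part of the original post: functions that summarise the
# verbose output of "restorecon -R -v" so a relabel can be reviewed. Assumes
# the line format shown on the page:
#   restorecon reset PATH context OLDCTX->NEWCTX
# Paths containing spaces are not handled.

# Constructed sample; lines copied from the post's restorecon output, plus
# access.log so that the var_log_t -> httpd_log_t transition occurs twice.
SAMPLE_RESTORECON='restorecon reset /etc/bind context system_u:object_r:etc_t->system_u:object_r:named_zone_t
restorecon reset /etc/bind/named.conf context system_u:object_r:etc_t->system_u:object_r:named_conf_t
restorecon reset /usr/sbin/named context system_u:object_r:sbin_t->system_u:object_r:named_exec_t
restorecon reset /usr/sbin/apache2 context system_u:object_r:sbin_t->system_u:object_r:httpd_exec_t
restorecon reset /var/run/bind/run/named.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:named_var_run_t
restorecon reset /var/run/motd context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /var/run/apache2.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:httpd_var_run_t
restorecon reset /var/log/apache2/error.log context system_u:object_r:var_log_t->system_u:object_r:httpd_log_t
restorecon reset /var/log/apache2/access.log context system_u:object_r:var_log_t->system_u:object_r:httpd_log_t'

# One "OLD_TYPE -> NEW_TYPE count" line per kind of transition, sorted.
# Reads restorecon -v output on stdin.
relabel_summary() {
    awk '$1 == "restorecon" && $2 == "reset" && $4 == "context" {
            split($5, pair, "->")
            split(pair[1], o, ":"); split(pair[2], n, ":")
            count[o[3] " -> " n[3]]++
         }
         END { for (k in count) print k, count[k] }' | sort
}

# Paths whose new type is $1, e.g. everything that now carries httpd_exec_t.
# Useful for checking that a daemon's binary, config and logs all got the
# types its module expects before restarting it.
paths_with_new_type() {
    awk -v want="$1" '$2 == "reset" && $4 == "context" {
            split($5, pair, "->"); split(pair[2], n, ":")
            if (n[3] == want) print $3
         }'
}

# Stand-alone demonstration on the sample. On a real system a dry run such as
#   restorecon -R -n -v /etc /usr/sbin /var/run /var/log | relabel_summary
# shows what a relabel would change without changing anything (-n).
printf '%s\n' "$SAMPLE_RESTORECON" | relabel_summary
```

Two things worth looking at in the summary: the transitions into daemon-specific types confirm the new modules' file contexts are being applied, and anything that lands back in a generic type (here /var/run/motd going to plain var_run_t) is simply a file that had a leftover initrc_var_run_t label and is unrelated to the new daemons.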

Now you have to restart the daemons:

# killall -9 apache2
# /etc/init.d/apache2 start
Starting web server (apache2)....
# /etc/init.d/bind9 restart
Stopping domain name service...: bind.
Starting domain name service...: bind.

Apache and BIND now run in confined domains, see the following ps output:

system_u:system_r:httpd_t 3833 ? Ss 0:00 /usr/sbin/apache2 -k start
system_u:system_r:httpd_t 3834 ? S 0:00 /usr/sbin/apache2 -k start
system_u:system_r:httpd_t 3839 ? Sl 0:00 /usr/sbin/apache2 -k start
system_u:system_r:httpd_t 3841 ? Sl 0:00 /usr/sbin/apache2 -k start
system_u:system_r:named_t 3917 ? Ssl 0:00 /usr/sbin/named -u bind

It's not particularly difficult. I covered the actual install of SE Linux in about 1.5 minutes. I had considered just ending my talk there on a note of "it's so easy I don't need 5 minutes to talk about it" but decided that it was best to cover something that you need to do once it's installed.

If you want to know more about SE Linux then ask on the mailing list (see http://www.nsa.gov/selinux for subscription details), or ask on #selinux on freenode.

8 comments:

Np237 said...

Explained this way, activating SELinux doesn't seem to take much time... when you already know what this is all about.

All of this could gain of some automation, with a script that would do all of this for you. Ideally, of course, it could be done by just installing a metapackage.

etbe said...

Yes, we are moving in that direction.

Np237 said...

Great!

Anonymous said...

It is totally unacceptable that people are still talking about this NSA backdoor as if it was a serious security application. We all have been warned - remember the LOGIN-backdoor!!!

This is one of the most not talked about issues in the free software scene.

people, are you dumb? It is NSA, not Santa!

If you want to be secure, use OPENBSD.

etbe said...

The source code in Debian is available for everyone, anyone who thinks that there is a back-door is free to audit the code and try and find it. The code has been reviewed by many people.

Brian Sniffen said...

This looks fantastic---but I'm nervous about running it on a machine where I have to pay for physical access. Am I likely to hurt myself or lock myself out of SSHd this way?

Anonymous said...

doesn't work here on Debian sid.

fixfiles relabel stops after cleaning out /tmp.

spent three days reading arcana and trying many, many different approaches, but IMHO SELinux is worthless for a real, operating machine.

Back to BSD...

etbe said...

anon: Pity you didn't bother to ask on IRC or contact me via email. I can't imagine how you managed to spend three days without taking such basic actions.

I'm sure that if you take the same approach to BSD (try the development stuff, not ask questions, and give up when something doesn't work) then you'll be looking for a new OS again soon.