SELinux Frequently Asked Questions (FAQ)

Hi all! Especially for students of the "Linux Security" course, we have prepared a translation of the official FAQ of the SELinux project. It seems to us that this translation can be useful not only to students, so we are sharing it with you.

We have tried to answer some of the most frequently asked questions about the SELinux project. The questions are currently divided into two main categories. All questions and answers are given on the FAQ page.

Overview

  1. What is Security-Enhanced Linux?
    Security-enhanced Linux (SELinux) is the reference implementation of the Flask security architecture for flexible mandatory access control. It was created to demonstrate the value of flexible mandatory access control mechanisms and how such mechanisms can be added to an operating system. The Flask architecture has since been integrated into Linux and ported to several other systems, including the Solaris operating system, the FreeBSD operating system, and the Darwin kernel, giving rise to a wide range of related work. The Flask architecture provides general support for enforcing many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-Based Access Control, and Multi-Level Security.
  2. What does security-enhanced Linux provide that standard Linux can't?
    The security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum set of privileges they require to do their jobs. With this confinement, the ability of these user programs and system daemons to cause harm when compromised (for example, through a buffer overflow or misconfiguration) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" superuser and does not share the well-known shortcomings of the traditional Linux security mechanisms (e.g., the dependence on setuid/setgid binaries).
    The security of an unmodified Linux system depends on the correctness of the kernel, all privileged applications, and each of their configurations. A problem in any of these areas can compromise the entire system. In contrast, the security of a modified system based on the security-enhanced Linux kernel depends primarily on the correctness of the kernel and the configuration of its security policy. While problems with application correctness or configuration may allow limited compromise of individual user programs and system daemons, they do not pose a security risk to other user programs and system daemons or to the security of the system as a whole.
  3. What is it good for?
    The new security-enhanced Linux features are designed to provide separation of information based on confidentiality and integrity requirements. They are designed to prevent processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrusted programs, or interfering with other processes in violation of the system security policy. They also help limit the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling users with different security authorizations to use a single system to access different kinds of information with different security requirements without compromising those requirements.
  4. How can I get a copy?
    Many Linux distributions include support for SELinux already built in as a default feature or as an optional package. The core SELinux userland code is available on GitHub. End users should generally use the packages provided by their distribution.
  5. What is included in your release?
    The NSA release of SELinux includes the core SELinux userland code. Support for SELinux is already included in the mainline Linux 2.6 kernel, available from kernel.org. The core SELinux userland code consists of a library for binary policy manipulation (libsepol), a policy compiler (checkpolicy), a library for security-aware applications (libselinux), a library for policy management tools (libsemanage), and several policy-related utilities (policycoreutils).
    In addition to the SELinux-enabled kernel and the core userland code, you will need a policy and some SELinux-patched userspace packages to use SELinux. The policy can be obtained from the SELinux reference policy project.
  6. Can I install SELinux on an existing Linux system?
    Yes, you can install only the SELinux modifications on an existing Linux system, or you can install a Linux distribution that already includes SELinux support. SELinux consists of a Linux kernel with SELinux support, a core set of libraries and utilities, some modified user packages, and a policy configuration. To install it on an existing Linux system that lacks SELinux support, you must be able to compile the software and must also have the other required system packages. If your Linux distribution already includes SELinux support, you do not need to build or install the NSA release of SELinux.
  7. How compatible is security-enhanced Linux with unmodified Linux?
    Security-enhanced Linux provides binary compatibility with existing Linux applications and with existing Linux kernel modules, but some kernel modules may require modification to interact properly with SELinux. These two compatibility categories are discussed in detail below:

    • Application compatibility
      SELinux provides binary compatibility with existing applications. We have extended the kernel data structures to include new security attributes and added new API calls for security applications. However, we have not changed any application-visible data structures, nor have we changed the interface of any existing system calls, so existing applications can still run as long as the security policy allows them to.
    • Kernel module compatibility
      Originally, SELinux provided only source compatibility with existing kernel modules; such modules had to be recompiled against the modified kernel headers to pick up the new security fields added to the kernel data structures. Because LSM and SELinux are now integrated into the mainline Linux 2.6 kernel, SELinux now provides binary compatibility with existing kernel modules. However, some kernel modules may not interact properly with SELinux without modification. For example, if a kernel module directly allocates and sets up a kernel object without using the normal initialization functions, the kernel object may not have the proper security information. Some kernel modules may also lack proper security controls for their operations; any existing calls to the capability or permission-check functions will also trigger SELinux permission checks, but more fine-grained or additional controls may be required to enforce MAC policies.
      Security-enhanced Linux should not create interoperability problems with regular Linux systems if all necessary operations are allowed by the security policy configuration.
  8. What is the purpose of the security policy configuration example?
    At a high level, the goal is to demonstrate the flexibility and security of mandatory access controls and to provide a simple working system with minimal changes to applications. At a lower level, the policy has a set of goals that are described in the policy documentation. These goals include controlling raw access to data; protecting the integrity of the kernel, system software, system configuration information, and system logs; limiting the potential damage that could be caused by exploiting a vulnerability in a process that requires privileges; protecting privileged processes from executing malicious code; protecting the administrator role and domain from being entered without user authentication; preventing normal user processes from interfering with system or administrator processes; and protecting users and administrators from the exploitation of vulnerabilities in their browsers by malicious mobile code.
  9. Why was Linux chosen as the base platform?
    Linux was chosen as the platform for the initial reference implementation of this work due to its growing success and open development environment. Linux provides an excellent opportunity to demonstrate that this functionality can be successful on a host operating system and, at the same time, contribute to the security of a widely used system. The Linux platform also provides an excellent opportunity for this work to get the widest possible view and perhaps serve as a basis for additional security research by other enthusiasts.
  10. Why did you do this work?
    The National Security Agency's National Information Assurance Research Laboratory is responsible for research and advanced technology development that enable the NSA to provide information security solutions, products, and services to information infrastructures critical to U.S. national security interests.
    Creating a viable secure operating system remains a major research challenge. Our goal is to create an efficient architecture that provides the necessary support for security, runs programs largely transparently to the user, and is attractive to vendors. We believe that an important step toward this goal is to demonstrate how mandatory access control mechanisms can be successfully integrated into a mainstream operating system.
  11. How does this relate to previous OS NSA research?
    Researchers at the NSA's National Information Assurance Research Laboratory partnered with the Secure Computing Corporation (SCC) to develop a strong and flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototype architectures: DTMach and DTOS (http://www.cs.utah.edu/flux/dtos/). The NSA and SCC then worked with the Flux Research Group at the University of Utah to port the architecture to the Fluke research operating system. During this port, the architecture was refined to provide better support for dynamic security policies. This improved architecture was named Flask (http://www.cs.utah.edu/flux/flask/). The NSA has now integrated the Flask architecture into the Linux operating system to bring the technology to the wider developer and user community.
  12. Is security-enhanced Linux a trusted operating system?
    The phrase "trusted operating system" generally refers to an operating system that provides sufficient support for multilevel security and evaluation to meet a specific set of government requirements. Security-enhanced Linux incorporates useful insights from these systems but focuses on mandatory access control. The original goal of developing security-enhanced Linux was to create useful functionality that provides tangible security benefits in a wide range of real-world environments in order to demonstrate this technology. SELinux is not itself a trusted operating system, but it does provide a critical security feature, mandatory access control, that is necessary for a trusted operating system. SELinux has been integrated into Linux distributions that have been evaluated against the Labeled Security Protection Profile. Information about evaluated and in-evaluation products can be found at http://niap-ccevs.org/.
  13. Is it really secure?
    The concept of a secure system includes many attributes (for example, physical security, personnel security, etc.), and security-enhanced Linux addresses only a very narrow set of these attributes (that is, the operating system's mandatory access controls). In other words, a "secure system" means one secure enough to protect some real-world information from a real-world adversary that the owner and/or user of the information has been warned about. Security-enhanced Linux is only intended to demonstrate the required controls in a modern operating system like Linux, and so on its own is unlikely to satisfy any interesting definition of a secure system. We believe that the technology demonstrated in security-enhanced Linux will be useful to people who build secure systems.
  14. What have you done to improve assurance?
    The goal of this project was to add mandatory access controls with minimal changes to Linux. This latter goal severely limits what can be done to improve assurance, so no work has been done to improve the assurance of Linux. On the other hand, the improvements build on previous work on designing a high-assurance security architecture, and most of these design principles have been carried over to security-enhanced Linux.
  15. Will CCEVS evaluate security-enhanced Linux?
    By itself, security-enhanced Linux is not designed to address the full set of security problems represented by a protection profile. While it would be possible to evaluate only its current functionality, we believe that such an evaluation would be of limited value. However, we have worked with others to include this technology in Linux distributions that have been evaluated and distributions that are under evaluation. Information about evaluated and in-evaluation products can be found at http://niap-ccevs.org/.
  16. Have you tried to fix any vulnerabilities?
    No, we did not look for or find any vulnerabilities in the course of our work. We contributed only the bare minimum of changes needed to add our new mechanisms.
  17. Is this system approved for government use?
    Security-enhanced Linux has no special or additional approval for government use over any other version of Linux.
  18. How is this different from other initiatives?
    Security-enhanced Linux has a well-defined architecture for flexible mandatory access control that has been experimentally validated with several prototype systems (DTMach, DTOS, Flask). Detailed studies of the architecture's ability to support a wide range of security policies have been performed and are available at http://www.cs.utah.edu/flux/dtos/ and http://www.cs.utah.edu/flux/flask/.
    The architecture provides fine-grained control over many kernel abstractions and services that are not controlled by other systems. Some of the distinguishing characteristics of a security-enhanced Linux system are:

    • Clean separation of policy from enforcement
    • Well-defined policy interfaces
    • Independence from specific policies and policy languages
    • Independence from specific security label formats and contents
    • Separate labels and controls for kernel objects and services
    • Caching of access decisions for efficiency
    • Support for policy changes
    • Control over process initialization, inheritance, and program execution
    • Control over file systems, directories, files, and open file descriptions
    • Control over sockets, messages, and network interfaces
    • Control over the use of capabilities
  19. What are the licensing restrictions for this system?
    All source code found on the https://www.nsa.gov site is distributed under the same terms as the original source code. For example, the patches for the Linux kernel and the patches for many of the existing utilities available there are released under the terms of the GNU General Public License (GPL).
  20. Are there export controls?
    There are no additional export controls on security-enhanced Linux compared to any other version of Linux.
  21. Does the NSA plan to use it domestically?
    For obvious reasons, the NSA does not comment on operational use.
  22. Does the July 26, 2002 Statement of Warranties from the Secure Computing Corporation change the NSA's position that SELinux was made available under the GNU General Public License?
    The NSA's position has not changed. The NSA still believes that the terms and conditions of the GNU General Public License govern the use, copying, distribution, and modification of SELinux. See the NSA press release of January 2, 2001.
  23. Does the NSA support open source software?
    The NSA's software security initiatives span both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. The NSA's work to improve software security is motivated by one simple consideration: to make the most of our resources to provide NSA customers with the best possible security options in their most widely used products. The goal of the NSA's research program is to develop technological advances that can be shared with the software development community through a variety of transfer mechanisms. The NSA does not endorse or promote any particular software product or business model. Rather, the NSA promotes security.
  24. Does the NSA support Linux?
    As noted above, the NSA does not endorse or promote any particular software product or platform; the NSA only contributes to increased security. The Flask architecture demonstrated in the SELinux reference implementation has been ported to several other operating systems, including Solaris, FreeBSD, and Darwin, ported to the Xen hypervisor, and applied to applications such as the X Window System, GConf, D-BUS, and PostgreSQL. The Flask architecture concepts are broadly applicable to a wide range of systems and environments.
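To make concrete the type-enforcement model that questions 2 and 18 describe (policy kept apart from enforcement, default deny with no special status for root, cached access decisions, and controlled domain transitions on program execution), here is a small Python simulation added for this translation. It is not code from the SELinux project or the kernel; the rules, the type names such as httpd_t and httpd_content_t, and the in-memory AVC are constructed for illustration.

```python
# Simplified model of SELinux type enforcement (TE) with an access vector cache (AVC).
# Illustration added to this translation; it is not code from the SELinux project.
from typing import Dict, FrozenSet, Set, Tuple

def type_of(context: str) -> str:
    """Third field of a "user:role:type" security context: the type (domain for a process)."""
    return context.split(":")[2]

class Policy:  # the policy is plain data, kept apart from the enforcement code
    def __init__(self) -> None:
        self.allow: Dict[Tuple[str, str, str], Set[str]] = {}  # (src, tgt, class) -> perms
        self.transition: Dict[Tuple[str, str], str] = {}  # (domain, exec type) -> new domain

    def allow_rule(self, src: str, tgt: str, cls: str, *perms: str) -> None:
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

class SecurityServer:  # computes access decisions; the AVC caches them
    def __init__(self, policy: Policy) -> None:
        self.policy, self.avc, self.lookups = policy, {}, 0

    def compute_av(self, src: str, tgt: str, cls: str) -> FrozenSet[str]:
        key = (src, tgt, cls)
        if key not in self.avc:  # cache miss: consult the policy once for this triple
            self.lookups += 1
            self.avc[key] = frozenset(self.policy.allow.get(key, ()))
        return self.avc[key]

    def check(self, subj: str, obj: str, cls: str, perm: str) -> bool:
        # Default deny; uid 0 and DAC file ownership play no part in this decision.
        return perm in self.compute_av(type_of(subj), type_of(obj), cls)

    def execve(self, subj: str, exe: str) -> str:
        """Domain transition on exec: needs execute permission plus a transition rule."""
        if not self.check(subj, exe, "file", "execute"):
            raise PermissionError(f"{type_of(subj)} may not execute {type_of(exe)}")
        new = self.policy.transition.get((type_of(subj), type_of(exe)), type_of(subj))
        return subj.rsplit(":", 1)[0] + ":" + new  # keep user and role, switch the domain

def demo() -> dict:
    """Constructed toy policy: a web server domain confined to its own content type."""
    p = Policy()
    p.allow_rule("init_t", "httpd_exec_t", "file", "execute")
    p.transition[("init_t", "httpd_exec_t")] = "httpd_t"
    p.allow_rule("httpd_t", "httpd_content_t", "file", "read")
    ss = SecurityServer(p)
    httpd = ss.execve("system_u:system_r:init_t", "system_u:object_r:httpd_exec_t")
    content, shadow = "system_u:object_r:httpd_content_t", "system_u:object_r:shadow_t"
    read_twice = [ss.check(httpd, content, "file", "read") for _ in range(2)]  # 2nd from AVC
    return {
        "domain": type_of(httpd),
        "read_content": all(read_twice),
        "write_content": ss.check(httpd, content, "file", "write"),
        "read_shadow": ss.check(httpd, shadow, "file", "read"),  # denied even for uid 0
        "policy_lookups": ss.lookups,  # 3 distinct triples consulted for 5 checks
    }
```

The real kernel also requires a process:transition permission and honours many more object classes; the point here is that the decision depends only on the labels and the policy, never on the caller's uid.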

Cooperation

  1. How do we plan to interact with the Linux community?
    We have a set of web pages at NSA.gov that serve as our main way of publishing security-enhanced Linux information. If you are interested in security-enhanced Linux, we encourage you to join the developer mailing list, review the source code, and provide your feedback (or code). To join the developer mailing list, see the SELinux developers mailing list page.
  2. Who can help?
    SELinux is now maintained and improved by the open source Linux software community.
  3. Does the NSA fund any follow-up work?
    The NSA is not currently considering proposals for further work.
  4. What type of support is available?
    We intend to resolve issues through the [email protected] mailing list, but we will not be able to answer all site-specific questions.
  5. Who helped? What did they do?
    The security-enhanced Linux prototype was developed by the NSA with research partners from NAI Labs, Secure Computing Corporation (SCC), and the MITRE Corporation. Many more contributions followed the initial public release. See the list of contributors.
  6. How can I find out more?
    We encourage you to visit our web pages, read the documentation and past research papers, and participate in our mailing list, [email protected].

Do you find the translation helpful? Write comments!

Source: habr.com
