Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Hardened
SELinux support principles discussion
swift at gentoo
Jul 15, 2014, 11:02 AM
Post #1 of 3 (1694 views)
Permalink
Hi guys

As I'm preparing for my yearly vacation, I would like to initiate a quick
poll (or discussion) regarding a principle that I'd like to finish up with.

As some of you are aware, I'm a big proponent for principles in development.
For SELinux, a high-level principle document is available at
https://wiki.gentoo.org/wiki/Project:SELinux/Development_policy but after my
holidays I want to document this further. Whenever a decision needs to be
made with respect to SELinux policies, I try to use the principles
documented there to make the choice.

But I'm not going to ask right now for rewrites on the documentation, but to
focus on some decisions that we should do right now in order to give our
policy a good "general direction" sense.

I hope to get some good feedback on this, so that after my holidays I can
jump into the proper changes (together with perfinion and other developers),
as we have a lot of work to work through this year ;-)

Role segregation
================

Right now, our policy only provides a limited set of roles: sysadm_r (for
system administration tasks), staff_r and user_r (for regular user
activities, where staff_r is the only one allowed to switch to other roles
as well). And of course "unconfined_r" for only very lightly-restricted
domains.

Which roles to make available?
------------------------------

Do we want to include more roles in our policy? "Popular" roles are:

auditadm_r :: Audit administration
Used for a highly privileged, but generally read-only
administration role. Meant not just to "manage audit logs", but
instead to grant to IT Auditors that want to take a look on the
system without granting them any change privileges (except for
managing the audit logs apparently).

This one is available through refpolicy

logadm_r :: Log administration
Used for managing system logging.

This one is available through refpolicy

secadm_r :: Security administration
Used for managing the SELinux policy. If used, the question
that follows is if sysadm_r should still be allowed to manage
the SELinux policy as well (if not, this will be a challenge to
implement, but not impossible)

This one is available through refpolicy

dbadm_r :: Database administration
Used for database administrators

This one is not available through refpolicy

webadm_r :: Web (Application/Server) administration
Used for web administrators (Apache, nginx, Tomcat, ...)

This one is not available through refpolicy

guest_r :: More restricted role than user_r
Used to grant a minimum set of privileges, requiring the
(security) administrator to grant specific application
privileges. If used, then we would grant most/all application
privileges to the staff_r and user_r as "counter-example" role

This one is not available through refpolicy

xguest_r :: Like guest_r, but with X11 support
Used for implementations such as Kiosk mode, requiring the
(security) administrator to grant specific application
privileges.

This one is not available through refpolicy

My opinion: I don't mind to support them all (i.e. document the use and the
principles behind them and making these roles available through the base
policy). I have most of them (except logadm_r) running on all my production
systems anyway so I might as well support them through Gentoo Linux.

Differentiation between staff_r and user_r?
-------------------------------------------

The staff_r is meant as the "unprivileged" role for the administrator,
whereas user_r is meant for the "unprivileged" role for users with no
specific role(s) assigned otherwise. This would mean that staff_r == user_r,
but with newrole_t (and other role switching domains) support.

Depending on the outcome of the previous question, there are two approaches
to take between staff_r and user_r:

1. Have staff_r and user_r remain "in sync" with just the newrole_t
difference, or
2. Only support "less risky" domains in staff_r and reduce user domain
privileges

The idea behind option (2.) is that many users will have their daily tasks
run as staff_r, and perhaps enable password-less role switching. If application
vulnerabilities would result in account hijacking on staff_r, then these
might jeopardise the system.

To counter-act this, we could only grant well restricted application domains
to staff_r (those that are needed for administrators to do their
"unprivileged" jobs), such as running browsers and so, but not to (just to
name something) run rtorrent (personally, I wouldn't like my admins to run
rtorrent through their administrative account, even in an unprivileged
role).

The problem with (2.) however is to decide what to allow on staff_r and what
not. Something to think about.

Init script support
===================

Transparent full system administration?
---------------------------------------

Do we want the sysadm_r role (by default assigned to system administrators)
to be able to run all possible init scripts on the system (/etc/init.d/*)
without requiring the user to prepend the commands with "run_init"?

So not this: ~# run_init rc-service nfs start
But this: ~# rc-service nfs start

If so, then we can either make sure that sysadm_t is always allowed to do
this policy-wise (which might be as simple as enabling the DIRECT_INITRC
option in the build), or through the integrated run_init support of OpenRC.

The base premise however is to set this as a principle, so that we know what
to aim for (and let us decide on the "how").

Advantages: works out-of-the-box, "system administration role" is a somewhat
fully privileged role which is what many users expect.

Disadvantages: no strict role separation (users who want more role
separation will need to create their own roles)


sysadm_r for System operational administration only?
----------------------------------------------------

If not then perhaps we want to allow sysadm_r to manage true system
operational services (those needed to boot the system) but not those that
are "hosted on" the system. So the NFS service might not be assigned to the
sysadm_r role by default (okay, this is debatable - take tor then as an
example), whereas sysctl is.

Users that want to extend the privileges of sysadm_r will always be allowed
to, but this does mean that "run_init" would not be allowed anymore for the
sysadm_r role (as run_init in its current form allows the user to invoke any
service).

If this is selected, then we'll improve our documentation to inform users
how to assign additional privileges to the sysadm_r role (for those that
want to manage their system fully) while staying quite strict in the default
policy.

Advantages: minimal privileges, users tweak the system further to the extend
they want

Disadvantages: new users will notice things don't work out-of-the-box

Follow the Gentoo-is-about-choice paradigm and support both through USE?
------------------------------------------------------------------------

We can implement a situation where we focus on the strict implementation,
but where users can build the policy differently using a USE flag that
enables the other support as well. I don't think we can do it with a SELinux
boolean (due to limitations of what can be within a conditional statement)
though.

Advantages: best of both worlds

Disadvantages: implementation possibilities are reduced (but hey, what do
you care, right?)
Re: SELinux support principles discussion [ In reply to ]
jason at perfinion
Jul 20, 2014, 5:28 AM
Post #2 of 3 (1652 views)
Permalink
On Tue, Jul 15, 2014 at 06:02:32PM +0000, Sven Vermeulen wrote:
> jump into the proper changes (together with perfinion and other developers),
^.^

> Role segregation
> ================
>
> Which roles to make available?
> ------------------------------
>
> My opinion: I don't mind to support them all (i.e. document the use and the
> principles behind them and making these roles available through the base
> policy). I have most of them (except logadm_r) running on all my production
> systems anyway so I might as well support them through Gentoo Linux.

The ones that are in refpolicy are probably not hard to support. The issue is
more of what type of machine it is. My things are all mostly personal machines
so I dont want to have 10 different accounts and keep changing between for
single commands. For companies tho I can definitely see them using all the
roles for different people in the company. Currently if people want to use all
of them they will need a lot of work because we dont provide much for it.

Do we happen to have any information about big installations that use
gentoo and selinux and what their use-cases are?

> Differentiation between staff_r and user_r?
> -------------------------------------------
>
> Depending on the outcome of the previous question, there are two approaches
> to take between staff_r and user_r:
>
> 1. Have staff_r and user_r remain "in sync" with just the newrole_t
> difference, or
> 2. Only support "less risky" domains in staff_r and reduce user domain
> privileges

I personally use staff_r as my main account and do not use user_r at all
so I just end up having an extra policy which enables things that are
in user but not staff (wine, dropbox etc) on my laptop. Im not sure what
the right way to do things for this is. I think having most of the
things the same in staff/user is not that big of a deal since if you
dont have sec-policy/selinux-dropbox installed, the optional() block
just disappears. Although if someone can install packages then it
suddenly gets enabled but I think at that point it is already game over.

> Init script support
> ===================
>
> Transparent full system administration?
> ---------------------------------------
>
> So not this: ~# run_init rc-service nfs start
> But this: ~# rc-service nfs start

This is sort of annoying honestly, Im in favour of removing run_init in
front and make it just happen automatically. That said, I do like that
it can authenticate (I like it on my server since I dont restart things
much but dislike it on my laptop where I have less running and start
them manually when I need them. I think we should integrate this into
openrc directly but ideally i'd like to be able to keep the pam
authentication parts of it so that people can choose if they want to
type the password or not.

I also saw someone having issues with puppet or one of those cuz it just
ran the script and adding run_init in front was complicated.

> sysadm_r for System operational administration only?
> ----------------------------------------------------

This seems like it would be a big hurdle for most new (and old?) users.
If we enable more of the roles from above then perhaps there can be some
roles that are disallowed it but I think changing the current behavior
is a little strange.

> Follow the Gentoo-is-about-choice paradigm and support both through USE?
> ------------------------------------------------------------------------

There is currently a use-flag for unconfined, making similar useflags
(or a use_expand?) for how the roles should be used sounds like the
easiest way. If people install with the defaults they get staff/sysadm
like exist currently but if they enable some of the other roles then
maybe sysadm would lose some of its privs to that other role. (eg enable
secadm and sysadm is no longer able to change the policy)

> Disadvantages: implementation possibilities are reduced (but hey, what do
> you care, right?)

How are they reduced? You mean ways to implement the policy or ways to
use it as a user? How much more complicated would this become for the
policy?

-- Jason
Re: SELinux support principles discussion [ In reply to ]
sven.vermeulen at siphos
Jul 29, 2014, 9:48 AM
Post #3 of 3 (1632 views)
Permalink
On Sun, Jul 20, 2014 at 04:28:58PM +0400, Jason Zaman wrote:
> > Role segregation
> > ================
> >
> > Which roles to make available?
> > ------------------------------
> >
> > My opinion: I don't mind to support them all (i.e. document the use and the
> > principles behind them and making these roles available through the base
> > policy). I have most of them (except logadm_r) running on all my production
> > systems anyway so I might as well support them through Gentoo Linux.
>
> The ones that are in refpolicy are probably not hard to support. The issue is
> more of what type of machine it is. My things are all mostly personal machines
> so I dont want to have 10 different accounts and keep changing between for
> single commands. For companies tho I can definitely see them using all the
> roles for different people in the company. Currently if people want to use all
> of them they will need a lot of work because we dont provide much for it.
>
> Do we happen to have any information about big installations that use
> gentoo and selinux and what their use-cases are?

I asked around some time ago on the G+ community but didn't get much
feedback. What I know professionally is (not counting the "all our users are
unconfined_t" deployments) that most struggle with the users conceptually,
because they don't have a clear definition to fall back on.

Most deployments tend to follow the distribution choice, or customize. The
ones that customize we don't really need to cater much for (beyond to make
sure that these customizations aren't broken), and the ones that follow the
distribution should have a clear, well-documented approach on things.

Considering work-load, our user base, etc. I think the best way forward is
to support a bit more roles, but also make sure that their purpose remains
focused: auditadm_r, logadm_r, secadm_r, dbadm_r, webadm_r, guest_r,
xguest_r.

For those that aren't refpolicy-supported, I think they are useful for
various reasons:

- dbadm_r and webadm_r are two "example" user domains which serve a
particular administrative purpose. It can be used by others to learn how
to manage administrative user domains. The focus on databases (dbadm_r)
and web services (webadm_r) is that these are the two most popular
middleware services around which can be easily tested.

- guest_r and xguest_r would provide a very limited ("empty") user domain
for users with basic privileges. I would like to support these (using this
principle) as they are also available in RHEL and Fedora.

Because of these four additional domains, we can have

- staff_r and user_r similar (i.e. keep them in sync, except for the ability
to use sudo/su and roleswitching which is only available for staff_r) as
users who want a more "closed-down" user domain can either enhance the
xguest_r role, or copy and make their own implementation

- sysadm_r be a full-administrative domain, as users can then look at
dbadm_r and webadm_r to see how to make more "closed-down" administrator
domains

> > Differentiation between staff_r and user_r?
> > -------------------------------------------
> >
> > Depending on the outcome of the previous question, there are two approaches
> > to take between staff_r and user_r:
> >
> > 1. Have staff_r and user_r remain "in sync" with just the newrole_t
> > difference, or
> > 2. Only support "less risky" domains in staff_r and reduce user domain
> > privileges
>
> I personally use staff_r as my main account and do not use user_r at all
> so I just end up having an extra policy which enables things that are
> in user but not staff (wine, dropbox etc) on my laptop. Im not sure what
> the right way to do things for this is. I think having most of the
> things the same in staff/user is not that big of a deal since if you
> dont have sec-policy/selinux-dropbox installed, the optional() block
> just disappears. Although if someone can install packages then it
> suddenly gets enabled but I think at that point it is already game over.

The point is more about the applications that still run in the user domain
rather than their own domain. Vulnerabilities in firefox (mozilla_t)
shouldn't be able to impact the system much beyond what mozilla_t can do
(and with our own support for XDG directories, even user content can be
properly protected), but applications that /do/ run in the user domain might
have more impact to the system if they run in staff_t, as they can "try" to
elevate their privileges (depending on the system configuration, this might
be possible) whereas user_t wouldn't allow that much.

But given the user domains above, having staff_t and user_t be very similar
and keep on focusing on confining the user applications, I think we are
taking a safe route here. The worst risks aren't within the domains, but in
the applications that would still run in the user domains.

> > Init script support
> > ===================
> >
> > Transparent full system administration?
> > ---------------------------------------
> >
> > So not this: ~# run_init rc-service nfs start
> > But this: ~# rc-service nfs start
>
> This is sort of annoying honestly, Im in favour of removing run_init in
> front and make it just happen automatically. That said, I do like that
> it can authenticate (I like it on my server since I dont restart things
> much but dislike it on my laptop where I have less running and start
> them manually when I need them. I think we should integrate this into
> openrc directly but ideally i'd like to be able to keep the pam
> authentication parts of it so that people can choose if they want to
> type the password or not.
>
> I also saw someone having issues with puppet or one of those cuz it just
> ran the script and adding run_init in front was complicated.

Indeed. I think we should definitely remove the need for calling run_init
directly in any case.

> > sysadm_r for System operational administration only?
> > ----------------------------------------------------
>
> This seems like it would be a big hurdle for most new (and old?) users.
> If we enable more of the roles from above then perhaps there can be some
> roles that are disallowed it but I think changing the current behavior
> is a little strange.

Ok, I can live with that. And indeed, if we were to remove lots of
privileges from sysadm_r users would be severely impacted.

I'll see if the system operational code and "the rest" can be properly
documented in the policy files instead, so that /if/ someone would like to
instantiate a system operational role (like sysoper_r) they can copy the
sysadm_r information and remove the non-critical stuff themselves.

> > Follow the Gentoo-is-about-choice paradigm and support both through USE?
> > ------------------------------------------------------------------------
>
> There is currently a use-flag for unconfined, making similar useflags
> (or a use_expand?) for how the roles should be used sounds like the
> easiest way. If people install with the defaults they get staff/sysadm
> like exist currently but if they enable some of the other roles then
> maybe sysadm would lose some of its privs to that other role. (eg enable
> secadm and sysadm is no longer able to change the policy)

I think maintaining an expanded USE flag would become a maintenance burden,
but I'm not saying "no" here. We can do this in a second phase if the
sysadm_r role can be properly documented (cfr. paragraphs above) as we can
then include the proper ifdef() statements.

The reason I'm not in favor of taking this up right now is that we need to
support this throughout the future as well, and I don't know how to do this
with CIL in the future. Not saying it won't be possible though, just
something we might want to implement later.

> > Disadvantages: implementation possibilities are reduced (but hey, what do
> > you care, right?)
>
> How are they reduced? You mean ways to implement the policy or ways to
> use it as a user? How much more complicated would this become for the
> policy?

Policy-wise. The discussion was about the run_init support. We can make
sysadm_r support everything without needing run_init and without needing to
"integrate" run_init in OpenRC (or other init systems) by plain policy
rules.

However, the moment we make this optional, or at least user-defined through
USE flags, then the implementations must focus on at least two things:
run_init support in OpenRC (with the ability to discern calling run_init
based on USE flag settings, or based on interrogating the SELinux policy to
see if it is wanted) and policy.

Basically, if we integrate run_init in OpenRC, how do we make sure it
doesn't call it when it shouldn't (user domain has no run_init_t privileges,
but transitions to sysadm_r/initrc_t directly)?

If sysadm_r is "system operational only", then OpenRC shouldn't call
run_init except for the init scripts that are initrc_exec_t (and not say
tor_initrc_exec_t), and also not if the policy has direct_sysadm support.

But considering the ideas above, having sysadm_t be an all-encompassing
administrative domain, we only need to have OpenRC call run_init if the user
domain is sysadm_t. Other domains can be made to transition when needed
policy-wise. I think. I still need to get my head around it ;-)



I'll document the idea on the wiki (somewhere in the Project:SELinux
namespace) and expand on it some more to see if we don't have any loose
strings.

Thanks for the feedback!

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal