Dan Walsh's Blog

Got SELinux?

Polyinstantiation and MLS in RHEL5/FC6/Rawhide
danwalsh
One of the big new features of Red Hat Enterprise Linux 5 is the MLS (Multi Level Security) policy.  This is the third policy we have added for SELinux, joining the strict and targeted policies.  The goal with MLS is to allow us to get an EAL4+ certification against LSPP (the Labeled Security Protection Profile).  This lets SELinux compete in the same world as the other "Trusted" OSs, and allows us to sell to the Top Secret world of government and military sites.  MLS policy allows us to enforce Role-Based Access Control, Bell-LaPadula and Type Enforcement mandatory access control.

SELinux and RHEL differ from other "Trusted" operating systems in that all software components are the same whether you are running the MLS, strict or targeted policy.  We are not shipping a RHEL5 and a Trusted RHEL5.  There is one kernel and one set of userland packages.  The only difference is the policy installed on the system and the labels/contexts associated with the files.  The steps to switch from a targeted system to an MLS machine are:
  1. Install selinux-policy-mls
  2. vi /etc/selinux/config and change SELINUXTYPE to mls
  3. touch /.autorelabel; reboot
  4. When the machine is rebooting, put it in permissive mode by adding enforcing=0 to the kernel boot line, so that the relabel and the first boot under the new policy are not blocked by denials
  5. When the machine comes up, log in and run setenforce 1
  6. The machine is now in MLS mode and will enforce all forms of MAC.
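The same switch written out as a script, as an added example that is not part of the original post.  It assumes yum is available for step 1 and that grubby (the RHEL/Fedora boot-loader helper) is present for adding the enforcing=0 kernel argument; the SELINUXTYPE edit is done by a small function so it can be tried on a copy of the config before touching the real one.

```shell
#!/bin/sh
# Added example (not from the original post): switch a targeted RHEL5/FC6
# machine to the MLS policy following the six steps above.  Run as root.

# Rewrite SELINUXTYPE in an /etc/selinux/config-style file.  Appends the
# line when it is missing so a half-written config still ends up correct.
set_selinux_type() {
    conf=$1
    type=$2
    if grep -q '^SELINUXTYPE=' "$conf"; then
        sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$type/" "$conf"
    else
        printf 'SELINUXTYPE=%s\n' "$type" >> "$conf"
    fi
}

# Print the policy type a config file selects (empty if none).
selinux_type_of() {
    sed -n 's/^SELINUXTYPE=//p' "$1" | tail -n 1
}

switch_to_mls() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    yum -y install selinux-policy-mls                  # step 1
    set_selinux_type /etc/selinux/config mls           # step 2
    touch /.autorelabel                                # step 3: relabel on next boot
    # step 4: first boot under the new policy runs permissive, otherwise
    # services can be denied before their files carry MLS labels.
    # grubby with --update-kernel/--args is assumed to be installed.
    grubby --update-kernel=DEFAULT --args=enforcing=0
    echo "config now selects: $(selinux_type_of /etc/selinux/config)"
    echo "reboot now; afterwards run 'setenforce 1' (step 5) and drop the"
    echo "permissive argument with:"
    echo "  grubby --update-kernel=DEFAULT --remove-args=enforcing=0"
}

# Only touch the real system when explicitly asked.
if [ "$1" = "--apply" ]; then
    switch_to_mls
fi
```

Run it as `sh switch-to-mls.sh --apply`; without the flag it only defines the functions, which is what lets the config rewrite be tested on a scratch copy first.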

One key component required to get LSPP is polyinstantiated directories.  Polyinstantiation means that different login sessions looking at the same directory (say /tmp) see different contents, depending on things like the user name, role or sensitivity level.  This allows us to save Top Secret documents and Secret documents both in the virtual /tmp: apps running at Secret looking in /tmp see the Secret files, while Top Secret processes see the Top Secret documents.

So what is in it for those of you who don't use MLS?  Polyinstantiation can actually help on a shared targeted machine.  If you allow multiple users to log on to a system, you can give each one their own /tmp and /var/tmp (or polyinstantiate any other shared directory).  This prevents them from carrying out shared-directory attacks, such as symlink attacks on predictable file names in /tmp.  Polyinstantiation is implemented via a kernel change that allows the creation of mount namespaces.  pam_namespace.so lets you configure login sessions to run in different namespaces.  Read man pam_namespace and man namespace.conf to find out how to set this up.  Russell Coker has an excellent paper describing pam_namespace as well.
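A minimal per-user /tmp and /var/tmp setup for a shared targeted machine, as an added example that is not from the original post or from the pam project.  The namespace.conf lines follow the four-column format documented in man namespace.conf (polyinstantiated directory, instance prefix, method, users excluded from polyinstantiation); the lint function is my own and checks only the syntax of such a file against the methods the FC6/RHEL5-era module understood (user, context, level), not whether the running kernel and PAM stack honour it.

```shell
#!/bin/sh
# Added example (not from the original post): configure pam_namespace so
# every non-root login gets a private /tmp and /var/tmp, and lint the
# namespace.conf before deploying it.

# /etc/security/namespace.conf entries.  Columns: polyinstantiated dir,
# instance prefix, method (user|context|level), users to exclude.
# "user" keys the instance on the user name, which is what a shared
# targeted machine wants; MLS boxes would use "level" or "context".
NAMESPACE_CONF='
/tmp        /tmp-inst/          user    root
/var/tmp    /var/tmp/tmp-inst/  user    root
'
# Session line to add to each login service that should get the
# namespaces (e.g. /etc/pam.d/login and /etc/pam.d/sshd), after the
# other session modules that set up the login context.
PAM_LINE='session     required    pam_namespace.so'

# Lint a namespace.conf file.  Prints one diagnostic per bad line and
# returns 1 if any were found; comments and blank lines are skipped.
lint_namespace_conf() {
    awk '
        BEGIN { rc = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            bad = ""
            if (NF != 4)
                bad = "expected 4 fields (polydir, instance prefix, method, excluded users)"
            else if ($1 !~ /^\//)
                bad = "polydir must be an absolute path"
            else if ($2 !~ /^\//)
                bad = "instance prefix must be an absolute path"
            else if ($2 !~ /\/$/)
                bad = "instance prefix should end in / (the instance name is appended to it)"
            else if ($3 !~ /^(user|context|level)$/)
                bad = "unknown method " $3 " (known here: user, context, level)"
            if (bad != "") { printf "line %d: %s\n", NR, bad; rc = 1 }
        }
        END { exit rc }
    ' "$1"
}

# Write the config and create the instance parents.  pam_namespace
# refuses an instance parent that is not owned by root with mode 000,
# so set that explicitly.  Must run as root.
install_namespace_conf() {
    tmp=$(mktemp)
    printf '%s\n' "$NAMESPACE_CONF" > "$tmp"
    lint_namespace_conf "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" /etc/security/namespace.conf
    mkdir -p /tmp-inst /var/tmp/tmp-inst
    chown root:root /tmp-inst /var/tmp/tmp-inst
    chmod 000 /tmp-inst /var/tmp/tmp-inst
    echo "now add to the session stack of login/sshd:"
    echo "  $PAM_LINE"
}

if [ "$1" = "--install" ]; then
    install_namespace_conf
else
    scratch=$(mktemp)
    printf '%s\n' "$NAMESPACE_CONF" > "$scratch"
    lint_namespace_conf "$scratch" && echo "namespace.conf entries look sane"
    rm -f "$scratch"
fi
```

Without `--install` the script only lints the embedded entries, so it can be run by an unprivileged user to check an edited namespace.conf before it goes live; a bad entry otherwise shows up as a failed login rather than a useful error.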

Polyinstantiation takes a while to get used to.  You can easily get confused.  When I experimented with pam_namespace, I found a couple of problems and a bug.  The first time I set it up I did not mark the directories as described in Russell's paper.

mount --make-shared /
mount --bind /tmp /tmp
mount --make-private /tmp
mount --bind /var/tmp /var/tmp
mount --make-private /var/tmp

These lines should be added to rc.local or some other init script.  If you set up polyinstantiation, log in as a normal user and then execute one of these commands (or any mount command), it only affects your current namespace: when you log out those mounts are removed, and they never affected the other logged-in sessions.  So you need this set in the initial namespace, i.e. at boot time.  Once that is done, a directory mounted later from a login session outside of /tmp or /var/tmp is seen by all namespaces, because / is shared, while mounts under /tmp and /var/tmp stay private to that session.
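Checking that the boot-time marking actually took effect, as an added example of my own that is not from the post or from Russell Coker's paper.  It reads /proc/self/mountinfo, which only appeared in Linux 2.6.26, so it does not work on RHEL5's 2.6.18 kernel but does on anything current; the constructed sample mountinfo is there so the parsing can be exercised offline, and the rc.local lines from the post are wrapped in a function for completeness.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the polydirs are
# private mounts and / is shared in the namespace this script runs in, by
# reading /proc/self/mountinfo (Linux 2.6.26 and later).

# The boot-time lines from the post, wrapped so they can go in rc.local.
# Must run as root in the initial namespace, i.e. before any login.
mark_polydirs_private() {
    mount --make-shared /
    for d in /tmp /var/tmp; do
        mount --bind "$d" "$d"
        mount --make-private "$d"
    done
}

# Print the propagation type of the topmost mount at PATH as recorded in
# the mountinfo file FILE (default: this process's own view).  Output is
# one of shared, slave, shared-slave, unbindable, private, or none when
# PATH is not a mount point.  Field 5 of mountinfo is the mount point; the
# optional fields between field 6 and the "-" separator carry shared:N,
# master:N or unbindable, and a mount with none of them is private.
propagation_of() {
    awk -v target="$1" '
        $5 == target {
            found = 1; shared = 0; slave = 0; unb = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unb = 1
            }
            # later lines sit on top of earlier ones at the same path
            if (shared && slave)   kind = "shared-slave"
            else if (shared)       kind = "shared"
            else if (slave)        kind = "slave"
            else if (unb)          kind = "unbindable"
            else                   kind = "private"
        }
        END { print (found ? kind : "none") }
    ' "${2:-/proc/self/mountinfo}"
}

# Return 0 when / is shared and every listed polydir is a private mount
# point in FILE; print what is wrong otherwise.
check_polydirs() {
    file=$1; shift
    ok=0
    [ "$(propagation_of / "$file")" = shared ] || { echo "/ is not shared"; ok=1; }
    for d in "$@"; do
        kind=$(propagation_of "$d" "$file")
        [ "$kind" = private ] || { echo "$d: $kind (want private)"; ok=1; }
    done
    return $ok
}

# Constructed sample mountinfo: / shared, /tmp correctly bind-mounted and
# private, /var/tmp left as a plain shared subtree because the rc.local
# step was never run for it.
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
20 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 20 8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw
41 20 8:1 /var/tmp /var/tmp rw,relatime shared:2 - ext4 /dev/sda1 rw
EOF

echo "sample:"
check_polydirs "$SAMPLE_MOUNTINFO" /tmp /var/tmp || echo "sample is not set up correctly (expected)"
if [ -r /proc/self/mountinfo ]; then
    echo "this namespace:"
    check_polydirs /proc/self/mountinfo /tmp /var/tmp && echo "polydirs look right"
fi
```

Run it from a login session after the rc.local lines are in place: /tmp and /var/tmp should report private and / shared.  Seeing them as shared, or as not being mount points at all, means the marking ran in a session namespace instead of the initial one, which is exactly the mistake the paragraph above describes.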

I found a bug in pam_namespace also.  I set up namespaces to work for non-root accounts.  I also set up pam_namespace with unmnt_only for when I su to root.  But the code path in pam_namespace checked whether the uid was polyinstantiated first and exited before calling the unmnt_only code path.  So this caused the /tmp and /var/tmp directories to still be mounted when I was root.  Not what I wanted.  pam_namespace.so has been fixed in Rawhide, and there is a fix in pam-0.99.6.2-3.15.fc6 for FC6, which is in testing as of this writing.  This fix should get into RHEL5 by Update 1.

In conclusion, this tool has some use outside of MLS environments and might be something an admin wants to play around with.

Re: RHEL 5

(Anonymous)

2007-07-12 09:12 pm (UTC)

Thank you for pointing out that I missed pam_namespace.  That fixes it.
