Friday, June 09, 2006

SELinux: MLS Under Fedora Core 5

Hearing that Multi Level Security was available in FC5, I decided to load it on a system and take a look. The original concept of MLS was to allow military and government systems to tag files as Classified, Secret, Top Secret, or Unclassified. In its current incarnation, the military labels are replaced with arbitrary codes which can be aliased to names. This means you could put a document on a server that could only be read by people with "Marketing" clearance, whether they are in the Marketing group or not.

Here's what we have to do:
1. Install a Fedora Core 5 system with SELinux active, running the targeted policy.
2. Load the selinux-policy-mls RPM.
3. Change the default policy from targeted to mls.
4. Reboot the system to allow it to add a default security level label to every file.

Unfortunately, this resulted in a kernel panic. The kernel would die at boot time, because it was expecting to find an extra security context element, which wasn't there. (SELinux uses a three-part security context to flag each file. MLS gives an additional flag, which must be added.) Of course, it was supposed to boot to a relabel mode, and take care of that for us. No luck.
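The difference between a three-part context and one carrying the extra MLS field can be checked mechanically. The shell functions below are an added example, not part of the original post; the function names and the sample "context path" lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and sample
# lines are constructed for illustration.

# Print the MLS level or range of a context (user:role:type[:level]).
# Prints nothing when only the three base fields are present.
mls_level() {
    rest=${1#*:}       # drop the user field
    rest=${rest#*:}    # drop the role field; rest is now type[:level]
    case $rest in
        # The level may itself contain ':' (s15:c0.c255), so keep
        # everything after the first ':' that follows the type.
        *:*) printf '%s\n' "${rest#*:}" ;;
    esac
}

# Read "<context> <path>" lines on stdin and print the path of every
# entry whose context has no MLS level. A context never contains a
# space, so the first space separates it from the path.
unlabelled() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ctx=${line%% *}
        path=${line#* }
        [ -n "$(mls_level "$ctx")" ] || printf '%s\n' "$path"
    done
}

# Constructed sample: two entries relabelled for MLS, two still
# carrying the three-part context left by the targeted policy.
sample() {
cat <<'EOF'
system_u:object_r:shell_exec_t:s0 /bin/bash
system_u:object_r:etc_t /etc/hosts
root:object_r:user_home_dir_t /root
system_u:object_r:shadow_t:s15:c0.c255 /etc/shadow
EOF
}

# Lists the paths that would still need a relabel.
sample | unlabelled
```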

Rebooted the system, interrupted GRUB, and appended selinux=0 to the kernel options. Logged in as root, and issued the command fixfiles restore. It took the system about 15 minutes to relabel the files with the new information. (This isn't the best way of doing this, but it was the only choice since the auto-relabel failed.)

Rebooted the system, and was offered a login prompt. Logged in as root, only to find-- I didn't have security clearance to access /bin/bash. Oops.

Rebooted the system, interrupted GRUB, and appended enforcing=0 to the kernel options. Logged in as root... and I'm in! The SELinux security system is running in the Permissive mode, however. Now I've got to get the correct clearance.

Just for fun, I switched back to the Enforcing mode. I logged into the system as an unprivileged user, and everything worked. Ha! Maybe it is not broken after all... Maybe I'm just not allowed to log in as root, which (actually) is a good thing.

You see: root is a living, breathing security violation. If I have a user on my "traditional" Linux system that has codename clearance for the MAJESTIC project, and I access his home directory, I could snatch documents that I am not authorized to see. Under MLS, root cannot even cd into an unprivileged user's home directory. As a matter of fact, now that I've switched back to Enforcing, I can't even cd into /root!

Turns out, the problem wasn't the clearance needed to run Bash, but the clearance to access root's home. When root logs in, he has the staff_r role. To access /root, he needs the sysadm_r role. To make matters even more interesting, I wanted to return to the Permissive mode to test my theory. I issued setenforce 0 only to be greeted by a happy little message:
Permission denied


Now I'm stuck. The only way out is to reboot... Or accept the march of progress. Root is no longer God. He has gone the way of Quetzalcoatl. Maybe he was a false god all along. Kinda like the Goa'uld.

The next trick is to figure out how to use MLS to create my own codewords.
