* SElinux protection
@ 2009-08-14 10:38 Stefano Carucci
  2009-08-14 11:28 ` James Morris
  0 siblings, 1 reply; 5+ messages in thread
From: Stefano Carucci @ 2009-08-14 10:38 UTC (permalink / raw)
  To: selinux

Hello all.

I would like to pose some questions on the types of attacks that SELinux offers protection from.

In particular:
1. What are the types of attacks that are inhibited?
2. What are those that are not, because not explicitly designed for, and may still affect the system?
3. Is there any countermeasure against DoS attacks?

Thank you in advance!

Stefano

* Re: SElinux protection
  2009-08-14 10:38 SElinux protection Stefano Carucci
@ 2009-08-14 11:28 ` James Morris
  2009-08-14 11:39   ` Stefano Carucci
  0 siblings, 1 reply; 5+ messages in thread
From: James Morris @ 2009-08-14 11:28 UTC (permalink / raw)
  To: Stefano Carucci; +Cc: selinux

On Fri, 14 Aug 2009, Stefano Carucci wrote:

> 
> Hello all.
> 
> I would like to pose some questions on the types of attacks that SELinux offers protection from.
> 
> In particular:
> 1. What are the types of attacks that are inhibited?

The aim for the general case is to contain software vulnerabilities in 
userland code.  Note that in commonly shipped general purpose policies, 
local login users are not confined by default; the emphasis is on locking 
down network facing services.

> 2. What are those that are not, because not explicitly designed for, and may still affect the system?

As mentioned, local login users are generally not confined by SELinux 
policy in Fedora-based systems, although this is a matter of policy 
design; it's not inherent to SELinux itself.  There are some examples of 
confining local users, such as Kiosk Mode (install the xguest package), 
and work in this area generally is expected to continue.

SELinux operates at the kernel level, so vulnerabilities in the kernel 
itself may reduce or disable the protection of SELinux.  Other mechanisms 
are required to protect the kernel.

> 3. Is there any countermeasure against DoS attacks?

No.

A lot of information on SELinux is available here:
http://selinuxproject.org/page/User_Resources

This is a very brief overview:
http://www.slideshare.net/jamesmorris/lf-japan-08-talk


-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: SElinux protection
  2009-08-14 11:28 ` James Morris
@ 2009-08-14 11:39   ` Stefano Carucci
  2009-08-14 12:40     ` James Morris
  0 siblings, 1 reply; 5+ messages in thread
From: Stefano Carucci @ 2009-08-14 11:39 UTC (permalink / raw)
  To: jmorris; +Cc: selinux

Two further questions:

1. Does SELinux provide any countermeasure against buffer overflow attacks?

2. I read about the possibility of keeping processes from forking. Wouldn't you consider this as a protection from DoS attacks?




* RE: SElinux protection
  2009-08-14 11:39   ` Stefano Carucci
@ 2009-08-14 12:40     ` James Morris
  2009-08-14 15:50       ` Christopher Pardy
  0 siblings, 1 reply; 5+ messages in thread
From: James Morris @ 2009-08-14 12:40 UTC (permalink / raw)
  To: Stefano Carucci; +Cc: selinux

On Fri, 14 Aug 2009, Stefano Carucci wrote:

> 
> 
> Two further questions:
> 
> 1. Does SELinux provide any countermeasure against buffer overflow attacks?

Here's some information on memory protection checks which may be 
controlled via SELinux policy:

http://people.redhat.com/drepper/selinux-mem.html


> 2. I read about the possibility of keeping processes from forking. 
> Wouldn't you consider this as a protection from DoS attacks?

That could be effective in this case (as would resource limits), but 
SELinux is not generally designed to counteract DoS attacks.


- James
-- 
James Morris
<jmorris@namei.org>
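
As an added illustration (not part of this thread or of the linked page), here is a small C probe that attempts the two memory operations mediated by SELinux's `execmem` and `execheap` process permissions and reports whether the calling domain is allowed them. The permission names come from SELinux policy rather than from the message above, and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define RWX (PROT_READ | PROT_WRITE | PROT_EXEC)

/* Map a probe's errno to a verdict. SELinux denials surface as EACCES. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    return err == EACCES ? "denied (EACCES)" : "failed for another reason";
}

/* execmem: anonymous memory that is writable and executable at once. */
int probe_execmem(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, RWX, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, pg);
    return 0;
}

/* execheap: adding PROT_EXEC to a page of the brk heap. */
int probe_execheap(void)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *raw = sbrk((intptr_t)(2 * pg));   /* grow the heap by two pages */
    if (raw == (void *)-1)
        return errno;
    void *page = (void *)(((uintptr_t)raw + pg - 1) & ~(pg - 1));
    if (mprotect(page, pg, RWX) != 0)
        return errno;
    mprotect(page, pg, PROT_READ | PROT_WRITE);  /* restore RW */
    return 0;
}

int main(void)
{
    printf("execmem  probe: %s\n", verdict(probe_execmem()));
    printf("execheap probe: %s\n", verdict(probe_execheap()));
    return 0;
}
```

On a system without SELinux, in permissive mode, or in a domain granted these permissions, both probes report "allowed"; run it under the confined domain you want to check.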


* Re: SElinux protection
  2009-08-14 12:40     ` James Morris
@ 2009-08-14 15:50       ` Christopher Pardy
  0 siblings, 0 replies; 5+ messages in thread
From: Christopher Pardy @ 2009-08-14 15:50 UTC (permalink / raw)
  To: James Morris; +Cc: Stefano Carucci, selinux

>> 2. I read about the possibility of keeping processes from forking. 
>> Wouldn't you consider this as a protection from DoS attacks?
> 
> That could be effective in this case (as would resource limits), but 
> SELinux is not generally designed to counteract DoS attacks.

SELinux has the theoretical (has anyone done this yet?) ability to take away "fork" from an entire process context, i.e. killing all your webservers. This isn't really protection so much as something you can do in reaction to an attack. Resource limits, on the other hand, actually provide a protection against this. Then again, you can also just use kill at that point.

In response to your first question of what sort of attacks are inhibited, the simple answer is that SELinux is a way of enforcing the intentions of application designers. In that sense SELinux doesn't prevent any application from being exploited; it simply prevents exploited applications from doing anything they can't do anyway. The current Fedora default policy targets servers, as they're a major source of exploits and usually behave in fairly standard ways, at least compared to user applications.

Chris Pardy
