1
MULTILEVEL SECURITY (MLS) WITH RED HAT ENTERPRISE LINUX 6 AND SELINUX
David Egts, RHCA, RHCSS, Principal Architect, @davidegts
2
Overview
● Part 1: Background on MLS
● Part 2: MLS with RHEL 6
● Part 3: Basic setup of MLS with RHEL 6
● Part 4: Separating system and security admin roles
● Part 5: Mapping sensitivities and categories to mission specific names
● Part 6: Optionally relaxing security
● Part 7: Adding an MLS user
● Part 8: Using ssh
● Part 9: MLS with RHEL 6 in action!
3
Background
● What is multilevel security (MLS)?
● MLS implementation examples from the past and present
● The Bell–LaPadula model
● Comparing MLS with MCS
4
What is multilevel security (MLS)?
● The application of a computer system to process information with different sensitivities (i.e., at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization
● http://en.wikipedia.org/wiki/Multilevel_security
(Diagram: the five levels Top Secret, Secret, Confidential, Restricted, Unclassified)
5
MLS implementation examples from the past and present
● Specialized operating systems
● Forked variants of mainstream operating systems
● Red Hat Enterprise Linux
6
The Bell–LaPadula model
● Focuses on data confidentiality and controlled access to classified information
● “No read up, no write down”
● http://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model
(Diagram: the five levels, Top Secret down to Unclassified, with Read and Write arrows marked ✔ or ✗ according to the rule)
9
The Bell–LaPadula model with write equality
● No write up
● Adds integrity, prevents noise
● Red Hat Enterprise Linux 6 MLS implements this
(Diagram: the five levels with Read and Write arrows; a subject reads down (✔), cannot read up (✗), and writes only at its own level (=))
10
MLS is not MCS
● Multilevel security (MLS)
  ● Has read up/write down rules (“security levels”)
  ● Mostly military and intelligence community applications
● Multicategory security (MCS)
  ● No concept of read up/write down (“categories”)
  ● Military and intelligence community applications
  ● Useful in other industries (healthcare, financial services)
    ● Separate billing access from medical record access
  ● Often easier to implement and maintain
  ● When you want category separation and you don't have levels
  ● Default RHEL SELinux targeted policy does MCS
14
MLS with Red Hat Enterprise Linux 6
● selinux-policy-mls RPM
● Implements the Bell–LaPadula model with write equality
● Provides role-based access control (RBAC)
  ● Can separate system admin from security admin from auditor, etc.
● Provides the extra protection of type enforcement (TE)
  ● httpd, etc., are confined by both MLS and TE
15
id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
● root = user, sysadm_r = role, sysadm_t = type, SystemLow = effective level, SystemHigh = cleared level
16
SELinux sensitivity and category
● SystemLow-SystemHigh = s0-s15:c0.c1023
● s = sensitivity (“classification level”)
  ● 16 levels by default
  ● Can only effectively be in one at a time
● c = category (“program you're read into”)
  ● 1024 categories by default
  ● Can have multiple categories
    ● Can be read into multiple programs
● 16 * 2^1024 possible labels!
17
SELinux sensitivity and category example
● s0 < s5
  ● s5 has a higher sensitivity (“classification level”) than s0
  ● s5 can read s0 to s5 content
  ● s0 can't read s5 content
  ● s5 will write exactly s5 content
  ● s0 will write exactly s0 content (no higher)
  ● Neither has categories
    ● “Clearances but not read into any compartmentalized programs”
18
SELinux sensitivity and category example
● s6:c133 <> s9:c296
  ● Neither can read the other
  ● s9 is a higher sensitivity (“classification level”) but isn't read into category c133
  ● c296 does not dominate c133
    ● Unlike sensitivities, categories have no concept of domination
    ● c296 and c133 are just different
  ● s6:c133 will write exactly s6:c133 content
    ● Role change needed to write s6 with no category
19
SELinux sensitivity and category example
● s1:c2,c4,c5 < s9:c2.c6,c10
  ● Multiple categories
  ● Dot notation defines a contiguous range of categories (“c2 through c6”)
  ● s9:c2.c6,c10 can read the s1:c2,c4,c5 content
    ● s9:c2.c6,c10 has a higher classification level and is read into c2, c4, and c5 (as well as c3, c6, and c10)
  ● s1:c2,c4,c5 can't read the s9:c2.c6,c10 content
    ● s1:c2,c4,c5 is a lower sensitivity
    ● s1:c2,c4,c5 isn't read into c3, c6, and c10
  ● s9:c2.c6,c10 will write exactly s9:c2.c6,c10 content
20
SELinux MLS and type enforcement example
● ps -ZC httpd
  ● system_u:system_r:httpd_t:s15:c0.c1023
● ls -Z /etc/shadow
  ● system_u:object_r:shadow_t:s0
● httpd can't read /etc/shadow
  ● But isn't httpd at the highest security level and read into all categories?
  ● httpd's SELinux type enforcement policy doesn't allow access to shadow_t!
  ● Most other MLS implementations don't provide this additional layer of security
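The dominance rules from the sensitivity and category example slides and the two-layer check on this slide, worked through in an added Python example (not code from the deck, from Red Hat or from the selinux-policy-mls package). The TE_READ_ALLOW table is a constructed stand-in for the real type enforcement policy; everything else follows the labels shown on the slides.

```python
"""SELinux MLS label semantics as the deck describes them: sensitivities are
ordered, categories compare as sets, reads need dominance, writes need
equality, and type enforcement (TE) is a separate check that must also pass."""
import re
from dataclasses import dataclass

MAX_SENSITIVITY = 15   # s0..s15: 16 levels in the default MLS policy
MAX_CATEGORY = 1023    # c0..c1023: 1024 categories


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus a (possibly empty) set of categories."""
    sensitivity: int
    categories: frozenset

    @classmethod
    def parse(cls, text: str) -> "Level":
        """Parse "s5", "s6:c133" or "s9:c2.c6,c10" (a dot is a contiguous range)."""
        sens, _, cats = text.partition(":")
        m = re.fullmatch(r"s(\d+)", sens)
        if not m or int(m.group(1)) > MAX_SENSITIVITY:
            raise ValueError(f"bad sensitivity in {text!r}")
        categories = set()
        for item in filter(None, cats.split(",")):
            ends = item.split(".")
            if len(ends) > 2 or not all(re.fullmatch(r"c\d+", e) for e in ends):
                raise ValueError(f"bad category spec {item!r}")
            lo, hi = int(ends[0][1:]), int(ends[-1][1:])
            if not lo <= hi <= MAX_CATEGORY:
                raise ValueError(f"bad category range {item!r}")
            categories.update(range(lo, hi + 1))
        return cls(int(m.group(1)), frozenset(categories))

    def dominates(self, other: "Level") -> bool:
        """Sensitivity at least as high and categories a superset of other's."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def compare(a: Level, b: Level) -> str:
    """'<', '>', '=' or '<>' (incomparable: neither level dominates the other)."""
    if a == b:
        return "="
    if b.dominates(a):
        return "<"
    if a.dominates(b):
        return ">"
    return "<>"


def mls_can_read(subject: Level, obj: Level) -> bool:
    """Read down is fine; read up is never allowed."""
    return subject.dominates(obj)


def mls_can_write(subject: Level, obj: Level) -> bool:
    """Write equality: a subject writes exactly its own level, nothing else."""
    return subject == obj


@dataclass(frozen=True)
class Context:
    """user:role:type:level[-clearance], the shape printed by id -Z and ls -Z."""
    user: str
    role: str
    type: str
    effective: Level   # low end of the range: the level the subject acts at
    clearance: Level   # high end: the highest level it may change up to

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, typ, rng = text.split(":", 3)
        low, _, high = rng.partition("-")   # category ranges use '.', never '-'
        eff = Level.parse(low)
        return cls(user, role, typ, eff, Level.parse(high) if high else eff)


# Constructed stand-in for the TE policy (not the real selinux-policy-mls rules):
# (subject type, object type) pairs allowed to read. httpd_t is deliberately
# absent for shadow_t, which is exactly what the deck's httpd example relies on.
TE_READ_ALLOW = {
    ("httpd_t", "httpd_sys_content_t"),
    ("sysadm_t", "shadow_t"),
}


def te_can_read(subject: Context, obj: Context) -> bool:
    return (subject.type, obj.type) in TE_READ_ALLOW


def can_read(subject: Context, obj: Context) -> dict:
    """Both layers must allow the read; MLS dominance alone is not enough."""
    mls = mls_can_read(subject.effective, obj.effective)
    te = te_can_read(subject, obj)
    return {"mls": mls, "te": te, "allowed": mls and te}


if __name__ == "__main__":
    httpd = Context.parse("system_u:system_r:httpd_t:s15:c0.c1023")
    shadow = Context.parse("system_u:object_r:shadow_t:s0")
    print(can_read(httpd, shadow))   # {'mls': True, 'te': False, 'allowed': False}
```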
24
Setup
● Install a RHEL 6 system (virtual guest totally fine)
  ● Select “Basic Server” install
● Register system with RHN
● Update system and reboot
  ● yum -y update && reboot
● Install the SELinux MLS policy and additional tools
  ● yum install selinux-policy-mls policycoreutils-python
25
Targeted policy: one sensitivity
26
Translation table
27
Switch from targeted to mls SELINUXTYPE
28
Relabel the file system with the MLS policy
● Tell SELinux to relabel the file system with the current (MLS) SELinux policy on next boot and reboot
● touch /.autorelabel && reboot
● Reboot will take longer than usual
29
File system relabeling
30
MLS policy: 16 sensitivities
31
Different translation table
35
Change to secadm_r
36
Separate sysadm_r from secadm_r
37
Leave secadm_r
41
Customizing the translation table
42
Sample translation table
43
Sample colors
44
Using the sample translation table
45
Using the sample translation table
46
Need to be secadm_r!
47
Works after newrole to secadm_r
48
Copy the sample colors and leave secadm_r
49
Load the new mapping using mcstrans
53
Optionally relaxing security
● newrole without a root password each time
● run_init without a root password each time
54
Add pam_rootok.so for newrole
55
newrole works without root password each time
56
Add pam_rootok.so for run_init
57
run_init works without root password each time
61
Add a user
62
SELinux user types
63
Linux login names mapped to SELinux user types
64
Add login and assign user type and range
65
Log in as new user
66
Create a file
67
Can't write down!
68
Can read down
69
One fix: recursively relabel the home directory
70
Now writing works!
74
ssh as a non-root user
Escalating sensitivity within ssh
Figure out ssh's tty and the tty's SELinux type
Add that type to securetty_types
Now newrole within ssh works
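The three Part 8 steps (find the ssh session's tty type, add that type to securetty_types, then newrole) as shell functions. This is an added example, not from the slides; it assumes RHEL 6 with selinux-policy-devel installed (the Makefile path below), a module name local_securetty chosen here, and user_devpts_t as the type a typical box reports for an ssh pty (confirm with `ls -Z "$(tty)"`; the sample ls -Z line is constructed). Adding a pty type to securetty_types widens the set of terminals on which level and role changes are allowed, so add only the type actually observed.

```shell
#!/bin/sh
# Added example, not from the slides: the Part 8 steps as shell functions
# for RHEL 6 with the MLS policy and selinux-policy-devel installed.
# Assumed: module name local_securetty and the devel Makefile path below.

# Step 1: extract the SELinux type from an `ls -Z` line for the session's tty.
# The context field is the one shaped user:role:type:level; print its type.
tty_type_from_ls() {
    echo "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { split($i, f, ":"); print f[3]; exit }
    }'
}

# Step 2: render a small policy module that adds the type to securetty_types,
# so newrole accepts the ssh pty as a terminal it may change level/role on.
securetty_module_te() {
    cat <<EOF
policy_module(local_securetty, 1.0)
require {
    type $1;
    attribute securetty_types;
}
typeattribute $1 securetty_types;
EOF
}

# Step 3 (root only, not run by the test): build and load the module, after
# which `newrole -l <level>` inside the ssh session works as on the slide.
install_securetty_module() {
    tmp=$(mktemp -d) && cd "$tmp" || return 1
    securetty_module_te "$1" > local_securetty.te
    make -f /usr/share/selinux/devel/Makefile local_securetty.pp || return 1
    semodule -i local_securetty.pp
}

# Constructed sample of `ls -Z "$(tty)"` output on a RHEL 6 MLS box.
SAMPLE_LS_Z='crw--w----. mlsuser tty unconfined_u:object_r:user_devpts_t:s0 /dev/pts/1'
# tty_type_from_ls "$SAMPLE_LS_Z"   -> user_devpts_t
```

On a live system the chain is `install_securetty_module "$(tty_type_from_ls "$(ls -Z "$(tty)")")"` as root, followed by `newrole` in the ssh session.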
ssh as a non-root user with a sensitivity
Can change levels down within sensitivity range
Can't change levels outside sensitivity range
Can change levels up within sensitivity range
ssh as a non-root user with a sensitivity range
Part 9: MLS with RHEL 6 in action!
Set up secret and top_secret directories
ssh as mlsuser at the Secret level
Secret can write to Secret area
Can't read up
Can't write up (write equality only!)
ssh as mlsuser at the Top Secret level
Top Secret can write to Top Secret area
Can't write down
Can read down
ssh as mlsuser without a sensitivity
Can't read up
Escalate sensitivity to TS
And read down works
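The access outcomes shown in Part 9 (a read is allowed when the subject's level dominates the object's; a file write is allowed only when the two levels are equal, hence "write equality only") as a small decision function. This is an added example, not from the slides; the sensitivity numbers used for Secret and Top Secret are assumed for illustration, and it goes beyond the demo by also handling categories (c0.c3 ranges and c0,c2 lists) in the dominance check.

```shell
#!/bin/sh
# Added example (not from the slides): decide MLS file access the way the
# Part 9 demo shows it on RHEL 6: read needs the subject level to dominate the
# object level; write needs the two levels to be equal ("write equality").
# Level syntax is SELinux's: "sN", "sN:cA,cB" or "sN:cA.cB" (a category range).
# Constructed mapping used in the comments: Secret = s2, Top Secret = s3.

# Expand a category spec such as "c0.c3,c7" into one category number per line.
expand_cats() {
    if [ -z "$1" ]; then return 0; fi
    echo "$1" | tr ',' '\n' | while read -r item; do
        case "$item" in
            *.*) lo=${item%%.*}; hi=${item##*.}; lo=${lo#c}; hi=${hi#c}
                 i=$lo
                 while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i + 1)); done ;;
            *)   echo "${item#c}" ;;
        esac
    done | sort -n | uniq
}

sens_of() { s=${1%%:*}; echo "${s#s}"; }                          # "s3:c1" -> 3
cats_of() { case "$1" in *:*) echo "${1#*:}" ;; *) echo "" ;; esac; }

# dominates SUBJ OBJ: sensitivity >= and the category set is a superset.
dominates() {
    if [ "$(sens_of "$1")" -lt "$(sens_of "$2")" ]; then return 1; fi
    subj_cats=$(expand_cats "$(cats_of "$1")")
    for c in $(expand_cats "$(cats_of "$2")"); do
        if ! echo "$subj_cats" | grep -qx "$c"; then return 1; fi
    done
    return 0
}

# mls_decide read|write SUBJ OBJ -> prints "allow" or "deny".
mls_decide() {
    verdict=deny
    case "$1" in
        read)  if dominates "$2" "$3"; then verdict=allow; fi ;;
        write) if dominates "$2" "$3" && dominates "$3" "$2"; then verdict=allow; fi ;;
        *)     echo "usage: mls_decide read|write SUBJ OBJ" >&2; return 2 ;;
    esac
    echo "$verdict"
}

# The Part 9 demo replayed: Secret session (s2), Top Secret file (s3).
# mls_decide read  s2 s3   -> deny   (can't read up)
# mls_decide write s2 s3   -> deny   (can't write up: write equality only)
# mls_decide read  s3 s2   -> allow  (Top Secret can read down)
# mls_decide write s3 s2   -> deny   (can't write down)
```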
References
● The SELinux Notebook
● http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
● Red Hat Enterprise Linux 6 Security-Enhanced Linux User Guide
● https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security-Enhanced_Linux/index.html
● Confining Users with SELinux
● https://access.redhat.com/knowledge/videos/214723
Special thanks
● Dan Walsh
● http://danwalsh.livejournal.com/
● @rhatdan
● Paul Moore
● http://paulmoore.livejournal.com/
● @paul_via_tweet
● Ted Brunell
● Rick Ring
● Bob St. Clair
● Mark St. Laurent