Cyber security is on everyone’s minds these days. Embedded devices like cameras have been used by bad guys to launch attacks on the Internet. People worry about data leaking from voice command devices or home automation systems. And this goes for the roll-your-own systems we build and deploy.
Many network-aware systems use Linux somewhere — one big example is pretty much every Raspberry Pi based project. How much do you think about security when you deploy a Pi? There is a superior security system available for Linux (including most versions you’d use on the Pi) called SELinux. The added letters on the front are for “Security-Enhanced” and this project was originally started by the NSA and RedHat. RedHat actually has — no kidding — a coloring book that helps explain some of the basic concepts.
We aren’t so sure the coloring book format is really the right approach here, but it is a light and informative read (we didn’t stay in the lines very well, though). Our one complaint is that it doesn’t really show you anything in practice; it just explains the ideas behind the different kinds of protection available in SELinux. If you want to actually set it up on a Pi, there’s a page on the Pi site that will help. If you have an hour, you can get a good overview of using SELinux in the video below.
By default, the Linux security model is pretty simple. You have four conceptual groups of people: the root user, the owner of something, groups of users, and everyone who doesn’t fit in any of the previous categories. Files and things that look like files can have read, write, and execute permissions that apply separately to the owner, the owner’s group, and everyone else. There are some special rules for directories and a few other features, but that’s it in a nutshell. It is easy to make a file (like a shell script) that you can read, write and execute, while users in your group can only read and execute, and everyone else can only execute. On a single-user Pi this is probably fine, since you are the only user anyway and groups don’t mean much. However, as you’ll see in the video, using these permissions to limit what, say, a web server can touch makes your system less vulnerable to attack.
With SELinux you can put labels on processes and file system objects and use those to control access. The example in the coloring book focuses on making sure dogs eat the right dog food and cats eat cat food. You can get very fine-grained control using these methods. You can also use MLS (multi-level security) like the government does and have things be secret, top secret, etc.
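The two checks described above, as an added example that is not from the article or from the SELinux project: the classic owner/group/other bits decide first, then an SELinux-style type-enforcement rule set gets a veto. The domains, types and allow rules (dog_t, dog_food_t, httpd_t, and so on) are constructed for illustration in the spirit of the coloring book.

```python
"""Toy model of Linux access control: DAC permission bits, then a
type-enforcement policy. All labels and rules here are constructed."""
from dataclasses import dataclass

R, W, X = 4, 2, 1          # permission bits within one 3-bit class

@dataclass
class FileObj:
    mode: int              # e.g. 0o751 = owner rwx, group r-x, other --x
    uid: int
    gid: int
    label: str             # SELinux type, e.g. "dog_food_t" (constructed)

@dataclass
class Subject:
    uid: int
    gids: set
    label: str             # SELinux domain, e.g. "dog_t" (constructed)

def dac_allows(subj, obj, want):
    """Classic check: root bypasses everything; otherwise exactly ONE
    class applies (owner, else group, else other). An owner whose own
    bits lack 'r' is denied even if group or other would grant it."""
    if subj.uid == 0:
        return True
    if subj.uid == obj.uid:
        bits = (obj.mode >> 6) & 7
    elif obj.gid in subj.gids:
        bits = (obj.mode >> 3) & 7
    else:
        bits = obj.mode & 7
    return bits & want == want

# Constructed allow rules: (domain, type) -> permitted operations.
# Anything not listed is denied, which is how type enforcement works.
POLICY = {
    ("dog_t", "dog_food_t"): {R},
    ("cat_t", "cat_food_t"): {R},
    ("httpd_t", "httpd_content_t"): {R},
}

def selinux_allows(subj, obj, want):
    """Type enforcement: every requested bit needs an allow rule, and
    uid 0 gets no special treatment at this layer."""
    allowed = POLICY.get((subj.label, obj.label), set())
    return all(bit in allowed for bit in (R, W, X) if want & bit)

def access(subj, obj, want):
    """Kernel order: DAC first, then the SELinux hook. Both must agree."""
    return dac_allows(subj, obj, want) and selinux_allows(subj, obj, want)
```

Running the checks with a root subject labelled cat_t shows the point of the coloring book: root passes DAC but is still denied dog food by the policy.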
Take some time to make sure you get basic Linux security right. This way hackers (the bad kind, not our kind) will have to work a lot harder to cause mayhem. We’ve seen some pretty incredible efforts like hacking a modern Linux box with 6502 code aimed at the Nintendo. It is no secret that Internet-connected devices are becoming a target of choice for the black hats.
Not new at all, but it is always a good time to share that knowledge.
SELinux is one of those things that 99% of people turn off. I’ve never seen a software install that says “Make sure SELinux is enabled”, because understanding it and setting the correct entries is a PITA. Making the concepts easier to understand will lead to better adoption and eventually safer systems.
There’s a message hidden in “can make your system less vulnerable to attack”.
What SELinux does is reduce the impact of a successful attack.
For example, if the web service of your fancy RGB-WiFi-Remote-IoT clock gets hacked, SELinux will hopefully prevent the attacker from gaining root access.
But SELinux will not help you if the hacked service has access to the attacker’s target by default, i.e. the alarm time or garage door opener.
SELinux is impact mitigation; it will not defend against the (first) attack itself.
The real problem with SELinux is that its tools are painful to use and, more importantly, nobody has made an easy distribution that uses it by default. Also, people have invented other ways to avoid needing it, like having a user for only one task, but it’s generally insufficient.
I think Fedora is pretty easy today and has SELinux turned on by default.
Great Explanation. Thank you!