In terms of security, all I can say is: stick to the UNIX principle of keeping things as „simple and beautiful“ as possible.

Simplification (redesigning and rewriting complex, organically grown structures) always pays off, in efficiency as well as in security.

The reason: errors WILL happen (it is not a question of IF they happen, only of how many), and their number grows with complexity. Less complexity means fewer errors, and fewer errors mean more security.

debian8

root@Debian8:~# ll /etc/passwd
-rw-r--r-- 1 root root 2.1K Jun 19 15:21 /etc/passwd
root@Debian8:~# ll /etc/shadow
-rw-r----- 1 root shadow 1.4K Jun 19 15:21 /etc/shadow

suse12

suse12:~ # ll /etc/passwd
-rw-r--r-- 1 root root 1784 24. Apr 13:01 /etc/passwd
suse12:~ # ll /etc/shadow
-rw-r----- 1 root shadow 870 24. Apr 13:01 /etc/shadow

centos7

[root@CentOS7 ~]# ll /etc/passwd
-rw-r--r--. 1 root root 2,0K 19. Jun 16:43 /etc/passwd
[root@CentOS7 ~]# ll /etc/shadow
----------. 1 root root 1,2K 19. Jun 16:43 /etc/shadow
[root@CentOS7 ~]#

conclusion:

Ordinary users are allowed to change their own password through /usr/bin/passwd, which has the set-user-ID (SUID) bit on: a user runs that program with the permissions of its owner, root. That is the only sanctioned path to the password hashes, so it is clear that no user but root should be able to read or change /etc/shadow directly. The listings above show two ways of arriving there: Debian and SUSE use mode 0640 with group shadow (only root and members of the shadow group can read the file), CentOS uses mode 0000 owned by root:root (root still gets in because it bypasses the permission bits). /etc/passwd, on the other hand, must stay world-readable, because every program that maps a uid to a name reads it.

suse12:~ # ll /usr/bin/passwd
-rwsr-xr-x 1 root shadow 51232 30. Sep 2016  /usr/bin/passwd

root@Debian8:~# ll /usr/bin/passwd
-rwsr-xr-x 1 root root 52K May 17 17:14 /usr/bin/passwd

[root@CentOS7 ~]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 28K 10. Jun 2014  /usr/bin/passwd

The . dot at the end of the centos7 permission string means the file carries an SELinux security context (ls shows the context itself with -Z):

ls -Z /etc/shadow
----------. root root system_u:object_r:shadow_t:s0    /etc/shadow

Manpages:

etc_passwd.man.txt

etc_shadow.man.txt

selinux.man.txt

About SELinux

An NSA research project called SELinux added a Mandatory Access Control architecture to the Linux Kernel, which was merged into the mainline version of Linux in August 2003.

It utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface).

Red Hat Enterprise Linux version 4 (and later versions) come with an SELinux-enabled kernel. Although SELinux is capable of restricting all processes in the system, the default targeted policy in RHEL confines the most vulnerable programs from the unconfined domain in which all other programs run. RHEL 5 ships 2 other binary policy types: strict, which attempts to implement least privilege, and MLS, which is based on strict and adds MLS labels. RHEL 5 contains additional MLS enhancements and received 2 LSPP/RBACPP/CAPP/EAL4+ certifications in June 2007.[6]

„Our vital research program focuses on four critical goals:“

  • We develop the means to dominate the global computing and communications network.
  • We cope with the overload of information in our environment and turn that overload to our strategic advantage.
  • We provide the means for ubiquitous, secure collaboration both within our government and through its interactions with various partners.
  • We create the means for penetrating into the „hard“ targets that threaten our nation wherever, whenever, or whomever they may be.

src: https://www.nsa.gov/what-we-do/research/


NAME
SELinux – NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system.

The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security.

Background information and technical documentation about SELinux can be found at http://www.nsa.gov/research/selinux.

The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforcing mode. The SELINUX variable may be set to any one of disabled, permissive, or enforcing to select one of these options. The disabled option completely disables the SELinux kernel and application code, leaving the system running without any SELinux protection. The permissive option enables the SELinux code, but causes it to operate in a mode where accesses that would be denied by policy are permitted but audited. The enforcing option enables the SELinux code and causes it to enforce access denials as well as auditing them. Permissive mode may yield a different set of denials than enforcing mode, both because enforcing mode will prevent an operation from proceeding past the first denial and because some application code will fall back to a less privileged mode of operation if denied access.

The /etc/selinux/config configuration file also controls what policy is active on the system. SELinux allows for multiple policies to be installed on the system, but only one policy may be active at any given time. At present, multiple kinds of SELinux policy exist: targeted, mls for example. The targeted policy is designed as a policy where most user processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy. For example, the user would run in a completely unconfined domain while the named daemon or apache daemon would run in a specific domain tailored to its operation. The MLS (Multi-Level Security) policy is designed as a policy where all processes are partitioned into fine-grained security domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.

You can define which policy you will run by setting the SELINUXTYPE environment variable within
/etc/selinux/config. You must reboot and possibly relabel if you change the policy type to
have it take effect on the system. The corresponding policy configuration for each such policy
must be installed in the /etc/selinux/{SELINUXTYPE}/ directories.

A given SELinux policy can be customized further based on a set of compile-time tunable options
and a set of runtime policy booleans. system-config-selinux allows customization of these
booleans and tunables.

Many domains that are protected by SELinux also include SELinux man pages explaining how to
customize their policy.

FILE LABELING
All files, directories, devices … have a security context/label associated with them. These
context are stored in the extended attributes of the file system. Problems with SELinux often
arise from the file system being mislabeled. This can be caused by booting the machine with a
non SELinux kernel. If you see an error message containing file_t, that is usually a good
indicator that you have a serious problem with file system labeling.

The best way to relabel the file system is to create the flag file /.autorelabel and reboot.
system-config-selinux, also has this capability. The restorecon/fixfiles commands are also
available for relabeling files.

AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.

FILES
/etc/selinux/config

SEE ALSO
booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8), togglesebool(8), fixfiles(8),
restorecon(8), setfiles(8), semanage(8), sepolicy(8), seinfo(8), sesearch(8)

Every confined service on the system has a man page in the following format:

<servicename>_selinux(8)

For example, httpd has the httpd_selinux(8) man page.

man -k selinux

Will list all SELinux man pages.


dwalsh@redhat.com 29 Apr 2005 selinux(8)
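The man page above describes /etc/selinux/config (SELINUX= and SELINUXTYPE=) and the difference between what the file says and what the running kernel does. As an added example, not part of the original post nor of the selinux(8) man page, here is a POSIX shell script that parses such a file, reports the configured posture, writes a hardened copy with SELINUX=enforcing, and reads the kernel's actual mode from /sys/fs/selinux/enforce. The function names and the sample config at the bottom are this example's own constructions; the parser accepts plain KEY=value lines as the man page shows them, which is also the only form worth relying on, since libselinux's own parser is less forgiving than this one.

```shell
#!/bin/sh
# Added example, not from the original post or the selinux(8) man page.
# Parses an /etc/selinux/config-style file and compares the configured
# mode with what the running kernel enforces.

# selinux_setting CONFIG KEY -> prints KEY's value from "KEY=value" lines
# (leading whitespace allowed, # lines ignored); the last assignment wins.
selinux_setting() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# selinux_posture CONFIG -> prints enforcing|permissive|disabled|unset|invalid
# and succeeds only for enforcing (values compared case-insensitively).
selinux_posture() {
    mode=$(selinux_setting "$1" SELINUX | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing)  echo enforcing;  return 0 ;;
        permissive) echo permissive; return 1 ;;   # denials audited, not enforced
        disabled)   echo disabled;   return 1 ;;   # no SELinux protection at all
        "")         echo unset;      return 1 ;;
        *)          echo invalid;    return 1 ;;
    esac
}

# selinux_policy_dir CONFIG -> prints the directory the active policy must
# be installed in (/etc/selinux/{SELINUXTYPE}/ per the man page)
selinux_policy_dir() {
    type=$(selinux_setting "$1" SELINUXTYPE)
    [ -n "$type" ] && echo "/etc/selinux/$type"
}

# harden_config IN OUT -> copy IN to OUT with SELINUX forced to enforcing
# (appended if missing). Takes effect on reboot; use "setenforce 1" for
# the kernel that is running now.
harden_config() {
    if grep -q '^[[:space:]]*SELINUX=' "$1"; then
        sed 's/^\([[:space:]]*SELINUX=\)[^[:space:]#]*/\1enforcing/' "$1" > "$2"
    else
        { cat "$1"; echo "SELINUX=enforcing"; } > "$2"
    fi
}

# runtime_mode -> what the kernel actually does right now, which can differ
# from the config after "setenforce 0": enforcing, permissive or "no selinux"
runtime_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    else
        echo "no selinux"
    fi
}

# Demo on a constructed sample config (not any real machine's file): the weak
# setting someone left behind after "fixing" a denial, beside the corrected copy.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
EOF
echo "configured: $(selinux_posture "$cfg"), policy dir: $(selinux_policy_dir "$cfg")"
harden_config "$cfg" "$cfg.fixed"
echo "hardened copy: $(selinux_posture "$cfg.fixed")"
echo "running kernel: $(runtime_mode)"
rm -f "$cfg" "$cfg.fixed"
```

Check both views: a config that says enforcing means nothing if the kernel was switched to permissive with setenforce 0, and a permissive kernel only logs what it would have blocked. If ls -Z shows file_t on files, schedule a relabel with touch /.autorelabel and a reboot (or restorecon -Rv on the affected tree) instead of reaching for SELINUX=disabled.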



Links:

http://dwaves.de/2016/09/24/primitive-paranoia-investigating-selinux-work-in-progress/

http://dwaves.de/2014/02/03/nsas-selinux-installed-per-default-on-debian-ubuntu-and-android-spylux-since-2003/
