When a major release hits the street, documentation and digital press tends to focus on new or improved user features, seldom do underlying platform changes make the spotlight. Each BIG-IP release have plenty new customer-centric features but one unsung massive update is SELinux’s extensive enforcing mode policy across the architecture. This isn’t one change nor is this one development group making a few updates. This represents a commitment by F5's Product Development to ensure their code and modules comply with the ever-increasing security requirements the industry look for from our platforms. We practice what we preach; F5 is a security company. BIG-IP and SELinux are no strangers, having coexisted since 2009, but comparing our original efforts to our current SELinux implementation is akin to having your kid's youth soccer team shoot penalties against David Seaman.
A Brief Understanding of SELinux
In Linux land, security is enforced via Discretionary Access Controls (DAC). A resource is associated with a user/group and given a permission set (read, write, execute). The permissions of a resource are validated against the requestor and granted or denied based on those permissions. This is useful for user access to resources but most processes run root level permissions; you know, the account you’re not supposed to run things as if you don’t have to. An application or user running as root, if compromised, negates the security defined on the system.
SELinux (Security-Enhanced Linux) provides secondary granular security complimenting DAC with Mandatory Access Control (MAC) policies. SELinux implements a policy database to govern how a subject is allowed to interact with an object, and either grants permission or denies access based on those predefined rules. A subject in this context is any process that “acts” on something; an object is whatever is being acted on by the subject. This could be an http daemon (subject) requesting a port (object) or mysql (subject) accessing it’s own database files (object). Since an object can be a directory, file, socket, pipe, memory, IPC… the amount of potential policy rules one can create on a system is overwhelming. Now you’re starting to realize how large this undertaking this can be.
BIG-IP and SELinux
SELinux can run in Permissive or Enforcing mode, where permissive will log denials but still allow the interaction of subject and object (disabled is also a mode, albeit not useful in our case). Enforcing mode will log and prohibit any policy violations and is how security appliances should work. To run sestatus and see Current mode: enforcing is only step A. If the SELinux policy is empty, you’re enforcing nothing. To get a better idea of the massive policy expansion between 11.6 and current versions, we can compare policy summaries on each version using checkpolicy:
Note the growth in rules and in conditional rules as versions mature. Product development has been very busy to ensure functional parity while further restricting permission maps of how processes operate in their respective domains against their intended targets. Any attempt to override or elevate privileges on processes or objects would be met with a denial and log entry.
SELinux on BIG-IP is one of those features you should be excited about but don’t actually play with, and that’s ok. For the SELinux admin, you understand the effort required and it’s quite impressive. For those new to SELinux and think this isn't a big deal, there are plenty of information on the internet to help understand how it can improve and complicate your various systems. In BIG-IP we took care of the heavy lifting for you. Below are more resources for further reading so you can be the life of any party. Thanks for playing.