SELinux – Addressing Access Control Security in LabVIEW RIO Devices

インダストリアルIoT（IIoT）には、情報を相互で通信・共有できるような技術を組み込んだ物理的な対象物、システム、プラットフォーム、アプリケーションでネットワークを構築するという前提があります。産業用システムをつなぐこの巨大なネットワークは、データアナリティクスを使い、ローカル処理と通信によってマシンをスマート化することで、工業パフォーマンスの向上と問題の解決を図ります。しかし、このアプローチには常にセキュリティ面での課題がつきまといます。

CompactRIOシステムなどのLabVIEW RIOデバイスには、IIoTのアプリケーションを保護する様々なセキュリティ機能があります。LabVIEW RIOデバイスのセキュリティ対策は、ホワイトペーパー「RIOシステムのセキュリティ最善策（英語）」にまとめられているので、そちらをご覧ください。Security-Enhanced Linux（SELinux）は、NI Linux Real-Timeベースデバイスにアクセス制御セキュリティポリシーを追加できるようにすることで、セキュリティ機能を拡張します。このホワイトペーパーでは、SELinux管理の概要と高度な設定に関するリソースについてご紹介します。

SELinux was originally created to provide a mechanism to confine the damage caused by malicious applications by enforcing the separation of information based on confidentiality and integrity requirements. SELinux is a Linux kernel security module that provides mechanisms to support mandatory access control (MAC) security policies. Its goal is to separate enforcement of security decisions from the security policy itself by providing flexible mandatory access control (MAC) directly in the operating system.

SELinux defines the access and transition rights of users, applications, processes, and files on the system. These interactions are governed by the security policy to protect the system from malicious applications that could potentially harm or destroy the system. When an application attempts to access a file or resource, if that access would be permitted by the traditional Unix permissions, SELinux performs an additional check against the security context defined by the installed policy to decide whether to allow or deny access to that resource.

The SELinux policy contains the set of rules that govern the interactions between processes and objects. Every process has a label and similarly every object has a label associated to it. This is also truth for ports, devices, and even hostnames. This way, SELinux is a labeling system that uses policies containing rules to control the access of a process label to an object label like a file. The kernel is responsible for enforcing these rules and this action is known as Mandatory Access Control (MAC).

Figure 1. Security-Enhanced Linux Decision Process

The SELinux primary model of enforcement is called type enforcement. This means, that the definition of the label of a process is based on its type. Similarly, the label of an object such as a file is based on its type. For example, the objects in the home directory could be labeled as user_home_t. This represents the type, and in this case this means that the policy should treat all the objects with that label as home directory files. This is also the case for processes, for example a web browser could be running as webbrowser_t. Based on these labels, type enforcement allows you to specify what application label can access what resource label. For instance, the instruction allow webbrowser_t user_home_t : file { read write }; allows the web browser process running as webbrowser_t to read and write files in the home directory, labeled as user_home_t. This way, SELinux isolates objects and processes based on its type by denying access to processes not considered in the definition of the policy.

NI Linux Real-Time targets include a default reference policy containing a set of standard rules. This policy only restricts access to a few widely exposed services. Thus, user sessions are not restricted and legitimate user operations will be allowed. However, this does not enhance the security of services running on the embedded hardware target. Since most applications differ in terms of security needs, custom policies can be defined in SELinux to serve such purposes.  We recommend users unfamiliar with this tool to work directly with third party SELinux integrators to define tailored policies for specific applications.

SELinux has 2 main modes of operation: Enforcing and Permissive. In normal operation, an SELinux hardened system will run with SELinux in enforcing mode. This means that the SELinux policy is in effect and accesses that it does not explicitly permit will be denied. However, for testing and debugging purposes, SELinux can also be switched to permissive mode.

The permissive mode allows a system to run with SELinux enabled, while still allowing all the accesses that would otherwise be denied by the running policy. This means that a system running in permissive mode is not protected by SELinux.  The purpose is to log what SElinux would have denied, allowing the administrator an insight into what would happen with SELinux in enforcing mode. This is useful when creating a new policy or debugging unexpected denials with an existing policy.

Enforcing – The SELinux security policy is enforced

Permissive- The SElinux security policy is not enforced but SELinux still prints warnings for debugging and troubleshooting purposes

SELinuxの設定方法および使用方法の詳細については、次のリンク先をご覧ください。

NI Reference Policy

SELinuxコミュニティ

登録商標Linux®は、全世界における商標保持者Linus Torvalds氏から排他的ライセンスを受けているLMI（Linux Mark Institute）からの許諾により使用しています。ペンギンの画像の使用および修正はLarry Ewing and The GIMPにより許可されます。