Introduction to Linux Hardening
I’ve seen many Linux systems compromised due to lack of proper hardening. To prevent this, you can use a combination of Mandatory Access Control (MAC) and namespace isolation. These two security features can help prevent unauthorized access to sensitive data and system resources. In this article, we’ll explore how to implement MAC and namespace isolation on a Linux desktop.
Mandatory Access Control
Mandatory Access Control is a security feature that enforces a set of rules defining what actions a user or process can perform on a system, independently of the file permissions the owner chooses. One popular MAC system for Linux is SELinux (Security-Enhanced Linux), which was integrated into the Linux kernel in 2003. SELinux provides a robust security framework that confines each process to the resources its policy allows, which limits the damage from attacks such as buffer overflows and privilege escalation even when the process itself is compromised. Don’t bother with other MAC systems unless you have a specific reason to - SELinux is well-maintained and widely supported.
To enable SELinux on a Linux system, you install the SELinux packages and configure the SELinux policy. For example, on a Debian-based system, install the base tools, the default policy and auditd (which records the denials you will need when tuning the policy), then activate SELinux and reboot so the filesystem is relabelled:
sudo apt-get install selinux-basics selinux-policy-default auditd
sudo selinux-activate
After the reboot, getenforce should report Enforcing.
Once SELinux is installed, you can manage file labels and policy booleans with the semanage command. The real trick is to get the policy right - it’s easy to lock down your system too tightly and prevent legitimate access. For example, to label the web root so the httpd domain may serve it, record a file-context rule and then apply it:
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
sudo restorecon -Rv /var/www/html
The semanage command stores a rule mapping /var/www/html and everything beneath it (the pattern is a regular expression) to httpd_sys_content_t, the type the httpd process may read. semanage only records the rule, so restorecon is what relabels the existing files; content the server must write to needs httpd_sys_rw_content_t instead.
Namespace Isolation
Namespace isolation is a feature that allows you to isolate processes and resources from each other. This can help prevent a compromised process from accessing sensitive data or system resources. One popular tool for namespace isolation is unshare, which allows you to create a new namespace for a process. I usually start with unshare to create a new namespace, and then use SELinux to restrict access to sensitive data and system resources.
To use unshare, you can use the following command:
sudo unshare -n -p -f --mount-proc=/proc /bin/bash
This command starts a bash shell in new namespaces, isolating it from the rest of the system. The -n option creates a new network namespace, the -p option creates a new PID namespace, -f forks so the shell becomes PID 1 of that PID namespace, and --mount-proc mounts a fresh /proc (creating a new mount namespace as well) so the shell sees only its own processes. In practice, you’ll want to use unshare to create a new namespace for each process that needs to be isolated.
Combining MAC and Namespace Isolation
To combine MAC and namespace isolation, you can use SELinux to enforce a policy that restricts access to sensitive data and system resources, and then use unshare to isolate processes and resources from each other. This is where people usually get burned - they either use MAC or namespace isolation, but not both. By using both, you can create a robust security framework that prevents unauthorized access to sensitive data and system resources.
To learn more about SELinux and namespace isolation, you can visit the SELinux project page or the Linux kernel documentation for more information.
Practical Example
Here is an example of how to use SELinux and unshare to harden a Linux desktop:
# 1. Enable SELinux and label the web root on the host, before any isolation
#    (apt needs network access, which a new network namespace does not have)
sudo apt-get install selinux-basics selinux-policy-default auditd
sudo selinux-activate        # then reboot so the filesystem is relabelled
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
sudo restorecon -Rv /var/www/html
# 2. Start the web server as PID 1 of new PID, mount and network namespaces
#    (it only has a loopback interface there; add a veth or drop -n to reach it)
sudo unshare -n -p -f --mount-proc httpd -D FOREGROUND
This example first enables SELinux and labels the web root on the host, and only then uses unshare to start the web server process inside its own namespaces, where it runs confined by the httpd policy and cut off from the host's process table, mounts and network.
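The same procedure as a script, added here as an example rather than taken from the article: it builds the semanage pattern, picks the right httpd type, applies and verifies the label, and confirms that the isolated process really sits in a different PID namespace. It assumes root, SELinux in enforcing mode with the httpd policy types, util-linux unshare, and a web root of /var/www/html (all assumptions).

```shell
#!/bin/sh
# Added example, not from the original article. Assumes root, SELinux enforcing
# with the httpd policy types, util-linux unshare, and a web root of /var/www/html.
# semanage stores a regular expression, so a directory must become "dir(/.*)?"
# with the common regex metacharacters in the path escaped.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$(printf '%s' "${1%/}" | sed 's/[.*^$?+()|]/\\&/g')"
}

# Read-only content gets httpd_sys_content_t; directories the server must write
# to (uploads, caches) need httpd_sys_rw_content_t instead.
content_type() {
    case "$1" in
        ro) echo httpd_sys_content_t ;;
        rw) echo httpd_sys_rw_content_t ;;
        *)  echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Does a context string (as printed by `ls -dZ`) carry the expected type?
has_type() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = "$2" ]
}

# semanage only records the rule; restorecon applies it to the existing files.
label_webroot() {
    semanage fcontext -a -t "$(content_type "${2:-ro}")" "$(fcontext_pattern "$1")" &&
    restorecon -Rv "$1"
}

# New PID, mount and network namespaces: --mount-proc implies a mount namespace,
# -f forks so the command becomes PID 1 of the new PID namespace. The network
# namespace holds only a down loopback, so add a veth or drop -n to reach the server.
isolated() {
    unshare -n -p -f --mount-proc "$@"
}

# Verify isolation: the child's PID-namespace inode must differ from ours.
ns_differs() {
    child=$(isolated readlink /proc/self/ns/pid) || return 1
    [ "$child" != "$(readlink /proc/self/ns/pid)" ]
}

main() {
    label_webroot /var/www/html ro &&
    has_type "$(ls -dZ /var/www/html | cut -d' ' -f1)" httpd_sys_content_t &&
    ns_differs &&
    isolated httpd -D FOREGROUND
}
if [ "${1-}" = --apply ]; then main; fi   # only touch the system when asked
```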
Troubleshooting
When using SELinux and unshare, you may encounter some issues. For example, if you get a permission denied error when accessing a file or directory, use the seaudit command (or ausearch -m avc from the audit tools) to view the SELinux audit log and find the denial and the labels involved. To check the namespace setup, use lsns, or compare ls -l /proc/<pid>/ns for the isolated process with the same listing for its parent, and confirm the namespace inodes differ. I’ve seen this go wrong when the namespace configuration is incorrect - make sure to double-check your configuration before troubleshooting.
For more information on troubleshooting SELinux and unshare, you can visit the SELinux troubleshooting page or the Linux kernel documentation for more information.
See also
- Hardening SSH with Linux Kernel's Built-in Features and a Few Surprising sysctl Tweaks
- Hardening Your Linux Desktop with Mandatory Access Control and a Little Bit of Common Sense
- Using Mandatory Access Control to Lock Down Your Linux Desktop with AppArmor
- Hardening Your Linux Laptops for Coffee Shop Combat: Firewall Rules and Network Profiles for the Paranoid Traveler
- Using seccomp to Lock Down Container Privileges in Linux