the selinux notebook the foundations 3rd edition
8/17/2019 The SELinux Notebook the Foundations 3rd Edition
1/364
The SELinux Notebook - The Foundations
The SELinux Notebook - The Foundations (3rd Edition)
Page 1
0. Notebook Information
0.1 Copyright Information
Copyright © 2012 Richard Haines. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
The scripts and source code in this Notebook are covered by the GNU General Public License. The scripts and code are free source: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.
These are distributed in the hope that they will be useful in researching SELinux, but WITHOUT ANY WARRANTY; without even the implied warranty of
Term - Definition
AVC - Access Vector Cache
BLP - Bell-LaPadula
CC - Common Criteria
CIL - Common Intermediate Language
CMW - Compartmented
1. The SELinux Notebook
1.1 Introduction
This Notebook should help with explaining:
a) SELinux and its purpose in life.
b) The GNU / Linux SELinux architecture, its supporting services and how they are implemented within GNU / Linux.
c) SELinux Networking, Virtual
2. SELinux Overview
2.1 Introduction
SELinux is the primary
3. SELinux can confine an application within its own "domain" and allow it to have the minimum privileges required to do its job. Should the application require access to networks or other applications (or their data), then (as part of the security policy design), this access would need to be granted (so at least it is known what interactions are allowed and what are not - a good security goal).
4. Should an application "do something" it is not allowed by policy (intentional or otherwise), then SELinux would stop these actions.
5. Should an application "do something" it is allowed by policy, then SELinux may contain any damage that may be done, intentional or otherwise. For example, if an application is allowed to delete all of its data files or database entries, and a bug, virus or malicious user gains these privileges, then it would be able to do the same; however, the good news is that if the policy "confined" the application and data, all your other data should still be there.
6. User login sessions can be confined to their own domains. This allows clients they run to be given only the privileges they need (e.g. admin users, sales staff users, HR staff users etc.). This again will confine/limit any damage or leakage of data.
7. Some applications (X-Windows for example) are difficult to confine as they are generally designed to have total access to all resources. SELinux can generally overcome these issues by providing sandboxing services.
8. SELinux will not stop memory leaks or buffer overruns (because it is not designed to do this), however it may contain the damage that may be done.
9. SELinux will not stop all viruses/malware getting into the system (as there are many ways they could be introduced, including by legitimate users), however it should limit the damage or leaks they cause.
10. SELinux will not stop kernel vulnerabilities, however it may limit their effects.
11. It is very easy to add new rules to an SELinux policy using tools such as audit2allow(1) if a user has the relevant permissions, however be aware that this may start opening holes, so check what rules are really required.
12. Finally, SELinux cannot stop anything allowed by the security policy, so good design is important.
The following may be useful in providing a practical view of SELinux:
1. A discussion regarding Apache servers and SELinux that may look negative at first but highlights the containment points above. This is the initial study: http://blog.ptsecurity.com/2012/08/selinux-in-practice-dvwa-test.html, and this is a response to the study: http://danwalsh.livejournal.com/56760.html. However, with careful design and known security goals the SELinux "Apache / SELinux Plus" services could be used to build a more secure web service (also see http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus).
2. SELinux services have been added to Android, producing SEAndroid. The presentation "The Case for Security Enhanced (SE) Android" gives use cases
and types of Android exploits that SELinux could have overcome. The presentation is available at: https://events.linuxfoundation.org/images/stories/pdf/lf_abs12_smalley.pdf
2.2 Core SELinux Components
Figure 2.1 shows a high level diagram of the SELinux core components that manage enforcement of the policy and comprise of the following:
1. A subject that must be present to cause an action to be taken by an object (such as read a file, as information only flows when a subject is involved).
2. An Object
Figure 2.2 shows a more complex diagram of kernel and userspace with a number of supporting services that are used to manage the SELinux environment. This diagram will be referenced a number of times to explain areas of SELinux, therefore starting from the bottom:
a) In the current implementation of SELinux the security server is embedded in the kernel with the policy being loaded from userspace via a series of functions contained in the libselinux library (see SELinux Userspace Libraries for details).
The object managers (O
Figure 2.2: High Level SELinux Architecture
this Notebook, however it is not recommended for real-world policy development.
ii) Using the Reference Policy that uses high level macros to define policy rules. This is the standard way policies are now built for SELinux distributions such as Red Hat and Debian and is discussed in the Reference Policy section.
e) To be able to compile and link the source code then load it into the security server requires a number of tools (top of Figure 2.2). These are used to build the sample policy modules where their use is described.
f) To enable system administrators to manage the policy, the SELinux environment and label file systems requires tools and modified GNU / Linux commands. These are mentioned throughout the Notebook as needed and summarised in the SELinux Commands appendix. Note that there are many other applications to manage policy, however this Notebook only concentrates on the core services.
g) To ensure security events are logged, GNU / Linux has an audit service that captures policy violations. The Auditing SELinux Events section describes the format of these security events.
h) SEL inux supports network services that are described in the SELinux Networking Support section.
The Linux Security
The SELinux user name is the first component of a "security context" and by convention SELinux user names end in "_u", however this is not enforced by any SELinux service (i.e. it is only to identify the user component).
2.5 Role-Based Access Control (RBAC)
To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in Figure 2.4.
The SELinux role name is the second component of a "security context" and by convention SELinux roles end in "_r", however this is not enforced by any SELinux service (i.e. it is only used to identify the role component).
Figure 2.4: Role Based Access Control
it comes down to understanding how they are allocated in the policy itself and how they are used by SELinux services.
Basically, if the type identifier is used to reference a subject it is referring to a Linux process or collection of processes (a domain or domain type). If the type identifier is used to reference an object then it is specifying its object type (i.e. file type).
While SELinux refers to a subject as being an active process that is associated to a domain type, the scope of an SELinux type enforcement domain can vary widely. For example, in the simple policy built in the basic-selinux-policy directory of the source tarball, all the processes on the system run in the unconfined_t domain, therefore every process is 'of type unconfined_t' (that means it can do whatever it likes within the limits of the standard Linux DAC policy).
It is only when additional policy statements are added to the simple policy that areas start to be confined. For example, an external gateway is run in its own isolated domain (ext_gateway_t) that cannot be 'interfered' with by any of the unconfined_t processes (except to run or transition the gateway process into its own domain). This scenario is similar to the 'targeted' policy delivered as standard in Red Hat Fedora where the majority of user space processes run under the unconfined_t domain (although don't think the simple policies implemented in the source tarball are equivalent to the Reference Policy; they are not, so do not use them as live implementations).
The SELinux type is the third component of a "security context" and by convention SELinux types end in "_t", however this is not enforced by any SELinux service (i.e. it is only used to identify the type component).
2.6.1 Constraints
Within a TE environment, the way that subjects are allowed to access an object is via an allow rule, for example:
allow unconfined_t ext_gateway_t : process transition;
This states that a process running in the unconfined_t domain has permission to transition a process to the ext_gateway_t domain. However, it could be that the policy writer wants to constrain this further and state that this can only happen if the role of the source domain is the same as the role of the target domain. To achieve this a constraint can be imposed using a constrain statement:
constrain process transition ( r1 == r2 );
This states that a process transition can only occur if the source role is the same as the target role, therefore a constraint is a condition that must be satisfied in order for one or more permissions to be granted (i.e. a constraint imposes additional restrictions on TE rules).
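The allow rule and constrain statement above put together into a single access decision, as an added example (not the Notebook's code, nor libselinux or checkpolicy): the small constraint-expression parser, and the role names unconfined_r and message_filter_r used when running it, are constructed for illustration.

```python
"""Added model of how a TE allow rule and a constrain statement (section 2.6.1)
combine into one access decision. Not code from the Notebook or from
libselinux/checkpolicy: it parses only 'allow src tgt : class perm;' and
'constrain class perm ( expr );', where expr uses u1/r1/t1 (source context),
u2/r2/t2 (target context), == and !=, and/or/not and parentheses."""
import re
from typing import Callable, Dict, List, NamedTuple, Set, Tuple

Context = Dict[str, str]                        # {"u": user, "r": role, "t": type}
Predicate = Callable[[Context, Context], bool]  # (source, target) -> does it hold?


def split_context(con: str) -> Context:
    """'user:role:type[:range]' -> components (the range plays no part here)."""
    parts = con.split(":")
    if len(parts) < 3:
        raise ValueError(f"invalid security context: {con!r}")
    return {"u": parts[0], "r": parts[1], "t": parts[2]}


_TOKEN = re.compile(r"\(|\)|==|!=|and|or|not|[urt][12]")


def compile_constraint(expr: str) -> Predicate:
    """Build a predicate from a constraint expression such as '( r1 == r2 )'."""
    toks = _TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):   # every character must be a known token
        raise ValueError(f"unsupported token in constraint: {expr!r}")

    def peek():
        return toks[0] if toks else None

    def parse_or():   # expr := term ('or' term)*
        node = parse_and()
        while peek() == "or":
            toks.pop(0)
            node = (lambda l, r: lambda s, t: l(s, t) or r(s, t))(node, parse_and())
        return node

    def parse_and():  # term := factor ('and' factor)*
        node = parse_not()
        while peek() == "and":
            toks.pop(0)
            node = (lambda l, r: lambda s, t: l(s, t) and r(s, t))(node, parse_not())
        return node

    def parse_not():  # factor := 'not' factor | '(' expr ')' | X1 op Y2
        if peek() == "not":
            toks.pop(0)
            inner = parse_not()
            return lambda s, t: not inner(s, t)
        if peek() == "(":
            toks.pop(0)
            node = parse_or()
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in constraint")
            return node
        if len(toks) < 3 or toks[1] not in ("==", "!=") or toks[0][0] not in "urt" or toks[2][0] not in "urt":
            raise ValueError(f"expected 'X1 ==|!= Y2' near {' '.join(toks[:3])!r}")
        left, op, right = toks.pop(0), toks.pop(0), toks.pop(0)

        def val(tok, s, t):  # an operand ending in 1 reads the source context, 2 the target
            return (s if tok[1] == "1" else t)[tok[0]]
        # the comparison holds when equality agrees with the operator ('==' wants equal)
        return lambda s, t: (val(left, s, t) == val(right, s, t)) == (op == "==")

    node = parse_or()
    if toks:
        raise ValueError("trailing tokens in constraint")
    return node


class Policy(NamedTuple):
    allows: Set[Tuple[str, str, str, str]]         # (source_type, target_type, class, perm)
    constraints: List[Tuple[str, str, Predicate]]  # (class, perm, predicate)


_ALLOW = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+|\{[^}]*\})\s*;")
_CONSTRAIN = re.compile(r"constrain\s+(\w+)\s+(\w+|\{[^}]*\})\s+(\(.*?\))\s*;")


def load_policy(text: str) -> Policy:
    """Collect allow and constrain statements; '{ a b }' permission sets are expanded."""
    policy = Policy(set(), [])
    for src, tgt, tclass, perms in _ALLOW.findall(text):
        policy.allows.update((src, tgt, tclass, p) for p in perms.strip("{} ").split())
    for tclass, perms, expr in _CONSTRAIN.findall(text):
        pred = compile_constraint(expr)
        policy.constraints.extend((tclass, p, pred) for p in perms.strip("{} ").split())
    return policy


def check_access(policy: Policy, scon: str, tcon: str, tclass: str, perm: str) -> Tuple[bool, str]:
    """Grant only if an allow rule matches AND every constraint on that class/perm holds."""
    s, t = split_context(scon), split_context(tcon)
    if (s["t"], t["t"], tclass, perm) not in policy.allows:
        return False, "denied: no allow rule"
    for c_class, c_perm, pred in policy.constraints:
        if (c_class, c_perm) == (tclass, perm) and not pred(s, t):
            return False, "denied: constraint not satisfied"
    return True, "allowed"


# Constructed sample policy: the two statements quoted in the text.
SAMPLE_POLICY = """
allow unconfined_t ext_gateway_t : process transition;
constrain process transition ( r1 == r2 );
"""
```

A constraint can only take away what an allow rule granted; with no allow rule the constraint is never consulted.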
There are a number of different constraint statements within the policy language to support areas such as
2.7 Security Context
SELinux requires a security context to be associated with every process (or subject) and object that are used by the security server to decide whether access is allowed or not as defined by the policy.
The security context is also known as a 'security label' or just label, which can cause confusion as there are many types of label depending on the context (another context!!).
Within SELinux, a security context is represented as variable-length strings that define the SELinux user [3], their role, a type identifier and an optional
Therefore for an object the role, type and level/range are the only relevant security fields that are used in access decisions.
Examples of using system_u and object_r can be seen in the file system after relabeling and running the ls -Z command on various directories.
The Computing Security Contexts section describes how SELinux computes the security context components based on a source context, target context and an object class.
The examples below show security contexts for processes, directories and files (note that the policy did not support
# (see the process example above). The role remained as object_r.
2.8 Subjects
A subject is an active entity generally in the form of a person, process, or device that causes information to flow among objects or changes the system state.
Within SELinux a subject is generally an active process and has a security context associated with it, however a process can also be referred to as an object depending on the context in which it is being taken, for example:
1. A running process (i.e. an active entity) is a subject because it causes information to flow among objects or can change the system state.
2. The process can also be referred to as an object because each process has an associated object class [4] called 'process'. This process 'object' defines what permissions the policy is allowed to grant or deny on the active process.
An example is given of the above scenarios in the Allowing a Process Access to an Object section.
In SELinux subjects can be:
Trusted - Generally these are commands, applications etc. that have been written or modified to support specific SELinux functionality to enforce the security policy (e.g. the kernel, init, pam, inetd and login). However, it can also cover any application that the organisation is willing to trust as a part of the overall system. Although (depending on your paranoia level), the best policy is to trust nothing until it has been verified that it conforms to the security policy. Generally these trusted applications would run in either their own domain (e.g. the audit daemon could run under auditd_t) or grouped together (e.g. the semanage(8) and semodule(8) commands could be grouped under semanage_t).
Untrusted - Everything else.
2.9 Objects
Within SELinux an object is a resource such as files, sockets, pipes or network interfaces that are accessed via processes (also known as subjects). These objects are classified according to the resource they provide with access permissions relevant to their purpose (e.g. read, receive and write), and assigned a security context as described in the following sections.
2.9.1 Object Classes and Permissions
Each object consists of a class identifier that defines its purpose (e.g. file, socket) along with a set of permissions [5] that describe what services the object can handle (read, write, send etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket my_connection) and a security
[4] The object class and its associated permissions are explained in the Process Object Class section.
[5] Also known in SELinux as Access Vectors (AV).
context (e.g. system_u:object_r:selinux_config_t) as shown in Figure 2.5.
Figure 2.5: Object
allow Rule    source_domain    target_type : class       permission
-----------   ---------------  ------------------------  ------------
allow         unconfined_t     ext_gateway_t : process   transition;

Where:
allow          The SELinux language allow rule.
unconfined_t   The source domain (or subject) identifier - in this case the shell that wants to exec the gateway application.
ext_gateway_t  The target object identifier - the object instance of the gateway application process.
process        The target object class - the 'process' object class.
transition     The permission granted to the source domain on the target's object - in this case the unconfined_t domain has transition permission on the ext_gateway_t 'process' object.

Figure 2.6: The allow rule - Showing that the subject (the processes running in the unconfined_t domain) has been given the transition permission on the ext_gateway_t 'process' object.
It should be noted that there is more to a domain transition than described above; for a more detailed explanation, see the Domain Transition section.
2.9.3 Labeling Objects
Within a running SELinux enabled GNU / Linux system the labeling of objects is managed by the system and generally unseen by the users (until labeling goes wrong!!). As processes and objects are created and destroyed, they either:
1. Inherit their labels from the parent process or object.
2. The policy type, role and range transition statements allow a different label to be assigned as discussed in the Domain and Object Transitions section.
3. SELinux-aware applications can enforce a new label (with the policy's approval of course) using the libselinux API functions.
4. An object manager (O
# system_u:object_r:admin_home_t:s0
2.9.3.1.1 Copying and Moving Files
Assuming that the correct permissions have been granted by the policy, the effects on the security context of a file when copied or moved differ as follows:
• copy a file - takes on the label of the new directory unless the -Z option is used.
• move a file - retains the label of the file.
However, if the restorecond daemon is running and the restorecond.conf file is correctly configured, then other security contexts can be associated to the file as it is moved or copied (provided it is a valid context and specified in the file_contexts file).
The examples below show the effects of copying and moving files:

# These are the test files in the /root directory and their current security
# context:
#
-rw-r--r-- root root unconfined_u:object_r:unconfined_t copied-file
-rw-r--r-- root root unconfined_u:object_r:unconfined_t moved-file

# These are the commands used to copy / move the files:
#
# Standard copy file:
cp copied-file /usr/message_queue/in_queue

# Copy using -Z to set the file's context:
cp -Z unconfined_u:object_r:unconfined_t copied-file \
      /usr/message_queue/in_queue/copied-file-with-Z

# Standard move file:
mv moved-file /usr/message_queue/in_queue

# The target directory (/usr/message_queue/in_queue) is labeled 'in_queue_t'.
# The results of 'ls -Z' on the target directory are:
#
-rw-r--r-- root root unconfined_u:object_r:in_queue_t copied-file
-rw-r--r-- root root unconfined_u:object_r:unconfined_t copied-file-with-Z
-rw-r--r-- root root unconfined_u:object_r:unconfined_t moved-file

However, if the restorecond daemon is running:

# If the restorecond daemon is running with a restorecond.conf file entry of:
#
/usr/message_queue/in_queue/*
# AND the file_context file has an entry of:
#
/usr/message_queue/in_queue(/.*)? -- system_u:object_r:in_file_t
# Then all the entries would be set as follows when the daemon detects the files'
# creation:
#
-rw-r--r-- root root unconfined_u:object_r:in_file_t copied-file
-rw-r--r-- root root unconfined_u:object_r:in_file_t copied-file-with-Z
-rw-r--r-- root root unconfined_u:object_r:in_file_t moved-file
# This is because the restorecond process will set the contexts defined in
# the file_contexts file to the context specified as it is created in the
# new directory.
This is because the restorecond process will set the contexts defined in the file_contexts file to the context specified as it is created in the new directory.
2.9.3.2 Labeling Subjects
On a running GNU / Linux system, processes inherit the security context of the parent process. If the new process being spawned has permission to change its context, then a 'type transition' is allowed that is discussed in the Domain Transition section.
The Initial Boot Loading the Policy section discusses how GNU / Linux is initialised and the processes labeled for the login process.
The policy language supports a number of statements to either assign label components or labels to processes such as:
user, role and type statements.
and manage their scope:
role allow and constrain
and manage their transition:
type_transition, role_transition and range_transition
2.9.4 Object Reuse
As GNU / Linux runs, it creates instances of objects and manages the information they contain (read, write, modify etc.) under the control of processes, and at some stage these objects may be deleted or released allowing the resource (such as memory blocks and disk space) to be available for reuse.
GNU / Linux handles object reuse by ensuring that when a resource is reallocated, it is cleared. This means that when a process releases an object instance (e.g. release allocated memory back to the pool, delete a directory entry or file), there may be information left behind that could prove useful if harvested. If this should be an issue, then the process itself should clear or shred the information before releasing the object (which can be difficult in some cases unless the source code is available).
2.10 Computing Security Contexts
SELinux uses a number of policy language statements and libselinux functions to compute a security context via the kernel security server.
When security contexts are computed, the different kernel, userspace tools and policy versions can influence the outcome. This is because patches have been applied over the years that give greater flexibility in computing contexts. For example a 2.6.39 kernel with SELinux userspace services supporting policy version 26 can influence the computed role.
The security context is computed for an object using the following components: a source context, a target context and an object class.
The libselinux userspace functions used to compute a security context are:
avc_compute_create(3) and security_compute_create(3)
avc_compute_member(3) and security_compute_member(3)
security_compute_relabel(3)
Note that the kernel has equivalent functions in the security server, however they are not covered here.
The policy language statements that influence a computed security context are: type_transition, role_transition, range_transition, type_member and type_change, and also their corresponding CIL language statements: typetransition / filetransition, roletransition, rangetransition, typemember and typechange. There are also the default_user, default_role, default_type and default_range statements that will be available in later releases.
The sections that follow explain how security contexts are computed when using the libselinux functions and the policy statements that influence the outcome (note that the equivalent kernel services behave exactly the same).
2.10.1 avc_compute_create and security_compute_create
The table below [8] shows how the components from the source context scon, target context tcon and class tclass are used to compute the new context newcon (referenced by IDs for avc_compute_create(3)). The following notes also apply:
a) Any valid policy role_transition, type_transition and range_transition enforcement rules will influence the final outcome as shown.
b) For kernels less than 2.6.39 the context generated will depend on whether the class is process or any other class.
c) For kernels 2.6.39 and above the following also applies:
i. Those classes suffixed by socket will also be included in the process class outcome.
ii. If there is a valid role_transition rule for tclass, then use that instead of the default object_r. This also requires policy version 26 or greater - see security_policyvers(3).
iii. If the type_transition rule is classed as the "file name transition rule" (i.e. it has an object_name parameter), then provided the object name in the rule matches the last component of the object's name (in this case a file or directory name), use the rule's default_type (note CIL uses the filetransition rule). This also requires policy version 25 or greater.
d) For kernels 3.5 and above with policy version 27 or greater, the default_user, default_role, default_range statements will influence the user, role and range of the computed context for the specified class tclass. With policy version 28 or greater the
[8] The table only contains the kernel version; the text gives the policy version also required.
default_type statement can also influence the type in the computed context.

Each column of the table is read top to bottom; the first rule that applies gives that component of newcon:

user:
  IF kernel >= 3.5 with a default_user tclass source rule then use scon user
  OR IF kernel >= 3.5 with a default_user tclass target rule then use tcon user
  ELSE use scon user

role:
  IF kernel >= 2.6.39, and there is a valid role_transition rule then use the rule's new_role
  OR IF kernel >= 3.5 with default_role tclass source rule then use scon role
  OR IF kernel >= 3.5 with default_role tclass target rule then use tcon role
  OR IF kernel >= 2.6.39 and tclass is process or *socket, then use scon role
  OR IF kernel <= 2.6.38 and tclass is process, then use scon role
  ELSE use object_r

type:
  IF there is a valid type_transition rule then use the rule's default_type
  OR IF kernel >= 3.5 with default_type tclass source rule then use scon type
  OR IF kernel >= 3.5 with default_type tclass target rule then use tcon type
  OR IF kernel >= 2.6.39 and tclass is process or *socket, then use scon type
  OR IF kernel <= 2.6.38 and tclass is process, then use scon type
  ELSE use tcon type

range:
  IF there is a valid range_transition rule then use the rule's new_range
  OR IF kernel >= 3.5 with default_range tclass source low rule then use scon low
  OR IF kernel >= 3.5 with default_range tclass source high rule then use scon high
  OR IF kernel >= 3.5 with default_range tclass source low_high rule then use scon range
  OR IF kernel >= 3.5 with default_range tclass target low rule then use tcon low
  OR IF kernel >= 3.5 with default_range tclass target high rule then use tcon high
  OR IF kernel >= 3.5 with default_range tclass target low_high rule then use tcon range
  OR IF kernel >= 2.6.39 and tclass is process or *socket, then use scon range
  OR IF kernel <= 2.6.38 and tclass is process, then use scon range
  ELSE use scon low
2.10.2 avc_compute_member and security_compute_member
The table below9 shows how the components from the source context, scon, target
context, tcon, and class, tclass, are used to compute the new context newcon
(referenced by SIDs for avc_compute_member(3)). The following notes also apply:
a) Any valid policy type_member enforcement rules will influence the final
outcome as shown.
b) For kernels less than 2.6.39 the context generated will depend on whether the
class is process or any other class.
c) For kernels 2.6.39 and above, those classes suffixed by socket are also included in the process class outcome.
d) For kernels 3.5 and above with policy version 27 or greater, the
default_user, default_role and default_range statements will
influence the user, role and range of the computed context for the
specified class tclass. With policy version 28 or greater the
default_type statement can also influence the type in the computed
context.
9 The table only contains the kernel version, the text gives the policy version also required.
user:
  If kernel >= 3.5 with a default_user tclass source rule then use scon user
  OR
  If kernel >= 3.5 with a default_user tclass target rule then use tcon user
  ELSE
  Use tcon user

role:
  If kernel >= 3.5 with a default_role tclass source rule then use scon role
  OR
  If kernel >= 3.5 with a default_role tclass target rule then use tcon role
  OR
  If kernel >= 2.6.39 and tclass is process or *socket, then use scon role
  OR
  If kernel <= 2.6.38 and tclass is process, then use scon role
  ELSE
  Use object_r

type:
  If there is a valid type_member rule then use the rule's member_type
  OR
  If kernel >= 3.5 with a default_type tclass source rule then use scon type
  OR
  If kernel >= 3.5 with a default_type tclass target rule then use tcon type
  OR
  If kernel >= 2.6.39 and tclass is process or *socket, then use scon type
  OR
  If kernel <= 2.6.38 and tclass is process, then use scon type
  ELSE
  Use tcon type

range:
  If kernel >= 3.5 with a default_range tclass source low rule then use scon low
  OR
  If kernel >= 3.5 with a default_range tclass source high rule then use scon high
  OR
  If kernel >= 3.5 with a default_range tclass source low_high rule then use scon range
  OR
  If kernel >= 3.5 with a default_range tclass target low rule then use tcon low
  OR
  If kernel >= 3.5 with a default_range tclass target high rule then use tcon high
  OR
  If kernel >= 3.5 with a default_range tclass target low_high rule then use tcon range
  OR
  If kernel >= 2.6.39 and tclass is process or *socket, then use scon range
  OR
  If kernel <= 2.6.38 and tclass is process, then use scon range
  ELSE
  Use scon low
2.10.3 security_compute_relabel
The table below10 shows how the components from the source context, scon, target
context, tcon, and class, tclass, are used to compute the new context newcon for
security_compute_relabel(3). The following notes also apply:
a) Any valid policy type_change enforcement rules will influence the final outcome shown in the table.
b) For kernels less than 2.6.39 the context generated will depend on whether the
class is process or any other class.
c) For kernels 2.6.39 and above, those classes suffixed by socket are also included in the process class outcome.
d) For kernels 3.5 and above with policy version 27 or greater, the
default_user, default_role and default_range statements will
influence the user, role and range of the computed context for the
specified class tclass. With policy version 28 or greater the default_type statement can also influence the type in the computed
context.
10 The table only contains the kernel version, the text gives the policy version also required.
user:
  If kernel >= 3.5 with a default_user tclass source rule then use scon user
  OR
  If kernel >= 3.5 with a default_user tclass target rule then use tcon user
  ELSE
  Use scon user

role:
  If kernel >= 3.5 with a default_role tclass source rule then use scon role
  OR
  If kernel >= 3.5 with a default_role tclass target rule then use tcon role
  OR
  If kernel >= 2.6.39 and tclass is process or *socket, then use scon role
  OR
  If kernel <= 2.6.38 and tclass is process, then use scon role
  ELSE
  Use object_r

type:
  If there is a valid type_change rule then use the rule's change_type
  OR
  If kernel >= 3.5 with a default_type tclass source rule then use scon type
  OR
  If kernel >= 3.5 with a default_type tclass target rule then use tcon type
  OR
  If kernel >= 2.6.39 and tclass is process or *socket, then use scon type
  OR
  If kernel <= 2.6.38 and tclass is process, then use scon type
  ELSE
  Use tcon type

range:
  If kernel >= 3.5 with a default_range tclass source low rule then use scon low
  OR
  If kernel >= 3.5 with a default_range tclass source high rule then use scon high
  OR
  If kernel >= 3.5 with a default_range tclass source low_high rule then use scon range
  OR
  If kernel >= 3.5 with a default_range tclass target low rule then use tcon low
  OR
  If kernel >= 3.5 with a default_range tclass target high rule then use tcon high
  OR
  If kernel >= 3.5 with a default_range tclass target low_high rule then use tcon range
  OR
  If kernel >= 2.6.39 and tclass is process or *socket, then use scon range
  OR
  If kernel <= 2.6.38 and tclass is process, then use scon range
  ELSE
  Use scon low
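The selection order in the three tables above (the create table at the start of this section, then the member and relabel tables), as an added Python model written for this page. It is not kernel or libselinux code: the real implementation is security_compute_sid() in security/selinux/ss/services.c. The policy rules are passed in as plain dicts (an assumption made for the example), the file-name type_transition variant is not modelled, and the GATEWAY_POLICY rules are constructed from the ext_gateway example used later in this chapter.

```python
from dataclasses import dataclass, field


@dataclass
class Context:
    user: str
    role: str
    type: str
    range: str   # "low" or "low-high", e.g. "s0" or "s0-s0:c0.c1023"

    @classmethod
    def parse(cls, text):
        # split on the first three colons only: the range itself contains colons
        return cls(*text.split(":", 3))

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:{self.range}"

    @property
    def low(self):
        return self.range.split("-", 1)[0]

    @property
    def high(self):
        return self.range.split("-", 1)[-1]


@dataclass
class Policy:
    version: int = 28
    # (source type, target type, tclass) -> default / member / change type
    type_transition: dict = field(default_factory=dict)
    type_member: dict = field(default_factory=dict)
    type_change: dict = field(default_factory=dict)
    role_transition: dict = field(default_factory=dict)   # (source role, target type, tclass) -> new role
    range_transition: dict = field(default_factory=dict)  # (source type, target type, tclass) -> new range
    # tclass -> "source" | "target"
    default_user: dict = field(default_factory=dict)
    default_role: dict = field(default_factory=dict)
    default_type: dict = field(default_factory=dict)
    # tclass -> ("source" | "target", "low" | "high" | "low_high")
    default_range: dict = field(default_factory=dict)


def subject_like(tclass, kernel):
    """Classes that take role/type/range from scon: process, and *socket from 2.6.39 on."""
    if kernel >= (2, 6, 39):
        return tclass == "process" or tclass.endswith("socket")
    return tclass == "process"


def compute(op, scon, tcon, tclass, policy, kernel=(3, 5, 0)):
    """op is "create", "member" or "relabel"; returns the new Context."""
    s, t = Context.parse(scon), Context.parse(tcon)
    subj = subject_like(tclass, kernel)
    defaults_ok = kernel >= (3, 5, 0) and policy.version >= 27   # default_user/role/range
    deftype_ok = kernel >= (3, 5, 0) and policy.version >= 28    # default_type
    te_rules = {"create": policy.type_transition, "member": policy.type_member,
                "relabel": policy.type_change}[op]

    def pick(side, from_scon, from_tcon):
        return from_scon if side == "source" else from_tcon

    # user column: default_user, else scon (create, relabel) or tcon (member)
    side = policy.default_user.get(tclass) if defaults_ok else None
    user = pick(side, s.user, t.user) if side else (t.user if op == "member" else s.user)

    # role column: role_transition (create, kernel >= 2.6.39), default_role, scon role, object_r
    role = None
    if op == "create" and kernel >= (2, 6, 39):
        role = policy.role_transition.get((s.role, t.type, tclass))
    if role is None:
        side = policy.default_role.get(tclass) if defaults_ok else None
        role = pick(side, s.role, t.role) if side else (s.role if subj else "object_r")

    # type column: the operation's TE rule, default_type, scon type for subjects, tcon type
    type_ = te_rules.get((s.type, t.type, tclass))
    if type_ is None:
        side = policy.default_type.get(tclass) if deftype_ok else None
        type_ = pick(side, s.type, t.type) if side else (s.type if subj else t.type)

    # range column: range_transition (create only), default_range, scon range, scon low
    range_ = policy.range_transition.get((s.type, t.type, tclass)) if op == "create" else None
    if range_ is None:
        spec = policy.default_range.get(tclass) if defaults_ok else None
        if spec:
            side, part = spec
            ctx = pick(side, s, t)
            range_ = {"low": ctx.low, "high": ctx.high, "low_high": ctx.range}[part]
        else:
            range_ = s.range if subj else s.low

    return Context(user, role, type_, range_)


# Constructed rules modelled on the ext_gateway example used later in this chapter.
GATEWAY_POLICY = Policy(
    version=28,
    type_transition={("unconfined_t", "secure_services_exec_t", "process"): "ext_gateway_t",
                     ("ext_gateway_t", "in_queue_t", "file"): "in_file_t"},
    role_transition={("unconfined_r", "secure_services_exec_t", "process"): "message_filter_r"},
)
```

Running compute("create", ..., "process", GATEWAY_POLICY) for an unconfined_t process executing a secure_services_exec_t file yields unconfined_u:message_filter_r:ext_gateway_t with the source range carried over, and a file created by that domain in an in_queue_t directory gets unconfined_u:object_r:in_file_t:s0 (range collapsed to scon low), which is what the later ls -Z listing shows. The same inputs with kernel=(2, 6, 38) and a tcp_socket class show the pre-2.6.39 behaviour, where sockets fall through to object_r and the target type.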
2.11 Domain and Object Transitions
This section discusses the type_transition statement that is used to:
1. Transition a process from one domain to another (a domain transition).
2. Transition an object from one type to another (an object transition).
These transitions can also be achieved using the libselinux API functions for
SELinux-aware applications.
2.11.1 Domain Transition
A domain transition is where a process in one domain starts a new process in another
domain under a different security context. There are two ways a process can define a
domain transition:
1. Using a type_transition statement, where the exec system call will
automatically perform a domain transition for programs that are not
themselves SELinux-aware. This is the most common method and would be in
the form of the following statement:
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
2. SELinux-aware applications can specify the domain of the new process using
the libselinux API call setexeccon(3). To achieve this the SELinux-aware application must also have the setexec permission, for example:
allow crond_t self : process setexec;
However, before any domain transition can take place the policy must specify that:
1. The source domain has permission to transition into the target domain.
2. The application binary file needs to be executable in the source domain.
3. The application binary file needs an entry point into the target domain.
The following is a type_transition statement taken from the example loadable
module message filter ext_gateway.conf (described in the source tarball) that
will be used to explain the transition process11:
type_transition source_domain target_type : class target_domain;
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
This type_transition statement states that when a process running in the
unconfined_t domain (the source domain) executes a file labeled secure_services_exec_t, the process should be changed to ext_gateway_t (the target
domain) if allowed by the policy (i.e. transition from the unconfined_t domain to the
ext_gateway_t domain).
However, as stated above to be able to transition to the ext_gateway_t domain, the
following minimum permissions must be granted in the policy using allow rules,
where (note that the bullet numbers correspond to the numbers shown in Figure 2.7):
1. The domain needs permission to transition into the ext_gateway_t (target)
domain:
allow unconfined_t ext_gateway_t : process transition;
2. The executable file needs to be executable in the unconfined_t (source)
domain, and therefore also requires that the file is readable:
allow unconfined_t secure_services_exec_t : file { execute read getattr };
3. The executable file needs an entry point into the ext_gateway_t (target)
domain:
allow ext_gateway_t secure_services_exec_t : file entrypoint;
11 For reference, the external gateway uses a server application called secure_server that is transitioned to the ext_gateway_t domain from the unconfined_t domain. The
secure_server executable is labeled secure_services_exec_t.
These are shown in Figure 2.7 where unconfined_t forks a child process, that
then exec's the new program into a new domain called ext_gateway_t. Note that
because the type_transition statement is being used, the transition is
automatically carried out by the SELinux enabled kernel.
Figure 2.7: Domain Transition - Where the secure_server is executed within the
unconfined_t domain and then transitioned to the ext_gateway_t domain.
2.11.1.1 Type Enforcement Rules
When building the ext_gateway.conf and int_gateway.conf modules the
intention was to have both of these transition to their respective domains via
type_transition statements. The ext_gateway_t statement would be:
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
and the int_gateway_t statement would be:
type_transition unconfined_t secure_services_exec_t : process int_gateway_t;
However, when linking these two loadable modules into the policy, the following
error was given:
semodule -v -s modular-test -i int_gateway.pp -i ext_gateway.pp
Attempting to install module 'int_gateway.pp':
Ok: return value of 0.
Attempting to install module 'ext_gateway.pp':
Ok: return value of 0.
Committing changes:
libsepol.expand_terule_helper: conflicting TE rule for (unconfined_t,
secure_services_exec_t:process): old was ext_gateway_t, new is int_gateway_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
This happened because the type enforcement rules will only allow a single 'default'
type for a given source and target (see the Type Enforcement Rules section). In the
above case there were two type_transition statements with the same source
and target, but different default domains. The ext_gateway.conf module had the
following statements:
# Allow the client/server to transition for the gateways:
allow unconfined_t ext_gateway_t : process { transition };
allow unconfined_t secure_services_exec_t : file { read execute getattr };
allow ext_gateway_t secure_services_exec_t : file { entrypoint };
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
And the int_gateway.conf module had the following statements:
# Allow the client/server to transition for the gateways:
allow unconfined_t int_gateway_t : process { transition };
allow unconfined_t secure_services_exec_t : file { read execute getattr };
allow int_gateway_t secure_services_exec_t : file { entrypoint };
type_transition unconfined_t secure_services_exec_t : process int_gateway_t;
While the allow rules are valid to enable the transitions to proceed, the two
type_transition statements had different 'default' types (or target domains), which breaks the type enforcement rule.
It was decided to resolve this by:
1. Keeping the type_transition rule for the 'default' type of
ext_gateway_t and allowing the secure server process to be exec'ed from
unconfined_t as shown in Figure 2.7, by simply running the command
from the prompt as follows:
# Run the external gateway 'secure server' application on port 9999 and
# let the policy transition the process to the ext_gateway_t domain:
secure_server 9999
2. Using the SELinux runcon(1) command to ensure that the internal gateway
runs in the correct domain by running runcon from the prompt as follows:
# Run the internal gateway 'secure server' application on port 1111 and
# use runcon to transition the process to the int_gateway_t domain:
runcon -t int_gateway_t -r message_filter_r secure_server 1111
# Note - The role is required as a role transition is defined in the
# policy.
The runcon command makes use of a number of libselinux API functions to
check the current context and set up the new context (for example getfilecon(3)
is used to get the executable file's context and setexeccon(3) is used to set the
new process context). If all the contexts are correct, then the execvp() system call
is executed that exec's the secure_server application with the argument of
'1111' into the int_gateway_t domain with the message_filter_r role.
The runcon source can be found in the coreutils package.
Other ways to resolve this issue are:
1. Use the runcon command for both gateways to transition to their respective
domains. The type_transition statements are therefore not required.
2. Use different names for the secure server executable files and ensure they have
a different type (i.e. instead of secure_services_exec_t label the
external gateway ext_gateway_exec_t and the internal gateway
int_gateway_exec_t). This would involve making a copy of the
application binary (which has already been done as part of the module testing
by calling the server 'server' and labeling it unconfined_t and then
making a copy called secure_server and labeling it
secure_services_exec_t).
3. Implement the policy using the Reference Policy utilising the template
interface principles discussed in the template
This type_transition statement states that when a process running in the
ext_gateway_t domain (the source domain) wants to create a file object in the
directory that is labeled in_queue_t, the file should be labeled in_file_t if allowed by
the policy (i.e. label the file in_file_t).
However, as stated above to be able to create the file, the following minimum
permissions need to be granted in the policy using allow rules, where:
1. The source domain needs permission to add file entries into the directory:
allow ext_gateway_t in_queue_t : dir { write search add_name };
2. The source domain needs permission to create file entries:
allow ext_gateway_t in_file_t : file { write create getattr };
3. The policy can then ensure (via the SELinux kernel services) that files created
in the in_queue are labeled:
type_transition ext_gateway_t in_queue_t : file in_file_t;
An example output from a directory listing shows the resulting file labels:
ls -Za /usr/message_queue/in_queue
drwxr-xr-x root root unconfined_u:object_r:in_queue_t .
drwxr-xr-x root root system_u:object_r:unconfined_t ..
-rw-r--r-- root root unconfined_u:object_r:in_file_t Message-1
-rw-r--r-- root root unconfined_u:object_r:in_file_t Message-2
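A checker for the prerequisites described in 2.11.1 (the three rules every domain transition needs) and in the object transition example just shown (the directory and file permissions a file creation needs), plus detection of the duplicate type_transition that produced the semodule error above. This is an added Python example written for this page, not part of the notebook's modules or of libsepol: POLICY_FRAGMENT is constructed from the rules quoted above, the out_queue_t/out_file_t and crond_t cases used in the checks are hypothetical, and the regexes only accept the simple statement forms used in this chapter, not the full policy language.

```python
import re
from collections import defaultdict

# Constructed from the ext_gateway.conf / int_gateway.conf rules quoted above.
POLICY_FRAGMENT = """
# external gateway (ext_gateway.conf)
allow unconfined_t ext_gateway_t : process { transition };
allow unconfined_t secure_services_exec_t : file { read execute getattr };
allow ext_gateway_t secure_services_exec_t : file { entrypoint };
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
# internal gateway (int_gateway.conf): same source/target/class, different default
allow unconfined_t int_gateway_t : process { transition };
allow int_gateway_t secure_services_exec_t : file { entrypoint };
type_transition unconfined_t secure_services_exec_t : process int_gateway_t;
# object transition for files created in the in_queue directory
allow ext_gateway_t in_queue_t : dir { write search add_name };
allow ext_gateway_t in_file_t : file { write create getattr };
type_transition ext_gateway_t in_queue_t : file in_file_t;
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$")
TT_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;$")


def parse(text):
    """Return ({(src, tgt, class): set(perms)}, {(src, tgt, class): [default types]})."""
    allows, transitions = defaultdict(set), defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if (m := ALLOW_RE.match(line)):
            src, tgt, cls = m.group(1), m.group(2), m.group(3)
            tgt = src if tgt == "self" else tgt            # allow foo_t self : ...
            allows[(src, tgt, cls)].update((m.group(4) or m.group(5)).split())
        elif (m := TT_RE.match(line)):
            transitions[(m.group(1), m.group(2), m.group(3))].append(m.group(4))
        else:
            raise ValueError("unsupported statement: " + line)
    return allows, transitions


def missing(allows, needed):
    """needed: [((src, tgt, class), perm)]; returns the allow rules that are absent."""
    return [f"allow {s} {t} : {c} {p};" for (s, t, c), p in needed
            if p not in allows.get((s, t, c), set())]


def check_domain_transition(allows, src, exec_type, dst):
    """The three rules every domain transition needs (section 2.11.1)."""
    return missing(allows, [((src, dst, "process"), "transition"),
                            ((src, exec_type, "file"), "execute"),
                            ((dst, exec_type, "file"), "entrypoint")])


def check_object_transition(allows, src, dir_type, file_type):
    """The directory and file permissions a file creation needs."""
    return missing(allows, [((src, dir_type, "dir"), "search"),
                            ((src, dir_type, "dir"), "write"),
                            ((src, dir_type, "dir"), "add_name"),
                            ((src, file_type, "file"), "create")])


def conflicting_transitions(transitions):
    """Keys with more than one default type: exactly what libsepol rejected above."""
    return {k: v for k, v in transitions.items() if len(set(v)) > 1}
```

With the fragment above, both gateway domains pass check_domain_transition and the in_queue_t/in_file_t pair passes check_object_transition, while conflicting_transitions reports the (unconfined_t, secure_services_exec_t, process) key with both ext_gateway_t and int_gateway_t, the same clash libsepol.expand_terule_helper refused. Running the checker before semodule is a cheap way to catch a missing entrypoint or add_name rule that would otherwise only surface as an AVC denial at run time.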
2.12 Multi-Level Security and Multi-Category Security
As stated in the
Figure 2.8 Se
Using Figure 2.9:
1. To allow write-up, the source level (l1) must be dominated by the target
level (l2):
Source level = s0:c3 or s1:c1
Target level = s2:c1.c4
As can be seen, either of the source levels is dominated by the target level.
2. To allow read-down, the source level (l1) must dominate the target level
(l2):
Source level = s2:c1.c4
Target level = s0:c3
As can be seen, the source level does dominate the target level.
However in the real world the SELinux
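The dominance test behind the write-up and read-down cases above, as an added Python example written for this page (it is not SELinux code; the kernel evaluates these relations in the MLS constraint code of the security server). It parses levels in the s<N>:c<a>.c<b> notation used in the figure and also accepts comma-separated category lists such as s0:c1,c3.c5; the write_up_allowed and read_down_allowed helper names are my own.

```python
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(.*))?$")


def parse_level(text):
    """'s2:c1.c4' -> (2, frozenset({1, 2, 3, 4})); 's0' -> (0, frozenset())."""
    m = LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError("bad level: " + text)
    cats = set()
    for item in filter(None, (m.group(2) or "").split(",")):
        lo, _, hi = item.partition(".")          # "c3" or "c1.c4"
        lo_n, hi_n = int(lo[1:]), int((hi or lo)[1:])
        if hi_n < lo_n:
            raise ValueError("reversed category range: " + item)
        cats.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(cats)


def dominates(a, b):
    """Level a dominates level b: higher-or-equal sensitivity and a superset of categories."""
    sens_a, cats_a = parse_level(a)
    sens_b, cats_b = parse_level(b)
    return sens_a >= sens_b and cats_a >= cats_b


def write_up_allowed(source, target):
    """Case 1 above: the target level must dominate the source level."""
    return dominates(target, source)


def read_down_allowed(source, target):
    """Case 2 above: the source level must dominate the target level."""
    return dominates(source, target)
```

Both directions are needed because dominance is a partial order: s1:c1 and s0:c3 are each dominated by s2:c1.c4, but neither dominates the other, which is exactly the incomparable case the mlsconstrain statements deal with.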
only, Red Hat CAPP and LSPP. Therefore always look at the protection
profiles as they define what was actually evaluated.
2.13 Types of SELinux Policy
This section describes the different types of policy descriptions and versions that can be found within SELinux.
The types of SELinux policy can be described in a number of ways:
1. Source code - These can be described as: Example, Reference Policy or
Custom.
2. The source code descriptions or builds can also be subclassified as:
2.13.3 Policy Functionality Based on Name or Type
Generally a policy is installed with a given name such as targeted, mls,
refpolicy or minimum that attempts to describe its functionality. This name then
becomes the entry in:
1. The directory pointing to the policy location (e.g. if the name is targeted, then the policy will be installed in /etc/selinux/targeted).
2. The SELINUXTYPE entry in the /etc/selinux/config file when it is
the active policy (e.g. if the name is targeted, then a
SELINUXTYPE=targeted entry would be in the
/etc/selinux/config file).
This is how the reference policies distributed with F17 are named, where:
minimum - supports a minimal set of confined daemons within their own
domains. The remainder run in the unconfined_t space. Red Hat pre-
configure
2.13.# Monolithic Policy
A
flag. This is often used to enable or disable features within the policy (i.e. change the
policy enforcement rules).
The boolean flag status is held in the kernel and can be changed using the
setsebool(8) command either persistently across system reboots or temporarily
(i.e. only valid until a reboot). The following example shows a persistent conditional
policy change:
setsebool -P ext_gateway_audit false
The conditional policy language statements are the bool Statement that defines the
boolean flag identifier and its initial status, and the if Statement that allows certain
rules to be executed depending on the state of the boolean value or values.
2.13.4 Binary Policy
The binary policy is the policy file that is loaded into the kernel and is always located
at /etc/selinux/<SELINUXTYPE>/policy/policy.<version>, where
<SELINUXTYPE> is the policy name specified in the SELinux configuration file
/etc/selinux/config and <version> is the SELinux policy version.
The binary policy can be built from source files supplied by the Example Policy, the
Reference Policy or custom built source files as described in the 'Sample
Policy Source' Notebook.
An example /etc/selinux/config file is shown below where the
SELINUXTYPE=targeted entry identifies the policy name that will be used to
locate and load the active policy:
SELINUX=permissive
SELINUXTYPE=targeted
From the above example, the actual binary policy file would be located at
/etc/selinux/targeted/policy and be called policy.26 (as version 26
is supported by F16):
/etc/selinux/targeted/policy/policy.26
2.13.6 Policy Versions
SELinux has a policy database (defined in the libsepol library) that describes the
format of data held within a binary policy, however, if any new features are added to
SELinux (generally language extensions) this can result in a change to the policy
database. Whenever the policy database is updated, the policy version is incremented.
The sestatus(8) command will show the maximum policy version number
supported by the kernel in its output as follows:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        modular-test
The F16 kernel policy version is '26' with Table 3 describing the different versions.
There is also another version that applies to the modular policy, however the main
policy database version is the one that is generally quoted (some SELinux utilities
give both version numbers).
policy db version | modular db version | Description
15 | 4  | The base version when SELinux was merged into the kernel.
16 |    | Added Conditional Policy support (the bool feature).
17 |    | Added support for IPv6.
18 |    | Added Netlink support.
19 | 5  | Added
28 | 16 | Support setting object defaults for the type component when computing a new context. Requires kernel 3.5 minimum.
29 | 16 | Adds an IP address to the SELinux port statement via a SELinux node label. Note that the kernel and userspace versions containing this feature are not yet known.
Table 1 Poli
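Locating the active binary policy from /etc/selinux/config and reading the policy version out of its header, as an added Python example written for this page (not part of the notebook, libsepol or sestatus). The header layout it parses is the one libsepol writes for a kernel policy (a 32-bit magic 0xf97cff8c, a 32-bit length, the string "SE Linux", then policy version, config flags, symbol table count and ocontext count, all little-endian); modular .pp files carry a different magic and are only detected, not parsed. sample_header() constructs header bytes so the parser can run without a real policy file; SAMPLE_CONFIG mirrors the config example above.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C        # kernel binary policy (policy.N)
POLICYDB_MOD_MAGIC = 0xF97CFF8D    # modular policy (.pp files)
POLICYDB_STRING = b"SE Linux"
POLICYDB_CONFIG_MLS = 1            # bit set in the config word of an MLS policy

# Constructed /etc/selinux/config mirroring the example above.
SAMPLE_CONFIG = "SELINUX=permissive\nSELINUXTYPE=targeted\n"


def policy_path(config_text, version):
    """Build /etc/selinux/<SELINUXTYPE>/policy/policy.<version> from the config file text."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return f"/etc/selinux/{settings['SELINUXTYPE']}/policy/policy.{version}"


def header_kind(data):
    """'kernel', 'module' or 'unknown' from the leading magic number."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack_from("<I", data, 0)[0]
    return {POLICYDB_MAGIC: "kernel", POLICYDB_MOD_MAGIC: "module"}.get(magic, "unknown")


def read_policy_header(data):
    """Return (policy version, is_mls) for a kernel binary policy; reject anything else."""
    kind = header_kind(data)
    if kind != "kernel":
        raise ValueError(f"not a kernel binary policy ({kind})")
    _magic, slen = struct.unpack_from("<II", data, 0)
    ident = data[8:8 + slen]
    if ident != POLICYDB_STRING:
        raise ValueError(f"unexpected identifier {ident!r}")
    if len(data) < 8 + slen + 16:
        raise ValueError("truncated header")
    version, config, _sym_num, _ocon_num = struct.unpack_from("<IIII", data, 8 + slen)
    return version, bool(config & POLICYDB_CONFIG_MLS)


def sample_header(version, mls=True):
    """Constructed header bytes (no policy body) in the layout described above."""
    config = POLICYDB_CONFIG_MLS if mls else 0
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING)) + POLICYDB_STRING
            + struct.pack("<IIII", version, config, 8, 9))
```

On a live system read_policy_header(open(policy_path(open("/etc/selinux/config").read(), 26), "rb").read(64)) is enough to confirm that the file named by the config really is a kernel policy of the version sestatus reports; a mismatch between the two is worth investigating before assuming the loaded rules are the ones on disk.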
Keyword  Description
type     For SELinux AVC events this can be:
         type=AVC for kernel events
         type=USER_AVC for userspace object manager events
         Note that once the AVC event has been logged, another event with
         type=SYSCALL may follow that contains further information
         regarding the event.
         The AVC event can always be tied to the relevant SYSCALL event
         as they have the same serial_number in the
         msg=audit(time:serial_number) field as shown in the
         following example:
type=AVC msg=audit(1243332701.744:101): avc: denied { getattr } for pid=2714 comm="ls" path="/usr/lib/locale/locale-archive" dev=dm-0 ino=3
Keyword   Description
fport
path      If a File Socket event then log the path.
saddr     If a Network event then log the Source / Destination addresses and ports with the network interface for IPv4 or IPv6 networks.
src
daddr
dest
netif
sauid     IPSec security association identifiers
hostname
addr
terminal
resid     X-Windows resource ID and type.
restype
scontext  The security context of the source or subject.
tcontext  The security context of the target or object.
tclass    The object class of the target or object.
Table 0 AVC Audit Message Des
type=USER_AVC msg=audit(177
Change boolean value MAC_CONFIG_CHANGE - This event was generated when
setsebool(8) was run to change a boolean. Note that the boolean name plus new
and old values are shown in the MAC_CONFIG_CHANGE type event with the
SYSCALL event showing what process executed the change.
type=MAC_CONFIG_CHANGE msg=audit(133777
type=SELINUX_ERR msg=audit(1311947137.440:17): op=security_bounded_transition result=denied oldcontext=system_u:system_r:httpd_t:s0-s0:c0.c300 newcontext=system_u:system_r:anon_webapp_t:s0-s0:c0,c100,c200
type=SYSCALL msg=audit(1311947137.440:17): arch=c000003e syscall=1 success=no exit=-1 a0=b a1=7f19
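A parser for the record types described above that ties each AVC denial to its SYSCALL record through the shared audit(time:serial) field, as an added Python example written for this page (not audit or setroubleshoot code). The records in SAMPLE_LOG are constructed: their pids, paths, timestamps and contexts are made up, modelled on the AVC, MAC_CONFIG_CHANGE and SELINUX_ERR examples above, and the parser only understands the key=value layout shown there.

```python
import re
from collections import defaultdict

# Constructed records modelled on the examples above (values are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1243332701.744:101): avc:  denied  { getattr } for  pid=2714 comm="ls" path="/usr/lib/locale/locale-archive" dev=dm-0 ino=353593 scontext=unconfined_u:message_filter_r:ext_gateway_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1243332701.744:101): arch=c000003e syscall=4 success=no exit=-13 a0=7f3c a1=7fff pid=2714 auid=0 uid=0 comm="ls" exe="/bin/ls" subj=unconfined_u:message_filter_r:ext_gateway_t:s0 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1336777245.912:58): bool=ext_gateway_audit val=0 old_val=1 auid=0 ses=1
type=SELINUX_ERR msg=audit(1311947137.440:17): op=security_bounded_transition result=denied oldcontext=system_u:system_r:httpd_t:s0-s0:c0.c300 newcontext=system_u:system_r:anon_webapp_t:s0-s0:c0,c100,c200
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict with type, time, serial and every key=value field, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    body = m.group(4)
    a = AVC_RE.match(body)
    if a:                                   # AVC records carry the permission list up front
        rec["decision"], rec["perms"], body = a.group(1), a.group(2).split(), a.group(3)
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def denials(records):
    """AVC denials joined with the SYSCALL record that shares their serial number."""
    by_serial = defaultdict(dict)
    for r in records:
        by_serial[r["serial"]][r["type"]] = r
    out = []
    for serial, group in sorted(by_serial.items()):
        avc = group.get("AVC")
        if not avc or avc.get("decision") != "denied":
            continue
        sc = group.get("SYSCALL", {})            # may be absent if auditd was not running
        out.append({"serial": serial, "perms": avc["perms"], "scontext": avc["scontext"],
                    "tcontext": avc["tcontext"], "tclass": avc["tclass"],
                    "exe": sc.get("exe"), "syscall": sc.get("syscall"), "exit": sc.get("exit")})
    return out


def boolean_changes(records):
    """(boolean, new value, old value) from MAC_CONFIG_CHANGE records, i.e. setsebool runs."""
    return [(r["bool"], r["val"], r["old_val"]) for r in records
            if r["type"] == "MAC_CONFIG_CHANGE"]
```

The serial join is what turns a bare denial into something actionable: the AVC record says which permission on which object class was refused, the SYSCALL record adds the executable, the failing system call and its errno, and the MAC_CONFIG_CHANGE records show whether someone flipped a boolean around the same time.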
To clarify polyinstantiation support:
1. SELinux has libselinux functions and a policy rule to support
polyinstantiation.
2. The polyinstantiation of directories is a function of GNU / Linux not SELinux
(or more correctly, the GNU / Linux services such as PAM have been
modified to support polyinstantiation of directories and have also been made
SELinux-aware. Therefore their services can be controlled via policy).
3. The polyinstantiation of X-windows selections and properties is a function of
the XSELinux Object
2. Entries added to the /etc/security/namespace.conf file that define
the directories to be polyinstantiated by PAM (and other services that may
need to use the namespace service). The entries are explained in the
namespace.conf Configuration File section, with the default entries in
F17 being (note that the entries are commented out in the distribution):
#polydir   instance-prefix          method   list_of_uids
/tmp       /tmp-inst/               level    root,adm
/var/tmp   /var/tmp/tmp-inst/       level    root,adm
$HOME      $HOME/$USER.inst/        level
Once these files have been configured and a user logs in (although not root or adm
in the above example), the PAM pam_namespace module would unshare the
current namespace from the parent and mount namespaces according to the rules
defined in the namespace.conf file. The F17 configuration also includes an
/etc/security/namespace.init script that is used to initialise the
namespace every time a new directory instance is set up. This script receives four
parameters: the polyinstantiated directory path, the instance directory path, a flag to
indicate if a new instance, and the user name. If a new instance is being set up, the
directory permissions are set and the restorecon(8) command is run to set the
correct file contexts.
2.1.2.1 namespace.conf Configuration File
Each line in the namespace.conf file is formatted as follows:
polydir instance_prefix method list_of_uids
Where:
polydir          The absolute path name of the directory to polyinstantiate.
                 The optional strings $USER and $HOME will be replaced by
                 the user name and home directory respectively.
instance_prefix  A string prefix used to build the pathname for the
                 polyinstantiated directory. The optional strings $USER
                 and $HOME will be replaced by the user name and home
                 directory respectively.
method           This is used to determine the method of polyinstantiation
                 with valid entries being:
                 user   Polyinstantiation is based on user name.
                 level  Polyinstantiation is based on the user name
                 and
list_of_uids     A comma separated list of user names that will not have
                 polyinstantiated directories. If blank, then all users are
                 polyinstantiated. If the list is preceded with a '~'
                 character, then only the users in the list will have
                 polyinstantiated directories.
                 There are a number of optional flags available that are
                 described in the namespace.conf(5)
# user name as a part of the polyinstantiated directory
# name as follows:
# /tmp      /tmp/tmp-inst/unconfined_u:unconfined_r:unconfined_t_rch
# /var/tmp: /var/tmp/tmp-inst/unconfined_u:unconfined_r:unconfined_t_rch
# $HOME     /home/rch/rch.inst/unconfined_u:unconfined_r:unconfined_t_rch
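How a namespace.conf entry turns into the per-user instance directory shown in the listing above, as an added Python example written for this page (it is not pam_namespace code). The naming rules it applies are the ones from the namespace.conf description: user gives <user>, level gives <MLS level>_<user> and context gives <context>_<user>, with $USER and $HOME substituted in both the polydir and the prefix, and a leading '~' on the uid list inverting it. SAMPLE_CONF is constructed from the F17 defaults with one entry per method so all three naming forms are exercised.

```python
# Constructed from the F17 defaults, one entry per method (the real file uses "level" throughout).
SAMPLE_CONF = """\
#polydir   instance-prefix            method   list_of_uids
/tmp       /tmp-inst/                 level    root,adm
/var/tmp   /var/tmp/tmp-inst/         user     root,adm
$HOME      $HOME/$USER.inst/          context
"""


def parse_namespace_conf(text):
    """One dict per entry: polydir, prefix, method, users (list), exclusive (bool)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("bad entry: " + raw)
        polydir, prefix, method = parts[:3]
        uids = parts[3] if len(parts) > 3 else ""
        exclusive = uids.startswith("~")         # "~" means: only these users
        users = [u for u in uids.lstrip("~").split(",") if u]
        entries.append({"polydir": polydir, "prefix": prefix,
                        "method": method.split(":")[0],   # drop optional ":flags"
                        "users": users, "exclusive": exclusive})
    return entries


def applies_to(entry, user):
    """Does this entry polyinstantiate the directory for this user?"""
    if not entry["users"]:
        return True
    return (user in entry["users"]) == entry["exclusive"]


def instance_dir(entry, user, home, context):
    """(polydir, instance directory) that pam_namespace would bind-mount for this login."""
    def expand(s):
        return s.replace("$USER", user).replace("$HOME", home)

    level = context.split(":", 3)[3] if context.count(":") >= 3 else ""
    suffix = {"user": user,
              "level": f"{level}_{user}",
              "context": f"{context}_{user}"}[entry["method"]]
    return expand(entry["polydir"]), expand(entry["prefix"]) + suffix
```

Because the instance name embeds the level or context, two logins by the same user at different MLS levels get separate /tmp instances, which is the property that stops a low-level session from seeing files the same user created at a higher level.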
2.1.3 Polyinstantiation support in
gdm, gdm-autologin, login, remote and sshd, and at various points in this
Notebook the gdm configuration file has been modified to allow root login and the
pam_namespace.so module used to manage polyinstantiated directories for users.
There are also a number of PAM related configuration files in /etc/security,
although only one is directly related to SELinux; it is described in the
/etc/security/sepermit.conf file section.
The main login service related PAM configuration files (e.g. gdm) consist of multiple
lines of information that are formatted as follows:
service type control module-path arguments
Where:
service       The service name such as gdm and login reflecting the
              login application. If there is a /etc/pam.d directory, then
              this is the name of a configuration file under this
              directory. Alternatively, a configuration file called
              /etc/pam.conf can be used. F17 uses the /etc/pam.d
              configuration.
type          These are the management groups used by PAM with valid
              entries being: account, auth, password and session
              that correspond to the descriptions given above. Where there
              are multiple entries of the same 'type', the order they appear
              could be significant.
control       This entry states how the module should behave when the
              requested task fails. There can be two formats: a single
              keyword such as required, optional, and include or
              multiple space separated entries enclosed in square brackets
              consisting of:
              [value1=action1 value2=action2 ...]
              Both formats are shown in the example file below, however
              see the pam.conf man pages for the gory details.
module-path   Either the full path name of the module or its location relative
              to /lib/security (but this does depend on the system
              architecture).
arguments     A space separated list of the arguments that are defined for
              the module.
An example PAM configuration file is as follows, although note that the 'service'
parameter is actually the file name because F17 uses the /etc/pam.d directory
configuration (in this case gdm for the Gnome login service).
# /etc/pam.d/gdm configuration rule entry.
# SERVICE = file name (gdm)
# TYPE CONTROL MODULE-PATH ARGUMENTS
#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth     required    pam_succeed_if.so user != root quiet
auth     required    pam_env.so
auth     substack    system-auth
auth     optional    pam_gnome_keyring.so
account  required    pam_nologin.so
account  include     system-auth
password include     system-auth
session  re
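A parser for the entry format described above that handles both control forms and resolves what the stack does with a given module result, as an added Python example written for this page (it is not PAM code). The keyword-to-bracket equivalences for required, requisite, sufficient and optional are the ones documented in pam.conf(5); SAMPLE_GDM reproduces the gdm file above with its truncated session line replaced by a constructed pam_namespace.so entry.

```python
import re

# The gdm file above; the final session line is constructed, the rest is as shown.
SAMPLE_GDM = """\
#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth     required    pam_succeed_if.so user != root quiet
auth     required    pam_env.so
auth     substack    system-auth
auth     optional    pam_gnome_keyring.so
account  required    pam_nologin.so
account  include     system-auth
password include     system-auth
session  required    pam_namespace.so
"""

# Keyword controls expressed in the [value=action ...] form, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(token):
    """Turn a keyword or [value=action ...] control into a result -> action table."""
    if token.startswith("[") and token.endswith("]"):
        table = {}
        for pair in token[1:-1].split():
            value, action = pair.split("=", 1)
            table[value] = action
        return table
    if token in KEYWORDS:
        return dict(KEYWORDS[token])
    if token in ("include", "substack"):
        return {token: token}          # stack inclusion, no result mapping of its own
    raise ValueError("unknown control: " + token)


def parse_pam_file(text):
    """One dict per rule: type, control (result -> action table), module, args."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("bad line: " + raw)
        entries.append({"type": m.group(1), "control": parse_control(m.group(2)),
                        "module": m.group(3), "args": m.group(4).split()})
    return entries


def action_for(entry, result):
    """Action PAM takes when the module returns `result` (e.g. success, auth_err)."""
    table = entry["control"]
    return table.get(result, table.get("default", "ignore"))
```

Reading the first gdm line through action_for shows why it matters: a success from pam_selinux_permit.so is "done", so the rest of the auth stack is skipped for the users listed in sepermit.conf, while any other result is "bad" and the stack continues to fail; a plain required line would never have short-circuited.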
2.14.1 The LSM Module
The LSM is the Linux security framework that allows 3rd party access control
mechanisms to be linked into the GNU / Linux kernel. Currently there are five 3rd
party services that utilise the
Program execution          Filesystem operations      Inode operations
File operations            Task operations            Netlink messaging
Unix domain networking     Socket operations          XFRM operations
Key
2.14.2 The SELinux Module
This section does not go into detail of all the SELinux module functionality as [Ref. 6]
does this, however it attempts to highlight the way some areas work by using the fork
and transition process example described in the Domain Transition section and also
by describing the boot process.
The major kernel SELinux source files (relative to ./linux-
3.3/security/selinux) that form the SELinux security module are shown
in Table 8. The diagrams shown in Figure 2.2 and Figure 2.12 can be used to see how
some of these kernel source modules fit together.
Name  Function
The context_struct_compute_av() function carries out many checks
to validate whether access is allowed. The steps are (assuming the access is
valid):
a) Initialise the AV structure so that it is clear.
b) Check the object class and permissions are correct. It also checks the status of the allow_unknown flag (see the SELinux Filesystem,
/etc/selinux/semanage.conf file and Reference Policy
Build Options build.conf UNK_PERMS sections).
c) Checks if there are any type enforcement rules (ALLOW,
AUDIT_ALLOW, AUDIT_DENY).
d) Check whether any conditional statements are involved via the
cond_compute_av() function in conditional.c.
e) Remove permissions that are defined in any constraint via the
constraint_expr_eval() function call (in services.c). This function will also check any
Figure 2.10: Hooks for the fork system call

hooks.c - This contains the SELinux functions. Note that the task_create
function also calls a function in the secondary_ops function table.

    static int selinux_task_create(unsigned long clone_flags)
    {
        int rc;

        rc = secondary_ops->task_create(clone_flags);
        if (rc)                 /* If secondary gives error, then return */
            return rc;

        return task_has_perm(current, current, PROCESS__FORK);
    }
    ....
    static int task_has_perm(struct task_struct *tsk1, struct task_struct *tsk2,
                             u32 perms)
    {
        struct task_security_struct *tsec1, *tsec2;

        tsec1 = tsk1->security;
        tsec2 = tsk2->security;
        return avc_has_perm(tsec1->sid, tsec2->sid, SECCLASS_PROCESS, perms, NULL);
    }

capability.c

    static int cap_task_create(unsigned long clone_flags)
    {
        return 0;
    }

secondary_ops function pointer structure - This contains a pointer to the
task_create function in capability.c:

    security_task_create -> cap_task_create

selinux/ss/services.c - This contains the Security Server functions.
The call to security_compute_av will
result in the security server checking whether
the requested access is allowed or not and
return the result to the calling function.
2.14.2.2 Process Transition Walkthrough
This section walks through the execve() and checking whether a process transition
to the ext_gateway_t domain is allowed, and if so obtain a new SID for the
context (unconfined_u:message_filter_r:ext_gateway_t) as shown
in Figure 2.7. The process starts with the Linux operating system issuing a do_execve() call
from the CPU specific architecture code to execute a new program (for example, from
arch/ia64/kernel/process.c). The do_execve() function is located in
the fs/exec.c source code module and does the loading and final exec as
described below.
do_execve() has a number of calls to security_bprm_* functions that are a
part of the LSM (see security.h), and are hooked by SELinux during the
initialisation process (in hooks.c). Table 9 briefly describes these
security_bprm functions that are hooks for validating program loading and
execution (although see security.h or [Ref. 8] for greater detail).
Table 9 (LSM / SELinux Function columns): the security_bprm hook functions; the
table body was not recovered.
The security_bprm_alloc() -> selinux_bprm_alloc_security()
function is then called (in hooks.c) where SELinux will allocate memory
for the bprm security structure and set the bsec->set flag to 0 indicating
this is the first time through this process for this exec request.
2. Via the prepare_binprm() function call the UID and GIDs are checked and a call issued to security_bprm_set() that will carry out the
following:
a) The selinux_bprm_set_security() function will call the
secondary_ops->bprm_set_security function in
capability.c, that is effectively a noop.
b) The bsec->set flag will be checked and if 1 will return, as this
function can be called multiple times during the exec process.
c) The target SID is checked to see whether a transition is required (in
this case it is), therefore a call will be made to the security_transition_sid() function in services.c. This
function will compute the SID for a new subject or object (subject in
this case) via the security_compute_sid() function that will
(assuming there are no errors):
i. Search the SID table for the source and target SIDs.
ii. Set the SELinux user identity.
iii. Set the source role and type.
iv. Check that a type_transition rule exists in the AV table
and / or the conditional AV table (see Figure 2.12).
v. If a type_transition, then also check for a
role_transition (there is a role change in the
ext_gateway.conf policy module), set the role.
vi. Check if any
this part of the function is not executed again for this exec; finally
control is passed back to the do_execve function.
3. Various strings are copied (args etc.) and a check is made to see if the exec
succeeded or not (in this case it did), therefore the
security_bprm_free() function is called to free the bprm security structure.
4. The End.
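The access-vector steps (a) to (e) of context_struct_compute_av() and the SID computation steps i to v of security_compute_sid() above both combine several policy tables. The following toy model, added here as an illustration and not taken from the kernel sources or from the notebook's own code, replays both on a small in-memory policy. Everything in it is constructed: the permission bit layout, the ext_gateway_exec_t file type assumed for the gateway executable, the allow_ptrace boolean and the single user-identity constraint.

```python
"""Toy model of two security-server computations: context_struct_compute_av()
steps (a)-(e) and security_compute_sid() steps i-v.  Added illustration for
this section, NOT the kernel's services.c code.  The policy, permission bits
and the ext_gateway_exec_t type are constructed for the example."""
from dataclasses import dataclass, field

# Permission bits for the toy "process" class.  Real positions come from
# av_permission.h; these are invented.
PROCESS_PERMS = {"fork": 1 << 0, "transition": 1 << 1,
                 "sigkill": 1 << 2, "ptrace": 1 << 3}
ALL_PERMS = sum(PROCESS_PERMS.values())


@dataclass
class AccessVectors:
    """The AV structure that step (a) clears before the checks run."""
    allowed: int = 0
    auditallow: int = 0
    auditdeny: int = ALL_PERMS   # kernel convention: audit every denial
                                 # unless an auditdeny rule clears the bit


@dataclass
class ToyPolicy:
    classes: dict                      # class name -> permission table
    allow_unknown: bool                # the allow_unknown flag of step (b)
    te_rules: dict = field(default_factory=dict)    # (src type, tgt type, class) -> AV
    cond_rules: dict = field(default_factory=dict)  # same key -> (boolean, AV if true)
    booleans: dict = field(default_factory=dict)
    constraints: list = field(default_factory=list) # (class, perms, predicate(src, tgt))
    type_trans: dict = field(default_factory=dict)  # (src type, tgt type, class) -> new type
    role_trans: dict = field(default_factory=dict)  # (src role, tgt type) -> new role


def compute_av(policy, src, tgt, cls):
    """Steps (a)-(e); src and tgt are contexts (dicts with user/role/type)."""
    av = AccessVectors()                                       # (a) clear
    if cls not in policy.classes:                              # (b) unknown class
        if policy.allow_unknown:
            av.allowed = ALL_PERMS                             # all 1's
        return av                                              # else all 0's
    key = (src["type"], tgt["type"], cls)
    if key in policy.te_rules:                                 # (c) TE rules
        rule = policy.te_rules[key]
        av.allowed |= rule.allowed
        av.auditallow |= rule.auditallow
        av.auditdeny &= rule.auditdeny
    if key in policy.cond_rules:                               # (d) conditional rules
        boolean, cond_av = policy.cond_rules[key]
        if policy.booleans.get(boolean, False):
            av.allowed |= cond_av.allowed
    for c_cls, c_perms, holds in policy.constraints:           # (e) constraints
        if c_cls == cls and not holds(src, tgt):
            av.allowed &= ~c_perms                             # strip the perms
    return av


def compute_sid(policy, src, tgt, cls):
    """Steps i-v for a process transition: keep the source user, role and
    type unless a type_transition (and then a role_transition) rule applies."""
    new = {"user": src["user"], "role": src["role"], "type": src["type"]}
    new_type = policy.type_trans.get((src["type"], tgt["type"], cls))   # iv
    if new_type is not None:
        new["type"] = new_type
        new_role = policy.role_trans.get((src["role"], tgt["type"]))    # v
        if new_role is not None:
            new["role"] = new_role
    return new


def build_toy_policy():
    """A constructed policy just large enough to replay the ext_gateway_t example."""
    p = PROCESS_PERMS
    return ToyPolicy(
        classes={"process": PROCESS_PERMS},
        allow_unknown=False,
        te_rules={
            ("unconfined_t", "unconfined_t", "process"):
                AccessVectors(allowed=p["fork"] | p["sigkill"]),
            ("unconfined_t", "ext_gateway_t", "process"):
                AccessVectors(allowed=p["transition"]),
        },
        cond_rules={("unconfined_t", "unconfined_t", "process"):
                    ("allow_ptrace", AccessVectors(allowed=p["ptrace"]))},
        booleans={"allow_ptrace": False},
        # Constructed constraint: the user identity must not change on transition.
        constraints=[("process", p["transition"],
                      lambda s, t: s["user"] == t["user"])],
        type_trans={("unconfined_t", "ext_gateway_exec_t", "process"): "ext_gateway_t"},
        role_trans={("unconfined_r", "ext_gateway_exec_t"): "message_filter_r"},
    )


def transition_example():
    """Replay the walkthrough: compute the new SID, then ask whether the
    source may transition to it.  Returns (new context, allowed bits)."""
    policy = build_toy_policy()
    src = {"user": "unconfined_u", "role": "unconfined_r", "type": "unconfined_t"}
    exe = {"user": "system_u", "role": "object_r", "type": "ext_gateway_exec_t"}
    new = compute_sid(policy, src, exe, "process")
    av = compute_av(policy, src, new, "process")
    return new, av.allowed


if __name__ == "__main__":
    ctx, allowed = transition_example()
    print("new context: %(user)s:%(role)s:%(type)s" % ctx)
    print("transition allowed:", bool(allowed & PROCESS_PERMS["transition"]))
```

Running transition_example() yields unconfined_u:message_filter_r:ext_gateway_t with only the transition bit set, matching the context the walkthrough arrives at; flipping the allow_ptrace boolean or changing the source user shows steps (d) and (e) adding and removing permissions respectively.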
Figure 2.11: (diagram, title partly lost) required to check if a
transition is allowed from the unconfined_t domain to the ext_gateway_t domain.
Figure 2.12: The Main LSM SELinux Modules - The fork and exec functions link to Figure 2.7 where the transition process is described.
2.14.2.3 SELinux Filesystem
Table 10 shows the information contained in the SELinux filesystem (selinuxfs) /sys/fs/selinux (or /selinux on older systems)
where the SELinux kernel exports information regarding its configuration and active policy. selinuxfs is a read/write interface used by
SELinux library functions such as the libselinux library for userspace SELinux-aware applications and object managers. Note that while it is
possible for userspace applications to read/write this interface directly, it is not recommended; use the libselinux library instead.
Table 10: /selinux File and Directory Information (selinuxfs Directory and File Names / Permissions / Comments)

/sys/fs/selinux (Directory)
    This is the root directory where the SELinux kernel exports relevant information regarding its
    configuration and active policy for use by the libselinux library.

access (-rw-rw-rw-)
    Compute access decision interface that is used by the security_compute_av(3),
    security_compute_av_flags(3), avc_has_perm(3) and avc_has_perm_noaudit(3) functions.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the
    security_compute_av_user function to compute the new SID that is then converted to
    a context string.
    Requires security {compute_av} permission.

checkreqprot (-rw-r--r--)
    0 = Check requested protection applied by kernel.
    1 = Check protection requested by application. This is the default.
    These apply to the mmap and mprotect kernel calls. Default value can be changed at boot
    time via the checkreqprot= parameter.
    Requires security {setcheckreqprot} permission.

commit_pending_bools (--w-------)
    Commit new boolean values to the kernel policy.
    Requires security {setbool} permission.

context (-rw-rw-rw-)
    Validate context interface used by the security_check_context(3) function.
    Requires security {check_context} permission.

create (-rw-rw-rw-)
    Compute create labeling decision interface that is used by the security_compute_create(3) and
    avc_compute_create(3) functions.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the
    security_transition_sid_user function to compute the new SID that is then
    converted to a context string.
    Requires security {compute_create} permission.

deny_unknown (-r--r--r--)
reject_unknown (-r--r--r--)
    These two files export deny_unknown (read by the security_deny_unknown(3) function) and
    reject_unknown status to user space.
    These are taken from the handle-unknown parameter set [15] in the
    /etc/selinux/semanage.conf file when policy is being built and are set as follows:
    deny:reject
    0:0 = Allow unknown object class / permissions. This will set the returned AV with all
          1's.
    1:0 = Deny unknown object class / permissions (the default). This will set the returned
          AV with all 0's.
    1:1 = Reject loading the policy if it does not contain all the object classes / permissions.

disable (--w-------)
    Disable SELinux until next reboot.

enforce (-rw-r--r--)
    Get or set enforcing status.
    Requires security {setenforce} permission.

load (-rw-------)
    Load policy interface.
    Requires security {load_policy} permission.

member (-rw-rw-rw-)
    Compute polyinstantiation membership decision interface that is used by the
    security_compute_member(3) and avc_compute_member(3) functions.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the
    security_member_sid function to compute the new SID that is then converted to a
    context string.
    Requires security {compute_member} permission.

mls (-r--r--r--)
    Returns 1 if

null (crw-rw-rw-)
    The SELinux equivalent of /dev/null for file descriptors that have been redirected by
    SELinux.

policyvers (-r--r--r--)
    Returns supported policy version for kernel. Read by the security_policyvers(3) function.

relabel (-rw-rw-rw-)
    Compute relabeling decision interface that is used by the security_compute_relabel(3) function.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the
    security_change_sid function to compute the new SID that is then converted to a
    context string.
    Requires security {compute_relabel} permission.

status (-r--r--r--)
    This can be used to obtain enforcing mode and policy load changes with much less overhead
    than using the libselinux netlink / call backs. This was added for Object

/sys/fs/selinux/avc (Directory)
    This directory contains information regarding the kernel AVC that can be displayed by the
    avcstat command.

cache_stats (-r--r--r--)
    Shows the kernel AVC lookups, hits, misses etc.

cache_threshold (-rw-r--r--)
    The default value is 512, however caching can be turned off (but performance suffers) by:
    echo 0 > /selinux/avc/cache_threshold
    Requires security {setsecparam} permission.

hash_stats (-r--r--r--)
    Shows the number of kernel AVC entries, longest chain etc.

/sys/fs/selinux/booleans (Directory)
    This directory contains one file for each boolean defined in the active policy.

secmark_audit ...... (-rw-r--r--)
    Each file contains the current and pending status of the boolean (0 = false or 1 = true). The
    getsebool(8), setsebool(8) and sestatus -b commands use this interface via the
    libselinux library functions.

/sys/fs/selinux/initial_contexts (Directory)
    This directory contains one file for each initial SID defined in the active policy.

any_socket, devnull ..... (-r--r--r--)
    Each file contains the initial context of the initial SID as defined in the active policy (e.g.
    any_socket was assigned system_u:object_r:unconfined_t).

/sys/fs/selinux/policy_capabilities (Directory)
    This directory contains the policy capabilities that have been configured by default in the
    kernel via the policycap statement in the active policy. These are generally new features that
    can be enabled for testing by using the policycap statement in policy.

network_peer_controls (-r--r--r--)
    For the F17 Reference Policy this file contains "1" (true) which means that the following
    network_peer_controls are enabled by default:
    node: sendto recvfrom
    netif: ingress egress
    peer: recv

open_perms (-r--r--r--)
    For the F17 Reference Policy this file contains "1" (true) which means that open permissions
    are enabled by default on the following objects: dir, file, fifo_file, chr_file,
    blk_file.

ptrace_child (-r--r--r--)
    This will be enabled in kernel 3.4 to allow finer control of ptrace. Requires policy support and the
    security class permission ptrace_child.

/sys/fs/selinux/class (Directory)
    This directory contains a list of classes and their permissions as defined within the policy.

/sys/fs/selinux/class/appletalk_socket (Directory)
    Each class has its own directory where each one is named using the appropriate class statement
    from the policy (i.e. class appletalk_socket). Each directory contains the following:

index (-r--r--r--)
    This file contains the allocated class number (e.g. appletalk_socket is "58" in
    flask.h).

/sys/fs/selinux/class/appletalk_socket/perms (Directory)
    This directory contains one file for each permission defined in the policy.

accept, append, bind .... (-r--r--r--)
    Each file is named by the permission assigned in the policy and contains a number that
    represents its position in the list (e.g. accept is the 14th permission listed in
    av_permission.h for appletalk_socket and therefore contains '14').

Table 10: /selinux File and Directory Information
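To make the layout in Table 10 concrete, the following added example (not libselinux code and not from the notebook) walks a selinuxfs tree and summarises the entries the table describes: the enforcing flag, the deny_unknown/reject_unknown pair, boolean current/pending values, policy capabilities and the class index and permission positions. It constructs a sample tree in a temporary directory so it runs offline; every value in that tree is a constructed sample, not kernel output. Pointing summarize_selinuxfs() at /sys/fs/selinux reads a live system, although, as the text notes, applications should go through libselinux.

```python
"""Walk the selinuxfs entries described in Table 10 and summarise them.

Added example for this section; not libselinux code.  build_sample_selinuxfs()
creates a constructed look-alike tree under a temporary directory so the
reader runs offline; pass "/sys/fs/selinux" instead to inspect a live system."""
import os
import tempfile


def _read_int(path, default=None):
    """selinuxfs files hold small decimal strings; a file absent on this
    kernel version yields default instead of an exception."""
    try:
        with open(path) as f:
            return int(f.read().split()[0])
    except FileNotFoundError:
        return default


def _listdir(path):
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


def summarize_selinuxfs(root):
    j = os.path.join
    info = {
        "enforce": _read_int(j(root, "enforce")),
        "policyvers": _read_int(j(root, "policyvers")),
        "checkreqprot": _read_int(j(root, "checkreqprot")),
        "cache_threshold": _read_int(j(root, "avc", "cache_threshold")),
    }
    # deny_unknown:reject_unknown encode the handle-unknown build setting:
    # 0:0 allow unknown classes/perms, 1:0 deny (default), 1:1 reject policy load.
    pair = (_read_int(j(root, "deny_unknown")), _read_int(j(root, "reject_unknown")))
    info["handle_unknown"] = {(0, 0): "allow", (1, 0): "deny",
                              (1, 1): "reject"}.get(pair, "unexpected")
    # Each boolean file reads "<current> <pending>"; pending values only take
    # effect once commit_pending_bools is written.
    info["booleans"] = {}
    for name in _listdir(j(root, "booleans")):
        with open(j(root, "booleans", name)) as f:
            cur, pending = f.read().split()[:2]
        info["booleans"][name] = (cur == "1", pending == "1")
    info["policy_capabilities"] = {
        name: _read_int(j(root, "policy_capabilities", name)) == 1
        for name in _listdir(j(root, "policy_capabilities"))}
    # class/<name>/index is the class number; class/<name>/perms/<perm> holds
    # the permission's position within the class.
    info["classes"] = {}
    for cls in _listdir(j(root, "class")):
        perms = {perm: _read_int(j(root, "class", cls, "perms", perm))
                 for perm in _listdir(j(root, "class", cls, "perms"))}
        info["classes"][cls] = {"index": _read_int(j(root, "class", cls, "index")),
                                "perms": perms}
    return info


def pending_boolean_changes(info):
    """Names of booleans whose pending value differs from the current one."""
    return sorted(n for n, (cur, pend) in info["booleans"].items() if cur != pend)


def build_sample_selinuxfs():
    """Create a constructed selinuxfs look-alike and return its root."""
    root = tempfile.mkdtemp(prefix="selinuxfs-sample-")
    sample = {   # constructed contents, following the layout in Table 10
        "enforce": "1", "deny_unknown": "1", "reject_unknown": "0",
        "policyvers": "26", "checkreqprot": "1", "avc/cache_threshold": "512",
        "booleans/secmark_audit": "1 1", "booleans/allow_ptrace": "0 1",
        "policy_capabilities/network_peer_controls": "1",
        "policy_capabilities/open_perms": "1",
        "class/appletalk_socket/index": "58",
        "class/appletalk_socket/perms/accept": "14",
        "class/appletalk_socket/perms/bind": "3",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content + "\n")
    return root


if __name__ == "__main__":
    summary = summarize_selinuxfs(build_sample_selinuxfs())
    print("enforcing:", summary["enforce"], "unknown classes:", summary["handle_unknown"])
    print("booleans awaiting commit:", pending_boolean_changes(summary))
```

pending_boolean_changes() lists exactly what a write to commit_pending_bools would apply, which is the state setsebool leaves behind before committing; the missing-file default matters on a live system because the set of selinuxfs entries varies between kernel versions.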
2.16 Libselinux Library
libselinux contains all the SELinux functions necessary to build userspace
SELinux-aware applications and object managers using 'C', Python, Ruby and PHP
languages.
The library hides the low level functionality of (but not limited to):
• The SELinux filesystem that interfaces to the SELinux kernel security server.
• The proc filesystem that maintains process state information and security
contexts, see proc(
libselinux function category table (only these rows were recovered):
Socket Creation Labeling - Get and set socket creation contexts.
User Session
2.20 SELinux Networking Support
SELinux supports the following types of network labeling:
Internal labeling - This is where network objects are labeled and managed
internally within a single machine (i.e. their labels are not transmitted as part of
the session with remote systems). There are three types supported: those known as "compat_net" controls that label nodes, interfaces and ports; SEC
The current SELinux port definition does not include an IP address which makes it
difficult to restrict connect() and bind() operations using SELinux. Policy
version 29 solves this problem by adding an IP address to the SELinux port definition
via a SELinux node label (however, note that the kernel and userspace versions
containing this feature are not yet known).
2.20.2