The SELinux Notebook the Foundations 3rd Edition

Jul 06, 2018
8/17/2019 The SELinux Notebook the Foundations 3rd Edition

The SELinux Notebook - The Foundations (3rd Edition)

0. Notebook Information

0.1 Copyright Information

Copyright © 2012 Richard Haines.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

The scripts and source code in this Notebook are covered by the GNU General Public License. The scripts and code are free source; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.

These are distributed in the hope that they will be useful in researching SELinux, but WITHOUT ANY WARRANTY; without even the implied warranty of

Term / Definition

AVC  Access Vector Cache
BLP  Bell-La Padula
CC   Common Criteria
CIL  Common Intermediate Language
CMW  Compartmented

0.2 Index

0 NOTEBOOK INFORMATION
0.1 COPYRIGHT INFORMATION

2.13.2 Reference Policy ... 46
2.13.3 Policy Functionality Based on Name or Type ... 47
2.13.4 Custom Policy ... 47
2.13.5 Monolithic Policy
2.13.6 Loadable Module Policy
2.13.6.1 Optional Policy ... 48
2.13.7 Conditional Policy
2.13.8 Binary Policy
2.13.9 Policy Versions

3.4.3 booleans.subs File ... 142
3.4.4 setrans.conf File ... 143
3.4.5 secolor.conf File ... 145
3.4.6 policy/policy.<ver> File ... 146
3.4.7 contexts/customizable_types File ... 147
3.4.8 contexts/default_contexts File ... 147
3.4.9 contexts/dbus_contexts File
3.4.10 contexts/default_type File ... 150
3.4.11 contexts/failsafe_context File ... 150
3.4.12 contexts/initrc_context File ... 151
3.4.13 contexts/netfilter_contexts File ... 152
3.4.14 contexts/removable_context File ... 152
3.4.15 contexts/securetty_types File ... 152
3.4.16 contexts/sepgsql_contexts File ... 153
3.4.17 contexts/userhelper_context File ... 154
3.4.18 contexts/virtual_domain_context File ... 154
3.4.19 contexts/virtual_image_context File ... 155
3.4.20 contexts/x_contexts File ... 155
3.4.21 contexts/files/file_contexts File ... 157
3.4.22 contexts/files/file_contexts.local File
3.4.23 contexts/files/file_contexts.homedirs File
3.4.24 contexts/files/file_contexts.subs & file_contexts.subs_dist File
3.4.25 contexts/files/media File
3.4.26 contexts/users/[seuser_id] File
3.4.27 logins/<linuxuser_id> File ... 160
3.4.28 users/local.users File ... 161

4 SELINUX POLICY LANGUAGE
4.1 INTRODUCTION ... 162
4.1.1 CIL Overview ... 162
4.1.2 Notebook Example Policy ... 165
4.5.3 type_member Rule
4.16.5 permissive Statement ... 226

5.6.1.7 template

8.5 NETWORK OBJECT CLASSES ... 319
8.5.1 IPSec Network Object Classes ... 322
8.5.2 Netlink Object Classes ... 323
8.5.3 Miscellaneous Network Object Classes ... 325
8.6 IPC OBJECT CLASSES ... 326
8.7 PROCESS OBJECT CLASS ... 326
8.8 SECURITY OBJECT CLASS ... 327
1. The SELinux Notebook

1.1 Introduction

This Notebook should help with explaining:

a) SELinux and its purpose in life.

b) The LSM / SELinux architecture, its supporting services and how they are implemented within GNU / Linux.

c) SELinux Networking, Virtual


2. SELinux Overview

2.1 Introduction

SELinux is the primary

3. SELinux can confine an application within its own "domain" and allow it to have the minimum privileges required to do its job. Should the application require access to networks or other applications (or their data), then (as part of the security policy design), this access would need to be granted (so at least it is known what interactions are allowed and what are not - a good security goal).

4. Should an application "do something" it is not allowed by policy (intentional or otherwise), then SELinux would stop these actions.

5. Should an application "do something" it is allowed by policy, then SELinux may contain any damage that may be done, intentional or otherwise. For example if an application is allowed to delete all of its data files or database entries, and a bug, virus or malicious user gains these privileges then it would be able to do the same, however the good news is that if the policy "confined" the application and data, all your other data should still be there.

6. User login sessions can be confined to their own domains. This allows clients they run to be given only the privileges they need (e.g. admin users, sales staff users, HR staff users etc.). This again will confine/limit any damage or leakage of data.

7. Some applications (X-Windows for example) are difficult to confine as they are generally designed to have total access to all resources. SELinux can generally overcome these issues by providing sandboxing services.

8. SELinux will not stop memory leaks or buffer overruns (because it is not designed to do this), however it may contain the damage that may be done.

9. SELinux will not stop all viruses/malware getting into the system (as there are many ways they could be introduced, including by legitimate users), however it should limit the damage or leaks they cause.

10. SELinux will not stop kernel vulnerabilities, however it may limit their effects.

11. It is very easy to add new rules to an SELinux policy using tools such as audit2allow(1) if a user has the relevant permissions, however be aware that this may start opening holes, so check what rules are really required.

12. Finally, SELinux cannot stop anything allowed by the security policy, so good design is important.

The following may be useful in providing a practical view of SELinux:

1. A discussion regarding Apache servers and SELinux that may look negative at first but highlights the containment points above. This is the initial study: http://blog.ptsecurity.com/2012/08/selinux-in-practice-dvwa-test.html, and this is a response to the study: http://danwalsh.livejournal.com/56760.html. However with careful design and known security goals the SELinux "Apache / SELinux Plus" services could be used to build a more secure web service (also see http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus).

2. SELinux services have been added to Android, producing SEAndroid. The presentation "The Case for Security Enhanced (SE) Android" gives use-cases

and types of Android exploits that SELinux could have overcome. The presentation is available at: https://events.linuxfoundation.org/images/stories/pdf/lf_abs12_smalley.pdf

2.2 Core SELinux Components

Figure 2.1 shows a high level diagram of the SELinux core components that manage enforcement of the policy and comprise of the following:

1. A subject that must be present to cause an action to be taken by an object (such as read a file, as information only flows when a subject is involved).

2. An Object

Figure 2.2 shows a more complex diagram of kernel and userspace with a number of supporting services that are used to manage the SELinux environment. This diagram will be referenced a number of times to explain areas of SELinux, therefore starting from the bottom:

a) In the current implementation of SELinux the security server is embedded in the kernel with the policy being loaded from userspace via a series of functions contained in the libselinux library (see SELinux Userspace Libraries for details).

The object managers (O

[Figure 2.2: High Level SELinux Architecture (kernel space / user space diagram not reproduced)]

this Notebook, however it is not recommended for real-world policy development.

ii) Using the Reference Policy that uses high level macros to define policy rules. This is the standard way policies are now built for SELinux distributions such as Red Hat and Debian and is discussed in the Reference Policy section.

e) To be able to compile and link the source code then load it into the security server requires a number of tools (top of Figure 2.2). These are used to build the sample policy modules where their use is described.

f) To enable system administrators to manage the policy, the SELinux environment and label file systems requires tools and modified GNU / Linux commands. These are mentioned throughout the Notebook as needed and summarised in Appendix - SELinux Commands. Note that there are many other applications to manage policy, however this Notebook only concentrates on the core services.

g) To ensure security events are logged, GNU / Linux has an audit service that captures policy violations. The Auditing SELinux Events section describes the format of these security events.

h) SELinux supports network services that are described in the SELinux Networking Support section.

The Linux Security

[Figure 2.3 (diagram not reproduced)]

The SELinux user name is the first component of a "security context" and by convention SELinux user names end in "_u", however this is not enforced by any SELinux service (i.e. it is only to identify the user component).

2.5 Role-Based Access Control (RBAC)

To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in Figure 2.4.

The SELinux role name is the second component of a "security context" and by convention SELinux roles end in "_r", however this is not enforced by any SELinux service (i.e. it is only used to identify the role component).

[Figure 2.4: Role Based Access Control (diagram not reproduced)]

it comes down to understanding how they are allocated in the policy itself and how they are used by SELinux services.

Basically if the type identifier is used to reference a subject it is referring to a Linux process or collection of processes (a domain or domain type). If the type identifier is used to reference an object then it is specifying its object type (i.e. file type).

While SELinux refers to a subject as being an active process that is associated to a domain type, the scope of an SELinux type enforcement domain can vary widely. For example in the simple policy built in the basic-selinux-policy directory of the source tarball, all the processes on the system run in the unconfined_t domain, therefore every process is 'of type unconfined_t' (that means it can do whatever it likes within the limits of the standard Linux DAC policy).

It is only when additional policy statements are added to the simple policy that areas start to be confined. For example, an external gateway is run in its own isolated domain (ext_gateway_t) that cannot be 'interfered' with by any of the unconfined_t processes (except to run or transition the gateway process into its own domain). This scenario is similar to the 'targeted' policy delivered as standard in Red Hat Fedora where the majority of user space processes run under the unconfined_t domain (although don't think the simple policies implemented in the source tarball are equivalent to the Reference Policy, they are not, so do not use them as live implementations).

The SELinux type is the third component of a "security context" and by convention SELinux types end in "_t", however this is not enforced by any SELinux service (i.e. it is only used to identify the type component).

2.6.1 Constraints

Within a TE environment, the way that subjects are allowed to access an object is via an allow rule, for example:

    allow unconfined_t ext_gateway_t : process transition;

This states that a process running in the unconfined_t domain has permission to transition a process to the ext_gateway_t domain. However it could be that the policy writer wants to constrain this further and state that this can only happen if the role of the source domain is the same as the role of the target domain. To achieve this a constraint can be imposed using a constrain statement:

    constrain process transition ( r1 == r2 );

This states that a process transition can only occur if the source role is the same as the target role, therefore a constraint is a condition that must be satisfied in order for one or more permissions to be granted (i.e. a constraint imposes additional restrictions on TE rules).
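The interaction between the allow rule and the constrain statement above can be modelled in a few dozen lines. The following is an added example, not code from the Notebook: it parses security contexts, stores TE allow rules, and only grants a permission when an allow rule exists and every constrain statement covering that class and permission holds. The constraint evaluator supports comparisons between the source (1) and target (2) user, role and type joined by "and"/"or", which is enough for the page's `( r1 == r2 )`; nested expressions and MLS constraints are not modelled. The `message_filter_r` role and the contexts used in the demonstration are constructed for illustration.

```python
"""Toy evaluator for SELinux TE allow rules plus constrain statements (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context: user:role:type[:level/range]."""
    user: str
    role: str
    type: str
    mls: str = ""

    @classmethod
    def parse(cls, text):
        parts = text.split(":", 3)          # the MLS range may itself contain ':'
        if len(parts) < 3:
            raise ValueError("malformed security context: %r" % text)
        return cls(*parts)


_FIELD = {"u": "user", "r": "role", "t": "type"}


def _atom_true(atom, scon, tcon):
    """Evaluate one comparison such as 'r1 == r2' (1 = source, 2 = target)."""
    left, op, right = atom.split()
    if op not in ("==", "!="):
        raise ValueError("unsupported operator: %s" % op)

    def value(name):
        ctx = scon if name.endswith("1") else tcon
        return getattr(ctx, _FIELD[name[0]])

    equal = value(left) == value(right)
    return equal if op == "==" else not equal


def constraint_holds(expr, scon, tcon):
    """Evaluate a constrain expression written as ORed groups of ANDed
    comparisons. Parentheses only group; deeper nesting is not modelled
    (assumption of this example)."""
    flat = " ".join(expr.replace("(", " ").replace(")", " ").split())
    return any(
        all(_atom_true(atom, scon, tcon) for atom in group.split(" and "))
        for group in flat.split(" or ")
    )


class Policy:
    def __init__(self):
        self.allow_rules = set()     # (source_type, target_type, class, permission)
        self.constraints = []        # (class, {permissions}, expression)

    def allow(self, source_type, target_type, tclass, perms):
        for perm in perms.split():
            self.allow_rules.add((source_type, target_type, tclass, perm))

    def constrain(self, tclass, perms, expr):
        self.constraints.append((tclass, set(perms.split()), expr))

    def check(self, scon, tcon, tclass, perm):
        """Return (granted, reason): an allow rule is necessary, and every
        constrain statement covering this class and permission must hold."""
        if (scon.type, tcon.type, tclass, perm) not in self.allow_rules:
            return False, "no allow rule"
        for ctclass, cperms, expr in self.constraints:
            if ctclass == tclass and perm in cperms and not constraint_holds(expr, scon, tcon):
                return False, "constraint failed: " + expr
        return True, "allowed"


def build_demo_policy():
    """The allow rule and constrain statement from the page."""
    policy = Policy()
    policy.allow("unconfined_t", "ext_gateway_t", "process", "transition")
    policy.constrain("process", "transition", "( r1 == r2 )")
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    # Constructed contexts: same role on both sides, then a differing role.
    shell = Context.parse("unconfined_u:unconfined_r:unconfined_t:s0")
    same_role = Context.parse("unconfined_u:unconfined_r:ext_gateway_t:s0")
    other_role = Context.parse("unconfined_u:message_filter_r:ext_gateway_t:s0")
    for tcon in (same_role, other_role):
        print(tcon.role, policy.check(shell, tcon, "process", "transition"))
```

The second call in the demonstration is refused even though the allow rule matches, which is exactly the point of the constrain statement: it narrows what TE rules grant rather than granting anything itself.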

There are a number of different constraint statements within the policy language to support areas such as

2.7 Security Context

SELinux requires a security context to be associated with every process (or subject) and object that are used by the security server to decide whether access is allowed or not as defined by the policy.

The security context is also known as a 'security label' or just label, which can cause confusion as there are many types of label depending on the context (another context!!).

Within SELinux, a security context is represented as variable-length strings that define the SELinux user[3], their role, a type identifier and an optional

Therefore for an object the role, type and level/range are the only relevant security fields that are used in access decisions.

Examples of using system_u and object_r can be seen in the file system after relabeling and running the ls -Z command on various directories.

The Computing Security Contexts section describes how SELinux computes the security context components based on a source context, target context and an object class.

The examples below show security contexts for processes, directories and files (note that the policy did not support

    # (see the process example above). The role remained as object_r.

2.8 Subjects

A subject is an active entity generally in the form of a person, process, or device that causes information to flow among objects or changes the system state.

Within SELinux a subject is generally an active process and has a security context associated with it, however a process can also be referred to as an object depending on the context in which it is being taken, for example:

1. A running process (i.e. an active entity) is a subject because it causes information to flow among objects or can change the system state.

2. The process can also be referred to as an object because each process has an associated object class[4] called 'process'. This process 'object' defines what permissions the policy is allowed to grant or deny on the active process.

An example is given of the above scenarios in the Allowing a Process Access to an Object section.

In SELinux subjects can be:

Trusted - Generally these are commands, applications etc. that have been written or modified to support specific SELinux functionality to enforce the security policy (e.g. the kernel, init, pam, inetd and login). However, it can also cover any application that the organisation is willing to trust as a part of the overall system. Although (depending on your paranoia level), the best policy is to trust nothing until it has been verified that it conforms to the security policy. Generally these trusted applications would run in either their own domain (e.g. the audit daemon could run under auditd_t) or grouped together (e.g. the semanage(8) and semodule(8) commands could be grouped under semanage_t).

Untrusted - Everything else.

2.9 Objects

Within SELinux an object is a resource such as files, sockets, pipes or network interfaces that are accessed via processes (also known as subjects). These objects are classified according to the resource they provide with access permissions relevant to their purpose (e.g. read, receive and write), and assigned a security context as described in the following sections.

2.9.1 Object Classes and Permissions

Each object consists of a class identifier that defines its purpose (e.g. file, socket) along with a set of permissions[5] that describe what services the object can handle (read, write, send etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket my_connection) and a security

[4] The object class and its associated permissions are explained in the Process Object Class section.
[5] Also known in SELinux as Access Vectors (AV).

context (e.g. system_u:object_r:selinux_config_t) as shown in Figure 2.5.

[Figure 2.5 (object class diagram not reproduced)]

    allow Rule | source_domain | target_type : class | permission
    -----------|---------------|------------------------|------------
    allow      | unconfined_t  | ext_gateway_t : process | transition;

Where:

allow - The SELinux language allow rule.

unconfined_t - The source domain (or subject) identifier - in this case the shell that wants to exec the gateway application.

ext_gateway_t - The target object identifier - the object instance of the gateway application process.

process - The target object class - the 'process' object class.

transition - The permission granted to the source domain on the target's object - in this case the unconfined_t domain has transition permission on the ext_gateway_t 'process' object.

Figure 2.6: The allow rule - Showing that the subject (the processes running in the unconfined_t domain) has been given the transition permission on the ext_gateway_t 'process' object.

It should be noted that there is more to a domain transition than described above, for a more detailed explanation, see the Domain Transition section.

2.9.3 Labeling Objects

Within a running SELinux enabled GNU / Linux system the labeling of objects is managed by the system and generally unseen by the users (until labeling goes wrong !!). As processes and objects are created and destroyed, they either:

1. Inherit their labels from the parent process or object.

2. The policy type, role and range transition statements allow a different label to be assigned as discussed in the Domain and Object Transitions section.

3. SELinux-aware applications can enforce a new label (with the policy's approval of course) using the libselinux API functions.

4. An object manager (O

    # system_u:object_r:admin_home_t:s0

2.9.3.1.1 Copying and Moving Files

Assuming that the correct permissions have been granted by the policy, the effects on the security context of a file when copied or moved differ as follows:

• copy a file - takes on the label of the new directory unless the -Z option is used.

• move a file - retains the label of the file.

However, if the restorecond daemon is running and the restorecond.conf file is correctly configured, then other security contexts can be associated to the file as it is moved or copied (provided it is a valid context and specified in the file_contexts file).

The examples below show the effects of copying and moving files:

    # These are the test files in the /root directory and their current security
    # context:
    #
    -rw-r--r-- root root unconfined_u:object_r:unconfined_t copied-file
    -rw-r--r-- root root unconfined_u:object_r:unconfined_t moved-file

    # These are the commands used to copy / move the files:
    #
    # Standard copy file:
    cp copied-file /usr/message_queue/in_queue

    # Copy using -Z to set the files context:
    cp -Z unconfined_u:object_r:unconfined_t copied-file \
        /usr/message_queue/in_queue/copied-file-with-Z

    # Standard move file:
    mv moved-file /usr/message_queue/in_queue

    # The target directory (/usr/message_queue/in_queue) is labeled 'in_queue_t'.
    # The results of 'ls -Z' on the target directory are:
    #
    -rw-r--r-- root root unconfined_u:object_r:in_queue_t copied-file
    -rw-r--r-- root root unconfined_u:object_r:unconfined_t copied-file-with-Z
    -rw-r--r-- root root unconfined_u:object_r:unconfined_t moved-file

However, if the restorecond daemon is running:

    # If the restorecond daemon is running with a restorecond.conf file entry of:
    #
    /usr/message_queue/in_queue/*

    # AND the file_contexts file has an entry of:
    #
    /usr/message_queue/in_queue(/.*)? -- system_u:object_r:in_file_t

    # Then all the entries would be set as follows when the daemon detects the files
    # creation:
    #
    -rw-r--r-- root root unconfined_u:object_r:in_file_t copied-file
    -rw-r--r-- root root unconfined_u:object_r:in_file_t copied-file-with-Z
    -rw-r--r-- root root unconfined_u:object_r:in_file_t moved-file

    # This is because the restorecond process will set the contexts defined in
    # the file_contexts file to the context specified as it is created in the
    # new directory.

This is because the restorecond process will set the contexts defined in the file_contexts file to the context specified as it is created in the new directory.
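The restorecond behaviour shown above rests on two details of file_contexts matching that are worth seeing in code: each regular expression is anchored to the whole path, and the optional type specifier (`--` regular file, `-d` directory, `-s` socket, ...) restricts the entry to one object class. The following is an added example, not code from the Notebook or from libselinux: it parses a constructed file_contexts fragment (the in_queue entries mirror the page; `default_t`, `usr_t` and `in_sock_t` lines are made up), looks up the matching entry for a path and class, and models what a relabel does to an existing context. Two assumptions are built in and marked in comments: a later entry overrides an earlier one that also matches, and, as with the page's output where the files keep `unconfined_u`, only the type is reset unless a forced relabel is requested.

```python
"""Model of file_contexts matching and the relabel restorecond applies (added example)."""
import re
from collections import namedtuple

Spec = namedtuple("Spec", "regex obj_class context")

# Constructed file_contexts fragment: the in_queue entries follow the page's
# example, the other lines are made up for illustration.
FILE_CONTEXTS = """\
/.*                                      system_u:object_r:default_t
/usr(/.*)?                               system_u:object_r:usr_t
/usr/message_queue/in_queue          -d  system_u:object_r:in_queue_t
/usr/message_queue/in_queue(/.*)?    --  system_u:object_r:in_file_t
/usr/message_queue/in_queue/.*\\.sock -s  system_u:object_r:in_sock_t
"""

# file_contexts type specifiers -> SELinux object class
TYPE_CODES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
              "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_file_contexts(text):
    """Parse 'regex [type-specifier] context' lines into Spec tuples."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, code, context = fields
            obj_class = TYPE_CODES[code]
        elif len(fields) == 2:
            pattern, context = fields
            obj_class = None            # no specifier: applies to any object class
        else:
            raise ValueError("bad file_contexts line: %r" % line)
        # The regex must match the whole path, so anchor it at both ends.
        specs.append(Spec(re.compile("^" + pattern + "$"), obj_class, context))
    return specs


def lookup(specs, path, obj_class):
    """Return the context of the matching entry, or None when nothing matches.
    Assumption: when several entries match, the one listed last wins, so the
    file is scanned in reverse."""
    for spec in reversed(specs):
        if spec.obj_class not in (None, obj_class):
            continue
        if spec.regex.match(path):
            return spec.context
    return None


def restorecon(specs, path, obj_class, current, force=False):
    """Context after a relabel. Assumption: only the type field is reset unless
    force is given, in which case the whole context is replaced."""
    wanted = lookup(specs, path, obj_class)
    if wanted is None:
        return current
    if force:
        return wanted
    fields = current.split(":", 3)
    fields[2] = wanted.split(":", 3)[2]
    return ":".join(fields)


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    queue_dir = "/usr/message_queue/in_queue"
    for name in ("copied-file", "copied-file-with-Z", "moved-file"):
        before = "unconfined_u:object_r:unconfined_t"
        after = restorecon(specs, queue_dir + "/" + name, "file", before)
        print("%-20s %s -> %s" % (name, before, after))
```

Running the block prints the three files from the page's example, each moved from `unconfined_t` to `in_file_t` while keeping the `unconfined_u` user, which is the result the page shows for the restorecond case.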

2.9.3.2 Labeling Subjects

On a running GNU / Linux system, processes inherit the security context of the parent process. If the new process being spawned has permission to change its context, then a 'type transition' is allowed that is discussed in the Domain Transition section.

The Initial Boot Loading the Policy section discusses how GNU / Linux is initialised and the processes labeled for the login process.

The policy language supports a number of statements to either assign label components or labels to processes such as:

    user, role and type statements.

and manage their scope:

    role allow and constrain

and manage their transition:

    type_transition, role_transition and range_transition

2.9.4 Object Reuse

As GNU / Linux runs, it creates instances of objects and manages the information they contain (read, write, modify etc.) under the control of processes, and at some stage these objects may be deleted or released allowing the resource (such as memory blocks and disk space) to be available for reuse.

GNU / Linux handles object reuse by ensuring that when a resource is reallocated, it is cleared. This means that when a process releases an object instance (e.g. releases allocated memory back to the pool, deletes a directory entry or file), there may be information left behind that could prove useful if harvested. If this should be an issue, then the process itself should clear or shred the information before releasing the object (which can be difficult in some cases unless the source code is available).

2.10 Computing Security Contexts

SELinux uses a number of policy language statements and libselinux functions to compute a security context via the kernel security server.

When security contexts are computed, the different kernel, userspace tools and policy versions can influence the outcome. This is because patches have been applied over the years that give greater flexibility in computing contexts. For example a 2.6.39 kernel with SELinux userspace services supporting policy version 26 can influence the computed role.

The security context is computed for an object using the following components: a source context, a target context and an object class.

The libselinux userspace functions used to compute a security context are:

    avc_compute_create(3) and security_compute_create(3)

  • 8/17/2019 The SELinux Notebook the Foundations 3rd Edition

    31/364

    The SELinux Notebook - The Foundations

    avc_compute_member(3) and security_compute_member(3)

    security_compute_relabel(3)

    Note that the kernel has equivalent functions in the security server, however they are
    not covered here.

    The policy language statements that influence a computed security context are:
    type_transition, role_transition, range_transition, type_member and type_change, and
    also their corresponding CIL language statements: typetransition / filetransition,
    roletransition, rangetransition, typemember and typechange. There are also the
    default_user, default_role, default_type and default_range statements that will be
    available in later releases.

    The sections that follow explain how security contexts are computed when using the
    libselinux functions and the policy statements that influence the outcome (note
    that the equivalent kernel services behave exactly the same).

    2.10.1 avc_compute_create and security_compute_create

    The table below [8] shows how the components from the source context scon, target
    context tcon and class tclass are used to compute the new context newcon
    (referenced by IDs for avc_compute_create(3)). The following notes also apply:

    a) Any valid policy role_transition, type_transition and range_transition
    enforcement rules will influence the final outcome as shown.

    b) For kernels less than 2.6.39 the context generated will depend on whether the
    class is process or any other class.

    c) For kernels 2.6.39 and above the following also applies:

    i. Those classes suffixed by socket will also be included in the process class
    outcome.

    ii. If there is a valid role_transition rule for tclass, then use that instead of
    the default object_r. Also requires policy version 26 or greater, see
    security_policyvers(3).

    iii. If the type_transition rule is classed as the "file name transition rule"
    (i.e. it has an object_name parameter), then provided the object name in the
    rule matches the last component of the object's name (in this case a file or
    directory name), use the rule's default_type (note CIL uses the filetransition
    rule). Also requires policy version 25 or greater.

    d) For kernels 3.5 and above with policy version 27 or greater, the default_user,
    default_role and default_range statements will influence the user, role and
    range of the computed context for the specified class tclass. With policy
    version 28 or greater the default_type statement can also influence the type in
    the computed context.

    [8] The table only contains the kernel version, the text gives the policy version
    also required.

    How each component of newcon is computed (rows are tried in order):

    user:
        If kernel >= 3.5 with a default_user tclass source rule then use scon user
        OR If kernel >= 3.5 with a default_user tclass target rule then use tcon user
        ELSE Use scon user

    role:
        If kernel >= 2.6.39 and there is a valid role_transition rule then use the rule's new_role
        OR If kernel >= 3.5 with a default_role tclass source rule then use scon role
        OR If kernel >= 3.5 with a default_role tclass target rule then use tcon role
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon role
        OR If kernel <= 2.6.38 and tclass is process, then use scon role
        ELSE Use object_r

    type:
        If there is a valid type_transition rule then use the rule's default_type
        OR If kernel >= 3.5 with a default_type tclass source rule then use scon type
        OR If kernel >= 3.5 with a default_type tclass target rule then use tcon type
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon type
        OR If kernel <= 2.6.38 and tclass is process, then use scon type
        ELSE Use tcon type

    range:
        If there is a valid range_transition rule then use the rule's new_range
        OR If kernel >= 3.5 with a default_range tclass source low rule then use scon low
        OR If kernel >= 3.5 with a default_range tclass source high rule then use scon high
        OR If kernel >= 3.5 with a default_range tclass source low_high rule then use scon range
        OR If kernel >= 3.5 with a default_range tclass target low rule then use tcon low
        OR If kernel >= 3.5 with a default_range tclass target high rule then use tcon high
        OR If kernel >= 3.5 with a default_range tclass target low_high rule then use tcon range
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon range
        OR If kernel <= 2.6.38 and tclass is process, then use scon range
        ELSE Use scon low
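As an added illustration (not code from the Notebook or from libselinux), the following Python model walks the avc_compute_create table above in the order its rows are evaluated; the rule dictionaries, the kernel-version tuple and the two gateway rules loaded into GATEWAY are constructed for the example, and the policy version the footnote mentions is not checked.

```python
# Added example, not code from The SELinux Notebook or libselinux: a Python
# model of the decision order in the avc_compute_create table above.
# Assumptions: rules live in plain dicts, the kernel version is a tuple and
# the policy version (which the table also omits) is not checked.
from dataclasses import dataclass, field


@dataclass
class Context:
    user: str
    role: str
    type: str
    range: str                      # MLS range, "low" or "low-high"

    @classmethod
    def parse(cls, text):
        # maxsplit=3 keeps a range such as s0-s0:c0.c300 in one piece
        return cls(*text.split(":", 3))

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:{self.range}"

    def bounds(self):
        """(low, high) of the range; a single level is its own high."""
        low, _, high = self.range.partition("-")
        return low, high or low


@dataclass
class Policy:
    # (source type, target type, class) -> default_type / new_range
    type_transition: dict = field(default_factory=dict)
    range_transition: dict = field(default_factory=dict)
    # (source role, target type, class) -> new_role
    role_transition: dict = field(default_factory=dict)
    # (class, "user"|"role"|"type") -> "source" | "target"
    # (class, "range") -> "source low", "target low_high", ...
    defaults: dict = field(default_factory=dict)


def process_like(tclass, kernel):
    """Classes whose new object inherits role/type/range from scon:
    process, plus the *socket classes from kernel 2.6.39."""
    if kernel >= (2, 6, 39):
        return tclass == "process" or tclass.endswith("socket")
    return tclass == "process"


def compute_create(scon, tcon, tclass, policy, kernel=(3, 5)):
    """Return newcon for object creation, following the table row by row."""
    scon, tcon = Context.parse(scon), Context.parse(tcon)
    d = policy.defaults if kernel >= (3, 5) else {}   # default_* need 3.5+
    key = (scon.type, tcon.type, tclass)

    user = tcon.user if d.get((tclass, "user")) == "target" else scon.user

    new_role = policy.role_transition.get((scon.role, tcon.type, tclass))
    if kernel >= (2, 6, 39) and new_role:
        role = new_role
    elif d.get((tclass, "role")) == "source":
        role = scon.role
    elif d.get((tclass, "role")) == "target":
        role = tcon.role
    elif process_like(tclass, kernel):
        role = scon.role
    else:
        role = "object_r"

    if key in policy.type_transition:
        type_ = policy.type_transition[key]
    elif d.get((tclass, "type")) == "source":
        type_ = scon.type
    elif d.get((tclass, "type")) == "target":
        type_ = tcon.type
    elif process_like(tclass, kernel):
        type_ = scon.type
    else:
        type_ = tcon.type

    slow, shigh = scon.bounds()
    tlow, thigh = tcon.bounds()
    by_default = {"source low": slow, "source high": shigh,
                  "source low_high": scon.range, "target low": tlow,
                  "target high": thigh, "target low_high": tcon.range}
    if key in policy.range_transition:
        rng = policy.range_transition[key]
    elif d.get((tclass, "range")) in by_default:
        rng = by_default[d[(tclass, "range")]]
    elif process_like(tclass, kernel):
        rng = scon.range
    else:
        rng = slow
    return str(Context(user, role, type_, rng))


# The two type_transition rules quoted later in this chapter (constructed).
GATEWAY = Policy(type_transition={
    ("unconfined_t", "secure_services_exec_t", "process"): "ext_gateway_t",
    ("ext_gateway_t", "in_queue_t", "file"): "in_file_t",
})
```

Running the same socket-class computation with kernel=(2, 6, 38) and kernel=(2, 6, 39) shows the role flipping between object_r and the source role, which is the version dependence the section opens with.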

    2.10.2 avc_compute_member and security_compute_member

    The table below [9] shows how the components from the source context scon, target
    context tcon and class tclass are used to compute the new context newcon
    (referenced by IDs for avc_compute_member(3)). The following notes also apply:

    a) Any valid policy type_member enforcement rules will influence the final
    outcome as shown.

    b) For kernels less than 2.6.39 the context generated will depend on whether the
    class is process or any other class.

    c) For kernels 2.6.39 and above, those classes suffixed by socket are also
    included in the process class outcome.

    d) For kernels 3.5 and above with policy version 28 or greater, the default_user,
    default_role and default_range statements will influence the user, role and
    range of the computed context for the specified class tclass. With policy
    version 28 or greater the default_type statement can also influence the type in
    the computed context.

    [9] The table only contains the kernel version, the text gives the policy version
    also required.

    How each component of newcon is computed (rows are tried in order):

    user:
        If kernel >= 3.5 with a default_user tclass source rule then use scon user
        OR If kernel >= 3.5 with a default_user tclass target rule then use tcon user
        ELSE Use tcon user

    role:
        If kernel >= 3.5 with a default_role tclass source rule then use scon role
        OR If kernel >= 3.5 with a default_role tclass target rule then use tcon role
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon role
        OR If kernel <= 2.6.38 and tclass is process, then use scon role
        ELSE Use object_r

    type:
        If there is a valid type_member rule then use the rule's member_type
        OR If kernel >= 3.5 with a default_type tclass source rule then use scon type
        OR If kernel >= 3.5 with a default_type tclass target rule then use tcon type
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon type
        OR If kernel <= 2.6.38 and tclass is process, then use scon type
        ELSE Use tcon type

    range:
        If kernel >= 3.5 with a default_range tclass source low rule then use scon low
        OR If kernel >= 3.5 with a default_range tclass source high rule then use scon high
        OR If kernel >= 3.5 with a default_range tclass source low_high rule then use scon range
        OR If kernel >= 3.5 with a default_range tclass target low rule then use tcon low
        OR If kernel >= 3.5 with a default_range tclass target high rule then use tcon high
        OR If kernel >= 3.5 with a default_range tclass target low_high rule then use tcon range
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon range
        OR If kernel <= 2.6.38 and tclass is process, then use scon range
        ELSE Use scon low


    2.10.3 security_compute_relabel

    The table below [10] shows how the components from the source context scon, target
    context tcon and class tclass are used to compute the new context newcon for
    security_compute_relabel(3). The following notes also apply:

    a) Any valid policy type_change enforcement rules will influence the final
    outcome shown in the table.

    b) For kernels less than 2.6.39 the context generated will depend on whether the
    class is process or any other class.

    c) For kernels 2.6.39 and above, those classes suffixed by socket are also
    included in the process class outcome.

    d) For kernels 3.5 and above with policy version 28 or greater, the default_user,
    default_role and default_range statements will influence the user, role and
    range of the computed context for the specified class tclass. With policy
    version 28 or greater the default_type statement can also influence the type in
    the computed context.

    [10] The table only contains the kernel version, the text gives the policy version
    also required.

    How each component of newcon is computed (rows are tried in order):

    user:
        If kernel >= 3.5 with a default_user tclass source rule then use scon user
        OR If kernel >= 3.5 with a default_user tclass target rule then use tcon user
        ELSE Use scon user

    role:
        If kernel >= 3.5 with a default_role tclass source rule then use scon role
        OR If kernel >= 3.5 with a default_role tclass target rule then use tcon role
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon role
        OR If kernel <= 2.6.38 and tclass is process, then use scon role
        ELSE Use object_r

    type:
        If there is a valid type_change rule then use the rule's change_type
        OR If kernel >= 3.5 with a default_type tclass source rule then use scon type
        OR If kernel >= 3.5 with a default_type tclass target rule then use tcon type
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon type
        OR If kernel <= 2.6.38 and tclass is process, then use scon type
        ELSE Use tcon type

    range:
        If kernel >= 3.5 with a default_range tclass source low rule then use scon low
        OR If kernel >= 3.5 with a default_range tclass source high rule then use scon high
        OR If kernel >= 3.5 with a default_range tclass source low_high rule then use scon range
        OR If kernel >= 3.5 with a default_range tclass target low rule then use tcon low
        OR If kernel >= 3.5 with a default_range tclass target high rule then use tcon high
        OR If kernel >= 3.5 with a default_range tclass target low_high rule then use tcon range
        OR If kernel >= 2.6.39 and tclass is process or *socket, then use scon range
        OR If kernel <= 2.6.38 and tclass is process, then use scon range
        ELSE Use scon low

    2.11 Domain and Object Transitions

    This section discusses the type_transition statement that is used to:

    1. Transition a process from one domain to another (a domain transition).

    2. Transition an object from one type to another (an object transition).

    These transitions can also be achieved using the libselinux API functions for
    SELinux-aware applications.

    2.11.1 Domain Transition

    A domain transition is where a process in one domain starts a new process in another
    domain under a different security context. There are two ways a process can define a
    domain transition:


    1. Using a type_transition statement, where the exec system call will
    automatically perform a domain transition for programs that are not
    themselves SELinux-aware. This is the most common method and would be in
    the form of the following statement:

    type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;

    2. SELinux-aware applications can specify the domain of the new process using
    the libselinux API call setexeccon(3). To achieve this the SELinux-aware
    application must also have the setexec permission, for example:

    allow crond_t self : process setexec;

    However, before any domain transition can take place the policy must specify that:

    1. The source domain has permission to transition into the target domain.

    2. The application binary file needs to be executable in the source domain.

    3. The application binary file needs an entrypoint into the target domain.

    The following is a type_transition statement taken from the example loadable
    module message filter ext_gateway.conf (described in the source tarball) that
    will be used to explain the transition process [11]:

    type_transition source_domain target_type : class target_domain;
    ----------------|--------------|----------------------|---------|--------------
    type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;

    This type_transition statement states that when a process running in the
    unconfined_t domain (the source domain) executes a file labeled
    secure_services_exec_t, the process should be changed to ext_gateway_t (the target
    domain) if allowed by the policy (i.e. transition from the unconfined_t domain to the
    ext_gateway_t domain).

    However, as stated above to be able to transition to the ext_gateway_t domain, the
    following minimum permissions must be granted in the policy using allow rules,
    where (note that the bullet numbers correspond to the numbers shown in Figure 2.7):

    1. The domain needs permission to transition into the ext_gateway_t (target)
    domain:

    allow unconfined_t ext_gateway_t : process transition;

    2. The executable file needs to be executable in the unconfined_t (source)
    domain, and therefore also requires that the file is readable:

    allow unconfined_t secure_services_exec_t : file { execute read getattr };

    3. The executable file needs an entrypoint into the ext_gateway_t (target)
    domain:

    [11] For reference, the external gateway uses a server application called secure_server
    that is transitioned to the ext_gateway_t domain from the unconfined_t domain. The
    secure_server executable is labeled secure_services_exec_t.


    allow ext_gateway_t secure_services_exec_t : file entrypoint;

    These are shown in Figure 2.7 where unconfined_t forks a child process, that
    then exec's the new program into a new domain called ext_gateway_t. Note that
    because the type_transition statement is being used, the transition is
    automatically carried out by the SELinux enabled kernel.

    Figure 2.7 Domain Transition - Where the secure_server is executed within the
    unconfined_t domain and then transitioned to the ext_gateway_t domain.

    2.11.1.1 Type Enforcement Rules

    When building the ext_gateway.conf and int_gateway.conf modules the
    intention was to have both of these transition to their respective domains via
    type_transition statements. The ext_gateway_t statement would be:

    type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;

    and the int_gateway_t statement would be:

    type_transition unconfined_t secure_services_exec_t : process int_gateway_t;

    However, when linking these two loadable modules into the policy, the following
    error was given:


    semodule -v -s modular-test -i int_gateway.pp -i ext_gateway.pp
    Attempting to install module 'int_gateway.pp':
    Ok: return value of 0.
    Attempting to install module 'ext_gateway.pp':
    Ok: return value of 0.
    Committing changes:
    libsepol.expand_terule_helper: conflicting TE rule for (unconfined_t, secure_services_exec_t:process): old was ext_gateway_t, new is int_gateway_t
    libsepol.expand_module: Error during expand
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule: Failed!

    This happened because the type enforcement rules will only allow a single 'default'
    type for a given source and target (see the Type Enforcement Rules section). In the
    above case there were two type_transition statements with the same source
    and target, but different default domains. The ext_gateway.conf module had the
    following statements:

    # Allow the client/server to transition for the gateways:
    allow unconfined_t ext_gateway_t : process { transition };
    allow unconfined_t secure_services_exec_t : file { read execute getattr };
    allow ext_gateway_t secure_services_exec_t : file { entrypoint };
    type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;

    And the int_gateway.conf module had the following statements:

    # Allow the client/server to transition for the gateways:
    allow unconfined_t int_gateway_t : process { transition };
    allow unconfined_t secure_services_exec_t : file { read execute getattr };
    allow int_gateway_t secure_services_exec_t : file { entrypoint };
    type_transition unconfined_t secure_services_exec_t : process int_gateway_t;

    While the allow rules are valid to enable the transitions to proceed, the two
    type_transition statements had different 'default' types (or target domains),
    which breaks the type enforcement rule.
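An added example, not the Notebook's own code nor the message filter module's: a checker that parses the allow and type_transition statements quoted above, flags type_transition rules that share source, target and class but name different default types (the conflict semodule reported), and lists which of the three minimum permissions for a domain transition are missing. The regular expressions and function names are assumptions.

```python
# Added example, not the Notebook's own code nor the message filter module's:
# a checker for the two failure modes discussed above.  It parses allow and
# type_transition statements as quoted on this page, reports type_transition
# rules that share source/target/class but differ in default type (the
# conflict semodule reported), and lists any of the three minimum allow
# permissions for a domain transition that are missing.  The regular
# expressions and function names are assumptions.
import re
from collections import defaultdict

ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;")
TT_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;")


def parse_module(text):
    """Return ({(src, tgt, class): {perms}}, [(src, tgt, class, default)])."""
    allows = defaultdict(set)
    for src, tgt, cls, many, one in ALLOW_RE.findall(text):
        allows[(src, tgt, cls)].update((many or one).split())
    return allows, TT_RE.findall(text)


def conflicting_transitions(transitions):
    """type_transition rules with one source/target/class but several defaults,
    which libsepol rejects at link time."""
    defaults = defaultdict(set)
    for src, tgt, cls, default in transitions:
        defaults[(src, tgt, cls)].add(default)
    return {k: sorted(v) for k, v in defaults.items() if len(v) > 1}


def missing_transition_perms(allows, src, exec_type, dst):
    """The allow rules this section lists as the minimum for src -> dst via a
    file labelled exec_type; returns the ones not present."""
    needed = [((src, dst, "process"), "transition"),
              ((src, exec_type, "file"), "execute"),
              ((src, exec_type, "file"), "read"),
              ((dst, exec_type, "file"), "entrypoint")]
    return [f"allow {s} {t}:{c} {p}" for (s, t, c), p in needed
            if p not in allows.get((s, t, c), set())]


def check_link(*modules):
    """Merge the modules as linking does and report conflicts and gaps."""
    allows, transitions = parse_module("\n".join(modules))
    report = {"conflicts": conflicting_transitions(transitions), "missing": {}}
    for src, tgt, cls, dst in transitions:
        if cls == "process":          # only domain transitions need the trio
            report["missing"][dst] = missing_transition_perms(allows, src, tgt, dst)
    return report


# The two modules exactly as quoted above (int_gateway differs only in name).
EXT_GATEWAY = """
# Allow the client/server to transition for the gateways:
allow unconfined_t ext_gateway_t : process { transition };
allow unconfined_t secure_services_exec_t : file { read execute getattr };
allow ext_gateway_t secure_services_exec_t : file { entrypoint };
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
"""
INT_GATEWAY = EXT_GATEWAY.replace("ext_gateway_t", "int_gateway_t")
```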

    It was decided to resolve this by:

    1. Keeping the type_transition rule for the 'default' type of ext_gateway_t and
    allowing the secure server process to be exec'ed from unconfined_t as shown in
    Figure 2.7, by simply running the command from the prompt as follows:

    # Run the external gateway 'secure server' application on port 9999 and
    # let the policy transition the process to the ext_gateway_t domain:
    secure_server 99999

    2. Use the SELinux runcon(1) command to ensure that the internal gateway
    runs in the correct domain by running runcon from the prompt as follows:

    # Run the internal gateway 'secure server' application on port 1111 and
    # use runcon to transition the process to the int_gateway_t domain:
    runcon -t int_gateway_t -r message_filter_r secure_server 1111

    # Note - The role is required as a role transition that is defined in the
    # policy.

    The runcon command makes use of a number of libselinux API functions to check the
    current context and set up the new context (for example getfilecon(3) is used to get
    the executable file's context and setexeccon(3) is used to set the new process
    context). If all the contexts are correct, then the execvp() system call is executed
    that exec's the secure_server application with the argument of '1111' into the
    int_gateway_t domain with the message_filter_r role. The runcon source can be
    found in the coreutils package.

    Other ways to resolve this issue are:

    1. Use the runcon command for both gateways to transition to their respective
    domains. The type_transition statements are therefore not required.

    2. Use different names for the secure server executable files and ensure they have
    a different type (i.e. instead of secure_services_exec_t label the external gateway
    ext_gateway_exec_t and the internal gateway int_gateway_exec_t). This would
    involve making a copy of the application binary (which has already been done as part
    of the module testing by calling the server 'server' and labeling it unconfined_t and
    then making a copy called secure_server and labeling it secure_services_exec_t).

    3. Implement the policy using the Reference Policy utilising the template interface
    principles discussed in the template


    This type_transition statement states that when a process running in the
    ext_gateway_t domain (the source domain) wants to create a file object in the
    directory that is labeled in_queue_t, the file should be relabeled in_file_t if allowed by
    the policy (i.e. label the file in_file_t).

    However, as stated above to be able to create the file, the following minimum
    permissions need to be granted in the policy using allow rules, where:

    1. The source domain needs permission to add file entries into the directory:

    allow ext_gateway_t in_queue_t : dir { write search add_name };

    2. The source domain needs permission to create file entries:

    allow ext_gateway_t in_file_t : file { write create getattr };

    3. The policy can then ensure (via the SELinux kernel services) that files created
    in the in_queue are relabeled:

    type_transition ext_gateway_t in_queue_t : file in_file_t;

    An example output from a directory listing shows the resulting file labels:

    ls -Za /usr/message_queue/in_queue
    drwxr-xr-x root root unconfined_u:object_r:in_queue_t .
    drwxr-xr-x root root system_u:object_r:unconfined_t ..
    -rw-r--r-- root root unconfined_u:object_r:in_file_t Message-1
    -rw-r--r-- root root unconfined_u:object_r:in_file_t Message-

    2.12 Multi-Level Security and Multi-Category Security

    As stated in the

    Figure 2.8 (caption truncated in this copy)

    Using Figure 2.9:

    1. To allow write-up, the source level (ls) must be dominated by the target
    level (lt):

    Source level = s0:c3 or s1:c1
    Target level = s2:c1.c4

    As can be seen, either of the source levels is dominated by the target level.

    2. To allow read-down, the source level (ls) must dominate the target level
    (lt):

    Source level = s2:c1.c4
    Target level = s0:c3

    As can be seen, the source level does dominate the target level.

    However in the real world the SELinux
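Added example (not from the Notebook): a parser for the level notation used above (s0:c3, s2:c1.c4, and category lists such as c0,c100) together with the dominance test behind the write-up and read-down rules; the function names are assumptions, and the check also reports levels that are incomparable, which is the case neither rule allows.

```python
# Added example, not from the Notebook: parse the MLS/MCS level notation used
# above and apply the dominance rule behind write-up and read-down.  The
# level strings are the page's; the function names are assumptions.
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_level(text):
    """'s2:c1.c4' -> (2, {1, 2, 3, 4}); 'c0,c100' lists and 'c1.c4' ranges."""
    m = LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad level: {text!r}")
    sens, cats = int(m.group(1)), set()
    for part in filter(None, (m.group(2) or "").split(",")):
        lo, _, hi = part.partition(".")
        lo = int(lo.lstrip("c"))
        hi = int(hi.lstrip("c")) if hi else lo
        if hi < lo:
            raise ValueError(f"bad category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return sens, cats


def dominates(a, b):
    """a dominates b when a's sensitivity is >= b's and a's categories are a
    superset of b's (MLS requires both conditions together)."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and ca >= cb


def write_up_allowed(source, target):
    # write-up: the source level must be dominated by the target level
    return dominates(target, source)


def read_down_allowed(source, target):
    # read-down: the source level must dominate the target level
    return dominates(source, target)


def relation(a, b):
    """'equal', 'dominates', 'dominated by' or 'incomparable' (neither side
    dominates, e.g. disjoint categories), which blocks both directions."""
    down, up = dominates(a, b), dominates(b, a)
    if down and up:
        return "equal"
    if down:
        return "dominates"
    return "dominated by" if up else "incomparable"


def parse_range(text):
    """'s0-s0:c0.c300' -> (low, high); a bare level is its own high."""
    low, _, high = text.partition("-")
    return parse_level(low), parse_level(high or low)
```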


    only, Red Hat CAPP and LSPP. Therefore always look at the protection
    profiles as they define what was actually evaluated.

    2.13 Types of SELinux Policy

    This section describes the different types of policy descriptions and versions that
    can be found within SELinux.

    The types of SELinux policy can be described in a number of ways:

    1. Source code - These can be described as: Example, Reference Policy or
    Custom.

    2. The source code descriptions or builds can also be subclassified as:


    2.13.3 Policy Functionality Based on Name or Type

    Generally a policy is installed with a given name such as targeted, mls,
    refpolicy or minimum that attempts to describe its functionality. This name then
    becomes the entry in:

    1. The directory pointing to the policy location (e.g. if the name is targeted,
    then the policy will be installed in /etc/selinux/targeted).

    2. The SELINUXTYPE entry in the /etc/selinux/config file when it is
    the active policy (e.g. if the name is targeted, then a
    SELINUXTYPE=targeted entry would be in the /etc/selinux/config file).

    This is how the reference policies distributed with F17 are named, where:

    minimum - supports a minimal set of confined daemons within their own
    domains. The remainder run in the unconfined_t space. Red Hat pre-
    configure

    2.13.5 Monolithic Policy

    flag. This is often used to enable or disable features within the policy (i.e. change the
    policy enforcement rules).

    The boolean flag status is held in kernel and can be changed using the
    setsebool(8) command either persistently across system reboots or temporarily
    (i.e. only valid until a reboot). The following example shows a persistent conditional
    policy change:

    setsebool -P ext_gateway_audit false

    The conditional policy language statements are the bool Statement that defines the
    boolean flag identifier and its initial status, and the if Statement that allows certain
    rules to be executed depending on the state of the boolean value or values.

    2.13.7 Binary Policy

    The binary policy is the policy file that is loaded into the kernel and is always located
    at /etc/selinux/$SELINUXTYPE/policy/policy.$version. Where
    $SELINUXTYPE is the policy name specified in the SELinux configuration file
    /etc/selinux/config and $version is the SELinux policy version.

    The binary policy can be built from source files supplied by the Example Policy, the
    Reference Policy or custom built source files as described in the 'Sample Policy
    Source' Notebook.

    An example /etc/selinux/config file is shown below where the
    SELINUXTYPE=targeted entry identifies the policy name that will be used to
    locate and load the active policy:

    SELINUX=permissive
    SELINUXTYPE=targeted

    From the above example, the actual binary policy file would be located at
    /etc/selinux/targeted/policy and be called policy.26 (as version 26
    is supported by F16):

    /etc/selinux/targeted/policy/policy.26

    2.13.8 Policy Versions

    SELinux has a policy database (defined in the libsepol library) that describes the
    format of data held within a binary policy, however, if any new features are added to
    SELinux (generally language extensions) this can result in a change to the policy
    database. Whenever the policy database is updated, the policy version is incremented.

    The sestatus(8) command will show the maximum policy version number
    supported by the kernel in its output as follows:

    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    Current mode: enforcing


    Mode from config file: permissive
    Policy version: 26
    Policy from config file: modular-test

    The F16 kernel policy version is '26' with Table 3 describing the different versions.
    There is also another version that applies to the modular policy, however the main
    policy database version is the one that is generally quoted (some SELinux utilities
    give both version numbers).

    policy db version | modular db version | Description
    15 | 4 | The base version when SELinux was merged into the kernel.
    16 | | Added Conditional Policy support (the bool feature).
    17 | | Added support for IPv6.
    18 | | Added Netlink support.
    19 | 5 | Added


    policy db version | modular db version | Description
    28 | 16 | Support setting object defaults for the type component when computing a new context. Requires kernel 3.5 minimum.
    29 | 16 | Adds an IP address to the SELinux port statement via a SELinux node label. Note that the kernel and userspace versions containing this feature are not yet known.

    Table 3 Policy versions


    Keyword | Description
    type | For SELinux AVC events this can be:
        type=AVC for kernel events
        type=USER_AVC for userspace object manager events
      Note that once the AVC event has been logged, another event with
      type=SYSCALL may follow that contains further information regarding the event.
      The AVC event can always be tied to the relevant SYSCALL event as they have the
      same serial_number in the msg=audit(time:serial_number) field as shown in the
      following example (the numeric values are not recoverable from this copy and are
      shown as placeholders):

    type=AVC msg=audit(<time>:<serial_number>): avc: denied { getattr } for pid=<pid> comm="ls" path="/usr/lib/locale/locale-archive" dev=dm-0 ino=<ino>


    Keyword | Description
    fport |
    path | If a File Socket event then log the path (AF_UNIX).
    saddr, src, daddr, dest, netif | If a Network event then log the Source / Destination addresses and ports with the network interface for IPv4 or IPv6 networks (AF_INET).
    sauid, hostname, addr, terminal | IPSec security association identifiers.
    resid, restype | X-Windows resource ID and type.
    scontext | The security context of the source or subject.
    tcontext | The security context of the target or object.
    tclass | The object class of the target or object.

    Table 4 AVC Audit Message Description
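Added example, not from the Notebook: a parser for records of the form type=X msg=audit(time:serial_number): ... that ties each AVC record to the SYSCALL record carrying the same serial number, as the type row of the table above describes, and then lists the denials with the scontext, tcontext and tclass keywords from the table. The sample records are constructed and the function names are assumptions.

```python
# Added example, not from the Notebook: a parser for audit records of the
# form "type=X msg=audit(time:serial): key=value ..." that joins each AVC
# (or USER_AVC) record to the SYSCALL record with the same serial number,
# as the type keyword row above describes.  The sample records below are
# constructed, and the function names are assumptions.
import re
from collections import defaultdict

HEAD_RE = re.compile(r"^type=(\S+)\s+msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Return a dict for one record, or None if the line is not audit format."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rtype, time, serial, body = m.groups()
    rec = {"type": rtype, "time": time, "serial": int(serial)}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    if rtype in ("AVC", "USER_AVC"):
        perms = PERMS_RE.search(body)          # avc: denied { getattr } for ...
        rec["perms"] = perms.group(1).split() if perms else []
        rec["decision"] = "denied" if " denied " in body else "granted"
    return rec


def correlate(lines):
    """Group records by serial; keep only serials that carry an AVC record."""
    groups = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] in ("AVC", "USER_AVC"):
            groups[rec["serial"]]["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            groups[rec["serial"]]["syscall"] = rec
    return {s: g for s, g in groups.items() if g["avc"]}


def denials(lines):
    """(serial, perms, scontext, tcontext, tclass, exe) per denied AVC, with
    exe taken from the tied SYSCALL record when one was logged."""
    out = []
    for serial, g in sorted(correlate(lines).items()):
        exe = (g["syscall"] or {}).get("exe")
        for avc in g["avc"]:
            if avc["decision"] == "denied":
                out.append((serial, " ".join(avc["perms"]), avc.get("scontext"),
                            avc.get("tcontext"), avc.get("tclass"), exe))
    return out


# Constructed sample: one denial with its SYSCALL record, one granted AVC
# without a SYSCALL record, and one unrelated record type.
SAMPLE = [
    'type=AVC msg=audit(1300000001.100:41): avc:  denied  { getattr } for  '
    'pid=2140 comm="ls" path="/usr/lib/locale/locale-archive" dev=dm-0 ino=3 '
    'scontext=unconfined_u:unconfined_r:ext_gateway_t:s0 '
    'tcontext=system_u:object_r:locale_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1300000001.100:41): arch=c000003e syscall=4 '
    'success=no exit=-13 comm="ls" exe="/usr/bin/ls" '
    'subj=unconfined_u:unconfined_r:ext_gateway_t:s0',
    'type=AVC msg=audit(1300000002.200:42): avc:  granted  { transition } for  '
    'pid=2141 comm="secure_server" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:ext_gateway_t:s0 tclass=process',
    'type=CRED_ACQ msg=audit(1300000003.300:43): pid=2142 uid=0 auid=1000',
]
```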

    type=USER_AVC msg=audit(

    Change boolean value | MAC_CONFIG_CHANGE | This event was generated when
    setsebool(8) was run to change a boolean. Note that the boolean name plus new
    and old values are shown in the MAC_CONFIG_CHANGE type event with the
    SYSCALL event showing what process executed the change.

    type=MAC_CONFIG_CHANGE msg=audit(

    type=SELINUX_ERR msg=audit(<time>:<serial_number>): op=security_bounded_transition result=denied oldcontext=system_u:system_r:httpd_t:s0-s0:c0.c300 newcontext=system_u:system_r:anon_webapp_t:s0-s0:c0,c100,c200
    type=SYSCALL msg=audit(<time>:<serial_number>): arch=c000003e syscall=1 success=no exit=-1 a0=b a1=

    To clarify polyinstantiation support:

    1. SELinux has libselinux functions and a policy rule to support
    polyinstantiation.

    2. The polyinstantiation of directories is a function of GNU / Linux not SELinux
    (or more correctly, the GNU / Linux services such as PAM have been modified to
    support polyinstantiation of directories and have also been made SELinux-aware.
    Therefore their services can be controlled via policy).

    3. The polyinstantiation of X-windows selections and properties is a function of
    the XSELinux Object


    2. Entries added to the /etc/security/namespace.conf file that define
    the directories to be polyinstantiated by PAM (and other services that may
    need to use the namespace service). The entries are explained in the
    namespace.conf Configuration File section, with the default entries in F17
    being (note that the entries are commented out in the distribution):

    #polydir instance-prefix method list_of_uids
    /tmp /tmp-inst/ level root,adm
    /var/tmp /var/tmp/tmp-inst/ level root,adm
    $HOME $HOME/$USER.inst/ level

    Once these files have been configured and a user logs in (although not root or adm
    in the above example), the PAM pam_namespace module would unshare the
    current namespace from the parent and mount namespaces according to the rules
    defined in the namespace.conf file. The F17 configuration also includes an
    /etc/security/namespace.init script that is used to initialise the
    namespace every time a new directory instance is set up. This script receives four
    parameters: the polyinstantiated directory path, the instance directory path, a flag to
    indicate if a new instance, and the user name. If a new instance is being set up, the
    directory permissions are set and the restorecon(8) command is run to set the
    correct file contexts.

    2.16.2.1 namespace.conf Configuration File

    Each line in the namespace.conf file is formatted as follows:

    polydir instance_prefix method list_of_uids

    Where:

    polydir - The absolute path name of the directory to polyinstantiate. The optional
    strings $USER and $HOME will be replaced by the user name and home directory
    respectively.

    instance_prefix - A string prefix used to build the pathname for the polyinstantiated
    directory. The optional strings $USER and $HOME will be replaced by the user name
    and home directory respectively.

    method - This is used to determine the method of polyinstantiation with valid
    entries being:

    user - Polyinstantiation is based on user name.

    level - Polyinstantiation is based on the user name and

  • 8/17/2019 The SELinux Notebook the Foundations 3rd Edition

    60/364

    The SELinux Notebook - The Foundations

    list_of_uids 5 comma separated *ist o" ser names that -i** not ha+e po*yinstantiated directories. /" b*an4, then a** sers are

     po*yinstantiated. /" the *ist is preceded -ith an ?]T

    character, then on*y the sers in the *ist -i** ha+e

     po*yinstantiated directories.

    here are a nmber o" optiona* "*ags a+ai*ab*e that are

    described in the namespace(conf!


# user name as a part of the polyinstantiated directory
# name as follows:
#   /tmp      /tmp/tmp-inst/unconfined_u:unconfined_r:unconfined_t_rch
#   /var/tmp  /var/tmp/tmp-inst/unconfined_u:unconfined_r:unconfined_t_rch
#   $HOME     /home/rch/rch.inst/unconfined_u:unconfined_r:unconfined_t_rch
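The namespace.conf fields described above, together with the instance naming shown in the comment excerpt, as an added example (not code from the Notebook or from pam_namespace): a small resolver that parses namespace.conf lines, applies the list_of_uids rules (blank, exclusion list, '~' inclusion list), expands $USER and $HOME and builds the per-user instance directory. The sample configuration, the user names and the context string are constructed; the 'level' naming (prefix + context + '_' + user) follows the page's comment example and is an assumption about pam_namespace's exact form.

```python
"""Resolve pam_namespace instance directories from namespace.conf lines.

Added example, not code from the SELinux Notebook or from pam_namespace.
Covers the documented fields only: polydir, instance_prefix, method and
list_of_uids (blank = all users, names = all but those, '~names' = only those).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the F17 default entries uncommented, plus one '~' line.
SAMPLE_CONF = """\
#polydir instance-prefix method list_of_uids
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/ level
/srv/scratch /srv/scratch-inst/ user ~rch,bob
"""


@dataclass
class PolyDir:
    polydir: str
    instance_prefix: str
    method: str
    uids: List[str]     # names given in list_of_uids
    only_listed: bool   # True when list_of_uids began with '~'


def parse_namespace_conf(text: str) -> List[PolyDir]:
    """Parse namespace.conf text; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed namespace.conf line: {raw!r}")
        uid_field = fields[3] if len(fields) > 3 else ""
        only_listed = uid_field.startswith("~")
        uids = [u for u in uid_field.lstrip("~").split(",") if u]
        entries.append(PolyDir(fields[0], fields[1], fields[2], uids, only_listed))
    return entries


def applies_to(entry: PolyDir, user: str) -> bool:
    """list_of_uids rule: blank applies to everyone, names exempt those users,
    a '~' list restricts polyinstantiation to the listed users."""
    if entry.only_listed:
        return user in entry.uids
    return user not in entry.uids


def expand(path: str, user: str, home: str) -> str:
    """Substitute the optional $USER and $HOME strings."""
    return path.replace("$USER", user).replace("$HOME", home)


def instance_dir(entry: PolyDir, user: str, home: str,
                 context: Optional[str] = None) -> Optional[str]:
    """Per-user instance directory, or None when the user is exempt.
    'user' method: prefix + user name.  'level' method: prefix + context + '_'
    + user, the form shown in the Notebook's comment excerpt (an assumption
    about the exact naming; pam_namespace derives it from the SELinux context)."""
    if not applies_to(entry, user):
        return None
    prefix = expand(entry.instance_prefix, user, home)
    if entry.method == "user":
        return prefix + user
    if entry.method == "level":
        if context is None:
            raise ValueError("level method needs the user's security context")
        return prefix + context + "_" + user
    raise ValueError(f"unsupported method {entry.method!r}")


def resolve_all(text: str, user: str, home: str, context: str):
    """Map each polydir (with $USER/$HOME expanded) to its instance directory."""
    return {expand(e.polydir, user, home): instance_dir(e, user, home, context)
            for e in parse_namespace_conf(text)}
```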

2.1.3 Polyinstantiation support in PAM

gdm, gdm-autologin, login, remote and sshd, and at various points in this Notebook the gdm configuration file has been modified to allow root login and the pam_namespace.so module used to manage polyinstantiated directories for users.

There are also a number of PAM related configuration files in /etc/security, although only one is directly related to SELinux and that is described in the /etc/security/sepermit.conf file section.

The main login service related PAM configuration files (e.g. gdm) consist of multiple lines of information that are formatted as follows:

service type control module-path arguments

Where:

service       The service name such as gdm and login reflecting the login application. If there is a /etc/pam.d directory, then this is the name of a configuration file under this directory. Alternatively, a configuration file called /etc/pam.conf can be used. F17 uses the /etc/pam.d configuration.

type          These are the management groups used by PAM with valid entries being: account, auth, password and session that correspond to the descriptions given above. Where there are multiple entries of the same <type>, the order they appear could be significant.

control       This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as required, optional, and include or multiple space separated entries enclosed in square brackets consisting of:
              [value1=action value2=action ..]
              Both formats are shown in the example file below, however see the pam.conf man pages for the gory details.

module-path   Either the full path name of the module or its location relative to /lib/security (but does depend on the system architecture).

arguments     A space separated list of the arguments that are defined for the module.

An example PAM configuration file is as follows, although note that the <service> parameter is actually the file name because F17 uses the /etc/pam.d directory configuration (in this case gdm for the Gnome login service).

# /etc/pam.d/gdm configuration rule entry.
# SERVICE = file name (gdm)
# TYPE CONTROL MODULE-PATH ARGUMENTS
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session re


2.14.1 The LSM Module

The LSM is the Linux security framework that allows 3rd party access control mechanisms to be linked into the GNU / Linux kernel. Currently there are five 3rd party services that utilise the


[Table residue: LSM hook groups listed as Program execution, Filesystem operations, Inode operations, File operations, Task operations, Netlink messaging, Unix domain networking, Socket operations, XFRM operations, Key ...]


2.14.2 The SELinux Module

This section does not go into detail of all the SELinux module functionality as [Ref. 6] does this, however it attempts to highlight the way some areas work by using the fork and transition process example described in the Domain Transition section and also by describing the boot process.

The major kernel SELinux source files (relative to ./linux-3.3/security/selinux) that form the SELinux security module are shown in Table 8. The diagrams shown in Figure 2.2 and Figure 2.12 can be used to see how some of these kernel source modules fit together.

[Table 8: Name / Function (table body not recovered)]



The context_struct_compute_av() function carries out many checks to validate whether access is allowed. The steps are (assuming the access is valid):

a) Initialise the AV structure so that it is clear.

b) Check the object class and permissions are correct. It also checks the status of the allow_unknown flag (see the SELinux Filesystem, /etc/selinux/semanage.conf file and Reference Policy Build Options build.conf UNK_PERMS sections).

c) Check if there are any type enforcement rules (ALLOW, AUDIT_ALLOW, AUDIT_DENY).

d) Check whether any conditional statements are involved via the cond_compute_av() function in conditional.c.

e) Remove permissions that are defined in any constraint via the constraint_expr_eval() function call (in services.c). This function will also check any


Figure 2.10: Hooks for the fork system call

hooks.c - This contains the SELinux functions. Note that the task_create function also calls a function in the secondary_ops function table.

static int selinux_task_create(unsigned long clone_flags)
{
    int rc;

    rc = secondary_ops->task_create(clone_flags);
    if (rc)           /* If secondary gives error, then return */
        return rc;

    return task_has_perm(current, current, PROCESS__FORK);
}
....

static int task_has_perm(struct task_struct *tsk1, struct task_struct *tsk2,
                         u32 perms)
{
    struct task_security_struct *tsec1, *tsec2;

    tsec1 = tsk1->security;
    tsec2 = tsk2->security;
    return avc_has_perm(tsec1->sid, tsec2->sid, SECCLASS_PROCESS, perms, NULL);
}

capability.c

static int cap_task_create(unsigned long clone_flags)
{
    return 0;
}

secondary_ops function pointer structure - This contains a pointer to the task_create function in capability.c:

security_task_create -> cap_task_create

selinux/ss/services.c - This contains the Security Server functions. The call to security_compute_av will result in the security server checking whether the requested access is allowed or not and return the result to the calling function.


2.14.2.2 Process Transition Walk-through

This section walks through the execve() and checking whether a process transition to the ext_gateway_t domain is allowed, and if so obtain a new SID for the context (unconfined_u:message_filter_r:ext_gateway_t) as shown in Figure 2.7.

The process starts with the Linux operating system issuing a do_execve() call from the CPU specific architecture code to execute a new program (for example, from arch/ia64/kernel/process.c). The do_execve() function is located in the fs/exec.c source code module and does the loading and final exec as described below.

do_execve() has a number of calls to security_bprm_* functions that are a part of the LSM (see security.h), and are hooked by SELinux during the initialisation process (in hooks.c). Table 9 briefly describes these security_bprm functions that are hooks for validating program loading and execution (although see security.h or [Ref. 6] for greater detail).

[Table 9: LSM / SELinux Function (table body not recovered)]


The security_bprm_alloc() -> selinux_bprm_alloc_security() function is then called (in hooks.c) where SELinux will allocate memory for the bprm security structure and set the bsec->set flag to 0 indicating this is the first time through this process for this exec request.

2. Via the prepare_binprm() function call the UID and GIDs are checked and a call issued to security_bprm_set() that will carry out the following:

a) The selinux_bprm_set_security() function will call the secondary_ops->bprm_set_security function in capability.c, that is effectively a noop.

b) The bsec->set flag will be checked and if 1 will return as this function can be called multiple times during the exec process.

c) The target SID is checked to see whether a transition is required (in this case it is), therefore a call will be made to the security_transition_sid() function in services.c. This function will compute the SID for a new subject or object (subject in this case) via the security_compute_sid() function that will (assuming there are no errors):

i. Search the SID table for the source and target SIDs.
ii. Set the SELinux user identity.
iii. Set the source role and type.
iv. Check that a type_transition rule exists in the AV table and / or the conditional AV table (see Figure 2.12).
v. If a type_transition, then also check for a role_transition (there is a role change in the ext_gateway.conf policy module), set the role.
vi. Check if any


this part of the function is not executed again for this exec, finally control is passed back to the do_execve function.

3. Various strings are copied (args etc.) and a check is made to see if the exec succeeded or not (in this case it did), therefore the security_bprm_free() function is called to free the bprm security structure.

4. The End.


[Figure 2.11: ... required to check if a transition is allowed from the unconfined_t domain to the ext_gateway_t domain. (figure body not recovered)]


[Figure 2.12: The Main LSM SELinux Modules - The fork and exec functions link to Figure 2.7 where the transition process is described. (figure body not recovered)]


2.14.2.3 SELinux Filesystem

Table 10 shows the information contained in the SELinux filesystem (selinuxfs) /sys/fs/selinux (or /selinux on older systems) where the SELinux kernel exports information regarding its configuration and active policy. selinuxfs is a read/write interface used by SELinux library functions such as the libselinux library for userspace SELinux-aware applications and object managers. Note that while it is possible for userspace applications to read/write to this interface, it is not recommended; use the libselinux library.

selinuxfs Directory and File Names / Permissions / Comments

/sys/fs/selinux   Directory
    This is the root directory where the SELinux kernel exports relevant information regarding its configuration and active policy for use by the libselinux library.

access   -rw-rw-rw-
    Compute access decision interface that is used by the security_compute_av(3), security_compute_av_flags(3), avc_has_perm(3) and avc_has_perm_noaudit(3) functions.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the security_compute_av_user function to compute the new SID that is then converted to a context string.
    Requires security {compute_av} permission.

checkreqprot   -rw-r--r--
    0 = Check requested protection applied by kernel.
    1 = Check protection requested by application. This is the default.
    These apply to the mmap and mprotect kernel calls. The default value can be changed at boot time via the checkreqprot= parameter.
    Requires security {setcheckreqprot} permission.

commit_pending_bools   --w-------
    Commit new boolean values to the kernel policy.
    Requires security {setbool} permission.

context   -rw-rw-rw-
    Validate context interface used by the security_check_context(3) function.
    Requires security {check_context} permission.


create   -rw-rw-rw-
    Compute create labeling decision interface that is used by the security_compute_create(3) and avc_compute_create(3) functions.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the security_transition_sid_user function to compute the new SID that is then converted to a context string.
    Requires security {compute_create} permission.

deny_unknown   -r--r--r--
reject_unknown   -r--r--r--
    These two files export deny_unknown (read by the security_deny_unknown(3) function) and reject_unknown status to user space. These are taken from the handle-unknown parameter set in the /etc/selinux/semanage.conf file when policy is being built and are set as follows:
    deny:reject
    0:0 = Allow unknown object class / permissions. This will set the returned AV with all 1's.
    1:0 = Deny unknown object class / permissions (the default). This will set the returned AV with all 0's.
    1:1 = Reject loading the policy if it does not contain all the object classes / permissions.

disable   --w-------
    Disable SELinux until next reboot.

enforce   -rw-r--r--
    Get or set enforcing status.
    Requires security {setenforce} permission.

load   -rw-------
    Load policy interface.
    Requires security {load_policy} permission.

member   -rw-rw-rw-
    Compute polyinstantiation membership decision interface that is used by the security_compute_member(3) and avc_compute_member(3) functions.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the security_member_sid function to compute the new SID that is then converted to a context string.
    Requires security {compute_member} permission.

mls   -r--r--r--
    Returns 1 if


null   crw-rw-rw-
    The SELinux equivalent of /dev/null for file descriptors that have been redirected by SELinux.

policyvers   -r--r--r--
    Returns the supported policy version for the kernel. Read by the security_policyvers(3) function.

relabel   -rw-rw-rw-
    Compute relabeling decision interface that is used by the security_compute_relabel(3) function.
    The kernel security server (see services.c) converts the contexts to SIDs and then calls the security_change_sid function to compute the new SID that is then converted to a context string.
    Requires security {compute_relabel} permission.

status   -r--r--r--
    This can be used to obtain enforcing mode and policy load changes with much less overhead than using the libselinux netlink / call backs. This was added for Object


/sys/fs/selinux/avc   Directory
    This directory contains information regarding the kernel AVC that can be displayed by the avcstat command.

cache_stats   -r--r--r--
    Shows the kernel AVC lookups, hits, misses etc.

cache_threshold   -rw-r--r--
    The default value is 512, however caching can be turned off (but performance suffers) by:
    echo 0 > /selinux/avc/cache_threshold
    Requires security {setsecparam} permission.

hash_stats   -r--r--r--
    Shows the number of kernel AVC entries, longest chain etc.

/sys/fs/selinux/booleans   Directory
    This directory contains one file for each boolean defined in the active policy.

secmark_audit ......   -rw-r--r--
    Each file contains the current and pending status of the boolean (0 = false or 1 = true). The getsebool(8), setsebool(8) and sestatus -b commands use this interface via the libselinux library functions.

/sys/fs/selinux/initial_contexts   Directory
    This directory contains one file for each initial SID defined in the active policy.

any_socket, devnull .....   -r--r--r--
    Each file contains the initial context of the initial SID as defined in the active policy (e.g. any_socket was assigned system_u:object_r:unconfined_t).

/sys/fs/selinux/policy_capabilities   Directory
    This directory contains the policy capabilities that have been configured by default in the kernel via the policycap statement in the active policy. These are generally new features that can be enabled for testing by using the policycap statement in policy.

network_peer_controls   -r--r--r--
    For the F17 Reference Policy this file contains '1' (true) which means that the following network_peer_controls are enabled by default:
    node: sendto recvfrom
    netif: ingress egress
    peer: recv

open_perms   -r--r--r--
    For the F17 Reference Policy this file contains '1' (true) which means that open permissions are enabled by default on the following objects: dir, file, fifo_file, chr_file, blk_file.

ptrace_child   -r--r--r--
    This will be enabled in kernel 3.4 to allow finer control of ptrace. Requires policy support and the security class permission ptrace_child.


/sys/fs/selinux/class   Directory
    This directory contains a list of classes and their permissions as defined within the policy.

/sys/fs/selinux/class/appletalk_socket   Directory
    Each class has its own directory where each one is named using the appropriate class statement from the policy (i.e. class appletalk_socket). Each directory contains the following:

index   -r--r--r--
    This file contains the allocated class number (e.g. appletalk_socket is '56' in flask.h).

/sys/fs/selinux/class/appletalk_socket/perms   Directory
    This directory contains one file for each permission defined in the policy.

accept, append, bind ....   -r--r--r--
    Each file is named by the permission assigned in the policy and contains a number that represents its position in the list (e.g. accept is the 14th permission listed in av_permission.h for appletalk_socket and therefore contains '14').

Table 10: /selinux File and Directory
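An added example (not code from the Notebook or from libselinux) that reads the Table 10 interfaces from a selinuxfs root passed as a parameter, so it can be exercised against a constructed tree: it decodes deny_unknown / reject_unknown with the deny:reject pairs above, the 'current pending' boolean files, and the class index and perms position files, mapping a permission at position N to AV bit 1 << (N-1), which is how the kernel's selinuxfs numbers them. The constructed tree takes only the appletalk_socket index 56 and the accept position 14 from the page; every other value in it is made up.

```python
"""Read the selinuxfs interfaces of Table 10 from a given root directory.

Added example, not code from the SELinux Notebook or from libselinux. The root
is a parameter so the functions can be exercised against a constructed tree;
on a real system the root would be /sys/fs/selinux (applications should still
prefer libselinux, as the text notes).
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _read(path: Path) -> str:
    return path.read_text().strip()


def handle_unknown(root: str) -> str:
    """Decode deny_unknown / reject_unknown with the deny:reject pairs of Table 10."""
    pair = (_read(Path(root) / "deny_unknown"), _read(Path(root) / "reject_unknown"))
    return {("0", "0"): "allow", ("1", "0"): "deny", ("1", "1"): "reject"}[pair]


def booleans(root: str) -> Dict[str, Tuple[bool, bool]]:
    """Each booleans/<name> file holds 'current pending' (0 = false, 1 = true)."""
    result = {}
    for f in sorted((Path(root) / "booleans").iterdir()):
        current, pending = _read(f).split()
        result[f.name] = (current == "1", pending == "1")
    return result


def class_index(root: str, cls: str) -> int:
    """class/<cls>/index holds the allocated class number."""
    return int(_read(Path(root) / "class" / cls / "index"))


def perm_bits(root: str, cls: str) -> Dict[str, int]:
    """class/<cls>/perms/<perm> holds the 1-based position of the permission;
    the kernel's AV bit for that permission is 1 << (position - 1)."""
    perms_dir = Path(root) / "class" / cls / "perms"
    return {f.name: 1 << (int(_read(f)) - 1) for f in perms_dir.iterdir()}


def describe_av(root: str, cls: str, av: int) -> List[str]:
    """Names of the permissions set in an access vector, e.g. one returned
    through the 'access' interface."""
    return sorted(name for name, bit in perm_bits(root, cls).items() if av & bit)


def build_sample_selinuxfs() -> str:
    """Constructed tree mirroring the page's examples (not a kernel export).
    Only the appletalk_socket index (56) and the accept position (14) come
    from the text; every other value is made up for the example."""
    root = tempfile.mkdtemp(prefix="selinuxfs-sample-")
    files = {
        "enforce": "1",
        "deny_unknown": "1",
        "reject_unknown": "0",
        "booleans/secmark_audit": "0 0",
        "booleans/example_bool": "1 0",
        "class/appletalk_socket/index": "56",
        "class/appletalk_socket/perms/read": "2",
        "class/appletalk_socket/perms/bind": "11",
        "class/appletalk_socket/perms/accept": "14",
    }
    for rel, value in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(value + "\n")
    return root
```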


2.16 libselinux Library

libselinux contains all the SELinux functions necessary to build userspace SELinux-aware applications and object managers using the 'C', Python, Ruby and PHP languages.

The library hides the low level functionality of (but not limited to):

• The SELinux filesystem that interfaces to the SELinux kernel security server.

• The proc filesystem that maintains process state information and security contexts, see proc(5)


[Table residue: libselinux function groups, of which only "Socket Creation Labeling - Get and set socket creation contexts." and "User Session" survive]


2.20 SELinux Networking Support

SELinux supports the following types of network labeling:

Internal labeling - This is where network objects are labeled and managed internally within a single machine (i.e. their labels are not transmitted as part of the session with remote systems). There are three types supported: those known as 'compat_net' controls that label nodes, interfaces and ports; SEC


The current SELinux port definition does not include an IP address which makes it difficult to restrict connect() and bind() operations using SELinux. Policy version 29 solves this problem by adding an IP address to the SELinux port definition via a SELinux node label (however, note that the kernel and userspace versions containing this feature are not yet known).

2.20.2