Understanding SELinux, Part 3

PortCon

PortCon, or Port Security Contexts, are similar to File Security Contexts but are applied to network ports rather than files. In an SELinux policy, access by subjects to the various ports is critical, and portcon labels are assigned based on the protocol and the port number or port range.

As an example, under the SELinux Targeted Policy, the httpd subject may only listen on its standard ports. If the system administrator changes the default port from 80 (http) or 443 (https) to something else, a new portcon for that port must be added to the SELinux policy before httpd is allowed to bind to it.

To view the defined Port Security Contexts in the loaded SELinux policy, issue the following command:

[root@vbg ~]# seinfo -p

Each line of the output gives the protocol, the port and the security context. As an example, the http_port_t security contexts defined in the Red Hat Targeted policy are:

portcon tcp 80 system_u:object_r:http_port_t:s0
portcon tcp 443 system_u:object_r:http_port_t:s0
portcon tcp 488 system_u:object_r:http_port_t:s0
portcon tcp 8008 system_u:object_r:http_port_t:s0
portcon tcp 8009 system_u:object_r:http_port_t:s0
portcon tcp 8443 system_u:object_r:http_port_t:s0

As you can see, the first line of the output above labels TCP port 80 with the security context:

system_u:object_r:http_port_t:s0
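To make the portcon format and its lookup concrete, the following is an added example (not code from the original article) that parses seinfo-style portcon lines, including low-high ranges, and reports which port type a socket on a given protocol and port would receive. It assumes first-match ordering, as the kernel's port lookup does, and a fallback of port_t where no entry applies; the sample lines, including the range entries, are constructed rather than copied from any one system's policy.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format printed by `seinfo -p` (not captured from a real system).
SAMPLE_PORTCON = """\
portcon tcp 80 system_u:object_r:http_port_t:s0
portcon tcp 443 system_u:object_r:http_port_t:s0
portcon tcp 8443 system_u:object_r:http_port_t:s0
portcon tcp 22 system_u:object_r:ssh_port_t:s0
portcon udp 53 system_u:object_r:dns_port_t:s0
portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
"""

# protocol, a single port or a low-high range, then the full security context
PORTCON_RE = re.compile(r"^portcon\s+(tcp|udp|sctp|dccp)\s+(\d+)(?:-(\d+))?\s+(\S+)$")

@dataclass(frozen=True)
class PortCon:
    proto: str
    low: int
    high: int
    type: str  # the type field of user:role:type:level, which allow rules refer to

def parse_portcon(text: str) -> list:
    """Parse seinfo-style portcon lines, keeping policy order."""
    entries = []
    for line in text.splitlines():
        m = PORTCON_RE.match(line.strip())
        if not m:
            if line.strip():
                raise ValueError(f"unrecognised portcon line: {line!r}")
            continue
        proto, low, high, ctx = m.groups()
        entries.append(PortCon(proto, int(low), int(high or low), ctx.split(":")[2]))
    return entries

def port_type(entries: list, proto: str, port: int) -> str:
    """Type a socket bound to proto/port receives: the first matching entry wins,
    as in the kernel's port lookup; a port no entry covers falls back to port_t."""
    for e in entries:
        if e.proto == proto and e.low <= port <= e.high:
            return e.type
    return "port_t"

def ports_for_type(entries: list, type_name: str) -> list:
    """All (proto, low, high) ranges labelled with the given port type."""
    return [(e.proto, e.low, e.high) for e in entries if e.type == type_name]
```

With this sample, TCP 8080 resolves to unreserved_port_t rather than http_port_t, which is exactly why httpd moved to a non-standard port needs a new portcon before it may bind there.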

For those who prefer a GUI, policy details such as Booleans and Port Contexts can be viewed and modified with the system-config-selinux tool.

[root@vbg services]# system-config-selinux

Run this command from within an X session to view and explore the building blocks of a SELinux Security Policy.

NodeCon

Node Security Contexts are assigned by the nodecon statements in an SELinux policy. They can be used to apply access control restrictions to traffic from various hosts or nodes in the network. An effective security policy for network access to services can be created by applying node context restrictions creatively.

To list the default node contexts in the loaded SELinux policy, issue the following command:

[root@vbg ~]# seinfo -o

The output lists the security context assigned to each node, given as an address followed by its netmask:

[root@vbg ~]# seinfo -o
nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t:s0
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0
nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:unspec_node_t:s0
nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:compat_ipv4_node_t:s0
nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:mapped_ipv4_node_t:s0
nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:link_local_node_t:s0
nodecon fec0:: ffc0:: system_u:object_r:site_local_node_t:s0
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0

Classes

Classes, or more specifically ‘Object Classes’, are the resources on which SELinux Access Restrictions are applied. Examples of Object Classes include file, dir and network sockets. An instance of an Object Class is called an Object.

To see the various Object Classes in the default loaded SELinux Policy, issue the following command:

[root@vbg ~]# seinfo -c

A file on your system, a network socket or a process—all of these are instances of Object Classes. A list of the file-related Object Classes in the default-loaded policy on my system is shown below:

   blk_file   - Block File
   chr_file   - Character File
   lnk_file   - Symbolic Links
   fifo_file  - Named Pipes
   file       - Normal Files
   sock_file  - UNIX domain sockets
   filesystem - Partitions etc.
   dir        - Directories
   fd         - File Descriptors
