Understanding SELinux, Part 4

SELinux, as mentioned in the first article of the series, is an implementation of MAC (Mandatory Access Controls). These controls are affected through a set of rules that check the security context of the subject (e.g., the processes) and the object (e.g., the file), and allow or disallow the particular action.

There are various rules defined in an SELinux policy. To view them, use the seinfo command discussed earlier.

[root@vbg ~]# seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)

   Classes:            61    		Permissions:       220
   Types:            1514    		Attributes:        148
   Users:               3    		Roles:               6
   Booleans:          211   		Cond. Expr.:       187
   Sensitivities:       1    		Categories:       1024
   Allow:           82576    		Neverallow:          0
   Auditallow:         28    		Dontaudit:        5086
   Role allow:          5    		Role trans:          0
   Type_trans:       1399    		Type_change:        17
   Type_member:         0    		Range_trans:        23
   Constraints:        47    		Validatetrans:       0
   Fs_use:             15    		Genfscon:           64
   Portcon:           264    		Netifcon:            0
   Nodecon:             8    		Initial SIDs:       27

Text formatted in bold in the above output represents the information section on rules. As we can see, the default policy loaded in my system has:

  • 82,756 Allow Rules
  • 1,399 Type Transition Rules
  • 5,086 Don’t Audit Rules, and so on.

To view these rules and get an understanding of how they work, let us explore the sesearch command.

[root@vbg ~]# sesearch -a

Found 87690 av rules:
   allow bluetooth_helper_tmp_t bluetooth_helper_tmp_t : filesystem associate ;
   allow httpd_bugzilla_script_t httpd_bugzilla_script_t : lnk_file { ioctl read getattr lock };
   allow avahi_t avahi_t : fifo_file { read write };
   allow avahi_t avahi_t : tcp_socket { ioctl read write create getattr setattr append bind connect listen accept getopt setopt shutdown };
   allow aide_t newrole_t : fd use ;

The sesearch command allows us to query a policy for Type Enforcement rules. Let us explore the first of these rules—the Allow Rule.

Allow Rule

Allow Rules specifically allow ‘access’ to an ‘object’ by a ‘subject’. Here:

  • access is defined by access permissions—such as read, write, execute, etc.
  • object is defined by:
    • the security context called the target context (tcontext)
    • the class of the object called the target class (tclass). Examples of the target class can be file, dir, socket, etc.
  • subject is defined by the security context called the source context (scontext)

A typical allow rule can be described as follows: Allow the Web Process (Apache server) to read the file (/var/www/html/index.html).

If the above rule is not present in the policy, the Apache process will not be able to read a file in its default ‘documentroot’ folder and will be denied access.

To implement the above allow rule, we need to evaluate Access Permissions Required, Target Context (tcontext), Target Class (tclass), and Source Context (scontext).

For our example, the results will be as follows:

  • Access Permissions Required — read
  • Target Context (tcontext) — security context of /var/www/html/index.html
    [root@vbg ~]# ls -Z /var/www/html/index.html
    system_u:object_r:httpd_sys_content_t:s0
  • Target Class (tclass) — file Source Context (scontext): (security context of the httpd process)
    [root@vbg ~]# ps axZ | grep httpd
    user_u:system_r:httpd_t:s0

Taking the above into consideration, our allow rule changes from:

Allow the Web Process (Apache server) to read the file (/var/www/html/index.html)

…to:

Allow the Source Context user_u:system_r:httpd_t:s0 permission to read on the class file bearing a Target Context of system_u:object_r:httpd_sys_content_t:s0

Pages: 1 2

One Comment

  1. Charles Bradshaw says:

    This is a great tutorial. Part 9 was written in 2010. Perhaps we need an update!

    There’s a small typo in the Allow Rule parameter for the sesearch command. -a should be -A, at in the Fedora 17 version.

Leave a Reply

Your email address will not be published. Required fields are marked *