Understanding SELinux, Part 8

In Part 7, we developed an SELinux policy module called test (version 1.1.1) for type enforcement. For that, we created a file called test.te containing our allow rules and a new type, lfy_t, which we added to the system. We wrote rules that allowed us to change the type of the /var/www/html/index.html file from the default httpd_sys_content_t to lfy_t.

[root@vbg-work ~]# ls -lZ /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:lfy_t:s0 /var/www/html/index.html

The problem with this approach is that the change lives only in the label stored on the file itself; the policy’s file-context database still says this path should be httpd_sys_content_t, so any relabelling (restorecon run by hand, setfiles, or a full relabel at boot) puts it back. To check this, we can run the restorecon command:

[root@vbg-work ~]# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:lfy_t:s0->system_u:object_r:httpd_sys_content_t:s0

[root@vbg-work ~]# ls -lZ /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

[root@vbg-work ~]#

To avoid this, and to make lfy_t the default type of this file so that a relabel keeps it, we need to add information to our policy module test. Entries that map files to their default security contexts are not written in the .te (type enforcement) file; they live in a separate file.

A closer look at our development folder reveals that the make command (used to compile our source into a binary policy module) has already created two new files: test.fc and test.if. This article covers the purpose and use of the .fc (file contexts) file.

A sample .fc file, example.fc, is provided by the SELinux development RPM. The default location of this file is /usr/share/selinux/devel/example.fc. Let us have a look at the syntax:

[vbg@vbg-work test-selinux]$ cat example.fc
# myapp executable will have:
# label: system_u:object_r:myapp_exec_t
# MLS sensitivity: s0
# MCS categories:
#
/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)

[vbg@vbg-work test-selinux]$

Simply put, each entry in this file has three columns:

  1. The first column is the path to be labelled (since everything is a file in Linux), written as a regular expression that must match the whole path. A plain path works because it matches itself, but note that an unescaped ‘.’ also matches any single character; the stock policy therefore writes it as ‘\.’.
  2. The second column restricts the entry to one kind of filesystem object: ‘--’ means a regular file, ‘-d’ a directory, ‘-l’ a symbolic link, ‘-c’ a character device, ‘-b’ a block device, ‘-s’ a socket and ‘-p’ a named pipe. Leaving this column out makes the entry apply to any kind of object.
  3. The third column is the security context that restorecon and setfiles assign to matching paths. It has the same meaning as the entries in /etc/selinux/targeted/contexts/files/file_contexts that we covered in the second article of this series; in fact, the .fc entries of every installed module are merged into that file. (You may wish to revisit that article for the detailed explanation.)

To begin with, you can omit the gen_context() macro: it only joins the context with the MLS/MCS fields (here s0) into the full context string, so writing that string out by hand has the same effect. We will cover macros in a later part of this series and revisit gen_context() then. For our current purpose, let’s create the file, test.fc, containing the following line:

/var/www/html/index.html	--	system_u:object_r:lfy_t:s0

…and recompile our policy module with make. Do remember to increase the version number in the type enforcement file, test.te.
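The following is an added example, not code from the article and not libselinux’s own code: a small Python model of how restorecon resolves a path against .fc entries. It parses the three-column syntax, expands gen_context(), honours the file-type column and prefers the more specific entry. The ranking is a simplified version of what libselinux does, and the sample entries are constructed for the example (the article’s test.fc line appears with the dot escaped, as the stock policy writes it, plus one extra line for the test/ directory). Running it shows why index.html resolves to lfy_t while a file such as test.html, which nothing in test.fc matches, still falls under the stock /var/www entry, and why a ‘--’ entry is ignored when the object is a directory.

```python
"""Model of how a path is resolved against SELinux file-context entries.

Added example: not from the article or from SELinux itself.  It parses
entries in the .fc / file_contexts syntax and picks the entry restorecon
would apply.  The ranking is a simplification of libselinux's behaviour
and the entries in SAMPLE_FC are constructed for this example.
"""
import re

# Second column of an entry -> kind of filesystem object it applies to.
# No second column means the entry applies to any kind.
TYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}
META_CHARS = ".^$?*+|[({"


def parse_fc(text):
    """Parse .fc text into a list of (pattern, kind_or_None, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, kind, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_CODES:
            pattern, kind, context = fields[0], TYPE_CODES[fields[1]], fields[2]
        else:
            raise ValueError(f"malformed .fc entry: {raw!r}")
        # gen_context(user:role:type,s0) only glues the MLS/MCS fields on:
        # it expands to user:role:type:s0, which the article writes by hand.
        m = re.fullmatch(r"gen_context\((.*)\)", context)
        if m:
            context = ":".join(part.strip() for part in m.group(1).split(","))
        entries.append((pattern, kind, context))
    return entries


def _first_meta(pattern):
    """Index of the first unescaped regex metacharacter, or -1 if literal."""
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2              # escaped character, e.g. '\.' in index\.html
            continue
        if pattern[i] in META_CHARS:
            return i
        i += 1
    return -1


def _stem(pattern):
    """Literal directory prefix before the first metacharacter."""
    cut = _first_meta(pattern)
    literal = pattern if cut < 0 else pattern[:cut]
    return literal.rsplit("/", 1)[0]


def lookup(entries, path, kind="file"):
    """Return the context an object of `kind` at `path` should carry, or None.

    More specific entries win: a longer literal stem first, then an entry
    without metacharacters over a regex, then the later entry in the file
    (which is also how file_contexts.local overrides the base file).
    Patterns are anchored at both ends, exactly as in file_contexts.
    """
    ranked = sorted(
        enumerate(entries),
        key=lambda ie: (len(_stem(ie[1][0])), _first_meta(ie[1][0]) < 0, ie[0]),
    )
    for _, (pattern, want, context) in reversed(ranked):
        if want is not None and want != kind:
            continue            # e.g. a '--' entry never labels a directory
        if re.fullmatch(pattern, path.rstrip("/") or "/"):
            return None if context == "<<none>>" else context
    return None


# Constructed sample: two entries in the style of the stock httpd policy, then
# the test.fc line from the article (dot escaped as the stock policy does) and
# an extra line that would make a chcon on /var/www/html/test survive a relabel.
SAMPLE_FC = r"""
/var/www(/.*)?                  gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/cgi-bin(/.*)?          gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/html/index\.html   --  system_u:object_r:lfy_t:s0
/var/www/html/test(/.*)?        system_u:object_r:lfy_t:s0
"""
ENTRIES = parse_fc(SAMPLE_FC)

if __name__ == "__main__":
    for path, kind in [("/var/www/html/index.html", "file"),
                       ("/var/www/html/index.html", "dir"),
                       ("/var/www/html/test.html", "file"),
                       ("/var/www/html/test/test1.html", "file"),
                       ("/var/www/cgi-bin/hello.cgi", "file")]:
        print(f"{path:<32} {kind:<4} -> {lookup(ENTRIES, path, kind)}")
```

On a real system the equivalent query, once the module is installed, is matchpathcon /var/www/html/index.html, which prints the context the file-context database holds for a path without touching the file; restorecon -nv shows what a relabel would change without applying it.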

Let us update our test module:

[root@vbg-work ~]# semodule -u /home/vbg/test-selinux/test.pp

To see the effect of our new test.fc file, let’s check the current context of the file /var/www/html/index.html and then restore it to its default context. (If you want to confirm the mapping first without touching the file, matchpathcon /var/www/html/index.html prints the context the file-context database now holds for that path, and restorecon -nv shows what restorecon would change without doing it.)

[root@vbg-work ~]# ls -lZ /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

[root@vbg-work ~]# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:lfy_t:s0

[root@vbg-work ~]# ls -lZ /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:lfy_t:s0       /var/www/html/index.html

[root@vbg-work ~]#

Now we can see that the default context of the file has been set to lfy_t. What context does a newly created file get?

Let us test this by creating a new file /var/www/html/test.html by using the touch command:

[root@vbg-work html]# touch /var/www/html/test.html
[root@vbg-work html]# ls -lZ /var/www/html/test.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test.html
[root@vbg-work html]#

This shows that the newly created file is given the type httpd_sys_content_t, not lfy_t. Our test.fc has no entry for test.html, but that alone does not explain it: the file-context database is only consulted when contexts are restored, not when a file is created. So where does the type of a new file come from?

Let us create a new folder under /var/www/html/:

[root@vbg-work html]# mkdir /var/www/html/test

[root@vbg-work html]# ls -lZ /var/www/html
-rw-r--r--. root root system_u:object_r:lfy_t:s0       index.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test.html

[root@vbg-work html]#

The newly created folder also gets a security context with the type httpd_sys_content_t.

Now let us set the type of this new folder to lfy_t and then create new files under it:

[root@vbg-work html]# chcon -t lfy_t /var/www/html/test
[root@vbg-work html]# touch /var/www/html/test/test1.html
[root@vbg-work html]# ls -lZ /var/www/html/test/
-rw-r--r--. root root unconfined_u:object_r:lfy_t:s0 test1.html
[root@vbg-work html]#

Surprise! The new file is of type lfy_t. This tells us something about the default behaviour when labelling newly created files: as observed above, a new file apparently takes the type of its parent folder.

Is it really that simple? Let us test this with a few more examples.

The type of the root directory, /, is root_t:

[root@vbg-work html]# ls -lZd /
dr-xr-xr-x. root root system_u:object_r:root_t:s0    /

Now create a new file under the root directory and check its security context. Going by the logic above, the type of a newly created file there (for example, test.txt) should be root_t:

[root@vbg-work html]# touch /test.txt
[root@vbg-work html]# ls -lZ /test.txt
-rw-r--r--. root root unconfined_u:object_r:etc_runtime_t:s0 /test.txt
[root@vbg-work html]#

What happened? The file test.txt under the folder / (type root_t) should have received a security context with type root_t. Instead, its type is etc_runtime_t.

Why is the type of the file not root_t? Why and how did the type of this file change?
