Understanding SELinux, Part 9

The previous article (Part 8) in this series covered Type Transition rules and explored how newly created files are allotted security contexts. A file's context is stored on disk together with the file (as an extended attribute on the inode), and therefore file contexts are persistent across reboots.

This article discusses security contexts for subjects (typically, processes) and how they are assigned. To view the list of processes on your system, along with their hierarchy, use the pstree command:

[root@vbg-work ~]# pstree

init-+-NetworkManager-+-dhclient
     |                `-{NetworkManager}
     |-abrtd
     |-acpid
     |-atd
     |-auditd-+-audispd-+-sedispatch
     |        |         `-{audispd}
     |        `-{auditd}
     |-avahi-daemon---avahi-daemon
     |-bonobo-activati---{bonobo-activat}
     |-cimserver---3*[{cimserver}]
     |-clock-applet
     |-console-kit-dae---63*[{console-kit-da}]
     |-crond
     |-cupsd
     |-2*[dbus-daemon---{dbus-daemon}]
     |-2*[dbus-launch]
     |-devkit-disks-da---devkit-disks-da
     |-devkit-power-da
     |-evolution---7*[{evolution}]
     |-evolution-alarm---{evolution-alar}
     |-evolution-data----2*[{evolution-data}]
     |-gconf-im-settin
     |-gconfd-2
     |-gdm-binary---gdm-simple-slav-+-Xorg
     |                              `-gdm-session-wor---gnome-session-+-abrt-applet
     |                                                                |-bluetooth-apple
     |                                                                |-gdu-notificatio
     |                                                                |-gnome-panel---{gnome-panel}
     |                                                                |-gnome-power-man
     |                                                                |-gnome-volume-co
     |                                                                |-gpk-update-icon---{gpk-update-ico}
     |                                                                |-metacity---{metacity}
     |                                                                |-nautilus---{nautilus}
     |                                                                |-nm-applet
     |                                                                |-polkit-gnome-au

The above output shows the process tree on my system, starting with the init process. init is the first user-space process the kernel executes once the basic system has been set up, so every other process on the system is a descendant of init. (The entries in braces, such as {NetworkManager}, are threads of the process they hang under.) When the system is shut down, init is the last process to terminate before the kernel performs its own shutdown.

To view the security contexts allotted to all system processes, execute the pstree command with the -Z option:

[root@vbg-work ~]# pstree -Z
init(`system_u:system_r:init_t:s0')
 |-NetworkManager(`system_u:system_r:NetworkManager_t:s0')
 |  |-dhclient(`system_u:system_r:dhcpc_t:s0')
 |  `-{NetworkManager}(`system_u:system_r:NetworkManager_t:s0')
 |-abrtd(`system_u:system_r:abrt_t:s0-s0:c0.c1023')
 |-acpid(`system_u:system_r:apmd_t:s0')
 |-atd(`system_u:system_r:crond_t:s0-s0:c0.c1023')
 |-auditd(`system_u:system_r:auditd_t:s0')
 |  |-audispd(`system_u:system_r:audisp_t:s0')
 |  |  |-sedispatch(`system_u:system_r:audisp_t:s0')
 |  |  `-{audispd}(`system_u:system_r:audisp_t:s0')
 |  `-{auditd}(`system_u:system_r:auditd_t:s0')
 |-avahi-daemon(`system_u:system_r:avahi_t:s0')
 |  `-avahi-daemon(`system_u:system_r:avahi_t:s0')
 |-bonobo-activati(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
 |  `-{bonobo-activat}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
 |-cimserver(`system_u:system_r:initrc_t:s0')
 |  |-{cimserver}(`system_u:system_r:initrc_t:s0')
 |  |-{cimserver}(`system_u:system_r:initrc_t:s0')
 |  `-{cimserver}(`system_u:system_r:initrc_t:s0')
 |-clock-applet(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
 |-console-kit-dae(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
 |  |-{console-kit-da}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')

Now we can see the security context of every process. How did init get the type init_t? Why do some child processes have a different context from their parent? If a child simply inherited its parent's context, every process on the system would be init_t. How are these different types assigned?

Consider another scenario. On a Fedora/RHEL server the httpd process is started with service httpd start or /etc/init.d/httpd start. If the web server is not already running, start it with the following command:

[root@vbg-work ~]# /etc/init.d/httpd start

Check the security context associated with the httpd process:

[root@vbg-work ~]# ps axZ | grep httpd
unconfined_u:system_r:httpd_t:s0 3099 ?        Ss     0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3102 ?        S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3103 ?        S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3104 ?        S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3105 ?        S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3106 ?        S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3107 ?        S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3108 ?        S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 3109 ?        S      0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3113 pts/0 S+   0:00 grep httpd

As you can see, the httpd processes run in the httpd_t domain, even though they were started from a shell running as unconfined_t: the type changed when /usr/sbin/httpd was executed. (The last line is the grep itself, still running in the shell's context unconfined_u:unconfined_r:unconfined_t.) Note the user field: these httpd processes carry unconfined_u because they were started from an unconfined login shell, whereas daemons started by init at boot, as in the pstree -Z output above, carry system_u. In the targeted policy, access decisions are made almost entirely on the type, so the daemon is confined the same way in both cases; the user field only tells you who started it.
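To locate where in the process tree the contexts change, the following script is an added example; it is not part of the original article and not a tool shipped with SELinux. It reads /proc/PID/attr/current for every process, the same attribute that ps -Z and pstree -Z print, and lists each process whose type differs from its parent's type. On the tree shown earlier it would report, for example, NetworkManager (init_t -> NetworkManager_t) and dhclient (NetworkManager_t -> dhcpc_t); for the httpd scenario it reports the change from the shell's unconfined_t to httpd_t. It only finds where a transition happened; it does not show the policy rule that caused it. The script name proc_transitions.sh and the "pid ppid comm context" line format are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): walk /proc, record each
# process's parent and SELinux context, and flag every place where a child's
# type differs from its parent's. Those are the points where exec caused a
# domain transition instead of plain inheritance, e.g. init_t -> NetworkManager_t
# or unconfined_t -> httpd_t.

# Emit one "pid ppid comm context" line per process. The context is read from
# /proc/PID/attr/current, the same source ps -Z and pstree -Z use. Only
# thread-group leaders are listed; threads live under /proc/PID/task and share
# their process's context, which is why pstree -Z shows {name} entries with the
# same label as the process. comm is the first word of the Name: field only.
proc_contexts() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # A process may exit while we look at it; skip anything unreadable.
        status=$(cat "$d/status" 2>/dev/null) || continue
        ppid=$(printf '%s\n' "$status" | awk '/^PPid:/ { print $2 }')
        comm=$(printf '%s\n' "$status" | awk '/^Name:/ { print $2 }')
        # The attribute is NUL-terminated; "-" marks a process with no label
        # (SELinux disabled, or a kernel without it).
        ctx=$(tr -d '\0' < "$d/attr/current" 2>/dev/null) || ctx=-
        [ -n "$ctx" ] || ctx=-
        printf '%s %s %s %s\n' "$pid" "${ppid:-0}" "${comm:-?}" "$ctx"
    done
}

# Read "pid ppid comm context" lines on stdin and print
# "comm parent_type -> child_type" for every process whose type (the third
# colon-separated field of the context) differs from its parent's. MLS suffixes
# such as s0-s0:c0.c1023 occupy later fields, so they do not disturb the split.
# Output is sorted in the C locale so the order is deterministic.
find_transitions() {
    awk '
        { ppid[$1] = $2; comm[$1] = $3; ctx[$1] = $4 }
        END {
            for (p in ctx) {
                q = ppid[p]
                if (!(q in ctx)) continue   # parent unknown: pid 0, or already gone
                split(ctx[p], c, ":"); split(ctx[q], d, ":")
                if (c[3] != d[3])
                    printf "%s %s -> %s\n", comm[p], d[3], c[3]
            }
        }' | LC_ALL=C sort
}

# Usage: sh proc_transitions.sh run
case "${1:-}" in
    run) proc_contexts | find_transitions ;;
esac
```

Run it as root (other users' attr/current files may not be readable) on a system with SELinux enabled; with SELinux disabled every context is reported as "-" and no transitions are found. The two functions are separate so that the comparison can also be run on saved output, for instance a "pid ppid comm context" listing captured from a server that has since been rebooted.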


5 Comments

  1. Snehal says:

    we are waiting for more :) Hurry up :) Thanks

  2. kpn says:

    Awesome Series :) Waiting for next series. Please Upload

  3. Rahulchandrak says:

    Hi, I am working on securing the Apache web server using SELinux on RHEL 5. By default the Apache server is installed with the OS and when SELinux is enabled, the httpd_t domain/policy is applied. In my case, we are not using the default Apache web server; instead, we are uninstalling the default web server and compiling it from source. The location of the web server is /usr/local/apache2214. By default the SELinux type assigned to all files/directories under /usr is usr_t. I now want to assign httpd_t (the Apache server domain/type) to my own Apache installed at /usr/local/apache2214. I want to reuse the existing SELinux rules on my Apache.

    • Vaneet Gupta says:

      For this you need to create your own policy in SELinux. You can't use the existing policy to apply to /usr/local/apache22

  4. A Reader says:

    Thanks for the awesome series.
    This might be the best article publicly posted for SELinux.

    Really appreciate your effort.
