9.2. SECURITY-ENHANCED LINUX 133
These specifications are provided in what we call the labeling state of the mandatory protection
system in Definition 2.4. The labeling state is an immutable policy that defines how newly created
processes and system resources are labeled. SELinux provides four ways in which an object's label
can be defined.
First, an object may be labeled based on its location in the file system. Suppose the files
/etc/passwd and /etc/shadow are provided in a Linux package for the passwd program. In this
case, the file already exists in some form and needs to be labeled when it is installed. SELinux uses
file contexts to label existing files or files provided in packages. A file context specification maps a file
path expression to an object context. The file path expression is a regular expression that describes
the set of files whose file path matches that expression. Below, we list two file context specifications.
<file path expr> <context>
/etc/shadow.* system_u:object_r:shadow_t:s0
/etc/*.* system_u:object_r:etc_t:s0
For example, the second file context specification above defines the object context for files in the
/etc directory. /etc/shadow gets a special context, while other files in /etc (e.g., /etc/passwd)
get the default context [3].
Second, for dynamically created objects, their labels are inherited from their parent object.
For files, this is determined by the parent directory. All files dynamically created in the /etc
directory inherit the label defined for that directory, etc_t.
Third, type_transition rules can be specified in the SELinux policy that override the
default object labeling. Below, we show a type_transition rule that relabels all files created by
processes with the passwd_t type that would be assigned the etc_t label by default to the shadow_t
label.
type_transition <creator_type> <default_type>:<class> <resultant_type>
type_transition passwd_t etc_t:file shadow_t
Note that the creating process context must be authorized to relabel these etc_t files to
shadow_t files [4]. If we use the passwd process to create /etc/shadow, where /etc has the etc_t
label, the file is assigned the shadow_t label instead, based on this rule.
The SELinux labeling state enforces security goals through the administrator-specified file
contexts, default labeling, and authorized type_transition rules. The labeling state enables precise
control over labeling, but does not necessarily ensure a coherent security goal (i.e., information flow).
An external analysis is necessary to determine whether the labeling state achieves the desired security,
as we discuss in the SELinux evaluation.
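As an added example (not from the book), the following Python model walks through the three labeling paths described above: matching an installed file against the file context specifications, inheriting the parent directory's type, and applying the type_transition rule subject to the relabelfrom/relabelto permissions of footnote 4. The file context table, the rule and the allow set are constructed from the page; ranking overlapping regex matches by their literal prefix is a simplifying assumption, not SELinux's exact ordering.

```python
import re

# Constructed from the two file context specifications on the page:
# a file path regex mapped to an object context (user:role:type:level).
FILE_CONTEXTS = [
    (r"/etc/shadow.*", "system_u:object_r:shadow_t:s0"),
    (r"/etc/*.*", "system_u:object_r:etc_t:s0"),
]

# Constructed from the type_transition rule on the page:
# (creator_type, default_type, class) -> resultant_type
TYPE_TRANSITIONS = {("passwd_t", "etc_t", "file"): "shadow_t"}

# Constructed allow rules granting the relabel permissions footnote 4 requires (assumption).
ALLOW = {"passwd_t": {("relabelfrom", "etc_t"), ("relabelto", "shadow_t")}}


def _stem(regex):
    """Literal prefix of a path regex; used to rank overlapping matches (assumption)."""
    return re.split(r"[.*?+\[\]()]", regex, 1)[0]


def label_existing_file(path):
    """Way 1: an installed file gets the context of the most specific matching spec."""
    matches = [(pat, ctx) for pat, ctx in FILE_CONTEXTS if re.fullmatch(pat, path)]
    if not matches:
        return None
    return max(matches, key=lambda m: len(_stem(m[0])))[1]


def may_relabel(creator_type, from_type, to_type):
    """Footnote 4: relabeling T1 -> T2 needs relabelfrom T1 and relabelto T2."""
    perms = ALLOW.get(creator_type, set())
    return ("relabelfrom", from_type) in perms and ("relabelto", to_type) in perms


def label_new_file(creator_type, parent_type, cls="file"):
    """Ways 2 and 3: inherit the parent directory's type unless a type_transition
    rule overrides it, and only if the creator is authorized to relabel."""
    target = TYPE_TRANSITIONS.get((creator_type, parent_type, cls), parent_type)
    if target != parent_type and not may_relabel(creator_type, parent_type, target):
        raise PermissionError(f"{creator_type} may not relabel {parent_type} -> {target}")
    return target
```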
[3] Note that the user and role for all SELinux objects are system_u:object_r:.
[4] In order to relabel an object from type T1 to type T2, the subject must have allow rules that permit relabelfrom T1 and
relabelto T2.