9.2. SECURITY-ENHANCED LINUX 133
These specifications are provided in what we call the labeling state of the mandatory protection
system in Definition 2.4. The labeling state is an immutable policy that defines how newly created
processes and system resources are labeled. SELinux provides four ways in which an object's label
can be defined.
First, an object may be labeled based on its location in the file system. Suppose the files
/etc/passwd and /etc/shadow are provided in a Linux package for the passwd program. In this
case, the file already exists in some form and needs to be labeled when it is installed. SELinux uses
file contexts to label existing files or files provided in packages. A file context specification maps a file
path expression to an object context. The file path expression is a regular expression that describes
the set of files whose paths match that expression. Below, we list two file context specifications.
    <file path expr> <context>
For example, the second file context specification above defines the object context for files in the
/etc directory. /etc/shadow gets a special context while other files in /etc (e.g., /etc/passwd)
get the default context.
Second, for dynamically created objects, their labels are inherited from their parent object.
For files, this is determined by the parent directory. All files dynamically created in the /etc
directory inherit the label defined for the directory, etc_t.
Third, type_transition rules can be specified in the SELinux policy that override the
default object labeling. Below, we show a type_transition rule that relabels all files created by
processes with the passwd_t type that would be assigned the etc_t label by default to the shadow_t
type.
    type_transition <creator_type> <default_type>:<class> <resultant_type>
    type_transition passwd_t etc_t:file shadow_t
Note that the creating process context must be authorized to relabel these etc_t files to the rule's
resultant type, shadow_t (in the kernel's permission check at creation time this means the creator
needs the create permission on the resultant type for that object class; the relabelfrom and
relabelto permissions govern the relabeling of objects that already exist). If we use the passwd
process to create /etc/shadow, where /etc has the etc_t label, it would be assigned a shadow_t label
instead based on this rule.
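The three labeling mechanisms above (file contexts for existing files, inheritance from the parent directory for new files, and type_transition overrides) can be modeled as one small labeling state. The following Python is an added example, not code from the book or from SELinux itself: the two file-context regexes, the allow rules and the sysadm_t creator are constructed sample policy, and the ranking rule for file contexts (longest literal prefix wins, later line wins on ties) is a simplification of libselinux's ordering. The creation check tests the creator's create permission on the resultant type, which is what the kernel verifies when a type_transition fires.

```python
"""Model of the SELinux labeling state for files: file contexts for existing
files, inheritance from the parent directory for new files, and
type_transition overrides. Added example; not code from the book or SELinux.
The policy entries below are constructed samples, not a real file_contexts."""
import re
from dataclasses import dataclass

# Characters that start a regex construct; the literal text before the first
# one is the "prefix" used to rank how specific a file context spec is.
# Assumption: this only approximates libselinux's spec ordering.
_META = re.compile(r"[.^$*+?()\[\]{}|\\]")


@dataclass
class LabelingState:
    file_contexts: list   # [(path_regex, type)] in policy order
    transitions: dict     # {(creator_type, default_type, cls): resultant_type}
    allows: set           # {(source_type, target_type, cls, permission)}

    def label_existing(self, path):
        """Way 1: label an existing or packaged file from the file contexts.
        The spec with the longest literal prefix wins; among equally specific
        specs the one listed later wins (simplified libselinux semantics)."""
        best_key, best_type = None, None
        for idx, (pattern, ftype) in enumerate(self.file_contexts):
            if re.fullmatch(pattern, path) is None:
                continue
            m = _META.search(pattern)
            prefix_len = m.start() if m else len(pattern)
            key = (prefix_len, idx)
            if best_key is None or key > best_key:
                best_key, best_type = key, ftype
        return best_type

    def label_new(self, creator_type, parent_type, cls):
        """Ways 2 and 3: a new object inherits the parent's type unless a
        type_transition rule for (creator, parent type, class) overrides it.
        Returns None if the creator lacks 'create' on the resultant type,
        the permission the kernel checks at creation time."""
        resultant = self.transitions.get((creator_type, parent_type, cls), parent_type)
        if (creator_type, resultant, cls, "create") not in self.allows:
            return None
        return resultant


# Constructed sample policy; the regexes and allow rules are assumptions.
POLICY = LabelingState(
    file_contexts=[
        (r"/etc(/.*)?", "etc_t"),        # default for /etc and everything under it
        (r"/etc/shadow.*", "shadow_t"),  # more specific: /etc/shadow and its backups
    ],
    transitions={
        ("passwd_t", "etc_t", "file"): "shadow_t",  # the rule from the text
    },
    allows={
        ("passwd_t", "shadow_t", "file", "create"),
        ("sysadm_t", "etc_t", "file", "create"),
    },
)

if __name__ == "__main__":
    for p in ("/etc/passwd", "/etc/shadow", "/etc/shadow-", "/usr/bin/passwd"):
        print(p, "->", POLICY.label_existing(p))
    print("passwd_t creates file in etc_t dir ->", POLICY.label_new("passwd_t", "etc_t", "file"))
    print("sysadm_t creates file in etc_t dir ->", POLICY.label_new("sysadm_t", "etc_t", "file"))
    print("passwd_t creates dir in etc_t dir ->", POLICY.label_new("passwd_t", "etc_t", "dir"))
```

Running the block shows the two halves of the labeling state working together: /etc/passwd falls through to the etc_t default while /etc/shadow and its backup take shadow_t from the more specific spec, a file that passwd_t creates under an etc_t directory transitions to shadow_t, and a directory created by passwd_t there is refused because no rule grants create on etc_t dirs.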
The SELinux labeling state enforces security goals through the administrator-specified file
contexts, default labeling, and authorized type_transition rules. The labeling state enables precise
control over labeling, but does not necessarily ensure a coherent security goal (i.e., information flow).
An external analysis is necessary to determine whether the labeling state achieves the desired security,
as we discuss in the SELinux evaluation.
Note that the user and role for all SELinux objects are system_u and object_r, so an object context is written system_u:object_r:<type>.
In order to relabel an object from type T1 to type T2, the subject must have allow rules that permit relabelfrom T1 and