book

SELinux

by Bill McCarty

October 2004

Intermediate to advanced

256 pages

8h 16m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Organization of This Book
Keyboard Accelerators
Software Threats and the InternetSoftware complexityNetwork connectivityActive content and mobile codePrivilege EscalationThe Patch Cycle and the 0-Day ProblemProtecting Against 0-DaysNetwork and Host DefensesNetwork defensesNetwork firewallsNetwork intrusion detection and prevention systemsHost defensesHost firewalls and intrusion detection systemsLogging and auditingMemory protectionSandboxesAccess-control listsDiscretionary and Mandatory Access ControlDiscretionary access controlMandatory access control
How SELinux WorksSELinux Components and Linux Security Modules (LSM)

Mailing Lists
Subjects and Objects
Kernel-Level CodeThe SELinux Shared LibraryThe SELinux Security PolicySELinux ToolsSELinux commandsModified Linux commands and programsSupplementary SELinux toolsReferences
SELinux Versions
Fedora Core 2
Debian GNU/LinuxGentoo LinuxInstalling SELinux to a fresh Gentoo systemInstalling SELinux to an existing Gentoo Linux systemRPM-Based DistributionsRed Hat Enterprise LinuxSUSE Linux
System Modes and SELinux Tuning
Switching ModesSetting the initial operating modeDynamically setting the operating modeDisabling SELinux at boot timeLoading the SELinux Security PolicyThe SELinux MakefileThe SELinux policy compiler (checkpolicy)The load_policy utilityLabeling Filesystems and FilesUsing the Makefile to label or relabel filesystemsUsing commands to label or relabel files or filesystemsThe chcon utilityThe fixfiles utilityThe restorecon utilityThe setfiles utilityTuning Fedora Core 2 SELinuxTuning via macrosTuning via policy BooleansSetting Booleans via the /selinux filesystem
Entering a RoleChanging rolesViewing Security ContextsViewing the user security contextViewing a file security contextViewing a process security contextAdding UsersAssociating a user with a nondefault roleHow default roles are assignedSetting user passwordsStarting and Controlling DaemonsStarting non-init daemons and programs
SELinux Log Message FormatSELinux Logging SubtletiesThe Audit2allow Utility
Boot ProblemsLocal Login ProblemsProgram Execution ProblemsDaemon ProblemsX Problems
The SELinux Policy
The snort.fc FileThe snort.te FileThe type lineThe allow linesMacro invocations
The flask SubdirectoryThe flask/initial_sids fileThe flask/security_classes fileThe flask/access_vectors fileThe macros SubdirectoryThe file_contexts SubdirectoryThe types SubdirectoryThe domains SubdirectoryThe appconfig SubdirectoryThe Policy Source Directory
The SELinux Role-Based Access Control Model
What Railroad Diagrams DoHow Railroad Diagrams Work
Basic Policy Elements
Role Type DeclarationsRole Dominance DeclarationsRole Transition DeclarationsRole Allow Declarations
The SELinux Type-Enforcement Model
Type DeclarationsType-Alias DeclarationsAttribute DeclarationsTE Access-Vector DeclarationsSpecial notations for types, classes, and permissionsMacros that specify and authorize transitionsTransition DeclarationsBoolean DeclarationsConditional Declarations
Constraint Declarations
Syntax of Initial SID Context DeclarationsSyntax of Filesystem Labeling DeclarationsSyntax of Genfs DeclarationsSyntax of Network DeclarationsPortcon declarationsNetifcon declarationsNodecon declarations
Syntax of security_classesSyntax of initial_sidsSyntax of access_vectors
The SELinux Policy Source Tree
Adding a System AdministratorAdding an Ordinary User
Determine What Files Are Related to the DomainDetermine the Security Contexts of the FilesDecide on Appropriate Security Contexts for the New DomainCreate a Basic TE FileCreate a Basic FC FileDelete Conflicting Specifications from Other FC FilesLoad the Revised Policy and Label the DomainsTest and Revise the TE and FC Files as Needed
ApolPolicy componentsPolicy rulesAnalysisSeauditSepcutSeuserx

Content preview from SELinux

Allowing a User Access to an Existing Domain

Let’s continue the case study from the preceding section by observing that users other than the system administrator can’t use Nmap:

# id -Z
root:staff_r:staff_t
# nmap -sT 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 11:13 PDT
Unable to find nmap-services!  Resorting to /etc/services
socket troubles in massping : Permission denied

The relevant AVC log message is:

avc:  denied  { create } for  pid=8940 exe=/usr/bin/nmap scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=rawip_socket

The message tells us that the staff_r role is not authorized to create a raw IP socket. We could authorize the domain to do so. But this naive approach would likely confer excessive permissions. Indeed, it’s debatable whether we should allow staff_r access to Nmap at all. But let’s presume that we do want to authorize access to Nmap without generally authorizing creation of raw IP sockets.

Warning

Unless you have a good reason, I don’t recommend that you authorize staff_r users to access Nmap. Limiting the permissions available to staff_r users is consistent with the principle of least privilege. If you do choose to authorize Nmap access, carefully consider whether to do so by using the approach explained here, which authorizes access to the entire traceroute_t domain, rather than only the Nmap program. The following section shows a more focused alternative approach.

Apparently, the problem is that staff_r is not authorized ...