Overview
By the end of this article you should be able to answer the following questions:
Announcement
You can find all my latest posts on medium.

In short:
- SELinux applies a label to absolutely everything, e.g. files, folders, processes, user accounts, etc.
- These labels are called SELinux contexts, or security contexts.
- Many commands have a -Z option for viewing them, e.g.:
  $ ls -lZ testfile.txt
- An SELinux context consists of 4 colon-delimited strings. Each string is referred to as a “security attribute”.
- What gives these contexts meaning is the policy type.
- You can think of a policy type as a really big textbook, with an entry for each security attribute, followed by a list of the other security attributes it is allowed to access.
- Each entry is called a policy rule, or simply a policy.
- You can query the policy rules with sesearch, e.g.:
  $ sesearch --allow | grep httpd_content_type
  # this outputs:
  allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
  allow httpd_t httpd_content_type : dir { getattr search open } ;
  allow httpd_suexec_t httpd_content_type : dir { getattr search open } ;
  allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
  allow httpd_t httpd_content_type : dir { ioctl read getattr lock search open } ;
- The first rule means: allow an object of the type ‘httpd_t’ to access objects of the type ‘httpd_content_type’, as long as those objects are ‘file’ objects, and only with the { ioctl read getattr lock open } kinds of access.
SELinux operates at the kernel level. This means that when one object (e.g. a process) attempts to access another object (e.g. a config file), the kernel checks the relevant “policy” for the given objects to see if the access should be permitted, and then either grants or denies the access.
The heart of SELinux comprises 2 parts:
- Security Contexts
- Policy Type
Security Contexts
SELinux assigns a label to every single “object” on your machine. An “object” can be absolutely anything, including:
- user accounts
- user groups
- files
- folders
- processes
These labels are referred to as SELinux Contexts, aka security contexts.
A lot of commands have a “-Z” option for displaying security contexts. For example the ls command has a -Z option:
$ touch testfile.txt
$ ls -lZ testfile.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 testfile.txt
Notice that SELinux automatically assigns a security context to newly created objects.
As you can see, each SELinux context is made up of 4 colon-delimited parts, which in this case are:
- unconfined_u
- object_r
- admin_home_t
- s0
These items are referred to as “Security Attributes”. We will cover more about Security contexts and Security attributes later.
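As an added example (not code from the original article), here is a small POSIX shell helper that splits a security context into the four attributes just described, using the context that ls -lZ printed above as sample input. It also handles a case the listing above does not show: on an MLS-enabled policy the fourth part, the level, can itself contain a colon (e.g. s0-s0:c0.c1023), so the level has to be read as everything from the fourth field onward. The _u/_r/_t suffix check is a naming convention followed by the reference policy, not something SELinux enforces.

```shell
#!/bin/sh
# Added example (not from the article): split an SELinux security context
# into the four security attributes described above. Runs with plain
# POSIX tools; no SELinux utilities are needed.

# Constructed sample contexts: the first is the one ls -lZ printed above,
# the second is an MLS-style context whose level part contains a colon.
SAMPLE_FILE_CTX='unconfined_u:object_r:admin_home_t:s0'
SAMPLE_MLS_CTX='system_u:system_r:httpd_t:s0-s0:c0.c1023'

context_user()  { printf '%s\n' "$1" | cut -d: -f1; }
context_role()  { printf '%s\n' "$1" | cut -d: -f2; }
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
# The level is everything from the fourth field onward, because an MLS
# range such as s0-s0:c0.c1023 is itself colon-separated.
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Sanity check: at least four parts, and the user/role/type parts end in
# _u/_r/_t. That suffix convention is followed by the reference policy but
# is only a naming convention; SELinux itself does not enforce it.
context_is_wellformed() {
    ctx=$1
    nfields=$(printf '%s\n' "$ctx" | awk -F: '{ print NF }')
    [ "$nfields" -ge 4 ] || return 1
    case "$(context_user "$ctx")" in *_u) ;; *) return 1 ;; esac
    case "$(context_role "$ctx")" in *_r) ;; *) return 1 ;; esac
    case "$(context_type "$ctx")" in *_t) ;; *) return 1 ;; esac
    return 0
}

# Print the attributes one per line, labelled, the way the article lists them.
describe_context() {
    printf 'user:  %s\n' "$(context_user "$1")"
    printf 'role:  %s\n' "$(context_role "$1")"
    printf 'type:  %s\n' "$(context_type "$1")"
    printf 'level: %s\n' "$(context_level "$1")"
}

describe_context "$SAMPLE_FILE_CTX"
describe_context "$SAMPLE_MLS_CTX"
```

On a real system you would feed it the third field of `ls -Z` or the output of `id -Z` / `ps -Z`; the functions only do string splitting, so they behave the same whether or not SELinux is enabled on the machine running them.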
These Security Contexts on their own are useless; it is the “policy type” that gives them meaning.
Policy Type
You can think of a policy type as a really big textbook, and this book contains an entry for each security attribute, followed by a list of the other security attributes that it is permitted to access.
$ sesearch --all | wc -l
ERROR: Cannot get avrules: Neverallow rules requested but not available
70620
[root@puppetmaster ~]# sesearch --all | head
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 17669 semantic te rules:
   type_transition sosreport_t sssd_initrc_exec_t : process initrc_t;
   type_transition certmonger_unconfined_t sssd_initrc_exec_t : process initrc_t;
   type_transition piranha_pulse_t prelude_audisp_exec_t : process prelude_audisp_t;
   type_transition authconfig_t NetworkManager_initrc_exec_t : process initrc_t;
   type_transition dbadm_sudo_t sudo_exec_t : process dbadm_t;
   type_transition anaconda_t sssd_initrc_exec_t : process initrc_t;
   type_transition ricci_modservice_t ddclient_initrc_exec_t : process initrc_t;
   type_transition kdumpctl_t lsassd_exec_t : process lsassd_t;
Each entry in the policy type is referred to as a policy rule, or just a policy. You can modify these mappings at a higher level by configuring sebooleans; we’ll cover this later.
There are also 3 different policy types to choose from (i.e. three different books). We’ll cover these 3 policy types later. There are several types of policy rules, which you can learn about in sesearch’s man page. One of these types is the “allow” policy rule.
Here are several allow policy rules relating to httpd_content_type:
$ sesearch --allow | grep httpd_content_type
allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
allow httpd_t httpd_content_type : dir { getattr search open } ;
allow httpd_suexec_t httpd_content_type : dir { getattr search open } ;
allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
allow httpd_t httpd_content_type : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_content_type : lnk_file { read getattr } ;
Let’s break down the very first rule in this list. This rule says that an object of the type httpd_t is allowed to access an object of the type httpd_content_type, as long as that object is a file. Furthermore, it can only have the { ioctl read getattr lock open } kinds of access.
All “allow” policy rules are structured like this.
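To make that structure concrete, here is an added example (not from the article) in POSIX shell and awk: it parses allow rules in the exact format sesearch prints and answers whether a source type has a given permission on a target type for an object class. The rules it reads are a constructed sample embedded in the script, copied from the listing above plus one single-permission rule (sesearch prints rules with one permission without the braces), so it runs without sesearch. On a real system the same question is answered by sesearch itself, e.g. `sesearch --allow -s httpd_t -t httpd_content_type -c file -p read`; the function below only knows the rules you hand it.

```shell
#!/bin/sh
# Added example (not from the article): parse allow rules in the format
# printed by sesearch and answer whether a source type may perform a given
# permission on a target type for an object class. Pure POSIX sh + awk.

# Constructed sample input: rules copied from the sesearch listing above,
# plus one single-permission rule (no braces) in the form sesearch also emits.
SAMPLE_RULES='allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
allow httpd_t httpd_content_type : dir { getattr search open } ;
allow httpd_suexec_t httpd_content_type : dir { getattr search open } ;
allow httpd_t httpd_content_type : lnk_file { read getattr } ;
allow httpd_t httpd_log_t : file append ;'

# is_allowed SOURCE TARGET CLASS PERM
# Exit status 0 if some allow rule in $SAMPLE_RULES grants PERM, else 1.
is_allowed() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v s="$1" -v t="$2" -v c="$3" -v p="$4" '
        # Rule layout: allow SOURCE TARGET : CLASS { PERM ... } ;
        # Field 4 is the ":" separator; everything after the class that is
        # not a brace or the terminating ";" is a permission name.
        $1 == "allow" && $2 == s && $3 == t && $5 == c {
            for (i = 6; i <= NF; i++) {
                if ($i == "{" || $i == "}" || $i == ";") continue
                if ($i == p) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# perms_for SOURCE TARGET CLASS
# Print the union of permissions granted by all matching rules, one per line,
# in the order they are first seen.
perms_for() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v s="$1" -v t="$2" -v c="$3" '
        $1 == "allow" && $2 == s && $3 == t && $5 == c {
            for (i = 6; i <= NF; i++)
                if ($i != "{" && $i != "}" && $i != ";" && !seen[$i]++) print $i
        }'
}

# Demonstration on the sample: read on a file is granted, write is not.
for perm in read write; do
    if is_allowed httpd_t httpd_content_type file "$perm"; then
        echo "httpd_t may $perm httpd_content_type files"
    else
        echo "httpd_t may NOT $perm httpd_content_type files"
    fi
done
```

The absence of a matching rule is the interesting case for a defender: SELinux denies anything no allow rule covers, so a “NOT” answer here is what you would expect to see as an AVC denial in the audit log if the process tried it anyway.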