SELinux by Example

Using Security Enhanced Linux

Frank Mayer, Karl MacMillan, David Caplan

Prentice Hall
Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris
Madrid • Cape Town • Sydney • Tokyo • Singapore • Mexico City

Contents

Part I SELinux Overview 1

Chapter 1 Background 3

1.1 The Inevitability of Software Failure 4
1.2 The Evolution of Access Control Security in Operating Systems 5
1.2.1 The Reference Monitor Concept 6
1.2.2 The Problem with Discretionary Access Control 7
1.2.3 The Origins of Mandatory Access Control 8
1.2.4 A Better Form of Mandatory Access Control 10
1.2.5 The Evolution of SELinux 11
1.3 Summary 13
Exercises 13

Chapter 2 Concepts 15

2.1 Security Contexts for Type Enforcement 16
2.1.1 Comparing SELinux with Standard Linux 17
2.1.2 More on Security Contexts 18
2.2 Type Enforcement Access Control 19
2.2.1 Type Enforcement by Example 21
2.2.2 The Problem of Domain Transitions 22
2.2.3 Review of SetUID Programs in Standard Linux Security 23
2.2.4 Domain Transitions 25
2.2.5 Default Domain Transitions: type_transition Statement 28
2.3 The Role of Roles 29
2.4 Multilevel Security in SELinux 31
2.5 SELinux Features Familiarization 32
2.5.1 Revisiting the Passwd Example 33

2.5.2 Perusing the Policy File 34
2.6 Summary 36
Exercises 37

Chapter 3 Architecture 39

3.1 The Kernel Architecture 40
3.1.1 LSM Framework 40
3.1.2 SELinux LSM Module 42
3.2 Userspace Object Managers 43
3.2.1 Kernel Support for Userspace Object Managers 44
3.2.2 Policy Server Architecture 45
3.3 SELinux Policy Language 47
3.3.1 The Native SELinux Policy Language Compiler 48
3.3.2 Source Policy Modules in a Monolithic Policy 50
3.3.3 Loadable Policy Modules 50
3.3.4 Building and Installing Monolithic Policies 51
3.4 Summary 53
Exercises 54

Part II SELinux Policy Language 57

Chapter 4 Object Classes and Permissions 59

4.1 Purpose of Object Classes in SELinux 60
4.2 Defining Object Classes in SELinux Policy 61
4.2.1 Declaring Object Classes 62
4.2.2 Declaring and Associating Object Class Permissions 63
4.3 Available Object Classes 67
4.3.1 File-Related Object Classes 67
4.3.2 Network-Related Object Classes 69
4.3.3 System V IPC Object Classes 72
4.3.4 Miscellaneous Object Classes 73
4.4 Object Class Permission Examples 73
4.4.1 File Object Class Permissions 74
4.4.2 Process Object Class Permissions 78
4.5 Exploring Object Classes with Apol 84
4.6 Summary 86
Exercises 87

Chapter 5 Type Enforcement 89

5.1 Type Enforcement 90
5.2 Types, Attributes, and Aliases 91
5.2.1 Declaring Types 92
5.2.2 Types and Attributes 93
5.2.3 Associating Types and Attributes 94
5.2.4 Aliases 98
5.3 Access Vector Rules 100
5.3.1 Common AV Rule Syntax 100
5.3.2 Allow Rules 108
5.3.3 Audit Rules 109
5.3.4 Neverallow Rules 111
5.4 Type Rules 115
5.4.1 Common Type Rule Syntax 115
5.4.2 Type Transition Rules 117
5.4.3 Type Change Rules 121
5.5 Exploring Type Enforcement Rules with Apol 122
5.6 Summary 127
Exercises 128

Chapter 6 Roles and Users 129

6.1 Role-Based Access Control in SELinux 130
6.1.1 Overview of RBAC in SELinux 130
6.1.2 Managing User Privileges with Roles 132
6.1.3 Users and Roles in Object Security Contexts 135
6.2 Roles and Role Statements 135
6.2.1 Role Declaration Statement 135
6.2.2 Role Allow Rules 137
6.2.3 Role Transition Rules 138
6.2.4 Role Dominance Statement 138
6.3 Users and User Statements 140
6.3.1 Declaring Users and Associating Roles 141
6.3.2 Mapping Linux Users to SELinux Users 142
6.4 Exploring Roles and Users with Apol 144
6.5 Summary 146
Exercises 147

Chapter 7 Constraints 149

7.1 A Closer Look at the Access Decision Algorithm 150
7.2 Constrain Statement 152
7.3 Label Transition Constraints 157
7.4 Summary 161
Exercises 161

Chapter 8 Multilevel Security 163

8.1 Multilevel Security Constraints 164
8.2 Security Contexts with MLS 165
8.2.1 Defining Security Levels 165
8.2.2 MLS Extensions to Security Contexts 169
8.3 MLS Constraints 170
8.3.1 mlsconstrain Statement 170
8.3.2 mlsvalidatetrans Statement 175
8.4 Other Impacts of MLS 179
8.5 Summary 180
Exercises 181

Chapter 9 Conditional Policies 183

9.1 Overview of Conditional Policies 184
9.2 Boolean Variables 185
9.2.1 Defining Boolean Variables 185
9.2.2 Managing Booleans in a Running System 186
9.2.3 Persistent Changes to Boolean Values 189
9.3 Conditional Statements 191
9.3.1 Conditional Expressions and Rule Lists 192
9.3.2 Conditional Statement Limitations 196
9.4 Examining Booleans and Conditional Policies with Apol 198
9.5 Summary 202
Exercises 203

Chapter 10 Object Labeling 205

10.1 Introduction to Object Labeling 206
10.2 File-Related Object Labeling 208
10.2.1 Extended Attribute Filesystems (fs_use_xattr) 211
10.2.2 Task-Based Filesystems (fs_use_task) 216
10.2.3 Transition-Based Filesystems (fs_use_trans) 216
10.2.4 Generalized Security Context Labeling (genfscon) 217
10.3 Network and Socket Object Labeling 221
10.3.1 Network Interface Labeling (netifcon) 222
10.3.2 Network Node Labeling (nodecon) 223
10.3.3 Network Port Labeling (portcon) 225
10.3.4 Socket Labeling 227
10.4 System V IPC 228
10.5 Miscellaneous Object Labeling 228
10.5.1 Capability Object Labeling 229
10.5.2 Process Object Labeling 229
10.5.3 System and Security Object Labeling 230
10.6 Initial Security Identifiers 230
10.7 Exploring Object Labeling with Apol 233
10.8 Summary 235
Exercises 236

Part III Creating and Writing SELinux Security Policies 237

Chapter 11 Original Example Policy 239

11.1 Methods for Managing the Build Process 240
11.2 Strict Example Policy 242
11.2.1 Overview of Policy Source File Structure 244
11.2.2 Examining an Example Policy Module 252
11.2.3 Build Options for Strict Example Policy 258
11.3 Targeted Example Policy 261
11.4 Summary 262
Exercises 263

Chapter 12 Reference Policy 265

12.1 Goals of the Reference Policy 266
12.2 Overview of Policy Source File Structure 268
12.2.1 Build and Support Files 268
12.2.2 Core Policy Files 269
12.3 Design Principles 271
12.3.1 Layering 271
12.3.2 Modularity 272
12.4 Examining a Reference Policy Module 281
12.5 Build Options for Reference Policy 287
12.5.1 The build.conf File 287
12.5.2 The modules.conf File 289
12.6 Summary 291
Exercises 292

Chapter 13 Managing an SELinux System 295

13.1 SELinux Configuration and Policy Management Files 296
13.1.1 The SELinux Configuration File (/etc/selinux/config) 296
13.1.2 The Policy Directories 299
13.2 Impact of SELinux on System Administration 307
13.2.1 Managing Users 307
13.2.2 Understanding Audit Messages 312
13.2.3 Fixing Problems: File-Related Object Labeling 318
13.2.4 Managing Multiple Policies 323
13.3 Summary 323
Exercises 324

Chapter 14 Writing Policy Modules 325

14.1 Overview of Writing a Policy Module 326
14.2 Preparation and Planning 327
14.2.1 Gathering Application Information 327
14.2.2 Creating a Test Environment 328
14.2.3 Specifying Security Goals 332
14.3 Creating an Initial Policy Module 332
14.3.1 Creating Policy Module Files 333
14.3.2 Declaring Types 333
14.3.3 Allowing Initial Restrictive Access 337
14.3.4 Allowing Domain Transitions and Authorizing Roles 342
14.3.5 Integrating into the System Policy 343
14.3.6 Creating the Labeling Policy 345
14.3.7 Applying the Policy 347
14.4 Testing and Analyzing the Policy 349
14.4.1 Testing the Policy Module 349
14.4.2 Policy Analysis 354
14.5 Emerging Policy Development Tools 355
14.6 Complete IRC Daemon Module Listings 355
14.7 Summary 362

Appendix A Obtaining SELinux Sample Policies 363

A.1 Example Policy 364
A.1.1 Example Policy from Upstream SELinux Sites 364
A.1.2 Strict and Targeted Policies for Fedora Core 4 365
A.1.3 Red Hat Enterprise Linux 4 (RHEL4) 366
A.1.4 Fedora Core Experimental and Test Policies 367
A.2 Reference Policy 367
A.2.1 Primary Reference Policy 368
A.2.2 Red Hat's Fedora Core 5 Reference Policy 368

Appendix B Participation and Further Information 369

B.1 The SELinux Mail List 370
B.2 The Annual SELinux Symposium 370
B.3 The NSA 371
B.4 Tresys Technology 371
B.5 Open Source Projects 371
B.6 The SELinux IRC Channel 372
B.7 The Fedora Core Site 372
B.8 Hardened Gentoo 372
B.9 Other Related Security Information 373

Appendix C Object Classes and Permissions 375

C.1 Common Permission Sets 376
C.2 Object Classes and Defined Permission Sets 379
C.2.1 File-Related Object Classes 379
C.2.2 Network and Socket Object Classes 383
C.2.3 System V IPC-Related Object Classes 391
C.2.4 Miscellaneous Object Classes 392

Appendix D SELinux Commands and Utilities 401

D.1 System Utilities 402
D.1.1 Policy Tools 402
D.1.2 SELinux Status Information 403
D.1.3 Security Context Labeling 404
D.1.4 Security Context Changing Utilities 405
D.1.5 SELinux Modified Commands 405
D.1.6 Policy Module Manual Pages 406
D.2 SETools Suite 406
D.3 Other SELinux Tools 408

Index 409