Discussion:SELinux/02 Context
SELinux/Contexts
Description
Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level.
- When running SELinux, all of this information is used to make access control decisions.
- In Red Hat Enterprise Linux, SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement (TE), and, optionally, Multi-Level Security (MLS).
The following is an example of an SELinux context.
- SELinux contexts are used on processes, Linux users, and files, on Linux operating systems that run SELinux.
- Use the following command to view the SELinux context of files and directories:
~ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
SELinux contexts follow the SELinux user:role:type:level syntax.
- The fields are as follows:
| Component | Example | Description |
|---|---|---|
| user | <name>_u | SELinux user. |
| role | <name>_r | SELinux role. |
| type | <name>_t | SELinux type, the most important component in the Type Enforcement model. |
| level | s0 | SELinux level, the security level. |
- SELinux user
- The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS/MCS range.
- Each Linux user is mapped to an SELinux user using SELinux policy.
- This allows Linux users to inherit the restrictions placed on SELinux users.
- The mapped SELinux user identity is used in the SELinux context for processes in that session, in order to define what roles and levels they can enter.
- Enter the following command as root to view a list of mappings between SELinux and Linux user accounts (you need to have the policycoreutils-python package installed):
sudo semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
- Output may differ slightly from system to system.
- The Login Name column lists Linux users.
- The SELinux User column lists which SELinux user the Linux user is mapped to.
- For processes, the SELinux user limits which roles and levels are accessible.
- The MLS/MCS Range column is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS).
- The Service column determines the correct SELinux context, in which the Linux user is supposed to be logged in to the system.
- By default, the asterisk (*) character is used, which stands for any service.
- role
- Part of SELinux is the Role-Based Access Control (RBAC) security model.
- The role is an attribute of RBAC.
- SELinux users are authorized for roles, and roles are authorized for domains.
- The role serves as an intermediary between domains and SELinux users.
- The roles that can be entered determine which domains can be entered; ultimately, this controls which object types can be accessed.
- This helps reduce vulnerability to privilege escalation attacks.
- type
- The type is an attribute of Type Enforcement.
- The type defines a domain for processes, and a type for files.
- SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain.
- Access is only allowed if a specific SELinux policy rule exists that allows it.
- level
- The level is an attribute of MLS and MCS.
- An MLS range is a pair of levels, written as lowlevel-highlevel if the levels differ, or lowlevel if the levels are identical (s0-s0 is the same as s0).
- Each level is a sensitivity-category pair, with categories being optional.
- If there are categories, the level is written as sensitivity:category-set.
- If there are no categories, it is written as sensitivity.
- If the category set is a contiguous series, it can be abbreviated.
- For example, c0.c3 is the same as c0,c1,c2,c3.
- The /etc/selinux/targeted/setrans.conf file maps levels (such as s0:c0) to a human-readable form (such as CompanyConfidential).
- In Red Hat Enterprise Linux, targeted policy enforces MCS, and in MCS, there is just one sensitivity, s0.
- MCS in Red Hat Enterprise Linux supports 1024 different categories: c0 through to c1023. s0-s0:c0.c1023 is sensitivity s0 and authorized for all categories.
- MLS enforces the Bell-La Padula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments.
- To use MLS restrictions, install the selinux-policy-mls package, and configure MLS to be the default SELinux policy.
- The MLS policy shipped with Red Hat Enterprise Linux omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the upstream SELinux Reference Policy can be built that includes all program domains.
- For more information on MLS configuration, see Section 4.13, “Multi-Level Security (MLS)”.
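The context and level syntax described above (user:role:type, optional level, sensitivity:category-set, low-high ranges, and the cN.cM abbreviation) as an added parser. This is example code written for this page, not part of the original text or of any SELinux tool; it accepts only the forms the page documents.

```python
# Added example (not from the original page): a parser for the context and
# MLS/MCS level syntax described above, using only the documented forms.
import re

def parse_categories(cat_set):
    """Expand 'c0.c3,c5' into the set {0, 1, 2, 3, 5}."""
    cats = set()
    for item in cat_set.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)   # "c5" or "c0.c3"
        if not m:
            raise ValueError(f"bad category item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo or hi > 1023:                # MCS has c0 through c1023
            raise ValueError(f"bad category range: {item!r}")
        cats.update(range(lo, hi + 1))
    return cats

def parse_level(level):
    """'s0:c0.c1023' -> ('s0', {0..1023}); a bare 's0' has no categories."""
    sens, _, cat_set = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    return sens, (parse_categories(cat_set) if cat_set else set())

def parse_range(mls_range):
    """'s0-s0:c0.c1023' -> (low, high); a single level means low == high."""
    low, _, high = mls_range.partition("-")
    return parse_level(low), parse_level(high or low)

def parse_context(ctx):
    """Split on the first three colons; anything after them is the level."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"context needs user:role:type: {ctx!r}")
    out = {"user": parts[0], "role": parts[1], "type": parts[2]}
    if len(parts) == 4:                          # the level is optional
        out["low"], out["high"] = parse_range(parts[3])
    return out

def format_categories(cats):
    """Inverse of parse_categories: {0, 1, 2, 3, 5} -> 'c0.c3,c5'."""
    out, cats = [], sorted(cats)
    while cats:
        lo = hi = cats.pop(0)
        while cats and cats[0] == hi + 1:        # extend a contiguous run
            hi = cats.pop(0)
        out.append(f"c{lo}" if lo == hi else f"c{lo}.c{hi}")
    return ",".join(out)
```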
Domain Transitions
A process in one domain transitions to another domain by executing an application that has the entrypoint type for the new domain.
- The entrypoint permission is used in SELinux policy and controls which applications can be used to enter a domain.
- The following example demonstrates a domain transition:
Procedure 2.1. An Example of a Domain Transition
- A user wants to change their password.
- To do this, they run the passwd utility.
- The /usr/bin/passwd executable is labeled with the passwd_exec_t type:
~ ls -Z /usr/bin/passwd
-rwsr-xr-x root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
The passwd utility accesses /etc/shadow, which is labeled with the shadow_t type:
~ ls -Z /etc/shadow
-r--------. root root system_u:object_r:shadow_t:s0 /etc/shadow
- An SELinux policy rule states that processes running in the passwd_t domain are allowed to read and write to files labeled with the shadow_t type.
- The shadow_t type is only applied to files that are required for a password change.
- This includes /etc/gshadow, /etc/shadow, and their backup files.
- An SELinux policy rule states that the passwd_t domain has its entrypoint permission set to the passwd_exec_t type.
- When a user runs the passwd utility, the user's shell process transitions to the passwd_t domain.
- With SELinux, since the default action is to deny, and a rule exists that allows (among other things) applications running in the passwd_t domain to access files labeled with the shadow_t type, the passwd application is allowed to access /etc/shadow, and update the user's password.
This example is not exhaustive, and is used as a basic example to explain domain transition.
- Although there is an actual rule that allows subjects running in the passwd_t domain to access objects labeled with the shadow_t file type, other SELinux policy rules must be met before the subject can transition to a new domain.
- In this example, Type Enforcement ensures:
- The passwd_t domain can only be entered by executing an application labeled with the passwd_exec_t type; can only execute from authorized shared libraries, such as the lib_t type; and cannot execute any other applications.
- Only authorized domains, such as passwd_t, can write to files labeled with the shadow_t type.
- Even if other processes are running with superuser privileges, those processes cannot write to files labeled with the shadow_t type, as they are not running in the passwd_t domain.
- Only authorized domains can transition to the passwd_t domain.
- For example, the sendmail process running in the sendmail_t domain does not have a legitimate reason to execute passwd; therefore, it can never transition to the passwd_t domain.
- Processes running in the passwd_t domain can only read and write to authorized types, such as files labeled with the etc_t or shadow_t types.
- This prevents the passwd application from being tricked into reading or writing arbitrary files.
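The deny-by-default decisions of the walkthrough above (execute the entrypoint, transition into passwd_t, write shadow_t, and the sendmail_t case) as an added toy model. This is example code written for this page, not the real targeted policy: the rule set is constructed to mirror the text, and the three permission checks (execute, transition, entrypoint) are a simplified version of the real transition check.

```python
# Added example (not from the original page): a toy type-enforcement model
# whose allow rules are constructed to mirror the passwd walkthrough above.
ALLOW = {  # (source domain, target type, object class) -> permissions
    ("unconfined_t", "passwd_exec_t", "file"): {"execute"},
    ("passwd_t", "passwd_exec_t", "file"): {"entrypoint", "execute"},
    ("unconfined_t", "passwd_t", "process"): {"transition"},
    ("passwd_t", "shadow_t", "file"): {"read", "write"},
    ("passwd_t", "etc_t", "file"): {"read", "write"},
    ("passwd_t", "lib_t", "file"): {"execute"},
    ("sendmail_t", "etc_t", "file"): {"read"},
}
# Automatic domain transition when a domain executes a file of this type.
TYPE_TRANSITION = {("unconfined_t", "passwd_exec_t"): "passwd_t"}

def allowed(domain, target, cls, perm):
    """Default deny: access exists only if an allow rule grants it."""
    return perm in ALLOW.get((domain, target, cls), set())

def exec_domain(domain, exec_type):
    """Domain a process runs in after executing a file labeled exec_type.

    Returns the new domain (or the old one if no transition applies) and
    raises PermissionError when any of the required checks is denied.
    """
    if not allowed(domain, exec_type, "file", "execute"):
        raise PermissionError(f"{domain} may not execute {exec_type}")
    new = TYPE_TRANSITION.get((domain, exec_type))
    if new is None:
        return domain
    # A transition needs both the process:transition rule for the source
    # domain and the file:entrypoint rule for the new domain.
    if not allowed(domain, new, "process", "transition"):
        raise PermissionError(f"{domain} may not transition to {new}")
    if not allowed(new, exec_type, "file", "entrypoint"):
        raise PermissionError(f"{exec_type} is not an entrypoint for {new}")
    return new

def change_password(shell_domain):
    """The walkthrough: run passwd, then write /etc/shadow (shadow_t)."""
    try:
        domain = exec_domain(shell_domain, "passwd_exec_t")
    except PermissionError:
        return False
    return allowed(domain, "shadow_t", "file", "write")
```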
SELinux Contexts for Processes
Use the ps -eZ command to view the SELinux context for processes.
For example:
Procedure 2.2. View the SELinux Context for the passwd Utility
- Open a terminal, such as Applications → System Tools → Terminal.
- Run the passwd utility.
- Do not enter a new password:
~ passwd
Changing password for user user_name.
Changing password for user_name.
(current) UNIX password:
- Open a new tab, or another terminal, and enter the following command.
- The output is similar to the following:
~ ps -eZ | grep passwd
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
- In the first tab/terminal, press Ctrl+C to cancel the passwd utility.
In this example, when the passwd utility (labeled with the passwd_exec_t type) is executed, the user's shell process transitions to the passwd_t domain.
- Remember that the type defines a domain for processes, and a type for files.
To view the SELinux contexts for all running processes, run the ps utility again.
Note that below is a truncated example of the output, and may differ on your system:
ps -eZ
system_u:system_r:dhcpc_t:s0                1869 ?        00:00:00 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023     1882 ?        00:00:00 sshd
system_u:system_r:gpm_t:s0                  1964 ?        00:00:00 gpm
system_u:system_r:crond_t:s0-s0:c0.c1023    1973 ?        00:00:00 crond
system_u:system_r:kerneloops_t:s0           1983 ?        00:00:05 kerneloops
system_u:system_r:crond_t:s0-s0:c0.c1023    1991 ?        00:00:00 atd
The system_r role is used for system processes, such as daemons.
- Type Enforcement then separates each domain.
Contexts for Users
Use the following command to view the SELinux context associated with your Linux user:
~ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
In Red Hat Enterprise Linux, Linux users run unconfined by default.
- This SELinux context shows that the Linux user is mapped to the SELinux unconfined_u user, running as the unconfined_r role, and is running in the unconfined_t domain. s0-s0 is an MLS range, which in this case, is the same as just s0.
- The categories the user has access to are defined by c0.c1023, which is all categories (c0 through to c1023).