<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>About SELinux Policies</p>
<p class="secthead"><a name="doc_chap1_sect1">SELinux Policy Language</a></p>
<p>
As described previously, SELinux uses type enforcement to describe the state of
your system. This is done by giving each resource on your system (be it a
process, a network port, a file or directory) a specific type and by describing
the rules for how types may interact with each other.
</p>
<p>
For instance, the following allow rule permits all regular users (which run in
the user_t domain) to execute files labeled bin_t:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: Allow rule to execute bin_t files</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
allow user_t bin_t:file { read execute open };
</pre></td></tr>
</table>
<p>
Other supported rules are
</p>
<ul>
  <li>
    <span class="emphasis">dontaudit</span> will disable the logging of the denial message(s)
  </li>
  <li>
    <span class="emphasis">auditallow</span> will allow the access but will also log it (by default,
    allowances are not logged)
  </li>
  <li>
    <span class="emphasis">neverallow</span> asserts that a certain access may never be granted by
    any allow rule. Even though SELinux is a positive security model
    (whitelisting), neverallow rules are sometimes needed, but you will not see
    them often.
  </li>
</ul>
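<p>
To make the effect of the four rule kinds concrete, the following is an added
example (not code from the handbook, the reference policy or checkpolicy): a
toy evaluator for a small subset of the policy language. It parses allow,
auditallow, dontaudit and neverallow rules on a single source type, target
type and object class, answers an access request with the pair (granted,
audited), and reports allow rules that contradict a neverallow rule, which the
real policy compiler would refuse to build. The sample rules inside it are
constructed for the example.
</p>

```python
"""Toy model of SELinux type-enforcement rule semantics.

Added example; this is not code from the Gentoo Handbook, the reference
policy or checkpolicy. It supports a deliberately small subset of the
policy language (allow, auditallow, dontaudit and neverallow, each on a
single source type, target type and object class) so that the effect of
each rule kind on the access decision and on audit logging is visible.
The sample rules below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# One rule per line, e.g. "allow user_t bin_t:file { read execute open };"
RULE_RE = re.compile(
    r"^(allow|auditallow|dontaudit|neverallow)\s+"
    r"(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$"
)

SAMPLE_POLICY = """
# constructed sample rules, not taken from the reference policy
allow user_t bin_t:file { read execute open };
allow user_t user_home_t:file { read write };
auditallow user_t user_home_t:file write;     # log granted writes too
dontaudit user_t etc_t:file write;            # expected denial, keep the log quiet
neverallow user_t shadow_t:file { read write };
"""

# the same policy plus an allow rule that contradicts the neverallow
BROKEN_POLICY = SAMPLE_POLICY + "allow user_t shadow_t:file read;\n"


@dataclass
class Policy:
    """Each set holds (source, target, class, permission) tuples."""
    allow: set = field(default_factory=set)
    auditallow: set = field(default_factory=set)
    dontaudit: set = field(default_factory=set)
    neverallow: set = field(default_factory=set)


def parse_policy(text):
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        kind, src, tgt, cls, perms = m.groups()
        # "{ read execute open }" -> read, execute, open; "read" -> read
        for perm in perms.strip("{} ").split():
            getattr(policy, kind).add((src, tgt, cls, perm))
    return policy


def check_neverallow(policy):
    """Return allow tuples that violate a neverallow rule (sorted).

    The real policy compiler refuses to build such a policy; here the
    conflict is only reported."""
    return sorted(policy.allow & policy.neverallow)


def decide(policy, src, tgt, cls, perm):
    """Return (granted, audited) for one access request.

    Denials are logged unless a dontaudit rule covers them; grants are
    logged only when an auditallow rule covers them."""
    key = (src, tgt, cls, perm)
    granted = key in policy.allow
    audited = key in policy.auditallow if granted else key not in policy.dontaudit
    return granted, audited


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for req in [("user_t", "bin_t", "file", "execute"),
                ("user_t", "user_home_t", "file", "write"),
                ("user_t", "etc_t", "file", "write"),
                ("user_t", "shadow_t", "file", "read")]:
        granted, audited = decide(pol, *req)
        print(f"{req}: granted={granted} audited={audited}")
    print("neverallow violations:", check_neverallow(parse_policy(BROKEN_POLICY)))
```

<p>
Running the block shows the four combinations: the bin_t execute is granted
and silent, the user_home_t write is granted but logged because of the
auditallow, the etc_t write is denied but not logged because of the dontaudit,
and the shadow_t read is denied and logged. The broken policy yields one
neverallow violation for the shadow_t read.
</p>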
<p>
As you can imagine, defining the rules for an entire system is very
resource-intensive if you want to do it right. It not only requires deep
insight into how the system works, but also a lot of rule writing and testing.
Even more time-consuming is that you would write the same rules over and over
again for different domains. To help developers with policy writing, a
<span class="emphasis">reference policy</span> has been brought to life with the following
requirements:
</p>
<ul>
  <li>
    development of SELinux policy rules should be centralized even for different
    distributions
  </li>
  <li>
    a macro language should be supported that makes it easier to write new
    policies
  </li>
  <li>
    the policies should be modular, allowing for additional rules to be added or
    removed
  </li>
</ul>
<p>
By centralizing the SELinux policy rule development, SELinux users will have the
same domain naming conventions as on other distributions. This makes debugging a
lot easier, makes documentation a lot less distribution-specific and makes it a
bit easier for end users to get acquainted with SELinux.
</p>
<p class="secthead"><a name="doc_chap1_sect2">Tresys Reference Policy</a></p>
<p>
The reference policy of choice is the <a href="http://oss.tresys.com/projects/refpolicy">Tresys SELinux Reference
Policy</a>. This reference policy - currently at major version 2 - is used by
almost all distributions that support SELinux, including Gentoo Hardened, Fedora,
Red Hat Enterprise Linux, Debian, Ubuntu and more. This implementation not only
offers the modular policies that users are looking for, but also enhances the
SELinux experience with additional development tools that make it easier to
work with the SELinux policies on your system.
</p>
<p>
The reference policy starts off with a <span class="emphasis">base</span> policy called
<span class="path" dir="ltr">base.pp</span>. This is a collection of policies needed to get a system up
and running; it also provides the interfaces that the policy modules build upon.
In Gentoo Hardened, this base policy is offered by <span class="code" dir="ltr">selinux-base-policy</span>.
</p>
<p>
The policy modules themselves also use the <span class="path" dir="ltr">.pp</span> extension, but are
named after their content. For instance, the policy module that contains all
policy rules for the <span class="code" dir="ltr">screen</span> application is called
<span class="path" dir="ltr">screen.pp</span>. However, don't count on all policy modules being named
after the tool: the policy module that contains the <span class="code" dir="ltr">wpa_supplicant</span>
specific rules is called <span class="path" dir="ltr">networkmanager.pp</span>. In Gentoo Hardened, the
modular policies are available in the <span class="path" dir="ltr">sec-policy</span> category and are
named <span class="path" dir="ltr">selinux-&lt;module&gt;</span>.
</p>
<p>
To get a list of loaded modules, run <span class="code" dir="ltr">semodule</span>:
</p>
<a name="doc_chap1_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.2: Listing the loaded SELinux policy modules</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">semodule -l</span>
dbus    1.14.0
dnsmasq 1.9.0
hal     1.13.0
[...]
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect3">Toggle Policy States</a></p>
<p>
As policies are built from a "deny all" perspective, you can imagine that
there are thousands of rules already available in the reference policy.
Sometimes the developers know that particular rules should be active on one
system and inactive on another. Although this can be accomplished by developing
two different modules, SELinux development has opted to support <span class="emphasis">SELinux
booleans</span>.
</p>
<p>
SELinux booleans allow for rules to be conditionally applied, based on the
administrator's requirements. You can get a list of supported booleans through
<span class="code" dir="ltr">getsebool</span>:
</p>
<a name="doc_chap1_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.3: Getting a list of supported booleans and their current state</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">getsebool -a</span>
allow_execheap --&gt; off
allow_execmem --&gt; off
[...]
fcron_crond --&gt; off
global_ssp --&gt; on
[...]
</pre></td></tr>
</table>
<p>
If you need to change a boolean, you can use <span class="code" dir="ltr">togglesebool</span> to switch its
value, or <span class="code" dir="ltr">setsebool</span> to explicitly set its state:
</p>
<a name="doc_chap1_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.4: Toggling boolean states</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">getsebool user_dmesg</span>
user_dmesg --&gt; off
~# <span class="code-input">togglesebool user_dmesg</span>
user_dmesg: active 
<span class="code-comment">(Now, the state is set to 'on')</span>
~# <span class="code-input">getsebool user_dmesg</span>
user_dmesg --&gt; on
<span class="code-comment">(Explicitly set the value to 'off')</span>
~# <span class="code-input">setsebool user_dmesg off</span>
</pre></td></tr>
</table>
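<p>
Both listings above (the <span class="code" dir="ltr">semodule -l</span> module list and the
<span class="code" dir="ltr">getsebool -a</span> boolean states) describe the current policy state
of a system, which is exactly what an administrator wants to compare against a
known baseline after a policy update or on a fleet of machines. The following
is an added example, not code from the handbook: it parses both output formats
and reports modules that are missing and booleans whose state differs from the
expected one. The command outputs embedded in it are constructed samples in
the format the listings show, and the baseline (required modules, expected
boolean states) is an assumption made for the example rather than a
recommendation; on a live system you would feed in the real command output.
</p>

```python
"""Compare the loaded SELinux policy modules and boolean states with a
baseline.

Added example, not part of the Gentoo Handbook. The two command outputs
below are constructed samples in the formats shown by the handbook
listings for "semodule -l" and "getsebool -a"; on a live system you
would feed in the real output instead (for instance via
subprocess.run(["getsebool", "-a"], capture_output=True, text=True)).
The baseline (which modules must be loaded, which booleans must be on
or off) is an assumption made for the example, not a recommendation.
"""
import re

SEMODULE_OUTPUT = """\
dbus    1.14.0
dnsmasq 1.9.0
hal     1.13.0
"""

GETSEBOOL_OUTPUT = """\
allow_execheap --> off
allow_execmem --> on
fcron_crond --> off
global_ssp --> on
user_dmesg --> off
"""

# constructed baseline for this example
REQUIRED_MODULES = {"dbus", "dnsmasq", "openssh"}
EXPECTED_BOOLEANS = {"allow_execheap": False, "allow_execmem": False, "global_ssp": True}

BOOL_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_semodule(text):
    """'name version' lines from semodule -l -> {name: version}.

    Newer semodule releases print only the module name; the version is
    then recorded as None."""
    modules = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            modules[parts[0]] = parts[1] if len(parts) > 1 else None
    return modules


def parse_getsebool(text):
    """'name --> on|off' lines from getsebool -a -> {name: bool}."""
    booleans = {}
    for line in text.splitlines():
        m = BOOL_RE.match(line)
        if m:
            booleans[m.group(1)] = m.group(2) == "on"
    return booleans


def audit(modules, booleans, required_modules, expected_booleans):
    """Return a list of findings; an empty list means the system matches."""
    findings = []
    for name in sorted(required_modules):
        if name not in modules:
            findings.append(f"module {name} is not loaded")
    for name, want in sorted(expected_booleans.items()):
        if name not in booleans:
            findings.append(f"boolean {name} is not known to the loaded policy")
        elif booleans[name] != want:
            have, wanted = ("on" if booleans[name] else "off"), ("on" if want else "off")
            # setsebool -P writes the value to the policy store so it survives a reboot
            findings.append(f"boolean {name} is {have}, expected {wanted}; "
                            f"fix with: setsebool -P {name} {wanted}")
    return findings


if __name__ == "__main__":
    result = audit(parse_semodule(SEMODULE_OUTPUT), parse_getsebool(GETSEBOOL_OUTPUT),
                   REQUIRED_MODULES, EXPECTED_BOOLEANS)
    print("\n".join(result) if result else "policy state matches baseline")
```

<p>
With the constructed inputs the audit reports two findings: the openssh module
is not loaded, and allow_execmem is on while the baseline expects it off. The
suggested remediation uses the persistent form of setsebool so the change is
not lost at the next policy load or reboot.
</p>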
<p class="secthead"><a name="doc_chap1_sect4">Policy Files and Locations</a></p>
<p>
On Gentoo Hardened, the SELinux policy files are stored in
<span class="path" dir="ltr">/usr/share/selinux/strict</span> or
<span class="path" dir="ltr">/usr/share/selinux/targeted</span> (depending on your SELinux
configuration). Within this location, you will find:
</p>
<ul>
  <li>
    a file called <span class="path" dir="ltr">base.pp</span>, which is the SELinux base policy,
  </li>
  <li>
    one or more files with extension <span class="path" dir="ltr">.pp</span>, which are the SELinux
    policy modules, and
  </li>
  <li>
    an <span class="path" dir="ltr">include/</span> folder which contains the necessary files for
    SELinux module developers to build additional modules for this system
  </li>
</ul>
<p class="secthead"><a name="doc_chap1_sect5">Policy Versions</a></p>
<p>
The SELinux policy infrastructure that is used (i.e. the capabilities and
functionalities that it offers) isn't in its first version. If you run
<span class="code" dir="ltr">sestatus</span> now, you'll notice that we are using policy version 24. Every
time functionalities or capabilities are added which require changes to the
internal structure of the compiled policy, this version is incremented. The
following is an overview of the policy version history.
</p>
<dl>
  <dt>Version 12</dt>
  <dd>"Old API" for SELinux, which is now deprecated</dd>
  <dt>Version 15</dt>
  <dd>"New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)</dd>
  <dt>Version 16</dt>
  <dd>Conditional policy extensions added (2.6.5)</dd>
  <dt>Version 17</dt>
  <dd>IPv6 support added (2.6.6 - 2.6.7)</dd>
  <dt>Version 18</dt>
  <dd>Fine-grained netlink socket support added (2.6.8 - 2.6.11)</dd>
  <dt>Version 19</dt>
  <dd>Enhanced multi-level security (2.6.12 - 2.6.13)</dd>
  <dt>Version 20</dt>
  <dd>Access vector table size optimizations (2.6.14 - 2.6.18)</dd>
  <dt>Version 21</dt>
  <dd>Object classes in range transitions (2.6.19 - 2.6.24)</dd>
  <dt>Version 22</dt>
  <dd>Policy capabilities (features) (2.6.25)</dd>
  <dt>Version 23</dt>
  <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
  <dt>Version 24</dt>
  <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
  <dt>Version 25</dt>
  <dd>Filename based transition support (2.6.39)</dd>
  <dt>Version 26</dt>
  <dd>Role transition support for non-process classes (3.0)</dd>
</dl>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>