<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>SELinux Types</p>
<p>
   A type is a security attribute given to objects such as files, directories,
   sockets and network ports.  The type of a process is commonly referred to as
   its domain.  The SELinux policy is primarily composed of type enforcement
   rules, which describe how domains are allowed to interact with objects and
   with other domains.  A type is generally suffixed with '_t', such as
   <span class="code" dir="ltr">sysadm_t</span>.  This is the most important attribute of a
   process or object, as most policy decisions are based on the source and
   target types.
</p>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>SELinux Roles</p>
<p>
   SELinux is built on type enforcement, so a SELinux role is not the same as
   a role in a role-based access control system: permissions are never granted
   to roles.  A role instead describes the set of domains a user may enter.
   For example, a system administrator doing regular user work should be in
   the <span class="code" dir="ltr">staff_r</span> role, and must change to
   the <span class="code" dir="ltr">sysadm_r</span> role to administer the
   system.  In SELinux terms, the domains a user can be in are determined by
   their role: if a role is not allowed a certain domain, a transition to that
   domain is denied even when the type enforcement rules would allow it.  A
   role is generally suffixed with '_r', such as <span class="code" dir="ltr">system_r</span>.
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>SELinux Identities</p>
<p class="secthead"><a name="doc_chap3_sect1">What is a SELinux Identity?</a></p>
<p>
   The SELinux identity is similar to a Linux username, but it is deliberately
   kept separate: the Linux user ID can be changed by set(e)uid, which makes it
   unsuitable as a basis for access control.  Because the role-based part of
   the policy relies on the SELinux identity, identity changes are limited to
   a few specific cases, and in general a user's SELinux identity does not
   change during a session.  If a user is given a SELinux identity, it must
   match the Linux username.  Each SELinux identity is allowed a set of roles.
</p>
<p class="secthead"><a name="doc_chap3_sect2">Configure SELinux Identity Mapping</a></p>
<p>
   The SELinux policy ships several generic SELinux identities that should be
   sufficient for all users.  The mapping only needs to be configured on the
   strict policy; on the targeted policy the default identity (user_u) is
   sufficient in all cases.
</p>
<p>
   When a user logs in, the SELinux identity used is determined by this mapping.
</p>
<table class="ntable">
<tr>
<td class="infohead"><b>SELinux Identity</b></td>
    <td class="infohead"><b>Roles</b></td>
    <td class="infohead"><b>Description</b></td>
</tr>
<tr>
<td class="tableinfo">system_u</td>
    <td class="tableinfo">system_r</td>
    <td class="tableinfo">System (non-interactive) processes.  Should not be used on users.</td>
</tr>
<tr>
<td class="tableinfo">user_u</td>
    <td class="tableinfo">user_r</td>
    <td class="tableinfo">Generic unprivileged users.  The default identity mapping.</td>
</tr>
<tr>
<td class="tableinfo">staff_u</td>
    <td class="tableinfo">staff_r, sysadm_r</td>
    <td class="tableinfo">System administrators who also log in to do regular user activities.</td>
</tr>
<tr>
<td class="tableinfo">sysadm_u</td>
    <td class="tableinfo">sysadm_r</td>
    <td class="tableinfo">System administrators who only log in to do administrative tasks.  Using this identity is not recommended; prefer staff_u.</td>
</tr>
<tr>
<td class="tableinfo">root</td>
    <td class="tableinfo">staff_r, sysadm_r</td>
    <td class="tableinfo">Special identity for root.  Other users should use staff_u instead.</td>
</tr>
</table>
<p>
   See the <a href="selinux-handbook.xml?part=3&amp;chap=2#doc_chap3">SELinux HOWTO</a>
   for semanage syntax for configuring SELinux identity mappings.
</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
            </span>SELinux Contexts</p>
<p>
   The three attributes above, taken together, form the SELinux context
   (also called a security context).  A context takes the form
   <span class="code" dir="ltr">identity</span>:<span class="code" dir="ltr">role</span>:<span class="code" dir="ltr">type</span>
   (policies with MLS support append a fourth field, the sensitivity level).
   Every process and every object carries a context, and it is the value
   access decisions are made on.
</p>
<p class="secthead"><a name="doc_chap4_sect1">Object Contexts</a></p>
<p>
   A typical <span class="code" dir="ltr">ls -Z</span> may have an output similar to this:
</p>
<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 4.1: Example ls -Z output</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
drwxr-xr-x  root     root     system_u:object_r:bin_t          bin
drwxr-xr-x  root     root     system_u:object_r:boot_t         boot
drwxr-xr-x  root     root     system_u:object_r:device_t       dev
drwxr-xr-x  root     root     system_u:object_r:etc_t          etc
</pre></td></tr>
</table>
<p>
   The first three columns are the usual Linux permissions, owner and group.
   The fourth column is the file or directory's security context.  Objects
   are given the generic <span class="code" dir="ltr">object_r</span> role, since roles
   only have meaning for processes.  From the other two fields of the context
   it can be seen that the files carry the system_u identity and four different
   types, <span class="code" dir="ltr">bin_t</span>, <span class="code" dir="ltr">boot_t</span>,
   <span class="code" dir="ltr">device_t</span> and <span class="code" dir="ltr">etc_t</span>.
</p>
<p class="secthead"><a name="doc_chap4_sect2">Process Contexts</a></p>
<p>
   A typical <span class="code" dir="ltr">ps ax -Z</span> may have an output similar to this:
</p>
<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 4.2: Example ps ax -Z output</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
  PID CONTEXT                                  COMMAND
    1 system_u:system_r:init_t                 [init]
    2 system_u:system_r:kernel_t               [keventd]
    3 system_u:system_r:kernel_t               [ksoftirqd_CPU0]
    4 system_u:system_r:kernel_t               [kswapd]
    5 system_u:system_r:kernel_t               [bdflush]
    6 system_u:system_r:kernel_t               [kupdated]
  706 system_u:system_r:syslogd_t              [syslog-ng]
  712 system_u:system_r:httpd_t                [apache]
  791 system_u:system_r:sshd_t                 [sshd]
  814 system_u:system_r:crond_t                [cron]
  826 system_u:system_r:getty_t                [agetty]
  827 system_u:system_r:getty_t                [agetty]
  828 system_u:system_r:getty_t                [agetty]
  829 system_u:system_r:getty_t                [agetty]
  830 system_u:system_r:getty_t                [agetty]
  831 system_u:system_r:httpd_t                [apache]
  832 system_u:system_r:httpd_t                [apache]
  833 system_u:system_r:httpd_t                [apache]
23093 system_u:system_r:sshd_t                 [sshd]
23095 user_u:user_r:user_t                     [bash]
23124 system_u:system_r:sshd_t                 [sshd]
23126 user_u:user_r:user_t                     [bash]
23198 system_u:system_r:sshd_t                 [sshd]
23204 user_u:user_r:user_t                     [bash]
23274 system_u:system_r:sshd_t                 [sshd]
23275 pebenito:staff_r:staff_t                 [bash]
23290 pebenito:staff_r:staff_t                 ps ax -Z
</pre></td></tr>
</table>
<p>
   In this example, the typical process information is displayed, in addition
   to the process's context.  By inspection, all of the system's kernel
   processes and daemons run under the <span class="code" dir="ltr">system_u</span> identity, and
   <span class="code" dir="ltr">system_r</span> role.  The individual domains depend on the program.
   There are a few users logged in over ssh, using the generic <span class="code" dir="ltr">user_u</span>
   identity.  Finally there is a user with the identity <span class="code" dir="ltr">pebenito</span> logged in
   with the <span class="code" dir="ltr">staff_r</span> role, running in the <span class="code" dir="ltr">staff_t</span> domain.
</p>
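<p>
   The identity, role and domain fields of a process context can be checked
   mechanically against the identity-to-roles table in the SELinux Identities
   chapter.  The following script is an added example for this page, not code
   from Gentoo or the SELinux project: it parses <span class="code" dir="ltr">ps -Z</span>
   style output (the input lines are constructed for the example, modelled on
   the listing above, with one deliberately wrong line added) and reports any
   process whose identity is not allowed the role it is running in.  The
   <span class="code" dir="ltr">pebenito</span> entry in the mapping is an assumed
   site-local identity, mapped like staff_u.
</p>

```python
"""Parse the contexts in `ps -Z` output and check each identity/role pair
against the identity-to-roles mapping from the SELinux Identities chapter."""
import re

# Identity -> roles that identity may use, from the identity table above.
# "pebenito" is an assumed site-local identity, mapped like staff_u.
IDENTITY_ROLES = {
    "system_u": {"system_r"},
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "sysadm_u": {"sysadm_r"},
    "root": {"staff_r", "sysadm_r"},
    "pebenito": {"staff_r", "sysadm_r"},
}

# Constructed `ps ax -Z` output, modelled on the listing above.  The last
# line is deliberately wrong: user_u is never allowed the sysadm_r role.
PS_OUTPUT = """\
  PID CONTEXT                                  COMMAND
    1 system_u:system_r:init_t                 [init]
  791 system_u:system_r:sshd_t                 [sshd]
23095 user_u:user_r:user_t                     [bash]
23275 pebenito:staff_r:staff_t                 [bash]
23290 pebenito:staff_r:staff_t                 ps ax -Z
23301 user_u:sysadm_r:sysadm_t                 bash
"""

PS_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")


def parse_context(ctx):
    """Split identity:role:type into a tuple.

    MLS-enabled policies append a fourth field (the level); it is kept as a
    fourth element, and anything with fewer than three fields is rejected.
    """
    parts = tuple(ctx.split(":", 3))
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return parts


def parse_ps_z(text):
    """Return [(pid, context, command), ...]; the header line is skipped."""
    records = []
    for line in text.splitlines():
        m = PS_LINE_RE.match(line)
        if m:
            pid, ctx, cmd = m.groups()
            records.append((int(pid), ctx, cmd.strip()))
    return records


def check_contexts(records, mapping=IDENTITY_ROLES):
    """Flag processes whose identity may not use the role it is running in.

    Returns [(pid, context, reason), ...].  A correctly loaded policy makes
    the kernel refuse such role changes, so a hit means the running policy
    (or its identity mapping) differs from what you expected.
    """
    findings = []
    for pid, ctx, _cmd in records:
        identity, role = parse_context(ctx)[:2]
        allowed = mapping.get(identity)
        if allowed is None:
            findings.append((pid, ctx, "unknown identity %s" % identity))
        elif role not in allowed:
            findings.append((pid, ctx, "identity %s may not use role %s"
                             % (identity, role)))
    return findings


if __name__ == "__main__":
    for pid, ctx, reason in check_contexts(parse_ps_z(PS_OUTPUT)):
        print("pid %d %s: %s" % (pid, ctx, reason))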
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
            </span>SELinux Policy Files</p>
<p>
   The SELinux policy source files are no longer installed onto the system.
   Instead, the <span class="code" dir="ltr">/usr/share/selinux/{strict,targeted}</span>
   directory holds a collection of policy packages and the headers needed to
   build local modules.  A module is built in three steps: the policy source
   is preprocessed by m4, the policy compiler <span class="code" dir="ltr">checkmodule</span>
   checks it for syntax errors and produces a policy module, and
   <span class="code" dir="ltr">semodule_package</span> combines the module with its
   file contexts into a policy package.  The package is then loaded into the
   running SELinux kernel by inserting it into the module store.
</p>
<p class="secthead"><a name="doc_chap5_sect1">*.pp</a></p>
<p>
   Policy packages for this policy.  These must be inserted into the module
   store so they can be loaded into the policy.  Inside the package
   there is a loadable policy module, and optionally a file context file.
</p>
<p class="secthead"><a name="doc_chap5_sect2">include/</a></p>
<p>
   Policy headers for this policy.
</p>
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
            </span>Binary Policy Versions</p>
<p>
   When the policy is compiled, the resulting binary policy carries a version
   number.  The first version merged into the 2.6 kernel was version 15.  The
   version is generally only incremented when new features require changes to
   the structure of the compiled policy.  For example, conditional policy
   extensions were added in 2.6.5, which required the policy version to be
   incremented to 16.
</p>
<p class="secthead"><a name="doc_chap6_sect1">What Policy Version Does My Kernel Use?</a></p>
<p>
   The policy version of a running kernel can be determined by executing
   <span class="code" dir="ltr">sestatus</span> or <span class="code" dir="ltr">policyvers</span>.
   Current kernels can also load earlier policy versions for compatibility;
   a version 17 kernel, for example, can load a version 16 policy.  This
   compatibility code may be removed in the future, however, so a policy
   should be built for the version the kernel reports.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
  The policy management infrastructure (libsemanage) will automatically
  create and use the correct version policies.  No extra steps need be taken.
</p></td></tr></table>
<p class="secthead"><a name="doc_chap6_sect2">Policy Versions</a></p>
<p>
   The following table contains the policy versions in 2.6 kernels.
</p>
<table class="ntable">
<tr>
<td class="infohead"><b>Version</b></td>
    <td class="infohead"><b>Description</b></td>
    <td class="infohead"><b>Kernel Versions</b></td>
</tr>
<tr>
<td class="tableinfo">12</td>
    <td class="tableinfo">"Old API" SELinux (deprecated).</td>
    <td class="tableinfo">none (out-of-tree 2.4 patches, never merged)</td>
</tr>
<tr>
<td class="tableinfo">15</td>
    <td class="tableinfo">"New API" SELinux merged into 2.6.</td>
    <td class="tableinfo">2.6.0 - 2.6.4</td>
</tr>
<tr>
<td class="tableinfo">16</td>
    <td class="tableinfo">Conditional policy extensions added.</td>
    <td class="tableinfo">2.6.5</td>
</tr>
<tr>
<td class="tableinfo">17</td>
    <td class="tableinfo">IPV6 support added.</td>
    <td class="tableinfo">2.6.6 - 2.6.7</td>
</tr>
<tr>
<td class="tableinfo">18</td>
    <td class="tableinfo">Fine-grained netlink socket support added.</td>
    <td class="tableinfo">2.6.8 - 2.6.11</td>
</tr>
<tr>
<td class="tableinfo">19</td>
    <td class="tableinfo">Enhanced multi-level security.</td>
    <td class="tableinfo">2.6.12 - 2.6.13</td>
</tr>
<tr>
<td class="tableinfo">20</td>
    <td class="tableinfo">Access vector table size optimizations.</td>
    <td class="tableinfo">2.6.14 - 2.6.18</td>
</tr>
<tr>
<td class="tableinfo">21</td>
    <td class="tableinfo">Object classes in range transitions.</td>
    <td class="tableinfo">2.6.19 - 2.6.24</td>
</tr>
<tr>
<td class="tableinfo">22</td>
    <td class="tableinfo">Policy capabilities (features).</td>
    <td class="tableinfo">2.6.25</td>
</tr>
<tr>
<td class="tableinfo">23</td>
    <td class="tableinfo">Per-domain permissive mode.</td>
    <td class="tableinfo">2.6.26 - 2.6.27</td>
</tr>
<tr>
<td class="tableinfo">24</td>
    <td class="tableinfo">Explicit hierarchy (type bounds).</td>
    <td class="tableinfo">2.6.28 - current (as of this page's July 2009 revision)</td>
</tr>
</table>
<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
            </span>Conditional Policy Extensions</p>
<p>
  The conditional policy extensions allow the enabling and disabling of policy
  rules at runtime, without loading a modified policy.  Using policy booleans
  and expressions, policy rules can be conditionally applied.
</p>
<p class="secthead"><a name="doc_chap7_sect1">Determine Boolean Values</a></p>
<p>
  The status of policy booleans in the current running policy can be determined
  two ways.  The first is by using <span class="code" dir="ltr">sestatus</span>.
</p>
<a name="doc_chap7_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.1: Example sestatus output</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Policy version:         17
 
Policy booleans:
user_ping               inactive
</pre></td></tr>
</table>
<p>
  The second is <span class="code" dir="ltr">getsebool</span> which is a simple tool that displays
  the status of policy booleans, and if a value change is pending.
</p>
<a name="doc_chap7_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.2: Example getsebool command</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# getsebool -a
user_ping --&gt; active: 0 pending: 0
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap7_sect2">Changing Boolean Values</a></p>
<p>
  The value of a boolean can be toggled by using the <span class="code" dir="ltr">togglesebool</span>
  command.  Multiple booleans can be specified on the command line.  The
  new value of the boolean will be displayed.
</p>
<a name="doc_chap7_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.3: Example togglesebool command</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# togglesebool user_ping
user_ping: active
</pre></td></tr>
</table>
<p>
  The value of a boolean can be set specifically by using the <span class="code" dir="ltr">setsebool</span>
  command.
</p>
<a name="doc_chap7_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.4: Example setsebool command</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# setsebool user_ping 0
</pre></td></tr>
</table>
<p>
  To set the value of a boolean and also make it the default, so that the
  setting persists across policy reloads and reboots, use the <span class="code" dir="ltr">-P</span> option.
</p>
<a name="doc_chap7_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 7.5: Change default value</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# setsebool -P user_ping 1
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
            </span>Policy Kernel Messages</p>
<p>
   While a system is running, a program or user may attempt to do something
   that violates the security policy.  If the system is enforcing the policy,
   the access will be denied, and there will be a message in the kernel log.
   If the system is not enforcing (permissive mode), the access will be allowed,
   but there will still be a kernel message.
</p>
<p class="secthead"><a name="doc_chap8_sect1">AVC Messages</a></p>
<p>
   Most kernel messages from SELinux come from the access vector cache (AVC).
   Reading denials correctly matters, because the same message can mean an
   attack in progress, a program requiring an access nobody anticipated, or
   simply a mislabeled file.  An example denial may look like this:
</p>
<a name="doc_chap8_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 8.1: Example AVC Message</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
avc:  denied  { read write } for  pid=3392 exe=/bin/mount dev=03:03 ino=65554
scontext=pebenito:sysadm_r:mount_t tcontext=system_u:object_r:tmp_t tclass=file
</pre></td></tr>
</table>
<p>
   While most AVC messages are denials, occasionally there might be an audit
   message for an access that was granted:
</p>
<a name="doc_chap8_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 8.2: Example AVC Message 2</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
avc:  granted  { load_policy } for  pid=3385 exe=/usr/sbin/load_policy
scontext=pebenito:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
</pre></td></tr>
</table>
<p>
   In this case, the ability to load the policy was granted.  This is a critical
   security event, and thus is always audited.  Another event that is always
   audited is switching between enforcing and permissive modes.
</p>
<p>
   A burst of many denials in a short time does not by itself imply an attack
   in progress: a program may legitimately do something that triggers many
   denials at once, such as a stat() on every device node in /dev.  To keep
   such bursts from filling the system logs, SELinux rate limits its messages
   and reports how many it dropped:
</p>
<a name="doc_chap8_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 8.3: Example AVC Message 3</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
AVC: 12 messages suppressed.
</pre></td></tr>
</table>
<p>
   If such accesses are normal program behaviour but must still be denied, the
   policy has to be modified to stop auditing them (a dontaudit rule); the
   access stays denied, only the logging stops.
</p>
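<p>
   The following script is an added example for this page, not Gentoo's or the
   reference policy's code.  It puts the build pipeline from the SELinux Policy
   Files chapter (checkmodule, semodule_package, semodule) and the dontaudit
   fix just described into one runnable piece: it writes a small local module
   whose single rule silences an expected-but-still-denied access, then runs
   each build step if its tool is installed and stops at the first one that is
   missing, so it can be run on a host without SELinux to see the module source
   and the commands.  The module name <span class="code" dir="ltr">local_dontaudit</span>
   is chosen here; <span class="code" dir="ltr">user_t</span> and
   <span class="code" dir="ltr">device_t</span> appear on this page, but that this
   particular domain should be denied getattr on /dev nodes without logging is
   an assumption made for the example.
</p>

```python
"""Render a local policy module with one dontaudit rule and drive the
checkmodule -> semodule_package -> semodule build pipeline."""
import os
import shutil
import subprocess
import tempfile

MODULE_NAME = "local_dontaudit"   # name chosen for this example


def render_dontaudit_module(name, source_domain, target_type, tclass, perms,
                            version="1.0"):
    """Return .te source for a module containing a single dontaudit rule.

    dontaudit leaves the access denied and only stops the AVC from logging
    it, so it is the right fix for noisy, expected denials that must stay
    denied.  Every type and class a module refers to must be declared in a
    require block.
    """
    perm_list = " ".join(perms)
    return (
        "module %s %s;\n\n"
        "require {\n"
        "    type %s;\n"
        "    type %s;\n"
        "    class %s { %s };\n"
        "}\n\n"
        "dontaudit %s %s:%s { %s };\n"
        % (name, version,
           source_domain, target_type, tclass, perm_list,
           source_domain, target_type, tclass, perm_list)
    )


def build_commands(name, workdir=".", mls=False):
    """The build steps as argv lists, in the order they must run."""
    te = os.path.join(workdir, name + ".te")
    mod = os.path.join(workdir, name + ".mod")
    pp = os.path.join(workdir, name + ".pp")
    checkmodule = ["checkmodule"] + (["-M"] if mls else []) + ["-m", "-o", mod, te]
    return [
        checkmodule,                                 # .te -> .mod (-M on MLS/MCS policies)
        ["semodule_package", "-o", pp, "-m", mod],   # .mod -> .pp (add "-f name.fc" for file contexts)
        ["semodule", "-i", pp],                      # insert into the module store, reload policy
    ]


def build_module(workdir=None, name=MODULE_NAME, mls=False, load=False):
    """Write the .te and run the pipeline, stopping at the first missing tool.

    Returns {"te": path, "steps": [(argv, status), ...]}.  semodule -i only
    runs with load=True, because it changes the live policy; steps whose tool
    is not installed are reported as skipped so this runs on any host.
    """
    if workdir is None:
        workdir = tempfile.mkdtemp(prefix="selinux-module-")
    te_path = os.path.join(workdir, name + ".te")
    with open(te_path, "w") as f:
        # user_t and device_t are types from this page; that this domain
        # should be denied (silently) getattr on /dev nodes is assumed.
        f.write(render_dontaudit_module(name, "user_t", "device_t",
                                        "chr_file", ["getattr"]))
    steps = []
    for argv in build_commands(name, workdir, mls):
        if argv[0] == "semodule" and not load:
            steps.append((argv, "skipped: load=False"))
            break
        if shutil.which(argv[0]) is None:
            steps.append((argv, "skipped: %s not installed" % argv[0]))
            break
        subprocess.run(argv, check=True)
        steps.append((argv, "ok"))
    return {"te": te_path, "steps": steps}


if __name__ == "__main__":
    result = build_module()
    print(open(result["te"]).read())
    for argv, status in result["steps"]:
        print(" ".join(argv), "->", status)
```

<p>
   On a real system, compare the denial you want to silence with the rule before
   loading it: the source domain, target type, object class and permission set
   in the dontaudit rule must match the scontext type, tcontext type, tclass and
   permissions in the AVC message exactly, or the message keeps appearing.
</p>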
<p class="secthead"><a name="doc_chap8_sect2">Other kernel messages</a></p>
<a name="doc_chap8_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 8.4: inode_doinit_with_dentry</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:bar_t) returned 22 for dev=hda3 ino=517610
</pre></td></tr>
</table>
<p>
   This means that the file on /dev/hda3 with inode number 517610 carries the
   context system_u:object_r:bar_t, which the loaded policy does not recognise
   (the return value 22 is EINVAL).  Objects with an invalid context are
   treated as if they had the system_u:object_r:unlabeled_t context.  This
   usually happens when a type was removed from the policy, or a filesystem was
   labeled under a different policy.
</p>
<p class="chaphead"><a name="doc_chap9"></a><span class="chapnum">9.
            </span>Dissecting a Denial</p>
<p>
   Denials contain varying amounts of information, depending on the access type.
</p>
<a name="doc_chap9_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 9.1: Example Denials</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
avc:  denied  { lock } for  pid=28341 exe=/sbin/agetty path=/var/log/wtmp dev=03:03 ino=475406
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file

avc:  denied  { create } for  pid=20909 exe=/bin/ls scontext=pebenito:sysadm_r:mkinitrd_t
tcontext=pebenito:sysadm_r:mkinitrd_t tclass=unix_stream_socket

avc:  denied  { setuid } for  pid=3170 exe=/usr/bin/ntpd capability=7
scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability

</pre></td></tr>
</table>
<p>
   The most common denial relates to access of files.  For better understanding,
   the first denial message will be broken down:
</p>
<table class="ntable">
<tr>
<td class="infohead"><b>Component</b></td>
<td class="infohead"><b>Description</b></td>
</tr>
<tr>
<td class="tableinfo">avc:  denied</td>
    <td class="tableinfo">SELinux has denied this access.</td>
</tr>
<tr>
<td class="tableinfo">{ lock }</td>
    <td class="tableinfo">The attempted access is a lock.</td>
</tr>
<tr>
<td class="tableinfo">pid=28341</td>
    <td class="tableinfo">The process ID performing this access is 28341.</td>
</tr>
<tr>
<td class="tableinfo">exe=/sbin/agetty</td>
    <td class="tableinfo">The full path and name of the process's executable is /sbin/agetty.</td>
</tr>
<tr>
<td class="tableinfo">path=/var/log/wtmp</td>
    <td class="tableinfo">The path and name of the target object is /var/log/wtmp.  Note: a complete
        path is not always available.</td>
</tr>
<tr>
<td class="tableinfo">dev=03:03</td>
    <td class="tableinfo">The target object resides on device 03:03 (major:minor number).
        On 2.6 kernels this may resolve to a name, hda3 in this example.</td>
</tr>
<tr>
<td class="tableinfo">ino=475406</td>
    <td class="tableinfo">The inode number of the target object is 475406.</td>
</tr>
<tr>
<td class="tableinfo">scontext=system_u:system_r:getty_t</td>
    <td class="tableinfo">The context of the program is system_u:system_r:getty_t.</td>
</tr>
<tr>
<td class="tableinfo">tcontext=system_u:object_r:var_log_t</td>
    <td class="tableinfo">The context of the target object is system_u:object_r:var_log_t.</td>
</tr>
<tr>
<td class="tableinfo">tclass=file</td>
    <td class="tableinfo">The target object is a normal file.</td>
</tr>
</table>
<p>
   Not all AVC messages will have all of these fields, as shown in the other
   two denials.  The fields vary depending on the target object's class.
   However, the most important fields: access type, source and target contexts,
   and the target object's class will always be in an AVC message.
</p>
<p class="secthead"><a name="doc_chap9_sect1">Understanding the Denial</a></p>
<p>
   Denials can be very confusing since they can be triggered for several reasons.
   The key to understanding what is happening is to know the behavior of the
   program, and to correctly interpret the denial message.  The target is not
   limited to files; it could also be related to network sockets,
   interprocess communications, or others.
</p>
<p>
   In the above example, agetty is denied locking a file.  The file's type is
   var_log_t, which implies the target file is in /var/log; the path= field
   confirms it to be /var/log/wtmp.  If path information were unavailable, the
   file could still be located by inode number, for example with
   <span class="code" dir="ltr">find -xdev -inum 475406</span> run from the mount
   point of the filesystem that dev=03:03 (hda3) refers to.  wtmp records login
   and logout history, and agetty handles logins on ttys, so this is an
   expected access by agetty for updating wtmp.  Why, then, is it denied?  Is
   there a flaw in the policy by not allowing agetty to update wtmp?  It turns
   out that wtmp has the incorrect context.  It should be
   system_u:object_r:wtmp_t rather than system_u:object_r:var_log_t, and the
   policy does allow getty_t that access on wtmp_t files.
</p>
<p>
   If this access were not understood, an administrator might mistakenly allow
   getty_t read/write access to var_log_t files, which would be wrong: agetty
   only needs to modify /var/log/wtmp, and such a rule would let it write every
   other log file as well.  The correct fix is to restore the file's context
   (for example with <span class="code" dir="ltr">restorecon /var/log/wtmp</span>),
   not to widen the policy.  This underscores how critical it is to keep file
   contexts consistent.
</p>
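<p>
   The dissection and the reasoning above can be applied mechanically, so that
   a mislabeled file is recognised before anyone writes an allow rule for it.
   The script below is an added example for this page, not code from Gentoo or
   the SELinux project.  It parses AVC messages into their fields (only the
   access type, source and target contexts and object class are required, the
   rest are optional, as the text says), then triages each denial: a file
   denial whose target type differs from the type the file should carry is
   reported as mislabeled with a restorecon fix, an audited grant is reported
   as nothing to fix, and everything else is handed to a human.  The three
   denials are the ones from the listing above, joined onto one line each;
   <span class="code" dir="ltr">EXPECTED_FILE_TYPES</span> is a constructed stand-in
   for the policy's file_contexts entries (in practice those come from the
   installed policy's .fc files), and restorecon is the standard relabeling
   tool rather than something this page documents.
</p>

```python
"""Dissect AVC messages into their fields and triage file denials against
the types the files are supposed to carry."""
import re

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# The three denials from the listing above, each joined onto a single line.
DENIALS = [
    "avc:  denied  { lock } for  pid=28341 exe=/sbin/agetty path=/var/log/wtmp "
    "dev=03:03 ino=475406 scontext=system_u:system_r:getty_t "
    "tcontext=system_u:object_r:var_log_t tclass=file",
    "avc:  denied  { create } for  pid=20909 exe=/bin/ls "
    "scontext=pebenito:sysadm_r:mkinitrd_t tcontext=pebenito:sysadm_r:mkinitrd_t "
    "tclass=unix_stream_socket",
    "avc:  denied  { setuid } for  pid=3170 exe=/usr/bin/ntpd capability=7 "
    "scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t "
    "tclass=capability",
]

# Constructed stand-in for the policy's file_contexts: path -> expected type.
# On a real system this comes from the .fc files of the installed policy.
EXPECTED_FILE_TYPES = {"/var/log/wtmp": "wtmp_t"}

FILE_CLASSES = ("file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file")


def parse_avc(line):
    """Return a dict with result, perms (list) and every key=value field.

    scontext, tcontext and tclass are always present; path, exe, dev, ino,
    capability and the rest depend on the object class and are optional.
    """
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC message: %r" % line)
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("rest")))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in rec:
            raise ValueError("AVC message lacks %s: %r" % (key, line))
    return rec


def context_type(ctx):
    """Third field of identity:role:type[:level]."""
    return ctx.split(":")[2]


def triage(rec, expected=EXPECTED_FILE_TYPES):
    """Classify a parsed AVC record before anyone writes an allow rule.

    Returns (verdict, detail) with verdict one of:
      granted    - an audited success (load_policy, setenforce): nothing to fix
      mislabeled - the target file carries the wrong type: relabel it, do not
                   widen the source domain's access
      review     - a real policy question that needs a human decision
    """
    if rec["result"] == "granted":
        return "granted", "audited access, no policy change needed"
    path = rec.get("path")
    if rec["tclass"] in FILE_CLASSES and path:
        actual = context_type(rec["tcontext"])
        wanted = expected.get(path)
        if wanted and wanted != actual:
            return "mislabeled", "%s is %s but should be %s; run restorecon %s" % (
                path, actual, wanted, path)
    source = context_type(rec["scontext"])
    if rec["tclass"] == "capability":
        return "review", "%s wants capability %s (%s)" % (
            source, " ".join(rec["perms"]), rec.get("capability", "?"))
    return "review", "%s -> %s:%s { %s }" % (
        source, context_type(rec["tcontext"]), rec["tclass"], " ".join(rec["perms"]))


if __name__ == "__main__":
    for line in DENIALS:
        rec = parse_avc(line)
        verdict, detail = triage(rec)
        print("%-10s pid=%s %s" % (verdict, rec.get("pid", "?"), detail))
```

<p>
   The parser deliberately requires scontext, tcontext and tclass and treats
   everything else as optional, which is exactly the split the text above makes
   between the fields every AVC message carries and the ones that depend on the
   object class.
</p>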
<p class="chaphead"><a name="doc_chap10"></a><span class="chapnum">10.
            </span>References</p>
<p>
   <a href="http://www.nsa.gov/selinux">U.S. National Security Agency</a>,
   SELinux Policy README
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated July 13, 2009</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>