Re: Recommendation for manipulating config files using external tool

On 1/13/20 11:27 PM, zer0 0ne wrote:
> All,
> 
> I am new to SELinux policy. I have several daemons D1, D2, ... and each has a corresponding config file C1, C2, .... The config files are typed per daemon and the .fc is set by the individual daemon policy. However, we have a common utility that is used for manipulating all the config files, and all the daemons use the utility to manipulate the config files. All daemons run exec() and invoke the utility to manipulate the config file (it is ugly, legacy code).
> 
> Any recommendation on how to tailor SELinux policies for a use case like this? Is there any existing SELinux policy that follows a similar model?
> 

Hi Zer0,

For this purpose there are Domain Transition rules defined in SELinux
policy.

Let's follow your example. You have several SELinux domains for
daemons D1, D2, and corresponding config files C1, C2.

Then you can also label the utility that manipulates these config
files, let's say U1.

You define that daemons can only read their own config files.

allow D1 C1:file read;

allow D2 C2:file read;


and now the tricky part. You need to allow utility U1 to write to both
config files.


allow U1 C1:file {read append write};
allow U1 C2:file {read append write};

But how to switch from D1 or D2 to U1?

Well, now Domain Transition will play its part. You can label the
utility's binary file as U1_exec_t and say:

If daemons labeled D1 (D2) execute a binary file labeled U1_exec_t,
then the newly created process will be labeled U1.

SELinux syntax:
type_transition D1 U1_exec_t: process U1;

This is how you achieve that daemons cannot write to config files,
only the utility can.

More info:
https://selinuxproject.org/page/NB_Domain_and_Object_Transitions

Thanks,
Lukas.



> Zer0 0ne 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.


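A complete policy module for the setup Lukas describes, added here as an example; it is not part of the original thread and not a shipped policy. The names d1_t, d2_t, d1_conf_t, d2_conf_t, cfgutil_t, cfgutil_exec_t and the path /usr/bin/cfgutil are assumptions. It is written in reference-policy style so it builds with the selinux-policy-devel Makefile, and it spells out the supporting rules a type_transition needs (execute on the binary, transition to the new domain, entrypoint for the new domain) that the reply above leaves implicit.

```selinux
# cfgutil.te -- example module (assumed names, not from the thread)
policy_module(cfgutil, 1.0.0)

gen_require(`
	type d1_t, d2_t;            # daemon domains, declared by their own modules
	type d1_conf_t, d2_conf_t;  # per-daemon config file types from those modules
')

# The utility gets a domain of its own plus an entrypoint type for its binary.
type cfgutil_t;
type cfgutil_exec_t;
domain_type(cfgutil_t)
# Grants cfgutil_t 'entrypoint' on cfgutil_exec_t (and read/execute of it).
domain_entry_file(cfgutil_t, cfgutil_exec_t)

# Daemons may only read their own config file; no write/append anywhere.
allow d1_t d1_conf_t:file { getattr open read };
allow d2_t d2_conf_t:file { getattr open read };

# Only the utility domain may modify either config file.
allow cfgutil_t d1_conf_t:file { getattr open read append write };
allow cfgutil_t d2_conf_t:file { getattr open read append write };

# Domain transition d1_t -> cfgutil_t when d1_t execs cfgutil_exec_t.
# Besides the type_transition itself the kernel checks three things:
#   1. the caller may execute the binary ('map' is needed on kernels >= 4.13),
#   2. the caller may transition to the new domain,
#   3. the new domain may be entered through that binary (entrypoint,
#      already granted by domain_entry_file() above).
allow d1_t cfgutil_exec_t:file { getattr open read execute map };
allow d1_t cfgutil_t:process transition;
type_transition d1_t cfgutil_exec_t:process cfgutil_t;

# The same three rules for d2_t.
allow d2_t cfgutil_exec_t:file { getattr open read execute map };
allow d2_t cfgutil_t:process transition;
type_transition d2_t cfgutil_exec_t:process cfgutil_t;
```

The matching cfgutil.fc needs one line, `/usr/bin/cfgutil -- gen_context(system_u:object_r:cfgutil_exec_t,s0)`, then build and load with `make -f /usr/share/selinux/devel/Makefile cfgutil.pp`, `semodule -i cfgutil.pp` and `restorecon -v /usr/bin/cfgutil`. The three raw rules per daemon can be replaced by the reference-policy macro `domain_auto_trans(d1_t, cfgutil_exec_t, cfgutil_t)`, which expands to the same thing. Two checks worth running afterwards: `sesearch -T -s d1_t -t cfgutil_exec_t -c process` should show the transition, and `sesearch -A -s d1_t -c file -p write` should list no config type. Two caveats: the utility runs as cfgutil_t no matter which daemon exec'd it, so D1 can still drive it against C2 through the utility's arguments (that matches the question's design, but it is the utility, not the caller, that SELinux confines); and if the utility replaces a config file by writing a temporary file and renaming it rather than writing in place, it also needs create/rename/unlink on the containing directory plus a file type_transition, otherwise the new file inherits the directory's label and the daemon can no longer read it.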
