On Wed, 2008-09-03 at 17:41 +1000, Murray McAllister wrote: > Hi, > > The following is a draft of the "Targeted Policy" sections for the > SELinux User Guide. Any comments and corrections are appreciated. > > Thanks. > > Targeted Policy > > Targeted policy is the default SELinux policy used in Fedora 10. When > using targeted policy, subjects that are targeted run in their own > domain type, and subjects that are not targeted run in the unconfined_t > domain type. When a subject runs in the unconfined_t domain type, > SELinux rules do not apply, and only DAC rules are used. Not exactly true. SELinux rules are always applied, but the unconfined_t domain is allowed (almost) all permissions in the SELinux policy/rules. > Confined Subjects > > A large number of subjects are protected, and are therefore confined by > the SELinux targeted policy, including the Apache HTTP Server (httpd), > Samba (samba), FTP (vsftpd), Kerberos (krb5-server), ISC BIND (bind and > bind-chroot), NFS (nfs-utils), and NIS (ypserv). When a subject is > confined, it runs in its own domain type, such as the httpd subject > running in the httpd_t domain type. When a confined subject is > compromised by an attacker, the damage an attacker can do and the data > they can access is greatly limited. Greatly limited might be too strong as a general statement - it is limited in accordance with the policy, and thus depends on how the policy is configured. > The following example demonstrates how SELinux prevents the Apache HTTP > Server (httpd) from reading files that are not correctly labeled, such > as files intended for use by another subject. This is an example, and > should not be used in production. It assumes that the httpd and wget > packages are installed, that the SELinux targeted policy is used, and > that SELinux is running in enforcing mode: > > 1. As the Linux root user, run the touch /var/www/html/testfile command. > > 2. Run the ls -Z /var/www/html/testfile command to view the SELinux > context: > > -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 > /var/www/html/testfile > > By default, Linux users run unconfined on Fedora 10, which is why the > testfile file object is labeled with the SELinux unconfined_u user. The > object_r role is a standard role, and does not affect access control. > The httpd_sys_content_t file type allows the httpd subject to access > this object. > > [ What is object_r really for? ] The default role value for objects, and one that avoids any restrictions on the user, type, and level combination in the object context. > 3. As the Linux root user, start the Apache HTTP Server: /sbin/service > httpd start. When the server has started, change into a directory where > your Linux user has write access to, and run the wget > http://localhost/testfile command. Unless there are any changes to the > default configuration, this command succeeds. > > 4. The /usr/bin/chcon command relabels files; however, such label > changes do not survive when the file system is relabeled. For permanent > changes that survive a file system relabel, use the /usr/sbin/semanage > command, which is discussed later. As the Linux root user, run the > /usr/bin/chcon -t samba_share_t /var/www/html/testfile command to change > the file type, to a file type that is used by Samba. Run the ls -Z > /var/www/html/testfile command to verify the changes: > > [ If a file has an entry in file_contexts, and is relabeled with > semanage fcontext, does that update > /etc/selinux/targeted/contexts/files/file_contexts with the change? I > was going to try, but forgot how to change the file type with semanage] See the EXAMPLES section of the semanage man page. semanage fcontext -a -t samba_share_t /var/www/html/testfile The semanage command will update the file_contexts file with the change, but does not immediately apply the label to any affected files - you need to run restorecon on the files in order to apply it. > > -rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 > /var/www/html/testfile > > 5. Note: the current DAC permissions allow the httpd subject access to > this file. Change into a directory where your Linux user has write > access to, and run the wget http://localhost/testfile command. Unless > there are any changes to the default configuration, this command fails: > > HTTP request sent, awaiting response... 403 Forbidden > 2008-08-22 03:48:40 ERROR 403: Forbidden. > > This example demonstrates the additional security added by SELinux. > Although the httpd subject had access to the object in step 5, because > the object was labeled with a file type that httpd subject does not have > access to, SELinux denied access. After step 5, an error such as the > following is logged to /var/log/messages: > > Aug 22 03:48:40 localhost setroubleshoot: SELinux is preventing httpd > (httpd_t) "getattr" > to /var/www/html/testfile (samba_share_t). For complete SELinux messages. > run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654 > > Also, if the audit package is installed and the auditd subject is > running, a more detailed denial is logged to /var/log/audit/audit.log. > These denials are discussed later. > > Unconfined Subjects > > Unconfined subjects run in the unconfined_t domain type. This means that > SELinux policy rules do not apply, and only DAC permissions are used. To be precise, the SELinux policy rules grant most permissions to the unconfined_t domain, making it _effectively_ unconstrained by SELinux even though the rules _are_ still applied. > When an unconfined subject is comprised, an attacker may gain access to > a large number of system resources and data. > > The following example demonstrates how the Apache HTTP Server (httpd) > can access data intended for use by another subject, when running > unconfined. Note: on Fedora 10, the httpd subject runs in the confined > httpd_t domain type by default. This is an example, and should not be > used in production. It assumes that the httpd and wget packages are > installed, that the SELinux targeted policy is used, and that SELinux is > running in enforcing mode: > > 1. As the Linux root user, run the touch /var/www/html/test2file command. > > 2. Run the ls -Z /var/www/html/test2file command to view the SELinux > context: > > -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 > /var/www/html/test2file > > By default, Linux users run unconfined on Fedora 10, which is why the > test2file file object is labeled with the SELinux unconfined_u user. The > object_r role is a standard role, and does not affect access control. > The httpd_sys_content_t file type allows the httpd subject to access > this object. > > 3. The /usr/bin/chcon command relabels files; however, such label > changes do not survive when the file system is relabeled. For permanent > changes that survive a file system relabel, use the /usr/sbin/semanage > command, which is discussed later. As the Linux root user, run the > /usr/bin/chcon -t samba_share_t /var/www/html/test2file command to > change the file type, to a file type that is used by Samba. Run the ls > -Z /var/www/html/test2file command to verify the changes: > > -rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 > /var/www/html/test2file > > 4. To simulate the httpd subject running unconfined, run the > /usr/sbin/setenforce 0 command as the Linux root user to temporarily > disable SELinux. Confirm SELinux is disabled by running the > /usr/sbin/getenforce command. When SELinux is disabled, > /usr/sbin/getenforce returns Permissive: > > $ getenforce > Permissive There are more precise ways to make httpd unconfined w/o making the entire system permissive, e.g.: 1) Label the httpd binary with unconfined_exec_t and re-start it, or 2) Making the httpd_t domain permissive (in F10 and later): semanage permissive -a httpd_t > 5. As the Linux root user, start the Apache HTTP Server: /sbin/service > httpd start. Change into a directory where your Linux user has write > access to, and run the wget http://localhost/test2file command. Unless > there are any changes to the default configuration, this command succeeds. > > 6. Enable SELinux by running /usr/sbin/setenforce 1 command. When > SELinux is enabled, /usr/sbin/getenforce returns Enforcing: > > $ getenforce > Enforcing > > The examples in these sections demonstrate how data can be protected > from a compromised confined-subject (protected by SELinux), as well as > how data is more accessible to an attacker from a compromised > unconfined-subject (not protected by SELinux). > > Confined and Unconfined User Domains > > In progress. Introduction to restrictions on certain domains (user_t, > guest_t etc). > > Are there any SELinux restrictions on what users can do when they run > unconfined? Yes. They are still restricted by MCS. There are certain booleans that can apply certain restrictions like execmem, execstack. And if they run any program with its own domain and a domain transition is defined from unconfined_t to the program's domain then they are still subject to the restrictions on that domain. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
