Linux
Linux
Linux
html
• Table of Contents
• Index
• Reviews
• Reader Reviews
• Errata
• Academic
SELinux
By Bill McCarty
Publisher: O'Reilly
Pub Date: October 2004
ISBN: 0-596-00716-7
Pages: 254
This small but information-packed book covers the wide range of knowledge needed to secure your
system using this respected extension to Linux. SELinux discusses critical topics, such as SELinux
concepts and its security model; installation instructions; system and user administration; understanding,
implementing, and developing your own SELinux security policies. With SELinux, a high-security
computer is within reach of any system administrator, and this book provides the means.
< Day Day Up >
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
• Table of Contents
• Index
• Reviews
• Reader Reviews
• Errata
• Academic
SELinux
By Bill McCarty
Publisher: O'Reilly
Pub Date: October 2004
ISBN: 0-596-00716-7
Pages: 254
Copyright
Preface
Organization of This Book
Conventions Used in This Book
Using Code Examples
How to Contact Us
Acknowledgments
Chapter 1. Introducing SELinux
Section 1.1. Software Threats and the Internet
Section 1.2. SELinux Features
Section 1.3. Applications of SELinux
Section 1.4. SELinux History
Section 1.5. Web and FTP Sites
Chapter 2. Overview of the SELinux Security Model
Section 2.1. Subjects and Objects
Section 2.2. Security Contexts
Section 2.3. Transient and Persistent Objects
Section 2.4. Access Decisions
Section 2.5. Transition Decisions
Section 2.6. SELinux Architecture
Chapter 3. Installing and Initially Configuring SELinux
Section 3.1. SELinux Versions
Section 3.2. Installing SELinux
Section 3.3. Linux Distributions Supporting SELinux
Section 3.4. Installation Overview
Section 3.5. Installing SELinux from Binary or Source Packages
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions
are also available for most titles (http://safari.oreilly.com). For more information, contact our
corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of
O'Reilly Media, Inc. The Linux series designations, SELinux: NSA's Open Source Security Enhanced
Linux, images of the American West, and related trade dress are trademarks of O'Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a
trademark claim, the designations have been printed in caps or initial caps. The use of NSA's SELinux in
this book does not constitute implied or expressed endorsement of the book by National Security
Agency (NSA) or any of its agents
. While every precaution has been taken in the preparation of this book, the publisher and author assume
no responsibility for errors or omissions, or for damages resulting from the use of the information
contained herein.
Preface
As a security researcher and author of computer books, I work hard to stay abreast of the latest
technological developments. So, I'd been tracking Security Enhanced Linux (SELinux) on my technology
radar for several years. But, frankly, it didn't seem to me easy enough, or robust enough, for dependable
use by Linux system administrators.
About one year ago, SELinux seemed to grow up suddenly. I now believe that SELinux is the most
important computing technology for Linux users that I've seen in the last several years. Obviously, others
agree that SELinux is important and useful: SELinux has been incorporated into Fedora Core, Gentoo,
and SUSE Linux. And by the time this book is in print, it's expected to be part of Red Hat Enterprise
Linux.
Why the sudden popularity? In a nutshell, SELinux promises to change the way Linux users practice
computer security from a reactive posture, based on applying patches intended to close published
vulnerabilities, to a proactive posture that seeks to prevent even unpublished vulnerabilities from
compromising systems. Properly configured and administered Linux systems already hold a
well-deserved reputation for resistance to attack. SELinux significantly ups the ante on attackers and
intruders by providing Linux system administrators with access to sophisticated security technology of a
sort previously available only to administrators of high-security systems running expensive, military-grade
operating systems.
One thing SELinux: NSA's Open Source Security Enhanced Linux doesn't do is explain how to write
programs that use the SELinux API. I anticipate that this book will be useful to those who want to write
such programs. But SELinux is designed for system administrators, not programmers, and therefore
doesn't assume programming skills or expertise. Consequently, those interested in using the SELinux
API will have to supplement the material presented in this book with information obtained from SELinux
documentation and other sources.
This book is divided into nine chapters and five appendixes. Here is a brief summary of each chapter's
focus:
Chapter 1, Introducing SELinux, explains why SELinux is valuable and which common security flaws it
addresses, including the concept of the 0-day vulnerability.
Chapter 2, Overview of the SELinux Security Model, explains such basic concepts as roles, domains,
and transitions. It prepares the reader for SELinux installation.
Chapter 3, Installing and Initially Configuring SELinux, lays out the current state of SELinux support in
several GNU/Linux distributions and provides guidance for installation.
Chapter 4, Using and Administering SELinux, is a basic SELinux system guide for system administrators,
covering such techniques as user administration.
Chapter 5, SELinux Policy and Policy Language Overview, prepares the reader to write or revise
policies, which is necessary when new software is installed on an SELinux system or when policies need
to be adjusted to current system use. This chapter discusses the build process, the layout of
policy-related files, and general issues such as macros.
Chapter 6, Role-Based Access Control, introduces the syntax of policy files and describes the directives
that relate to user roles.
Chapter 7, Type Enforcement, discusses the next major aspect of SELinux policies, type-enforcement
files.
Chapter 8, Ancillary Policy Statements, finishes the explanation of policy statements with a description of
constraints and other miscellaneous directives.
Chapter 9, Customizing SELinux Policies, pulls together all the material from the book, provides
concrete examples of how to adjust SELinux systems to users' needs, and introduces tools that help
monitor the system and view policies.
Five appendixes list the classes, operations, macros, types, and attributes defined by SELinux policy files.
Italic
Used for commands, programs, and options. Italic also indicates new terms, URLs, filenames and file
extensions, and directories.
Constant Width
Used to show the contents of files or the output from commands. Constant width is also used to indicate
domains, types, roles, macros, processes, policy elements, aliases, rules, and operations.
Used in examples and tables to show commands or other text that should be typed literally by the user.
Used in examples and tables to show text that should be replaced with user-supplied values.
A final word about syntax: in many cases, the space between an option and its argument can be omitted.
In other cases, the spacing (or lack of spacing) must be followed strictly. For example, -wn (no
intervening space) might be interpreted differently from -w n. It's important to notice the spacing used in
option syntax.
Keyboard Accelerators
In a keyboard accelerator (such as Ctrl-Alt-Del), a dash indicates that the keys should be held down
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
This book is here to help you get your job done. In general, you may use the code in this book in your
programs and documentation. You do not need to contact us for permission unless you're reproducing a
significant portion of the code. For example, writing a program that uses several chunks of code from
this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly
books does require permission. Answering a question by citing this book and quoting example code
does not require permission. Incorporating a significant amount of example code from this book into
your product's documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher,
and ISBN. For example: "SELinux: NSA's Open Source Security Enhanced Linux, by Bill McCarty.
Copyright 2004 O'Reilly Media, Inc., 0-596-00716-7."
If you feel your use of code examples falls outside fair use or the permission given above, feel free to
contact us at permissions@oreilly.com.
How to Contact Us
Please address any comments or questions concerning this book to the publisher:
O'Reilly Media, Inc.1005 Gravenstein Highway NorthSebastopol, CA 95472(800) 998-9938 (in the
U.S. or Canada)(707) 829-0515 (international/local)(707) 829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any additional information. The
site also includes a link to a forum where you can discuss the book with the author and other readers.
You can access this page at:
http://www.oreilly.com/catalog/selinux
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about books, conferences, software, Resource Centers, and the O'Reilly
Network, see our web site at:
http://www.oreilly.com
< Day Day Up >
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Acknowledgments
Thanks to my editor, Andy Oram, who struggled alongside me through some difficult challenges of
structure and design. This book wouldn't have been nearly as clear and readable without Andy's insights
and patient influence.
Thanks also to Margot Maley of Waterside Productions, Inc., who brought this authorship opportunity
to my attention.
Several reviewers, some working for O'Reilly Media and some working elsewhere, commented on the
manuscript and suggested helpful corrections and improvements. In particular, I'd like to thank the
following people for taking time to review this book: Dr. Steve Beatty, Joshua Brindle, David Castro,
and George Chamales. I greatly appreciate their assistance and readily confess that any errors in the
manuscript were added by me after their reviews, and so are entirely my responsibility.
My family—Jennifer, Patrick, and Sara—provided their customary compassion and assistance during
this latest authorship experience. Thanks, guys!
I also acknowledge the faithfulness of my savior, Jesus Christ. His perfect love is entirely undeserved.
This chapter explains the what and why of SELinux. It begins by describing the threat environment and
why the prevalent model of security—patching against known vulnerabilities—is inadequate. The chapter
goes on to describe several security mechanisms designed to protect against both known and unknown
vulnerabilities. The chapter then presents an overview of SELinux, describing its main features,
capabilities, and history. The chapter concludes with a survey of resources helpful to SELinux users.
Because you're reading this book, it's likely that you're responsible for the management of one or more
sensitive hosts. If that's the case, you're aware that the threat level for Internet-based attacks has
increased rapidly over the last several years and continues to do so. One authoritative barometer of this
trend is the number of incident reports logged by the Computer Emergency Response Team
Coordination Center (CERT/CC) of Carnegie Mellon University's Software Engineering Institute. Table
1-1 shows the number of incident reports for 2000 through 2003. During this four-year period, incident
reports increased at an average annual rate of almost 85 percent. That is, the number of incidents has
roughly doubled each year. If this rapid rate of increase continues, the year 2010 will see over 10 million
incident reports.
Year Reports
2000 21,756
2001 52,658
2002 82,094
2003 137,529
Of course, the number of incident reports is an indirect rather than direct measure of the threat level. So
some might argue that the threat level is unchanged, and the increase in incident reports is due to system
administrators reporting a greater proportion of incidents.
Insider Threats
Not all threats arise from software or the Internet. So-called insider threats, which come
from local-area networks or proprietary wide-area networks, can present even more
serious risks. Insiders often attack systems by means other than software vulnerabilities.
For instance, employees in two work groups may collude to falsify database records to
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
SELinux is a software product that includes several mechanisms that protect against attacks exploiting
software vulnerabilities, including attacks on 0-day vulnerabilities. In particular, SELinux implements
role-based access control and sandboxing.
SELinux also provides a logging and audit facility that records attempts to exceed specified permissions.
By monitoring the system log, the administrator of an SELinux system can often discover attempts to
escalate privileges and take action to prevent an intruder or insider from interfering with operation of the
system.
SELinux is designed to protect against misuse and unauthorized use such as:
• Privilege escalation
•
Figure 1-1 depicts the operation of SELinux in a highly simplified fashion. SELinux works by associating
each program or process with a sandbox known as a domain. Each domain is assigned a set of
permissions sufficient to enable it to function properly but do nothing else. For instance, a domain is
limited in the files it can access and the types of operations it can perform on those files. To enable
specification of such permissions, each file is labeled with information called a security context. The
definition of a domain spells out what operations it can perform on files having specific security contexts.
A domain cannot access files having security contexts other than those for which it is explicitly granted
access.
To understand the value of SELinux, let's revisit the Apache and ptrace vulnerability mentioned earlier in
the sidebar "The Apache OpenSSL Attack." Unknown to the administrator of the server, the version of
Apache being run contains a vulnerability for which no patch is yet available. An attacker exploits this
vulnerability to remotely compromise Apache, thereby gaining the privileges extended to the apache user
account. Because the system's security is based on discretionary access control, these privileges are
relatively extensive. In particular, they're sufficient to allow the attacker to execute the ptrace program,
which also contains a vulnerability. Moreover, the ptrace program is a setsuid program that always runs
as the root user regardless of the identity of the user who launches it. Thus, when the attacker
compromises ptrace, he gains access to the root account and has unrestricted access to all system files
and resources. The attacker establishes a backdoor by which to conveniently reenter the system at will,
cleans the system logs to cover all traces of his intrusion, and adds the system to his list of owned hosts.
If the web server had been running on an SELinux host with properly configured policies, the scenario
would have proceeded differently. As before, the attacker would have been able to compromise
Apache by using his 0-day attack. But, having done so, the attacker would gain only those permissions
afforded the domain under which Apache was run. These would not permit the attacker to run the
ptrace program, and so he would be prevented from using the ptrace vulnerability to seize control of the
system. The domain associated with Apache would not provide the attacker with write access to the
HTML files making up the web site. Thus the attacker would be prevented from defacing it. Unless the
attack terminated the Apache process, the attack might not even interrupt the availability of web
services. Under SELinux, the effects of the attack might be largely mitigated.
SELinux, though only recently released to the public as a software product, has a substantial heritage.
SELinux descends from work that began several decades ago. In 1973, computer scientists David Bell
and Leonard LaPadula defined the concept of a secure system state and published a formal model
describing a multilevel security system.
Later, in the 1980s, the work of Bell and LaPadula strongly influenced the U.S. government's
development of the Trusted Computer System Evaluation Criteria (TCSEC, popularly known as the
Orange Book). The TCSEC defined six evaluation classes with progressively more stringent security
requirements: C1, C2, B1, B2, B3, and A1. Class C1 and C2 systems, like Linux, depended upon
discretionary access controls. Class B1 systems and systems of higher classes had to, like SELinux,
implement mandatory access controls.
During the 1990s, researchers at the U.S. National Security Agency (NSA) worked with Secure
Computing Corporation (SCC) to develop a strong and flexible mandatory access control architecture.
Initially, their work focused on theoretical proofs of the properties and characteristics of the architecture.
Eventually, working with a research team at the University of Utah, they developed a working prototype
of the architecture called Flask within Fluke, a research operating system.
Later, NSA researchers worked with Network Associates and the R&D firm MITRE to implement the
architecture within the open source Linux operating system. Their work was released to the public in
December 2000, as an open source product.
Subsequently, Linux 2.5 was modified to incorporate LSMs, a kernel feature intended to simplify
integration among SELinux, similar products, and the Linux operating system. This modification was
carried forward to Linux 2.6 when development of Linux 2.5 was deemed complete.
More recently, several Linux distributors have announced plans to support SELinux within their Linux
distributions. Among these are Red Hat, distributor of the commercial Linux distribution with the largest
market share in the U.S. and worldwide, and SUSE, distributor of Europe's leading Linux distribution.
SELinux is already a standard component of Fedora Core, the noncommercial Linux distribution whose
development is sponsored by Red Hat, and several other noncommercial Linux distributions, including
Debian GNU/Linux and Gentoo Linux.
Several Linux distributions augment SELinux with other security mechanisms. For instance, Gentoo
Linux can be configured to compile the Linux kernel and applications to work with either of two
mechanisms:
PaX
Provides a variety of protections against attacks, including Address Space Layout Randomization
(ASLR). See http://pax.grsecurity.net/docs/pax.txt.
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
http://www.nsa.gov/selinux
In addition, various Linux distributors and interested parties provide SELinux-related web pages and
FTP sites. Among the most popular and useful are:
http://www.crypt.gen.nz/selinux
http://opensource.nailabs.com/selinux
http://www.coker.com.au/selinux
http://www.microcomaustralia.com.au/debian
http://selinux.sourceforge.net
http://fedora.redhat.com/projects/selinux
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
The main purpose of this chapter is to introduce you to SELinux terms and concepts helpful in the
installation and initial configuration of SELinux, which is covered in Chapter 3. This chapter presents an
overview of the security model implemented by SELinux, which is based on the Flask architecture
designed by the NSA. (SELinux is ultimately grounded on principles that have guided the design and
administration of highly secure military systems for decades, such as those described in the so-called
"Orange Book."[1]) Because of this chapter's practical aim, its emphasis is on basic Flask and SELinux
concepts and terms. Chapter 5 explains the SELinux security model in greater detail. In addition to
providing an overview of SELinux functions, Chapter 5 provides an overview of SELinux architecture,
describing each major SELinux component.
[1] DoD Trusted Computer System Evaluation Criteria (DoD 5200.28-STD), available from the U.S.
National Institute of Standards, http://csrc.nist.gov/secpubs/rainbow/nsaorder.txt.
Like other onetime elementary and secondary students, you've probably endured many school lectures
on the subject of English grammar. If you're old enough, you may even have endured that most feared
exercise of secondary education (which is now largely extinct): the sentence diagram, like that shown in
Figure 2-1.
At the time of your elementary and secondary studies, the various parts of speech—nouns, verbs,
adjectives, adverbs, and so on—and components of sentence structure—subjects, actions, direct and
indirect objects, and so on—may not have seemed to you and your fellow students to be the most
fascinating of topics. And, unless in adult life you've worked as a writer or editor, your aversion may
seem to have been well-founded: many adults seem to get through life quite well with only a very
fragmentary understanding of English grammar.
If I claimed that knowledge of English grammar would help you better secure your computer systems,
would that influence your estimate of the value of its study? Perhaps not. But my claim would
nevertheless be true. The security model that underlies SELinux is based on simple grammatical concepts
common to English and most other human languages, as well as artificial languages such as computer
programming languages. Some scientists believe that an understanding of these concepts is more or less
intrinsic to humankind—encoded in the structure of the human mind itself—and quietly shapes the way
we view and understand reality. Of course, if grammar is truly innate, one may well wonder why it's
necessary to teach it to students. But rather than get sidetracked by a debate over psycholinguistics (as
the study of the grammatical mind is called), let's explore the relationship between grammar, SELinux,
and computer security.
• Subjects
•
• Objects
•
• Actions
Subjects are the actors within a computer system. You might initially think that users would be the
subjects of the SELinux security model, especially if your experience with computer systems has been
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
The discussion in the preceding section might lead you to believe that SELinux makes security decisions
based on the identity of individual subjects and objects. In principle, such a system could be made to
work. But the system would be unnecessarily unwieldy. Because processes related to a single program
can generally be treated the same, it's more convenient to make security decisions based on sets or
classes of subjects and objects rather than on individual objects. For example, every instance of the
SSH server should generally be given the same permissions, including read access to
/etc/ssh/sshd_config. Similarly, all the files within a given directory often can be manipulated by the
same subject. For example, the DHCP service should be permitted to manipulate any of the files in
/var/state/dhcp. To simplify decision making, similar subjects can be grouped and similar objects can be
grouped.
SELinux associates information called security attributes with subjects and objects and bases its security
decisions on the values of these attributes. Three security attributes are used:
User identity
The user identity indicates the SELinux user account associated with a subject or object. In the case of a
subject, the user identity gives the SELinux user account under which the process is running. In the case
of an object, the user identity gives the user account that owns the object.
In tracking user identities, SELinux does not use the list of user accounts
maintained by Linux in /etc/passwd. Instead, it uses its own database and a
mapping that associates SELinux users with Linux users. This approach is
consistent with the philosophy that Linux access controls and SELinux access
controls should be completely separate, so that changes to one don't affect the
other. One important benefit of keeping separate user account databases is that
changes to /etc/passwd don't invalidate the SELinux security attributes of
subjects and objects. Keeping separate user databases is not as cumbersome
as it may seem, because most systems can be configured to use only a handful
of SELinux user accounts. That is, many Linux user accounts can often be
mapped to a single SELinux user account.
Role
Under SELinux, users are authorized to enter one or more roles, each of which defines a set of
permissions a user can be granted. At a given time, a user can reside in only a single role. A user can
transition from one authorized role to another by using the special command newrole. This command
changes the user's SELinux role similar to the way the Linux su command changes a user's Linux identity.
SELinux establishes a special role, sysadm_r, used for administering SELinux facilities.
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Two kinds of objects exist within a Linux system: transient objects and persistent objects. A transient
object has a quite limited lifetime, often existing merely as a data structure within kernel space. A
process is the most common kind of transient object. SELinux can directly associate an SID with a
transient object by keeping a memory-resident table that maps transient object identities to SIDs and
thence to security contexts.
In contrast to transient objects, a persistent object has an indefinite lifetime. The most common persistent
objects are files and directories. Because persistent objects, once created, generally exist until they're
destroyed, a persistent object may exist across several system startups. Thus, a memory-resident table
can't be used to associate persistent objects with their SIDs, because the contents of memory-resident
tables are lost at system startup. Therefore, associating a persistent object with its security context is
somewhat complicated.
In general, persistent objects are associated with Linux filesystems, which can be used to store their
security contexts. Several Linux filesystem types, including the standard ext2 and ext3 filesystem types,
provide an extended attribute feature that can be enabled during compilation of a Linux kernel. SELinux
uses the extended attribute to store persistent security identifiers (PSIDs) on the filesystem. SELinux
uses memory-resident tables to map PSIDs to SIDs, and thence to security contexts.
Access decisions
Access decisions determine whether a given subject is allowed to perform a given operation on a given
object.
Transition decisions
Transition decisions, also called labeling decisions, determine the types assigned to newly created
objects, particularly processes and files.
This section explains access decisions—the more frequently made and important of the two kinds of
decisions—and the following section explains transition decisions.
Conceptually, each object class has an associated bitmap called an access vector, containing one bit for
each action defined for the class. Figure 2-3 shows a simplified bitmap for the file class. An actual
bitmap for the file class would include each of the more than one dozen actions defined for the file class,
rather than merely the common actions shown in the figure.
As explained earlier in this chapter, the SELinux security server makes access decisions by considering
the security context of the subject and object of the action, the security class of the object, and the
action requested. When the security server has made the access decision, it returns an access vector that
indicates the allowed actions. More precisely, if the security server finds one or more policy rules
matching the request, it returns three related access vectors, as shown in Figure 2-4. In the figure, the
server has granted the subject permission to append to the object or create the object.
Access decisions are one of the two basic kinds of decisions made by the SELinux security server.
Transition decisions—which are sometimes called labeling decisions—are the second.
Since every object has a security context, newly created objects must be labeled with some security
context. A transition decision decides what security context is chosen. Transition decisions come up in
two common contexts:
The new process may run in the same domain as its parent or in another authorized domain. If the
process runs in another domain, a domain transition is said to have occurred.
The new file (or file-like object, such as a directory) may be labeled with the security context of the
directory containing it or with another authorized domain. If the file's security context pertains to a
domain other than that of the directory that contains it, a file-type transition—or, more simply, a type
transition—is said to have occurred.
In SELinux, the terms domain and type are synonymous. The term domain is
more often used in reference to processes, while type is more often used in
reference to passive objects such as files.
Let's first consider process creation. Given permission, a running process—called a parent
process—may invoke the exec syscall, creating a new process—called a child process—by executing a
specified program file. Generally, the child process runs in the same SELinux domain as the parent
process and receives the same SID and security context. However, some programs are defined in the
SELinux policy as entry points to domains. When such a program is executed, the child process is given
a new security context having another domain. The process is said to have transitioned to a new domain.
Processes can also transition to new domains by using the SELinux application
programming interface (API). Programs that need to make special transitions
(for example, the login and SSH daemons) have been modified to use the
special SELinux APIs that accomplish them. In order that they not compromise
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
The preceding sections of this chapter have provided an overview of the functions that underlie SELinux.
This section provides an overview of the architecture of SELinux. SELinux consists of the following
major components:
• Kernel-level code
•
• A security policy
•
• Tools
•
When active, the SELinux kernel code monitors system activity and ensures that requested operations
are authorized under the currently configured SELinux policy, disallowing any operations not expressly
authorized. It also generates system log entries for certain allowed and denied operations, consistent with
policy specifications.
Originally, the SELinux kernel-level code was implemented as a patch to the Linux 2.2 kernel, and later
the Linux 2.4 kernel. More recently, much of the SELinux kernel-level code has been integrated within
the Linux 2.6 kernel. The Linux Security Modules (LSM) feature of Linux 2.6 was expressly designed to
support SELinux and other potential security servers.
The principal SELinux facility omitted from Linux 2.6 concerns the labeling of
network objects and the security decisions pertaining to them. Some Linux
distributors have plans to make the missing SELinux capabilities available as
one or more kernel patches, or otherwise.
Despite the integration of SELinux with the Linux 2.6 kernel, a given operational Linux 2.6 kernel may or
may not support SELinux. Like many kernel features, the level of SELinux support can be configured
when the kernel is built. SELinux can be:
•
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
This chapter presents step-by-step procedures for installing and initially configuring SELinux on several
popular Linux distributions. At the time of writing, only two popular Linux distributions officially support
SELinux: Fedora Core and Gentoo. However, SELinux is also available for Debian GNU/Linux and
SUSE, thanks to the unofficial work of independent software developers. In addition, Red Hat has
announced that Red Hat Enterprise Linux 4 will support SELinux. So those who are looking to install
SELinux can choose from a variety of Linux distributions. You may also be able to download and apply
the SELinux source release to a Linux distribution other than those mentioned. The final section of this
chapter provides an overview of this process.
Every implementation of SELinux is based on one of the official NSA versions. The NSA has published
four major versions of SELinux:
The original version of SELinux, which supported Linux 2.2 and Linux 2.4.
LSM-Based SELinux
A version of SELinux that worked with the Linux Security Modules (LSM) patch to Linux 2.4 and 2.5.
A version of SELinux that also worked with the LSM patch to Linux 2.4, but additionally required the
extended attribute (EA) patch. Apart from differences in kernel support, this version is architecturally
similar to SELinux for Linux 2.6 but is no longer under active development.
The current version of SELinux, which works with standard Linux 2.6 kernels. The Linux 2.6 kernel
natively supports SELinux and therefore does not have to be patched.
The application programming interface of the original and LSM-based versions of SELinux differs from
that of current version. Therefore, although the older versions can still be downloaded from the NSA's
web site, I don't recommend that the older versions—or third-party packages or source code based on
the older versions—be used.
Similarly, although the Linux 2.4 version of SELinux is architecturally similar to the current Linux
2.6-based SELinux release, it is not under active development and therefore lacks useful functions
present in the current release. At the time of writing, implementations of SELinux for Linux distributions
not integrally supporting SELinux tend to be based on SELinux for Linux 2.4 and are therefore
somewhat out of date. Consequently, my own preference and recommendation is that you install one of
the following SELinux implementations:
• Fedora Core 2
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
• As an integral component of a Linux distribution, installed at the same time as the distribution
•
• By using binary or source packages, such as the .deb packages used by Debian GNU/Linux; the
ebuilds used by Gentoo Linux; or the RPM packages used by Fedora Core, Red Hat Enterprise
Linux, and SUSE Linux
•
At the time of writing, only Fedora Core and Gentoo contain SELinux as a fully supported, native
facility. So unless you choose one of those distributions, you must install SELinux yourself. If you install
SELinux yourself, it's generally much more convenient to do so using packages. However, prebuilt
packages are not available for every Linux distribution. Those who are unable or unwilling to use a
distribution for which packages are available must compile the sources provided by the NSA. In many
cases, the sources must be modified in order to work properly with the distinctive characteristics of a
specific Linux distribution.
The following sections explain how to install and initially configure SELinux for several popular Linux
distributions. The final section of this chapter explains how to install SELinux using the source code
provided by the NSA.
Coaxing SELinux into working with X has proven to be somewhat difficult. Recent releases
of SELinux perform much better in this regard than older releases. But they still fall short of
perfection. It's common for SELinux users to find that the login screen doesn't appear or
that they can't log in.
The KDE Desktop has so far proven more resistant to interoperation with SELinux than its
rival desktop, GNOME. The central problem is that various KDE programs run as
identically named processes. Thus, SELinux cannot assign these KDE processes to distinct
domains. One result of this inability is that KDE's temporary files sometimes cannot be
labeled with appropriate domains. Thus, with respect to KDE, SELinux policies tend either
to be too restrictive or too lax. We can hope that a future release of KDE or SELinux will
somehow address this problem. In the meantime, for those using SELinux, GNOME is
generally a better desktop choice than KDE.
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Currently only Fedora Core supports SELinux by providing it as an integral component that is installed
without special effort on the part of the installing user. However, Red Hat has announced that Red Hat
Enterprise Linux 4 (RHEL 4) will support SELinux. The RHEL 4 implementation of SELinux is expected
to closely resemble the one in Fedora Core 2.
Fedora Core is a Linux distribution sponsored—but not supported—by Red Hat that uses the
distribution as a test bed for new technologies being considered for incorporation in Red Hat's
supported distributions, such as Red Hat Enterprise Linux. Fedora Core is freely available at
http://fedora.redhat.com. Unlike Red Hat Enterprise Linux, which contains proprietary components,
Fedora Core is fully redistributable under the terms of the GNU GPL.
Fedora Core 2 presents the most convenient implementation of SELinux available to date. To install
SELinux, you must respond selinux to the boot prompt that appears after booting from the installation
media.[1] During the installation procedure, the Firewalls screen (see Figure 3-1) provides the user with
the opportunity to choose from three levels of SELinux support:
[1] Fedora Core 2 test versions do not require you to use this special boot option.
Disabled
Disables SELinux.
Warn
Enables SELinux to log, but not prevent, attempted violations of the SELinux policy.
Active
The procedure for installing SELinux varies according to the target Linux distribution. However, it
generally includes the following operations:
The operations can be performed in any of a variety of sequences. A few of these operations can be
entirely omitted if precompiled packages are used. And additional operations are generally required, as
explained in the following sections.
Unless you choose a Linux distribution that includes built-in support for SELinux, you'll have to install
and configure SELinux yourself. It's generally easier to do so using binary or source packages than using
the source code tarballs released by the NSA. This section explains how to install and initially configure
SELinux on:
• Debian GNU/Linux
•
• Gentoo Linux
•
In addition, the section gives advice on installing and configuring SELinux to work with Red Hat
Enterprise Linux 3. As explained earlier, the forthcoming Red Hat Enterprise Linux 4 is planned to
integrally support SELinux.
At the time of writing, two releases of Debian GNU/Linux are currently in use, and a third is under
development. The two commonly used releases are:
As the release names indicate, Woody is considered the more reliable release; its component packages
have been subject to more extensive, and more thorough, testing and use than those of Sid. However,
the C compiler and libraries and other components of Woody are too old to work well with SELinux.
Consequently, this section presents an SELinux installation procedure appropriate for Sid.
If you're interested in using SELinux with Woody, you can use special packages created by Brian May,
available at http://www.microcomaustralia.com.au/debian. You can find brief instructions for using them
at http://www.coker.com.au/selinux. Because these packages are subject to change, I don't present
step-by-step instructions for installing and configuring SELinux under Woody. If you plan to install
SELinux under Woody, you can request assistance by posting to the SELinux mailing list, to which you
can subscribe using the web page identified in Chapter 1.
To install SELinux under Sid, perform the following steps. Since I presume you know how to install
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
If you want to install SELinux on a system running a Linux distribution other than one for which SELinux
support is available, you may be able to do so by using the NSA's SELinux release, available at
http://www.nsa.gov/selinux/code. However, the release is not a generic, cross-platform release. Instead,
the current release is designed to work with Fedora Core 2.
• Kernel patch
•
• Modified Linux programs, including SysVinit (modified to load SELinux policy during boot),
PAM, Linux utilities (vipw, chsh, chfn, passwd), OpenSSH, vixie cron, Shadow utilities
(programs that modify /etc/passwd and /etc/shadow), GNU core utilities, procps (modified to
display process context information), and star (backup and recovery utility)
•
• SELinux documentation
To adapt the NSA's release to a new platform generally requires modifications to build files and may
require modifications—potentially significantly difficult modifications—to userland and kernel source
code. Therefore, it's not recommended that those other than skilled programmers attempt to implement
SELinux on an unsupported platform.
At this point we'll assume your SELinux system has been installed and that you are ready to log in. This
chapter lays out the first administrative tasks you need to do and some ongoing administrative tools you'll
want to know about as you continue to add software and users to your system.
As with any multiuser system, you have to create accounts for users and assign them the proper
privileges. In SELinux these tasks are not much more complicated than in other systems, although you'll
have to learn some new commands to carry them out. And in the future, after SELinux has become
widely adopted, the wrinkles have been ironed out, and thoroughly tested policy files are available, these
typical sysadmin tasks may be all that's involved for most people running SELinux.
But unfortunately, we are not yet at that stage of maturity. As explained in earlier chapters, each release
of SELinux on each distribution has its own rough spots. These will be manifested in various
hard-to-diagnose ways, including:
• Applications failing (silently or with obnoxious complaints) because they cannot access files or
other necessary resources
Thus, basic sysadmin tasks for SELinux include checking log files and tracing what has happened to
users and applications. This chapter contains a substantial section to help you understand SELinux
logging and make use of that information to change permissions on users and files.
Furthermore, SELinux has a built-in troubleshooting method known as permissive mode to help you
figure out what changes to make. In permissive mode, SELinux does not actually stop anybody from
doing anything. In other words, you do not actually have a secure SELinux system. (Traditional Unix
security is still operational, though.) You should learn how to switch to and from permissive mode—on a
non-production system in a safe environment, of course—in order to find out what changes you need to
make in order to let users and applications run on your system.
When you make changes to your system, you may have to rebuild the policy files SELinux uses to
control access or relabel files. Sometimes you can install software seamlessly, and SELinux automatically
does the right thing. But in other cases, the policies or labels become out of sync with the system.
•
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
As mentioned, SELinux provides a special mode called permissive mode that's useful for policy
troubleshooting and system maintenance. SELinux's other operating mode is called enforcing mode
(sometimes called enforcement mode). Enforcing mode is the normal mode of SELinux operation. Under
enforcing mode, operations that violate the SELinux security policy are prevented. Generally, when an
operation is prevented, an entry is also written to the system log so that a system administrator can learn
what operations have been prevented and why. Some operations may be prevented due to an incorrect
or incomplete SELinux security policy, whereas others may be prevented due to an attempted system
compromise. The system log provides administrators with data useful in determining the reason
operations were prevented so that appropriate action can be taken. The section of this chapter titled
"Monitoring SELinux" explains the format of the log entries made by SELinux.
Permissive mode is available only if your system's kernel was compiled with the option NSA SELinux
Development support. Generally, Linux vendors compile their standard kernels with this option.
However, if you compiled your own kernel, you may have omitted the option, in which case permissive
mode won't be available.
If you're especially concerned about the security of your system, you may prefer to compile a kernel
without the NSA SELinux Development support option. Doing so ensures that the system always
operates in enforcing mode. However if you do so, you may find it cumbersome to administer the
system. For instance, you may install a new software package and find that the associated policy file isn't
quite accurate or complete, causing the application to operate imperfectly. Without the ability to enter
permissive mode, it may be difficult to troubleshoot and correct the problems with the policy file.
Permissive mode is used when configuring, testing, and troubleshooting SELinux and the SELinux
security policy. Under permissive mode, SELinux permits all operations, even those that violate the
SELinux security policy. Nevertheless, SELinux writes log entries that would have been written had the
system been in enforcing mode. Permissive mode enables a system administrator to observe the effects
of experimental SELinux security policies without affecting the operation of the system. SELinux includes
a special utility, Audit2allow, that can recommend SELinux policy changes based on log entries; the
section of this chapter titled "Monitoring SELinux" explains this utility and how to use it to revise the
SELinux security policy.
• Labeling files
If your Linux kernel was compiled with the NSA SELinux Development support option, you can specify
the SELinux operating mode that should be entered when your SELinux system is booted. And, unless
the SELinux security policy specifies otherwise, you can dynamically change the operating mode of a
running SELinux system. Additionally, if your Linux kernel was compiled with the NSA SELinux boot
parameter option, you can entirely disable SELinux via a boot parameter. The following subsections
explain how to do so.
The initial operating mode of an SELinux system can be set via the boot parameter enforcing. To boot
the system into enforcing mode, assign this boot parameter the value 1; to boot the system into
permissive mode, assign this boot parameter the value 0.
If you use GRUB to boot your system and want the system to automatically boot into enforcing mode,
you might specify a kernel directive such as the following in your GRUB configuration file (generally,
/boot/grub/grub.conf):
kernel /vmlinuz-2.6.4-1.305 ro root=LABEL=/ enforcing=1
If you use LILO to boot your system and want the system to automatically enter permissive mode after
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
SELinux is largely transparent to ordinary system users and presents system administrators with few
complications. This section describes the handful of issues that users and administrators need to be
aware of when using and administering an SELinux system. The issues fall into the following broad
categories:
• Entering a role
•
• Tuning SELinux
Recall that, as explained in Chapter 2, SELinux users have one or more associated roles and, at any
time, are bound to exactly one of these. Users are initially bound to a role at login time. Thereafter, a
user can issue a special command to replace this binding with a binding to any role for which the user is
authorized. System administrators may use this command to transition back and forth between the staff_r
and sysadm_r roles. Otherwise, role transitions are relatively rare.
staff_r
sysadm_r
system_r
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
SELinux writes log entries that enable system administrators to monitor its operation. The following
subsections explain the format of SELinux log messages, some logging subtleties, and how to use the
Audit2allow utility to automatically generate rules to allow operations logged as denied.
When a program attempts an operation that is checked by the SELinux security engine, SELinux may
make a log entry. As more fully explained in Chapter 2, operations that are denied generally cause a log
entry to be made, whereas permitted operations generally do not. However, SELinux policy rules can
override this principle.
Apart from the timestamp and other information that accompanies every system log message, SELinux
log messages have the following general format:
avc: result { operation } for pid= pid exe= exe path= opath dev= devno :ptno ino=
node scontext= source tcontext= target tclass= class
A given SELinux log message may omit one or more of the attribute-value pairs
given in the general format. Log messages include only the applicable
attribute-value pairs.
The variable fields within the log message have the following meanings:
result
The value granted or denied, indicating whether SELinux permitted or prohibited the operation.
operation
The operation that was attempted, such as read or write. SELinux defines about 150 operations.
Appendix B summarizes the SELinux operations that can appear in log messages.
pid
exe
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
SELinux is generally stable and free of trouble. But sometimes, particularly during the initial period when
a system administrator is unfamiliar with SELinux, problems crop up. The following five subsections
provide troubleshooting tips that address the most common problems encountered. These problems are
classified into the following five categories:
• Boot problems
•
• Daemon problems
•
• X problems
It's relatively common to misconfigure or otherwise break an SELinux system in a way that prevents it
from booting. If you find that you've done so, try to boot into permissive mode (enforcing=0) or with
SELinux disabled (selinux=0). If your kernel does not support these options, boot the system using a
non-SELinux kernel, such as one residing on rescue media. Generally, you can then troubleshoot and
repair the problem.
Another relatively common problem is inability to log into the system. A likely cause is that the user's
home directory is not labeled or is labeled with an incorrect security context. You can fix this problem by
using the fixfiles utility:
fixfiles restore
Alternatively, if you're confident that only one user's home directory is badly labeled, you can fix the
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Chapter 2 examined the SELinux security model from a bird's-eye perspective. The purpose of that
chapter was to acquaint you with SELinux just enough to enable you to understand the procedure for
installing and initially configuring SELinux. In the long run, you're likely to need to know significantly
more about the SELinux security model. So this chapter picks up where Chapter 2 left off, explaining the
SELinux security model and SELinux policies in greater detail and laying the groundwork for the
following chapters, which explain the SELinux policy language in detail.
For convenience, this chapter recapitulates some of the key concepts and terms
introduced in Chapter 2. However, I assume that you're generally familiar with
and able to recall the material from that chapter. If you find this chapter difficult
to follow, I suggest that you revisit Chapter 2 and then return to this chapter. I
anticipate that you'll find this chapter much clearer when the material from
Chapter 2 is fresh in your mind.
General systems theory arose in the middle of the last century, as systems analysts discovered that
systems of a variety of types share common characteristics. One such characteristic is that systems can
often be understood at any of several levels, sometimes referred to as levels of abstraction. For example,
scientists tell us that interactions among atoms and molecules are governed by the quantum mechanical
properties of elementary particles. But much of chemistry can be understood without reference to these
fundamental structures. Indeed, chemistry arose and prospered as a discipline before the discovery of
quantum mechanics and elementary particles.
To understand SELinux, it's important that its internal mechanisms—such as access vectors—be
understood, because these govern the security decisions SELinux makes. Yet because SELinux is highly
configurable, the runtime behavior of an SELinux system can be viewed as effectively determined by the
system's SELinux policy, which operates at a higher level of abstraction than low-level mechanisms such
as access vectors.
The high flexibility of SELinux is due to the configurability of its policy. Hence the SELinux policy of any
given system—though likely to be more or less based on the SELinux sample policy distributed with the
NSA's SELinux release—is unlikely to exactly match the sample policy. Moreover, the SELinux sample
policy is itself a living document. At the time of writing, work is underway to polish the SELinux
implementation to be released as part of Fedora Core 2, and the policy is being updated regularly, even
daily.
The configurability of policy and the high frequency of policy change complicate explication of the policy
in two ways. First, they raise the question: what version of the policy is being explained? And second,
they imply that any explanation is likely to be quickly outdated.
Fortunately, this analysis overstates the degree of difficulty. Over an extended period of time, the main
features of the SELinux sample policy have remained relatively constant. And, as mentioned, most actual
SELinux policies are based on the NSA's sample policy. So although policies vary and are subject to
change, they remain more alike than different.
In this chapter, I explain a generic SELinux policy based on the SELinux policy associated with Fedora
Core 2. The policy is hypothetical in the sense that it's not identical to any actual policy at any actual
time. But that's not to say that it's irrelevant or even artificial. Instead, it's intended to be representative of
a cross-section of actual SELinux policies and therefore serve as a baseline for understanding other,
more highly customized or developed policies. You'll find the generic SELinux policy described in this
chapter a useful point of reference in understanding the behavior of typical SELinux systems. However,
please bear in mind that the policy of your own SELinux system is unlikely to match precisely the one
described in this chapter.
If you're familiar with a programming language, such as C, you'll find that working with an SELinux
policy resembles working with a program. Programs generally have two forms: a source form and an
object form. Programmers work with the source form of a program, which resides in one or more
ordinary text files. These files can be created and changed using a text editor or interactive development
environment (IDE). However, you can't load and run the source form of a program. Instead, you must
use a compiler to translate the source form into object form. The file that contains the object form of a
program is a binary file that cannot be viewed or changed using a text editor. Figure 5-1 shows the
process that transforms a program from source to object form.
Figure 5-2 shows the process that transforms an SELinux policy from source to binary (object) form.
The checkpolicy command is analogous to the compiler that converts a program from source to object
form. Sometimes, therefore, the checkpolicy command is referred to as the SELinux policy compiler.
Unlike a typical compiler used to translate computer programs, the checkpolicy command can take input
from only one source file. So, all SELinux policy source files are concatenated and written to the
policy.conf file. The checkpolicy command reads the policy.conf file and writes a policy.?? file
containing a binary policy. The replaceable part of the binary policy filename indicates the version
number of the SELinux policy language that was used to create the binary policy. For instance, a binary
policy having filename policy.17 would relate to Version 17 of the SELinux policy language.
The binary form of an SELinux policy can be loaded into a running Linux kernel by issuing a load_policy
command specifying the binary policy filename as an argument. However, as explained in Chapter 4, the
system administrator generally uses the SELinux Makefile to load a policy. The make install, make load,
and make reload commands cause the SELinux Makefile to issue the load_policy command.
Let's switch our view of the SELinux policy from wide-angle to close-up and examine a simple
component of an SELinux policy, to better understand how an SELinux policy operates. Recall that the
SELinux type enforcement mechanism is based on domains. At any given time, a running process is
associated with a domain that determines its permissions. The SELinux policy statements that establish a
domain are generally grouped as two files:
FC file
The file context (FC) file, which has the filename extension .fc, resides in the file_contexts/program
subdirectory of the policy source directory. The file specifies the security contexts of directories and files
associated with the domain.
TE file
The type enforcement (TE) file, which has the filename extension .te, resides in the domains/program
subdirectory of the policy source directory. The file specifies the access vector rules and transitions
associated with the domain.
An SELinux policy contains many files other than FC and TE files. However, most of the work you do
with an SELinux policy will involve the FC and TE files. Because FC and TE files are central to
SELinux, understanding the function of these files takes you a long way toward understanding SELinux
policies. So in this section, we'll overview the FC and TE files. The following chapters will explain more
fully the FC and TE files as well as the other files that comprise an SELinux policy.
The FC and TE files that establish a domain generally carry the name of the principal program associated
with the domain. For instance, the files associated with the domain that regulates the behavior of the
Snort intrusion detection application are named snort.fc and snort.te. Let's begin by examining the
snort.fc file.
The snort.fc file specifies security contexts for directories and files related to Snort:
# SNORT
/usr/sbin/snort -- system_u:object_r:snort_exec_t
/usr/local/bin/snort -- system_u:object_r:snort_exec_t
/etc/snort(/.*)? system_u:object_r:snort_etc_t
/var/log/snort(/.*)? system_u:object_r:snort_log_t
The first line in the file is a comment, as indicated by the hash mark (#) appearing in the first column. The
remaining four lines have a simple structure consisting of three columns:
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Now that we've completed our close-up view of an SELinux policy component, let's return to a
wide-angle view. This section explains the conventions observed by SELinux policy developers in
choosing where to place policy statements of various types. The explanation is organized around the
structure of the SELinux source directory tree, which is typically /etc/security/selinux/src/policy. In
good computer science fashion, we'll first visit the leaf nodes (that is, the subdirectories of the tree) and
ultimately visit the root node (that is, the policy directory itself). However, we'll depart from computer
science conventions in one key respect: rather than visit the nodes in lexicographic (alphabetical) order,
we'll visit them in an order in which several nodes having fundamental content are visited first, to facilitate
the exposition.
The flask directory, as implied by being the first subdirectory visited in our traversal of the policy source
directory tree, is the most fundamental of the subdirectories. It contains three important files:
• initial_sids
•
• security_classes
•
• access_vectors
Like other policy source files, these files are read and processed during policy compilation. In addition,
these files are used to generate C header files that are used during compilation of an SELinux-capable
Linux kernel. In that context, the files specify symbol definitions for access vectors (that is, permissions),
initial SIDs, and security classes. Because of their relationship to the kernel, changes to the contents of
these files may require recompilation of the kernel. Therefore, in comparison to other policy source files,
these files are relatively static.
Although several policy source files are used in the compilation of the kernel,
you don't need to have SELinux policy sources available during kernel
compilation. The kernel sources include copies of the necessary SELinux policy
source files.
The following subsections explain the purpose and contents of these files. The most interesting of the files
is the access_vectors file, which is explained in the last of the three subsections.
Up to this point in the book, we've looked at the functions SELinux provides and the configuration files
that direct its operation. However, we've merely glanced at the SELinux policy language that's used to
specify the SELinux security policy. Our situation is akin to that of a 15th or 16th century explorer who
has studied maps of the New World and dreamed of the exotic sights that may be found there but has
not yet ventured to sea. In this chapter, we at last embark upon our sea voyage.
In this chapter and the following two chapters, you'll find a detailed explanation of the SELinux policy
language and several related languages, such as those used to specify file and security contexts. This
chapter explains the SELinux role-based access control policies, Chapter 7 explains the SELinux
type-enforcement policies, and Chapter 8 explains other elements of the SELinux policy. Of course,
most likely your goal is not merely to understand the SELinux policy language or SELinux security
policies themselves, though such skills are useful to the SELinux system administrator. Instead, it's more
likely that you want to be able to specify new and modified SELinux security policies. If that is your goal,
Chapter 6 through Chapter 8 won't quite take you to the end of your voyage, though you'll make landfall
near the end of Chapter 8. Then you'll be ready for Chapter 9, which explains how you can customize
existing SELinux policies and implement your own policies.
As explained in previous chapters, the SELinux security model is based primarily on a mechanism called
type enforcement (TE). Type enforcement assigns processes to domains and restricts the operations
each domain is permitted to perform. The SELinux policy, which can be customized by a system
administrator, specifies the available domains and the operations that processes within them are
authorized to perform. Chapter 7 explains the SELinux type-enforcement model in detail.
SELinux also includes a second security model, called role-based access control (RBAC). Role-based
access control works alongside type enforcement: intended operations are prohibited unless they're
explicitly authorized by both type enforcement and role-based access control. Of course, intended
operations must also satisfy any requirements imposed by ordinary Linux discretionary access control
mechanisms, such as file permissions.
Role-based access control works fairly simply and has three parts. First, each user is authorized for a set
of roles. A user cannot enter a role other than one for which the user is authorized. Second, transitions
between roles are authorized. A process can transition to a new role only if transitions between its
current role and the new role are authorized. Finally, each role is authorized for a set of domains. Any
attempt to enter a nonauthorized role or domain is prohibited by the SELinux security engine. Let's
consider some concrete examples.
Users are assigned roles by the user statement. For instance, the following statement assigns the roles
staff_r and sysadm_r to the user bill, permitting the user to enter either role:
user bill roles { staff_r sysadm_r };
Transitions between roles are governed by allow statements. For instance, the following allow statement
authorizes processes running in the staff_r role to transition to the sysadm_r role:
allow staff_r sysadm_r;
Roles are authorized to enter domains by the role statement. For instance, the following statement
authorizes the role sysadm_r to enter the ifconfig_t domain:
role sysadm_r types ifconfig_t;
A domain can include multiple role statements, each authorizing one or more roles to enter the domain.
Unless a role statement authorizes a particular role to enter a domain, processes running in that role
cannot enter the domain.
Both type enforcement and role-based access control work by inspecting security contexts. Recall that
SELinux assigns a security context to each process, as well as to each instance of other objects, such as
files. A security context includes three elements:
• A user
•
• A role
•
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
In the film Planes, Trains, and Automobiles, characters played by Steve Martin and John Candy are
faced with one improbable obstacle after another as they struggle to arrive home in time for the
Thanksgiving holiday. Having compared this chapter with a sea voyage, it's reminiscent of that film to
consider yet another mode of transportation, railways, as a means of understanding the SELinux policy
language.
However, unlike many of the decisions of the film characters, my decision to introduce railroad diagrams
is not capricious. Such diagrams were used in the 1970s by famous computer scientist Niklaus Wirth to
develop and explain Pascal, one of the most successful programming languages. Since then, they've been
used to explain many other programming languages. Although they can be cumbersome to create, they're
quick to learn as well as easy to read and understand, so they're just about ideal as a means of
explanation. Let's further mix our metaphors by diving into an exposition of railroad diagrams.
Railroad diagrams are also known as syntax diagrams or syntax charts. They present the grammar of a
formal language, such as one used for programming. However, formal languages also underlie the files
used to configure systems and applications, such as the files that specify the SELinux security policy, so
these diagrams are well suited to our immediate purpose.
Literal
A literal is a symbol that consists of one or more specific characters. Literals are generally punctuation
marks, operators, or keywords of some sort.
Replaceable text
These definitions will become clearer in the context of several small examples given in the following
section.
Figure 6-1 shows a railroad diagram that defines a literal representing the letter "a."
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
The railroad diagram in Figure 6-9 represents an overview of the syntax of an SELinux policy.
As the figure shows, an SELinux policy consists of 11 elements, several of which are optional:
classes
initial_sids
access_vectors
mls
te_rbac
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
User declarations associate roles with SELinux users. A user cannot enter a role unless the role has been
associated with the user's current identity.
In the Fedora Core 2 implementation of SELinux, the src/policy/users file includes M4 macros that can
differently define the roles associated with the user_u and root users. If the user_canbe_sysadm symbol
is defined, the user_u user is instead defined as:
user user_u roles { user_r sysadm_r system_r };
And, if the direct_sysadm_daemon symbol is defined, the root user is instead defined as:
user root roles { staff_r system_r };
Both the user_canbe_sysadm and direct_sysadm_daemon symbols are defined in the tunable.te file.
They can be undefined by prefixing the appropriate lines with dnl, the M4 comment token.
If your system includes one or more user accounts other than root, you should update the users file so
that it associates each user account with either the role user_r (for ordinary users) or staff_r (for user
who administer the system). For instance, you might add declarations such as these:
user ordinary roles user_r;
role_type_def
role_dominance
roletrans_def
role_allow_def
A role type declaration specifies the set of domains for which a role is authorized. They have the form
shown in Figure 6-16. The symbol identifier specifies the role and the symbol names specifies the
authorized domain or domains.
The preceding chapter explained role-based access control in SELinux. Role-based access control is a
secondary access control model that supplements the primary SELinux access control model, type
enforcement. This chapter explains the syntax and meaning of SELinux policy declarations related to
type enforcement. The chapter concludes with an analysis of a small but typical domain policy: the
Fedora Core 2 policy for the ping domain, which resides in the file ping.te.
As explained in Chapter 2, the SELinux type-enforcement model associates each process with a domain
and each nonprocess object with a type.[1] Permissions define the operations that can be performed
upon objects. Thus, you can think of a domain as a set of related processes that share the same
permissions. For instance, the Apache web server process runs within the httpd_t domain and therefore
possesses the permissions associated with that domain. The SELinux policy grants permissions to
domains and specifies rules for transitioning between domains.
[1] Recall that, in the context of SELinux, the words domain and type are synonymous; however, it's
customary to use domain in reference to processes and type in reference to nonprocess objects.
Permissions are encoded as access vectors, which specify the operations that a domain is authorized to
perform on objects of a given type, such as files. Thus, you can think of an object's type as implicitly
referring to the set of rules—that is, the access vector—that specify the permissible operations on the
object. For instance, access vector rules enable processes within the httpd_t domain to write to the web
server log files.
Under Linux, processes fork new processes when they execute programs. The new process is called a
child process and the process that forked the child process is called a parent process. The child process
may run within the same domain as the parent. Alternatively, the SELinux policy may specify a new
domain to enter when the process is forked. Programs that can enter new domains upon execution are
called domain entry points. For instance, the init run-control processes are associated with the initrc_t
domain. However, when the init process starts the web server process, the web server process does not
run in this domain. Instead, the web server process automatically transitions to the httpd_t domain, as
specified by the SELinux policy.
As explained in Chapter 6, an SELinux policy consists of 11 elements, several of which are optional:
classes
initial_sids
access_vectors
mls
te_rbac
users
constraints
initial_sid_contexts
attribute_def
Attribute declarations
type_def
Type declarations
typealias_def
bool_def
Boolean declarations
transition_def
Transition declarations
te_avtab_def
cond_stmt_def
The SELinux policy language requires that all type names be explicitly defined. In the simplest possible
form, a type declaration merely defines a name as a type. For instance, the type declaration:
type ping_t;
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Seeing the syntax of individual policy declarations is not the same as seeing how they work together to
establish a useful policy. In this section, we'll look at the policy that governs the ping_t domain, and the
related domain ping_exec_t, as implemented in Fedora Core 2. Like most policies, this policy resides in
two files:
file_contexts/program/ping.fc
domains/program/ping.te
/bin/ping.* -- system_u:object_r:ping_exec_t
/usr/sbin/hping2 -- system_u:object_r:ping_exec_t
When the filesystems are labeled, these specifications cause ordinary files matching the first regular
expression /bin/ping.* to be labeled with the security context system_u:object_r:ping_exec_t. Ordinary
files matching the second regular expression /usr/sbin/hping2 are also labeled with that security context.
The ping.te file is considerably longer than the ping.fc file, so we'll analyze it a few lines at a time. The
first several lines are merely comments:
#DESC Ping - Send ICMP messages to network hosts
#################################
The most important SELinux policy statement types—role-based access control and type enforcement
statements—were explained in the two preceding chapters. However, a typical SELinux policy contains
several other statement types that the administrator of an SELinux system may want to understand. This
chapter explains these statement types, including constraint declarations, context-related declarations,
and Flask-related declarations. Most administrators will seldom need to refer to the material in this
chapter, since these statement types are primarily important to SELinux developers rather than SELinux
system administrators. However, occasionally a policy modification will fail because it violates a policy
constraint. At these times, an understanding of policy constraint declarations is helpful.
SELinux policy constraint declarations superficially resemble the constraints implemented via neverallow
rules. However, they support a richer language for specifying constraints and, at the same time, have a
narrower purpose: constraint declarations restrict the permissions that can be granted by an
access-vector rule.
Figures Figure 8-1 through Figure 8-5 show the statement syntax, which is relatively complex.
Fortunately, it's unusual for a system administrator to need to modify the constraint declarations supplied
by a sample SELinux policy.
The SELinux policy language includes several declaration types that establish contexts for various
objects:
• Network-related objects
Some filesystems, such as ext2 and ext3, provide space in which SELinux can store persistent file labels.
However, some filesystems do not have this capability. So that even uncooperative filesystems can be
used with SELinux, SELinux lets you specify static labels that are applied to files within such filesystems.
Figure 8-6 shows the syntax of initial SID context declarations, which are used to specify the security
context of objects having initial SIDs.
The example SELinux policy typically includes a bit more than two dozen initial SID declarations. A
typical declaration is:
sid kernel system_u:system_r:kernel_t
This declaration assigns the security context system_u:system_r:kernel_t to the kernel object. In general,
it's not possible to change or add an initial SID declaration without making corresponding changes to
SELinux itself, so changes and additions are generally made only by SELinux developers rather than
system administrators.
The flask directory contains several files that are part of the SELinux policy:
security_classes
initial_sids
access_vectors
The following subsections explain the syntax of declarations residing in these files. Generally, only
SELinux developers should change these declarations. However, administrators may find it helpful to
understand these files and the declarations they contain.
The flask/security_classes file specifies the security classes handled by SELinux. Entries in the file have
the syntax shown in Figure 8-10. A class declaration contains only the keyword class and an identifier
giving the class name.
The example policy defines between two and three dozen classes. Here is a typical class declaration:
class security
The flask/initial_sids file specifies the symbols corresponding to initial SIDs. Entries in the file have the
syntax shown in Figure 8-11, consisting of the keyword sid and an identifier naming the SID.
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Chapter 8 explained the syntax and operation of the statements that make up the SELinux policy
language. This chapter explains how to customize SELinux policies. It begins by reviewing the structure
of the SELinux policy source tree and the Makefile that's used to compile, build, and load an SELinux
policy. The chapter then explains several typical policy customizations of the sort you're most likely to
perform. Most often, you'll use customizations recommended by the Audit2allow program. However,
you'll need to carefully review such recommendations rather than blindly implement them. Otherwise,
you may extend an unnecessarily broad set of permissions, thereby compromising system security. The
chapter concludes with descriptions of some policy management tools, along with hints and procedures
for using them.
Chapter 5 explained the structure of the SELinux policy source tree. The source tree typically resides in
the directory /etc/security/selinux/src/policy; however, your SELinux distribution may place it
elsewhere. Table 9-1 recaps the structure of the policy source tree. You'll likely find it convenient to
refer to this table as you read this chapter; it will help you locate the file that contains a particular type of
declaration, the file to which you should add a particular type of declaration, or the directory in which
you should create the file to hold a particular type of declaration. In other words, it's your roadmap to
the policy source tree.
Directory/file Description
The SELinux source policy is a sophisticated software system. It includes dozens of object classes,
scores of defined permissions, more than 1,000 type transitions, thousands of object instances, and tens
of thousands of access-vector rules. You can think of the source policy as a computer program and the
security engine as a CPU that executes the translated binary form of this program. So customizing the
SELinux policy is akin to performing software maintenance on a program consisting of tens of thousands
of noncomment source lines.
After you modify a policy source file, you must recompile the policy sources and load the translated
binary policy into the kernel. These and other common administrative functions are performed by using
the SELinux Makefile, which typically resides in /etc/security/selinux/src/policy. Chapter 4 introduced
the SELinux Makefile. Table 9-2 recaps the six operations the Makefile provides.
Operation Description
To perform an operation using the Makefile, move to the directory containing it. Then, issue the
command:
make operation
where operation is one of the six operations described in Table 9-2. For example, to compile, create,
and load a new binary policy, issue the command:
make load
root
system_u
user_u
Unless your system has many users, you should generally create a specific SELinux user identity for each
human user who will log in and use your SELinux system. To do so, modify the file users in the policy
source directory.
It's important to add an SELinux user identity for each user who administers the system; otherwise, the
user will be unable to transition to the sysadm_r role. To specify a user as a system administrator, add a
declaration having the following form:
user wheel roles staff_r sysadm_r;
where wheel is the name of the user account. For example, to declare the user bill as an administrative
user, add the following declaration:
user bill role staff_r sysadm_r;
The Fedora Core implementation of SELinux provides a feature that enables a system administrator to
launch daemons without using the run_init program. As a result, user declarations under Fedora Core
are slightly different, taking the form:
user wheel roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r')
};
The direct_sysadm_daemon M4 macro, which implements the feature, can be enabled or disabled by
tweaking the file tunable.te. The feature is enabled by default. If the feature is enabled, the expanded
macro gives the declaration the following form:
user wheel roles {staff_r sysadm_r system_r};
which associates the user with the role system_r, as well as the two roles staff_r and sysadm_r.
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
The SELinux RBAC associates roles with users and domains. A given user is authorized only for specific
roles, and a given role is authorized only for specific domains. Thus, a user cannot enter a domain unless
the user is associated with a role authorized for the domain.
staff_r
sysadm_r
system_r
user_r
Used by ordinary users, who are not authorized to transition to the sysadm_r role
The fact that many system processes and objects share the system_r role does
not mean that SELinux violates the principle of least privilege. Processes and
objects generally have discrete types that determine the operations that they
can perform and that can be performed on them. As commonly used, roles
don't authorize operations; instead they limit the types available to a process or
object.
These roles are defined, and associated with users, by the user declarations appearing in the users file.
cyrus_r
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
At this point in the development of SELinux, it's common for policies to contain small bugs that cause
operations to fail when applications or programs are used in unusual ways unanticipated by policy
developers. As an SELinux administrator, one of the most frequent SELinux policy customizations you're
likely to perform is adding permissions to coax the security engine into accepting an operation. Let's
consider an actual situation based on Fedora Core 2's SELinux implementation and see how it's
resolved. The procedure we'll follow isn't the only procedure or best procedure. Creating new policies
typically entails a generous dollop of troubleshooting, which tends to be relatively unstructured. So rather
than see our procedure as the universal norm, you should see it as merely an illustrative example.
Though unfamiliar to many, the Nmap program is a popular tool among those concerned with security
that provides many useful functions. For instance, using Nmap, you can determine the ports on which a
network host is listening and what service is running on each open port.
Suppose you install and run Nmap and obtain the following error message:
# nmap -sT 127.0.0.1
It seems that Nmap is unable to read the nmap-services file. Checking the system log, you find that
SELinux recently logged eight denial messages:
avc: denied { read } for pid=8682 exe=/usr/bin/nmap name=urandom dev=dm-0
ino=306563 scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:urandom_
device_t tclass=chr_file
ino=301298 scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:random_
device_t tclass=chr_file
ino=306563 scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:urandom_
device_t tclass=chr_file
ino=301298 scontext=root:sysadm_r:traceroute_t
tcontext=system_u:object_r:random_
device_t tclass=chr_file
Let's continue the case study from the preceding section by observing that users other than the system
administrator can't use Nmap:
# id -Z
root:staff_r:staff_t
The message tells us that the staff_r role is not authorized to create a raw IP socket. We could authorize
the domain to do so. But this naive approach would likely confer excessive permissions. Indeed, it's
debatable whether we should allow staff_r access to Nmap at all. But let's presume that we do want to
authorize access to Nmap without generally authorizing creation of raw IP sockets.
Unless you have a good reason, I don't recommend that you authorize staff_r
users to access Nmap. Limiting the permissions available to staff_r users is
consistent with the principle of least privilege. If you do choose to authorize
Nmap access, carefully consider whether to do so by using the approach
explained here, which authorizes access to the entire traceroute_t domain,
rather than only the Nmap program. The following section shows a more
focused alternative approach.
Apparently, the problem is that staff_r is not authorized to enter the traceroute_t domain. Inspecting the
traceroute.te file, we find the following two role declarations:
role sysadm_r types traceroute_t;
To give effect to the change, load the revised policy. Then, retry Nmap:
# make load
In general, it's unwise to create overly large domains, especially domains that include unrelated
programs. The traceroute_t domain considered in the preceding sections is perhaps such an overweight
domain, since it relates to both the traceroute and Nmap programs. These programs perform a few
somewhat similar operations, but they're not closely related. Because they're part of a single domain, a
vulnerability in either program could enable an intruder to gain control of the entire domain. Let's
presume that we prefer to avoid that fate and see what's required to create a domain specific to the
Nmap program.
To do so, we'll follow a procedure that also works in most similar cases:
1.
3. Decide what security contexts are appropriate for the new domain.
4.
5. Create a basic FC file that specifies proper labels for files related to the domain.
6.
As the procedure directs, let's start by finding out what files are related to Nmap:
# rpm -ql nmap
/usr/bin/nmap
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Most implementations of SELinux include Audit2allow, a tool that can help you create or customize a
domain. Some fledgling SELinux administrators use Audit2allow indiscriminately, rendering their system
less secure. One technical reviewer of this book terms Audit2allow "evil," not so much because of
problems with the tool itself as because of the way it's often misused. In this section, I'll explain how to
use Audit2allow more carefully, so that you can avoid this pitfall.
Audit2allow is a Perl script that processes recent AVC messages. It analyzes the messages it finds and
prints allow rules that—if added to the current policy—would authorize the denied operations. Hence,
you can go badly wrong by blindly accepting its recommendations. For instance, perhaps someone has
attempted a prohibited operation. Adding the rules generated by Audit2allow will authorize the
prohibited operation, but may also compromise system security. Another more subtle source of
problems is that Audit2allow takes the current type architecture and file labels as given. Often it's
appropriate—or even necessary—to create a new domain that encapsulates a program or operation, as
I did in the preceding section. But Audit2allow provides no help in doing so.
Audit2allow is less than perfect in other ways. For instance, it is sometimes blind to prohibited
operations. This can occur if the operation is covered by a dontaudit rule. It can also occur if AVC
message caching has caused one or more messages to be suppressed.
A related weakness of Audit2allow is that it's not aware of the M4 macros used in implementing
policies. So rules recommended by Audit2allow tend to be quite wordy and can result in cluttered policy
files that are hard to understand.
However, despite its weaknesses, Audit2allow is a very useful tool when properly used.
-d
Read input from the dmesg command, rather than a log file.
-v
-l
Ignore input preceding the most recent loading of the SELinux policy.
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Tresys Technology, a network services company, has published a set of open source GUI tools for
SELinux policy management. Most releases of SELinux include at least one of the Tresys tools, which
are:
Apol
Seaudit
Sepcut
Seuserx
The following subsections briefly describe these tools. My intention is not to show you how to use the
tools but to help you understand what they do, so that you can decide when to use them and which tool
to use. Because the tools are regularly improved, I advise you to refer to the tools' help files for
information on operating them. If your SELinux release does not include the Tresys tools, you can obtain
them at http://www.tresys.com/.
9.10.1 Apol
The Apol tool enables you to analyze an SELinux policy. It does not work with the component files that
compose the policy, but only with policy.conf. So you should compile the SELinux policy before using
Apol. You can do so by issuing the command:
make load
from within the SELinux src/policy directory. Figure 9-1 shows Apol's main window after using its File
menu to open the policy.conf file.
Having completed this chapter, you know quite a bit about SELinux and typical SELinux policies. If
you're content to run only relatively popular applications and prefer to rely on others for assistance in
troubleshooting and fixing the occasional problems that you're likely to run into when using SELinux,
you'll know pretty much all you need to know.
But typical Linux users are seldom so complacent. Those that desire even greater control over their
computing affairs have merely begun to learn what they need to know about SELinux. This book has
covered the fundamentals. But the SELinux policy is a sophisticated software unit whose mastery
demands significant study and experimentation. Moreover, SELinux is still a relatively new software
product and is constantly undergoing change. So in working with SELinux, you should anticipate that
you will encounter many interesting puzzles and challenges. If you resemble the typical Linux user, you'll
enjoy tackling and overcoming these. You should also anticipate that your growing SELinux expertise
will enable you to better secure your systems and applications, which should help you—and your
management—sleep more soundly.
SELinux and the SELinux sample policy are powerful tools for securing systems. But like other security
tools, their proper installation and ongoing use demand significant expertise. From this book, you can
learn how SELinux works and the syntax and semantics of the SELinux policy language. But mastery of
SELinux demands thorough understanding of the policy domains associated with principal programs and
applications installed on your systems. And since SELinux and its policies are regularly updated and
improved, understanding arises only from an ongoing process of study and learning.
Here are some tips for developing a progressively greater understanding of SELinux:
• Maintain at least one system dedicated for testing new and revised SELinux policies and releases.
•
• Begin a study of the TE files associated with important programs and applications.
•
May all your policies build correctly the first time and authorize neither too few nor too many
permissions!
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
Table 2-1 has been reproduced here as Table A-1 for convenient reference. Table A-1 summarizes the
object classes defined by the current release of SELinux. The table is organized by object class within
object class type. SELinux developers may change the roster of object classes in future releases of
SELinux.
Class Description
File classes
dir Directory
fd File descriptor
file File
Table B-1 summarizes SELinux operations, identifying their related object classes and giving an
approximate description of them. In future SELinux releases, SELinux developers may change the roster
of operations, associate operations with object classes differently, or modify the function performed by
an operation. The table is sorted alphabetically by the name of the operation. The SELinux file
src/policy/flask/access_vectors shows the relationship between object classes and operations and is
sorted by object class.
key_socket, netlink_socket,
packet_socket, raw_ipsocket,
socket, tcp_socket,
accept Accept a connection.
udp_socket,
unix_dgram_socket,
unix_stream_socket
Table C-1 describes principal macros defined in the src/policy/macros subdirectory. The macros
included in the table are those present in the Fedora Core 2 implementation of SELinux. Other
implementations may define different macros or alter the operation of macros appearing in the table.
Macro Description
This appendix includes several tables describing SELinux general types: types that tend to be referenced
by multiple domains. The types shown in Tables 1 through 5 are those present in the Fedora Core 2
implementation of SELinux. SELinux developers may introduce new types or delete existing types in
other SELinux releases.
Type Description
device_t Device
Table E-1 summarizes the SELinux type attributes appearing in the Fedora Core 2 implementation of
SELinux. Other implementations may define different type attributes or assign different meaning to
attributes shown in the table.
Colophon
Our look is the result of reader comments, our own experimentation, and feedback from distribution
channels. Distinctive covers complement our distinctive approach to technical topics, breathing
personality and life into potentially dry subjects.
The image on the cover of SELinux: NSA's Open Source Security Enhanced Linux depicts surveying
soldiers. During the second half of the nineteenth century, following the Civil War, the U.S. military
dispatched troops to the American West to subdue hostilities between Native Americans and settlers.
These intrepid soldiers braved a chaotic environment; they were frequently confronted with shoot-outs,
ambushes, and snipers in their struggle to bring order to the American frontier. Among these troops were
the Buffalo soldiers, the first peacetime regiments of African-American cavalry in the military. Despite
being stationed in extremely dangerous terrain with inferior supplies, the Buffalo soldiers became one of
the most distinguished military units in the Old West. To future generations of soldiers, they were models
of courage and dedication in the face of adversity.
Sanders Kleinfeld was the production editor and copyeditor for SELinux: NSA's Open Source Security
Enhanced Linux. Jamie Peppard was the proofreader. Mary Anne Weeks Mayo and Claire Cloutier
provided quality control. Caitrin McCullough provided production assistance. Judy Hoer wrote the
index.
Emma Colby designed the cover of this book, based on a series design by Hanna Dyer and Edie
Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Clay Fernald
produced the cover layout with QuarkXPress 4.1 using Adobe's ITC Garamond font.
Melanie Wang designed the interior layout, based on a series design by David Futato. The chapter
opening images are from the Dover Pictorial Archive, Marvels of the New West: A Vivid Portrayal of
the Stupendous Marvels in the Vast Wonderland West of the Missouri River, by William Thayer (The
Henry Bill Publishing Co., 1888);and The Pioneer History of America: A Popular Account of the
Heroes and Adventures, by Augustus Lynch Mason, A.M. (The Jones Brothers Publishing Company,
1884). This book was converted by Julie Hawks to FrameMaker 5.5.6 with a format conversion tool
created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML
technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the
code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were
produced by Robert Romano and Jessamyn Read using Macromedia FreeHand 9 and Adobe
Photoshop 6. The tip and warning icons were drawn by Christopher Bing. This colophon was written by
Sanders Kleinfeld.
The online edition of this book was created by the Safari production group (John Chodacki, Ken
Douglass, and Ellie Cutler) using a set of Frame-to-XML conversion and cleanup tools written and
maintained by Erik Ray, Benn Salter, John Chodacki, Ellie Cutler, and Jeff Liggett.
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
accept operation
acceptfrom operation
access controls, discretionary/mandatory
access decisions
access vector cache (AVC)
access vectors
TE access-vector declarations
access-control lists (ACLs), protecting memory with
access-vector rules
authorizing transitions with
restrictions imposed on, by constraint declarations
syntax of
access_vectors file in flask subdirectory 2nd
access_vectors policy element 2nd
ACLs (access-control lists), protecting memory with
actions performed by subjects
active content, contributing to software threats
Add button (Seuserx window)
add_name operation
adding user accounts 2nd
Address Space Layout Randomization (ASLR)
adduser command
admin type attribute
admin.te file 2nd
admin_domain macro
admin_macros.te file 2nd
Advanced button (Seuserx window)
agp_device_t type
aliases for type names, defining with type declarations 2nd
allow access vector 2nd
conditional declarations and 2nd
sample declaration
allow lines in snort.te file
allow statements, governing role transitions 2nd
allow_user_direct_mouse macro
allow_user_dmesg macro
allow_user_tcp_server macro
allow_xserver_home_fonts macro
allow_ypbind macro
alternatives to SELinux
Analysis tab (Apol window) 2nd
any_socket_t type
Apache OpenSSL attack 2nd
apm_bios_t type
Apol tool 2nd
appconfig subdirectory 2nd
files in
append directive
append operation
append_log_domain macro
append_logdir_domain macro
application_domain macro
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
base_file_read_access macro
base_pty_perms macro
base_user_domain macro
base_user_macros.te file 2nd
bdev_t type
bdflush operation
Bell, David
bin_t type
binary policy files, creating with checkpolicy command 2nd
bind operation
blk_file (object security class) 2nd
Boolean declarations (bool_def)
Booleans
setting via SELinux filesystem
tuning SELinux via
Booleans tab (Apol window)
boot parameters and setting initial operating mode
boot problems, troubleshooting
boot time, disabling SELinux at
boot_runtime_t type
boot_t type
Browse Policy tab (Sepcut window)
buffer overflow attacks, detecting with stack canaries
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
enforce_dest operation
enforcing mode
booting system into
curtailing unnecessary logging
dynamically setting operating mode
enqueue operation
entrypoint operation
escalating privileges
/etc/init.d directory
/etc/passwd program
setting user passwords
/etc/shadow program
setting user passwords
etc_aliases_t type
etc_domain macro
etc_runtime_t type
etc_t type
etc_writer type attribute
etcdir_domain macro
event_device_t type
eventpollfs_t type
exec_type type attribute
execute operation
execute_no_trans operation
ext2/ext3 (Linux Ext2/Ext3 filesystems)
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
faillog_t type
failsafe_context file
FC (file context) files
adding permissions to
creating
deleting conflicting specifications
manual installation by system administrators
testing/revising
understanding how SELinux policy operates
fcron domain (domains/misc subdirectory)
fd (object security class) 2nd
fdisk command
features of SELinux
Fedora Core
demonstration system
Fedora Core 2
automatic transition to sysadm_r role
Boolean declarations
policy elements and associated files in
role transition allowed for system administrators 2nd
sestatus command
supporting SELinux
tuning SELinux
via macros
via policy Booleans
type attributes in SELinux 2nd
fifo_file (object security class) 2nd
file (object security class) 2nd
file context database
file context files files) [See FC (file context]
file creation and transition decisions
file labeling
file labels
boot problems and relabeling filesystems
repairing, using restorecon utility
file security context, viewing
file-related types
file-type transitions
file.te file
file_class_set macro 2nd
file_contexts file
file_contexts subdirectory
files/subdirectories in
file_labels_t type
file_t type
file_type type attribute
file_type_auto_trans macro 2nd
file_type_trans macro 2nd
filesystem (object security class) 2nd
filesystem labeling declarations
firewalls
for hosts
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
icmp_socket_t type
id -Z command 2nd
id command 2nd
id_comma_list policy subelement
identifier_list policy subelement
identifiers, lowercase vs. uppercase
igmp_packet_t type
in_user_role macro
incident reports
indirect information flow analysis
init scripts
relabeling, using fixfiles command
starting/controlling daemons
init_service_domain macro
initial operating mode of SELinux system, setting
initial SID context declarations
initial SIDs (security identifiers)
Initial SIDs tab (Apol window)
initial_sid_contexts file 2nd
initial_sid_contexts policy element 2nd
initial_sids file in flask subdirectory 2nd
initial_sids policy element 2nd
initrc_context file
initrc_t domain
insider threats
install command
install Makefile target 2nd
installing SELinux
from binary or source packages
on Debian GNU/Linux
Fedora Core 2
on Gentoo Linux
existing systems
fresh systems
from NSA source
overview
on RHEL using RPM packages
on SUSE Linux using RPM packages
Internet and software threats
intrusion detection systems 2nd
intrusion prevention systems
invoking macros
in ping.te file
in snort.te file
ioctl operation
ipc (object security class) 2nd
ipc_info operation
ipc_lock operation
ipc_owner operation
iso9660_t type
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
M4 macros
authorizing access to files and network operations
for classes
creating role allow declarations
defining roles associated with users
dnl (do not list) comment prefix 2nd 3rd
macro invocations
in ping.te file
in snort.te file
macros subdirectory 2nd
tuning SELinux via
type alias declarations, generating
MAC (mandatory access control)
vs. Linux DAC
macros subdirectory
files in
macros defined in
mail_server_domain type attribute
mail_server_sender type attribute
mail_spool_t type
mailing lists related to SELinux
mailman_r role
make install command
make load command
make reload command
Makefile
labeling/relabeling filesystems
loading SELinux security policy
in policy source directory 2nd
SELinux binary policy file generated by
targets (operations) supported by 2nd
man_t type
mandatory access control (MAC)
vs. Linux DAC
May, Brian
MBR (master boot record) 2nd
McGraw, Gary
member_sid operation
memory protection schemes
memory-resident tables
memory_device_t type
mini_pty_type type attribute
mini_user_domain macro
mini_user_macros.te file 2nd
misc subdirectory
domains directory 2nd
file_contexts directory 2nd
misc_device_t type
MITRE Corporation
mknod operation
mkswap command
mls file 2nd
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
name_bind operation
names policy subelement
naming conventions for security attributes
National Security Agency [See NSA]
ncurses-dev package
nested_id_set policy subelement
net_admin operation
net_bind_service operation
net_conf_t type
net_contexts file 2nd
net_contexts policy element 2nd
net_raw operation 2nd
netbroadcast operation
netif (object security class) 2nd
netif_eth0_t type
netif_eth1_t type
netif_eth2_t type
netif_ippp0_t type
netif_ipsec0_t type
netif_ipsec1_t type
netif_ipsec2_t type
netif_lo_t type
netif_t type
netif_type type attribute
netifcon declarations
netlink_socket (object security class) 2nd
netmsg_eth0_t type
netmsg_eth1_t type
netmsg_eth2_t type
netmsg_ippp0_t type
netmsg_ipsec0_t type
netmsg_ipsec1_t type
netmsg_ipsec2_t type
netmsg_lo_t type
netmsg_t type
netmsg_type type attribute
Network Associates
network declarations
network.te file
networks
connectivity issues, contributing to software threats
defenses for
intrusion detection systems
types related to
neverallow rule type
sample declaration
newconn operation
newrole command 2nd
nfs.te file
nfs_export_all_ro macro
nfs_export_all_rw macro
nfs_home_dirs macro
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
packages, installing
packet_perms macro
packet_socket (object security class) 2nd
pam program
parent and child processes 2nd
parsing log messages
passwd (object security class) 2nd
passwd command 2nd 3rd
passwords
setting for users
patch cycles and 0-day vulnerabilities
PaX project
permissions
adding
associated with classes
associated with file-like objects
extending to processes in domain
restricting, with constraint declarations
special notations for
permissive mode
booting system into
curtailing unnecessary logging
dynamically setting operating mode
setting, before using Audit2allow
persistent labels
filesystems not supporting
filesystems supporting
persistent objects
persistent security identifiers (PSIDs), storing on filesystems
pidfile type attribute
ping command, controlling access to
ping.fc file, examining sample policy
ping.te file
basic policy elements
conditional statement declaration in
domain_auto_trans macro, invoked in
examining sample policy
role type declarations in
pipefs (pseudofilesystem with pipe)
policy Booleans
initializing in ping.te file
setting via SELinux filesystem
tuning SELinux via
Policy Components tab (Apol window) 2nd
policy constraint declarations
policy database of SELinux security server
policy elements
and associated files
list of 2nd
subelements appearing in
policy files 2nd [See also SELinux policy]
browsing/editing with SePCuT
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
quotaget operation
quotamod operation
quotaon operation
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
r_dir_file macro
r_dir_perms macro
r_file_perms macro
r_msgq_perms macro
r_sem_perms macro
r_shm_perms macro
ra_dir_create_file macro
ra_dir_file macro
ra_dir_perms macro
ra_file_perms macro
railroad diagrams
fine points of
how they work
SELinux policy syntax
symbols specified by
what they do
ramfs_t type
random assignment of memory
random_device_t type
raw IP packets, sending/receiving
raw IP sockets, creating/modifying
rawip_recv operation
rawip_send operation
rawip_socket (object security class) 2nd
RBAC (role-based access control) 2nd
declarations
te_rbac policy element
types of
rbac file 2nd
RBAC Rules tab (Apol window)
rbac_decl (RBAC declarations)
read operation
read_default_t macro
read_locale macro
read_sysctl macro
readable_t type
readhome macro
README file
receive operation
recv_msg operation
recvfrom operation
Red Hat
Red Hat Enterprise Linux [See RHEL]
regular expressions
in file-context specifications
in railroad diagrams
in snort.fc file
relabel Makefile target 2nd
relabelfrom operation
relabeling filesystems
using chcon utility
using fixfiles utility
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
sambafs_t type
sample policy, examining
sandboxes
protecting memory with
sbin_t type
scanner_device_t type
SCC (Secure Computing Corporation)
scmp_packet_t type
scsi_generic_device_t type
search operation
Seaudit tool 2nd 3rd
SeCmds tool
Secure Computing Corporation (SCC)
secure_levels macro
security (object security class) 2nd
security attributes
associated with subjects/objects
naming conventions for
security contexts 2nd
assigned to filesystems by Genfs declarations
assigning to new users
changing permissions, to prevent denial messages
elements of
of files, determining
for new domain
of hosts, specifying
of local ports, specifying
of network interfaces, specifying
of objects having initial SIDs
specifying, when starting programs
starting init scripts in correct
viewing
for Snort-related directories/files
security identifiers (SIDs)
flask/initial_sids file
security model for SELinux, overview of
security object classes 2nd
security policy for SELinux
associating users with nondefault roles
enforcing mode vs. permissive mode
loading
roles defined by
rules for dynamically setting operating mode
security.te file
security_classes file in flask subdirectory 2nd
security_t type
SELinux
applications of
architecture of
commands
for administration/use
modified Linux commands
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
tape_device_t type
targets (operations) supported by Makefile 2nd
tcp_recv operation
tcp_send operation
tcp_socket (object security class) 2nd
tcp_socket_t type
TCSEC (Trusted Computer System Evaluation Criteria)
TE (type enforcement) declarations
te_rbac policy element
TE (type enforcement) files
avoiding modification of existing files
creating 2nd
manual installation by system administrators
role type declarations and
testing/revising
troubleshooting
understanding how SELinux policy operates
TE (type enforcement) model 2nd
TE access-vector declarations (te_avtab_def)
TE Rules tab (Apol window)
te_rbac policy element 2nd
TE and RBAC declarations
Test Policy tab (Sepcut window)
test_file_t type
tetex_data_t type
Thompson, Kerry
threats to the Internet
active content contributing to
mobile code contributing to
network connectivity contributing to
software complexity contributing to
tmp subdirectory 2nd
tmp_domain macro
tmp_t type
tmpfile type attribute
tmpfs (pseudofilesystem with memory-resident filesystem)
tmpfs_domain macro
tmpfs_t type
tmpfsfile type attribute
tokens in regular expressions
tools in SELinux
traceroute command, controlling access to
traceroute_t domain
authorizing access
to entire domain
to pseudoterminals
using macros
examining FC file for
transient objects
transition decisions 2nd
transition declarations (transition_def)
transition operation
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
udev_runtime_t type
udp_recv operation
udp_send operation
udp_socket (object security class) 2nd
UML (User-Mode Linux) and SELinux
unconfined_domain macro
Unix stream sockets, creating
unix_dgram_socket (object security class) 2nd
unix_read operation
unix_stream_socket (object security class) 2nd
unix_write operation
unlabeled_t type
unlimitedServices macro
unlimitedUsers macro
unlink operation
unmount operation
unpriv_socket_class_set macro 2nd
unpriv_userdomain type attribute
unrestricted_admin macro
unsupported platforms, installing SELinux on
Update Policy button (Seuserx window)
uppercase vs. lowercase identifiers
urandom_device_t type
usbdevfs_t type
usbfs_t type
use operation
use_games macro
user account databases, keeping Linux separate from SELinux
user accounts, adding 2nd
user declarations, syntax of
user identities in SELinux
adding ordinary users
adding system administrators
constraint declarations and
user passwords, setting
user security context, viewing
user statements, assigning roles to users
User-Mode Linux (UML) and SELinux
user.te file 2nd
user_application_domain macro
user_can_mount macro
user_canbe_sysadm macro 2nd 3rd
user_crond_domain type attribute
user_domain macro
user_home_dir_t security context
user_home_dir_type type attribute
user_home_type type attribute
user_macros.te file 2nd 3rd
user_mail_domain type attribute
user_mini_domain type attribute
user_net_control macro
user_ping Boolean
ABC Amber CHM Converter Trial version, http://www.processtext.com/abcchm.html
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
v4l_device_t type
var_lib_domain macro
var_lib_nfs_t type
var_lib_t type
var_lock_t type
var_log_ksyms_t type
var_log_t type
var_run_domain macro
var_run_t type
var_spool_t type
var_t type
var_yp_t type
VERSION file
versions of SELinux
vi_t domain
View/Change button (Seuserx window)
virtual filesystems
virtual machines and User-Mode Linux (UML)
vixie-cron package
Vogt, Tom
vulnerabilities, 0-day
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
Walsh, Dan
web sites for SELinux
web_client_domain type attribute
Weber, Michael
wget command
Wiki, SELinux
Wirth, Niklaus
Woody (Debian GNU/Linux 3.0 stable)
write operation
writehome macro
wtmp_t type
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
X window systems
troubleshooting problems with
using SELinux with
x_file_perms macro
xdm_sysadm_login macro
xfs (Linux Xfs filesystem)
xserver_port_t type
xserver_tmpfile type attribute
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [
X] [Z]
zero_device_t type