These are common files and directories, and their purposes.
This is the default setting for the Booleans in the targeted policy:
cat /etc/selinux/targeted/booleans
allow_ypbind=1
dhcpd_disable_trans=1
httpd_disable_trans=0
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=0
httpd_unified=1
mysqld_disable_trans=0
named_disable_trans=0
named_write_master_zones=0
nscd_disable_trans=0
ntpd_disable_trans=0
portmap_disable_trans=0
postgresql_disable_trans=0
snmpd_disable_trans=0
squid_disable_trans=0
syslogd_disable_trans=0
winbind_disable_trans=0
ypbind_disable_trans=0
Using Boolean values to define the state of optional policy allows for the tunables to be switchable during runtime. The kernel accesses the state of the values in /selinux/booleans/*, with a separate file for each Boolean. If you run echo "1 1" > squid_disable_trans to turn off the targeted policy for squid by disabling the transition from unconfined_t to squid_t, you can then make the change take effect by running echo 1 > /selinux/commit_pending_bools. The value in /etc/selinux/targeted/booleans would then change to squid_disable_trans=1. An easier technique for changing Booleans is to use the setsebool command.
If you change the value in /etc/selinux/targeted/booleans, the change takes effect upon next policy load, such as a reboot or make load (refer to Chapter 7 Compiling SELinux Policy).
Booleans work by having the if statements with conditional policy compiled into the binary policy, so the potential policy for each conditional is always present.
If you look at a pseudo file system Boolean file, for example cat /selinux/booleans/httpd_unified, you get two values returned, 1 1. The first value is the current value; the second is the pending value that is applied when security_commit_booleans() runs, that is, when policy is loaded. Another time this occurs is when you run setsebool -P. The -P writes all the pending Boolean values to the disk.
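The following script is an added example, not part of the original guide: it parses the on-disk Boolean file and the "current pending" pairs from /selinux/booleans/* as described above, and reports pending values that were never committed, Booleans whose kernel value no longer matches the on-disk default (for example after setsebool without -P), and any *_disable_trans Boolean that is on, which means that daemon runs unconfined. The file contents below are constructed samples.

```python
# Constructed sample of /etc/selinux/targeted/booleans (abbreviated
# from the defaults shown above).
BOOLEANS_FILE = """\
allow_ypbind=1
dhcpd_disable_trans=1
httpd_disable_trans=0
httpd_enable_cgi=1
squid_disable_trans=0
"""

# Constructed sample of what `cat /selinux/booleans/<name>` returns,
# i.e. "<current> <pending>".  squid_disable_trans has a pending value
# that was never committed; httpd_enable_cgi was flipped with setsebool
# (without -P), so the kernel and the on-disk file disagree.
KERNEL_BOOLEANS = {
    "allow_ypbind": "1 1",
    "dhcpd_disable_trans": "1 1",
    "httpd_disable_trans": "0 0",
    "httpd_enable_cgi": "0 0",
    "squid_disable_trans": "0 1",
}

def parse_booleans_file(text):
    """Return {name: int} from name=value lines; skip blanks and comments."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            result[name.strip()] = int(value)
    return result

def parse_kernel_pair(text):
    """Split the "current pending" pair exposed by selinuxfs."""
    current, pending = text.split()
    return int(current), int(pending)

def audit(disk_text, kernel):
    """Flag uncommitted pending values, disk/kernel drift, and daemons unconfined."""
    disk = parse_booleans_file(disk_text)
    findings = {"uncommitted": [], "drift": [], "unconfined": []}
    for name, ondisk in sorted(disk.items()):
        current, pending = parse_kernel_pair(kernel[name])
        if current != pending:
            findings["uncommitted"].append(name)
        if current != ondisk:
            findings["drift"].append(name)
        if name.endswith("_disable_trans") and current == 1:
            findings["unconfined"].append(name)
    return findings

if __name__ == "__main__":
    print(audit(BOOLEANS_FILE, KERNEL_BOOLEANS))
```

On a live system, replace KERNEL_BOOLEANS with the contents of each file under /selinux/booleans/ and BOOLEANS_FILE with the real /etc/selinux/targeted/booleans.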
This directory contains security context information used at run time by various applications, such as restorecon. Within contexts/ are a number of files and directories. Here are the most important:
default_contexts — this file defines the default security context(s) for local and remote user sessions, cron jobs, and so forth.
files/ — this subdirectory contains security context configuration files used by applications needing to set file labels during runtime, such as rpm, restorecon, setfiles, and udev.
userhelper_context — this file sets the context for the userhelper application to use.
The location of the TE files that define the policy for the daemons covered by the targeted policy. If a TE file is not in this directory, then it is not compiled into the policy.
All of the file contexts for the targeted and unconfined daemons are in the directory file_contexts/program. When the policy is built, all of the relevant *.fc files are concatenated into $SELINUX_SRC/file_contexts/file_contexts. A file contexts file is considered relevant to the policy if there is a corresponding $SELINUX_SRC/domains/program/*.te file. A copy of file_contexts is at /etc/selinux/targeted/contexts/files/file_contexts.
For files that are not part of the targeted daemons and their associated file contexts files, the file types.fc is referenced for setting the security context, especially for when the policy is installed or if the file system is relabeled.
This directory is discussed thoroughly in Section 3.3 Understanding the File Contexts Files.
Each distribution of Linux that supports SELinux may have unique file contexts that should only be included if the policy is being compiled on that system. The set for Red Hat Enterprise Linux is grouped inside of ifdef(`distro_redhat', ... '), and includes contexts for Red Hat specific applications such as system-config-securitylevel, packages with possibly unique file locations, and file contexts for the /emul libraries for x86 emulation on 64-bit systems.
This file defines the domain for unconfined processes, that is, everything that is not specifically a targeted daemon.
This directory contains application configuration files that provide contexts or partial contexts for certain daemons and utilities. A partial context is when the user identity is not included. This identity is inferred from the user who runs the utility.
The kind of utilities that rely upon the appconfig contexts are crond, newrole, and login, which need to have a context that derives from a user rather than their own context. These files provide a list of possible contexts the program can try to set, and the policy decides if the process can transition to those contexts.
These various files are installed as the separate files and directories within $SELINUX_POLICY/contexts/, and are used in runtime by libselinux to search through for usable contexts.
In a stricter policy than the targeted policy, there would be additional entries, since all users and daemons run in their own security context instead of unconfined_t. For example, when parsing through default_contexts, if the policy defines that a context is not allowed for a user, it is ignored and the next one checked. This way the file can have a cascading set of partial contexts, so the most privileged gets the first choice and the least privileged gets the last choice. In default_contexts for the targeted policy, the most and least privileged are the same:
cat default_contexts
system_r:unconfined_t system_r:unconfined_t
The default_type file is the configuration file for when applications need to know which domains are to be associated with which roles. In the targeted policy, there is effectively one single role for subjects: system_r. For example, newrole looks to this file to know what domains to assign each transitioned role:
cat default_type
system_r:unconfined_t
There is only a partial context in failsafe_context. This is what is returned if default_contexts does not have an appropriate context. In other words, if nothing else matches, try this context. Note that it is the same context as in default_contexts. This file is more useful in a stricter policy.
cat failsafe_context
system_r:unconfined_t
When run_init executes a script in /etc/rc.d/, this is the context that run_init transitions to before running the script. This way, the context executing the scripts is the same as when they are executed by init.
cat initrc_context
user_u:system_r:unconfined_t
These are the default contexts applied to different media types, for example, when they are mounted on /media:
cat media
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t
This context covers removable media types, such as USB flash storage devices:
cat removable_context
system_u:object_r:removable_t
The root_default_contexts file allows the login context for root to be different from the login context for a normal user:
cat root_default_contexts
system_r:unconfined_t system_r:unconfined_t
This is the context userhelper transitions to before executing the application that requires the privilege escalation:
cat userhelper_context
system_u:system_r:unconfined_t
These files are the type declarations for general sets of types. The types are grouped by similarities such as being a file, being related to security, network, or devices. The name of the type declaration file reflects its contents.
One odd file included in the targeted policy is $SELINUX_SRC/types/apache.te. The file contains this one-line macro:
define(`admin_tty_type', `{ tty_device_t devpts_t }')
This macro is connected with a conditional set of rules in the httpd TE file at $SELINUX_SRC/domains/program/apache.te. The conditional rules allow httpd to utilize the console (if (httpd_tty_comm) {}). This allows Apache HTTP to use the console for parts of the SSL certificate handling process.
The reason the macro defining admin_tty_type is in types/apache.te is that the macro is included in the targeted policy only for the benefit of httpd. Apache HTTP needs this macro defined for the httpd policy to work.
In a stricter policy, the system administrator domain sysadm_t is used, and its associated TE file at /etc/selinux/strict/src/policy/domains/admin.te supplies the admin_tty_type macro.
The file $SELINUX_SRC/types/files.fc defines the contexts for all of the file types on the system.
These are the TE policy files that make the targeted daemons protected. In SELinux, in the tree at $SELINUX_SRC/domains/ are all the rules that govern the behavior of the various domains. If a particular *.te is not in the $SELINUX_SRC/domains/ path, it is not compiled in as part of the policy.
In Chapter 4 Example Policy Reference - dhcpd, the policy for dhcpd is completely dissected and examined as a reference for all of the policy files for the targeted daemons.
The file assert.te contains the neverallow assertions, discussed in Section 2.8 TE Rules - Access Vectors. The attributes declared for the targeted policy are in attrib.te, discussed in Section 2.6 TE Rules - Attributes. Constraining rules, as discussed in Section 2.11 TE Rules - Constraints, are defined for the targeted policy in the file constraints.
This directory is where several important definitions occur. In access_vectors, object classes are defined, as discussed in Section 2.5 Object Classes and Permissions. The file initial_sids provides the booting kernel with the initial security identifiers to use until policy can be loaded, as described in Section 2.3 Policy Role in Boot. Security object classes are defined in security_classes. The shell scripts and Makefile are used in SELinux kernel development, and are not intended for end-user usage.
Macros are discussed in Section 2.9 Policy Macros. Only two macro files in this directory are used, core_macros.te and global_macros.te. The directory $SELINUX_SRC/macros/program/ contains the macro files for various daemons. Only the macro files that correspond to a *.te file in $SELINUX_SRC/domains/program/ are actually used in the policy.
As explained in Section 2.4 File System Security Contexts, this file supplies the contexts for mountpoint labeling, where a mounted file system is given a single, overarching context instead of an individual context for each file.
These are the security contexts that are applied to the initial contexts in $SELINUX_SRC/flask/initial_sids and are used by the kernel during boot before it has loaded the policy. Refer to Section 2.3 Policy Role in Boot for more information.
This file is unused in the targeted policy, but is noteworthy for those interested in MLS security. Refer to Chapter 9 References for sources of information about MLS.
This file has the contexts for network entities, with many declarations within an ifdef statement that depends on the presence of a specific *.te file in $SELINUX_SRC/domains/program/. The syntax looks like this:
portcon <protocol> <{ port | port-range }> <type>
When invoked, a network context declaration looks like this:
ifdef(`mta.te', `
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
')
...
ifdef(`use_dhcpd', `portcon udp 67 \
system_u:object_r:dhcpd_port_t')
...
# Defaults for reserved ports. Earlier portcon entries take
# precedence; these entries just cover any remaining reserved
# ports not otherwise declared or omitted due to removal of a
# domain.
portcon tcp 1-1023 system_u:object_r:reserved_port_t
portcon udp 1-1023 system_u:object_r:reserved_port_t
...
netifcon eth0 system_u:object_r:netif_eth0_t \
system_u:object_r:unlabeled_t
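The comment in net_contexts says that earlier portcon entries take precedence over the reserved_port_t catch-all ranges. The script below, an added example rather than anything from the guide, parses portcon declarations (single ports and ranges, netifcon lines skipped) and resolves a port with first-match semantics, so you can see that tcp port 25 is smtp_port_t while mta.te is in the policy and silently falls back to reserved_port_t when that domain is removed. The two net_contexts fragments are constructed from the declarations quoted above.

```python
# Declarations that exist only when mta.te is part of the policy
# (the body of the ifdef(`mta.te', ...) block above).
MTA_PORTS = """\
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
"""

# Declarations that are always present, including the catch-all ranges.
BASE = """\
portcon udp 67 system_u:object_r:dhcpd_port_t
# Defaults for reserved ports. Earlier portcon entries take precedence.
portcon tcp 1-1023 system_u:object_r:reserved_port_t
portcon udp 1-1023 system_u:object_r:reserved_port_t
netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
"""

def parse_portcon(text):
    """Return [(proto, low, high, type)] in file order; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "portcon":
            continue  # comments, netifcon, blank lines
        _, proto, ports, context = fields
        low, _, high = ports.partition("-")  # "25" or "1-1023"
        low = int(low)
        high = int(high) if high else low
        entries.append((proto, low, high, context.split(":")[2]))
    return entries

def resolve(entries, proto, port):
    """First matching declaration wins; None means the port is unlabeled."""
    for entry_proto, low, high, port_type in entries:
        if entry_proto == proto and low <= port <= high:
            return port_type
    return None

if __name__ == "__main__":
    with_mta = parse_portcon(MTA_PORTS + BASE)
    without_mta = parse_portcon(BASE)
    print("tcp/25 with mta.te:   ", resolve(with_mta, "tcp", 25))
    print("tcp/25 without mta.te:", resolve(without_mta, "tcp", 25))
```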
This file is created by m4 during the policy compiling process. It is all of the TE rules from domains/ with the macros expanded, and the result concatenated together. The compilation process is covered in Chapter 7 Compiling SELinux Policy, and you can learn about analyzing the policy using policy.conf in Chapter 6 Tools for Manipulating and Analyzing SELinux.
This file defines which roles are allowed to attain which other roles. Roles are discussed in Section 2.10 SELinux Users and Roles. Note that this file only specifies which roles may transition to which other roles; it does not grant permission to actually change role. These are all the allowed role transitions in the targeted policy:
allow sysadm_r system_r;
allow user_r system_r;
allow user_r sysadm_r;
allow sysadm_r user_r;
allow system_r sysadm_r;
A tunable is a way of switching on or off certain settings that have global effect. For example, the file distro.tun has only one Linux distribution defined; the other defines are commented out with dnl:
define(`distro_redhat')
The existence of this definition triggers conditional statements in the TE files for httpd, mysqld, named, and snmpd in $SELINUX_SRC/domains/program, as well as $SELINUX_SRC/macros/program/userhelper_macros.te.
Tunables are included in the policy at compile time and are not a flexible way to manage settings that you want to effect more immediately. For the most part, the tunables have been replaced by Booleans in /etc/selinux/targeted/booleans that are checked during runtime.
The second file, tunable.tun, has several definitions which are in use in the targeted policy:
define(`targeted_policy')
define(`nscd_all_connect')
define(`nfs_home_dirs')
The targeted_policy tunable is used by apache.te, named.te, squid.te, and mta.te in $SELINUX_SRC/domains/program/, as well as global_macros.te and apache_macros.te. For example, this statement from apache.te is included in the policy only if targeted_policy is defined:
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias \
    httpd_user_script_exec_t;
if (httpd_enable_homedirs) {
allow httpd_sys_script_t user_home_dir_t:dir { getattr \
    search };
allow httpd_t user_home_dir_t:dir { getattr search };
}
') dnl targeted policy
The type aliases create support for Apache HTTP CGI scripting by users, aliasing the user equivalent of the httpd scripting type. Notice the if (httpd_enable_homedirs) statement. This is the Boolean httpd_enable_homedirs, used to enable serving public HTML directories from user home directories.
This file contains the definitions for the SELinux users, as explained in Section 2.10 SELinux Users and Roles and Section 3.5 Understanding the Roles and Users in the Targeted Policy.
If you are trying to run a minimal policy to reduce disk and memory usage, you can try removing unused files from $SELINUX_SRC/domains/program/. A TE file may be unused if the daemon associated with that domain file is not installed. For example, if you do not have the nameserver BIND installed, you may be able to remove the associated policy by moving the file $SELINUX_SRC/domains/program/named.te. This reduces the SELinux footprint in kernel memory and possibly some impact on performance.
After you remove the *.te file from the directory, you need to cd $SELINUX_SRC/ and make load. This takes effect immediately. Policy compiling is discussed in detail in Chapter 7 Compiling SELinux Policy. If you move the file to $SELINUX_SRC/domains/program/unused/, the TE policy is easy to obtain should you choose to install BIND at a later date.
Warning: Removing the wrong file can result in your system being unable to boot in enforcing mode. Policy compilation can fail if dependencies are not available. Be sure you know the consequences of removing any of the *.te files from /etc/selinux/targeted/src/policy/. A better solution for most cases is to use the Booleans to disable the policy for uninstalled applications. This compromise reduces some of the kernel overhead.
Here is an abbreviated file tree for the policy source. Not included are the TE files that are unused in the targeted policy. Note the presence of the files policy.conf, file_contexts/file_contexts, and tmp/*. These indicate a policy that has been compiled from source and possibly loaded.
tree /etc/selinux/targeted/src/policy/
/etc/selinux/targeted/src/policy/
|-- COPYING
|-- ChangeLog
|-- Makefile
|-- README
|-- VERSION
|-- appconfig
|   |-- default_contexts
|   |-- default_type
|   |-- failsafe_context
|   |-- initrc_context
|   |-- media
|   |-- removable_context
|   |-- root_default_contexts
|   `-- userhelper_context
|-- assert.te
|-- attrib.te
|-- constraints
|-- domains
|   |-- misc
|   |   `-- unused
|   |-- program
|   |   |-- apache.te
|   |   |-- dhcpd.te
|   |   |-- hotplug.te
|   |   |-- init.te
|   |   |-- initrc.te
|   |   |-- ldconfig.te
|   |   |-- mailman.te
|   |   |-- modutil.te
|   |   |-- mta.te
|   |   |-- mysqld.te
|   |   |-- named.te
|   |   |-- nscd.te
|   |   |-- ntpd.te
|   |   |-- portmap.te
|   |   |-- postgresql.te
|   |   |-- rpm.te
|   |   |-- snmpd.te
|   |   |-- squid.te
|   |   |-- syslogd.te
|   |   |-- udev.te
|   |   |-- winbind.te
|   |   `-- ypbind.te
|   `-- unconfined.te
|-- file_contexts
|   |-- distros.fc
|   |-- file_contexts
|   |-- misc
|   |-- program
|   |   |-- apache.fc
|   |   |-- dhcpd.fc
|   |   |-- hotplug.fc
|   |   |-- init.fc
|   |   |-- initrc.fc
|   |   |-- ldconfig.te
|   |   |-- mailman.fc
|   |   |-- modutil.fc
|   |   |-- mta.fc
|   |   |-- mysqld.fc
|   |   |-- named.fc
|   |   |-- nscd.fc
|   |   |-- ntpd.fc
|   |   |-- portmap.fc
|   |   |-- postgresql.fc
|   |   |-- rpm.fc
|   |   |-- snmpd.fc
|   |   |-- squid.fc
|   |   |-- syslogd.fc
|   |   |-- udev.fc
|   |   |-- winbind.fc
|   |   |-- ypbind.fc
|   `-- types.fc
|-- flask
|   |-- Makefile
|   |-- access_vectors
|   |-- initial_sids
|   |-- mkaccess_vector.sh
|   |-- mkflask.sh
|   `-- security_classes
|-- fs_use
|-- genfs_contexts
|-- initial_sid_contexts
|-- macros
|   |-- core_macros.te
|   |-- global_macros.te
|   `-- program
|       |-- apache_macros.te
|       |-- mta_macros.te
|       |-- sendmail_macros.te
|       `-- ypbind_macros.te
|-- mls
|-- net_contexts
|-- policy.conf
|-- rbac
|-- serviceusers
|-- tmp
|   |-- load
|   `-- program_used_flags.te
|-- tunables
|   |-- distro.tun
|   `-- tunable.tun
|-- types
|   |-- apache.te
|   |-- device.te
|   |-- devpts.te
|   |-- file.te
|   |-- network.te
|   |-- nfs.te
|   |-- procfs.te
|   |-- security.te
|   `-- x.te
`-- users