Thursday, February 11, 2010

10. SELinux - Source Targeted Policy


The file_contexts file with respect to the Source Targeted Policy:
    The binary installation of the Targeted Policy creates the file "file_contexts" inside /etc/selinux/targeted/contexts/files. Many individual files are involved in creating the file_contexts file.
After installing the source policy we get a folder called /etc/selinux/targeted/src. Beneath "src", a folder called "policy" contains many files and folders, including version information, role-based access control information and other related files. Two important files in this folder are "attrib.te", used for the Type Enforcement of attributes, and "assert.te". The "file_contexts" subdirectory inside the policy folder of "src" has an additional file called "types.fc", which is almost the same as the "file_contexts" file of the binary installation. The "distro.fc" file holds information about the Linux distros, used to make conditional matches for m4 while building the policy (i.e., it guides to the exact file location according to the distro variable).
Note:-
(filename.fc = file context
 filename.te = type enforcement)
The "program" directory of "file_contexts" has many *.fc files, which define the file context information for the various system utilities and daemons.
Eg:-
# cat ping.fc
# ping

/bin/ping.*        --    system_u:object_r:ping_exec_t
/usr/sbin/hping2    --    system_u:object_r:ping_exec_t
    This file defines the file context information for the ping binary, i.e., if this policy were applied on the system, the security label would be as above. But if we look at the binary /bin/ping, it shows something that does not match the above statement.
The context information of the current binary is
# ls -alZ /bin/ping
-rwxr-xr-x    root root system_u:object_r:bin_t
    This is because each file context defined inside the folder "/etc/selinux/targeted/src/policy/file_contexts/program" should have a corresponding type enforcement defined. Here the type "bin_t" is applied/inherited from the context of the parent (/bin) directory. The corresponding ".te" files should be located in /etc/selinux/targeted/src/policy/domains/program. This folder houses all the TE files that correspond to .fc files, e.g. apache.te, dhcpd.te, ntpd.te etc. So the listed daemons (which correspond to the programs) will be protected.
Check whether the protection for apache has been enforced
# cat /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc | grep /var/www
/var/www(/.*)?    system_u:object_r:httpd_sys_content_t
(And the corresponding TE file has been created inside "/etc/selinux/targeted/src/policy/domains/program")
# ls -al /etc/selinux/targeted/src/policy/domains/program | grep apache
-rwx------    root root Jan 8 2010    apache.te
Now check the file context of the folder /var/www
# ls -ldZ /var/www
-rwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t
    The folder is correctly labeled because the .fc file has a corresponding .te file defined, i.e., the type has been enforced because there is a corresponding TE file for the FC file.
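The comparison made above (what the .fc source says versus the label actually on disk) can be automated. The following is an added example, not part of the original post or of the SELinux tooling: it parses entries in .fc syntax and reports paths whose observed label differs. The /bin entry in the sample is an assumption, and precedence is simplified to "last matching entry wins".

```python
import re

# Constructed .fc sample (regex, optional type flag, context); /bin entry is assumed.
SAMPLE_FC = """
# ping
/bin(/.*)?              system_u:object_r:bin_t
/bin/ping.*         --  system_u:object_r:ping_exec_t
/usr/sbin/hping2    --  system_u:object_r:ping_exec_t
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t
"""

FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chardev",
              "-b": "blockdev", "-s": "socket", "-p": "fifo"}

def parse_fc(text):
    """Return [(compiled_regex, file_type_or_None, context), ...]."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) not in (2, 3):
            raise ValueError("malformed .fc line: " + line)
        # A middle field such as "--" restricts the entry to one file type.
        ftype = FILE_TYPES[fields[1]] if len(fields) == 3 else None
        entries.append((re.compile(fields[0]), ftype, fields[-1]))
    return entries

def expected_context(entries, path, ftype):
    """Whole-path match; simplified precedence: the last matching entry wins."""
    result = None
    for regex, wanted_type, context in entries:
        if regex.fullmatch(path) and wanted_type in (None, ftype):
            result = context
    return result

def mislabeled(entries, observed):
    """observed: (path, file_type, current_context) as read from `ls -Z`."""
    findings = []
    for path, ftype, current in observed:
        expected = expected_context(entries, path, ftype)
        if expected is not None and expected != current:
            findings.append((path, current, expected))
    return findings

# Labels as shown in this post's ls -Z listings.
OBSERVED = [("/bin/ping", "file", "system_u:object_r:bin_t"),
            ("/var/www", "dir", "system_u:object_r:httpd_sys_content_t")]
```

Calling mislabeled(parse_fc(SAMPLE_FC), OBSERVED) flags only /bin/ping, which carries bin_t where the source entry names ping_exec_t.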

Focus on TE files which relate to FC files.
    TE files reside inside /etc/selinux/targeted/src/policy/domains/program.
Function of TE:
1. TE files enforce Type
    a. TE files describe what each domain is able to do; this includes the types that domains are able to access as well as the system-related calls (link, unlink, read, tcp_open, udp_open etc).
2. The actions that are to be enabled on the object are defined in the TE file. The "TE" file enables actions on objects.
3. THIS FILE PERMITS BASICALLY SUBJECT TO OBJECT ACCESS.

   " We will explain this process with apache service."

        The SELinux admin should have a low-level understanding of the operating system in order to understand the calls that are made by a program.
The general system calls that apache makes are described below.
    a. read files (config files, content files and log files)
    b. bind to network ports (TCP: 80, TCP :443)
    c. write to file (log files)
    d. execute scripts (cgi, php etc)

Now take a look at the apache file:
# vim /etc/selinux/targeted/src/policy/domains/program/apache.te
    Initially it defines the booleans that can be overwritten by the configuration in the "/etc/selinux/targeted/booleans" file. Under "Apache Types" are defined the types that are supported by apache. This is where the labels for the domains are actually defined, and these usually correspond to the types that are applied to the filenames.
For Eg:-
# ls -alZ /var/www/
-rwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_script_exec_t cgi-bin
-rwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t error
-rwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t html
-rwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t icons
-rwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t manual
-rwxr-x--x    root root Jan 8 2010 system_u:object_r:httpd_sys_content_t usage
    Notice that the context entries in this folder are defined in the "apache.te" file. Beneath "Apache Types" we can see the types that allow access for apache defined.
Eg:-
# cat /etc/selinux/targeted/src/policy/domains/program/apache.te
    "This file governs what the apache and its related programs are allowed to do on your system."
# Syntax: The syntax is as follows
allow|neverallow|auditallow|dontaudit     subject|domain     object:object_class     { permissions to be applied };
allow httpd_t httpd_log_t:lnk_file read;
    # allows the httpd_t domain to access objects labeled httpd_log_t, with object class lnk_file (symbolic link), with permission read
allow httpd_suexec_t self:capability { setuid setgid };
    # allows the subject httpd_suexec_t domain to object self capability with permissions setuid & setgid
dontaudit httpd_suexec_t var_run_t:dir search;
    # This stops auditing of denied search attempts by the httpd_suexec_t process on directories labeled var_run_t
allow httpd_suexec_t home_root_t:dir search;
    # This grants apache the permission to search the object having the label home_root_t, in which the object class is a directory. This means apache can search any directory (object class: dir) having the label "home_root_t"
The permissions should be in "{}" curly brackets when defining two or more at a time.
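To see how the rule syntax above turns into an access decision, here is an added example (not code from the original post, and not the kernel's own logic): a small evaluator for rules of the form "kind subject object:class permissions;". It assumes plain type names only, with no attributes or m4 macros, and the policy text is a constructed sample built from the rules quoted above.

```python
import re

# Constructed policy text using the rules quoted in this post.
SAMPLE_TE = """
allow httpd_t httpd_log_t:lnk_file read;
allow httpd_suexec_t self:capability { setuid setgid };
dontaudit httpd_suexec_t var_run_t:dir search;
allow httpd_suexec_t home_root_t:dir search;
"""

# kind  subject  object:class  permission | { permission ... } ;
RULE = re.compile(
    r"(allow|neverallow|auditallow|dontaudit)\s+(\w+)\s+(\w+):(\w+)\s+"
    r"(\{[^}]*\}|\w+)\s*;")

def parse_te(text):
    """Return [(kind, subject, object, object_class, permission_set), ...]."""
    rules = []
    for kind, src, tgt, cls, perms in RULE.findall(text):
        if tgt == "self":          # "self" means the subject's own type
            tgt = src
        rules.append((kind, src, tgt, cls,
                      frozenset(perms.strip("{} ").split())))
    return rules

def decide(rules, src, tgt, cls, perm):
    """Default deny: access is granted only by an explicit allow rule."""
    def has(kind):
        return any(k == kind and (s, t, c) == (src, tgt, cls) and perm in p
                   for k, s, t, c, p in rules)
    if has("allow"):
        return "allowed"
    # dontaudit does not grant anything; it only silences the denial message.
    return "denied, not logged" if has("dontaudit") else "denied, logged"
```

With this sample, httpd_t reading an httpd_log_t symbolic link is allowed, writing to it is denied and logged, and the httpd_suexec_t search of a var_run_t directory is denied without a log entry.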
