Monday, February 8, 2010

9. SELinux Targeted Policy (RedHat) - IV


This post covers preparing the system with the source policy associated with policy number 18 (the default that comes with RHEL 4).
The "/etc/selinux" folder contains a "targeted" folder, which holds the source and binary policies. The default installation of RHEL 4 installs only the binary packages, and the binary policy cannot be changed. To make any change to the policy, we have to install the targeted source policy.

Need for source policy installation
  1. To customize or change the policy.
  2. To learn more about how the targeted policy is written.
  3. To define a policy when a new program is installed (which moves the newly installed program into a confined domain in SELinux).
    SELinux operates in the kernel and processes the existing policy from its binary format in memory, so the source files are not used by the SELinux portion of the kernel.
The "/etc/selinux" folder contains
  • targeted/
  • config,v
  • config
The "targeted" folder contains
  • booleans (This file contains the variables for enabling and disabling features on the fly, such as CGI-enabled Apache, httpd_enable_homedirs (refer to the previous topic), etc.)
  • policy/ (This folder contains the actual binary policy file, called policy.xx, e.g. "policy.18" on RHEL 4.)
  • contexts/ (This folder holds the information about contexts. All the contexts (tuples) are defined inside this folder. The "file_contexts" file inside the folder "contexts/files" is the key file that maintains the relationship between the directories of the file system and how those directories and files should be labeled. The file also contains the context entries for all sorts of mount points, i.e. how files created in those file systems should be labeled by default.)
Installing source policy for Targeted Policy:
# rpm -qa | grep -i selinux
    This will show the selinux-policy-targeted package, which is responsible for the binary policy installation.
To install the SELinux source policy, download the source package of the policy, named selinux-policy-targeted-sources.version.rpm. The installation creates the folder /etc/selinux/targeted/src.
Install the package
# rpm -ivh selinux-policy-targeted-sources.version.rpm
# cd /etc/selinux/targeted/src
Beneath /etc/selinux/targeted/src there is a directory called "policy", which contains all of the files and directories that pertain to the targeted policy.

The "file_contexts" file:
    This file contains the labeling information for all objects and subjects. It uses regular expressions to label the files. Check the "/home" definitions in the file to get a better idea of the regular expressions used in file_contexts.
The format used in the file is
" regexp -type context|none "
(types:
  -d = directory
  -- = file)
Eg:-
/home     -d     system_u:object_r:home_root_t
    The knowledge in this file is useful when creating new policies.
Another eg:-
/media/[^/]*/.*    none
    This applies no label to objects mounted beneath the folder /media (e.g. a cdrom mounted inside /media). In short, this file describes how the files in the system should be labeled for the targeted policy to take effect. So when we run the "fixfiles" utility (refer to the previous posts), it consults this file for labeling.
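
The matching described above, as an added example (not from the original post or the SELinux tools): a shell function that reads entries in the "regexp -type context|none" format and reports the label a path would get. Sample entries other than the /home and /media lines shown above are constructed, and it assumes the setfiles rule that the last matching entry wins; shipped file_contexts files spell the no-label marker <<none>>, which is accepted as well.

```shell
#!/bin/sh
# Constructed sample in the "regexp -type context|none" format.
# The first and last entries are the examples from the text; the two in
# between are made up to show the type field and an entry without one.
SAMPLE_FILE_CONTEXTS='
/home	-d	system_u:object_r:home_root_t
/home/[^/]+	-d	system_u:object_r:user_home_dir_t
/home/[^/]+/.+	system_u:object_r:user_home_t
/media/[^/]*/.*	none
'

# label_for PATH KIND   (KIND: d = directory, f = regular file)
# Prints the context the entries assign to PATH, "none" when the matching
# entry says the object must not be labeled, or "no-match".
label_for() {
    printf '%s\n' "$SAMPLE_FILE_CONTEXTS" | awk -v path="$1" -v kind="$2" '
        NF < 2 || /^#/ { next }               # skip blank lines and comments
        {
            re = $1; ctx = $NF
            type = (NF == 3) ? $2 : ""        # the -type field is optional
            if (type == "-d" && kind != "d") next
            if (type == "--" && kind != "f") next
            if (ctx == "<<none>>") ctx = "none"
            # Each regexp is anchored to the whole path; a later match
            # overrides an earlier one (assumed: last match wins).
            if (path ~ ("^" re "$")) result = ctx
        }
        END { print (result == "" ? "no-match" : result) }'
}
```

For example, `label_for /home d` resolves through the -d entry, while `label_for /home f` finds no entry because the only /home line is restricted to directories.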

RUN_INIT (Process at system boot with respect to SELinux)
    While the system boots, init determines whether SELinux is supported and, if it is, creates the processes (allocates their space in memory) with the help of a utility called "run_init". "run_init" sets up the programs that are protected by SELinux in distinct spaces that cannot overlap each other or be interacted with by other daemons. In this way it increases system security.

Key Start-up Utility For SELinux-Protected Daemons:
    If we need to restart a daemon, run_init helps that program run within its protected space, i.e. "run_init" ensures protected daemon isolation. "run_init" is installed by the package named "policycoreutils".

How to check whether a process is out of context or running correctly with the policy-defined context:

We will use Apache to check whether the daemon has the correct context
# ps -axZ |grep httpd
root:system_r:httpd_t    3111    ?    S    0:00    /usr/sbin/httpd
    Here we can see the tuple/context "root:system_r:httpd_t". Apache is running with the wrong user identity, root.

To change it, first kill the process
# kill 3111

Now run the httpd daemon using run_init
# /usr/sbin/run_init /etc/init.d/httpd start
    (This will prompt you for root user authentication.)
        This starts the httpd daemon in the domain specified in the policy, i.e. the policy enforces (honors) the type.
Now we check the httpd process again
# ps -axZ |grep httpd
user_u:system_r:httpd_t    5114    ?    S    0:00    /usr/sbin/httpd
    We can see that Apache is up and running with the proper context.
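
The manual check above can be scripted. This added example (not from the original post) reads "ps -axZ" style lines and reports which part of the tuple differs from the expected context; the function name, the column layout and the third sample line are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -axZ` output. The two httpd lines are the ones
# shown above; the third line is made up to show a process that is ignored.
SAMPLE_PS='root:system_r:httpd_t    3111    ?    S    0:00    /usr/sbin/httpd
user_u:system_r:httpd_t    5114    ?    S    0:00    /usr/sbin/httpd
user_u:system_r:unconfined_t    2040    ?    S    0:00    /bin/bash'

# audit_context COMMAND EXPECTED   (reads `ps -axZ` style lines on stdin)
# Prints one line for every field (user, role, type) of a COMMAND process
# that differs from EXPECTED. Returns 1 if anything differed, 0 otherwise.
audit_context() {
    awk -v cmd="$1" -v want="$2" '
        BEGIN {
            split(want, w, ":")
            name[1] = "user"; name[2] = "role"; name[3] = "type"
        }
        # Assumed column layout: context pid tty stat time command
        $6 == cmd {
            split($1, got, ":")
            for (i = 1; i <= 3; i++)
                if (got[i] != w[i]) {
                    printf "pid %s: %s is %s, expected %s\n", $2, name[i], got[i], w[i]
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }'
}
```

On a live system the input would come from `ps -axZ | audit_context /usr/sbin/httpd user_u:system_r:httpd_t`, and a non-zero exit status marks a daemon that should be restarted through run_init.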
