SELinux Context Definition:
Here we will discuss the basics behind users, roles and types/domains in SELinux. It is important to have a clear understanding of the three pieces of information that make up the security context, also called the tuple.
Security Context or Tuple:
A security context (tuple) is a colon-separated string of three fields, user:role:type, with an optional fourth field for the MLS/MCS level on policies that use it. Every subject (process) and every object (file, directory, socket, port, ...) carries one, and it is what the policy rules are written against.
eg:- user_u:system_r:unconfined_t
In simple words, read it like "id:first_name:last_name": three labels, each with its own meaning, that together identify the thing being labeled.
Field 1: SELinux user
eg:- user_u, root, system_u
The first field is the SELinux user, which is not the same as the Linux login name. Under the RHEL targeted policy an ordinary login is mapped to "user_u", the root account to the SELinux user "root" (id -Z as root shows root:system_r:unconfined_t), and daemons started at boot carry "system_u". The targeted policy makes almost no access decisions on the first two fields; nearly everything is decided by the third.
Field 2: Role (Role Based Access Control, RBAC)
SELinux users are authorised for one or more roles, loosely like a DAC user belonging to groups, and a role in turn is authorised for a set of domains. In the tuples user_u:system_r:unconfined_t and root:system_r:unconfined_t the unprivileged and the privileged user share the same role, "system_r", which is the role nearly every process carries under the targeted policy (objects carry object_r).
Field 3: Type/Domain
The third field is the same kind of label in both cases; the name depends on what it is attached to. Applied to an object (a file, directory, socket or port) it is called a type; applied to a subject (a process) it is called a domain. Access is granted by rules of the form "allow domain type:class { permissions }", so this field is what the type enforcement engine works on.
Eg:-
Processes of privileged as well as unprivileged users run in the unconfined domain, unconfined_t, by default.
Each daemon confined by the targeted policy runs in its own domain, conventionally named after the daemon with a "_t" suffix, eg:- httpd_t, dhcpd_t. The process enters that domain by a domain transition when it executes a binary labeled with the daemon's entrypoint type (httpd_exec_t for httpd).
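The field layout above, as an added shell example that is not part of the original post: it splits a context into its fields and tallies which values a field takes across ps -eZ output, which makes the point about the targeted policy visible (the role column is all system_r, only the type varies). The process lines in sample_ps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Splits SELinux contexts into their
# fields and summarises which values a field takes across `ps -eZ` output.

# Field accessors: user:role:type[:level]. The level is optional and may itself
# contain colons (s0-s0:c0.c1023), so it is taken as "field 4 to the end".
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1;  }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2;  }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3;  }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }   # empty without MLS/MCS

# field_histogram N : read `ps -eZ` output (header included) on stdin and print
# "value count" for field N (1=user, 2=role, 3=type) of every process context.
field_histogram() {
    awk -v n="$1" 'NR > 1 { split($1, f, ":"); c[f[n]]++ }
                   END   { for (v in c) print v, c[v] }' | sort
}

# Constructed sample in `ps -eZ` layout (LABEL PID TTY TIME CMD): init and httpd
# in their own domains, everything else (including dhcpd here) unconfined.
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:httpd_t        2710 ?        00:00:00 httpd
system_u:system_r:unconfined_t   2802 ?        00:00:00 sshd
system_u:system_r:unconfined_t   2935 ?        00:00:00 dhcpd
user_u:system_r:unconfined_t     3012 pts/0    00:00:00 bash
EOF
}

# On a live host:  ps -eZ | field_histogram 3
# On the sample:   sample_ps | field_histogram 2   -> system_r 5
#                  sample_ps | field_histogram 3   -> httpd_t 1 / init_t 1 / unconfined_t 3
```

Run field_histogram 1 and 2 on a real targeted-policy host and you will see only a handful of user and role values; run it with 3 and every confined daemon shows up as its own line, which is the quickest way to see what the policy actually distinguishes.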
Thursday, February 4, 2010
7. SELinux Targeted Policy (RedHat) - II
Confined and Unconfined states
1. How to disable protection of a currently protected (confined) targeted daemon such as httpd while SELinux runs in enforcing mode?
Or
How to remove a particular domain from SELinux protection while the system keeps running in enforcing mode?
Or
Transition of a daemon from the confined state to the unconfined state
We will explain this with the Apache daemon. Let's take Apache from the confined state to the unconfined state.
Steps:
# ps -axZ | grep httpd
This shows the SELinux label (context tuple) of every running httpd process; while confined, the type field is httpd_t.
# cd /selinux
This is the selinuxfs mount point (/sys/fs/selinux on newer kernels). Inside it, booleans/httpd_disable_trans controls what happens when httpd is executed: with the boolean at 0, httpd makes a domain transition into httpd_t (confined) on exec; with it at 1 the transition is disabled and httpd simply stays in the domain of the process that started it, the unconfined domain (unconfined_t) in this example.
Step 1:
# echo "1 1" > /selinux/booleans/httpd_disable_trans
Reading this file shows two numbers: the current value and the pending value. Writing to it sets only the pending value; the kernel reads a single integer from what is written, so the second "1" is ignored and echo "1" would do the same. Nothing changes until the pending value is committed.
Step 2:
# echo "1" > /selinux/commit_pending_bools
This commits all pending boolean values at once. It does not reload the policy; it re-evaluates the conditional rules that depend on booleans and flushes the access vector cache, so no other domain is affected. The supported way to do steps 1 and 2 together is setsebool httpd_disable_trans 1 (add -P to make it persist; a boolean changed through selinuxfs is lost at the next reboot), and getsebool httpd_disable_trans shows the current value.
Step 3:
# service httpd restart
The transition rule is consulted only when a process executes the httpd binary, so the running daemon must be restarted. After the restart httpd runs in the unconfined domain (unconfined_t), which the targeted policy does not restrict: it now behaves like a service on a system without SELinux as far as mandatory access control is concerned (ordinary DAC permissions still apply).
# ps -axZ | grep httpd
Now we can see that httpd has moved from confined to unconfined. Note that this removes every SELinux protection from httpd, not just the rule that was in the way; on policies that support permissive domains (RHEL 6 and later, where the *_disable_trans booleans no longer exist) semanage permissive -a httpd_t is the better troubleshooting knob, because httpd stays in httpd_t and the would-be denials are still logged.

2. Changing httpd back from unconfined to confined
# echo "0 0" > /selinux/booleans/httpd_disable_trans
# echo "1" > /selinux/commit_pending_bools
# service httpd restart
# ps -axZ | grep httpd
Now we can see that httpd is running confined in httpd_t again.
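The procedure above as an added shell example, not code from the original post: the same selinuxfs writes wrapped in functions with the checks a practitioner wants (the boolean must exist, the value must be 0 or 1, the domain httpd lands in is verified against what the boolean implies). SELINUXFS is an assumed variable, defaulting to the post's /selinux, so the helpers can also be pointed at a scratch directory; the ps line in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The post's selinuxfs procedure as
# shell functions with the checks a practitioner wants: the boolean must exist,
# the value must be 0 or 1, and the domain httpd ends up in is verified.
# SELINUXFS is an assumed variable: /selinux on RHEL 4/5 (as in the post),
# /sys/fs/selinux on newer kernels, or a scratch directory for dry runs.
SELINUXFS="${SELINUXFS:-/selinux}"

# selinuxfs reports each boolean as "<current> <pending>".
bool_current() { awk '{ print $1 }' "$SELINUXFS/booleans/$1"; }
bool_pending() { awk '{ print $2 }' "$SELINUXFS/booleans/$1"; }

# set_bool NAME 0|1 : write the pending value, then commit it (what
# setsebool does without -P). Nothing done here survives a reboot.
set_bool() {
    name=$1
    value=$2
    [ -f "$SELINUXFS/booleans/$name" ] || { echo "no such boolean: $name" >&2; return 1; }
    case $value in
        0|1) ;;
        *) echo "boolean value must be 0 or 1, got '$value'" >&2; return 1 ;;
    esac
    printf '%s\n' "$value" > "$SELINUXFS/booleans/$name"   # sets pending only
    printf '1\n' > "$SELINUXFS/commit_pending_bools"        # pending -> current
}

# domain_of CMD : read `ps -eZ` output on stdin and print the type (domain) of
# the first process whose CMD column is CMD; prints nothing if it is not running.
# e.g. "system_u:system_r:httpd_t 2710 ? 00:00:00 httpd" (constructed) -> httpd_t
domain_of() {
    awk -v cmd="$1" 'NR > 1 && $NF == cmd { split($1, f, ":"); print f[3]; exit }'
}

# expected_domain_ok DISABLE_TRANS DOMAIN : true when DOMAIN is what httpd should
# be in after httpd_disable_trans was set to DISABLE_TRANS and httpd restarted:
# 0 -> back in httpd_t; 1 -> running, but in any domain other than httpd_t.
expected_domain_ok() {
    case "$1:$2" in
        0:httpd_t) return 0 ;;
        1:httpd_t) return 1 ;;
        1:)        return 1 ;;   # not running at all
        1:*)       return 0 ;;
        *)         return 1 ;;
    esac
}

# httpd_transition 0|1 : the post's three steps, then verify. Returns non-zero
# and leaves a message on stderr if httpd did not land where expected.
httpd_transition() {
    set_bool httpd_disable_trans "$1" || return 1
    service httpd restart >/dev/null || return 1
    dom=$(ps -eZ | domain_of httpd)
    if expected_domain_ok "$1" "$dom"; then
        echo "httpd now runs in ${dom:-<not running>}"
    else
        echo "httpd in '${dom:-<not running>}', not what httpd_disable_trans=$1 implies" >&2
        return 1
    fi
}
```

Usage on a host with the boolean: httpd_transition 1 to unconfine, httpd_transition 0 to confine again. The explicit existence check matters because on a policy without the *_disable_trans booleans the redirect in the original post would just create a dead file and report success.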
Wednesday, February 3, 2010
6. SELinux Targeted Policy (RedHat) - I
Introduction:
Here we will discuss the daemons covered by the targeted policy. The targeted policy is the default policy of RHEL (and of Fedora and RHEL derivatives such as CentOS); other distributions ship their own SELinux policies, or none. The idea of the targeted policy is to confine the exposed, heavily used network daemons of a RHEL server while leaving everything else unconfined, so that a compromise of one daemon stays inside that daemon's domain. Each confined daemon is effectively sandboxed: it can touch only the types its domain is explicitly allowed to, and nothing in another daemon's domain.
List of daemons protected by the targeted policy by default (at the time of writing; later releases confine many more):
Confined:
- dhcpd
- httpd
- mysql
- named
- nscd - name service caching daemon
- ntpd
- portmap
- postgresql
- snmpd
- squid
- syslogd
- winbindd
All other processes: unconfined
The twelve daemons above each run in their own confined domain (httpd_t, squid_t, snmpd_t, ...), and every other program/subject/process runs in the unconfined domain, unconfined_t, which the targeted policy does not restrict. There are no rules letting one confined domain reach into another, e.g. httpd_t gets no access to dhcpd_t's files, sockets or process, which is what "sandboxed" means here. Whether a given daemon is actually confined can be checked with ps -eZ: a confined daemon shows its own domain in the type field, an unconfined one shows unconfined_t.
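A check for the list above, as an added shell example that is not part of the original post: it reads ps -eZ output and reports, for each daemon the targeted policy is supposed to confine, the domain it is running in, flagging any that run in unconfined_t (as after one of the *_disable_trans booleans is set). The daemon names are the process names ps reports, so mysqld and postmaster are assumed for the mysql and postgresql entries; the sample ps lines in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether the daemons the
# targeted policy is supposed to confine are actually running confined.
# Reads `ps -eZ` output (LABEL PID TTY TIME CMD) on stdin.

# Process names as `ps -eZ` prints them. mysqld and postmaster are assumed to be
# the process names behind the post's "mysql" and "postgresql" entries.
CONFINED_DAEMONS="dhcpd httpd mysqld named nscd ntpd portmap postmaster snmpd squid syslogd winbindd"

# audit_confinement [NAME...] : one line per daemon, "name domain state", where
# state is confined, UNCONFINED (running in unconfined_t) or not-running.
# Without arguments the full CONFINED_DAEMONS list is checked.
audit_confinement() {
    names=${*:-$CONFINED_DAEMONS}
    awk -v names="$names" '
        BEGIN { n = split(names, w, " ") }
        NR > 1 { split($1, f, ":"); dom[$NF] = f[3] }     # last process wins
        END {
            for (i = 1; i <= n; i++) {
                d = w[i]
                if (!(d in dom))                   print d, "-", "not-running"
                else if (dom[d] == "unconfined_t") print d, dom[d], "UNCONFINED"
                else                               print d, dom[d], "confined"
            }
        }'
}

# count_unconfined [NAME...] : number of listed daemons running in unconfined_t;
# a non-zero result from `ps -eZ | count_unconfined` is the thing to alert on.
count_unconfined() {
    audit_confinement "$@" | awk '$3 == "UNCONFINED" { c++ } END { print c + 0 }'
}

# Live use:  ps -eZ | audit_confinement
# Constructed input "system_u:system_r:unconfined_t 2935 ? 00:00:00 dhcpd"
# yields the line "dhcpd unconfined_t UNCONFINED".
```

The check deliberately does not hard-code the expected domain per daemon, because the names do not all follow the daemon_t pattern (winbindd runs as winbind_t, the PostgreSQL postmaster as postgresql_t); "anything but unconfined_t" is the property that matters for the list above.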