Post date: Aug 25, 2016 6:34:44 AM
SELinux provides Mandatory Access Control (MAC), which is applied after the existing Discretionary Access Control (DAC). Only an admin can modify MAC; users can modify DAC if they have the correct privileges.
Security Context
All processes and resources (files, directories, network ports) are labeled with a Security Context (SC).
An SC is a group of four text strings separated by colons:
user_group: Each Linux user is mapped to a SELinux User Group.
role: Used for Role Based Access Control (RBAC).
domain/type: domain (for processes), type (for resources). Used for Type Enforcement (TE).
level/category: Used for Multi-Level Security (MLS) and Multi-Category Security (MCS).
Policy
Permissions are given to each SC to act on another SC in the SELinux Policy.
Different types of policy are possible, but the most common is targeted.
Targeted policy: Uses TE rules to define allow or deny permissions between process domains and resource types.
Strict policy: Locks everything down, but is very difficult to maintain and manage.
MLS/MCS policy: Provides the concept of sensitivity levels and categories, e.g. top secret. Targeted policy only supports sensitivity s0.
Console tools
Install the package "setools-console", which provides some useful tools to work with SELinux.
Worked Example: Why can a user run passwd?
# ls -alZ `which passwd`
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /bin/passwd
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0-c1023
So how does the user with unconfined_t launch the application passwd_exec_t?
Search SELinux policy for domain transitions from unconfined_t to
# sesearch -T --source unconfined_t --target passwd_exec_t
found 1 semantic te rules:
type_transition unconfined_t passwd_exec_t:process passwd_t
What allows the transition:
# sesearch -A -s unconfined_t -t passwd_exec_t -c file -p execute
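The worked example above can be reproduced offline with a small parser. This is an added example, not part of the original post: it splits a security context into its four fields (the level field can itself contain a colon, as in the id -Z output above) and applies the type_transition rule to find the domain the new process lands in. The function names are hypothetical, and the sample strings are the ones shown on this page.

```python
import re
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range; may itself contain ':' (e.g. s0-s0:c0-c1023)

def parse_context(text: str) -> Context:
    # Split on the first three colons only, so the level keeps its own ':'.
    parts = text.strip().split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a four-field security context: {text!r}")
    return Context(*parts)

def context_from_ls_z(line: str) -> Context:
    # Find the context token in an `ls -Z` line rather than trusting column position.
    for token in line.split():
        if token.count(":") >= 3:
            return parse_context(token)
    raise ValueError("no security context found in line")

RULE_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+):(\S+)\s+([^\s;]+)")

def parse_type_transition(rule: str):
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError(f"not a type_transition rule: {rule!r}")
    return m.groups()  # (source domain, target type, class, new domain)

def domain_after_exec(proc: Context, exe: Context, rules) -> str:
    # Models only the type_transition rule; the allow rules (such as the
    # execute permission queried with sesearch -A) are not checked here.
    for rule in rules:
        source, target, tclass, new_type = parse_type_transition(rule)
        if (source, target, tclass) == (proc.type, exe.type, "process"):
            return new_type
    return proc.type  # no matching rule: the process stays in the caller's domain

# Sample input copied from the worked example on this page.
LS_LINE = "-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /bin/passwd"
ID_Z = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0-c1023"
RULES = ["type_transition unconfined_t passwd_exec_t:process passwd_t"]

if __name__ == "__main__":
    caller, exe = parse_context(ID_Z), context_from_ls_z(LS_LINE)
    print(caller.level, "->", domain_after_exec(caller, exe, RULES))
```

A plain split on every colon would return five fields for the id -Z string, which is the usual source of off-by-one bugs when scripts compare types or levels.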