Chapter 3. SELinux Contexts
Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions. In Red Hat Enterprise Linux, SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement (TE), and, optionally, Multi-Level Security (MLS).
The following is an example showing SELinux context. SELinux contexts are used on processes, Linux users, and files, on Linux operating systems that run SELinux. Use the
ls -Z
command to view the SELinux context of files and directories:
~]$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
SELinux contexts follow the SELinux user:role:type:level syntax. The fields are as follows:
- SELinux user
- The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS/MCS range. Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions placed on SELinux users. The mapped SELinux user identity is used in the SELinux context for processes in that session, in order to define what roles and levels they can enter. Run the
semanage login -l
command as the Linux root user to view a list of mappings between SELinux and Linux user accounts (you need to have the policycoreutils-python package installed):~]#
semanage login -l
Login Name SELinux User MLS/MCS Range __default__ unconfined_u s0-s0:c0.c1023 root unconfined_u s0-s0:c0.c1023 system_u system_u s0-s0:c0.c1023Output may differ slightly from system to system. TheLogin Name
column lists Linux users, and theSELinux User
column lists which SELinux user the Linux user is mapped to. For processes, the SELinux user limits which roles and levels are accessible. The last column,MLS/MCS Range
, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). - role
- Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered; ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.
- type
- The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
- level
- The level is an attribute of MLS and MCS. An MLS range is a pair of levels, written as lowlevel-highlevel if the levels differ, or lowlevel if the levels are identical (
s0-s0
is the same ass0
). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as sensitivity:category-set. If there are no categories, it is written as sensitivity.If the category set is a contiguous series, it can be abbreviated. For example,c0.c3
is the same asc0,c1,c2,c3
. The/etc/selinux/targeted/setrans.conf
file maps levels (s0:c0
) to human-readable form (that isCompanyConfidential
). Do not editsetrans.conf
with a text editor: use thesemanage
command to make changes. Refer to the semanage(8) manual page for further information. In Red Hat Enterprise Linux, targeted policy enforces MCS, and in MCS, there is just one sensitivity,s0
. MCS in Red Hat Enterprise Linux supports 1024 different categories:c0
through toc1023
.s0-s0:c0.c1023
is sensitivitys0
and authorized for all categories.MLS enforces the Bell-La Padula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the selinux-policy-mls package, and configure MLS to be the default SELinux policy. The MLS policy shipped with Red Hat Enterprise Linux omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the upstream SELinux Reference Policy can be built that includes all program domains. For more information on MLS configuration, refer to Section 5.11, “Multi-Level Security (MLS)”.
3.1. Domain Transitions
A process in one domain transitions to another domain by executing an application that has the
entrypoint
type for the new domain. The entrypoint
permission is used in SELinux policy, and controls which applications can be used to enter a domain. The following example demonstrates a domain transition:
- A user wants to change their password. To do this, they run the
passwd
application. The/usr/bin/passwd
executable is labeled with thepasswd_exec_t
type:~]$
ls -Z /usr/bin/passwd
-rwsr-xr-x root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwdThepasswd
application accesses/etc/shadow
, which is labeled with theshadow_t
type:~]$
ls -Z /etc/shadow
-r--------. root root system_u:object_r:shadow_t:s0 /etc/shadow - An SELinux policy rule states that processes running in the
passwd_t
domain are allowed to read and write to files labeled with theshadow_t
type. Theshadow_t
type is only applied to files that are required for a password change. This includes/etc/gshadow
,/etc/shadow
, and their backup files. - An SELinux policy rule states that the
passwd_t
domain hasentrypoint
permission to thepasswd_exec_t
type. - When a user runs the
passwd
application, the user's shell process transitions to thepasswd_t
domain. With SELinux, since the default action is to deny, and a rule exists that allows (among other things) applications running in thepasswd_t
domain to access files labeled with theshadow_t
type, thepasswd
application is allowed to access/etc/shadow
, and update the user's password.
This example is not exhaustive, and is used as a basic example to explain domain transition. Although there is an actual rule that allows subjects running in the
passwd_t
domain to access objects labeled with the shadow_t
file type, other SELinux policy rules must be met before the subject can transition to a new domain. In this example, Type Enforcement ensures:
- The
passwd_t
domain can only be entered by executing an application labeled with thepasswd_exec_t
type; can only execute from authorized shared libraries, such as thelib_t
type; and cannot execute any other applications. - Only authorized domains, such as
passwd_t
, can write to files labeled with theshadow_t
type. Even if other processes are running with superuser privileges, those processes cannot write to files labeled with theshadow_t
type, as they are not running in thepasswd_t
domain. - Only authorized domains can transition to the
passwd_t
domain. For example, thesendmail
process running in thesendmail_t
domain does not have a legitimate reason to executepasswd
; therefore, it can never transition to thepasswd_t
domain. - Processes running in the
passwd_t
domain can only read and write to authorized types, such as files labeled with theetc_t
orshadow_t
types. This prevents thepasswd
application from being tricked into reading or writing arbitrary files.