4.14. File Name Transition
The file name transition feature allows policy writers to take the file name into account when writing policy transition rules. It is possible to write a rule that states: if a process labeled A_t creates an object of a specified class in a directory labeled B_t, and the object is named objectname, the new object gets the label C_t. This mechanism provides more fine-grained control over what a process may create and how the result is labeled.
Without file name transition, there are three possible ways to label a newly created object:
- By default, objects inherit labels from their parent directory. For example, if a user creates a file in a directory labeled etc_t, the file is also labeled etc_t. This method is not sufficient when multiple files within one directory need different labels.
- Policy writers can write a rule in policy that states: if a process with type A_t creates an object of a specified class in a directory labeled B_t, the object gets the new label C_t. This practice is problematic if a single program creates multiple objects in the same directory where each object requires a separate label. Moreover, these rules provide only partial control, because the names of the created objects are not specified: every object of that class the process creates in that directory receives the same label.
- Certain applications are SELinux-aware, which allows them to ask the system what the label of a certain path should be and then request the kernel to create the object with the required label. Examples of SELinux-aware applications are the rpm package manager, the restorecon utility, and the udev device manager. However, it is not possible to make every application that creates files or directories SELinux-aware. It is therefore often necessary to relabel objects after they have been created. Otherwise, when a confined domain attempts to use a mislabeled object, the access is denied and AVC denial messages are logged.
The file name transition feature reduces problems caused by incorrect labeling and therefore makes the system more secure. Policy writers are able to state precisely that a certain application can only create a file with a specified name in a specified directory. The rules take into account the file name, not the file path: only the basename, the last component of the path, is compared. Note that file name transition uses an exact match done by the strcmp() function, so the comparison is byte for byte and case-sensitive. Regular expressions and wildcard characters are not supported.
Note
The kernel has no stable notion of a file path (the same object can be reached through several paths, for example through hard links or bind mounts), so file name transition uses only the name of the object being created, never its path, to determine the label. The feature also only takes effect at object creation. It does not fix incorrect labels of objects that already exist; those still need to be relabeled, for example with restorecon.
Example 4.2. Examples of Policy Rules Written with File Name Transition
The example below shows a policy rule with file name transition:
filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")
This rule states that if a process with the unconfined_t type creates a directory named .ssh in a directory labeled admin_home_t (for example ~/.ssh/ in the home directory of root), the new directory gets the label ssh_home_t. The macro arguments are, in order: the creating domain, the type of the containing directory, the type the new object receives, the object class, and the exact name to match.
Similar examples of policy rules written with file name transition are presented below:
filetrans_pattern(staff_t, user_home_dir_t, httpd_user_content_t, dir, "public_html")
filetrans_pattern(thumb_t, user_home_dir_t, thumb_home_t, file, "missfont.log")
filetrans_pattern(kernel_t, device_t, xserver_misc_device_t, chr_file, "nvidia0")
filetrans_pattern(puppet_t, etc_t, krb5_conf_t, file, "krb5.conf")
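To make the matching semantics of the three labeling mechanisms and of the rules above concrete, the following Python model is added here; it is not code from the SELinux project, from the reference policy, or from this guide. It parses the filetrans_pattern() rules quoted in this section and computes the type a newly created object would receive, applying the same effective precedence as the kernel: a named type_transition whose name equals the basename exactly, otherwise an unnamed type_transition for the same domain, directory type and class, otherwise inheritance of the directory's type. The two rules for example_t (with the types example_tmp_t and example_lock_t) are constructed for this illustration to show an unnamed transition next to a named one; they are not part of any shipped policy.

```python
"""Model of how SELinux picks the type of a newly created object.

Added illustration, not code from the SELinux project, the reference policy
or this guide.  It reproduces the effective precedence applied at object
creation (named type_transition with an exactly matching basename, then an
unnamed type_transition for the same domain/directory/class, then the
directory's own type) so the rules quoted in the section can be exercised on
a machine without SELinux.  Only file-like classes are modeled.
"""
import re
from dataclasses import dataclass
from typing import Optional

# filetrans_pattern(domain, dir_type, new_type, class, "name"); the name is optional
FILETRANS_RE = re.compile(
    r'filetrans_pattern\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)'
    r'\s*(?:,\s*"([^"]*)")?\s*\)'
)

# The rules quoted in the section, plus two constructed rules (example_t, made up
# for this illustration) showing an unnamed transition beside a named one.
POLICY = '''
filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")
filetrans_pattern(staff_t, user_home_dir_t, httpd_user_content_t, dir, "public_html")
filetrans_pattern(thumb_t, user_home_dir_t, thumb_home_t, file, "missfont.log")
filetrans_pattern(kernel_t, device_t, xserver_misc_device_t, chr_file, "nvidia0")
filetrans_pattern(puppet_t, etc_t, krb5_conf_t, file, "krb5.conf")
filetrans_pattern(example_t, tmp_t, example_tmp_t, file)
filetrans_pattern(example_t, tmp_t, example_lock_t, file, "example.lock")
'''


@dataclass(frozen=True)
class TransitionRule:
    domain: str          # type of the creating process (A_t)
    parent: str          # type of the directory the object is created in (B_t)
    obj_class: str       # object class being created: file, dir, chr_file, ...
    result: str          # type the new object receives (C_t)
    name: Optional[str]  # exact object name, or None for an unnamed transition


def parse_rules(text: str) -> list[TransitionRule]:
    """Turn filetrans_pattern() lines into TransitionRule records."""
    rules = []
    for m in FILETRANS_RE.finditer(text):
        domain, parent, result, obj_class, name = m.groups()   # name is None if absent
        rules.append(TransitionRule(domain, parent, obj_class, result, name))
    return rules


def compute_create_type(rules, domain, parent_type, obj_class, path):
    """Type given to a new object of obj_class created by domain at path.

    Only the basename takes part in the decision: the kernel is handed the
    last path component, never the full path, and compares it with the rule's
    name byte for byte (strcmp), so case differences, prefixes and wildcards
    never match.
    """
    basename = path.rstrip("/").rsplit("/", 1)[-1]
    matching = [r for r in rules
                if r.domain == domain and r.parent == parent_type
                and r.obj_class == obj_class]
    for rule in matching:                       # 1. named transition, exact match
        if rule.name is not None and rule.name == basename:
            return rule.result
    for rule in matching:                       # 2. unnamed transition
        if rule.name is None:
            return rule.result
    return parent_type                          # 3. inherit the directory's type


RULES = parse_rules(POLICY)


def label_for(domain, parent_type, obj_class, path):
    """Convenience wrapper over the parsed section rules."""
    return compute_create_type(RULES, domain, parent_type, obj_class, path)


def demo():
    """Creation events and the type each receives under the rules above."""
    cases = [
        ("unconfined_t", "admin_home_t", "dir", "/root/.ssh/"),    # named match, basename only
        ("unconfined_t", "admin_home_t", "file", ".ssh"),          # class differs: inherits
        ("staff_t", "user_home_dir_t", "dir", "public_html"),      # named match
        ("staff_t", "user_home_dir_t", "dir", "Public_html"),      # case differs: inherits
        ("staff_t", "user_home_dir_t", "dir", "public_html.old"),  # no prefix match
        ("user_t", "user_home_dir_t", "dir", "public_html"),       # other domain: inherits
        ("kernel_t", "device_t", "chr_file", "nvidia0"),           # named match
        ("kernel_t", "device_t", "chr_file", "nvidia1"),           # no wildcard: needs own rule
        ("example_t", "tmp_t", "file", "anything.txt"),            # unnamed transition applies
        ("example_t", "tmp_t", "file", "example.lock"),            # named beats unnamed
    ]
    return {(d, p, c, n): label_for(d, p, c, n) for d, p, c, n in cases}


if __name__ == "__main__":
    for (domain, parent, cls, name), result in demo().items():
        print(f"{domain:13} creates {cls:8} {name!r:18} in {parent:16} -> {result}")
```

The model shows why each nvidia device node in the section's last example needs its own rule and why a process creating Public_html or public_html.old is left with the directory's label. It deliberately covers only creation: renaming or copying an existing object keeps that object's current label, which is why restorecon remains necessary for objects created before a rule existed. On a SELinux-enabled system the equivalent check against the loaded policy is sesearch -T -s unconfined_t -t admin_home_t -c dir, which lists the type_transition rules, including their file names, that the kernel will apply.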
Note
The file name transition feature mainly affects policy writers. Users may nevertheless notice that, whereas file objects were almost always created with the default label of the containing directory, some file objects now receive a different label as specified in policy.