NB LSM - Revision history

Jaxelson at 20:46, 13 September 2010

Jaxelson — Mon, 13 Sep 2010 20:46:41 GMT

←Older revision		Revision as of 20:46, 13 September 2010
Line 657:		Line 657:
	----		----
	<references/>		<references/>
		+
		+	[[Category:Notebook]]

RichardHaines: /* SELinux Filesystem */

RichardHaines — Mon, 17 May 2010 15:57:50 GMT

SELinux Filesystem

←Older revision		Revision as of 15:57, 17 May 2010
Line 335:		Line 335:
	\| <div align="right">deny_unknown</div>		\| <div align="right">deny_unknown</div>
	\| <center>-r--r--r--</center>		\| <center>-r--r--r--</center>
-	\| These two files export unknown deny and reject handling status to user space. This is taken from the handle-unknown parameter set<ref name="ftn17"~~><sup~~>That is taken from the UNK_PERMS entry in the Reference Policy build.conf file.~~</sup>~~</ref> in the /etc/selinux/semanage.conf file and are set as follows:	+	\| These two files export unknown deny and reject handling status to user space. This is taken from the <tt>handle-unknown</tt> parameter set<ref name="ftn17">That is taken from the UNK_PERMS entry in the Reference Policy build.conf file.</ref> in the /etc/selinux/semanage.conf file and are set as follows:

	0:0 = allow, 1:0 = deny and 1:1 = reject.		0:0 = allow, 1:0 = deny and 1:1 = reject.

RichardHaines: /* Process Transition Walk-thorough */

RichardHaines — Mon, 17 May 2010 15:55:33 GMT

Process Transition Walk-thorough

←Older revision		Revision as of 15:55, 17 May 2010
Line 210:		Line 210:
	This section walks through the <tt>execve()</tt> and checking whether a process transition to the <tt>ext_gateway_t</tt> domain is allowed, and if so obtain a new SID for the context (<tt>user_u:message_filter_r:ext_gateway_t</tt>) as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram.		This section walks through the <tt>execve()</tt> and checking whether a process transition to the <tt>ext_gateway_t</tt> domain is allowed, and if so obtain a new SID for the context (<tt>user_u:message_filter_r:ext_gateway_t</tt>) as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram.

-	The process starts with the Linux operating system issuing a <tt>do_execve()</tt><ref name="ftn16"~~><tt~~>This function call will pass over the file name to be run and its environment + arguments. Note that for loading shared libraries the exec_mmap function is used.</ref> call from the CPU specific architecture code to execute a new program (for example, from <tt>arch/ia64/kernel/process.c</tt>). The <tt>do_execve()</tt> function is located in the <tt>fs/exec.c</tt> source code module and does the loading and final exec as described below.	+	The process starts with the Linux operating system issuing a <tt>do_execve()</tt><ref name="ftn16">This function call will pass over the file name to be run and its environment + arguments. Note that for loading shared libraries the exec_mmap function is used.</ref> call from the CPU specific architecture code to execute a new program (for example, from <tt>arch/ia64/kernel/process.c</tt>). The <tt>do_execve()</tt> function is located in the <tt>fs/exec.c</tt> source code module and does the loading and final exec as described below.

	<tt>do_execve()</tt> has a number of calls to <tt>security_bprm_*</tt> functions that are a part of the LSM (see <tt>security.h</tt>), and are hooked by SELinux during the initialisation process (in <tt>hooks.c</tt>). Table 4 briefly describes these <tt>security_bprm</tt> functions that are hooks for validating program loading and execution (although see <tt>security.h</tt> for greater detail).		<tt>do_execve()</tt> has a number of calls to <tt>security_bprm_*</tt> functions that are a part of the LSM (see <tt>security.h</tt>), and are hooked by SELinux during the initialisation process (in <tt>hooks.c</tt>). Table 4 briefly describes these <tt>security_bprm</tt> functions that are hooks for validating program loading and execution (although see <tt>security.h</tt> for greater detail).

RichardHaines: /* Process Transition Walk-thorough */

RichardHaines — Mon, 17 May 2010 15:54:25 GMT

Process Transition Walk-thorough

←Older revision		Revision as of 15:54, 17 May 2010
Line 210:		Line 210:
	This section walks through the <tt>execve()</tt> and checking whether a process transition to the <tt>ext_gateway_t</tt> domain is allowed, and if so obtain a new SID for the context (<tt>user_u:message_filter_r:ext_gateway_t</tt>) as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram.		This section walks through the <tt>execve()</tt> and checking whether a process transition to the <tt>ext_gateway_t</tt> domain is allowed, and if so obtain a new SID for the context (<tt>user_u:message_filter_r:ext_gateway_t</tt>) as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram.

-	The process starts with the Linux operating system issuing a <tt>do_execve()<ref name="ftn16"><tt>This function call will pass over the file name to be run and its environment + arguments. Note that for loading shared libraries the exec_mmap function is used.~~</tt>~~</ref> call from the CPU specific architecture code to execute a new program (for example, from <tt>arch/ia64/kernel/process.c</tt>). The <tt>do_execve()</tt> function is located in the <tt>fs/exec.c</tt> source code module and does the loading and final exec as described below.	+	The process starts with the Linux operating system issuing a <tt>do_execve()</tt><ref name="ftn16"><tt>This function call will pass over the file name to be run and its environment + arguments. Note that for loading shared libraries the exec_mmap function is used.</ref> call from the CPU specific architecture code to execute a new program (for example, from <tt>arch/ia64/kernel/process.c</tt>). The <tt>do_execve()</tt> function is located in the <tt>fs/exec.c</tt> source code module and does the loading and final exec as described below.

	<tt>do_execve()</tt> has a number of calls to <tt>security_bprm_*</tt> functions that are a part of the LSM (see <tt>security.h</tt>), and are hooked by SELinux during the initialisation process (in <tt>hooks.c</tt>). Table 4 briefly describes these <tt>security_bprm</tt> functions that are hooks for validating program loading and execution (although see <tt>security.h</tt> for greater detail).		<tt>do_execve()</tt> has a number of calls to <tt>security_bprm_*</tt> functions that are a part of the LSM (see <tt>security.h</tt>), and are hooked by SELinux during the initialisation process (in <tt>hooks.c</tt>). Table 4 briefly describes these <tt>security_bprm</tt> functions that are hooks for validating program loading and execution (although see <tt>security.h</tt> for greater detail).

RichardHaines: /* Process Transition Walk-thorough */

RichardHaines — Mon, 17 May 2010 15:50:51 GMT

Process Transition Walk-thorough

←Older revision		Revision as of 15:50, 17 May 2010
Line 219:		Line 219:

	\|-		\|-
-	\| security_bprm_alloc->	+	\| <nowiki>security_bprm_alloc->

-	selinux_bprm_alloc_security	+	selinux_bprm_alloc_security</nowiki>
	\| Allocates memory for the <tt>bprm</tt> structure.		\| Allocates memory for the <tt>bprm</tt> structure.

	\|-		\|-
-	\| security_bprm_free->	+	\| <nowiki>security_bprm_free->

-	selinux_bprm_free_security	+	selinux_bprm_free_security</nowiki>
	\| Frees memory from the <tt>bprm</tt> structure.		\| Frees memory from the <tt>bprm</tt> structure.

	\|-		\|-
-	\| security_bprm_apply_creds->	+	\| <nowiki>security_bprm_apply_creds->

-	selinux_bprm_apply_creds	+	selinux_bprm_apply_creds</nowiki>
	\| Sets task lock and new security attributes for a transformed process on execve. Seems to be used for libraries, scripts etc. Called from various Linux OS areas via <tt>compute_creds()</tt> located in <tt>fs/exec.c</tt>.		\| Sets task lock and new security attributes for a transformed process on execve. Seems to be used for libraries, scripts etc. Called from various Linux OS areas via <tt>compute_creds()</tt> located in <tt>fs/exec.c</tt>.

	\|-		\|-
-	\| security_bprm_post_apply_creds->	+	\| <nowiki>security_bprm_post_apply_creds->

-	selinux_bprm_post_apply_creds	+	selinux_bprm_post_apply_creds</nowiki>
	\| Supports the <tt>security_bprm_apply_creds</tt> function for areas that must not be locked.		\| Supports the <tt>security_bprm_apply_creds</tt> function for areas that must not be locked.

	\|-		\|-
-	\| security_bprm_secureexec->	+	\| <nowiki>security_bprm_secureexec->

-	selinux_bprm_secureexec	+	selinux_bprm_secureexec</nowiki>
	\| Called after the <tt>selinux_bprm_post_apply_creds</tt> function to check <tt>AT_SECURE</tt> flag for glibc secure mode support.		\| Called after the <tt>selinux_bprm_post_apply_creds</tt> function to check <tt>AT_SECURE</tt> flag for glibc secure mode support.

	\|-		\|-
-	\| security_bprm_set->	+	\| <nowiki>security_bprm_set->

-	selinux_bprm_set_security	+	selinux_bprm_set_security</nowiki>
	\| Carries out the major checks to validate whether the process can transition to the target context, and obtain a new SID if required.		\| Carries out the major checks to validate whether the process can transition to the target context, and obtain a new SID if required.

	\|-		\|-
-	\| security_bprm_check->	+	\| <nowiki>security_bprm_check->

-	selinux_bprm_check_security	+	selinux_bprm_check_security</nowiki>
	\| This hook is not used by SELinux.		\| This hook is not used by SELinux.

Line 264:		Line 264:


-	Therefore starting at the <tt>do_execve()</tt> function and using the [http://taiga.selinuxproject.org/~rhaines/diagrams/11-Transition.png \| Process Transition] diagram, the following major steps will be carried out to check whether the <tt>unconfined_t</tt> process has permission to transition the <tt>secure_server</tt> executable to the <tt>ext_gateway_t</tt> domain:	+	Therefore starting at the <tt>do_execve()</tt> function and using the [http://taiga.selinuxproject.org/~rhaines/diagrams/11-Transition.png Process Transition] diagram, the following major steps will be carried out to check whether the <tt>unconfined_t</tt> process has permission to transition the <tt>secure_server</tt> executable to the <tt>ext_gateway_t</tt> domain:

-	# The executable file is opened, a call issued to the <tt>sched_exec()</tt> function and the <tt>bprm</tt> structure is initialised with the file parameters (name, environment and arguments).	+	: 1. The executable file is opened, a call issued to the <tt>sched_exec()</tt> function and the <tt>bprm</tt> structure is initialised with the file parameters (name, environment and arguments).
	: The <tt>security_bprm_alloc()->selinux_bprm_alloc_security()</tt> function is then called (in <tt>hooks.c</tt>) where SELinux will allocate memory for the <tt>bprm</tt> security structure and set the <tt>bsec->set</tt> flag to <tt>0</tt> indicating this is the first time through this process for this exec request.		: The <tt>security_bprm_alloc()->selinux_bprm_alloc_security()</tt> function is then called (in <tt>hooks.c</tt>) where SELinux will allocate memory for the <tt>bprm</tt> security structure and set the <tt>bsec->set</tt> flag to <tt>0</tt> indicating this is the first time through this process for this exec request.
-	# Via the <tt>prepare_binprm()</tt> function call the UID and GIDs are checked and a call issued to <tt>security_bprm_set()</tt> that will carry out the following:	+	: 2. Via the <tt>prepare_binprm()</tt> function call the UID and GIDs are checked and a call issued to <tt>security_bprm_set()</tt> that will carry out the following:
-	: a) The <tt>selinux_bprm_set_security()</tt> function will call the <tt>secondary_ops->bprm_set_security</tt> function in <tt>capability.c</tt>, that is effectively a no-op.	+	:: a) The <tt>selinux_bprm_set_security()</tt> function will call the <tt>secondary_ops->bprm_set_security</tt> function in <tt>capability.c</tt>, that is effectively a no-op.
-	: b) The <tt>bsec->set</tt> flag will be checked and if <tt>1</tt> will return as this function can be called multiple times during the exec process.	+	:: b) The <tt>bsec->set</tt> flag will be checked and if <tt>1</tt> will return as this function can be called multiple times during the exec process.
-	: c) The target SID is checked to see whether a transition is required (in this case it is), therefore a call will be made to the <tt>security_transition_sid()</tt> function in <tt>services.c</tt>. This function will compute the SID for a new subject or object (subject in this case) via the <tt>security_compute_sid()</tt> function that will (assuming there are no errors):	+	:: c) The target SID is checked to see whether a transition is required (in this case it is), therefore a call will be made to the <tt>security_transition_sid()</tt> function in <tt>services.c</tt>. This function will compute the SID for a new subject or object (subject in this case) via the <tt>security_compute_sid()</tt> function that will (assuming there are no errors):
-	:: .i. Search the SID table for the source and target SIDs.	+	::: .i. Search the SID table for the source and target SIDs.
-	:: .ii. Sets the SELinux user identity.	+	::: .ii. Sets the SELinux user identity.
-	:: .iii. Set the source role and type.	+	::: .iii. Set the source role and type.
-	:: .iv. Checks that a <tt>type_transition</tt> rule exists in the AV table and / or the conditional AV table (see the [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] diagram).	+	::: .iv. Checks that a <tt>type_transition</tt> rule exists in the AV table and / or the conditional AV table (see the [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] diagram).
-	:: .v. If a <tt>type_transition</tt>, then also check for a <tt>role_transition</tt> (there is a role change in the <tt>ext_gateway.conf</tt> policy module), set the role.	+	::: .v. If a <tt>type_transition</tt>, then also check for a <tt>role_transition</tt> (there is a role change in the <tt>ext_gateway.conf</tt> policy module), set the role.
-	:: .vi. Check if any MLS attributes by calling <tt>mls_compute_sid()</tt> in <tt>mls.c</tt>. It also checks whether MLS is enabled or not, if so sets up MLS contexts.	+	::: .vi. Check if any MLS attributes by calling <tt>mls_compute_sid()</tt> in <tt>mls.c</tt>. It also checks whether MLS is enabled or not, if so sets up MLS contexts.
-	:: .vii. Check whether the contexts are valid by calling <tt>compute_sid_handle_invalid_context()</tt> that will also log an audit message if the context is invalid.	+	::: .vii. Check whether the contexts are valid by calling <tt>compute_sid_handle_invalid_context()</tt> that will also log an audit message if the context is invalid.
-	:: .viii. Finally obtains a SID for the new context by calling <tt>sidtab_context_to_sid()</tt> in <tt>sidtab.c</tt> that will search the SID table (see the [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] diagram) and insert a new entry if okay or log a kernel event if invalid.	+	::: .viii. Finally obtains a SID for the new context by calling <tt>sidtab_context_to_sid()</tt> in <tt>sidtab.c</tt> that will search the SID table (see the [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] diagram) and insert a new entry if okay or log a kernel event if invalid.
-	: d) The <tt>selinux_bprm_set_security()</tt> function will then continue by checking via the <tt>avc_has_perm()</tt> function (in <tt>avc.c</tt>) whether the <tt>file_execute_no_trans</tt> is set (in this case it is not), therefore the <tt>process_transition</tt> and <tt>file_entrypoint</tt> permissions are checked (in this case they are), therefore the new SID is set, the <tt>bsec->set</tt> flag is set to <tt>1</tt> so that this part of the function is not executed again for this <tt>exec</tt>, finally control is passed back to the <tt>do_execve</tt> function:	+	:: d) The <tt>selinux_bprm_set_security()</tt> function will then continue by checking via the <tt>avc_has_perm()</tt> function (in <tt>avc.c</tt>) whether the <tt>file_execute_no_trans</tt> is set (in this case it is not), therefore the <tt>process_transition</tt> and <tt>file_entrypoint</tt> permissions are checked (in this case they are), therefore the new SID is set, the <tt>bsec->set</tt> flag is set to <tt>1</tt> so that this part of the function is not executed again for this <tt>exec</tt>, finally control is passed back to the <tt>do_execve</tt> function:
-	# Various strings are copied (args etc.) and a check is made to see if the exec succeeded or not (in this case it did), therefore the <tt>security_bprm_free()</tt> function is called to free the <tt>bprm</tt> security structure.	+	: 3. Various strings are copied (args etc.) and a check is made to see if the exec succeeded or not (in this case it did), therefore the <tt>security_bprm_free()</tt> function is called to free the <tt>bprm</tt> security structure.
-	# The End.	+	: 4. The End.
-		+
-		+

	=== SELinux Filesystem ===		=== SELinux Filesystem ===

RichardHaines: /* Fork System Call Walk-thorough */

RichardHaines — Mon, 17 May 2010 15:38:27 GMT

Fork System Call Walk-thorough

←Older revision		Revision as of 15:38, 17 May 2010
Line 204:		Line 204:
	:: e) Remove permissions that are defined in any constraint via the <tt>constraint_expr_eval()</tt> function call (in <tt>services.c</tt>). This function will also check any MLS constraints.		:: e) Remove permissions that are defined in any constraint via the <tt>constraint_expr_eval()</tt> function call (in <tt>services.c</tt>). This function will also check any MLS constraints.
	:: f) Finally <tt>context_struct_compute_av()</tt> checks if a process transition is being requested (it is not). If it were, then the <tt>TRANSITION</tt> and <tt>DYNTRANSITION</tt> permissions are checked and whether the role is changing.		:: f) Finally <tt>context_struct_compute_av()</tt> checks if a process transition is being requested (it is not). If it were, then the <tt>TRANSITION</tt> and <tt>DYNTRANSITION</tt> permissions are checked and whether the role is changing.
-	: 8) Once the result has been computed it is returned to the <tt>kernel/fork.c</tt> system call via the initial <tt>selinux_task_create()</tt> function. In this case the fork call is allowed.	+	: 8. Once the result has been computed it is returned to the <tt>kernel/fork.c</tt> system call via the initial <tt>selinux_task_create()</tt> function. In this case the fork call is allowed.
-	: 9) The End.	+	: 9. The End.
-		+

	=== Process Transition Walk-thorough ===		=== Process Transition Walk-thorough ===

RichardHaines: New page: = Linux Security Module and SELinux = This section gives a high level overview of the LSM and SELinux internal structure and workings. A more detailed view can be found in the "[http://www...

RichardHaines — Mon, 17 May 2010 15:34:13 GMT

New page: = Linux Security Module and SELinux = This section gives a high level overview of the LSM and SELinux internal structure and workings. A more detailed view can be found in the "[http://www...

New page

= Linux Security Module and SELinux =
This section gives a high level overview of the LSM and SELinux internal structure and workings. A more detailed view can be found in the "[http://www.nsa.gov/selinux/papers/module/t1.html Implementing SELinux as a Linux Security Module]" that was used extensively to develop this section (with the SELinux kernel source code). The major areas covered are:

* How the LSM and SELinux modules work together.
* The major SELinux internal services.
* The fork system call and exec are followed through as an example to tie in with the transition process covered in the [[NB_Objects#Domain_Transition | Domain and Object Transitions]] section.
* The SELinux filesystem <tt>/selinux</tt>.
* The boot sequences that are relevant to SELinux.

== The LSM Module ==
The LSM is the Linux security framework that allows 3<sup>rd</sup> party access control mechanisms to be linked into the GNU / Linux kernel. Currently there are two 3<sup>rd</sup> party services that utilise the LSM: SELinux and SMACK (Simplified Mandatory Access Control Kernel) that both provide mandatory access control services. Details regarding SMACK can be found at: [http://www.schaufler-ca.com/ http://www.schaufler-ca.com/].

The basic idea behind the LSM is to:
# Insert security function calls (or hooks) and security data structures in the various kernel services to allow access control to be applied over and above that already implemented via DAC. The type of service that have hooks inserted are shown in Table 1 with an example task and program execution shown in the Fork Walk-thorough and Process Transition Walk-thorough sections below.
# Allow registration and initialisation services for the 3<sup>rd</sup> party security modules.
# Allow process security attributes to be available to userspace services by extending the <tt>/proc</tt> filesystem with a security namespace.
# Support filesystems that use extended attributes (SELinux uses <tt>security.selinux</tt>.
# Consolidate the Linux capabilities into an optional module.

It should be noted that the LSM does not provide any security services itself, only the hooks and structures for supporting 3<sup>rd</sup> party modules. If no 3<sup>rd</sup> party module is loaded, the capabilities module becomes the default module thus allowing standard DAC access control.

{| border="1"
| Program execution
| Filesystem operations
| Inode operations

|-
| File operations
| Task operations
| Netlink messaging

|-
| Unix domain networking
| Socket operations
| XFRM operations

|-
| Key Management operations
| IPC operations
| Memory Segments

|-
| Semaphores
| Capability
| Sysctl

|-
| Syslog
| Audit
|

|}
''Table 1: LSM Hooks - These are the kernel services that LSM has inserted security hooks and structures to allow access control to be managed by 3<sup>rd</sup> party modules (see <tt>./kernel-2.6.27/include/linux/security.h</tt>).''

The major kernel source files (relative to <tt>./kernel-2.6.27/security</tt>) that form the LSM are shown in Table 2. However there is one major header file (<tt>include/linux/security.h</tt>) that describes all the security hooks and structures defined by the LSM.

{| border="1"
! Name
! Function

|-
| capability.c
| Some capability functions were in various kernel modules have been consolidated into these source files. These are now (from Kernel 2.6.27) always linked into the kernel. This means the dummy.c security module (mentioned in the "[http://www.nsa.gov/selinux/papers/module/t1.html Implementing SELinux as a Linux Security Module]" document) is no longer required.

|-
| commoncap.c

|-
| device_cgroup.c

|-
| inode.c
| This allows the 3<sup>rd</sup> party security module to initialise a security filesystem. In the case of SELinux this would be <tt>/selinux</tt> that is defined in the <tt>selinux/selinuxfs.c</tt> source file.

|-
| root_plug.c
| This is a sample 3<sup>rd</sup> party module and therefore not used.

|-
| security.c
| Contains the LSM framework initialisation services that will set up the hooks described in <tt>security.h</tt> and those in the capability source files. It also provides functions to initialise 3<sup>rd</sup> party modules.

|}
''Table 2: The core LSM source modules.''

== The SELinux Module ==
This section does not go into detail of all the SELinux module functionality as the "[http://www.nsa.gov/selinux/papers/module/t1.html Implementing SELinux as a Linux Security Module]" document does this, however it attempts to highlight the way some areas work by using the Fork and Domain Transition Walk-thorough and transition process examples and also by describing the SELinux Boot Process.

The major kernel SELinux source files (relative to <tt>./kernel-2.6.27/security/selinux</tt>) that form the SELinux security module are shown in Table 3. The diagrams [http://taiga.selinuxproject.org/~rhaines/diagrams/2-high-level-arch.png High Level SELinux Architecture] and [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] can be used to see how some of these kernel source modules fit together.

{| border="1"
! Name
! Function

|-
| avc.c
| Access Vector Cache functions and structures. The function calls are for the kernel services, however they have been ported to form the <tt>libselinux</tt> userspace library detailed in the [[LibselinuxAPISummary | API Summary for libselinux]] section.

|-
| exports.c
| Exported SELinux services for SECMARK (as there is SELinux specific code in the netfilter source tree).

|-
| hooks.c
| Contains all the SELinux functions that are called by the kernel resources via the <tt>security_ops</tt> function table (they form the kernel resource object managers). There are also support functions for managing process exec's, managing SID allocation and removal, interfacing into the AVC and Security Server.

|-
| netif.c
| These manage the mapping between labels and SIDs for the net* language statements when they are declared in the active policy.

|-
| netnode.c

|-
| netport.c

|-
| netlabel.c
| The interface between NetLabel services and SELinux.

|-
| netlink.c
| Manages the notification of policy updates to resources including userspace applications via <tt>libselinux</tt>.

|-
| nlmsgtab.c

|-
| selinuxfs.c
| The <tt>selinuxfs</tt> pseudo filesystem (<tt>/selinux</tt>) that exports the security policy to userspace services via <tt>libselinux</tt>. The services exported are shown in the SELinux Filesystem section below.

|-
| xfrm.c
| Contains the IPSec XFRM hooks for SELinux.

|-
| include/flask.h
| This contains all the kernel security classes and initial SIDs. Note that the Reference Policy source (<tt>policy/flask</tt> directory) contains a list of all the kernel and userspace security classes and permissions.

|-
| ss/avtab.c
| AVC table functions for inserting / deleting entries.

|-
| ss/conditional.c
| Support boolean statement functions and implements a conditional AV table to hold entries.

|-
| ss/avtab.c
| AVC table functions for inserting / deleting entries.

|-
| ss/ebitmap.c
| Bitmaps to represent sets of values, such as types, roles, categories, and classes.

|-
| ss/hashtab.c
| Hash table.

|-
| ss/mls.c
| Functions to support MLS.

|-
| ss/policydb.c
| Defines the structure of the policy database. See the "[http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/ SELinux Policy Module Primer]" article for details on the structure.

|-
| ss/services.c
| This contains the supporting services for kernel hooks defined in hooks.c, the AVC and the Security Server.

For example the <tt>security_transition_sid</tt> that computes the SID for a new subject / object shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] diagram.

|-
| ss/sidtab.c
| The SID table contains the security context indexed by its SID value.

|-
| ss/symtab.c
| Maintains associations between symbol strings and their values.

|}
'''Table 3: The core SELinux source modules - '''''The <tt>.h</tt> files and those in the <tt>include</tt> directory have a number of useful comments.''

=== Fork System Call Walk-thorough ===
This section walks through the the <tt>fork</tt> system call shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram starting at the kernel hooks that link to the SELinux services. The way the SELinux hooks are initialised into the LSM <tt>security_ops</tt> and <tt>secondary_ops</tt> function tables are also described.

Using the [http://taiga.selinuxproject.org/~rhaines/diagrams/10-Fork.png Hooks for the fork system call] diagram, the major steps to check whether the <tt>unconfined_t</tt> process has permission to use the fork permission are:

# The <tt>kernel/fork.c</tt> has a hook that links it to the LSM function <tt>security_task_create()</tt> that is called to check access permissions.
# Because the SELinux module has been initialised as the security module, the <tt>security_ops</tt> table has been set to point to the SELinux <tt>selinux_task_create()</tt> function in <tt>hooks.c</tt>.
# The <tt>selinux_task_create()</tt> function will first call the capabilities code in <tt>capability.c</tt> via the <tt>secondary_ops</tt> function table to check the DAC permission.
# This is simply a <tt>return 0;</tt>, therefore no error would be generated.
# The <tt>selinux_task_create()</tt> function will then check whether the task has permission via the <tt>task_has_perm(current_process, current_process, PROCESS__FORK)</tt> function.
# This will result in a call to the AVC via the <tt>avc_has_perm()</tt> function in <tt>avc.c</tt> that checks whether the permission has been granted or not. First (via <tt>avc_has_perm_noaudit()</tt>) the cache is checked to for an entry. Assuming that there is no entry in the AVC, then the <tt>security_compute_av()</tt> function in <tt>services.c</tt> is called.
# The <tt>security_compute_av()</tt> function will search the SID table for source and target entries, and if found will then call the <tt>context_struct_compute_av()</tt> function.
: The <tt>context_struct_compute_av()</tt> function carries out many check to validate whether access is allowed. The steps are (assuming the access is valid):
:: a) Initialise the AV structure so that it is clear.
:: b) Check the object class and permissions are correct. It also checks the status of the <tt>allow_unknown</tt> flag (see the SELinux Filesystem section below, [[GlobalConfigurationFiles | /etc/selinux/semanage.conf file]] and [[NB_RefPolicy | Reference Policy Build Options - build.conf]] sections).
:: c) Checks if there are any type enforcement rules (<tt>ALLOW</tt>, <tt>AUDIT_ALLOW</tt>, <tt>AUDIT_DENY</tt>).
:: d) Check whether any conditional statements are involved via the <tt>cond_compute_av()</tt> function in <tt>conditional.c</tt>.
:: e) Remove permissions that are defined in any constraint via the <tt>constraint_expr_eval()</tt> function call (in <tt>services.c</tt>). This function will also check any MLS constraints.
:: f) Finally <tt>context_struct_compute_av()</tt> checks if a process transition is being requested (it is not). If it were, then the <tt>TRANSITION</tt> and <tt>DYNTRANSITION</tt> permissions are checked and whether the role is changing.
: 8) Once the result has been computed it is returned to the <tt>kernel/fork.c</tt> system call via the initial <tt>selinux_task_create()</tt> function. In this case the fork call is allowed.
: 9) The End.

=== Process Transition Walk-thorough ===
This section walks through the <tt>execve()</tt> and checking whether a process transition to the <tt>ext_gateway_t</tt> domain is allowed, and if so obtain a new SID for the context (<tt>user_u:message_filter_r:ext_gateway_t</tt>) as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram.

The process starts with the Linux operating system issuing a <tt>do_execve()<ref name="ftn16"><tt>This function call will pass over the file name to be run and its environment + arguments. Note that for loading shared libraries the exec_mmap function is used.</tt></ref> call from the CPU specific architecture code to execute a new program (for example, from <tt>arch/ia64/kernel/process.c</tt>). The <tt>do_execve()</tt> function is located in the <tt>fs/exec.c</tt> source code module and does the loading and final exec as described below.

<tt>do_execve()</tt> has a number of calls to <tt>security_bprm_*</tt> functions that are a part of the LSM (see <tt>security.h</tt>), and are hooked by SELinux during the initialisation process (in <tt>hooks.c</tt>). Table 4 briefly describes these <tt>security_bprm</tt> functions that are hooks for validating program loading and execution (although see <tt>security.h</tt> for greater detail).

{| border="1"
| '''LSM / SElinux Function Name'''
| '''Description'''

|-
| security_bprm_alloc->

selinux_bprm_alloc_security
| Allocates memory for the <tt>bprm</tt> structure.

|-
| security_bprm_free->

selinux_bprm_free_security
| Frees memory from the <tt>bprm</tt> structure.

|-
| security_bprm_apply_creds->

selinux_bprm_apply_creds
| Sets task lock and new security attributes for a transformed process on execve. Seems to be used for libraries, scripts etc. Called from various Linux OS areas via <tt>compute_creds()</tt> located in <tt>fs/exec.c</tt>.

|-
| security_bprm_post_apply_creds->

selinux_bprm_post_apply_creds
| Supports the <tt>security_bprm_apply_creds</tt> function for areas that must not be locked.

|-
| security_bprm_secureexec->

selinux_bprm_secureexec
| Called after the <tt>selinux_bprm_post_apply_creds</tt> function to check <tt>AT_SECURE</tt> flag for glibc secure mode support.

|-
| security_bprm_set->

selinux_bprm_set_security
| Carries out the major checks to validate whether the process can transition to the target context, and obtain a new SID if required.

|-
| security_bprm_check->

selinux_bprm_check_security
| This hook is not used by SELinux.

|}
''Table 4: The LSM / SELinux Program Loading Hooks''

Therefore starting at the <tt>do_execve()</tt> function and using the [http://taiga.selinuxproject.org/~rhaines/diagrams/11-Transition.png | Process Transition] diagram, the following major steps will be carried out to check whether the <tt>unconfined_t</tt> process has permission to transition the <tt>secure_server</tt> executable to the <tt>ext_gateway_t</tt> domain:

# The executable file is opened, a call issued to the <tt>sched_exec()</tt> function and the <tt>bprm</tt> structure is initialised with the file parameters (name, environment and arguments).
: The <tt>security_bprm_alloc()->selinux_bprm_alloc_security()</tt> function is then called (in <tt>hooks.c</tt>) where SELinux will allocate memory for the <tt>bprm</tt> security structure and set the <tt>bsec->set</tt> flag to <tt>0</tt> indicating this is the first time through this process for this exec request.
# Via the <tt>prepare_binprm()</tt> function call the UID and GIDs are checked and a call issued to <tt>security_bprm_set()</tt> that will carry out the following:
: a) The <tt>selinux_bprm_set_security()</tt> function will call the <tt>secondary_ops->bprm_set_security</tt> function in <tt>capability.c</tt>, that is effectively a no-op.
: b) The <tt>bsec->set</tt> flag will be checked and if <tt>1</tt> will return as this function can be called multiple times during the exec process.
: c) The target SID is checked to see whether a transition is required (in this case it is), therefore a call will be made to the <tt>security_transition_sid()</tt> function in <tt>services.c</tt>. This function will compute the SID for a new subject or object (subject in this case) via the <tt>security_compute_sid()</tt> function that will (assuming there are no errors):
:: .i. Search the SID table for the source and target SIDs.
:: .ii. Sets the SELinux user identity.
:: .iii. Set the source role and type.
:: .iv. Checks that a <tt>type_transition</tt> rule exists in the AV table and / or the conditional AV table (see the [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] diagram).
:: .v. If a <tt>type_transition</tt>, then also check for a <tt>role_transition</tt> (there is a role change in the <tt>ext_gateway.conf</tt> policy module), set the role.
:: .vi. Check if any MLS attributes by calling <tt>mls_compute_sid()</tt> in <tt>mls.c</tt>. It also checks whether MLS is enabled or not, if so sets up MLS contexts.
:: .vii. Check whether the contexts are valid by calling <tt>compute_sid_handle_invalid_context()</tt> that will also log an audit message if the context is invalid.
:: .viii. Finally obtains a SID for the new context by calling <tt>sidtab_context_to_sid()</tt> in <tt>sidtab.c</tt> that will search the SID table (see the [http://taiga.selinuxproject.org/~rhaines/diagrams/12-lsm-selinux-arch.png The Main LSM / SELinux Modules] diagram) and insert a new entry if okay or log a kernel event if invalid.
: d) The <tt>selinux_bprm_set_security()</tt> function will then continue by checking via the <tt>avc_has_perm()</tt> function (in <tt>avc.c</tt>) whether the <tt>file_execute_no_trans</tt> is set (in this case it is not), therefore the <tt>process_transition</tt> and <tt>file_entrypoint</tt> permissions are checked (in this case they are), therefore the new SID is set, the <tt>bsec->set</tt> flag is set to <tt>1</tt> so that this part of the function is not executed again for this <tt>exec</tt>, finally control is passed back to the <tt>do_execve</tt> function:
# Various strings are copied (args etc.) and a check is made to see if the exec succeeded or not (in this case it did), therefore the <tt>security_bprm_free()</tt> function is called to free the <tt>bprm</tt> security structure.
# The End.

=== SELinux Filesystem ===
Table 5 shows the information contained in the pseudo file system /selinux where the SELinux kernel exports relevant information regarding its configuration and active policy for use by the [[LibselinuxAPISummary | libselinux API]] library (that is used by user-space object managers and SELinux-aware applications).

{| border="1"
! <center>Directory / File Name</center>
! <center>Permissions</center>
! <center>Comments</center>

|-
| '''/selinux'''
| <center>'''Directory'''</center>
| This is the root directory where the SELinux kernel exports relevant information regarding its configuration and active policy for use by the libselinux library (that is used by user space object managers and SELinux-aware applications).

|-
| <div align="right">access</div>
| <center>-rw-rw-rw-</center>
| Compute access decision interface.

|-
| <div align="right">checkreqprot</div>
| <center>-rw-r--r--</center>
| Check requested protection, not kernel-applied one.

|-
| <div align="right">commit_pending_bools</div>
| <center>--w-------</center>
| Commit new boolean values to the kernel policy.

|-
| <div align="right">compat_net</div>
| <center>-rw-r--r--</center>
| Whether SECMARK is enabled or not:

0 = SECMARK enabled (F-12 default).

1 = SECMARK disabled

|-
| <div align="right">context</div>
| <center>-rw-rw-rw-</center>
| Validate context interface.

|-
| <div align="right">create</div>
| <center>-rw-rw-rw-</center>
| Compute create labeling decision interface.

|-
| <div align="right">deny_unknown</div>
| <center>-r--r--r--</center>
| These two files export unknown deny and reject handling status to user space. This is taken from the handle-unknown parameter set<ref name="ftn17"><sup>That is taken from the UNK_PERMS entry in the Reference Policy build.conf file.</sup></ref> in the /etc/selinux/semanage.conf file and are set as follows:

0:0 = allow, 1:0 = deny and 1:1 = reject.

|-
| <div align="right">reject_unknown</div>
| <center>-r--r--r--</center>

|-
| <div align="right">disable</div>
| <center>--w-------</center>
| Disable SELinux until next reboot.

|-
| <div align="right">enforce</div>
| <center>-rw-r--r--</center>
| Get or set enforcing status. Used by the setenforce(8) command.

|-
| <div align="right">load</div>
| <center>-rw-------</center>
| Load policy interface.

|-
| <div align="right">member</div>
| <center>-rw-rw-rw-</center>
| Compute polyinstantiation membership decision interface.

|-
| <div align="right">mls</div>
| <center>-r--r--r--</center>
| Returns 1 if MLS policy is enabled or 0 if not.

|-
| <div align="right">null</div>
| <center>crw-rw-rw-</center>
|

|-
| <div align="right">policyvers</div>
| <center>-r--r--r--</center>
| Returns policy version for this kernel (F-12 = 24).

|-
| <div align="right">relabel</div>
| <center>-rw-rw-rw-</center>
| Compute relabeling decision interface.

|-
| <div align="right">user</div>
| <center>-rw-rw-rw-</center>
| Compute reachable user contexts interface.

|-
| '''/selinux/avc'''
| <center>'''Directory'''</center>
| This directory contains information regarding the kernel AVC that can be displayed by the avcstat command.

|-
| <div align="right">cache_stats</div>
| <center>-r--r--r--</center>
| Shows the AVC lookups, hits, misses etc.

|-
| <div align="right">cache_threshold</div>
| <center>-rw-r--r--</center>
| The default value is 512, however caching can be turned off (but performance suffers) by:

echo 0 > /selinux/avc/cache_threshold

|-
| <div align="right">hash_stats</div>
| <center>-r--r--r--</center>
| Shows the number of AVC entries, longest chain etc.

|-
| '''/selinux/booleans'''
| <center>'''Directory'''</center>
| This directory contains one file for each boolean defined in the active policy.

|-
| <div align="right">secmark_audit</div>

<div align="right">......</div>

<div align="right">......</div>
| <center>-rw-r--r--</center>
| Each file contains the current status of the boolean (0 = false or 1 = true). The getsebool(8), setsebool(8) and sestatus -b commands use this information.

|-
| '''/selinux/initial_contexts'''
| <center>'''Directory'''</center>
| This directory contains one file for each initial SID defined in the active policy.

|-
| <div align="right">any_socket</div>

<div align="right">devnull</div>

<div align="right">.....</div>
| <center>-r--r--r--</center>
| Each file contains the initial context of the initial SID as defined in the active policy (e.g. any_socket was assigned system_u:object_r:unconfined_t).

|-
| '''/selinux/policy_capabilities'''
| <center>'''Directory'''</center>
| This directory contains the policy capabilities that have been configured by default in the kernel. They are generally new features that can be enabled for testing by using the policycap statement in a monolithic or base policy.

|-
| <div align="right">network_peer_controls</div>
| <center>-r--r--r--</center>
| For the F-12 kernel, this file contains "0" (false) which means that the following network_peer_controls are not enabled by default:

node: sendto recvfrom

netif: ingress egress

peer: recv

|-
| <div align="right">open_perms</div>
| <center>-r--r--r--</center>
| For the F-12 kernel, this file contains "0" (false) which means that open permissions are not enabled by default on the following objects: dir, file, fifo_file, chr_file, blk_file.

|-
| '''/selinux/class'''
| <center>'''Directory'''</center>
| This directory contains a list of classes and their permissions as defined within the policy.

|-
| '''/selinux/class/appletalk_socket'''
| <center>'''Directory'''</center>
| Each class has its own directory that contains the following:

|-
| <div align="right">index</div>
| <center>-r--r--r--</center>
| This file contains the allocated class number (e.g. appletalk_socket is "56" in flask.h (linux-2.6.27/security/selinux/include/flask.h)).

|-
| '''/selinux/class/appletalk_socket/'''

'''perms'''
| <center>'''Directory'''</center>
| This directory contains one file for each permission defined in the policy.

|-
| <div align="right">accept</div>

<div align="right">append</div>

<div align="right">bind</div>

<div align="right">....</div>
| <center>-r--r--r--</center>
| Each file contains a number but not sure what it represents.

|}
''Table 5: /selinux File and Directory Information''

Notes:

# SIDs are not passed to userspace, only the security context string. The context can be read via the [[LibselinuxAPISummary | libselinux API]] where a userspace object manager normally manages the relationship (see "SELinux Support for Userspace Object Managers" [Ref. 17]).
# The <tt>/proc</tt> filesystem exports the process security context string to userspace via <tt>/proc/<pid>/attr</tt> interface (where <tt><pid></tt> is the process ID). These can also be managed via the the [[LibselinuxAPISummary | libselinux API]].

=== SELinux Boot Process ===
Figure 1 shows the boot process that has been limited to what is considered relevant for initialising SELinux<ref name="ftn18">There is a Linux overview at: [http://en.wikipedia.org/wiki/Linux_startup_process http://en.wikipedia.org/wiki/Linux_startup_process].</ref>, loading the policy and checking whether re-labeling is required. The SELinux kernel initialisation areas are in red. The <tt>kernel</tt>, <tt>mkinitrd</tt> and <tt>upstart</tt> source code rpms were used to find the sequence of events (all corrections welcome).

<center>'''Start Kernel Boot Process'''</center>

<center>|</center>

<center>./init/main.c start_kernel()</center>

<center>|</center>

<center>Load the initial RAM Disk (this is a temporary root filesystem). The source </center>

<center>code for this and <tt>nash(8)</tt> is in the <tt>mkinitrd</tt> source code.</center>

<center>| </center>

<center>Kernel calls <tt>security_init()</tt> to initialise the LSM security framework. </center>

<center>For SELinux this results in a call to <tt>selinux_init()</tt> that is in <tt>hooks.c</tt></center>

<center>|</center>

<center>Set the kernel context to the initial SID value "<tt>1</tt>" taken from</center>

<center><tt>include/flask.h</tt> (<tt>SECINITSID_KERNEL</tt>) </center>

<center>|</center>

<center>The AVC is initialised by a call to <tt>avc_init()</tt></center>

<center>|</center>

<center>Other areas of SELinux get initialised such as the </center>

<center><tt>selinuxfs</tt> (<tt>/selinux</tt>) pseudo filesystem and netlink with their </center>

<center>objects set with the initial SIDs from <tt>flask.h</tt></center>

<center>|</center>

<center><tt>'''/sbin/nash is run by the kernel</tt>.'''</center>

<center>|</center>

<center><tt>/sbin/nash</tt> initialises services such as drivers, loads the root filesystem</center>

<center>read-only and loads the SELinux policy using the <tt>loadPolicyCommand</tt>. </center>

<center>This function will check various directories, then call the SELinux API</center>

<center>the selinux_init_load_policy function to load the policy.</center>

<center>|</center>

<center>Loading the policy will now complete the SELinux initialisation </center>

<center>with a call to <tt>selinux_complete_init()</tt> in <tt>hooks.c</tt>. </center>

<center>SELinux will now start enforcing policy or allow permissive access </center>

<center>depending on the value set in <tt>/etc/selinux/config SELINUX=</tt></center>

<center>|</center>

<center>The kernel is now loaded, the RAM disk removed, SELinux is </center>

<center>initialised, the policy loaded and <tt>/sbin/init</tt> is running </center>

<center>with the root filesystem in read only mode.</center>

<center>|</center>

<center>'''End Kernel Load and Initialisation'''</center>

<center>|</center>

<center><tt>'''/etc/rc.d/sysinit</tt> is run by <tt>init </tt>that will:'''</center>

<center>|</center>

<center>mount <tt>/proc</tt> and <tt>sysfs</tt> filesystems</center>

<center>|</center>

<center>Check that the <tt>selinuxfs</tt> (<tt>/selinux</tt>) pseudo filesystem</center>

<center>is present and whether the current process is labeled <tt>kernel_t</tt></center>

<center>|</center>

<center>If the current SELinux state can be read (<tt>/selinux/enforce</tt>), </center>

<center>then set to value. If cannot read, set to "1".</center>

<center>|</center>

<center>Run r<tt>estorecon -R</tt> on /<tt>dev</tt> if needed.</center>

<center>|</center>

<center>Kill off <tt>/sbin/nash</tt> if it is still running.</center>

<center>|</center>

<center>Run <tt>restorecon</tt> on <tt>/dev/pts</tt> if needed.</center>

<center>|</center>

<center>Set contexts on the files in <tt>/etc/rwtab</tt> and /<tt>etc/statetab</tt> </center>

<center>by running <tt>restorecon -R path</tt>.</center>

<center>|</center>

<center>Check if relabeling required:</center>

<center>if <tt>./autorelabel</tt> file + <tt>AUTORELABEL=0</tt> (in <tt>/etc/selinux/config</tt>):</center>

<center>then drop to shell for manual relabel, or </center>

<center>if only <tt>./autorelabel</tt> file, then run <tt>fixfiles -F restore</tt>.</center>

<center>|</center>

<center>remove <tt>./autorelabel</tt> file.</center>

<center>|</center>

<center>If <tt>/sbin/init</tt> has changed context after the relabel, </center>

<center>then ensure a reboot. ELSE carry on.</center>

<center>|</center>

<center><tt>/etc/rc.d/sysinit</tt> will do other initialisation tasks, then exit.</center>

<center>|</center>

<center>'''Note:''' Some SELinux notes state that <tt>/sbin/init</tt> is re-exec"ed </center>

<center>to allow it to run in the correct context. Could not find where this</center>

<center>happened as policy seems to be active before <tt>init</tt> daemon is run ?? </center>

<center>|</center>

<center>'''Initialisation Complete'''</center>

''Figure 1: The Boot Sequence - This shows how SELinux is initialised and the policy loaded during the boot process.''

----
<references/>