<h1>NB Objects - Revision history</h1>
<p>Revision history for the <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;action=history">NB_Objects</a> page on the SELinux Project wiki (en, MediaWiki 1.23.13). Feed generated Fri, 29 Mar 2024 07:05:05 GMT. Discussion page: <a href="http://selinuxproject.org/page/Talk:NB_Objects">Talk:NB_Objects</a>.</p>
<p>Each entry lists the edit summary, the revision time, the diff link and the changed hunks of wikitext. In the diff tables the marker column is blank for unchanged context, <code>−</code> for a removed line and <code>+</code> for an added line.</p>

<h2>RichardHaines: /* Allowing a Process Access to Resources */</h2>
<p>Revision as of 13:36, 25 September 2015 (Fri, 25 Sep 2015 13:36:54 GMT). <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;diff=1789&amp;oldid=prev">diff=1789</a> against the older revision.</p>
<table class="diff">
<tr><td colspan="2" class="diff-lineno">Line 20:</td></tr>
<tr><td class="diff-marker"></td><td>An SELinux policy contains many rules and statements, the majority of which are [[AVCRules#allow | allow]] rules that (simply) allows processes to be given access permissions to an objects resources.</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker">−</td><td>The following allow rule and [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/6-allow-rule.png &quot;The allow rule&quot;] diagram illustrates 'a process can also be an object' as it allows processes running in the unconfined_t domain, permission to 'transition' the external gateway application to the ext_gateway_t domain once it has been executed:</td></tr>
<tr><td class="diff-marker">+</td><td>The following allow rule and [http://selinuxproject.org/~rhaines/NB4-diagrams/6-allow-rule.png &quot;The allow rule&quot;] diagram illustrates 'a process can also be an object' as it allows processes running in the unconfined_t domain, permission to 'transition' the external gateway application to the ext_gateway_t domain once it has been executed:</td></tr>
<tr><td class="diff-marker"></td><td>&lt;pre&gt;</td></tr>
<tr><td class="diff-marker"></td><td>allow Rule | source_domain | target_type&#160; : class&#160; &#160; | permission</td></tr>
<tr><td colspan="2" class="diff-lineno">Line 52:</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>It should be noted that there is more to a domain transition than described above, for a more detailed explanation, see the [[NB_Domain_and_Object_Transitions#Domain_Transition | Domain Transition]] section.</td></tr>
<tr><td class="diff-marker">−</td><td></td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>== Labeling Objects ==</td></tr>
</table>

<h2>RichardHaines: /* Object Classes and Permissions */</h2>
<p>Revision as of 13:35, 25 September 2015 (Fri, 25 Sep 2015 13:35:05 GMT). <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;diff=1788&amp;oldid=prev">diff=1788</a> against the older revision.</p>
<table class="diff">
<tr><td colspan="2" class="diff-lineno">Line 4:</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>== Object Classes and Permissions ==</td></tr>
<tr><td class="diff-marker">−</td><td>Each object consists of a class identifier that defines its purpose (e.g. &lt;tt&gt;file&lt;/tt&gt;, &lt;tt&gt;socket&lt;/tt&gt;) along with a set of permissions&lt;ref name=&quot;ftn5&quot;&gt;&lt;sup&gt;Also known in SELinux as Access Vectors (AV).&lt;/sup&gt;&lt;/ref&gt; that describe what services the object can handle (&lt;tt&gt;read&lt;/tt&gt;, &lt;tt&gt;write&lt;/tt&gt;, &lt;tt&gt;send&lt;/tt&gt; etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket my_connection) and a security context (e.g. &lt;tt&gt;system_u:object_r:selinux_config_t&lt;/tt&gt;) as shown in the [http://selinuxproject.org/~rhaines/<del class="diffchange diffchange-inline">Notebook</del>-<del class="diffchange diffchange-inline">4</del>/<del class="diffchange diffchange-inline">NB_5</del>-object-class.png Object Class 'file' and permissions] diagram.</td></tr>
<tr><td class="diff-marker">+</td><td>Each object consists of a class identifier that defines its purpose (e.g. &lt;tt&gt;file&lt;/tt&gt;, &lt;tt&gt;socket&lt;/tt&gt;) along with a set of permissions&lt;ref name=&quot;ftn5&quot;&gt;&lt;sup&gt;Also known in SELinux as Access Vectors (AV).&lt;/sup&gt;&lt;/ref&gt; that describe what services the object can handle (&lt;tt&gt;read&lt;/tt&gt;, &lt;tt&gt;write&lt;/tt&gt;, &lt;tt&gt;send&lt;/tt&gt; etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket my_connection) and a security context (e.g. &lt;tt&gt;system_u:object_r:selinux_config_t&lt;/tt&gt;) as shown in the [http://selinuxproject.org/~rhaines/<ins class="diffchange diffchange-inline">NB4</ins>-<ins class="diffchange diffchange-inline">diagrams</ins>/<ins class="diffchange diffchange-inline">5</ins>-object-class.png Object Class 'file' and permissions] diagram.</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>The objective of the policy is to enable the user of the object (the subject) access to the minimum permissions needed to complete the task (i.e. do not allow write permission if only reading information).</td></tr>
</table>

<h2>RichardHaines: /* Object Classes and Permissions */</h2>
<p>Revision as of 13:32, 25 September 2015 (Fri, 25 Sep 2015 13:32:14 GMT). <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;diff=1787&amp;oldid=prev">diff=1787</a> against the older revision.</p>
<table class="diff">
<tr><td colspan="2" class="diff-lineno">Line 4:</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>== Object Classes and Permissions ==</td></tr>
<tr><td class="diff-marker">−</td><td>Each object consists of a class identifier that defines its purpose (e.g. &lt;tt&gt;file&lt;/tt&gt;, &lt;tt&gt;socket&lt;/tt&gt;) along with a set of permissions&lt;ref name=&quot;ftn5&quot;&gt;&lt;sup&gt;Also known in SELinux as Access Vectors (AV).&lt;/sup&gt;&lt;/ref&gt; that describe what services the object can handle (&lt;tt&gt;read&lt;/tt&gt;, &lt;tt&gt;write&lt;/tt&gt;, &lt;tt&gt;send&lt;/tt&gt; etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket my_connection) and a security context (e.g. &lt;tt&gt;system_u:object_r:selinux_config_t&lt;/tt&gt;) as shown in the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/Notebook-4/NB_5-object-class.png Object Class 'file' and permissions] diagram.</td></tr>
<tr><td class="diff-marker">+</td><td>Each object consists of a class identifier that defines its purpose (e.g. &lt;tt&gt;file&lt;/tt&gt;, &lt;tt&gt;socket&lt;/tt&gt;) along with a set of permissions&lt;ref name=&quot;ftn5&quot;&gt;&lt;sup&gt;Also known in SELinux as Access Vectors (AV).&lt;/sup&gt;&lt;/ref&gt; that describe what services the object can handle (&lt;tt&gt;read&lt;/tt&gt;, &lt;tt&gt;write&lt;/tt&gt;, &lt;tt&gt;send&lt;/tt&gt; etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket my_connection) and a security context (e.g. &lt;tt&gt;system_u:object_r:selinux_config_t&lt;/tt&gt;) as shown in the [http://selinuxproject.org/~rhaines/Notebook-4/NB_5-object-class.png Object Class 'file' and permissions] diagram.</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>The objective of the policy is to enable the user of the object (the subject) access to the minimum permissions needed to complete the task (i.e. do not allow write permission if only reading information).</td></tr>
<tr><td colspan="2" class="diff-lineno">Line 11:</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>The object classes consist of kernel object classes (for handling files, sockets etc.) plus userspace object classes for userspace object managers (for services such as X-Windows or dbus). The number of object classes and their permissions can vary depending on the features configured in the GNU / Linux release. All the known object classes and permissions are described in [[NB_ObjectClassesPermissions | Object Classes and Permissions]].</td></tr>
<tr><td class="diff-marker">−</td><td></td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>== Allowing a Process Access to Resources ==</td></tr>
</table>

<h2>RichardHaines at 12:12, 7 December 2014</h2>
<p>Revision as of 12:12, 7 December 2014 (Sun, 07 Dec 2014 12:12:57 GMT), no edit summary. <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;diff=1705&amp;oldid=prev">diff=1705</a> against the older revision.</p>
<table class="diff">
<tr><td colspan="2" class="diff-lineno">Line 62:</td></tr>
<tr><td class="diff-marker"></td><td># SELinux-aware applications can enforce a new label (with the policies approval of course) using the libselinux API functions.</td></tr>
<tr><td class="diff-marker"></td><td># An object manager (OM) can enforce a default label that can either be built into the OM or obtained via a configuration file (such as [[NB_XWIN#The x_contexts File | X-Windows]]).</td></tr>
<tr><td class="diff-marker">−</td><td># Use an '[[PolicyLanguage#sid | initial security identifier]' (or initial SID). These are defined in all base and monolithic policies and are used to either set an initial context during the boot process, or if an object requires a default (i.e. the object does not already have a valid context).</td></tr>
<tr><td class="diff-marker">+</td><td># Use an '[[PolicyLanguage#sid | initial security identifier<ins class="diffchange diffchange-inline">]</ins>]' (or initial SID). These are defined in all base and monolithic policies and are used to either set an initial context during the boot process, or if an object requires a default (i.e. the object does not already have a valid context).</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>The [[NB_ComputingSecurityContexts | Computing Security Contexts]] section gives detail on how some of the kernel based objects are computed.</td></tr>
<tr><td colspan="2" class="diff-lineno">Line 167:</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td>GNU / Linux handles object reuse by ensuring that when a resource is re-allocated it is cleared. This means that when a process releases an object instance (e.g. release allocated memory back to the pool, delete a directory entry or file), there may be information left behind that could prove useful if harvested. If this should be an issue, then the process itself should clear or shred the information before releasing the object (which can be difficult in some cases unless the source code is available).</td></tr>
<tr><td class="diff-marker">+</td><td></td></tr>
<tr><td class="diff-marker">+</td><td></td></tr>
<tr><td class="diff-marker">+</td><td>{| style=&quot;width: 100%;&quot; border=&quot;0&quot;</td></tr>
<tr><td class="diff-marker">+</td><td>|-</td></tr>
<tr><td class="diff-marker">+</td><td>| [[NB_Subjects | '''Previous''']]</td></tr>
<tr><td class="diff-marker">+</td><td>| &lt;center&gt;[[NewUsers | '''Home''']]&lt;/center&gt;</td></tr>
<tr><td class="diff-marker">+</td><td>| &lt;center&gt;[[NB_ComputingSecurityContexts | '''Next''']]&lt;/center&gt;</td></tr>
<tr><td class="diff-marker">+</td><td>|}</td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
<tr><td class="diff-marker"></td><td></td></tr>
</table>

<h2>RichardHaines at 13:26, 5 December 2014</h2>
<p>Revision as of 13:26, 5 December 2014 (Fri, 05 Dec 2014 13:26:54 GMT), no edit summary. The diff is not rendered in the feed: <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;diff=1688&amp;oldid=1030">Show changes</a> (diff=1688 against oldid=1030).</p>

<h2>Jaxelson at 20:47, 13 September 2010</h2>
<p>Revision as of 20:47, 13 September 2010 (Mon, 13 Sep 2010 20:47:38 GMT), no edit summary. <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;diff=1030&amp;oldid=prev">diff=1030</a> against the older revision.</p>
<table class="diff">
<tr><td colspan="2" class="diff-lineno">Line 362:</td></tr>
<tr><td class="diff-marker"></td><td>----</td></tr>
<tr><td class="diff-marker"></td><td>&lt;references/&gt;</td></tr>
<tr><td class="diff-marker">+</td><td></td></tr>
<tr><td class="diff-marker">+</td><td>[[Category:Notebook]]</td></tr>
</table>

<h2>RichardHaines: /* Labeling Subjects */</h2>
<p>Revision as of 15:25, 21 May 2010. <a href="http://selinuxproject.org/w/?title=NB_Objects&amp;diff=999&amp;oldid=prev">diff=999</a> against the older revision.</p>
<table class="diff">
<tr><td colspan="2" class="diff-lineno">Line 152:</td></tr>
</table>
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeling Subjects ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeling Subjects ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On a running GNU / Linux system, processes inherit the security context of the parent process. 
If the new process being spawned has permission to change its context, then a &quot;type transition&quot; is allowed that is discussed in the [[<del class="diffchange diffchange-inline">NB_DomainandObjectTransitions</del>#<del class="diffchange diffchange-inline">Domain Transition </del>| Domain Transition]] section.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On a running GNU / Linux system, processes inherit the security context of the parent process. If the new process being spawned has permission to change its context, then a &quot;type transition&quot; is allowed that is discussed in the [[<ins class="diffchange diffchange-inline">NB_Objects</ins>#<ins class="diffchange diffchange-inline">Domain_Transition </ins>| Domain Transition]] section.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The [[NB_LSM#Initial Boot - Loading the Policy | Initial Boot - Loading the Policy]] section discusses how GNU / Linux is initialised and the processes labeled for the login process.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; 
color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The [[NB_LSM#Initial Boot - Loading the Policy | Initial Boot - Loading the Policy]] section discusses how GNU / Linux is initialised and the processes labeled for the login process.</div></td></tr> </table> Fri, 21 May 2010 15:25:12 GMT RichardHaines http://selinuxproject.org/page/Talk:NB_Objects RichardHaines: /* Labeling Objects */ http://selinuxproject.org/w/?title=NB_Objects&diff=941&oldid=prev http://selinuxproject.org/w/?title=NB_Objects&diff=941&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Labeling Objects</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:19, 16 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 56:</td> <td colspan="2" class="diff-lineno">Line 56:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"><div># Inherit their labels from the parent process.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Inherit their labels from the parent process.</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># The policy type_transition statements allow a different label to be assigned as discussed in the [[<del class="diffchange diffchange-inline">NB_DomainandObjectTransitions </del>| Domain and Object Transitions]] section.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># The policy type_transition statements allow a different label to be assigned as discussed in the [[<ins class="diffchange diffchange-inline">NB_Objects#Domain_Transition </ins>| Domain and Object Transitions]] section.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># SELinux-aware applications can enforce a new label (with the policies approval of course) using the [[LibselinuxAPISummary | libselinux API]] functions.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: 
pre-wrap;"><div># SELinux-aware applications can enforce a new label (with the policies approval of course) using the [[LibselinuxAPISummary | libselinux API]] functions.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># The object manager (OM) can enforce a default label that can either be built into the OM or obtained via a configuration file (such as the X-Windows &lt;tt&gt;x_contexts&lt;/tt&gt; file).</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># The object manager (OM) can enforce a default label that can either be built into the OM or obtained via a configuration file (such as the X-Windows &lt;tt&gt;x_contexts&lt;/tt&gt; file).</div></td></tr> </table> Sun, 16 May 2010 14:19:41 GMT RichardHaines http://selinuxproject.org/page/Talk:NB_Objects RichardHaines: /* Allowing a Process Access to Resources */ http://selinuxproject.org/w/?title=NB_Objects&diff=940&oldid=prev http://selinuxproject.org/w/?title=NB_Objects&diff=940&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Allowing a Process Access to Resources</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:18, 16 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 50:</td> <td colspan="2" 
class="diff-lineno">Line 50:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>It should be noted that there is more to a domain transition than described above, for a more detailed explanation, see the [[<del class="diffchange diffchange-inline">NB_DomainandObjectTransitions </del>| Domain Transition]] section.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>It should be noted that there is more to a domain transition than described above, for a more detailed explanation, see the [[<ins class="diffchange diffchange-inline">NB_Objects#Domain_Transition </ins>| Domain Transition]] 
section.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeling Objects ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeling Objects ==</div></td></tr> </table> Sun, 16 May 2010 14:18:55 GMT RichardHaines http://selinuxproject.org/page/Talk:NB_Objects RichardHaines: /* Allowing a Process Access to Resources */ http://selinuxproject.org/w/?title=NB_Objects&diff=939&oldid=prev http://selinuxproject.org/w/?title=NB_Objects&diff=939&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Allowing a Process Access to Resources</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:17, 16 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 19:</td> <td 
colspan="2" class="diff-lineno">Line 19:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>An SELinux policy contains many rules and statements, the majority of which are &lt;tt&gt;allow&lt;/tt&gt; rules that (simply) allows processes to be given access permissions to an objects resources.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>An SELinux policy contains many rules and statements, the majority of which are &lt;tt&gt;allow&lt;/tt&gt; rules that (simply) allows processes to be given access permissions to an objects resources.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The following allow rule and [http://taiga.selinuxproject.org/~rhaines/diagrams/6-allow-rule.png&#160; <del class="diffchange diffchange-inline">The </del>allow rule<del class="diffchange diffchange-inline">] </del>diagram illustrates &quot;a process can also be an 
object&quot; as it allows processes running in the &lt;tt&gt;unconfined_t&lt;/tt&gt; domain, permission to &quot;transition&quot; the external gateway application to the &lt;tt&gt;ext_gateway_t&lt;/tt&gt; domain once it has been executed:</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The following allow rule and [http://taiga.selinuxproject.org/~rhaines/diagrams/6-allow-rule.png&#160; <ins class="diffchange diffchange-inline">the </ins>allow rule diagram<ins class="diffchange diffchange-inline">] </ins>illustrates &quot;a process can also be an object&quot; as it allows processes running in the &lt;tt&gt;unconfined_t&lt;/tt&gt; domain, permission to &quot;transition&quot; the external gateway application to the &lt;tt&gt;ext_gateway_t&lt;/tt&gt; domain once it has been executed:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>allow Rule | source_domain&#160; |&#160; target_type : class&#160; | permission</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; 
border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>allow Rule | source_domain&#160; |&#160; target_type : class&#160; | permission</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 50:</td> <td colspan="2" class="diff-lineno">Line 50:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>It should be noted that there is more to a domain transition than described above, for a more detailed explanation, see the [<del class="diffchange diffchange-inline">#_Domain_Transition </del>Domain Transition] section.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: 
#a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>It should be noted that there is more to a domain transition than described above, for a more detailed explanation, see the [<ins class="diffchange diffchange-inline">[NB_DomainandObjectTransitions | </ins>Domain Transition<ins class="diffchange diffchange-inline">]</ins>] section.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeling Objects ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeling Objects ==</div></td></tr> </table> Sun, 16 May 2010 14:17:29 GMT RichardHaines http://selinuxproject.org/page/Talk:NB_Objects RichardHaines: /* Object Transition */ http://selinuxproject.org/w/?title=NB_Objects&diff=938&oldid=prev http://selinuxproject.org/w/?title=NB_Objects&diff=938&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Object Transition</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: 
top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:15, 16 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 307:</td> <td colspan="2" class="diff-lineno">Line 307:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>An object transition is where an object needs to be relabeled, for example changing a files label from one type to another. There are two ways this can be achieved within policy:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>An object transition is where an object needs to be relabeled, for example changing a files label from one type to another. 
There are two ways this can be achieved within policy:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"># </del>Using a &lt;tt&gt;type_transition&lt;/tt&gt; Statement to perform an object transition (relabel) for programs that are not SELinux-aware. This is the most common method and would be in the form of the following statement: &#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">1) </ins>Using a &lt;tt&gt;type_transition&lt;/tt&gt; Statement to perform an object transition (relabel) for programs that are not SELinux-aware. 
This is the most common method and would be in the form of the following statement: &#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type_transition ext_gateway_t in_queue_t:file in_file_t;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type_transition ext_gateway_t in_queue_t:file in_file_t;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; 
border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"># </del>Using a &lt;tt&gt;type_change&lt;/tt&gt; Statement to perform an object transition for programs that are SELinux-aware. &#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">2) </ins>Using a &lt;tt&gt;type_change&lt;/tt&gt; Statement to perform an object transition for programs that are SELinux-aware. 
&#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type_change sysadm_t server_ptynode : chr_file sysadm_devpts_t;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type_change sysadm_t server_ptynode : chr_file sysadm_devpts_t;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; 
border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The [LibselinuxAPISummary | libselinux API] call &lt;tt&gt;security_compute_relabel&lt;/tt&gt; would be used to compute the new context.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The <ins class="diffchange diffchange-inline">[</ins>[LibselinuxAPISummary | libselinux API<ins class="diffchange diffchange-inline">]</ins>] call &lt;tt&gt;security_compute_relabel&lt;/tt&gt; would be used to compute the new context.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The following details an object transition used in the 
&lt;tt&gt;ext_gateway.conf&lt;/tt&gt; loadable module (shown in volume 2) where by default, files would be labeled &lt;tt&gt;in_queue_t&lt;/tt&gt; when created by the gateway application as this is the label attached to the parent directory as shown:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The following details an object transition used in the &lt;tt&gt;ext_gateway.conf&lt;/tt&gt; loadable module (shown in volume 2) where by default, files would be labeled &lt;tt&gt;in_queue_t&lt;/tt&gt; when created by the gateway application as this is the label attached to the parent directory as shown:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 337:</td> <td colspan="2" class="diff-lineno">Line 337:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>However, as stated above to be able to relabel the file, the following minimum permissions need to be granted in the policy using &lt;tt&gt;allow&lt;/tt&gt; rules, where:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>However, as stated above to be able to relabel the file, the following minimum permissions need to be granted in the policy using &lt;tt&gt;allow&lt;/tt&gt; rules, where:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"># </del>The source domain needs permission to ''add file entries into the directory'':</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">* </ins>The source domain needs permission to ''add file entries into the directory'':</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>allow ext_gateway_t in_queue_t : dir { write search add_name };</div></td><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>allow ext_gateway_t in_queue_t : dir { write search add_name };</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"># </del>The source domain needs permission to ''create file entries'':</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">* </ins>The source domain needs permission to ''create file entries'':</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; 
border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>allow ext_gateway_t in_file_t : file { write create getattr };</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>allow ext_gateway_t in_file_t : file { write create getattr };</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"># </del>The policy can then ensure (via the SELinux kernel services) that files created in the &lt;tt&gt;in_queue&lt;/tt&gt; are relabeled:</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: 
pre-wrap;"><div><ins class="diffchange diffchange-inline">* </ins>The policy can then ensure (via the SELinux kernel services) that files created in the &lt;tt&gt;in_queue&lt;/tt&gt; are relabeled:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type_transition ext_gateway_t in_queue_t:file in_file_t;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type_transition ext_gateway_t in_queue_t:file in_file_t;</div></td></tr> </table> Sun, 16 May 2010 14:15:09 GMT RichardHaines http://selinuxproject.org/page/Talk:NB_Objects RichardHaines: New page: = Objects = Within SELinux an object is a resource such as files, sockets, pipes or network interfaces that are accessed via processes (also known as subjects). These objects are classifie... 
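Review bot: In the Line 20 hunk the wiki list marker "# " is replaced by a literal "2) " prefix, which drops the wiki's automatic numbering and only reads correctly if the preceding item was changed to "1) " in the same edit; the hunk does not show that item, so that should be confirmed. The other change in the same region, turning [LibselinuxAPISummary | libselinux API] into the double-bracket form [[LibselinuxAPISummary | libselinux API]], is correct: the single-bracket form renders as an external link rather than an internal wiki link.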
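Review bot: In the Line 337 hunk the three "# " items become "* " bullets, which is fine for an unordered list, but the third bullet ("The policy can then ensure ... that files created in the in_queue are relabeled") is followed by a type_transition statement, not an allow rule, while the introductory sentence says the permissions are granted "using allow rules"; consider wording the third bullet to say it is a type_transition rule, and "in the in_queue" should name the directory and its type, e.g. "in the in_queue directory (labeled in_queue_t)", since the type is what the rule matches.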
http://selinuxproject.org/w/?title=NB_Objects&diff=937&oldid=prev http://selinuxproject.org/w/?title=NB_Objects&diff=937&oldid=prev <p>New page: = Objects = Within SELinux an object is a resource such as files, sockets, pipes or network interfaces that are accessed via processes (also known as subjects). These objects are classifie...</p> <p><b>New page</b></p><div>= Objects =<br /> Within SELinux an object is a resource such as files, sockets, pipes or network interfaces that are accessed via processes (also known as subjects). These objects are classified according to the resource they provide with access permissions relevant to their purpose (e.g. read, receive and write), and assigned a [[NB_SC | security context]] as described in the following sections.<br /> <br /> == Object Classes and Permissions ==<br /> Each object consists of a class identifier that defines its purpose (e.g. file, socket) along with a set of permissions&lt;ref name=&quot;ftn9&quot;&gt;&lt;sup&gt;Also known in SELinux as Access Vectors (AV).&lt;/sup&gt;&lt;/ref&gt; that describe what services the object can handle (read, write, send etc.). When an object is instantiated it will be allocated a name (e.g. a file could be called config or a socket &lt;tt&gt;my_connection&lt;/tt&gt;) and a security context (e.g. &lt;tt&gt;system_u:object_r:selinux_config_t&lt;/tt&gt;) as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/5-object-class.png Object Class] diagram.<br /> <br /> The objective of the policy is to enable the user of the object (the subject) access to the minimum permissions needed to complete the task (i.e. do not allow write permission if only reading information).<br /> <br /> These object classes and their associated permissions are built into the GNU / Linux kernel and user space object managers by developers and are therefore not generally updated by policy writers. 
<br /> <br /> The object classes consist of kernel object classes (for handling files, sockets etc.) plus user space object classes used by user space object managers (for services such as the name service cache daemon (nscd), X-Windows and dbus). The number of object classes and their permissions can vary depending on the features configured in the GNU / Linux release. The F-12 object classes and permissions are described in [[ObjectClassesPerms | Object Classes and Permissions]].<br /> <br /> == Allowing a Process Access to Resources ==<br /> This is a simple example that attempts to explain two points:<br /> <br /> # How a process is given permission to use an object's resource.<br /> # By using the &quot;process&quot; object class, show that a process can be described as a process or object.<br /> <br /> An SELinux policy contains many rules and statements, the majority of which are &lt;tt&gt;allow&lt;/tt&gt; rules that (simply) allow processes to be given access permissions to an object's resources.<br /> <br /> The following allow rule and [http://taiga.selinuxproject.org/~rhaines/diagrams/6-allow-rule.png The allow rule] diagram illustrate &quot;a process can also be an object&quot; as it allows processes running in the &lt;tt&gt;unconfined_t&lt;/tt&gt; domain permission to &quot;transition&quot; the external gateway application to the &lt;tt&gt;ext_gateway_t&lt;/tt&gt; domain once it has been executed:<br /> &lt;pre&gt;<br /> allow Rule | source_domain | target_type : class | permission<br /> -----------x----------------x------------------------x--------------<br /> allow unconfined_t ext_gateway_t : process transition;<br /> &lt;/pre&gt;<br /> <br /> '''Where:'''<br /> {| border=&quot;1&quot;<br /> | &lt;tt&gt;allow&lt;/tt&gt;<br /> | The SELinux language allow rule.<br /> <br /> |-<br /> | &lt;tt&gt;unconfined_t&lt;/tt&gt;<br /> | The source domain (or subject) identifier - in this case the shell that wants to exec the gateway application.<br /> <br /> 
|-<br /> | &lt;tt&gt;ext_gateway_t&lt;/tt&gt;<br /> | The target object identifier - the object instance of the gateway application process. <br /> <br /> |-<br /> | &lt;tt&gt;process&lt;/tt&gt;<br /> | The target object class - the &quot;process&quot; object class.<br /> <br /> |-<br /> | &lt;tt&gt;transition&lt;/tt&gt;<br /> | The permission granted to the source domain on the target object - in this case the &lt;tt&gt;unconfined_t&lt;/tt&gt; domain has transition permission on the &lt;tt&gt;ext_gateway_t&lt;/tt&gt; &quot;process&quot; object.<br /> <br /> |}<br /> <br /> <br /> It should be noted that there is more to a domain transition than described above; for a more detailed explanation, see the [#_Domain_Transition Domain Transition] section.<br /> <br /> == Labeling Objects ==<br /> Within a running SELinux-enabled GNU / Linux system the labeling of objects is managed by the system and generally unseen by the users (until labeling goes wrong !!). As processes and objects are created and destroyed, they either:<br /> <br /> # Inherit their labels from the parent process.<br /> # The policy type_transition statements allow a different label to be assigned as discussed in the [[NB_DomainandObjectTransitions | Domain and Object Transitions]] section.<br /> # SELinux-aware applications can enforce a new label (with the policy's approval of course) using the [[LibselinuxAPISummary | libselinux API]] functions.<br /> # The object manager (OM) can enforce a default label that can either be built into the OM or obtained via a configuration file (such as the X-Windows &lt;tt&gt;x_contexts&lt;/tt&gt; file).<br /> # Use an &quot;initial security identifier&quot; (or initial SID). These are defined in all base and monolithic policies and are used to either set an initial context during the boot process, or if an object requires a default (i.e. 
the object does not already have a valid context).<br /> <br /> While the majority of objects are managed via the system automatically using either the inherited label or an initial SID as required, there are objects that need to have labels defined for them either by their OM (bullet 4 above) using configuration files&lt;ref name=&quot;ftn10&quot;&gt;&lt;sup&gt;The advantage of defining labels in an OM configuration file and not in the policy language is that the OM can then be used by other security mechanisms (for example NetLabel can be used by the [http://www.schaufler-ca.com/ Simplified Mandatory Access Control Kernel] (SMACK) as this MAC system also hooks into the LSM).&lt;/sup&gt;&lt;/ref&gt; or by using policy language statements. <br /> <br /> The SELinux policy language supports object labeling statements for file and network services that are defined in the [[FileStatements | File System Labeling Statements]] and [[NetworkStatements | Network Labeling Statements]] sections.<br /> <br /> An overview of the process required for labeling file systems that use extended attributes (such as &lt;tt&gt;ext3&lt;/tt&gt; and &lt;tt&gt;ext4&lt;/tt&gt;) is discussed in the next section. <br /> <br /> === Labeling Extended Attribute Filesystems ===<br /> The labeling of file systems that implement extended attributes&lt;ref name=&quot;ftn11&quot;&gt;&lt;sup&gt;These file systems store the security context in an attribute associated with the file.&lt;/sup&gt;&lt;/ref&gt; is supported by SELinux using:<br /> <br /> # The &lt;tt&gt;fs_use_xattr&lt;/tt&gt; statement within the policy to identify what file systems use extended attributes. This statement is used to inform the security server how the file system is labeled.<br /> # A &quot;file contexts&quot; file that defines what the initial contexts should be for each file and directory within the file system. 
The format of this file is described in the [[PolicyConfigurationFiles | Policy Configuration Files]] &lt;ref name=&quot;ftn12&quot;&gt;&lt;sup&gt;Note that this file contains the contexts of all files in all extended attribute filesystems for the policy. However, within a modular policy each module describes its own file context information, which is then used to build this file.&lt;/sup&gt;&lt;/ref&gt; section.<br /> # A method to initialise the filesystem with these extended attributes. This is achieved by SELinux utilities such as &lt;tt&gt;fixfiles(8)&lt;/tt&gt; and &lt;tt&gt;setfiles(8)&lt;/tt&gt;. There are also commands such as &lt;tt&gt;chcon(1)&lt;/tt&gt;, &lt;tt&gt;restorecon(8)&lt;/tt&gt; and &lt;tt&gt;restorecond(8)&lt;/tt&gt; that can be used to relabel files.<br /> <br /> Extended attributes containing the SELinux context of a file can be viewed by the &lt;tt&gt;ls -Z&lt;/tt&gt; or &lt;tt&gt;getfattr(1)&lt;/tt&gt; commands as follows:<br /> &lt;pre&gt;<br /> ls -Z myfile<br /> -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 myfile<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> getfattr -n security.selinux &lt;file_name&gt;<br /> <br /> #file_name: rpmbuild<br /> security.selinux=&quot;unconfined_u:object_r:admin_home_t:s0\000&quot;<br /> <br /> # Where -n security.selinux is the name of the attribute and<br /> # rpmbuild is the file name.<br /> # The security context (or label) for the file is:<br /> # unconfined_u:object_r:admin_home_t:s0<br /> &lt;/pre&gt;<br /> <br /> ==== Copying and Moving Files ====<br /> Assuming that the correct permissions have been granted by the policy, the effects on the security context of a file when copied or moved differ as follows:<br /> <br /> * copy a file - takes on the label of the new directory unless the &lt;tt&gt;-Z&lt;/tt&gt; option is used.<br /> * move a file - retains the label of the file.<br /> <br /> However, if the &lt;tt&gt;restorecond&lt;/tt&gt; daemon is running and the 
&lt;tt&gt;restorecond.conf&lt;/tt&gt; file is correctly configured, then other security contexts can be associated with the file as it is moved or copied (provided it is a valid context and specified in the &lt;tt&gt;/etc/selinux/&lt;policy_name&gt;/contexts/files/file_contexts&lt;/tt&gt; file).<br /> <br /> The examples below show the effects of copying and moving files:<br /> &lt;pre&gt;<br /> # These are the test files in the /root directory and their current security<br /> # context:<br /> #<br /> -rw-r--r-- root root user_u:object_r:unconfined_t copied-file<br /> -rw-r--r-- root root user_u:object_r:unconfined_t moved-file<br /> <br /> # These are the commands used to copy / move the files:<br /> #<br /> # Standard copy file:<br /> cp copied-file /usr/message_queue/in_queue<br /> <br /> # Copy using -Z to set the file's context:<br /> cp -Z user_u:object_r:unconfined_t copied-file /usr/message_queue/in_queue/copied-file-with-Z<br /> <br /> # Standard move file:<br /> mv moved-file /usr/message_queue/in_queue<br /> <br /> # The target directory (/usr/message_queue/in_queue) is labeled &quot;in_queue_t&quot;.<br /> # The results of &quot;ls -Z&quot; on the target directory are:<br /> #<br /> -rw-r--r-- root root user_u:object_r:in_queue_t copied-file<br /> -rw-r--r-- root root user_u:object_r:unconfined_t copied-file-with-Z<br /> -rw-r--r-- root root user_u:object_r:unconfined_t moved-file<br /> &lt;/pre&gt;<br /> <br /> However, if the restorecond daemon is running:<br /> &lt;pre&gt;<br /> # If the restorecond daemon is running with a restorecond.conf file entry of:<br /> #<br /> /usr/message_queue/in_queue/*<br /> <br /> # AND the file_context file has an entry of:<br /> #<br /> /usr/message_queue/in_queue(/.*)? 
-- system_u:object_r:in_file_t<br /> <br /> # Then all the entries would be set as follows when the daemon detects the file's<br /> # creation:<br /> #<br /> -rw-r--r-- root root user_u:object_r:in_file_t copied-file<br /> -rw-r--r-- root root user_u:object_r:in_file_t copied-file-with-Z<br /> -rw-r--r-- root root user_u:object_r:in_file_t moved-file<br /> <br /> # This is because the restorecond process will set the contexts defined in <br /> # the file_contexts file to the context specified as it is created in the <br /> # new directory.<br /> &lt;/pre&gt;<br /> <br /> This is because the &lt;tt&gt;restorecond&lt;/tt&gt; process will set the contexts defined in the &lt;tt&gt;file_contexts&lt;/tt&gt; file to the context specified as it is created in the new directory.<br /> <br /> == Labeling Subjects ==<br /> On a running GNU / Linux system, processes inherit the security context of the parent process. If the new process being spawned has permission to change its context, then a &quot;type transition&quot; is allowed, as discussed in the [[NB_DomainandObjectTransitions#Domain Transition | Domain Transition]] section.<br /> <br /> The [[NB_LSM#Initial Boot - Loading the Policy | Initial Boot - Loading the Policy]] section discusses how GNU / Linux is initialised and the processes labeled for the login process.<br /> <br /> The policy language supports a number of statements that assign labels to processes, such as:<br /> <br /> * &lt;tt&gt;user&lt;/tt&gt;, &lt;tt&gt;role&lt;/tt&gt; and &lt;tt&gt;type&lt;/tt&gt; statements.<br /> <br /> and manage their scope:<br /> <br /> * &lt;tt&gt;role allow&lt;/tt&gt; and &lt;tt&gt;constrain&lt;/tt&gt;<br /> <br /> and manage their transition:<br /> <br /> * &lt;tt&gt;type_transition&lt;/tt&gt;, &lt;tt&gt;role_transition&lt;/tt&gt; and &lt;tt&gt;range_transition&lt;/tt&gt;<br /> <br /> One point to note is that the current Reference Policy does not support role transitions / changes as these are &quot;constrained&quot; 
by the policy. To change to a different role, the &lt;tt&gt;newrole(1)&lt;/tt&gt; command needs to be used.<br /> <br /> == Object Reuse ==<br /> As GNU / Linux runs, it creates instances of objects and manages the information they contain (read, write, modify etc.) under the control of processes, and at some stage these objects may be deleted or released allowing the resource (such as memory blocks and disk space) to be available for reuse.<br /> <br /> GNU / Linux handles object reuse by ensuring that a resource is cleared when it is re-allocated, not when it is released. This means that when a process releases an object instance (e.g. releases allocated memory back to the pool, deletes a directory entry or file), there may be information left behind that could prove useful if harvested. If this should be an issue, then the process itself should clear or shred the information before releasing the object (which can be difficult in some cases unless the source code is available).<br /> <br /> == Domain and Object Transitions ==<br /> This section discusses the &lt;tt&gt;type_transition&lt;/tt&gt; statement that is used for:<br /> <br /> # Transitioning a process from one domain to another (a domain transition).<br /> # Transitioning an object from one type to another (an object transition or relabel).<br /> <br /> These transitions can also be achieved using the [[LibselinuxAPISummary | libselinux API]] functions; however, they are beyond the scope of this Notebook, as is dynamically changing a process's security context using the dyntransition permission.<br /> <br /> == Domain Transition ==<br /> A domain transition is where a process in one domain transitions to another domain (i.e. runs under a different security context). There are two ways a process can request a domain transition in a policy:<br /> <br /> * Using a &lt;tt&gt;type_transition&lt;/tt&gt; statement to perform a domain transition for programs that are not themselves SELinux-aware. 
This is the most common method and would be in the form of the following statement:<br /> &lt;pre&gt;<br /> type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;<br /> &lt;/pre&gt;<br /> <br /> * SELinux-aware applications can specify the domain of the new process using the [[LibselinuxAPISummary | libselinux API]] call &lt;tt&gt;setexeccon&lt;/tt&gt;. To achieve this, the SELinux-aware application must also have the &lt;tt&gt;setexec&lt;/tt&gt; permission, granted by a rule such as:<br /> &lt;pre&gt;<br /> allow crond_t self : process setexec;<br /> &lt;/pre&gt;<br /> <br /> However, before any domain transition can take place the policy must specify that:<br /> * The source ''domain'' has permission to ''transition'' into the target domain.<br /> * The application binary file needs to be ''executable'' in the source domain.<br /> * The application binary file needs an ''entry point'' into the target domain.<br /> <br /> The following is a &lt;tt&gt;type_transition&lt;/tt&gt; statement taken from the example loadable module message filter &lt;tt&gt;ext_gateway.conf&lt;/tt&gt; (described in volume 2) that will be used to explain the transition process&lt;ref name=&quot;ftn13&quot;&gt;&lt;sup&gt;For reference, the external gateway uses a server application called &lt;tt&gt;secure_server&lt;/tt&gt; that is transitioned to the &lt;tt&gt;ext_gateway_t&lt;/tt&gt; domain from the &lt;tt&gt;unconfined_t&lt;/tt&gt; domain. 
The &lt;tt&gt;secure_server&lt;/tt&gt; executable is labeled &lt;tt&gt;secure_services_exec_t&lt;/tt&gt;.&lt;/sup&gt;&lt;/ref&gt;:<br /> &lt;pre&gt;<br /> type_transition | source_domain | target_type : class | target_domain;<br /> ----------------x---------------x-----------------------x----------------------<br /> type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;<br /> &lt;/pre&gt;<br /> <br /> This &lt;tt&gt;type_transition&lt;/tt&gt; statement states that when a ''&lt;tt&gt;process&lt;/tt&gt;'' running in the ''&lt;tt&gt;unconfined_t&lt;/tt&gt;'' domain (the source domain) executes a file labeled ''&lt;tt&gt;secure_services_exec_t&lt;/tt&gt;'', the ''&lt;tt&gt;process&lt;/tt&gt;'' should be changed to ''&lt;tt&gt;ext_gateway_t&lt;/tt&gt;'' (the target domain) if allowed by the policy (i.e. transition from the ''&lt;tt&gt;unconfined_t&lt;/tt&gt;'' domain to the ''&lt;tt&gt;ext_gateway_t&lt;/tt&gt;'' domain).<br /> <br /> However, as stated above, to be able to ''&lt;tt&gt;transition&lt;/tt&gt;'' to the ''&lt;tt&gt;ext_gateway_t&lt;/tt&gt;'' domain, the following minimum permissions must be granted in the policy using &lt;tt&gt;allow&lt;/tt&gt; rules, where (note that the bullet numbers correspond to the numbers shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram):<br /> <br /> 1) The ''&lt;tt&gt;domain&lt;/tt&gt;'' needs permission to ''&lt;tt&gt;transition&lt;/tt&gt;'' into the ''&lt;tt&gt;ext_gateway_t&lt;/tt&gt;'' (target) domain:<br /> &lt;pre&gt;<br /> allow unconfined_t ext_gateway_t : process transition;<br /> &lt;/pre&gt;<br /> <br /> 2) The executable file needs to be ''executable'' in the ''&lt;tt&gt;unconfined_t&lt;/tt&gt;'' (source) domain, and therefore also requires that the file is readable:<br /> &lt;pre&gt;<br /> allow unconfined_t secure_services_exec_t : file { execute read getattr };<br /> &lt;/pre&gt;<br /> <br /> 3) The executable file needs an ''entry point'' into the 
''&lt;tt&gt;ext_gateway_t&lt;/tt&gt;'' (target) domain:<br /> &lt;pre&gt;<br /> allow ext_gateway_t secure_services_exec_t : file entrypoint;<br /> &lt;/pre&gt;<br /> <br /> These are shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram where &lt;tt&gt;unconfined_t&lt;/tt&gt; forks a child process that then execs the new program into a new domain called &lt;tt&gt;ext_gateway_t&lt;/tt&gt;. Note that because the &lt;tt&gt;type_transition&lt;/tt&gt; statement is being used, the transition is automatically carried out by the SELinux-enabled kernel.<br /> <br /> <br /> === Type Enforcement Rules ===<br /> When building the &lt;tt&gt;ext_gateway.conf&lt;/tt&gt; and &lt;tt&gt;int_gateway.conf&lt;/tt&gt; modules (described in Volume 2) the intention was to have both of these transition to their respective domains via &lt;tt&gt;type_transition&lt;/tt&gt; statements. The &lt;tt&gt;ext_gateway_t&lt;/tt&gt; statement would be:<br /> &lt;pre&gt;<br /> type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;<br /> &lt;/pre&gt;<br /> <br /> and the &lt;tt&gt;int_gateway_t&lt;/tt&gt; statement would be:<br /> &lt;pre&gt;<br /> type_transition unconfined_t secure_services_exec_t : process int_gateway_t;<br /> &lt;/pre&gt;<br /> <br /> However, when linking these two loadable modules into the policy, the following error was given:<br /> &lt;pre&gt;<br /> semodule -v -s modular-test -i int_gateway.pp -i ext_gateway.pp<br /> Attempting to install module 'int_gateway.pp':<br /> Ok: return value of 0.<br /> Attempting to install module 'ext_gateway.pp':<br /> Ok: return value of 0.<br /> Committing changes:<br /> libsepol.expand_terule_helper: conflicting TE rule for (unconfined_t, secure_services_exec_t:process): old was ext_gateway_t, new is int_gateway_t<br /> libsepol.expand_module: Error during expand<br /> libsemanage.semanage_expand_sandbox: Expand module failed<br /> semodule: Failed!<br /> 
&lt;/pre&gt;<br /> <br /> This happened because the type enforcement rules will only handle a single &quot;default&quot; type for a given source and target. In the above case there were two &lt;tt&gt;type_transition&lt;/tt&gt; statements with the same source and target, but different target domains. The &lt;tt&gt;ext_gateway.conf&lt;/tt&gt; module had the following statements:<br /> &lt;pre&gt;<br /> # Allow the client/server to transition for the gateways:<br /> allow unconfined_t ext_gateway_t : process { transition };<br /> allow unconfined_t secure_services_exec_t : file { read execute getattr };<br /> allow ext_gateway_t secure_services_exec_t : file { entrypoint };<br /> type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;<br /> &lt;/pre&gt;<br /> And the int_gateway.conf module had the following statements:<br /> &lt;pre&gt;<br /> # Allow the client/server to transition for the gateways:<br /> allow unconfined_t int_gateway_t : process { transition };<br /> allow unconfined_t secure_services_exec_t : file { read execute getattr };<br /> allow int_gateway_t secure_services_exec_t : file { entrypoint };<br /> type_transition unconfined_t secure_services_exec_t : process int_gateway_t;<br /> &lt;/pre&gt;<br /> <br /> While the allow rules are valid to enable the transitions to proceed, the two &lt;tt&gt;type_transition&lt;/tt&gt; statements had different &quot;default&quot; types, that break the type enforcement rule.<br /> <br /> It was decided to resolve this by:<br /> <br /> # Keeping the &lt;tt&gt;type_transition&lt;/tt&gt; rule for the &quot;default&quot; type of &lt;tt&gt;ext_gateway_t&lt;/tt&gt; and allow the secure server process to be execed from &lt;tt&gt;unconfined_t&lt;tt&gt; as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/7-domain-transition.png Domain Transition] diagram, by simply running the command from the prompt as follows:<br /> &lt;pre&gt;<br /> # Run the external gateway &quot;secure server&quot; 
application on port 9999 and <br /> # let the policy transition the process to the ext_gateway_t domain:<br /> <br /> secure_server 9999<br /> &lt;/pre&gt;<br /> # Using the SELinux &lt;tt&gt;runcon(1)&lt;/tt&gt; command to ensure that the internal gateway runs in the correct domain, by running runcon from the prompt as follows:<br /> &lt;pre&gt;<br /> # Run the internal gateway &quot;secure server&quot; application on port 1111 and <br /> # use runcon to transition the process to the int_gateway_t domain:<br /> <br /> runcon -t int_gateway_t -r message_filter_r secure_server 1111<br /> <br /> # Note - The role is required as a role transition is also defined in the<br /> # policy.<br /> &lt;/pre&gt;<br /> <br /> The &lt;tt&gt;runcon&lt;/tt&gt; command makes use of a number of [[LibselinuxAPISummary | libselinux API]] functions to check the current context and set up the new context (for example &lt;tt&gt;getfilecon&lt;/tt&gt; is used to check the executable file's context and &lt;tt&gt;setexeccon&lt;/tt&gt; is used to set the context for the next exec, which requires the &lt;tt&gt;setexec&lt;/tt&gt; permission). If all contexts are correct, then the &lt;tt&gt;execvp(2)&lt;/tt&gt; system call is executed, which exec's the &lt;tt&gt;secure_server&lt;/tt&gt; application with the argument of &quot;&lt;tt&gt;1111&lt;/tt&gt;&quot; in the &lt;tt&gt;int_gateway_t&lt;/tt&gt; domain with the &lt;tt&gt;message_filter_r&lt;/tt&gt; role. The &lt;tt&gt;runcon&lt;/tt&gt; source can be found in the &lt;tt&gt;coreutils&lt;/tt&gt; package.<br /> <br /> Other ways to resolve this issue are:<br /> <br /> # Use the runcon command for both gateways to transition to their respective domains. The &lt;tt&gt;type_transition&lt;/tt&gt; statements are therefore not required.<br /> # Use different names for the secure server executable files and ensure they have a different type (i.e. 
instead of &lt;tt&gt;secure_services_exec_t&lt;/tt&gt; label the external gateway &lt;tt&gt;ext_gateway_exec_t&lt;/tt&gt; and the internal gateway &lt;tt&gt;int_gateway_exec_t&lt;/tt&gt;). This would involve making a copy of the application binary (which has already been done as part of the module testing (see volume 2) by calling the server “&lt;tt&gt;server&lt;/tt&gt;” and labeling it &lt;tt&gt;unconfined_t&lt;/tt&gt; and then making a copy called &lt;tt&gt;secure_server&lt;/tt&gt; and labeling it &lt;tt&gt;secure_services_exec_t&lt;/tt&gt;).<br /> # Implement the policy using the Reference Policy template interface.<br /> <br /> It was decided to use &lt;tt&gt;runcon&lt;/tt&gt; as it demonstrates the command usage better than reading the man page.<br /> <br /> == Object Transition ==<br /> An object transition is where an object needs to be relabeled, for example changing a file's label from one type to another. There are two ways this can be achieved within policy:<br /> <br /> # Using a &lt;tt&gt;type_transition&lt;/tt&gt; Statement to perform an object transition (relabel) for programs that are not SELinux-aware. This is the most common method and would be in the form of the following statement: <br /> &lt;pre&gt;<br /> type_transition ext_gateway_t in_queue_t:file in_file_t;<br /> &lt;/pre&gt;<br /> <br /> # Using a &lt;tt&gt;type_change&lt;/tt&gt; Statement to perform an object transition for programs that are SELinux-aware. 
<br /> &lt;pre&gt;<br /> type_change sysadm_t server_ptynode : chr_file sysadm_devpts_t;<br /> &lt;/pre&gt;<br /> <br /> The [LibselinuxAPISummary | libselinux API] call &lt;tt&gt;security_compute_relabel&lt;/tt&gt; would be used to compute the new context.<br /> <br /> The following details an object transition used in the &lt;tt&gt;ext_gateway.conf&lt;/tt&gt; loadable module (shown in volume 2) where by default, files would be labeled &lt;tt&gt;in_queue_t&lt;/tt&gt; when created by the gateway application as this is the label attached to the parent directory as shown:<br /> &lt;pre&gt;<br /> ls -Za /usr/message_queue/in_queue<br /> drwxr-xr-x root root user_u:object_r:in_queue_t .<br /> drwxr-xr-x root root system_u:object_r:unconfined_t ..<br /> &lt;/pre&gt;<br /> <br /> However the requirement is that files in the &lt;tt&gt;in_queue&lt;/tt&gt; directory must be labeled &lt;tt&gt;in_file_t&lt;/tt&gt;. To achieve this the files created must be relabeled to &lt;tt&gt;in_file_t&lt;/tt&gt; by using a &lt;tt&gt;type_transition&lt;/tt&gt; rule as follows:<br /> &lt;pre&gt;<br /> # type_transition | source_domain | target_type : object | default_type;<br /> ------------------x---------------x----------------------x---------------<br /> type_transition ext_gateway_t in_queue_t : file in_file_t;<br /> &lt;/pre&gt;<br /> <br /> This &lt;tt&gt;type_transition&lt;/tt&gt; statement states that when a ''process'' running in the ''&lt;tt&gt;ext_gateway_t&lt;/tt&gt;'' domain (the source domain) wants to create a ''&lt;tt&gt;file&lt;/tt&gt;'' object in the directory that is labeled ''&lt;tt&gt;in_queue_t&lt;/tt&gt;'', the file should be relabeled ''&lt;tt&gt;in_file_t&lt;/tt&gt;'' if allowed by the policy (i.e. 
label the file ''&lt;tt&gt;in_file_t&lt;/tt&gt;'').<br /> <br /> However, as stated above to be able to relabel the file, the following minimum permissions need to be granted in the policy using &lt;tt&gt;allow&lt;/tt&gt; rules, where:<br /> <br /> # The source domain needs permission to ''add file entries into the directory'':<br /> &lt;pre&gt;<br /> allow ext_gateway_t in_queue_t : dir { write search add_name };<br /> &lt;/pre&gt;<br /> # The source domain needs permission to ''create file entries'':<br /> &lt;pre&gt;<br /> allow ext_gateway_t in_file_t : file { write create getattr };<br /> &lt;/pre&gt;<br /> # The policy can then ensure (via the SELinux kernel services) that files created in the &lt;tt&gt;in_queue&lt;/tt&gt; are relabeled:<br /> &lt;pre&gt;<br /> type_transition ext_gateway_t in_queue_t:file in_file_t;<br /> &lt;/pre&gt;<br /> <br /> An example output from a directory listing shows the resulting file labels:<br /> &lt;pre&gt;<br /> ls -Za /usr/message_queue/in_queue<br /> drwxr-xr-x root root user_u:object_r:in_queue_t .<br /> drwxr-xr-x root root system_u:object_r:unconfined_t ..<br /> -rw-r--r-- root root user_u:object_r:in_file_t Message-1<br /> -rw-r--r-- root root user_u:object_r:in_file_t Message-2<br /> &lt;/pre&gt;<br /> <br /> <br /> ----<br /> &lt;references/&gt;</div> Sun, 16 May 2010 14:12:05 GMT RichardHaines http://selinuxproject.org/page/Talk:NB_Objects
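The domain transition discussion above lists the three allow rules a transition needs (process transition, file execute/read/getattr on the executable, and file entrypoint into the target domain) and shows how two modules that each declare a type_transition with the same source, target and class but different default types fail to link. The following Python script is an added example and is not part of the wiki page or of libsepol: it parses a constructed set of TE rules (the ext_gateway / int_gateway rules quoted above), reports conflicting type_transition defaults the way the semodule error does, and lists any of the three minimum allow rules a domain transition lacks. The regular expressions only cover the simple allow / type_transition syntax shown on the page, not the full policy language.

```python
"""Check TE rules for conflicting type_transition defaults and for the
minimum allow rules a domain transition needs (added example; not part of
the wiki page and not the libsepol implementation)."""
import re
from collections import defaultdict

# Constructed sample: the rules from ext_gateway.conf and int_gateway.conf
# as they would appear once both modules are linked into one policy.
SAMPLE_POLICY = """
# ext_gateway.conf
allow unconfined_t ext_gateway_t : process { transition };
allow unconfined_t secure_services_exec_t : file { read execute getattr };
allow ext_gateway_t secure_services_exec_t : file { entrypoint };
type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
# int_gateway.conf
allow unconfined_t int_gateway_t : process { transition };
allow unconfined_t secure_services_exec_t : file { read execute getattr };
allow int_gateway_t secure_services_exec_t : file { entrypoint };
type_transition unconfined_t secure_services_exec_t : process int_gateway_t;
"""

# Only the simple forms used on the page: one class, perms either bare or in { }.
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")
TT_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;")


def parse_policy(text):
    """Return (allows, transitions).

    allows:      dict (source, target, class) -> set of permissions
    transitions: list of (source, target, class, default_type) in file order
    """
    allows = defaultdict(set)
    transitions = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            allows[(src, tgt, cls)].update(perms.strip("{}").split())
            continue
        m = TT_RE.match(line)
        if m:
            transitions.append(m.groups())
    return allows, transitions


def conflicting_defaults(transitions):
    """One default type per (source, target, class): the first declaration
    wins, any later one with a different default is reported as a conflict
    (old, new), mirroring the semodule error message on the page."""
    seen = {}
    conflicts = []
    for src, tgt, cls, default in transitions:
        key = (src, tgt, cls)
        if key in seen and seen[key] != default:
            conflicts.append((key, seen[key], default))
        seen.setdefault(key, default)
    return conflicts


def missing_domain_transition_perms(allows, src, exec_type, dst):
    """Return [(rule_key, [missing perms])] for the three allow rules the
    page lists as the minimum for src -> dst via exec_type."""
    needed = [
        ((src, dst, "process"), {"transition"}),
        ((src, exec_type, "file"), {"execute", "read", "getattr"}),
        ((dst, exec_type, "file"), {"entrypoint"}),
    ]
    missing = []
    for key, perms in needed:
        lacking = perms - allows.get(key, set())
        if lacking:
            missing.append((key, sorted(lacking)))
    return missing


if __name__ == "__main__":
    allows, transitions = parse_policy(SAMPLE_POLICY)
    for (src, tgt, cls), old, new in conflicting_defaults(transitions):
        print(f"conflicting TE rule for ({src}, {tgt}:{cls}): "
              f"old was {old}, new is {new}")
    for dst in ("ext_gateway_t", "int_gateway_t"):
        gaps = missing_domain_transition_perms(
            allows, "unconfined_t", "secure_services_exec_t", dst)
        print(f"unconfined_t -> {dst}: "
              + ("complete" if not gaps else f"missing {gaps}"))
```

Run against the constructed sample it reports the same conflict semodule did (old was ext_gateway_t, new is int_gateway_t) while confirming that both sets of allow rules are complete, which is exactly the situation the text describes: the allow rules were valid, only the duplicate default type broke the link. Dropping the entrypoint rule from the sample shows the other failure mode, a transition that the policy will deny at exec time.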