Difference between revisions of "NB Poly"
Latest revision as of 14:55, 6 December 2014
Polyinstantiation Support
GNU / Linux supports the polyinstantiation of directories that can be utilised by SELinux via the Pluggable Authentication Module (PAM) that is explained in the next section. "Polyinstantiation of directories in an SELinux system" (http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html) also gives a more detailed overview of the subject.
Polyinstantiation of objects is also supported for X-windows selections and properties that are discussed in the X-windows section. Note that sockets are not yet supported.
To clarify polyinstantiation support:
- SELinux has libselinux functions and a policy rule to support polyinstantiation.
- The polyinstantiation of directories is a function of GNU / Linux, not SELinux (or more correctly, the GNU / Linux services such as PAM have been modified to support polyinstantiation of directories and have also been made SELinux-aware, so their services can be controlled via policy).
- The polyinstantiation of X-windows selections and properties is a function of the XSELinux Object Manager and the supporting XACE service.
Polyinstantiated Objects
Determining a polyinstantiated context for an object is supported by SELinux using the policy language type_member statement and the avc_compute_member(3) and security_compute_member(3) libselinux API functions. These are not limited to specific object classes; however, only dir, x_selection and x_property objects are currently supported.
Polyinstantiation support in PAM
PAM supports polyinstantiation (namespaces) of directories at login time using the Shared Subtree / Namespace services available within GNU / Linux (the namespace.conf(5) man page is a good reference). Note that PAM and Namespace services are SELinux-aware.
The default installation of F-20 does not enable polyinstantiated directories, therefore this section will show the configuration required to enable the feature and some examples.
To implement polyinstantiated directories PAM requires the following files to be configured:
- A pam_namespace module entry added to the appropriate /etc/pam.d/ login configuration file (e.g. login, sshd, gdm etc.). F-20 already has these entries configured, with an example /etc/pam.d/gdm-password file being:
    auth       [success=done ignore=ignore default=bad] pam_selinux_permit.so
    auth       substack      password-auth
    auth       optional      pam_gnome_keyring.so
    auth       include       postlogin

    account    required      pam_nologin.so
    account    include       password-auth

    password   include       password-auth

    session    required      pam_selinux.so close
    session    required      pam_loginuid.so
    session    optional      pam_console.so
    -session   optional      pam_ck_connector.so
    session    required      pam_selinux.so open
    session    optional      pam_keyinit.so force revoke
    session    required      pam_namespace.so
    session    include       password-auth
    session    optional      pam_gnome_keyring.so auto_start
    session    include       postlogin
- Entries added to the /etc/security/namespace.conf file that defines the directories to be polyinstantiated by PAM (and other services that may need to use the namespace service). The entries are explained in the namespace.conf file section, with the default entries in F-20 being (note that the entries are commented out in the distribution):
    #polydir    instance-prefix         method  list_of_uids
    /tmp        /tmp-inst/              level   root,adm
    /var/tmp    /var/tmp/tmp-inst/      level   root,adm
    $HOME       $HOME/$USER.inst/       level
Once these files have been configured and a user logs in (although not root or adm in the above example), the PAM pam_namespace module unshares the current namespace from the parent and mounts namespaces according to the rules defined in the namespace.conf file. The F-20 configuration also includes an /etc/security/namespace.init script that is used to initialise the namespace every time a new directory instance is set up. This script receives four parameters: the polyinstantiated directory path, the instance directory path, a flag indicating whether this is a new instance, and the user name. If a new instance is being set up, the directory permissions are set and the restorecon(8) command is run to set the correct file contexts.
namespace.conf Configuration File
Each line in the namespace.conf file is formatted as follows:
polydir instance_prefix method list_of_uids
Where:
polydir          The absolute path name of the directory to polyinstantiate. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.
instance_prefix  A string prefix used to build the pathname for the polyinstantiated directory. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.
method           This is used to determine the method of polyinstantiation with valid entries being:
                     user    - Polyinstantiation is based on user name.
                     level   - Polyinstantiation is based on the user name and MLS level.
                     context - Polyinstantiation is based on the user name and security context.
                 Note that level and context are only valid for SELinux enabled systems.
list_of_uids     A comma separated list of user names that will not have polyinstantiated directories. If blank, then all users are polyinstantiated. If the list is preceded with a '~' character, then only the users in the list will have polyinstantiated directories.
There are a number of optional flags available that are described in the namespace.conf(5) man page.
Example Configurations
This section shows two sample namespace.conf configurations; the first uses method=user and the second method=context. Note that while polyinstantiation is enabled the full instance path names are not visible to the logged-in user; the instance directories only become visible once polyinstantiation is disabled.
Example 1 - method=user:
- Set the /etc/security/namespace.conf entries as follows:
    #polydir    instance-prefix         method  list_of_uids
    /tmp        /tmp-inst/              user    root,adm
    /var/tmp    /var/tmp/tmp-inst/      user    root,adm
    $HOME       $HOME/$USER.inst/       user
- Login as a normal user (rch in this example) and the PAM / Namespace process will build the following polyinstantiated directories:
    # The directories will contain the user name as a part of
    # the polyinstantiated directory name as follows:
    # /tmp
    /tmp/tmp-inst/rch
    # /var/tmp:
    /var/tmp/tmp-inst/rch
    # $HOME
    /home/rch/rch.inst/rch
Example 2 - method=context:
- Set the /etc/security/namespace.conf entries as follows:
    #polydir    instance-prefix         method  list_of_uids
    /tmp        /tmp-inst/              context root,adm
    /var/tmp    /var/tmp/tmp-inst/      context root,adm
    $HOME       $HOME/$USER.inst/       context
- Login as a normal user (rch in this example) and the PAM / Namespace process will build the following polyinstantiated directories:
    # The directories will contain the security context and
    # user name as a part of the polyinstantiated directory
    # name as follows:
    # /tmp
    /tmp/tmp-inst/unconfined_u:unconfined_r:unconfined_t_rch
    # /var/tmp:
    /var/tmp/tmp-inst/unconfined_u:unconfined_r:unconfined_t_rch
    # $HOME
    /home/rch/rch.inst/unconfined_u:unconfined_r:unconfined_t_rch
Polyinstantiation support in X-Windows
The X-Windows SELinux object manager and XACE (X Access Control Extension) support x_selection and x_property polyinstantiated objects as discussed in the SELinux X-windows Support section.
Polyinstantiation support in the Reference Policy
The reference policy files.te and files.if modules (in the kernel layer) support polyinstantiated directories. There is also a global tunable (a boolean called allow_polyinstantiation) that can be used to set this functionality on or off during login. By default this boolean is set false (off).
The polyinstantiation of X-Windows objects (x_selection and x_property) is not currently supported by the reference policy.