PolicyConfigurationFiles

From SELinux Wiki

= Policy Configuration Files =

Each file discussed in this section is relative to the policy name as follows:

<pre>
/etc/selinux/<policy_name>
</pre>

The majority of files are installed by the Reference Policy, '''semanage'''(8) or '''semodule'''(8) commands. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example the simple monolithic policy described in the Notebook source tarball could run at init 3 (i.e. no X-Windows) and only require the following configuration files:

: policy/policy.29 - The binary policy loaded into the kernel.
: contexts/files/file_contexts - To allow the filesystem to be relabeled.

If the simple policy is to run at init 5 (i.e. with X-Windows) then an additional two files are required:

: contexts/dbus_contexts - To allow the dbus messaging service to run under SELinux.
: contexts/x_contexts - To allow the X-Windows service to run under SELinux (or XSELinux could be disabled as discussed in the [[NB_XWIN | SELinux X-Windows Support]] section).
== seusers File ==
The <tt>'''seusers'''(5)</tt> file is used by login programs (normally via the <tt>libselinux</tt> library) and maps GNU / Linux users (as defined in the <tt>user</tt> / <tt>passwd</tt> files) to SELinux users (defined in the policy). A typical login sequence would be:

* Using the GNU / Linux user_id, lookup the seuser_id from this file. If an entry cannot be found, then use the __default__ entry.
* To determine the remaining context to be used as the security context, read the <nowiki>contexts/users/[seuser_id]</nowiki> file. If this file is not present, then:
** Check for a default context in the [[#contexts/default_contexts File | contexts/default_contexts]] file. If no default context is found, then:
*** Read the [[#contexts/failsafe_context File | contexts/failsafe_context]] file to allow a fail safe context to be set.

Note: The system_u user is defined in this file, however there must be '''no''' system_u GNU / Linux user configured on the system.

The format of the seusers file is the same as the files described in the [[PolicyStoreConfigurationFiles#modules/active/seusers.final_and_seusers | modules/active/seusers.final]] section, where an example semanage user command is also shown.

'''Example seusers file contents:'''

<pre>
# seusers file for non-MCS/MLS systems.

system_u:system_u
...
</pre>

<pre>
# seusers file for an MLS system. Note that the system_u user
# has access to all security levels and therefore should not be
# configured as a valid GNU / Linux user.

system_u:system_u:s0-s15:c0.c255
...
</pre>

== booleans and booleans.local File ==
Generally these <tt>'''booleans'''(5)</tt> files are not present if <tt>'''semanage'''(8)</tt> is being used to manage booleans (see the modules/active/booleans.local File section). However if <tt>semanage</tt> is not being used or there is an SELinux-aware application that uses the <tt>libselinux</tt> functions listed below, then these files may be present (they could also be present in older Reference policies):

: <tt>'''security_set_boolean_list'''(3)</tt> - Writes a <tt>booleans.local</tt> file if the <tt>permanent</tt> flag is set to '<tt>1</tt>'.
: <tt>'''security_load_booleans'''(3)</tt> - Will look for a <tt>booleans</tt> or <tt>booleans.local</tt> file here unless a specific path is specified.

Both files have the same format and contain one or more boolean names with their values. The format is:

<pre>
boolean_name value
</pre>

'''Where:'''

{| border="1"
| boolean_name
| The name of the boolean.
|-
| value
| The default setting for the boolean that can be one of the following:

<nowiki>true | false | 1 | 0</nowiki>
|}

Note that if <tt>SETLOCALDEFS</tt> is set in the SELinux [[GlobalConfigurationFiles#/etc/selinux/config File | config]] file, then <tt>'''selinux_mkload_policy'''(3)</tt> will check for a <tt>booleans.local</tt> file in the <tt>'''selinux_booleans_path'''(3)</tt>, and also a <tt>local.users</tt> file in the <tt>'''selinux_users_path'''(3)</tt>.

== booleans.subs_dist File ==
The <tt>booleans.subs_dist</tt> file (if present) allows new boolean names to be allocated to those in the active policy. This file was added because many older booleans began with 'allow', which made it difficult to determine what they did. For example the boolean <tt>allow_console_login</tt> becomes more descriptive as <tt>login_console_enabled</tt>. If the <tt>booleans.subs_dist</tt> file is present, then either name may be used. <tt>'''selinux_booleans_subs_path'''(3)</tt> will return the active policy path to this file and <tt>'''selinux_boolean_sub'''(3)</tt> will return the translated name.

Each line within the substitution file <tt>booleans.subs_dist</tt> is:

<pre>
policy_bool_name new_name
</pre>

'''Where:'''
: policy_bool_name
:: The policy boolean name.
: new_name
:: The new boolean name.

'''Example:'''

<pre>
# booleans.subs_dist

# policy_bool_name          new_name
allow_auditadm_exec_content auditadm_exec_content
allow_console_login        login_console_enabled
allow_cvs_read_shadow      cvs_read_shadow
allow_daemons_dump_core    daemons_dump_core
</pre>

When <tt>'''security_get_boolean_names'''(3)</tt> or <tt>'''security_set_boolean'''(3)</tt> is called with a boolean name and the <tt>booleans.subs_dist</tt> file is present, the name will be looked up and if using the <tt>new_name</tt>, then the <tt>policy_bool_name</tt> will be used (as that is what is defined in the active policy).

'''Supporting libselinux API functions are:'''

<pre>
selinux_booleans_subs_path
selinux_boolean_sub
security_get_boolean_names
security_set_boolean
</pre>
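The following is an added example (Python, not code from the wiki or from libselinux) that parses the two formats just described: it loads a <tt>booleans.subs_dist</tt> file, accepts either boolean name in a <tt>booleans.local</tt> file the way <tt>selinux_boolean_sub</tt>(3) does, and rejects values other than <tt>true | false | 1 | 0</tt>. The <tt>booleans.subs_dist</tt> contents are the page's example; the <tt>booleans.local</tt> contents are constructed.

```python
"""Parse booleans / booleans.local and booleans.subs_dist files.

Added example, not code from the wiki page or from libselinux: it mirrors
what security_load_booleans(3) and selinux_boolean_sub(3) do with the two
formats described above, using the booleans.subs_dist sample from the page
and a constructed booleans.local.
"""

# The page's booleans.subs_dist example, reproduced as input.
BOOLEANS_SUBS_DIST = """\
# booleans.subs_dist

# policy_bool_name          new_name
allow_auditadm_exec_content auditadm_exec_content
allow_console_login        login_console_enabled
allow_cvs_read_shadow      cvs_read_shadow
allow_daemons_dump_core    daemons_dump_core
"""

# Constructed booleans.local using both old and new names.  The _BAD variant
# adds a line whose value is not one of true|false|1|0.
BOOLEANS_LOCAL_OK = """\
login_console_enabled true
allow_cvs_read_shadow 0
daemons_dump_core 1
"""
BOOLEANS_LOCAL_BAD = BOOLEANS_LOCAL_OK + "auditadm_exec_content yes\n"


def _entries(text):
    """Yield (lineno, fields) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line.split()


def parse_subs_dist(text):
    """Return {new_name: policy_bool_name} from a booleans.subs_dist file."""
    subs = {}
    for lineno, fields in _entries(text):
        if len(fields) != 2:
            raise ValueError(f"booleans.subs_dist line {lineno}: "
                             "expected 'policy_bool_name new_name'")
        policy_name, new_name = fields
        subs[new_name] = policy_name
    return subs


def boolean_sub(name, subs):
    """Like selinux_boolean_sub(3): map a new_name to its policy_bool_name.
    Names with no substitution (including policy names) pass through."""
    return subs.get(name, name)


def parse_booleans(text, subs, policy_booleans=None):
    """Return {policy_bool_name: bool} from a booleans or booleans.local file.

    Each value must be one of true|false|1|0.  Either boolean name may be
    used; the result is keyed by the policy name.  If the set of booleans
    defined in the active policy is given, unknown names are rejected.
    """
    result = {}
    for lineno, fields in _entries(text):
        if len(fields) != 2:
            raise ValueError(f"booleans line {lineno}: expected 'boolean_name value'")
        name, value = fields
        if value in ("true", "1"):
            flag = True
        elif value in ("false", "0"):
            flag = False
        else:
            raise ValueError(f"booleans line {lineno}: bad value {value!r} for {name}")
        policy_name = boolean_sub(name, subs)
        if policy_booleans is not None and policy_name not in policy_booleans:
            raise ValueError(f"booleans line {lineno}: {name!r} is not a policy boolean")
        result[policy_name] = flag
    return result
```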
  
 
== setrans.conf File ==
The <tt>'''setrans.conf'''(8)</tt> file is used by the '''mcstransd'''(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.

There are a number of sample configuration files within the <tt>mcstrans</tt> package, located at <tt>/usr/share/mcstrans/examples</tt>, that describe the configuration options in detail.

The daemon will not load unless a valid MCS or MLS policy is active.

The translations can be disabled by adding the following line to the file:

<pre>
disable = 1
</pre>

This file will also support the display of information in colour. The configuration file that controls this is called <tt>secolor.conf</tt> and is described in the [[#secolor.conf File | secolor.conf]] section.

The file format is described in <tt>'''setrans.conf'''(8)</tt>, with the following giving an overview:

<pre>
# Syntax

# A domain is a self consistent domain of translation (English, German, Paragraph Markings ...)
Domain=NAME1

# Within a domain are a number of fixed translations
# format is raw_range=trans_range
s3:c200.c511=Confidential
# repeat as required...

# Within a domain are variable translations that are a Base + ModifierGroup + ModifierGroup
Base=Sensitivity Levels
# raw_range=name
s1=Unclassified
# Aliases have the same name but a different translation.
# The first one is used to compute translations
s1=U
# inverse bits should appear in the base of any level that uses inverse bits
s2:c200.c511=Restricted
# repeat as required...

# Modifier Groups should be in the order of appearance in the translated range.
ModifierGroup=GROUP1
# Allowed white space can be defined
Whitespace=- ,/
# Join defines the character between multiple members of this group
Join=/
# A Prefix can be defined per group
Prefix=Releasable to
# Inverse categories (releasabilities) should always be set as Default categories in every ModifierGroup
Default=c200.c511
# format is raw_categories=name
# ~ turns off inverse bits
~c200.c511=EVERYBODY

# Aruba - bit 201
~c200,~c201=ABW
~c200,~c201=AA
# Afghanistan - bit 202
~c200,~c202=AFG
~c200,~c202=AF
# repeat as required...

# Another Modifier Group
ModifierGroup=GROUP2
# With different white space
Whitespace=
# And different Join
Join=,
# A Suffix can be defined per group
Suffix=Eyes only
# Default categories need to be consistent
Default=c200.c511

# New domain
Domain=NAME2

# any text can be put in a separate file
Include=PATH
</pre>

'''Example file contents:'''

<pre>
# setrans.conf
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation library
# disable=1
#
# SystemLow and SystemHigh

s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

# Unclassified level
s1=Unclassified

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh

# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
...
</pre>

'''Supporting libselinux API functions are:'''

<pre>
selinux_translations_path
selinux_raw_to_trans_context
selinux_trans_to_raw_context
</pre>
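As an added example (Python, not from the page or from mcstrans/libselinux), the following applies the fixed <tt>raw_range=trans_range</tt> lines of a <tt>setrans.conf</tt> file to the range field of a context in both directions, honouring <tt>disable</tt> and alias lines. It uses the level and range lines of the example above; per-category names and ModifierGroup processing are left to <tt>mcstransd</tt>.

```python
"""Translate the MLS / MCS range of a context using setrans.conf.

Added example, not code from the wiki page or from mcstrans/libselinux.  It
handles only the plain 'raw_range=trans_range' lines of setrans.conf(8)
(the level and range lines from the page's example file, reproduced below)
plus the 'disable' setting, and applies them the way
selinux_raw_to_trans_context(3) / selinux_trans_to_raw_context(3) expose
them: only the fourth (range) field of a context is rewritten.  The
Base/ModifierGroup machinery and per-category names are not implemented.
"""

SETRANS_CONF = """\
# setrans.conf - level and range lines from the page's example
# Uncomment the following to disable translation library
# disable=1
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s1=Unclassified
s2=Secret
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
"""


class TranslationTable:
    """Fixed raw <-> translated range mappings from a setrans.conf file."""

    def __init__(self, text):
        self.disabled = False
        self.raw_to_trans = {}
        self.trans_to_raw = {}
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"setrans.conf line {lineno}: expected key=value")
            key, value = key.strip(), value.strip()
            if key == "disable":
                self.disabled = value == "1"
                continue
            # Aliases repeat the raw range with another label: the first
            # definition is used for raw -> translated output, while every
            # alias translates back to the raw range.
            self.raw_to_trans.setdefault(key, value)
            self.trans_to_raw.setdefault(value, key)

    def raw_to_trans_context(self, context):
        """Like selinux_raw_to_trans_context(3) for fixed translations."""
        return self._rewrite_range(context, self.raw_to_trans)

    def trans_to_raw_context(self, context):
        """Like selinux_trans_to_raw_context(3) for fixed translations."""
        return self._rewrite_range(context, self.trans_to_raw)

    def _rewrite_range(self, context, table):
        if self.disabled:
            return context
        # user:role:type:range, where the range itself may contain ':'
        parts = context.split(":", 3)
        if len(parts) < 4:
            return context          # no MLS / MCS component to translate
        user, role, type_, rng = parts
        # an unknown range is passed through untouched
        return ":".join((user, role, type_, table.get(rng, rng)))
```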
  
== secolor.conf File ==
The '''secolor.conf'''(5) file controls the colour to be associated to the components of a context when information is displayed by an SELinux colour-aware application (currently none, although there are two examples in the Notebook source tarball under the <tt>libselinux/examples</tt> directory). The file format is as follows:

<pre>
color color_name = #color_mask

context_component string fg_color_name bg_color_name
</pre>

'''Where:'''

{| border="1"
| color
| The color keyword.
|-
| color_name
| A descriptive name for the colour (e.g. <tt>red</tt>).
|-
| color_mask
| A colour mask starting with a hash (<tt><nowiki>#</nowiki></tt>) that describes the RGB colours with black being <tt><nowiki>#000000</nowiki></tt> and white being <tt><nowiki>#ffffff</nowiki></tt>.
|-
| context_component
| The colour translation supports different colours on the context string components (<tt>user</tt>, <tt>role</tt>, <tt>type</tt> and <tt>range</tt>). Each component is on a separate line.
|-
| string
| This is the context_component string that will be matched with the <tt>raw</tt> context component passed by <tt>'''selinux_raw_context_to_color'''(3)</tt>.

A wildcard '<tt>'''<nowiki>*</nowiki>'''</tt>' may be used to match any undefined <tt>string</tt> for the <tt>user</tt>, <tt>role</tt> and <tt>type</tt> context_component entries only.
|-
| fg_color_name
| The <tt>color_name</tt> string that will be used as the foreground colour.

A <tt>color_mask</tt> may also be used.
|-
| bg_color_name
| The <tt>color_name</tt> string that will be used as the background colour.

A <tt>color_mask</tt> may also be used.
|}

'''Example file contents:'''

<pre>
color black = #000000
color green = #008000
color yellow = #ffff00
color blue = #0000ff
color white = #ffffff
color red = #ff0000
color orange = #ffa500
color tan = #D2B48C

user * = black white
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023 = black yellow
</pre>

'''Supporting libselinux API functions are:'''

<pre>
selinux_colors_path
selinux_raw_context_to_color - this call returns the foreground
and background colours of the context string as the specified
RGB 'color' hex digits as follows:
    user      :    role      :      type    :    range
#000000 #ffffff #ffffff #000000 #d2b48c #ffa500 #000000 #008000
black  white  white  black  tan    orange  black  green
</pre>
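The lookup that <tt>selinux_raw_context_to_color</tt>(3) performs over the example file above, as an added example (Python) that is not the page's or libselinux's code: it parses the format, applies first-match rules with the '*' wildcard for user, role and type, and returns the eight masks shown above for a context whose range is <tt>s0-s0:c0.c1023</tt>.

```python
"""Map a raw context to foreground/background colours via secolor.conf.

Added example, not code from the wiki page or from libselinux.  It parses
the secolor.conf(5) format described above and resolves colours the way
selinux_raw_context_to_color(3) is documented to: per component the first
matching 'string' wins, '*' matches any user, role or type (not range), and
a fg/bg value may be a defined color_name or a raw #rrggbb mask.  The input
is the page's example file; a context without a range field is rejected.
"""

SECOLOR_CONF = """\
color black = #000000
color green = #008000
color yellow = #ffff00
color blue = #0000ff
color white = #ffffff
color red = #ff0000
color orange = #ffa500
color tan = #D2B48C

user * = black white
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023 = black yellow
"""

COMPONENTS = ("user", "role", "type", "range")
_HEX = set("0123456789abcdefABCDEF")


class SecolorConfig:
    def __init__(self, text):
        self.colors = {}                           # color_name -> '#rrggbb'
        self.rules = {c: [] for c in COMPONENTS}   # component -> [(string, fg, bg)]
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            lhs, sep, rhs = line.partition("=")
            if not sep:
                raise ValueError(f"secolor.conf line {lineno}: expected '='")
            keyword, _, name = lhs.strip().partition(" ")
            name = name.strip()
            if keyword == "color":
                self.colors[name] = self._mask(rhs.strip(), lineno)
            elif keyword in COMPONENTS:
                colours = rhs.split()
                if len(colours) != 2:
                    raise ValueError(f"secolor.conf line {lineno}: expected fg and bg colour")
                fg, bg = (self._color(c, lineno) for c in colours)
                self.rules[keyword].append((name, fg, bg))
            else:
                raise ValueError(f"secolor.conf line {lineno}: unknown keyword {keyword!r}")

    @staticmethod
    def _mask(value, lineno):
        """Validate a '#rrggbb' mask; returned lower-cased as in the page's output."""
        if len(value) != 7 or value[0] != "#" or not set(value[1:]) <= _HEX:
            raise ValueError(f"secolor.conf line {lineno}: bad color mask {value!r}")
        return value.lower()

    def _color(self, value, lineno):
        """fg/bg entries may name a defined colour or give a mask directly."""
        return self.colors[value] if value in self.colors else self._mask(value, lineno)

    def raw_context_to_color(self, context):
        """Return 'fg bg' masks for user, role, type and range, space separated."""
        parts = context.split(":", 3)       # the range may itself contain ':'
        if len(parts) != 4:
            raise ValueError("expected user:role:type:range")
        out = []
        for component, value in zip(COMPONENTS, parts):
            for string, fg, bg in self.rules[component]:
                if string == value or (string == "*" and component != "range"):
                    out.extend((fg, bg))
                    break
            else:
                raise LookupError(f"no {component} colour rule matches {value!r}")
        return " ".join(out)
```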
== policy/policy.<ver> File ==
This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. Life is too short to describe the format but the libsepol source could be used as a reference or for an overview the "[http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/ SELinux Policy Module Primer]" notes.

By convention the file name extension is the policy database version used to build the policy, however it is not mandatory as the true version is built into the policy file. The different policy versions are discussed in the [[NB_PolicyType#Policy_Versions | Policy Versions]] section.

== contexts/customizable_types File ==
The '''customizable_types'''(5) file contains a list of types that will not be relabeled by the '''setfiles'''(8) or '''restorecon'''(8) commands. The commands check this file before relabeling and exclude those in the list unless the -F flag is used (see the man pages).

'''The file format is as follows:'''

<pre>
type
</pre>

'''Where:'''

{| border="1"
| type
| The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.
|}

'''Example file contents:'''

<pre>
# contexts/customizable_types

mount_loopback_t
public_content_rw_t
...
</pre>
  
== contexts/default_contexts File ==
The '''default_contexts'''(5) file is used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:

# The GNU / Linux user identity should be known by the application.
# If a login application, then the SELinux user (seuser) would have been determined as described in the [[#seusers File | seusers]] section.
# The login applications will check the <nowiki>contexts/users/[seuser_id]</nowiki> file first and if no valid entry, will then look in this file for a default context to use.

'''The file format is as follows:'''

<pre>
role:type[:range] role:type[:range] ...
</pre>

'''Where:'''

{| border="1"
| <nowiki>role:type[:range]</nowiki>
| The file contains one or more lines that consist of <nowiki>role:type[:range]</nowiki> pairs (including the MLS / MCS level or range if applicable).

The entry at the start of a new line corresponds to the partial <nowiki>role:type[:range]</nowiki> context of (generally) the login application.

The other <nowiki>role:type[:range]</nowiki> entries on that line represent an ordered list of valid contexts that may be used to set the user's context.
|}

'''Example file contents:'''

<pre>
# contexts/default_contexts

system_r:crond_t:s0 system_r:system_crond_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
</pre>

'''Supporting libselinux API functions are:'''

<pre>
# Note that the contexts/users/[seuser_id] file is also read
# by some of these functions.

selinux_contexts_path
...
query_user_context
manual_user_enter_context
</pre>

An example use in this Notebook (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was unconfined_u:unconfined_r:unconfined_t).

However when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. unconfined_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged in user context to unconfined_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and chose the wrong one, probably because the types are sorted and 'e' comes before 'u').

The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to:

<pre>
...
</pre>

The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/unconfined_u configuration file instead could also have achieved this.
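The login sequence from the seusers section, combined with the <tt>default_contexts</tt> and <tt>failsafe_context</tt> lookups described here, as an added example (Python) that is not code from the page or libselinux. The file contents and the policy validity check (a plain set of permitted role:type pairs standing in for <tt>security_check_context</tt>(3)) are constructed.

```python
"""Resolve a login user's security context from the files described above.

Added example, not code from the wiki page or from libselinux.  It walks the
chain the page describes: seusers -> contexts/users/<seuser_id> ->
contexts/default_contexts -> contexts/failsafe_context, taking the first
candidate the policy allows for that SELinux user.  The policy check is a
stand-in for security_check_context(3): a constructed set of the role:type
pairs each SELinux user may hold.  All file contents are constructed samples
in the (non-MLS) formats shown on the page.
"""

SEUSERS = """\
# seusers file for non-MCS/MLS systems.
system_u:system_u
root:unconfined_u
alice:staff_u
__default__:user_u
"""

# Each line: the login application's partial context followed by an ordered
# list of candidate role:type contexts for the user.
DEFAULT_CONTEXTS = """\
# contexts/default_contexts
system_r:local_login_t  user_r:user_t  staff_r:staff_t  sysadm_r:sysadm_t  unconfined_r:unconfined_t
system_r:sshd_t         user_r:user_t  staff_r:staff_t
"""

# contexts/users/<seuser_id> files use the same format and are consulted first.
USER_CONTEXTS = {
    "staff_u": "system_r:sshd_t  staff_r:staff_t  user_r:user_t\n",
}

FAILSAFE_CONTEXT = "sysadm_r:sysadm_t\n"

# Constructed stand-in for the policy: SELinux user -> permitted role:type.
POLICY = {
    "unconfined_u": {"unconfined_r:unconfined_t"},
    "staff_u": {"staff_r:staff_t", "user_r:user_t"},
    "user_u": {"user_r:user_t"},
}


def _entries(text):
    """Non-blank, non-comment lines of a configuration file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def lookup_seuser(linux_user, seusers_text):
    """seusers(5) lookup: return (seuser, range) for the user, falling back
    to the __default__ entry.  The range is None on a non-MLS entry."""
    table = {}
    for entry in _entries(seusers_text):
        fields = entry.split(":", 2)          # the range itself may contain ':'
        if len(fields) < 2:
            raise ValueError(f"bad seusers entry {entry!r}")
        table[fields[0]] = (fields[1], fields[2] if len(fields) == 3 else None)
    if linux_user in table:
        return table[linux_user]
    if "__default__" in table:
        return table["__default__"]
    raise LookupError(f"no seusers entry or __default__ for {linux_user!r}")


def ordered_candidates(login_partial, contexts_text):
    """Ordered role:type candidates on the line whose first entry is the
    login application's partial context (default_contexts(5) format)."""
    for line in _entries(contexts_text):
        fields = line.split()
        if fields[0] == login_partial:
            return fields[1:]
    return []


def select_login_context(linux_user, login_partial, seusers=SEUSERS,
                         user_contexts=USER_CONTEXTS,
                         default_contexts=DEFAULT_CONTEXTS,
                         failsafe=FAILSAFE_CONTEXT, policy=POLICY):
    """Return the user:role:type context for linux_user logging in through a
    program running in login_partial (e.g. 'system_r:sshd_t')."""
    seuser, _mls_range = lookup_seuser(linux_user, seusers)
    allowed = policy.get(seuser, set())
    # 1. contexts/users/<seuser_id> if present, 2. contexts/default_contexts
    for source in (user_contexts.get(seuser, ""), default_contexts):
        for candidate in ordered_candidates(login_partial, source):
            if candidate in allowed:
                return f"{seuser}:{candidate}"
    # 3. nothing valid found: contexts/failsafe_context lets an admin in
    return f"{seuser}:{failsafe.strip()}"
```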
  
== contexts/dbus_contexts File ==
This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The '''dbus-daemon'''(1) man page details the contents and the Free Desktop web site has detailed information at:

[http://dbus.freedesktop.org/ http://dbus.freedesktop.org]

'''Example file contents:'''

<pre>
# contexts/dbus_contexts

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>
</pre>

'''Supporting libselinux API function is:'''

<pre>
selinux_context_path
</pre>
 
  
 
== contexts/default_type File ==
The '''default_type'''(5) file allows SELinux-aware applications such as '''newrole'''(1) to select a default type for a role if one is not supplied.

'''The file format is as follows:'''

<pre>
role:type
</pre>

'''Where:'''

{| border="1"
| role:type
| The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.
|}

'''Example file contents:'''

<pre>
# contexts/default_type

auditadm_r:auditadm_t
...
</pre>

'''Supporting libselinux API functions are:'''

<pre>
selinux_default_type_path
get_default_type
</pre>
 
  
 
== contexts/failsafe_context File ==
The '''failsafe_context'''(5) file is used when a login process cannot determine a default context to use. The file contents will then be used to allow an administrator access to the system.

'''The file format is as follows:'''

<pre>
role:type[:range]
</pre>

'''Where:'''

{| border="1"
| <nowiki>role:type[:range]</nowiki>
| A single line that has a valid context to allow an administrator access to the system, including the MLS / MCS level or range if applicable.
|}

'''Example file contents:'''

<pre>
# contexts/failsafe_context - Taken from the targeted policy.

unconfined_r:unconfined_t
</pre>

<pre>
# contexts/failsafe_context - Taken from the MLS policy.

sysadm_r:sysadm_t:s0
</pre>

'''Supporting libselinux API functions are:'''

<pre>
selinux_context_path
selinux_failsafe_context_path
get_default_context
get_default_context_with_role
get_default_context_with_level
get_default_context_with_rolelevel
get_ordered_context_list
get_ordered_context_list_with_level
</pre>
  
 
+
== contexts/initrc_context File ==
=== contexts/initrc_context File ===
+
This is used by the '''run_init'''(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.
This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.
+
  
 
'''The file format is as follows:'''
 
'''The file format is as follows:'''
 
<pre>
 
<pre>
security_context
+
user:role:type[:range]
 
</pre>
 
</pre>
  
 +
'''Where:'''
  
'''Where:'''
 
 
{| border="1"
 
{| border="1"
| | security_context
+
| <nowiki>user:role:type[:range]</nowiki>
| | The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
+
| The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.
  
 
|}
 
|}
Line 408: Line 532:
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/initrc_context - Taken from the reference policy.
+
# contexts/initrc_context - Taken from the targeted policy.
  
system_u:system_r:initrc_t
+
system_u:system_r:initrc_t:s0
 
</pre>
 
</pre>
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/initrc_context - Taken from the MLS reference
+
# contexts/initrc_context - Taken from the MLS policy
<nowiki># policy. Note that the init process has full access via the </nowiki>
+
# Note that the init process has full access via the  
<nowiki># range </nowiki>s0-s15:c0.c255.
+
# range s0-s15:c0.c255.
  
 
system_u:system_r:initrc_t:s0-s15:c0.c255
 
system_u:system_r:initrc_t:s0-s15:c0.c255
Line 425: Line 549:
 
</pre>
 
</pre>
  
 +
== contexts/lxc_contexts File ==
 +
This file supports labeling lxc containers within the <tt>libvirt</tt> library (see libvirt source <tt>src/security/security_selinux.c</tt>). This is similar to the [[#contexts/virtual_domain_context File | virtual_domain_context]] and [[#contexts/virtual_image_context File | virtual_image_context]] files used by libvirt qemu services.
 +
 +
'''The file format is as follows:'''
 +
<pre>
 +
process = "security_context"
 +
file = "security_context"
 +
content = "security_context"
 +
sandbox_kvm_process = "security_context"
 +
sandbox_lxc_process = "security_context"
 +
</pre>
 +
 +
'''Where:'''
 +
 +
{| border="1"
 +
| process
 +
| A single <tt>process</tt> entry that contains the lxc domain security context, including the MLS / MCS level or range if applicable.
 +
 +
|-
 +
| file
 +
| A single <tt>file</tt> entry that contains the lxc file security context, including the MLS / MCS level or range if applicable.
 +
 +
|-
 +
| content
 +
| A single <tt>content</tt> entry that contains the lxc content security context, including the MLS / MCS level or range if applicable.
 +
 +
|-
 +
| sandbox_kvm_process
 +
 +
sandbox_lxc_process
 +
| These entries may be present, however in F-20 they are not currently used.
 +
 +
|}
 +
 +
 +
'''Example file contents:'''
 +
<pre>
 +
# contexts/lxc_contexts
 +
 +
process = "system_u:system_r:svirt_lxc_net_t:s0"
 +
content = "system_u:object_r:virt_var_lib_t:s0"
 +
file = "system_u:object_r:svirt_sandbox_file_t:s0"
 +
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
 +
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
 +
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
 +
</pre>
 +
 +
'''Supporting libselinux API functions are:'''
 +
<pre>
 +
selinux_context_path
 +
selinux_lxc_context_path
 +
</pre>
  
 
== contexts/netfilter_contexts File ==
 
== contexts/netfilter_contexts File ==
This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the ./modules/active/netfilter_contexts & netfilter.local file section for further information).
+
This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the modules/active/netfilter_contexts file section for further information).
  
 
'''Supporting libselinux API functions are:'''
 
'''Supporting libselinux API functions are:'''
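Review bot: the lxc_contexts example lists `sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"` twice; if the duplicate is copied from the distributed file, say so in the `# contexts/lxc_contexts` comment, otherwise drop one line so the example matches the table's "single entry" wording. The table row for `sandbox_kvm_process` / `sandbox_lxc_process` says they are "not currently used" in F-20; spelling out Fedora 20 once would help readers outside that distribution.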
Line 435: Line 611:
 
</pre>
 
</pre>
  
 
+
== contexts/removable_context File ==
== contexts/removable_contexts File ==
+
The '''removable_context'''(5) file contains a single default label that should be used for removable devices that are not defined in the [[#contexts/files/media | contexts/files/media]] file.
This file contains the default label that should be used for removable devices that are not defined in the contexts/files/media file.
+
  
 
'''The file format is as follows:'''
 
'''The file format is as follows:'''
 
<pre>
 
<pre>
security_context
+
user:role:type[:range]
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
 +
 
{| border="1"
 
{| border="1"
| | security_context
+
| <nowiki>user:role:type[:range]</nowiki>
| | The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
+
| The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.
  
 
|}
 
|}
 
 
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/removable_contexts - Taken from the reference policy.
+
# contexts/removable_contexts
 
+
system_u:object_r:removable_t
+
</pre>
+
<pre>
+
<nowiki># </nowiki>./contexts/removable_contexts - Taken from the MLS 
+
<nowiki># reference policy.</nowiki>
+
  
 
system_u:object_r:removable_t:s0
 
system_u:object_r:removable_t:s0
Line 471: Line 639:
  
 
== contexts/securetty_types File ==
 
== contexts/securetty_types File ==
This file is used by the newrole(1) command to find the type to use with tty devices when changing roles or levels.
+
The '''securetty_types'''(5) file is used by the '''newrole'''(1) command to find the type to use with tty devices when changing roles or levels.
  
 
'''The file format is as follows:'''
 
'''The file format is as follows:'''
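Review bot: the heading is renamed to `contexts/removable_context File` (singular, matching `'''removable_context'''(5)`), but the example header still reads `# contexts/removable_contexts`, and the second `<pre>` block is left without any header comment because the removed lines `# ./contexts/removable_contexts - Taken from the MLS reference policy.` were not replaced; rename the example header to `# contexts/removable_context` and give the second block a `# contexts/removable_context - Taken from the MLS policy.` header in the style used for failsafe_context.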
Line 479: Line 647:
  
 
'''Where:'''
 
'''Where:'''
 +
 
{| border="1"
 
{| border="1"
| | type
+
| type
| | Zero or more type entries that are defined in the policy for tty devices.
+
| Zero or more type entries that are defined in the policy for tty devices.
  
 
|}
 
|}
 
 
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/securetty_types - Taken from the reference policy.
+
# contexts/securetty_types
  
 
sysadm_tty_device_t
 
sysadm_tty_device_t
Line 494: Line 661:
 
staff_tty_device_t
 
staff_tty_device_t
 
</pre>
 
</pre>
 +
 +
'''Supporting libselinux API functions are:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/securetty_types - Taken from the MLS reference
+
selinux_securetty_types_path
<nowiki># policy.</nowiki>
+
</pre>
  
sysadm_tty_device_t
+
== contexts/sepgsql_contexts File ==
user_tty_device_t
+
This file contains the default security contexts for SE-PostgreSQL database objects and is descibed in <tt>'''selabel_db'''(5)</tt>.
staff_tty_device_t
+
 
auditadm_tty_device_t
+
'''The file format is as follows:'''
secureadm_tty_device_t
+
 
 +
Each line within the database contexts file is as follows:
 +
<pre>
 +
object_type object_name context
 
</pre>
 
</pre>
  
'''Supporting libselinux API functions are:'''
+
'''Where:'''
 +
 
 +
{| border="1"
 +
| <tt>object_type</tt>
 +
| This is the string representation of the object type.
 +
 
 +
|-
 +
| <tt>object_name</tt>
 +
| These are the object names of the specific database objects.
 +
 
 +
The entry can contain '<tt><nowiki>*</nowiki></tt>' for wildcard matching or '<tt>?</tt>' for substitution. Note that if the '<tt><nowiki>*</nowiki></tt>' is used, then be aware that the order of entries in the file is important. The '<tt><nowiki>*</nowiki></tt>' on its own is used to ensure a default fallback context is assigned and should be the last entry in the <tt>object_type</tt> block.
 +
 
 +
|-
 +
| <tt>context</tt>
 +
| The security context that will be applied to the object.
 +
 
 +
|}
 +
 
 +
 
 +
'''Example file contents:'''
 
<pre>
 
<pre>
selinux_securetty_types_path
+
# contexts/sepgsql_contexts file
 +
 
 +
# object_type object_name  context
 +
db_database  my_database  system_u:object_r:my_sepgsql_db_t:s0
 +
db_database      *        system_u:object_r:sepgsql_db_t:s0
 +
db_schema        *.*      system_u:object_r:sepgsql_schema_t:s0
 
</pre>
 
</pre>
  
 +
== contexts/systemd_contexts File  ==
 +
This file is not currently used in F-20 but seems to contain file contexts to be used by tasks run via <tt>'''systemd'''(8)</tt> in a later release. There are some patches in the <tt>systemd</tt> mail archive that relate to this file.
 +
 +
'''The file format is as follows:'''
 +
<pre>
 +
service_class = security_context
 +
</pre>
 +
 +
'''Where:'''
 +
 +
{| border="1"
 +
| service_class
 +
| One or more entries that relate to the <tt>systemd</tt> service (e.g. runtime, transient).
 +
 +
|-
 +
| security_context
 +
| The security context, including the MLS / MCS level or range if applicable of the service to be run.
 +
 +
|}
 +
 +
 +
'''Example file contents:'''
 +
<pre>
 +
# contexts/systemd_contexts
 +
 +
runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
 +
</pre>
 +
 +
'''Supporting libselinux API functions are:'''
 +
<pre>
 +
selinux_context_path
 +
selinux_systemd_contexts_path
 +
</pre>
  
 
== contexts/userhelper_context File  ==
 
== contexts/userhelper_context File  ==
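Review bot: typo `descibed` in the sepgsql_contexts intro (`... is descibed in <tt>'''selabel_db'''(5)</tt>`) should be `described`; and the systemd_contexts format line `service_class = security_context` (spaces around `=`) does not match the example `runtime=system_u:object_r:systemd_runtime_unit_file_t:s0`, so pick one form or state that the spaces are optional.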
Line 520: Line 749:
  
 
'''Where:'''
 
'''Where:'''
 +
 
{| border="1"
 
{| border="1"
| | security_context
+
| security_context
| | The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
+
| The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
  
 
|}
 
|}
Line 529: Line 759:
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/userhelper_context - Taken from the reference policy.
+
# /contexts/userhelper_context - Taken from the standard reference policy.
  
 
system_u:sysadm_r:sysadm_t
 
system_u:sysadm_r:sysadm_t
 
</pre>
 
</pre>
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/userhelper_context - Taken from the MLS
+
# contexts/userhelper_context - Taken from the MLS/MCS reference policy.
<nowiki># reference policy.</nowiki>
+
  
 
system_u:sysadm_r:sysadm_t:s0
 
system_u:sysadm_r:sysadm_t:s0
Line 544: Line 773:
 
selinux_context_path
 
selinux_context_path
 
</pre>
 
</pre>
 
  
 
== contexts/virtual_domain_context File ==
 
== contexts/virtual_domain_context File ==
This is used by the virtulization API (<tt>libvirt</tt>) and provides the domain contexts that can be used (these are defined in the policy).
+
The '''virtual_domain_context'''(5) file is used by the virtulization API (<tt>libvirt</tt>) and provides the qemu domain contexts available in the policy (see libvirt source <tt>src/security/security_selinux.c</tt>). There may be two entries in this file, with the second entry being an alternative domain context.
  
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
# ./contexts/virtual_domain_context - Taken from the standard
+
# contexts/virtual_domain_context - From targeted policy.
# reference policy.
+
 
+
system_u:system_r:svirt_t
+
</pre>
+
 
+
<pre>
+
# ./contexts/virtual_domain_context - Taken from the MLS/MCS
+
# reference policy.
+
  
 
system_u:system_r:svirt_t:s0
 
system_u:system_r:svirt_t:s0
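Review bot: typo `virtulization` in `The '''virtual_domain_context'''(5) file is used by the virtulization API` should be `virtualization`. The same sentence says `There may be two entries in this file, with the second entry being an alternative domain context`, yet both example blocks show a single `svirt_t` line; either show a two-entry example or say the examples have one entry. The MLS header `# ./contexts/virtual_domain_context - Taken from the MLS/MCS` also keeps the `./` prefix that the targeted header `# contexts/virtual_domain_context - From targeted policy.` drops.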
Line 568: Line 788:
 
selinux_virtual_domain_context_path
 
selinux_virtual_domain_context_path
 
</pre>
 
</pre>
 
 
  
 
== contexts/virtual_image_context File ==
 
== contexts/virtual_image_context File ==
This is used by the virtulization API (<tt>libvirt</tt>) and provides the image contexts that can be used (these are defined in the policy).
+
The '''virtual_image_context'''(5) file is used by the virtulization API (<tt>libvirt</tt>) and provides the image contexts that are available in the policy (see libvirt source <tt>src/security/security_selinux.c</tt>). The first entry is the image file context and the second entry is the image content context.
  
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
# ./contexts/virtual_image_context - Taken from the standard
+
# contexts/virtual_image_context - From targeted policy.
# reference policy.
+
 
+
system_u:system_r:svirt_image_t:s0
+
system_u:system_r:svirtcontent_t:s0
+
</pre>
+
 
+
<pre>
+
# ./contexts/virtual_image_context - Taken from the MLS/MCS
+
# reference policy.
+
  
 
system_u:system_r:svirt_image_t:s0
 
system_u:system_r:svirt_image_t:s0
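Review bot: typo `virtulization` again in the virtual_image_context intro. The text describes the two entries as an image file context and an image content context, but the targeted example gives them the process role `system_r` (`system_u:system_r:svirt_image_t:s0`, `system_u:system_r:svirtcontent_t:s0`), while every other file context on this page uses `object_r` (e.g. `file = "system_u:object_r:svirt_sandbox_file_t:s0"` in lxc_contexts); check these two lines against the distributed file before publishing.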
Line 595: Line 804:
 
selinux_virtual_image_context_path
 
selinux_virtual_image_context_path
 
</pre>
 
</pre>
 
  
 
== contexts/x_contexts File  ==
 
== contexts/x_contexts File  ==
This file is provides the security contexts (and other configuration information) for the X-Windows SELinux security extension. The useage is discussed in the X-windows SELinux Support section and examples of how to add additional entries is shown in the Experimenting with X-Windows section. The MCS / MLS version of the file has the appropriate level or range information added.
+
The '''x_contexts'''(5) file provides the default security contexts for the X-Windows SELinux security extension. The usage is discussed in the [[NB_XWIN | SELinux X-Windows Support]] section. The MCS / MLS version of the file has the appropriate level or range information added.
 
+
The <tt>selabel_*</tt> set of <tt>libselinux</tt> API functions allow information to be retrieved from the <tt>x_contexts</tt> file. These are described in the relevant man pages and also in <tt>selabel_x(5)</tt>.
+
  
 
A typical entry is as follows:
 
A typical entry is as follows:
 
<pre>
 
<pre>
# object_type object_name
+
# object_type object_name context
selection     PRIMARY system_u:object_r:clipboard_xselection_t
+
selection     PRIMARY     system_u:object_r:clipboard_xselection_t
 
</pre>
 
</pre>
  
Where:
+
'''Where:'''
 +
 
 
{| border="1"
 
{| border="1"
 
| <tt>object_type</tt>
 
| <tt>object_type</tt>
Line 617: Line 824:
 
| These are the object names of the specific X-server resource such as <tt>PRIMARY</tt>, <tt>CUT_BUFFER0</tt> etc. They are generally defined in the X-server source code (<tt>protocol.txt</tt> and <tt>BuiltInAtoms </tt>in the <tt>dix</tt> directory of the <tt>xorg-server</tt> source package).  
 
| These are the object names of the specific X-server resource such as <tt>PRIMARY</tt>, <tt>CUT_BUFFER0</tt> etc. They are generally defined in the X-server source code (<tt>protocol.txt</tt> and <tt>BuiltInAtoms </tt>in the <tt>dix</tt> directory of the <tt>xorg-server</tt> source package).  
  
This can contain '<tt>*</tt>' for 'any' or '<tt>?</tt>' for 'substitute' (see the <tt>CUT_BUFFER?</tt> entry where the '<tt>?</tt>' would be substituted for a number between 0 and 7 that represents the number of these buffers).
+
This can contain '<tt><nowiki>*</nowiki></tt>' for 'any' or '<tt>?</tt>' for 'substitute' (see the <tt>CUT_BUFFER?</tt> entry where the '<tt>?</tt>' would be substituted for a number between 0 and 7 that represents the number of these buffers).
  
 
|-
 
|-
 
| <tt>context</tt>
 
| <tt>context</tt>
| This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label (<tt>:s0</tt> as standard).
+
| This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label.
  
 
|}
 
|}
  
  
'''Example file contents (taken from the 20091117 Reference Policy):'''
+
'''Example file contents:'''
 
<pre>
 
<pre>
 
#
 
#
 
# Config file for XSELinux extension
 
# Config file for XSELinux extension
 
#
 
#
 +
 
### Rules for X Clients
 
### Rules for X Clients
 
# The default client rule defines a context to be used for all clients
 
# The default client rule defines a context to be used for all clients
Line 642: Line 850:
 
# rule indicated by an asterisk should follow all other property rules.
 
# rule indicated by an asterisk should follow all other property rules.
 
#
 
#
 
 
# Properties that normal clients may only read
 
# Properties that normal clients may only read
 
property _SELINUX_*system_u:object_r:seclabel_xproperty_t
 
property _SELINUX_*system_u:object_r:seclabel_xproperty_t
Line 715: Line 922:
  
 
== contexts/files/file_contexts File ==
 
== contexts/files/file_contexts File ==
This file is managed by the semodule and semanage commands [Ref 1] as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited.
+
The '''file_contexts'''(5) file is managed by the '''semodule'''(8) and '''semanage'''(8) commands<ref name="ftn39"><sup>As each module would have its own file_contexts component that is either added or removed from the policies overall <nowiki>/etc/selinux/<policy_name>/contexts/ files/file_contexts</nowiki> file. </sup></ref> as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited.
  
Ref 1 - As each module would have its own file_contexts component that is either added or removed from the policies overall <nowiki>/etc/selinux/[policy_name]/contexts/ files/file_contexts</nowiki> file.
+
The file is used by a number of SELinux-aware commands ('''setfiles'''(8), '''fixfiles'''(8), '''matchpathcon'''(8), '''restorecon'''(8)) to relabel either part or all of the file system.
  
The file is used by a number of SELinux-aware commands (setfiles(8), fixfiles(8), matchpathcon(8), restorecon(8)) to relabel either part or all of the file system.
+
Note that users home directory file contexts are not present in this file as they are managed by the [[#contexts/files/file_contexts.homedirs | file_contexts.homedirs]] file as explained below.
  
Note that users home directory file contexts are not present in this file as they are managed by the file_contexts.homedirs file as explained below.
+
The format of the file_contexts file is the same as the files described in the [[PolicyStoreConfigurationFiles#modules/active/file_contexts_File | modules/active/file_contexts]] file section.
  
The format of the file_contexts file is the same as the files described in the ./modules/active/file_contexts file section.
+
There may also be a <tt>file_contexts.bin</tt> present that is built and used by <tt>'''semanage'''(8)</tt>. The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.
  
 
'''Supporting libselinux API functions are:'''
 
'''Supporting libselinux API functions are:'''
 
<pre>
 
<pre>
 
selinux_file_context_path
 
selinux_file_context_path
selinux_file_context_verify
+
selabel_open
selinux_file_context_local_path
+
selabel_close
 +
selabel_lookup
 +
selabel_stats
 
</pre>
 
</pre>
 
  
 
== contexts/files/file_contexts.local File ==
 
== contexts/files/file_contexts.local File ==
This file is added by the semanage fcontext command as described in the ./modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly.
+
This file is added by the semanage fcontext command as described in the [[PolicyStoreConfigurationFiles#modules/active/file_contexts.local_File | modules/active/file_contexts.local]] file section to allow locally defined files to be labeled correctly. The '''file_contexts'''(5) man page also decribes this file.
 +
 
 +
'''Supporting libselinux API functions are:'''
 +
<pre>
 +
selinux_file_context_local_path
 +
</pre>
  
 
== contexts/files/file_contexts.homedirs File ==
 
== contexts/files/file_contexts.homedirs File ==
This file is managed by the semodule and semanage commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.
+
This file is managed by the '''semodule'''(8) and '''semanage'''(8) commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.
  
It is generated by the genhomedircon(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files.  
+
It is generated by the '''genhomedircon'''(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files.  
  
It is fully described in the ./modules/active/file_contexts.homedirs file section.  
+
It is fully described in the [[PolicyStoreConfigurationFiles#modules/active/file_contexts.homedirs | modules/active/file_contexts.homedirs]] file section. The '''file_contexts'''(5) man page also decribes this file.
 +
 
 +
There may also be a <tt>file_contexts.homedirs.bin</tt> present that is built and used by <tt>'''semanage'''(8)</tt>. The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.
  
 
'''Supporting libselinux API functions are:'''
 
'''Supporting libselinux API functions are:'''
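Review bot: typo `decribes` in `The '''file_contexts'''(5) man page also decribes this file.` (in both the file_contexts.local and file_contexts.homedirs sections) should be `describes`; and the footnote path `<nowiki>/etc/selinux/<policy_name>/contexts/ files/file_contexts</nowiki>` carries a stray space before `files`, inherited from the old line, which this revision could have fixed.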
Line 749: Line 964:
 
</pre>
 
</pre>
  
 +
== contexts/files/file_contexts.subs and file_contexts.subs_dist File ==
 +
These files allow substitution of file names (<tt>.subs</tt> for local use and <tt>.subs_dist</tt> for GNU / Linux distributions use) for the <tt>libselinux</tt> functions <tt>'''matchpatchcon'''(3)</tt> and <tt>'''selabel_lookup'''(3)</tt>. The '''file_contexts'''(5) man page also decribes this file.
 +
 +
The subs files contain a list of space separated path names such as:
 +
<pre>
 +
/myweb /var/www
 +
/myspool /var/spool/mail
 +
</pre>
 +
 +
Then (for example), when <tt>'''matchpatchcon'''(3)</tt> or <tt>'''selabel_lookup'''(3)</tt> is passed a path <tt>/myweb/index.html</tt> the functions will substitute the <tt>/myweb</tt> component with <tt>/var/www</tt>, with the final result being:
 +
<pre>
 +
/var/www/index.html
 +
</pre>
 +
 +
'''Supporting libselinux API functions are:'''
 +
<pre>
 +
selinux_file_context_subs_path
 +
selinux_file_context_subs_dist_path
 +
selabel_lookup
 +
matchpathcon
 +
matchpathcon_index
 +
</pre>
  
 
== contexts/files/media File  ==
 
== contexts/files/media File  ==
Used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the ./contexts/removable_contexts is used instead.
+
The '''media'''(5) file is used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the [[#contexts/removeable_contexts | contexts/removable_contexts]] is used instead.
  
 
'''The file format is as follows:'''
 
'''The file format is as follows:'''
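Review bot: `<tt>'''matchpatchcon'''(3)</tt>` (used twice in the file_contexts.subs section) should be `matchpathcon(3)`, the name given in the API list right below it (`matchpathcon`). In the media section the link `[[#contexts/removeable_contexts | contexts/removable_contexts]]` misspells `removable` and points at an anchor that does not exist, since the heading is `== contexts/removable_context File ==`; use `[[#contexts/removable_context File | contexts/removable_context]]`, as the page does for `[[#contexts/virtual_domain_context File | virtual_domain_context]]`. `decribes` appears again in the subs section.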
Line 759: Line 996:
  
 
'''Where:'''
 
'''Where:'''
 +
 
{| border="1"
 
{| border="1"
| | media_id
+
| media_id
| | The media identifier (those known are: cdrom, floppy, disk and usb).
+
| The media identifier (those known are: cdrom, floppy, disk and usb).
  
 
|-
 
|-
| | file_context
+
| file_context
| | The context to be used for the device. Note that it does not seem to have the MLS / MCS level).
+
| The context to be used for the device. Note that it does not have the MLS / MCS level).
  
 
|}
 
|}
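Review bot: unbalanced parenthesis in the `file_context` row: `Note that it does not have the MLS / MCS level).` closes a parenthesis that was never opened; either drop the `)` or write `(note that it does not have the MLS / MCS level)`.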
Line 772: Line 1,010:
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/files/media - Taken from the reference policy
+
# contexts/files/media  
<nowiki># (note that the same file is generated for all types of policy).</nowiki>
+
# Note the same file is generated for all types of policy.
  
 
cdrom system_u:object_r:removable_device_t
 
cdrom system_u:object_r:removable_device_t
Line 784: Line 1,022:
 
selinux_media_context_path
 
selinux_media_context_path
 
</pre>
 
</pre>
 
  
 
== contexts/users/[seuser_id] File ==
 
== contexts/users/[seuser_id] File ==
These optional files are named after the SELinux user they represent (e.g. seuser_id = user_u). Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user.
+
These optional files are named after the SELinux user they represent. Each file has the same format as the [[#contexts/default_contexts | contexts/default_contexts]] file and is used to assign the correct context to the SELinux user (generally during login). The <tt>'''user_contexts'''(5)</tt> man page also decribes these entries.
  
 
'''Example file contents:'''
 
'''Example file contents:'''
 
<pre>
 
<pre>
<nowiki># </nowiki>./contexts/users/user_u - Taken from the reference policy.
+
# contexts/users/unconfined_u - From the targeted policy.
  
system_r:local_login_t user_r:user_t
+
system_r:crond_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t user_r:user_t
+
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t user_r:user_t
+
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:crond_t user_r:user_t
+
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
</pre>
+
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
<pre>
+
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
<nowiki># </nowiki>./contexts/users/user_u - Taken from the MLS 
+
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
<nowiki># reference policy.</nowiki>
+
system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
 
+
unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
+
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
+
system_r:sshd_t:s0         user_r:user_t:s0
+
system_r:crond_t:s0       user_r:user_t:s0
+
system_r:xdm_t:s0         user_r:user_t:s0
+
user_r:user_su_t:s0       user_r:user_t:s0
+
user_r:user_sudo_t:s0     user_r:user_t:s0
+
 
</pre>
 
</pre>
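Review bot: typo `decribes` in `The <tt>'''user_contexts'''(5)</tt> man page also decribes these entries.` should be `describes`. The example `# contexts/users/unconfined_u - From the targeted policy.` maps every login process to `unconfined_r:unconfined_t:s0`, but this section only says the format is "the same as" default_contexts; a one-line reminder that the first field is the login process context and the remaining fields the default contexts to assign would make the example readable on its own.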
  
Line 816: Line 1,047:
 
selinux_users_path
 
selinux_users_path
 
selinux_usersconf_path
 
selinux_usersconf_path
 +
get_default_context
 +
get_default_context_with_role
 +
get_default_context_with_level
 +
get_default_context_with_rolelevel
 +
get_ordered_context_list
 +
get_ordered_context_list_with_level
 
</pre>
 
</pre>
 +
 +
== logins/<linuxuser_id> File ==
 +
These optional files are used by SELinux-aware login applications such as PAM (using the <tt>pam_selinux</tt> module) to obtain an SELinux user name and level based on the GNU / Linux login id and service name. It has been implemented for SELinux-aware applications such as FreeIPA (Identity, Policy Audit - see [http://freeipa.org/page/Main_Page)for http://freeipa.org/page/Main_Page] for details). The <tt>'''service_seusers'''(5)</tt> man page also decribes these entries.
 +
 +
The file name is based on the GNU/Linux user that is used at log in time (e.g. <tt>ipa</tt>).
 +
 +
If <tt>'''getseuser'''(3)</tt> fails to find an entry, then the <tt>seusers</tt> file is used to retrieve default information.
 +
 +
'''The file format is as follows:'''
 +
<pre>
 +
service_name:seuser_id:level
 +
</pre>
 +
 +
'''Where:'''
 +
 +
{| border="1"
 +
| service_name
 +
| The name of the service.
 +
 +
|-
 +
| seuser_id
 +
| The SELinux user name.
 +
 +
|-
 +
| level
 +
| The run level
 +
 +
|}
 +
 +
 +
'''Example file contents:'''
 +
<pre>
 +
# logins/ipa example entries
 +
 +
ipa_service:user_u:s0
 +
another_service:unconfined_u:s0
 +
</pre>
 +
 +
'''Supporting libselinux API functions are:'''
 +
<pre>
 +
getseuser
 +
</pre>
 +
 +
== users/local.users File ==
 +
Generally the '''local.users'''(5) file is not present if <tt>'''semanage'''(8)</tt> is being used to manage users, however if <tt>'''semanage'''</tt> is not being used then this file may be present (it could also be present in older Reference or Example policies).
 +
 +
The file would contain local user definitions in the form of <tt>user</tt> statements as defined in the [[PolicyStoreConfigurationFiles#modules/active/users_extra, users_extra.local and users.local Files | modules/active/users.local]] section.
 +
 +
Note that if <tt>SETLOCALDEFS</tt> is set in the SELinux [[GlobalConfigurationFiles#/etc/selinux/config File | config]] file, then <tt>'''selinux_mkload_policy'''(3)</tt> will check for a <tt>local.users</tt> file in the <tt>'''selinux_users_path'''(3)</tt>, and a <tt>booleans.local</tt> file in the <tt>'''selinux_booleans_path'''(3)</tt>.
 +
 +
 +
 +
{| style="width: 100%;" border="0"
 +
|-
 +
| [[PolicyStoreConfigurationFiles | '''Previous''']]
 +
| <center>[[NewUsers | '''Home''']]</center>
 +
| <center>[[PolicyLanguage | '''Next''']]</center>
 +
|}
 +
 +
 +
----
 +
<references/>
 +
 +
[[Category:Notebook]]
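Review bot: the external link in the logins section is garbled: `[http://freeipa.org/page/Main_Page)for http://freeipa.org/page/Main_Page]` should be a single bracketed link such as `[http://freeipa.org/page/Main_Page FreeIPA]` so the `)for` fragment and the duplicated URL disappear. In the table, `level` is described as `The run level`, but the intro says the file yields `an SELinux user name and level` and both example entries end in `:s0`, so this is the MLS / MCS level, not an init run level; change the cell accordingly. Also `decribes` in `The <tt>'''service_seusers'''(5)</tt> man page also decribes these entries.`, and the heading `== logins/<linuxuser_id> File ==` uses raw angle brackets where the rest of the page wraps them in `<nowiki>`.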

Latest revision as of 16:47, 10 December 2014

Policy Configuration Files

Each file discussed in this section is relative to the policy name as follows:

/etc/selinux/<policy_name>

The majority of files are installed by the Reference Policy, semanage(8) or semodule(8) commands. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example the simple monolithic policy described in the Notebook source tarball could run at init 3 (i.e. no X-Windows) and only require the following configuration files:

policy/policy.29 - The binary policy loaded into the kernel.
context/files/file_contexts - To allow the filesystem to be relabeled.

If the simple policy is to run at init 5, (i.e. with X-Windows) then an additional two files are required:

context/dbus_contexts - To allow the dbus messaging service to run under SELinux.
context/x_contexts - To allow the X-Windows service to run under SELinux (or XSELinux could be disabled as discussed in the SELinux X-Windows Support section).

seusers File

The seusers(5) file is used by login programs (normally via the libselinux library) and maps GNU / Linux users (as defined in the user / passwd files) to SELinux users (defined in the policy). A typical login sequence would be:

  • Using the GNU / Linux user_id, lookup the seuser_id from this file. If an entry cannot be found, then use the __default__ entry.
  • To determine the remaining context to be used as the security context, read the contexts/users/[seuser_id] file. If this file is not present, then:
  • Check for a default context in the contexts/default_contexts file. If no default context is found, then:
  • Read the contexts/failsafe_context file to allow a fail safe context to be set.

Note: The system_u user is defined in this file, however there must be no system_u GNU / Linux user configured on the system.

The format of the seusers file is the same as the files described in the modules/active/seusers.final section, where an example semanage user command is also shown.

Example seusers file contents:

# seusers file for non-MCS/MLS systems.

system_u:system_u
root:root
fred:user_u
__default__:user_u

# seusers file for an MLS system. Note that the system_u user 
# has access to all security levels and therefore should not be 
# configured as a valid GNU / Linux user.

system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0

Supporting libselinux API functions are:

getseuser
getseuserbyname
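As an added example (this is not code from the page or from libselinux), the following Python implements the seusers step of the login sequence above: look up the GNU / Linux user, fall back to the __default__ entry, and carry the optional MLS / MCS range through. It also checks for the misconfiguration the Note warns about, a real GNU / Linux account that would be mapped to system_u. The file contents and the account list are constructed samples.

```python
"""seusers lookup: GNU/Linux login -> SELinux user (added example, not libselinux)."""

# Constructed sample: the MLS form of the seusers file shown above.
SEUSERS_MLS = """\
# seusers file for an MLS system.
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0
"""

# Constructed sample: the non-MLS form (no third field).
SEUSERS_PLAIN = """\
system_u:system_u
root:root
fred:user_u
__default__:user_u
"""


def parse_seusers(text):
    """Return {linux_user: (seuser, range)}; range is None on non-MLS systems."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # linux_user:seuser[:range]. The range may itself contain ':'
        # (s0-s15:c0.c255), so split on at most two colons.
        parts = line.split(":", 2)
        if len(parts) < 2 or not all(parts[:2]):
            raise ValueError("seusers line %d is malformed: %r" % (lineno, line))
        mapping[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else None)
    return mapping


def lookup_seuser(mapping, linux_user):
    """Map a Linux user to (seuser, range), using __default__ when absent."""
    if linux_user in mapping:
        return mapping[linux_user]
    if "__default__" in mapping:
        return mapping["__default__"]
    raise LookupError("no seusers entry and no __default__ for %r" % linux_user)


def system_u_accounts(mapping, linux_accounts):
    """Return the Linux accounts (a passwd-style list of names) that would be
    mapped to the system_u SELinux user. Per the Note above the result should
    be empty: such an account would log in with the system identity."""
    return sorted(name for name in linux_accounts
                  if lookup_seuser(mapping, name)[0] == "system_u")


if __name__ == "__main__":
    table = parse_seusers(SEUSERS_MLS)
    for user in ("root", "fred", "alice"):
        print(user, "->", lookup_seuser(table, user))
    # Constructed account list that wrongly contains a system_u login.
    print("accounts mapped to system_u:",
          system_u_accounts(table, ["root", "fred", "system_u"]))
```

Running the module prints the mapping for root and fred, shows alice falling through to __default__, and reports system_u as an account that should not exist.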

booleans and booleans.local File

Generally these booleans(5) files are not present if semanage(8) is being used to manage booleans (see the modules/active/booleans.local File section). However if semanage is not being used or there is an SELinux-aware application that uses the libselinux functions listed below, then these files may be present (they could also be present in older Reference policies):

security_set_boolean_list(3) - Writes a booleans.local file if flag permanent = '1'.
security_load_booleans(3) - Will look for a booleans or booleans.local file here unless a specific path is specified.

Both files have the same format and contain one or more boolean names. The format is:

boolean_name value

Where:

boolean_name The name of the boolean.
value The default setting for the boolean that can be one of the following:
true | false | 1 | 0


Note that if SETLOCALDEFS is set in the SELinux config file, then selinux_mkload_policy(3) will check for a booleans.local file in the selinux_booleans_path(3), and also a local.users file in the selinux_users_path(3).

booleans.subs_dist File

The booleans.subs_dist file (if present) will allow new boolean names to be allocated to those in the active policy. This file was added because many older booleans began with 'allow', which made it difficult to determine what they did. For example the boolean allow_console_login becomes more descriptive as login_console_enabled. If the booleans.subs_dist file is present, then either name may be used. selinux_booleans_subs_path(3) will return the active policy path to this file and selinux_boolean_sub(3) will return the translated name.

Each line within the substitution file booleans.subs_dist is:

policy_bool_name new_name

Where:

policy_bool_name
The policy boolean name.
new_name
The new boolean name.

Example:

# booleans.subs_dist

# policy_bool_name          new_name
allow_auditadm_exec_content auditadm_exec_content
allow_console_login         login_console_enabled
allow_cvs_read_shadow       cvs_read_shadow
allow_daemons_dump_core     daemons_dump_core

When security_get_boolean_names(3) or security_set_boolean(3) is called with a boolean name and the booleans.subs_dist file is present, the name will be looked up and if using the new_name, then the policy_bool_name will be used (as that is what is defined in the active policy).

Supporting libselinux API functions are:

selinux_booleans_subs_path
selinux_booleans_sub
security_get_boolean_names
security_set_boolean
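The following Python is an added example (not code from the page or from libselinux) of the two file formats just described: it loads a booleans.subs_dist table, translates a new_name back to the policy_bool_name the way selinux_boolean_sub(3) is described to, and validates a booleans.local file whose values must be one of true, false, 1 or 0. Both file contents are constructed samples built from the entries above.

```python
"""booleans.local validation and booleans.subs_dist name translation
(added example, not libselinux code)."""

# Constructed sample booleans.subs_dist (entries taken from the example above).
SUBS_DIST = """\
# policy_bool_name          new_name
allow_console_login         login_console_enabled
allow_daemons_dump_core     daemons_dump_core
"""

# Constructed sample booleans.local written with the newer names.
BOOLEANS_LOCAL = """\
# boolean_name value
login_console_enabled 1
daemons_dump_core false
allow_ypbind true
"""

VALID_VALUES = {"true": True, "1": True, "false": False, "0": False}


def parse_subs_dist(text):
    """Return {new_name: policy_bool_name} from booleans.subs_dist."""
    subs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("subs_dist line %d: expected 'policy_bool_name new_name'" % lineno)
        policy_name, new_name = fields
        subs[new_name] = policy_name
    return subs


def boolean_sub(name, subs):
    """Translate a new_name to its policy_bool_name (the name the active
    policy defines); names without a substitution are returned unchanged."""
    return subs.get(name, name)


def parse_booleans(text, subs):
    """Return {policy_bool_name: bool} for a booleans or booleans.local file,
    rejecting malformed lines and values outside true|false|1|0."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("booleans line %d: expected 'boolean_name value'" % lineno)
        name, value = fields
        if value not in VALID_VALUES:
            raise ValueError("booleans line %d: value must be true|false|1|0" % lineno)
        result[boolean_sub(name, subs)] = VALID_VALUES[value]
    return result


if __name__ == "__main__":
    subs = parse_subs_dist(SUBS_DIST)
    for name, value in sorted(parse_booleans(BOOLEANS_LOCAL, subs).items()):
        print(name, value)
```

Because the result is keyed by the policy name, a file that mixes old and new spellings of the same boolean collapses to one entry, which is what the active policy will see.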

setrans.conf File

The setrans.conf(8) file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.

The mcstrans package contains a number of sample configuration files, located at /usr/share/mcstrans/examples, that describe the configuration options in detail.

The daemon will not load unless a valid MCS or MLS policy is active.

The translations can be disabled by adding the following line to the file:

disable = 1

This file will also support the display of information in colour. The configuration file that controls this is called secolor.conf and is described in the secolor.conf section.

The file format is described in setrans.conf(8) with the following giving an overview:

# Syntax

# A domain is a self consistent domain of translation (English, German, Paragraph Markings ...)
Domain=NAME1

# Within a domain are a number of fixed translations
# format is raw_range=trans_range
s3:c200.c511=Confidential
# repeat as required...

# Within a domain are variable translations that are a Base + ModifierGroup + ModifierGroup
Base=Sensitivity Levels
# raw_range=name
s1=Unclassified
# Aliases have the same name but a different translation.
# The first one is used to compute translations
s1=U
# inverse bits should appear in the base of any level that uses inverse bits
s2:c200.c511=Restricted
# repeat as required...

# Modifier Groups should be in the order of appearance in the translated range.
ModifierGroup=GROUP1
# Allowed white space can be defined
Whitespace=- ,/
# Join defines the character between multiple members of this group
Join=/
# A Prefix can be defined per group
Prefix=Releasable to
# Inverse categories (releasabilities) should always be set as Default categories in every ModifierGroup
Default=c200.c511
# format is raw_categories=name
# ~ turns off inverse bits
~c200.c511=EVERYBODY

# Aruba - bit 201
~c200,~c201=ABW
~c200,~c201=AA
# Afghanistan - bit 202
~c200,~c202=AFG
~c200,~c202=AF
# repeat as required...

# Another Modifier Group
ModifierGroup=GROUP2
# With different white space
Whitespace= 
# And different Join
Join=,
# A Suffix can be defined per group
Suffix=Eyes only
# Default categories need to be consistent
Default=c200.c511

# New domain 
Domain=NAME2

# any text can be put in a separate file
Include=PATH
Include=PATH

Example file contents:

# setrans.conf
#
# Multi-Level Security translation table for SELinux
# 
# Uncomment the following to disable translation library
# disable=1
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

# Unclassified level
s1=Unclassified

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh

# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

Supporting libselinux API functions are:

selinux_translations_path
selinux_raw_to_trans_context
selinux_trans_to_raw_context
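As an added example (not mcstransd or libselinux code), the Python below translates the level or range of a security context in both directions using the fixed raw_range=trans_range entries and the disable setting of a setrans.conf file. It deliberately treats each entry as a literal pair; the Base/ModifierGroup variable translations from the syntax overview are not implemented. The file contents are a constructed sample drawn from the example above.

```python
"""Fixed-entry MLS label translation in the style of setrans.conf
(added example, not mcstransd or libselinux code)."""

# Constructed sample using fixed entries from the example above.
SETRANS_CONF = """\
# setrans.conf
# disable=1
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s1=Unclassified
s2=Secret
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
"""


def parse_setrans(text):
    """Return (raw_to_trans, trans_to_raw, disabled)."""
    raw_to_trans, trans_to_raw, disabled = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw, sep, trans = line.partition("=")
        if not sep:
            raise ValueError("expected raw_range=trans_range: %r" % line)
        raw, trans = raw.strip(), trans.strip()
        if raw == "disable":
            disabled = trans == "1"
            continue
        # Keep the first definition: the overview says the first alias
        # is the one used to compute translations.
        raw_to_trans.setdefault(raw, trans)
        trans_to_raw.setdefault(trans, raw)
    return raw_to_trans, trans_to_raw, disabled


def split_context(context):
    """Split user:role:type[:range]; the range may itself contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[:3], (parts[3] if len(parts) == 4 else None)


def _translate(context, table, mapping):
    _, _, disabled = table
    head, level = split_context(context)
    if level is None or disabled:
        return context            # non-MLS context, or translation disabled
    return ":".join(head + [mapping.get(level, level)])


def raw_to_trans_context(context, table):
    """Raw level/range -> user friendly label (cf. selinux_raw_to_trans_context(3))."""
    return _translate(context, table, table[0])


def trans_to_raw_context(context, table):
    """User friendly label -> raw level/range (cf. selinux_trans_to_raw_context(3))."""
    return _translate(context, table, table[1])


if __name__ == "__main__":
    table = parse_setrans(SETRANS_CONF)
    raw = "staff_u:staff_r:staff_t:s2:c1-s15:c0.c1023"
    shown = raw_to_trans_context(raw, table)
    print(raw, "->", shown, "->", trans_to_raw_context(shown, table))
```

A range without a fixed entry is passed through unchanged rather than guessed, which is the safe failure mode for a label that will be shown to a user.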

secolor.conf File

The secolor.conf(5) file controls the colour to be associated to the components of a context when information is displayed by an SELinux colour-aware application (currently none, although there are two examples in the Notebook source tarball under the libselinux/examples directory). The file format is as follows:

color color_name = #color_mask

context_component string fg_color_name bg_color_name 

Where:

color The color keyword.
color_name A descriptive name for the colour (e.g. red).
color_mask A colour mask starting with a hash (#) that describes the RGB colours with black being #000000 and white being #ffffff.
context_component The colour translation supports different colours on the context string components (user, role, type and range). Each component is on a separate line.
string This is the context_component string that will be matched with the raw context component passed by selinux_raw_context_to_color(3). A wildcard '*' may be used to match any undefined string for the user, role and type context_component entries only.
fg_color_name The color_name string that will be used as the foreground colour. A color_mask may also be used.
bg_color_name The color_name string that will be used as the background colour. A color_mask may also be used.


Example file contents:

color black = #000000
color green = #008000
color yellow = #ffff00
color blue = #0000ff
color white = #ffffff
color red = #ff0000
color orange = #ffa500
color tan = #D2B48C

user * = black white
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023 = black yellow

Supporting libselinux API functions are:

selinux_colors_path
selinux_raw_context_to_color - this call returns the foreground and background colours of each component of the context string as RGB 'color' hex digits, in the order user, role, type, range:
     user           role           type          range
#000000 #ffffff #ffffff #000000 #d2b48c #ffa500 #000000 #008000
 black   white   white   black   tan     orange  black   green
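The Python below is an added example (not libselinux code) that parses the secolor.conf format above and produces the same eight-value output that selinux_raw_context_to_color(3) is shown to return. It honours the rule that '*' matches only for the user, role and type components, accepts a #color_mask in place of a colour name, and fails loudly when a range has no rule. The file contents are the example above, embedded as a constructed sample.

```python
"""Colour lookup for the components of a security context, secolor.conf style
(added example, not libselinux code)."""

# Constructed sample: the example secolor.conf contents above.
SECOLOR_CONF = """\
color black = #000000
color green = #008000
color yellow = #ffff00
color blue = #0000ff
color white = #ffffff
color red = #ff0000
color orange = #ffa500
color tan = #D2B48C

user * = black white
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s15:c0.c1023 = black yellow
"""

COMPONENTS = ("user", "role", "type", "range")


def parse_secolor(text):
    """Return (colors, rules): {color_name: '#rrggbb'} and
    {component: [(string, fg, bg), ...]} kept in file order."""
    colors, rules = {}, {c: [] for c in COMPONENTS}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f for f in line.split() if f != "="]   # '=' is optional
        if fields[0] == "color" and len(fields) == 3:
            colors[fields[1]] = fields[2].lower()
        elif fields[0] in rules and len(fields) == 4:
            rules[fields[0]].append(tuple(fields[1:]))
        else:
            raise ValueError("secolor.conf line %d is malformed: %r" % (lineno, line))
    return colors, rules


def resolve_color(name, colors):
    """A colour may be given by name or directly as a #color_mask."""
    if name.startswith("#"):
        return name.lower()
    return colors[name]


def raw_context_to_color(context, table):
    """Return 'fg bg' pairs for user, role, type and range as one
    space-separated string, in the order shown on this page."""
    colors, rules = table
    parts = context.split(":", 3)      # the range may itself contain ':'
    if len(parts) != 4:
        raise ValueError("need user:role:type:range, got %r" % context)
    out = []
    for component, value in zip(COMPONENTS, parts):
        for string, fg, bg in rules[component]:
            # '*' matches anything for user, role and type only.
            if string == value or (string == "*" and component != "range"):
                out += [resolve_color(fg, colors), resolve_color(bg, colors)]
                break
        else:
            raise LookupError("no %s rule matches %r" % (component, value))
    return " ".join(out)


if __name__ == "__main__":
    table = parse_secolor(SECOLOR_CONF)
    print(raw_context_to_color("user_u:user_r:user_t:s0-s0:c0.c1023", table))
```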

policy/policy.<ver> File

This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. Life is too short to describe the format but the libsepol source could be used as a reference or for an overview the "SELinux Policy Module Primer" notes.

By convention the file name extension is the policy database version used to build the policy, however it is not mandatory as the true version is built into the policy file. The different policy versions are discussed in the Policy Versions section.

contexts/customizable_types File

The customizable_types(5) file contains a list of types that will not be relabeled by the setfiles(8) or restorecon(8) commands. The commands check this file before relabeling and exclude those in the list unless the -F flag is used (see the man pages).

The file format is as follows:

type

Where:

type The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.


Example file contents:

# contexts/customizable_types
mount_loopback_t
public_content_rw_t
public_content_t
swapfile_t
sysadm_untrusted_content_t
sysadm_untrusted_content_tmp_t

Supporting libselinux API functions are:

is_context_customizable
selinux_customizable_types_path
selinux_context_path

contexts/default_contexts File

The default_contexts(5) file is used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:

  1. The GNU / Linux user identity should be known by the application.
  2. If a login application, then the SELinux user (seuser) would have been determined as described in the seusers file section.
  3. The login applications will check the contexts/users/[seuser_id] file first and, if there is no valid entry, will then look in this default_contexts file for a default context to use.

The file format is as follows:

role:type[:range] role:type[:range] ...

Where:

role:type[:range] The file contains one or more lines that consist of role:type[:range] pairs (including the MLS / MCS level or range if applicable).

The entry at the start of a new line corresponds to the partial role:type[:range] context of (generally) the login application.

The other role:type[:range] entries on that line represent an ordered list of valid contexts that may be used to set the users context.


Example file contents:

# contexts/default_contexts

system_r:crond_t:s0 system_r:system_crond_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0

Supporting libselinux API functions are:

# Note that the contexts/users/[seuser_id] file is also read
# by some of these functions.

selinux_contexts_path
selinux_default_context_path
get_default_context
get_ordered_context_list
get_ordered_context_list_with_level
get_default_context_with_level
get_default_context_with_role
get_default_context_with_rolelevel
query_user_context
manual_user_enter_context

An example use in this Notebook (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was unconfined_u:unconfined_r:unconfined_t).

However when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. unconfined_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged in user context to unconfined_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and chose the wrong one, probably because the types are sorted and 'e' comes before 'u').

The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to:

unconfined_r:unconfined_t unconfined_r:unconfined_t

The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/unconfined_u configuration file instead could also have achieved this.

contexts/dbus_contexts File

This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The dbus-daemon(1) man page details the contents and the Free Desktop web site has detailed information at:

http://dbus.freedesktop.org

Example file contents:

# contexts/dbus_contexts

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>

Supporting libselinux API function is:

selinux_context_path

contexts/default_type File

The default_type(5) file allows SELinux-aware applications such as newrole(1) to select a default type for a role if one is not supplied.

The file format is as follows:

role:type

Where:

role:type The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.

Example file contents:

# contexts/default_type

auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t

Supporting libselinux API functions are:

selinux_default_type_path
get_default_type

contexts/failsafe_context File

The failsafe_context(5) is used when a login process cannot determine a default context to use. The file contents will then be used to allow an administrator access to the system.

The file format is as follows:

role:type[:range]

Where:

role:type[:range] A single line that has a valid context to allow an administrator access to the system, including the MLS / MCS level or range if applicable.


Example file contents:

# contexts/failsafe_context - Taken from the targeted policy.

unconfined_r:unconfined_t

# contexts/failsafe_context - Taken from the MLS policy.

sysadm_r:sysadm_t:s0

Supporting libselinux API functions are:

selinux_context_path
selinux_failsafe_context_path
get_default_context
get_default_context_with_role
get_default_context_with_level
get_default_context_with_rolelevel
get_ordered_context_list
get_ordered_context_list_with_level

contexts/initrc_context File

This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.

The file format is as follows:

user:role:type[:range]

Where:

user:role:type[:range] The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.


Example file contents:

# contexts/initrc_context - Taken from the targeted policy.

system_u:system_r:initrc_t:s0

# contexts/initrc_context - Taken from the MLS policy
# Note that the init process has full access via the 
# range s0-s15:c0.c255.

system_u:system_r:initrc_t:s0-s15:c0.c255

Supporting libselinux API functions are:

selinux_context_path

contexts/lxc_contexts File

This file supports labeling lxc containers within the libvirt library (see libvirt source src/security/security_selinux.c). This is similar to the virtual_domain_context and virtual_image_context files used by libvirt qemu services.

The file format is as follows:

process = "security_context"
file = "security_context"
content = "security_context"
sandbox_kvm_process = "security_context"
sandbox_lxc_process = "security_context"

Where:

process A single process entry that contains the lxc domain security context, including the MLS / MCS level or range if applicable.
file A single file entry that contains the lxc file security context, including the MLS / MCS level or range if applicable.
content A single content entry that contains the lxc content security context, including the MLS / MCS level or range if applicable.
sandbox_kvm_process
sandbox_lxc_process These entries may be present, however in F-20 they are not currently used.


Example file contents:

# contexts/lxc_contexts

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

Supporting libselinux API functions are:

selinux_context_path
selinux_lxc_context_path

contexts/netfilter_contexts File

This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the modules/active/netfilter_contexts file section for further information).

Supporting libselinux API functions are:

selinux_context_path
selinux_netfilter_context_path

contexts/removable_context File

The removable_context(5) file contains a single default label that should be used for removable devices that are not defined in the contexts/files/media file.

The file format is as follows:

user:role:type[:range]

Where:

user:role:type[:range] The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.

Example file contents:

# contexts/removable_context

system_u:object_r:removable_t:s0

Supporting libselinux API functions are:

selinux_removable_context_path

contexts/securetty_types File

The securetty_types(5) file is used by the newrole(1) command to find the type to use with tty devices when changing roles or levels.

The file format is as follows:

type

Where:

type Zero or more type entries that are defined in the policy for tty devices.

Example file contents:

# contexts/securetty_types

sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

Supporting libselinux API functions are:

selinux_securetty_types_path

contexts/sepgsql_contexts File

This file contains the default security contexts for SE-PostgreSQL database objects and is described in selabel_db(5).

The file format is as follows:

Each line within the database contexts file is as follows:

object_type object_name context

Where:

object_type This is the string representation of the object type.
object_name These are the object names of the specific database objects.

The entry can contain '*' for wildcard matching or '?' for substitution. Note that if the '*' is used, then be aware that the order of entries in the file is important. The '*' on its own is used to ensure a default fallback context is assigned and should be the last entry in the object_type block.

context The security context that will be applied to the object.


Example file contents:

# contexts/sepgsql_contexts file

# object_type object_name  context
db_database   my_database  system_u:object_r:my_sepgsql_db_t:s0
db_database       *        system_u:object_r:sepgsql_db_t:s0
db_schema        *.*       system_u:object_r:sepgsql_schema_t:s0

contexts/systemd_contexts File

This file is not currently used in F-20 but seems to contain file contexts to be used by tasks run via systemd(8) in a later release. There are some patches in the systemd mail archive that relate to this file.

The file format is as follows:

service_class = security_context

Where:

service_class One or more entries that relate to the systemd service (e.g. runtime, transient).
security_context The security context, including the MLS / MCS level or range if applicable of the service to be run.


Example file contents:

# contexts/systemd_contexts 

runtime=system_u:object_r:systemd_runtime_unit_file_t:s0

Supporting libselinux API functions are:

selinux_context_path
selinux_systemd_contexts_path

contexts/userhelper_context File

This file contains the default security context used by the system-config-* applications when running from root.

The file format is as follows:

security_context

Where:

security_context The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.


Example file contents:

# /contexts/userhelper_context - Taken from the standard reference policy.

system_u:sysadm_r:sysadm_t

# contexts/userhelper_context - Taken from the MLS/MCS reference policy.

system_u:sysadm_r:sysadm_t:s0

Supporting libselinux API functions are:

selinux_context_path

contexts/virtual_domain_context File

The virtual_domain_context(5) file is used by the virtualization API (libvirt) and provides the qemu domain contexts available in the policy (see libvirt source src/security/security_selinux.c). There may be two entries in this file, with the second entry being an alternative domain context.

Example file contents:

# contexts/virtual_domain_context - From targeted policy.

system_u:system_r:svirt_t:s0

Supporting libselinux API functions are:

selinux_virtual_domain_context_path

contexts/virtual_image_context File

The virtual_image_context(5) file is used by the virtualization API (libvirt) and provides the image contexts that are available in the policy (see libvirt source src/security/security_selinux.c). The first entry is the image file context and the second entry is the image content context.

Example file contents:

# contexts/virtual_image_context - From targeted policy.

system_u:system_r:svirt_image_t:s0
system_u:system_r:svirtcontent_t:s0

Supporting libselinux API functions are:

selinux_virtual_image_context_path

contexts/x_contexts File

The x_contexts(5) file provides the default security contexts for the X-Windows SELinux security extension. The usage is discussed in the SELinux X-Windows Support section. The MCS / MLS version of the file has the appropriate level or range information added.

A typical entry is as follows:

# object_type object_name context
selection     PRIMARY     system_u:object_r:clipboard_xselection_t

Where:

object_type These are types of object supported and valid entries are: client, property, poly_property, extension, selection, poly_selection and events.
object_name These are the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package).

This can contain '*' for 'any' or '?' for 'substitute' (see the CUT_BUFFER? entry where the '?' would be substituted for a number between 0 and 7 that represents the number of these buffers).

context This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label.


Example file contents:

#
# Config file for XSELinux extension
#

### Rules for X Clients
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client * system_u:object_r:remote_t

#
### Rules for X Properties
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t

# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t

# Default fallback type
property * system_u:object_r:xproperty_t

#
### Rules for X Extensions
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux system_u:object_r:security_xextension_t

# Standard extensions
extension * system_u:object_r:xextension_t

#
### Rules for X Selections
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY system_u:object_r:clipboard_xselection_t
selection CLIPBOARD system_u:object_r:clipboard_xselection_t

# Default fallback type
selection * system_u:object_r:xselection_t

#
### Rules for X Events
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress system_u:object_r:input_xevent_t
event X11:KeyRelease system_u:object_r:input_xevent_t
event X11:ButtonPress system_u:object_r:input_xevent_t
event X11:ButtonRelease system_u:object_r:input_xevent_t
event X11:MotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t

# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t
event X11:SelectionNotify system_u:object_r:client_xevent_t
event X11:UnmapNotify system_u:object_r:client_xevent_t
event X11:ConfigureNotify system_u:object_r:client_xevent_t

# Default fallback type
event * system_u:object_r:xevent_t

Supporting libselinux API functions are:

selinux_x_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats
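The contexts/sepgsql_contexts and contexts/x_contexts sections both describe the same three-column object_type object_name context layout with '*' and '?' wildcards and first-match ordering. The Python below is an added example (not libselinux's selabel code) of that lookup over a constructed sample mixing lines from both files. Using glob semantics for '*' and '?' via fnmatch is this example's assumption; the X server's matching rules are not reproduced here. check_order() reports entries that can never match because a '*' fallback for the same object_type precedes them, which is the ordering caveat both sections raise.

```python
"""First-match lookup over 'object_type object_name context' files
(added example, not libselinux code)."""
import fnmatch

# Constructed sample mixing lines from the x_contexts and sepgsql_contexts examples.
CONTEXTS_FILE = """\
# object_type object_name context
property _SELINUX_* system_u:object_r:seclabel_xproperty_t
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
property * system_u:object_r:xproperty_t
extension SELinux system_u:object_r:security_xextension_t
extension * system_u:object_r:xextension_t
db_database my_database system_u:object_r:my_sepgsql_db_t:s0
db_database * system_u:object_r:sepgsql_db_t:s0
db_schema *.* system_u:object_r:sepgsql_schema_t:s0
"""


def parse_entries(text):
    """Return [(object_type, object_name_pattern, context), ...] in file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected 'object_type object_name context'" % lineno)
        entries.append(tuple(fields))
    return entries


def lookup(entries, object_type, object_name):
    """Return the context of the first entry matching the object, or None.
    '*' matches any string and '?' a single character (glob semantics)."""
    for otype, pattern, context in entries:
        if otype == object_type and fnmatch.fnmatchcase(object_name, pattern):
            return context
    return None


def check_order(entries):
    """Return (object_type, object_name) of entries that are unreachable
    because an earlier '*' entry of the same object_type precedes them."""
    shadowed, seen_default = [], set()
    for otype, pattern, _ in entries:
        if otype in seen_default:
            shadowed.append((otype, pattern))
        elif pattern == "*":
            seen_default.add(otype)
    return shadowed


if __name__ == "__main__":
    entries = parse_entries(CONTEXTS_FILE)
    for otype, name in (("property", "CUT_BUFFER3"), ("property", "WM_NAME"),
                        ("db_schema", "my_database.public")):
        print(otype, name, "->", lookup(entries, otype, name))
    print("shadowed entries:", check_order(entries))
```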

contexts/files/file_contexts File

The file_contexts(5) file is managed by the semodule(8) and semanage(8) commands[1] as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited.

The file is used by a number of SELinux-aware commands (setfiles(8), fixfiles(8), matchpathcon(8), restorecon(8)) to relabel either part or all of the file system.

Note that users home directory file contexts are not present in this file as they are managed by the file_contexts.homedirs file as explained below.

The format of the file_contexts file is the same as the files described in the modules/active/file_contexts file section.

There may also be a file_contexts.bin present that is built and used by semanage(8). The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.

Supporting libselinux API functions are:

selinux_file_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats

contexts/files/file_contexts.local File

This file is added by the semanage fcontext command as described in the modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly. The file_contexts(5) man page also describes this file.

Supporting libselinux API functions are:

selinux_file_context_local_path

contexts/files/file_contexts.homedirs File

This file is managed by the semodule(8) and semanage(8) commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.

It is generated by the genhomedircon(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files.

It is fully described in the modules/active/file_contexts.homedirs file section. The file_contexts(5) man page also describes this file.

There may also be a file_contexts.homedirs.bin present that is built and used by semanage(8). The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.

Supporting libselinux API functions are:

selinux_file_context_homedir_path
selinux_homedir_context_path

contexts/files/file_contexts.subs and file_contexts.subs_dist File

These files allow substitution of file names (.subs for local use and .subs_dist for GNU / Linux distribution use) for the libselinux functions matchpathcon(3) and selabel_lookup(3). The file_contexts(5) man page also describes these files.

The subs files contain a list of space separated path names such as:

/myweb /var/www 
/myspool /var/spool/mail 

Then (for example), when matchpathcon(3) or selabel_lookup(3) is passed a path /myweb/index.html the functions will substitute the /myweb component with /var/www, with the final result being:

/var/www/index.html

Supporting libselinux API functions are:

selinux_file_context_subs_path
selinux_file_context_subs_dist_path
selabel_lookup
matchpathcon
matchpathcon_index
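An added example (not libselinux code) of the substitution just described: the first entry whose source path matches the start of the lookup path at a '/' boundary is applied, so the /myweb entry rewrites /myweb/index.html but leaves /mywebsite/index.html alone. Requiring the boundary is this example's design choice; the file contents are a constructed sample from the entries above.

```python
"""Path substitution from file_contexts.subs / file_contexts.subs_dist
(added example, not libselinux code)."""

# Constructed sample from the entries above.
FILE_CONTEXTS_SUBS = """\
# src dst
/myweb /var/www
/myspool /var/spool/mail
"""


def parse_subs(text):
    """Return [(src, dst), ...] in file order; a trailing '/' is dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or not all(f.startswith("/") for f in fields):
            raise ValueError("subs line %d: expected two absolute paths" % lineno)
        src, dst = (f.rstrip("/") for f in fields)
        if not src:
            raise ValueError("subs line %d: '/' cannot be substituted" % lineno)
        entries.append((src, dst or "/"))
    return entries


def substitute_path(path, entries):
    """Rewrite path using the first matching entry, else return it unchanged."""
    for src, dst in entries:
        if path == src:
            return dst
        # Only whole path components match: '/myweb' must not rewrite '/mywebsite'.
        if path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


if __name__ == "__main__":
    entries = parse_subs(FILE_CONTEXTS_SUBS)
    for p in ("/myweb/index.html", "/mywebsite/index.html", "/myspool/root"):
        print(p, "->", substitute_path(p, entries))
```

The rewritten path is what the file_contexts regular expressions are then matched against, so a wrong or over-broad substitution silently changes which label a file receives; the boundary check is the guard against the most common form of that mistake.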

contexts/files/media File

The media(5) file is used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the contexts/removable_context file is used instead.

The file format is as follows:

media_id file_context

Where:

media_id The media identifier (those known are: cdrom, floppy, disk and usb).
file_context The context to be used for the device. Note that it does not have the MLS / MCS level.


Example file contents:

# contexts/files/media 
# Note the same file is generated for all types of policy.

cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t

Supporting libselinux API functions are:

selinux_media_context_path

contexts/users/[seuser_id] File

These optional files are named after the SELinux user they represent. Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user (generally during login). The user_contexts(5) man page also describes these entries.

Example file contents:

# contexts/users/unconfined_u - From the targeted policy.

system_r:crond_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0

Supporting libselinux API functions are:

selinux_user_contexts_path
selinux_users_path
selinux_usersconf_path
get_default_context
get_default_context_with_role 
get_default_context_with_level
get_default_context_with_rolelevel
get_ordered_context_list
get_ordered_context_list_with_level
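The contexts/default_contexts, contexts/failsafe_context and contexts/users/[seuser_id] sections above all feed one lookup, so they are illustrated by a single added example here (not libselinux code). It follows the order the page gives for get_ordered_context_list(3): the seuser's own file first, then default_contexts, then the single failsafe_context entry, keyed on the role:type[:range] part of the login application's context. libselinux additionally validates each candidate against the loaded policy, which an offline example cannot do. All three file contents are constructed samples drawn from the examples on this page; the local_login_t line was given two candidates to show the ordering.

```python
"""Ordered context selection for a login from the contexts/users/[seuser_id],
default_contexts and failsafe_context files (added example, not libselinux)."""

# Constructed samples drawn from the example file contents above.
USERS_FILES = {
    "unconfined_u": """\
# contexts/users/unconfined_u
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
""",
}

DEFAULT_CONTEXTS = """\
# contexts/default_contexts (constructed: local_login_t offers two candidates)
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
"""

FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0\n"


def parse_context_lines(text):
    """Return [(partial_context, [candidate, ...]), ...] in file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("line %d needs a key and at least one candidate" % lineno)
        entries.append((fields[0], fields[1:]))
    return entries


def partial_context(full_context):
    """role:type[:range] of a full user:role:type[:range] context."""
    return full_context.split(":", 1)[1]


def ordered_context_list(seuser, login_context, users_files=USERS_FILES,
                         default_contexts=DEFAULT_CONTEXTS,
                         failsafe=FAILSAFE_CONTEXT):
    """Return the ordered list of full contexts a login application running as
    login_context may assign to seuser; the first entry is the default."""
    key = partial_context(login_context)
    # The seuser's own file wins; default_contexts is only read if it has no entry.
    for text in (users_files.get(seuser, ""), default_contexts):
        for partial, candidates in parse_context_lines(text):
            if partial == key:
                return [seuser + ":" + c for c in candidates]
    # Nothing matched: fall back to the single failsafe_context entry.
    return [seuser + ":" + failsafe.strip()]


def default_context(seuser, login_context, **files):
    """The first entry of the ordered list (cf. get_default_context(3))."""
    return ordered_context_list(seuser, login_context, **files)[0]


if __name__ == "__main__":
    for seuser in ("unconfined_u", "user_u"):
        print(seuser, ordered_context_list(seuser, "system_u:system_r:sshd_t:s0"))
    print("no entry ->", default_context("user_u", "system_u:system_r:crond_t:s0"))
```

The Notebook anecdote in the default_contexts section is the failure this ordering is meant to prevent: with no matching line the choice between several valid role:type pairs is left to the application, whereas an explicit first candidate makes it deterministic.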

logins/<linuxuser_id> File

These optional files are used by SELinux-aware login applications such as PAM (using the pam_selinux module) to obtain an SELinux user name and level based on the GNU / Linux login id and service name. It has been implemented for SELinux-aware applications such as FreeIPA (Identity, Policy, Audit - see http://freeipa.org/page/Main_Page for details). The service_seusers(5) man page also describes these entries.

The file name is based on the GNU/Linux user that is used at log in time (e.g. ipa).

If getseuser(3) fails to find an entry, then the seusers file is used to retrieve default information.

The file format is as follows:

service_name:seuser_id:level

Where:

service_name The name of the service.
seuser_id The SELinux user name.
level The level (MLS / MCS) to be assigned to the user.


Example file contents:

# logins/ipa example entries

ipa_service:user_u:s0
another_service:unconfined_u:s0

Supporting libselinux API functions are:

getseuser

users/local.users File

Generally the local.users(5) file is not present if semanage(8) is being used to manage users, however if semanage is not being used then this file may be present (it could also be present in older Reference or Example policies).

The file would contain local user definitions in the form of user statements as defined in the modules/active/users.local section.

Note that if SETLOCALDEFS is set in the SELinux config file, then selinux_mkload_policy(3) will check for a local.users file in the selinux_users_path(3), and a booleans.local file in the selinux_booleans_path(3).





  1. As each module would have its own file_contexts component that is either added to or removed from the policy's overall /etc/selinux/<policy_name>/contexts/files/file_contexts file.