PolicyConfigurationFiles

From SELinux Wiki

Revision as of 14:41, 12 May 2010 by RichardHaines (Talk | contribs)

Policy Configuration Files

Each file discussed in this section is relative to the policy name as follows:

/etc/selinux/<policy_name>

The majority of files are installed by the Reference Policy build, semanage or semodule. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example a simple monolithic policy could run at runlevel 3 (i.e. no X-Windows), and only require the following configuration files:

./policy/policy.[ver] - The binary policy loaded into the kernel.

./contexts/files/file_contexts - To allow the filesystem to be relabeled.

If the simple policy is to run at runlevel 5 (i.e. with X-Windows) then an additional file is required:

./contexts/dbus_contexts - To allow the D-Bus messaging service to run under SELinux.

seusers File

This file is used by login programs (normally via the libselinux library) and maps GNU / Linux users (as defined in the /etc/passwd file) to SELinux users (defined in the policy). A typical login sequence would be:

  • Using the GNU / Linux user name, look up the seuser_id in this file. If an entry cannot be found, then use the __default__ entry.
  • To determine the remaining context (role, type and, on MLS / MCS systems, the level or range) to be used as the security context, read the ./contexts/users/[seuser_id] file. If this file is not present, or has no usable entry, then:
    • Check for a default context in the ./contexts/default_contexts file. If no default context is found, then:
      • Read the ./contexts/failsafe_context file to allow a fail safe context to be set.

Note: The system_u user is defined in this file, however there must be no system_u GNU / Linux user configured on the system, otherwise a login through that account would be mapped to the system_u SELinux user (and, on MLS systems, to its full range).

The format of the seusers file is the same as the files described in the ./modules/active/seusers.final and seusers section, where an example semanage user command is also shown.

Example seusers file contents:

# ./seusers file for non-MCS/MLS systems.

system_u:system_u
root:root
fred:user_u
__default__:user_u

# ./seusers file for an MLS system. Note that the system_u user 
# has access to all security levels and therefore should not be 
# configured as a valid GNU / Linux user.

system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0

Supporting libselinux API functions are:

getseuser
getseuserbyname


setrans.conf File

This file is used by the mcstransd(8) daemon (available in the mcstrans package). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels, and to translate those labels back into the raw levels.

The daemon will not load unless a valid MCS or MLS policy is active.

The semanage translation command can be used to update this file.

The file format is as follows:

# Enable / disable translation service:

disable=1|0

# Each line consists of a level or range with user friendly 
# label:

level|range=text_label

Where:

disable To disable the translation service, set disable=1. To enable the service comment out the entry or set disable=0.
level|range The level or range (as defined in the MLS range definition section) that is to be translated.
text_label The user friendly label to be displayed by SELinux-aware applications that use the translation service API. It must not contain spaces.


Example file contents:

# ./setrans.conf - Taken from the reference policy.
#
# Multi-Level Security translation table for SELinux
# 
# Uncomment the following to disable translation library
# disable=1
#
# SystemLow and SystemHigh

s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

# Unclassified level
s1=Unclassified

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh

# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh


Example semanage command:

# Add a new entry to the file. Note that the -T flag component 
# (the user friendly name for the level) must not have spaces.

semanage translation -a -T Top-Level s15:c1023
# List the setrans.conf file contents

semanage translation -l 

...
s15:c1023=Top-Level

Supporting libselinux API functions are:

selinux_translations_path
selinux_raw_to_trans_context
selinux_trans_to_raw_context
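
The translation that mcstransd performs with this file is simple enough to model. The following is an added example, not mcstrans or libselinux code: it parses the setrans.conf format described above and implements a simplified version of selinux_raw_to_trans_context / selinux_trans_to_raw_context. A level or range is first looked up as an exact string; failing that, the low and high halves of a range are translated separately; failing that, the input is returned unchanged, which is also what a caller sees when disable=1 is set. The sample file and contexts are constructed for the example and the matching is purely textual (no canonicalisation of category lists such as c0,c1 versus c0.c1).

```python
# Added example: a model of setrans.conf translation, not mcstrans code.
# Constructed sample file in the format described above.
SETRANS_CONF = """\
# disable=1
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s1=Unclassified
s2=Secret
s2:c0=A
s2:c1=B
s0-s1=SystemLow-Unclassified
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
"""


def parse_setrans(text):
    """Return (disabled, {raw_level_or_range: label}); later keys override earlier ones."""
    disabled = False
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed setrans.conf line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "disable":
            disabled = value == "1"
        elif " " in value:
            # semanage translation -T rejects labels with spaces; mirror that.
            raise ValueError("translation label must not contain spaces: %r" % value)
        else:
            table[key] = value
    return disabled, table


def _split_context(context):
    """Split 'user:role:type[:level]' into (user:role:type, level-or-None)."""
    parts = context.split(":", 3)
    if len(parts) < 4:
        return context, None
    return ":".join(parts[:3]), parts[3]


def _translate_level(level, table):
    """Exact match first, then each half of a range, otherwise leave it raw."""
    if level in table:
        return table[level]
    if "-" in level:
        low, high = level.split("-", 1)
        if low in table and high in table:
            return "%s-%s" % (table[low], table[high])
    return level


def raw_to_trans_context(context, conf_text=SETRANS_CONF):
    """Replace the raw level of a context with its user friendly label."""
    disabled, table = parse_setrans(conf_text)
    prefix, level = _split_context(context)
    if disabled or level is None:
        return context
    return "%s:%s" % (prefix, _translate_level(level, table))


def trans_to_raw_context(context, conf_text=SETRANS_CONF):
    """Inverse of raw_to_trans_context: label back to the raw level."""
    disabled, table = parse_setrans(conf_text)
    reverse = {label: raw for raw, label in table.items()}
    prefix, level = _split_context(context)
    if disabled or level is None:
        return context
    return "%s:%s" % (prefix, _translate_level(level, reverse))
```

For example raw_to_trans_context("user_u:user_r:user_t:s1-s2") returns "user_u:user_r:user_t:Unclassified-Secret" even though no s1-s2 line exists, because both halves translate, while an unknown level such as s3 is handed back untouched. Because the reverse direction splits on '-', a label that itself contains a hyphen (like the Top-Level example above) is only recoverable through its exact-match entry.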


policy/policy.[ver] File

This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. The binary format is not described here; the libsepol source is the authoritative reference, and the SELinux Policy Module Primer notes give an overview.

The file name extension is the policy database version supported by the GNU / Linux release and can be found by reading policyvers from the selinux filesystem (mounted at /selinux on releases current when this page was written, and at /sys/fs/selinux on later kernels):

cat /selinux/policyvers
23

The different versions are discussed in the Policy Versions section.

contexts/customizable_types File

This file contains a list of types that will not be relabeled by the setfiles(8) or restorecon(8) commands. The commands check this file before relabeling and skip any file whose current type is in the list, unless the -F flag is used to force the relabel (see the man pages).

The file format is as follows:

type

Where:

type The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.


Example file contents:

# ./contexts/customizable_types - Taken from the reference policy.

mount_loopback_t
public_content_rw_t
public_content_t
swapfile_t
sysadm_untrusted_content_t
sysadm_untrusted_content_tmp_t

Supporting libselinux API functions are:

is_context_customizable
selinux_customizable_types_path
selinux_context_path

contexts/default_contexts File

Used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:

  1. The GNU / Linux user identity should be known by the application.
  2. If a login application, then the SELinux user (seuser) would have been determined as described in the seusers file section.
  3. The login applications will check the ./contexts/users/[seuser_id] file first and, if no valid entry is found there, will then look in this default_contexts file for a default context to use.

The file format is as follows:

role:type role:type ...

Or:

role:type:range role:type:range ...

Where:

role:type The file contains one or more lines that consist of role:type pairs. The entry at the start of a new line corresponds to the partial role:type context of (generally) the login application. The other role:type entries on that line represent an ordered list of valid contexts that could be used to set the user's context; the first entry that the policy allows for the user is the one taken.
range The range as defined in the MLS range definition section.


Example file contents:

# ./contexts/default_contexts - Taken from the reference
# policy. The entry at the start of each line 
# corresponds to the login applications role:type context. 

system_r:crond_t  user_r:user_crond_t  staff_r:staff_crond_t  sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
#
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
#
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
#
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t

# ./contexts/default_contexts - Taken from the MLS  
# reference policy.

system_r:crond_t:s0         system_r:system_crond_t:s0
system_r:local_login_t:s0   user_r:user_t:s0
system_r:remote_login_t:s0  user_r:user_t:s0
system_r:sshd_t:s0          user_r:user_t:s0
system_r:sulogin_t:s0       sysadm_r:sysadm_t:s0
system_r:xdm_t:s0           user_r:user_t:s0

Supporting libselinux API functions are:

# Note that the ./contexts/users/[seuser_id] file is also read
# by some of these functions.

selinux_contexts_path
selinux_default_context_path
get_default_context
get_ordered_context_list
get_ordered_context_list_with_level
get_default_context_with_level
get_default_context_with_role
get_default_context_with_rolelevel
query_user_context
manual_user_enter_context
get_default_role

An example use (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was user_u:unconfined_r:unconfined_t).

However when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. user_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged in user context to user_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and chose the wrong one, probably because the candidate types are sorted and 'e' comes before 'u').

The end result was that as soon as enforcing mode was set, the system became unusable. To resolve this the default_contexts file entries were set to:

unconfined_r:unconfined_t unconfined_r:unconfined_t

The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/user_u configuration file instead could also have achieved this.
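
The lookup chain described in the seusers section and above (seusers, then contexts/users/[seuser_id], then default_contexts, then failsafe_context) is modelled by the following added example. It is not libselinux code: it reads constructed copies of those files from in-memory strings and returns the context a login program would assign, taking the first candidate on the matching line that the policy allows, which is the behaviour the ext_gateway_t story turns on. The file contents and the user names fred and alice are constructed for the example; the optional MLS range field of seusers is ignored (non-MLS case), and the set of role:type pairs the policy allows is passed in rather than obtained from the kernel.

```python
# Added example (not libselinux code): a model of the login-context lookup.
# All file contents below are constructed for the example.
SEUSERS = """\
system_u:system_u
root:root
fred:user_u
__default__:user_u
"""

DEFAULT_CONTEXTS = """\
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
"""

# Per-seuser overrides, keyed by seuser (stands in for contexts/users/<seuser>).
USER_CONTEXTS = {
    "user_u": "system_r:sshd_t user_r:user_t\n",
}

FAILSAFE_CONTEXT = "sysadm_r:sysadm_t\n"


def _lines(text):
    """Yield non-empty, non-comment lines with surrounding whitespace stripped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_seusers(text):
    """Return {linux_user: seuser}; the optional third (range) field is ignored."""
    mapping = {}
    for line in _lines(text):
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed seusers line: %r" % line)
        mapping[fields[0]] = fields[1]
    return mapping


def lookup_seuser(seusers, linux_user):
    """Step 1: map the Linux user to an SELinux user, falling back to __default__."""
    if linux_user in seusers:
        return seusers[linux_user]
    if "__default__" in seusers:
        return seusers["__default__"]
    raise LookupError("no seusers entry and no __default__ for %r" % linux_user)


def parse_default_contexts(text):
    """Return {login_partial: [candidate partial contexts in file order]}."""
    table = {}
    for line in _lines(text):
        key, *candidates = line.split()
        table.setdefault(key, []).extend(candidates)
    return table


def pick_context(login_partial, table, valid_partials):
    """Return the first candidate for login_partial that the policy accepts, else None."""
    for cand in table.get(login_partial, []):
        if cand in valid_partials:
            return cand
    return None


def resolve_login_context(linux_user, login_partial, valid_partials,
                          seusers_text=SEUSERS, user_contexts=USER_CONTEXTS,
                          default_contexts_text=DEFAULT_CONTEXTS,
                          failsafe_text=FAILSAFE_CONTEXT):
    """Return 'seuser:role:type' for linux_user logging in through a program
    running as login_partial (e.g. system_r:sshd_t). valid_partials is the set
    of role:type pairs the policy allows; a real login program asks the kernel."""
    seuser = lookup_seuser(parse_seusers(seusers_text), linux_user)

    # Step 2: contexts/users/<seuser> is consulted before default_contexts.
    for text in (user_contexts.get(seuser), default_contexts_text):
        if text is None:
            continue
        chosen = pick_context(login_partial, parse_default_contexts(text), valid_partials)
        if chosen is not None:
            return "%s:%s" % (seuser, chosen)

    # Step 3: no usable entry anywhere, so fall back to failsafe_context.
    failsafe = next(_lines(failsafe_text), None)
    if failsafe is None:
        raise LookupError("no default context and no failsafe_context")
    return "%s:%s" % (seuser, failsafe)
```

With these files resolve_login_context("fred", "system_r:sshd_t", {"user_r:user_t", "staff_r:staff_t"}) returns "user_u:user_r:user_t" from the contexts/users/user_u override, a user with no seusers line goes through __default__, and a login program with no line in any file (system_r:xdm_t here) ends up with the failsafe context. Reordering the candidates on a default_contexts line changes the result, which is exactly the ext_gateway_t problem described above.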

contexts/dbus_contexts File

This file is for the D-Bus message bus daemon (dbus-daemon, a form of IPC) that is used by a number of GNU / Linux applications such as the GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The dbus-daemon(1) man page details the contents, however it is not recommended that this file is changed. The Free Desktop web site has detailed information at:

http://dbus.freedesktop.org

Example file contents:

# ./contexts/dbus_contexts - Taken from the reference policy.

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>

Supporting libselinux API function is:

selinux_context_path


contexts/default_type File

This file allows SELinux-aware applications such as newrole(1) to select a default type for a role if one is not supplied. An example use is by newrole when it is called to change a user's role with no type specified; this file is then consulted to determine the default type to use for the requested role.

The file format is as follows:

role:type

Where:

role:type The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.


Example file contents:

# ./contexts/default_type - Taken from the reference policy.

auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t

Supporting libselinux API functions are:

selinux_context_path
get_default_type


contexts/failsafe_context File

If the login process cannot determine a default context to use, then this can be set to allow an administrator access to the system by setting a known valid context.

The file format is as follows:

role:type

Or:

role:type:range

Where:

role:type The file contains a single line that consists of a role:type for a known valid context to allow an administrator access to the system.
range The range as defined in the MLS range definition section.


Example file contents:

# ./contexts/failsafe_context - Taken from the reference policy.

sysadm_r:sysadm_t
# ./contexts/failsafe_context - Taken from the MLS  
# reference policy.

sysadm_r:sysadm_t:s0


Supporting libselinux API functions are:

selinux_context_path
selinux_failsafe_context_path


contexts/initrc_context File

This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.

The file format is as follows:

security_context


Where:

security_context The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.


Example file contents:

# ./contexts/initrc_context - Taken from the reference policy.

system_u:system_r:initrc_t
# ./contexts/initrc_context - Taken from the MLS reference 
# policy. Note that the init process has full access via the 
# range s0-s15:c0.c255.

system_u:system_r:initrc_t:s0-s15:c0.c255

Supporting libselinux API functions are:

selinux_context_path


contexts/netfilter_contexts File

This file will support the SECMARK labeling for Netfilter / iptables rule matching of network packets, however it is currently unused (see the ./modules/active/netfilter_contexts & netfilter.local file section for further information).

Supporting libselinux API functions are:

selinux_context_path
selinux_netfilter_context_path


contexts/removable_contexts File

This file contains the default label that should be used for removable devices that are not defined in the contexts/files/media file.

The file format is as follows:

security_context

Where:

security_context The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.


Example file contents:

# ./contexts/removable_contexts - Taken from the reference policy.

system_u:object_r:removable_t
# ./contexts/removable_contexts - Taken from the MLS  
# reference policy.

system_u:object_r:removable_t:s0

Supporting libselinux API functions are:

selinux_removable_context_path

contexts/securetty_types File

This file is used by the newrole(1) command to find the type to use with tty devices when changing roles or levels.

The file format is as follows:

type

Where:

type Zero or more type entries that are defined in the policy for tty devices.


Example file contents:

# ./contexts/securetty_types - Taken from the reference policy.

sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
# ./contexts/securetty_types - Taken from the MLS reference 
# policy.

sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

Supporting libselinux API functions are:

selinux_securetty_types_path


contexts/userhelper_context File

This file contains the default security context used by the system-config-* applications when running from root.

The file format is as follows:

security_context

Where:

security_context The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.


Example file contents:

# ./contexts/userhelper_context - Taken from the reference policy.

system_u:sysadm_r:sysadm_t
# ./contexts/userhelper_context - Taken from the MLS  
# reference policy.

system_u:sysadm_r:sysadm_t:s0

Supporting libselinux API functions are:

selinux_context_path


contexts/virtual_domain_context File

This is used by the virtualization API (libvirt) and provides the domain contexts that can be used (these are defined in the policy).

Example file contents:

# ./contexts/virtual_domain_context - Taken from the standard
# reference policy.

system_u:system_r:svirt_t
# ./contexts/virtual_domain_context - Taken from the MLS/MCS
# reference policy.

system_u:system_r:svirt_t:s0

Supporting libselinux API functions are:

selinux_virtual_domain_context_path


contexts/virtual_image_context File

This is used by the virtualization API (libvirt) and provides the image contexts that can be used (these are defined in the policy).

Example file contents:

# ./contexts/virtual_image_context - Taken from the standard
# reference policy.

system_u:system_r:svirt_image_t:s0
system_u:system_r:svirtcontent_t:s0
# ./contexts/virtual_image_context - Taken from the MLS/MCS
# reference policy.

system_u:system_r:svirt_image_t:s0
system_u:system_r:svirtcontent_t:s0

Supporting libselinux API functions are:

selinux_virtual_image_context_path


contexts/x_contexts File

This file provides the security contexts (and other configuration information) for the X-Windows SELinux security extension. The usage is discussed in the X-windows SELinux Support section and examples of how to add additional entries are shown in the Experimenting with X-Windows section. The MCS / MLS version of the file has the appropriate level or range information added.

The selabel_* set of libselinux API functions allow information to be retrieved from the x_contexts file. These are described in the relevant man pages and also in selabel_x(5).

A typical entry is as follows:

# object_type  object_name  context
selection      PRIMARY      system_u:object_r:clipboard_xselection_t

Where:

object_type These are the types of object supported and valid entries are: client, property, poly_property, extension, selection, poly_selection and event.
object_name These are the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package) or by the X-Windows application (e.g. using XInternAtom).

The name is a shell-style wildcard pattern: '*' matches any sequence of characters and '?' matches exactly one character (see the CUT_BUFFER? entry, where the '?' stands for the single digit 0 to 7 that numbers these buffers). Rules are tried in file order and the first match wins, which is why the '*' fallback rule for an object type must come after the specific rules of that type.

context This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label (:s0 as standard).


Example file contents (taken from the 20091117 Reference Policy):

#
# Config file for XSELinux extension
#
### Rules for X Clients
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client * system_u:object_r:remote_t

#
### Rules for X Properties
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#

# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t

# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t

# Default fallback type
property * system_u:object_r:xproperty_t

#
### Rules for X Extensions
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux system_u:object_r:security_xextension_t

# Standard extensions
extension * system_u:object_r:xextension_t

#
### Rules for X Selections
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY   system_u:object_r:clipboard_xselection_t
selection CLIPBOARD system_u:object_r:clipboard_xselection_t

# Default fallback type
selection * system_u:object_r:xselection_t

#
### Rules for X Events
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress         system_u:object_r:input_xevent_t
event X11:KeyRelease       system_u:object_r:input_xevent_t
event X11:ButtonPress      system_u:object_r:input_xevent_t
event X11:ButtonRelease    system_u:object_r:input_xevent_t
event X11:MotionNotify     system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyPress       system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyRelease     system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonPress    system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonRelease  system_u:object_r:input_xevent_t
event XInputExtension:DeviceMotionNotify   system_u:object_r:input_xevent_t
event XInputExtension:DeviceValuator   system_u:object_r:input_xevent_t
event XInputExtension:ProximityIn      system_u:object_r:input_xevent_t
event XInputExtension:ProximityOut     system_u:object_r:input_xevent_t

# Client message events
event X11:ClientMessage   system_u:object_r:client_xevent_t
event X11:SelectionNotify system_u:object_r:client_xevent_t
event X11:UnmapNotify     system_u:object_r:client_xevent_t
event X11:ConfigureNotify system_u:object_r:client_xevent_t

# Default fallback type
event * system_u:object_r:xevent_t

Supporting libselinux API functions are:

selinux_x_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats
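
The following added example models the selabel_x lookup over a file in the format above. It is not libselinux's own label_x.c: it parses object_type / object_name / context lines, answers a lookup by returning the context of the first rule of the requested type whose name pattern matches (with '*' and '?' given their shell wildcard meaning), and flags rules that can never fire because a '*' catch-all of the same type precedes them, the ordering mistake the file's own comments warn about. The sample file is a shortened, constructed version of the one shown above.

```python
# Added example (not libselinux code): a model of the x_contexts lookup.
import fnmatch

# Constructed, shortened x_contexts file in the format described above.
X_CONTEXTS = """\
# object_type  object_name  context
client    *            system_u:object_r:remote_t
property  _SELINUX_*   system_u:object_r:seclabel_xproperty_t
property  CUT_BUFFER?  system_u:object_r:clipboard_xproperty_t
property  *            system_u:object_r:xproperty_t
extension SELinux      system_u:object_r:security_xextension_t
extension *            system_u:object_r:xextension_t
selection PRIMARY      system_u:object_r:clipboard_xselection_t
selection CLIPBOARD    system_u:object_r:clipboard_xselection_t
selection *            system_u:object_r:xselection_t
event     X11:KeyPress system_u:object_r:input_xevent_t
event     *            system_u:object_r:xevent_t
"""

OBJECT_TYPES = {"client", "property", "poly_property", "extension",
                "selection", "poly_selection", "event"}


def parse_x_contexts(text):
    """Return a list of (object_type, name_pattern, context) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 fields, got %r" % (lineno, line))
        obj_type, pattern, context = fields
        if obj_type not in OBJECT_TYPES:
            raise ValueError("line %d: unknown object type %r" % (lineno, obj_type))
        rules.append((obj_type, pattern, context))
    return rules


def lookup_x_context(rules, obj_type, name):
    """Return the context of the first rule of obj_type whose pattern matches name, else None."""
    for rule_type, pattern, context in rules:
        if rule_type == obj_type and fnmatch.fnmatchcase(name, pattern):
            return context
    return None


def shadowed_rules(rules):
    """Return rules that can never match because a '*' rule of the same type precedes them."""
    seen_catchall = set()
    shadowed = []
    for rule in rules:
        obj_type, pattern, _ = rule
        if obj_type in seen_catchall:
            shadowed.append(rule)
        elif pattern == "*":
            seen_catchall.add(obj_type)
    return shadowed
```

With these rules CUT_BUFFER3 gets clipboard_xproperty_t but CUT_BUFFER10 falls through to xproperty_t, since '?' matches one character only, and a lookup for an object type with no rules at all (poly_property here) returns None rather than a default. Running shadowed_rules over a file in which the property '*' line has been moved above the CUT_BUFFER? line reports that line as unreachable.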

contexts/files/file_contexts File

This file is managed by the semodule and semanage commands as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited. Each module carries its own file_contexts component, which is added to, or removed from, the policy's overall /etc/selinux/[policy_name]/contexts/files/file_contexts file as the module is installed or removed.

The file is used by a number of SELinux-aware commands (setfiles(8), fixfiles(8), matchpathcon(8), restorecon(8)) to relabel either part or all of the file system.

Note that users' home directory file contexts are not present in this file as they are managed by the file_contexts.homedirs file as explained below.

The format of the file_contexts file is the same as the files described in the ./modules/active/file_contexts file section.

Supporting libselinux API functions are:

selinux_file_context_path
selinux_file_context_verify
selinux_file_context_local_path


contexts/files/file_contexts.local File

This file is added by the semanage fcontext command as described in the ./modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly.

contexts/files/file_contexts.homedirs File

This file is managed by the semodule and semanage commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.

It is generated by the genhomedircon(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files.

It is fully described in the ./modules/active/file_contexts.homedirs file section.

Supporting libselinux API functions are:

selinux_file_context_homedir_path
selinux_homedir_context_path


contexts/files/media File

Used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the ./contexts/removable_contexts is used instead.

The file format is as follows:

media_id file_context

Where:

media_id The media identifier (those known are: cdrom, floppy, disk and usb).
file_context The context to be used for the device. Note that the reference policy file carries no MLS / MCS level, even for MLS builds.


Example file contents:

# ./contexts/files/media - Taken from the reference policy 
# (note that the same file is generated for all types of policy).

cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t

Supporting libselinux API functions are:

selinux_media_context_path


contexts/users/[seuser_id] File

These optional files are named after the SELinux user they represent (e.g. seuser_id = user_u). Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user.

Example file contents:

# ./contexts/users/user_u - Taken from the reference policy.

system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
system_r:crond_t user_r:user_t
# ./contexts/users/user_u - Taken from the MLS  
# reference policy.

system_r:local_login_t:s0  user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0         user_r:user_t:s0
system_r:crond_t:s0        user_r:user_t:s0
system_r:xdm_t:s0          user_r:user_t:s0
user_r:user_su_t:s0        user_r:user_t:s0
user_r:user_sudo_t:s0      user_r:user_t:s0

Supporting libselinux API functions are:

selinux_user_contexts_path
selinux_users_path
selinux_usersconf_path