PolicyConfigurationFiles
Revision as of 14:31, 12 May 2010
Policy Configuration Files
Each file discussed in this section is relative to the policy name as follows:
/etc/selinux/<policy_name>
The majority of files are installed by the Reference Policy, semanage or semodule processes. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example, a simple monolithic policy could run at init 3 (i.e. no X-Windows) and only require the following configuration files:
./policy/policy.[ver] - The binary policy loaded into the kernel.
./contexts/files/file_contexts - To allow the filesystem to be relabeled.
If the simple policy is to run at init 5 (i.e. with X-Windows), then an additional file is required:
./contexts/dbus_contexts - To allow the dbus messaging service to run under SELinux.
seusers File
This file is used by login programs (normally via the libselinux library) and maps GNU / Linux users (as defined in the user / passwd files) to SELinux users (defined in the policy). A typical login sequence would be:
- Using the GNU / Linux user_id, look up the seuser_id in this file. If an entry cannot be found, then use the __default__ entry.
- To determine the remaining context to be used as the security context, read the ./contexts/users/[seuser_id] file. If this file is not present, then:
- Check for a default context in the ./contexts/default_contexts file. If no default context is found, then:
- Read the ./contexts/failsafe_context file to allow a fail safe context to be set.
Note: The system_u user is defined in this file, however there must be no system_u GNU / Linux user configured on the system.
The format of the seusers file is the same as the files described in the ./modules/active/seusers.final and seusers section, where an example semanage user command is also shown.
Example seusers file contents:
# ./seusers file for non-MCS/MLS systems.
system_u:system_u
root:root
fred:user_u
__default__:user_u

# ./seusers file for an MLS system. Note that the system_u user
# has access to all security levels and therefore should not be
# configured as a valid GNU / Linux user.
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0
Supporting libselinux API functions are:
getseuser
getseuserbyname
setrans.conf File
This file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.
The daemon will not load unless a valid MCS or MLS policy is active.
The semanage command can be used to update this file.
The file format is as follows:
# Enable / disable translation service:
disable=1|0
# Each line consists of a level or range with user friendly
# label:
level|range=text_label
Where:
disable - To disable the translation service, set disable=1. To enable the service comment out the entry or set disable=0.
range - The optional level or range as defined in the MLS range definition section.
text_label - The user friendly label to be displayed by SELinux-aware applications that use the translation service API.
Example file contents:
# ./setrans.conf - Taken from the reference policy.
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation library
# disable=1
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
Example semanage command:
# Add a new entry to the file. Note that the -T flag component
# (the user friendly name for the level) must not have spaces.
semanage translation -a -T Top-Level s15:c1023

# List the setrans.conf file contents
semanage translation -l
...
s15:c1023=Top-Level
Supporting libselinux API functions are:
selinux_translations_path
selinux_raw_to_trans_context
selinux_trans_to_raw_context
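The level-to-label mapping that setrans.conf defines, applied to full security contexts in both directions (the job of selinux_raw_to_trans_context and selinux_trans_to_raw_context), as an added Python example that is not part of the original page or of mcstrans. The configuration subset and the function names are constructed for illustration, and a level or range is matched by exact lookup of the string against the table, which is the format this section documents.

```python
# Constructed subset of a ./setrans.conf file in the format described above.
SETRANS_CONF = """\
# Uncomment the following to disable translation library
# disable=1
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s2=Secret
s2:c0=A
s2:c1=B
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
"""


def parse_setrans(text):
    """Return (disabled, table) where table maps a raw level or range string
    (the part before the first '=') to its user friendly label."""
    disabled = False
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not a level=label line; ignore it
        if key.strip() == "disable":
            disabled = value.strip() == "1"
        else:
            table[key.strip()] = value.strip()
    return disabled, table


def split_context(context):
    """Split user:role:type[:level] into ('user:role:type', level-or-None).
    The level itself may contain ':' (e.g. s2:c0,c1-s15:c0.c1023), so only the
    first three fields are taken as user, role and type."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return ":".join(parts[:3]), parts[3] if len(parts) == 4 else None


def raw_to_trans(context, conf=SETRANS_CONF):
    """Replace the raw level/range of a context with its label. A context whose
    level is not in the table, or any context when disable=1, is returned unchanged."""
    disabled, table = parse_setrans(conf)
    base, level = split_context(context)
    if disabled or level is None or level not in table:
        return context
    return base + ":" + table[level]


def trans_to_raw(context, conf=SETRANS_CONF):
    """The reverse mapping: label back to raw level/range, unchanged if unknown."""
    disabled, table = parse_setrans(conf)
    reverse = {label: raw for raw, label in table.items()}
    base, level = split_context(context)
    if disabled or level is None or level not in reverse:
        return context
    return base + ":" + reverse[level]
```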
policy/policy.[ver] File
This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. The format is not described here; the libsepol source can be used as a reference, and the SELinux Policy Module Primer notes give an overview.
The file name extension is the policy database version supported by the GNU / Linux release and can be found by executing the following command:
cat /selinux/policyvers
23
The different versions are discussed in the Policy Versions section.
contexts/customizable_types File
This file contains a list of types that will not be relabeled by the setfiles(8) or restorecon(8) commands. The commands check this file before relabeling and exclude the types in the list unless the -F flag is used (see the man pages).
The file format is as follows:
type
Where:
type - The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.
Example file contents:
# ./contexts/customizable_types - Taken from the reference policy.
mount_loopback_t
public_content_rw_t
public_content_t
swapfile_t
sysadm_untrusted_content_t
sysadm_untrusted_content_tmp_t
Supporting libselinux API functions are:
is_context_customizable
selinux_customizable_types_path
selinux_context_path
contexts/default_contexts File
Used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:
- The GNU / Linux user identity should be known by the application.
- If a login application, then the SELinux user (seuser), would have been determined as described in the seusers file section.
- The login applications will check the ./contexts/users/[seuser_id] file first and, if there is no valid entry, will then look in this default_contexts file for a default context to use.
The file format is as follows:
role:type role:type ...
Or:
role:type:range role:type:range ...
Where:
role:type - The file contains one or more lines that consist of role:type pairs. The entry at the start of a new line corresponds to the partial role:type context of (generally) the login application. The other role:type entries on that line represent an ordered list of valid contexts that could be used to set the user's context.
range - The range as defined in the MLS range definition section.
Example file contents:
# ./contexts/default_contexts - Taken from the reference
# policy. The entry at the start of each line
# corresponds to the login applications role:type context.
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
#
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
#
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
#
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t

# ./contexts/default_contexts - Taken from the MLS
# reference policy.
system_r:crond_t:s0 system_r:system_crond_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
Supporting libselinux API functions are:
# Note that the ./contexts/users/[seuser_id] file is also read
# by some of these functions.
selinux_contexts_path
selinux_default_context_path
get_default_context
get_ordered_context_list
get_ordered_context_list_with_level
get_default_context_with_level
get_default_context_with_role
get_default_context_with_rolelevel
query_user_context
manual_user_enter_context
get_default_role
An example of how this file is used: when the initial basic policy was built, no default_contexts file entries were required, as only one role:type of unconfined_r:unconfined_t had been defined; the login process therefore did not need to decide anything (the only user context was user_u:unconfined_r:unconfined_t).
However, when adding the loadable module that used another type (ext_gateway_t) with the same role and user (e.g. user_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged-in user context to user_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and chose the wrong one, probably because the types are sorted and 'e' comes before 'u').
The end result was that as soon as enforcing mode was set, the system became unusable. To resolve this the default_contexts file entries were set to:
unconfined_r:unconfined_t unconfined_r:unconfined_t
The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/user_u configuration file instead could also have achieved this.
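The lookup order given in the seusers section (seusers, then contexts/users/[seuser_id], then default_contexts, then failsafe_context) and the first-candidate choice that produced the ext_gateway_t surprise described just above, traced in Python as an added example that is not part of the original page or of libselinux. All file contents and the function names are constructed for illustration; the example deliberately omits the policy validation (security_check_context) that a real login program applies to each candidate.

```python
# Constructed sample files in the formats this page describes; not copied
# from any real system.
SEUSERS = """\
# ./seusers (constructed, MLS-style)
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0
"""

# ./contexts/default_contexts (constructed)
DEFAULT_CONTEXTS = """\
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
"""

# ./contexts/users/[seuser_id] files (constructed); only user_u has one here
USER_CONTEXT_FILES = {
    "user_u": "system_r:sshd_t:s0 user_r:user_t:s0\n",
}

# ./contexts/failsafe_context (constructed)
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0\n"


def _entries(text):
    """Yield the non-blank, non-comment lines of a configuration file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def lookup_seuser(seusers_text, linux_user):
    """Map a GNU / Linux user to (seuser_id, level); unknown users get __default__."""
    table = {}
    for line in _entries(seusers_text):
        fields = line.split(":", 2)            # user:seuser[:level]
        table[fields[0]] = (fields[1], fields[2] if len(fields) == 3 else None)
    return table.get(linux_user, table["__default__"])


def ordered_contexts(contexts_text, login_partial):
    """The candidates listed after login_partial in a default_contexts-format
    file, in file order; the first one is what a login program would pick."""
    for line in _entries(contexts_text):
        fields = line.split()
        if fields[0] == login_partial:
            return fields[1:]
    return []


def resolve_login_context(linux_user, login_partial):
    """Return (full context, name of the file it came from) for a login of
    linux_user through a login program whose partial context is login_partial."""
    seuser, level = lookup_seuser(SEUSERS, linux_user)
    candidates = ordered_contexts(USER_CONTEXT_FILES.get(seuser, ""), login_partial)
    source = "contexts/users/" + seuser
    if not candidates:
        candidates = ordered_contexts(DEFAULT_CONTEXTS, login_partial)
        source = "contexts/default_contexts"
    if not candidates:
        candidates = list(_entries(FAILSAFE_CONTEXT))
        source = "contexts/failsafe_context"
    chosen = candidates[0]                     # first listed candidate wins
    if len(chosen.split(":", 2)) < 3 and level:  # role:type with no level: use seusers level
        chosen = chosen + ":" + level
    return seuser + ":" + chosen, source
```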
contexts/dbus_contexts File
This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as the GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The dbus-daemon man page details the contents, however it is not recommended that this file is changed. The Free Desktop web site has detailed information at:
Example file contents:
# ./contexts/dbus_contexts - Taken from the reference policy.
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <selinux>
  </selinux>
</busconfig>
Supporting libselinux API function is:
selinux_context_path
contexts/default_type File
This file allows SELinux-aware applications such as newrole(1) to select a default type for a role if one is not supplied. For example, when newrole is called to change a user's role with no type specified, this file is consulted to determine the default type to use for the requested role.
The file format is as follows:
role:type
Where:
role:type - The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.
Example file contents:
# ./contexts/default_type - Taken from the reference policy.
auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t
Supporting libselinux API functions are:
selinux_context_path
get_default_type
contexts/failsafe_context File
If the login process cannot determine a default context to use, then this can be set to allow an administrator access to the system by setting a known valid context.
The file format is as follows:
role:type
Or:
role:type:range
Where:
role:type - The file contains a single line that consists of a role:type for a known valid context to allow an administrator access to the system.
range - The range as defined in the MLS range definition section.
Example file contents:
# ./contexts/failsafe_context - Taken from the reference policy.
sysadm_r:sysadm_t

# ./contexts/failsafe_context - Taken from the MLS
# reference policy.
sysadm_r:sysadm_t:s0
Supporting libselinux API functions are:
selinux_context_path
selinux_failsafe_context_path
contexts/initrc_context File
This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.
The file format is as follows:
security_context
Where:
security_context - The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
Example file contents:
# ./contexts/initrc_context - Taken from the reference policy.
system_u:system_r:initrc_t

# ./contexts/initrc_context - Taken from the MLS reference
# policy. Note that the init process has full access via the
# range s0-s15:c0.c255.
system_u:system_r:initrc_t:s0-s15:c0.c255
Supporting libselinux API functions are:
selinux_context_path
contexts/netfilter_contexts File
This file will support Secmark labeling for Netfilter / iptables rule matching of network packets, however it is currently unused (see the ./modules/active/netfilter_contexts & netfilter.local file section for further information).
Supporting libselinux API functions are:
selinux_context_path
selinux_netfilter_context_path
contexts/removable_contexts File
This file contains the default label that should be used for removable devices that are not defined in the contexts/files/media file.
The file format is as follows:
security_context
Where:
security_context - The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
Example file contents:
# ./contexts/removable_contexts - Taken from the reference policy.
system_u:object_r:removable_t

# ./contexts/removable_contexts - Taken from the MLS
# reference policy.
system_u:object_r:removable_t:s0
Supporting libselinux API functions are:
selinux_removable_context_path
contexts/securetty_types File
This file is used by the newrole(1) command to find the type to use with tty devices when changing roles or levels.
The file format is as follows:
type
Where:
type - Zero or more type entries that are defined in the policy for tty devices.
Example file contents:
# ./contexts/securetty_types - Taken from the reference policy.
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

# ./contexts/securetty_types - Taken from the MLS reference
# policy.
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
Supporting libselinux API functions are:
selinux_securetty_types_path
contexts/userhelper_context File
This file contains the default security context used by the system-config-* applications when running from root.
The file format is as follows:
security_context
Where:
security_context - The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
Example file contents:
# ./contexts/userhelper_context - Taken from the reference policy.
system_u:sysadm_r:sysadm_t

# ./contexts/userhelper_context - Taken from the MLS
# reference policy.
system_u:sysadm_r:sysadm_t:s0
Supporting libselinux API functions are:
selinux_context_path
contexts/virtual_domain_context File
This is used by the virtualization API (libvirt) and provides the domain contexts that can be used (these are defined in the policy).
Example file contents:
# ./contexts/virtual_domain_context - Taken from the standard
# reference policy.
system_u:system_r:svirt_t

# ./contexts/virtual_domain_context - Taken from the MLS/MCS
# reference policy.
system_u:system_r:svirt_t:s0
Supporting libselinux API functions are:
selinux_virtual_domain_context_path
contexts/virtual_image_context File
This is used by the virtualization API (libvirt) and provides the image contexts that can be used (these are defined in the policy).
Example file contents:
# ./contexts/virtual_image_context - Taken from the standard
# reference policy.
system_u:system_r:svirt_image_t:s0
system_u:system_r:svirtcontent_t:s0

# ./contexts/virtual_image_context - Taken from the MLS/MCS
# reference policy.
system_u:system_r:svirt_image_t:s0
system_u:system_r:svirtcontent_t:s0
Supporting libselinux API functions are:
selinux_virtual_image_context_path
contexts/x_contexts File
This file provides the security contexts (and other configuration information) for the X-Windows SELinux security extension. Its usage is discussed in the X-windows SELinux Support section, and examples of how to add additional entries are shown in the Experimenting with X-Windows section. The MCS / MLS version of the file has the appropriate level or range information added.
The selabel_* set of libselinux API functions allow information to be retrieved from the x_contexts file. These are described in the relevant man pages and also in selabel_x(5).
A typical entry is as follows:
# object_type object_name context
selection PRIMARY system_u:object_r:clipboard_xselection_t
Where:
object_type - The type of object; valid entries are: client, property, poly_property, extension, selection, poly_selection and events.
object_name - The object name of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package). This can contain '*' for 'any' or '?' for 'substitute' (see the CUT_BUFFER? entry where the '?' would be substituted for a number between 0 and 7 that represents the number of these buffers).
context - The security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label (:s0 as standard).
Example file contents (taken from the 20091117 Reference Policy):
#
# Config file for XSELinux extension
#
### Rules for X Clients
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client * system_u:object_r:remote_t
#
### Rules for X Properties
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t
# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
# Default fallback type
property * system_u:object_r:xproperty_t
#
### Rules for X Extensions
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux system_u:object_r:security_xextension_t
# Standard extensions
extension * system_u:object_r:xextension_t
#
### Rules for X Selections
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY system_u:object_r:clipboard_xselection_t
selection CLIPBOARD system_u:object_r:clipboard_xselection_t
# Default fallback type
selection * system_u:object_r:xselection_t
#
### Rules for X Events
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress system_u:object_r:input_xevent_t
event X11:KeyRelease system_u:object_r:input_xevent_t
event X11:ButtonPress system_u:object_r:input_xevent_t
event X11:ButtonRelease system_u:object_r:input_xevent_t
event X11:MotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t
# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t
event X11:SelectionNotify system_u:object_r:client_xevent_t
event X11:UnmapNotify system_u:object_r:client_xevent_t
event X11:ConfigureNotify system_u:object_r:client_xevent_t
# Default fallback type
event * system_u:object_r:xevent_t
Supporting libselinux API functions are:
selinux_x_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats
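An x_contexts lookup in the style of selabel_lookup, with the '*' / '?' matching the object_name description above gives and a check for the ordering rule the file's own comments state (a default '*' rule placed before a specific rule of the same object_type makes the specific rule unreachable), as an added Python example that is not part of the original page or of libselinux. The file subsets and the function names are constructed for illustration.

```python
import re

# Constructed subset of an x_contexts file (object_type object_name context).
X_CONTEXTS = """\
# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t
# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
# Default fallback type
property * system_u:object_r:xproperty_t
extension SELinux system_u:object_r:security_xextension_t
extension * system_u:object_r:xextension_t
selection PRIMARY system_u:object_r:clipboard_xselection_t
selection * system_u:object_r:xselection_t
event X11:KeyPress system_u:object_r:input_xevent_t
event * system_u:object_r:xevent_t
"""

# Constructed mis-ordered file: the property default precedes a specific rule.
X_CONTEXTS_BAD_ORDER = """\
property * system_u:object_r:xproperty_t
property _SELINUX_* system_u:object_r:seclabel_xproperty_t
"""


def parse_x_contexts(text):
    """Return the rules as (object_type, name_pattern, context) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 fields, got %r" % (lineno, raw))
        rules.append(tuple(fields))
    return rules


def _pattern_re(pattern):
    """'*' matches any run of characters, '?' exactly one; all else is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts) + r"\Z")


def lookup(rules, object_type, object_name):
    """First matching rule wins; None when no rule of that object_type matches."""
    for rtype, pattern, context in rules:
        if rtype == object_type and _pattern_re(pattern).match(object_name):
            return context
    return None


def shadowed_rules(rules):
    """Lint: rules of an object_type that follow that type's '*' default rule
    can never be reached. Returns their (object_type, name_pattern) pairs."""
    default_seen = set()
    shadowed = []
    for rtype, pattern, _ in rules:
        if rtype in default_seen:
            shadowed.append((rtype, pattern))
        elif pattern == "*":
            default_seen.add(rtype)
    return shadowed
```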
contexts/files/file_contexts File
This file is managed by the semodule and semanage commands [Ref 1] as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited.
Ref 1 - Each module has its own file_contexts component that is either added to or removed from the policy's overall /etc/selinux/[policy_name]/contexts/files/file_contexts file.
The file is used by a number of SELinux-aware commands (setfiles(8), fixfiles(8), matchpathcon(8), restorecon(8)) to relabel either part or all of the file system.
Note that users' home directory file contexts are not present in this file as they are managed by the file_contexts.homedirs file as explained below.
The format of the file_contexts file is the same as the files described in the ./modules/active/file_contexts file section.
Supporting libselinux API functions are:
selinux_file_context_path
selinux_file_context_verify
selinux_file_context_local_path
contexts/files/file_contexts.local File
This file is added by the semanage fcontext command as described in the ./modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly.
contexts/files/file_contexts.homedirs File
This file is managed by the semodule and semanage commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.
It is generated by the genhomedircon(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files.
It is fully described in the ./modules/active/file_contexts.homedirs file section.
Supporting libselinux API functions are:
selinux_file_context_homedir_path
selinux_homedir_context_path
contexts/files/media File
Used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the ./contexts/removable_contexts is used instead.
The file format is as follows:
media_id file_context
Where:
media_id - The media identifier (those known are: cdrom, floppy, disk and usb).
file_context - The context to be used for the device. Note that it does not appear to have the MLS / MCS level.
Example file contents:
# ./contexts/files/media - Taken from the reference policy
# (note that the same file is generated for all types of policy).
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t
Supporting libselinux API functions are:
selinux_media_context_path
contexts/users/[seuser_id] File
These optional files are named after the SELinux user they represent (e.g. seuser_id = user_u). Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user.
Example file contents:
# ./contexts/users/user_u - Taken from the reference policy.
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
system_r:crond_t user_r:user_t

# ./contexts/users/user_u - Taken from the MLS
# reference policy.
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
Supporting libselinux API functions are:
selinux_user_contexts_path
selinux_users_path
selinux_usersconf_path