NB Poly

From SELinux Wiki
Revision as of 15:16, 17 May 2010 by RichardHaines (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Polyinstantiation

GNU / Linux supports the polyinstantiation of directories that can be utilised by SELinux via the Pluggable Authentication Module (PAM) that is explained in the next section. The "Polyinstantiation of directories in an SELinux system" also gives a more detailed overview of the subject.

Polyinstantiation of objects is also supported for X-windows selections and properties that are discussed in the X-windows section. Note that sockets are not yet supported.

To clarify polyinstantiation support:

  1. The polyinstantiation of directories is a function of GNU / Linux not SELinux (as more correctly, the GNU / Linux services such as PAM have been modified to support polyinstantiation of directories and have also been made SELinux-aware. Therefore their services can be controlled via policy).
  2. The polyinstantiation of X-windows selections and properties is a function of the XSELinux Object Manager and the supporting XACE service. These two services are effectively X-windows extensions that can be disabled if required.
  3. SELinux has a type_member rule that supports polyinstantiated objects. An example using X-windows selections is shown in the Experimenting with X-Windows section of volume 2.

Polyinstantiated Objects

Polyinstantiation is supported by SELinux using the type_member rule. This statement is not limited to specific object classes, however GNU / Linux currently only supports dir, x_selection and x_property objects.

The following libselinux API functions support polyinstantiation as detailed in the API Summary for libselinux section:

avc_compute_member
security_compute_member
security_compute_member_raw

Polyinstantiation support in PAM

PAM supports polyinstantiation of directories at login time using the Shared Subtree / Namespace services available within GNU / Linux (the namespace.conf(5) man page is also a good reference). Note that PAM and Namespace services are SELinux-aware.

The default installation of F-12 does not enable polyinstantiated directories, therefore this section will show the configuration required to enable the feature and some configuration examples.

To implement polyinstantiated directories PAM requires the following files to be configured:

  • A pam_namespace module entry added to the appropriate /etc/pam.d/ login configuration file (e.g. login, sshd, gdm etc.). F-12 already has these entries configured, with an example /etc/pam.d/gdm file being:
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
# auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
  • Entries added to the /etc/security/namespace.conf file that defines the directories to be polyinstantiated by PAM (and other services that may need to use the namespace service). The entries are explained in the namespace.conf section, with the default entries in F-12 being (note that the entries are commented out in the distribution):
#polydir instance-prefix      method list_of_uids
/tmp     /tmp-inst/           level  root,adm
/var/tmp /var/tmp/tmp-inst/   level  root,adm
$HOME    $HOME/$USER.inst/    level

Once these files have been configured and a user logs in (although not root or adm in the above example), the PAM pam_namespace module would unshare the current namespace from the parent and mount namespaces according to the rules defined in the namespace.conf file. The F-12 configuration also includes an /etc/security/namespace.init script that is used to initialise the namespace every time a new directory instance is set-up. This script receives four parameters: the polyinstantiated directory path, the instance directory path, a flag to indicate if new instance, and the user name. If a new instance is being set up, the directory permissions are set and the restorecon(8) command is run to set the correct file contexts.

namespace.conf Configuration File

Each line in the namespace.conf file is formatted as follows:

polydir instance_prefix method list_of_uids

Where:

polydir The absolute path name of the directory to polyinstantiate. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.
instance_prefix A string prefix used to build the pathname for the polyinstantiated directory. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.
method This is used to determine the method of polyinstantiation with valid entries being:

user - Polyinstantiation is based on user name.

level - Polyinstantiation is based on the user name and MLS level.

context - Polyinstantiation is based on the user name and security context.

Note that level and context are only valid for SELinux enabled systems.

list_of_uids A comma separated list of user names that will not have polyinstantiated directories. If blank, then all users are polyinstantiated. If the list is preceded with an "~" character, then only the users in the list will have polyinstantiated directories.

There are a number of optional flags available that are described in the namespace.conf(5) man page.


Example Configurations

This section shows two sample namespace.conf configurations, the first uses the method=user and the second method=context. It should be noted that while polyinstantiation is enabled, the full path names will not be visible, it is only when polyinstantiation is disabled that the directories become visible.

Example 1 - method=user:

  • Set the /etc/security/namespace.conf entries as follows:
#polydir instance-prefix     method list_of_uids
/tmp     /tmp-inst/          user   root,adm
/var/tmp /var/tmp/tmp-inst/  user   root,adm
$HOME    $HOME/$USER.inst/   user
  • Login as a normal user (rch in this example) and the PAM / Namespace process will build the following polyinstantiated directories:
# The directories will contain the user name as a part of 
# the polyinstantiated directory name as follows:

# /tmp
/tmp/tmp-inst/rch

# /var/tmp:
/var/tmp/tmp-inst/rch

# $HOME
/home/rch/rch.inst/rch

Example 2 - method=context:

  • Set the /etc/security/namespace.conf entries as follows:
#polydir instance-prefix          method  list_of_uids
/tmp     /tmp-inst/               context root,adm
/var     /tmp /var/tmp/tmp-inst/  context root,adm
$HOME    $HOME/$USER.inst/        context
  • Login as a normal user (rch in this example) and the PAM / Namespace process will build the following polyinstantiated directories:
# The directories will contain the security context and 
# user name as a part of the polyinstantiated directory 
# name as follows:

# /tmp
/tmp/tmp-inst/user_u:unconfined_r:unconfined_t_rch

# /var/tmp:
/var/tmp/tmp-inst/user_u:unconfined_r:unconfined_t_rch

# $HOME
/home/rch/rch.inst/user_u:unconfined_r:unconfined_t_rch


Polyinstantiation support in X-Windows

The X-windows SELinux object manager and XACE (X Access Control Extension) supports x_selection and x_property polyinstantiated objects as discussed in the SELinux X-Windows Support section.

Polyinstantiation support in the Reference Policy

The reference policy files.te and files.if modules (in the kernel layer) support polyinstantiated directories. There is also a global tunable (a boolean called allow_polyinstantiation) that can be used to set this functionality on or off during login. By default this boolean is set false (off).

The polyinstantiation of X-windows objects (x_selection and x_property) are not currently supported by the reference policy, however the Experimenting with X-Windows section in volume 2 shows an x_selection example.