From Fedora Project Wiki

Revision as of 11:44, 10 June 2011 by Dwalsh (talk | contribs) (Created page with '{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To rea...')




Feature Name

SELinux File Name Transition

Summary

This change allows us to write a rule in policy that states: if a process labeled A_t creates a file in a directory labeled B_t and the file is named "filename", it will get the label C_t.

An example of this is the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would be created with the label admin_home_t, even though the policy requires it to be labeled ssh_home_t.

Now we can write a rule in policy that states: if the unconfined_t process creates the ".ssh" directory in a directory labeled admin_home_t, then it will be created with the label ssh_home_t.

Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: [Fedora 16]
  • Last updated: (DATE)
  • Percentage of completion: 90%


Detailed Description

SELinux has always had the problem of how to get the right default label onto an object when the object is created. Up until now, there have been three ways of getting the initial label on an object.

The default way an object gets labelled is to inherit the label of the parent directory. If you create a file named foo in a directory labelled etc_t, then foo will be labeled etc_t.

This works well in most cases, but in some cases you want to have multiple files within a directory with different labels.

Policy writers have the ability to override this by writing a rule in policy that states: if a process with type a_t creates an object of class "file" in a directory labeled b_t, the object will be created c_t. One problem with this is that a single program might create multiple objects in the same directory where each object requires a different label.

Some applications have SELinux awareness built in that allows them to ask the system what the label of a certain path should be, and then request from the kernel that the object be created with that label. Obvious examples of SELinux-aware applications are rpm, restorecon and udev. A less known example is the passwd command. passwd recreates the /etc/passwd and /etc/shadow files; /etc/passwd should be labeled etc_t and shadow should be labeled shadow_t. Because of this and some other concerns, the passwd command has SELinux awareness built into it, and it asks the kernel to create /etc/passwd and /etc/shadow with the correct default label.

But we can not instrument every application that creates a file or directory on the system with SELinux awareness. So a user creating the public_html directory in his home directory using mkdir will create the directory with the label user_home_t instead of the correct httpd_user_content_t. An administrator creating /etc/resolv.conf with sed will create the file labeled etc_t rather than net_conf_t. Even the kernel creating /dev/rfcomm0 will give it the label device_t rather than tty_device_t. In these cases we have either required the user or administrator to run restorecon on the newly created object ("restorecon ~/public_html"), or we have added racy tools like restorecond or udev which watch for the creation of objects using inotify and then relabel them with the correct label. All three of these approaches leave a window in which the object carries the wrong label, and end up creating an AVC if a confined domain tries to use the object before it is fixed.

With the File Name Transition feature, policy writers can write rules that take the file name into account, not the file path; the name is the basename of the path. Since at the time of object creation the kernel knows the label of the containing directory, the label of the process creating the object and the object's name, we can now write a policy rule that states: if an unconfined_t process creates a file named resolv.conf in a directory labeled etc_t, the file should get labeled net_conf_t.

We have also added rules that state:

  • kernel_t creating a chr_file named rfcomm0 in a directory labeled device_t should create it labeled tty_device_t.
    • For example /dev/rfcomm0
  • sysadm_t creating a directory named .ssh in a directory labeled admin_home_t should create it labeled ssh_home_t.
    • For example /root/.ssh
  • staff_t creating a directory named .public_html in a directory labeled user_home_dir_t should create it labeled httpd_user_content_t.
    • For example /home/dwalsh/.public_html

Note: this feature is only about initial file creation. Objects that already carry the wrong label will not be magically fixed by it. The feature does not use the path to determine the label, since the path is not a stable quantity inside the kernel (hard/soft links, bind mounts and namespaces can all affect the path).

Benefit to Fedora

The major benefit to Fedora is a decrease in SELinux labeling errors; these policy changes will fix a large number of the issues users have with SELinux. Over the years the largest share of SELinux problems has come down to incorrectly labeled files and directories. If we can make sure most of them are labeled correctly without the user or admin needing to understand how SELinux works, SELinux is much less likely to cause problems. This feature also has the potential to make the system more secure, because a badly labeled file may give confined domains the chance to read or write its content. For example, most confined applications should not be reading the contents of the .ssh directory, but if it gets the label of the user's home directory by default (as it does in current Fedoras), a confined application may be allowed to read the private key file.

Scope

This change only affects policy writers and the kernel. No other applications should be affected by this change.

How To Test

The initial policy work has been done and affects the following directories: /root, $HOME, /dev and /etc.

Things I would like to see checked. First make sure restorecond is not running, so that it cannot relabel the new objects behind your back:

  killall -9 restorecond
  yum remove policycoreutils-restorecond

Home directory:

  useradd test
  mkdir ~test/.public_html
  restorecon -v ~test/.public_html      # verify the label: no output expected
  # Now log in graphically to the test account, then check the whole home directory
  restorecon -R -v ~test                # hopefully no output...

/root/.ssh:

  mv /root/.ssh /root/.ssh.old
  mkdir /root/.ssh
  restorecon -v /root/.ssh              # no output expected
  rmdir /root/.ssh
  mv /root/.ssh.old /root/.ssh

/etc/resolv.conf:

  mv /etc/resolv.conf /tmp
  cp /tmp/resolv.conf /etc
  restorecon -v /etc/resolv.conf        # no output expected

Plug in a bluetooth device; there should be no AVC about bluetooth_t trying to interact with a device_t chr_file.

Set up NFS to share a user's home directory, mount the home directory on a remote client and create the .public_html directory. Make sure that on the server the directory gets created with the correct label.
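The following script is an added example, not code from this wiki page or from the Fedora policy sources. It writes the rules from the Detailed Description as a raw (non-M4) policy module, simulates the kernel's lookup order (a rule naming the basename wins over an unnamed type_transition for the class, which wins over inheriting the directory's type), compiles the module with checkmodule and semodule_package when they are installed, queries the loaded policy with sesearch, and, when run as root on an SELinux system, performs the /root/.ssh check from the steps above without restorecon. The module name fname_demo, the work directory and the helper names resolve_type, ctx_type and check_create are assumptions of this example; the .ssh rule is written both for unconfined_t (the admin shell in the targeted policy, as in the Summary) and for sysadm_t (as in the list above).

```shell
#!/bin/bash
# Added example for this page, not the Fedora policy's own source. Module
# name "fname_demo", the work directory and the helper names are assumptions.
set -u

# Raw (non-M4) module language, so checkmodule compiles it without the
# refpolicy headers. A refpolicy .te would express the first rule as
#   filetrans_pattern(unconfined_t, etc_t, net_conf_t, file, "resolv.conf")
gen_te() {
cat <<'EOF'
module fname_demo 1.0;

require {
	type unconfined_t;
	type sysadm_t;
	type kernel_t;
	type etc_t;
	type net_conf_t;
	type admin_home_t;
	type ssh_home_t;
	type device_t;
	type tty_device_t;
	class file { create };
	class dir { create };
	class chr_file { create };
}

# type_transition SOURCE DIR_TYPE:CLASS NEW_TYPE "basename";
# The name is the basename the creator handed to the kernel, never a path.
type_transition unconfined_t etc_t:file net_conf_t "resolv.conf";
type_transition unconfined_t admin_home_t:dir ssh_home_t ".ssh";
type_transition sysadm_t admin_home_t:dir ssh_home_t ".ssh";
type_transition kernel_t device_t:chr_file tty_device_t "rfcomm0";
EOF
}

# Simulation of the kernel's decision, read from the .te above (not the
# kernel's code): a rule naming the basename wins, then an unnamed
# type_transition for the class, else the object inherits the directory type.
resolve_type() {  # resolve_type SRC_TYPE DIR_TYPE CLASS BASENAME
	gen_te | awk -v key="$1 $2:$3" -v name="\"$4\";" -v dir="$2" '
		$1 == "type_transition" && ($2 " " $3) == key {
			if (NF == 5 && $5 == name) named = $4                  # named rule
			else if (NF == 4) { plain = $4; sub(/;$/, "", plain) } # class-wide rule
		}
		END { print (named != "" ? named : (plain != "" ? plain : dir)) }'
}

# Type field of a context string: system_u:object_r:etc_t:s0 -> etc_t
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Create PATH as the current process and compare the type the kernel assigned
# with EXPECTED. This is the manual "restorecon -v prints nothing" check.
check_create() {  # check_create file|dir PATH EXPECTED_TYPE
	local kind=$1 path=$2 want=$3 got
	case $kind in dir) mkdir "$path" ;; file) : > "$path" ;; esac || return 1
	got=$(ctx_type "$(stat -c %C "$path")")
	[ "$got" = "$want" ] && echo "ok   $path -> $got" \
		|| { echo "FAIL $path -> $got (wanted $want)"; return 1; }
}

main() {
	local work
	work=$(mktemp -d)
	gen_te > "$work/fname_demo.te"

	echo "== lookup simulation for unconfined_t creating files in an etc_t dir"
	for name in resolv.conf hosts; do
		printf '%-12s -> %s\n' "$name" "$(resolve_type unconfined_t etc_t file "$name")"
	done

	# Compile to a loadable .pp. Installing it (semodule -i, as root) is left
	# to the reader: current Fedora policy already carries these rules.
	if command -v checkmodule >/dev/null 2>&1; then
		checkmodule -M -m -o "$work/fname_demo.mod" "$work/fname_demo.te" &&
			semodule_package -o "$work/fname_demo.pp" -m "$work/fname_demo.mod" &&
			echo "built $work/fname_demo.pp"
	fi

	# Ask the loaded policy for the transitions on this key; named rules are
	# printed with their basename.
	if command -v sesearch >/dev/null 2>&1; then
		sesearch -T -s unconfined_t -t etc_t -c file
	fi

	# Live check from How To Test: only as root, on SELinux, and only when
	# /root/.ssh does not already exist, so nothing of the admin's is touched.
	if selinuxenabled 2>/dev/null && [ "$(id -u)" -eq 0 ] && [ ! -e /root/.ssh ]; then
		check_create dir /root/.ssh ssh_home_t
		rmdir /root/.ssh
	fi
}
main
```

Run it as a normal user to see the simulation and the compile step. Installing the .pp is deliberately not automated: a module whose type_transition for an existing key has a different default than the loaded policy is rejected at install time, so check the running policy with sesearch first. The resolv.conf and rfcomm0 cases are checked by hand exactly as in the steps above.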

If you find other objects that could use this feature, open a bugzilla and we can discuss.

User Experience

It really should not be noticed by the user, unless they are looking for it, although hopefully they will notice that SELinux is working better.

Dependencies

Contingency Plan

Documentation

Release Notes

Comments and Discussion