6

Chapter 2. SELinux Policy Overview

For example, the binary executable file object at

/usr/bin/postgres

has the type of

postgresql_exec_t

. All of the targeted daemons have their own

*_exec_t

type for their

executable applications. In fact, the entire set of PostgreSQL executables such as

createlang

,

pg_dump

, and

pg_restore

have the same type,

postgresql_exec_t

, and they transition to the

same domain,

postgresql_t

, upon execution.

The policy defines various rules that say how each domain may access each type. Only what is specif 

ically allowed by the rules is permitted. By default every operation is denied and audited, meaning it

is logged in

$AUDIT_LOG

, such as

/var/log/messages

. Policy is compiled into binary format for

loading into the kernel security server, and as the security server hands out decisions, these are cached

in the AVC for performance.

Policy can be administratively defined, either by modifying the existing files or adding local TE and

file context files to the policy tree. Such a new policy can be loaded into the kernel in real time.

Otherwise, the policy is loaded during boot by

init

, as explained in Section 2.3 Policy Role in Boot.

Ultimately, every system operation is determined by the policy and the type labeling of the files.

Important

After loading a new policy, it is recommended to restart any services that may have new or changed

labeling. For the most part, this is only the targeted daemons, as listed in Section 3.1 What is the

Targeted Policy?.

SELinux is an implementation of domain type access control, with role based limiting. The policy

specifies the rules in that environment. It is written in a simple language created specifically for writing

security policy. Policy writers use

m4

macros to capture common sets of low level rules. There are a

number of

m4

macros defined in the existing policy, which assist greatly in writing new policy. These

rules are preprocessed into many additional rules as part of building

policy.conf

, which is compiled

into the binary policy.

The files are divided into various categories in a policy tree at

$SELINUX_SRC/

. This is covered in

Section 3.2 Files and Directories of the Targeted Policy. Access rights are divided differently among

domains, and no domain is required to act as a master for all other domains. Entering and switching

domains is controlled by the policy, through login programs, userspace programs such as

newrole

,

or by requiring a new process execution in the new domain, called a transition.

2.2. Where is the Policy?

There are two components to the policy, the binary tree and the source tree. The binary tree comes from

the

selinux policy  policyname

package and supplies the binary policy file. Alternately,

the binary policy can be built from source when the

selinux policy  policyname  sources

package is installed. For Red Hat Enterprise Linux 4 the

policyname

is targeted. Directory

conventions for this guide are explained in Section 3 Conventions for SELinux Directories and Files.

  /etc/selinux/targeted/

  this is the root folder for the targeted policy, and contains both the

binary and source trees.

  /etc/selinux/targeted/policy/

  the binary policy file

policy. XY

is here. In this

guide, the variable $SELINUX_POLICY/ is used for this directory.

  /etc/selinux/targeted/src/policy/

  this is the location of the policy source tree. For

details about these sub directories, read Section 3.2 Files and Directories of the Targeted Policy. In

this guide, the variable $SELINUX_SRC/ is used for this directory.

  /etc/selinux/targeted/contexts/

  location of the security context information and con 

figuration files, which are used during runtime by various applications. This directory contains: