Chapter 2. SELinux Policy Overview
The way SELinux implements its label in the xattr is different from other labeling schemes. SELinux
stores its labels in human readable strings. This provides a meaningful label with the file that can help
in backup, restoration, and moving files between systems. Standard attributes do not provide a label
that has continuous meaning for the file.
In this example under the targeted policy, the policy does not specify anything about files created by unconfined_t in the directory /tmp, so the files inherit the context from the parent directory:

    id -Z
    root:system_r:unconfined_t
    ls -dZ /tmp
    drwxrwxrwt  root  root  system_u:object_r:tmp_t  /tmp/
    touch /tmp/foo
    ls -Z /tmp/foo
    -rw-r--r--  root  root  root:object_r:tmp_t  /tmp/foo
In this example under a different policy, the policy explicitly states that files created by user_t in /tmp have a type of user_tmp_t:

    id -Z
    user_u:staff_r:user_t
    ls -dZ /tmp
    drwxrwxrwt  usera  usera  system_u:object_r:tmp_t  /tmp/
    touch /tmp/foo
    ls -Z /tmp/foo
    -rw-r--r--  usera  usera  root:object_r:user_tmp_t  /tmp/foo
This finer grained control is implemented via policy using the tmp_domain() macro, which defines a temporary type per domain. In this macro, the variable $1_tmp_t is expanded by substituting the subject's type base, so that user_t creates files with a type of user_tmp_t.
Having separate types for /tmp/ protects a domain's temporary files against tampering or disclosure by other domains. It also protects against misdirection through a malicious symlink. In the targeted policy, the confined daemons have separate types for their temporary files, keeping those daemons from interfering with other /tmp/ files.
A privileged application can override any stated labeling rule by writing a security context to /proc/self/attr/fscreate using setfscreatecon(3). This action must still be allowed by policy. The context is then used to label the next newly created file object, and the fscreate context is automatically reset after the next execve or by calling setfscreatecon(NULL). This ensures that a program starts in a known state without having to be concerned about what context the previous program left in /proc/self/attr/fscreate.
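As an added illustration (not from the guide, and not libselinux's own code), the following Python models the labeling decisions this section describes: inheriting the parent directory's type, the tmp_domain() transition, and the fscreate override with its reset. The Process class, the tmp_domain() dictionary and the policy lookup are assumptions that mirror the text; a real kernel consults compiled policy and additionally checks that the transition or override is allowed.

```python
from typing import Dict, NamedTuple, Optional, Tuple


class Context(NamedTuple):
    """A user:role:type security context as printed by id -Z and ls -Z."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected user:role:type, got {text!r}")
        return cls(*parts)

    def __str__(self) -> str:
        return ":".join(self)


# (subject type, parent directory type) -> type given to a newly created file
Transitions = Dict[Tuple[str, str], str]


def tmp_domain(prefix: str) -> Transitions:
    """Modelled effect of tmp_domain(prefix) (assumption, not the m4 source):
    $1_t creating inside a tmp_t directory yields $1_tmp_t."""
    return {(f"{prefix}_t", "tmp_t"): f"{prefix}_tmp_t"}


class Process:
    """Minimal model of a subject: its context plus the fscreate override slot."""

    def __init__(self, context: str) -> None:
        self.context = Context.parse(context)
        self.fscreate: Optional[Context] = None

    def setfscreatecon(self, context: Optional[str]) -> None:
        # setfscreatecon(NULL) clears the override; a context string sets it.
        self.fscreate = None if context is None else Context.parse(context)

    def execve(self) -> None:
        # The kernel resets fscreate on execve, so the new image starts clean.
        self.fscreate = None

    def create_file(self, parent: str, policy: Transitions) -> Context:
        """Label a new file: fscreate wins; otherwise the user comes from the
        subject, the role is object_r, and the type comes from a transition
        rule or, failing that, is inherited from the parent directory."""
        parent_ctx = Context.parse(parent)
        if self.fscreate is not None:
            return self.fscreate
        new_type = policy.get((self.context.type, parent_ctx.type), parent_ctx.type)
        return Context(self.context.user, "object_r", new_type)
```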
2.5. Object Classes and Permissions
SELinux defines a number of classes for objects, making it easier to group certain permissions by specific classes. Here are some examples:

File related classes include filesystem for file systems, file for files, and dir for directories.
Each class has its own associated set of permissions. The filesystem class can mount, unmount, get attributes, set quotas, relabel, and so forth. The file class gains the common file permissions such as read, write, get and set attributes, lock, relabel, link, rename, append, etc.
Network related classes include tcp_socket for TCP sockets, netif for network interfaces, and node for network nodes. The netif class, for example, can send and receive on TCP, UDP and raw sockets (tcp_recv, tcp_send, udp_send, udp_recv, rawip_recv, and rawip_send).