Chapter 2. SELinux Policy Overview
The way SELinux implements its label in the xattr is different from other labeling schemes. SELinux
stores its labels in human readable strings. This provides a meaningful label with the file that can help
in backup, restoration, and moving files between systems. Standard attributes do not provide a label
that has continuous meaning for the file.
In this example under the targeted policy, the policy does not specify anything about files created by unconfined_t in the directory /tmp, so the files inherit the context from the parent directory:

    id -Z
    root:system_r:unconfined_t
    ls -dZ /tmp
    drwxrwxrwt  root     root     system_u:object_r:tmp_t          /tmp/
    touch /tmp/foo
    ls -Z /tmp/foo
    -rw-r--r--  root     root     root:object_r:tmp_t              /tmp/foo
In this example under a different policy, the policy explicitly states that files created by user_t in /tmp have a type of user_tmp_t:

    id -Z
    user_u:staff_r:user_t
    ls -dZ /tmp
    drwxrwxrwt  usera    usera    system_u:object_r:tmp_t          /tmp/
    touch /tmp/foo
    ls -Z /tmp/foo
    -rw-r--r--  usera    usera    root:object_r:user_tmp_t         /tmp/foo
This finer grained control is implemented via policy using the tmp_domain() macro, which defines a temporary type per domain. In this macro, the variable $1_tmp_t is expanded by substituting the subject's type base, so that user_t creates files with a type of user_tmp_t.
Having separate types for /tmp/ protects a domain's temporary files against tampering or disclosure by other domains. It also protects against misdirection through a malicious symlink. In the targeted policy, the confined daemons have separate types for their temporary files, keeping those daemons from interfering with other /tmp/ files.
A privileged application can override any stated labeling rule by writing a security context to /proc/self/attr/fscreate using setfscreatecon(3). This action must still be allowed by policy. The context is then used to label the next newly created file object, and the fscreate is automatically reset after the next execve or through setfscreatecon(NULL). This ensures that a program starts in a known state without having to be concerned what context was left by the previous program in /proc/self/attr/fscreate.
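The labeling decision shown in the two sessions above (inherit from the parent directory unless a tmp_domain() transition applies) together with the fscreate override described in the last paragraph, written as a small Python model. This is an added example, not code from the Red Hat guide or from libselinux: the Process class, its allowed_fscreate set and the policy check inside setfscreatecon are assumptions standing in for the kernel's real access checks, and the new object's user field is taken from the creating process.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """A label as SELinux stores it in the xattr: user:role:type (MLS field ignored here)."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":")
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        return cls(parts[0], parts[1], parts[2])

# (source type, parent directory type, object class) -> type given to the new object
TransitionRules = Dict[Tuple[str, str, str], str]

def tmp_domain(domain: str) -> TransitionRules:
    """Expand tmp_domain($1): $1_t creating file or dir objects under tmp_t gets $1_tmp_t."""
    return {(f"{domain}_t", "tmp_t", cls): f"{domain}_tmp_t" for cls in ("file", "dir")}

@dataclass
class Process:
    context: Context
    fscreate: Optional[Context] = None              # mirrors /proc/self/attr/fscreate
    allowed_fscreate: FrozenSet[str] = frozenset()  # types policy lets this domain request (assumed)

    def setfscreatecon(self, ctx: Optional[str]) -> None:
        if ctx is None:                             # setfscreatecon(NULL) clears the override
            self.fscreate = None
            return
        wanted = Context.parse(ctx)
        if wanted.type not in self.allowed_fscreate:  # "must still be allowed by policy"
            raise PermissionError(f"policy does not allow fscreate to {wanted.type}")
        self.fscreate = wanted

    def execve(self) -> None:
        self.fscreate = None                        # reset on exec so the new image starts clean

def label_new_object(proc: Process, parent: Context, cls: str, rules: TransitionRules) -> Context:
    """Label for an object proc creates in parent: fscreate override, else type_transition, else inherit."""
    if proc.fscreate is not None:
        return proc.fscreate
    new_type = rules.get((proc.context.type, parent.type, cls), parent.type)
    return Context(proc.context.user, "object_r", new_type)
```

With an empty rule set (the targeted policy case) unconfined_t gets tmp_t, with tmp_domain("user") loaded user_t gets user_tmp_t, and a set fscreate context survives until execve() or setfscreatecon(None).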
2.5. Object Classes and Permissions
SELinux defines a number of classes for objects, making it easier to group certain permissions by specific classes. Here are some examples:

File related classes include filesystem for file systems, file for files, and dir for directories.
Each class has its own associated set of permissions. The filesystem class can mount, unmount, get attributes, set quotas, relabel, and so forth. The file class gains the common file permissions such as read, write, get and set attributes, lock, relabel, link, rename, append, etc.
Network related classes include tcp_socket for TCP sockets, netif for network interfaces, and node for network nodes. The netif class, for example, can send and receive on TCP, UDP and raw sockets (tcp_recv, tcp_send, udp_send, udp_recv, rawip_recv, and rawip_send).