I gave a course at the SELinux Symposium on using SELinux in Red Hat Enterprise Linux 4.
ftp://people.redhat.com/dwalsh/SELinux/M
After the talk, I was amazed at how many people came up to me and said they wish they had this talk before some of the more advanced talks.
In the early 80's when I went to college, Holy Cross, computers were the big thing on campus. Everyone thought they had to take a computer class in order to understand computing. Problem was that the college only offered PL1/Fortran classes. So we had lots of liberal arts students taking PL1 and Fortran classes so they would know what this computing thing was all about. They came away from the experience thinking that computing was hard. Of course I got a lot of free beer, for helping them write their programs. :^)
We are doing the same thing with SELinux. So lets take a step back and talk about some of the fundamentals of SELinux, from my point of view.
Security Context. system_u:object_r:httpd_exec_t:s0
Everything in SELinux revolves around the Security Label, or security context. Every Subject (Processes) and Object (Usually files on the computer) has a security context associated with it. This context has different names depending on what it is attached to. It is called a file_context when it is associated with a file. It is sometimes called a domain when associated with a process.
File context are stored with the Inode in an extended attribute on systems that support extended attributes. This works the same way as DAC Protections and ACL's. In that the security of the file is based information stored at the Inode not the path to the file.
On file systems that do not support extended attributes the kernel provides the file context. So for example there is a rule on a SELinux box that says all files in an NFS mounted file system are labeled system_u:object_r:nfs_t.
Now lets look at what makes up a security context.
The security context is made up of 3 or 4 components separated by “:”
I want to talk about these components starting at the last and working my way back to the first.
4th Component: MLS Component
The 4th component is the MLS field which is not supported in RHEL4 or Fedora Core 4. It is first showing up with Fedora Core 5, although it has been in SELinux in the previous versions, it was never turned on.
This component is used in all policies shipped with Fedora Core 5. On strict and targeted policies we refer to this as the MCS Field. Unfortunately this field can contain a ":". The syntax of this field can look something like s0-s15:c1,c2. But I will put off talking about
this syntax until a later date. Most files by default are labeled s0, sometimes referred to as SystemLow. Fortunately SELinux provides a translation library (libsetrans) that replaces the codes in this field with a more human readable form. So something like s0:c1,c2 might be show up to the user as PatientRecord,CompanyConfidential. On a targeted or strict policy machine s0 translates to "", so almost all files will not even show the fourth field.
3rd Component: Types
The 3rd component of the security context is the Type component, for example /usr/sbin/httpd is labeled with a type of “httpd_exec_t".
In my opinion this is the most important field in the SELinux security context. This is the heart of SELinux Type Enforcement. Most of the policy rules in SELinux revolve around what subject types have what access to which object types. By convention this component always ends in a "_t".
2nd Component: Roles
The second component of the security context is the Role field. This field is only really relevant on processes or domains. The role field on a file is always object_r, and really has no meaning other than as a place holder. On a process you would usually see a role like system_r or sysadm_r. Roles are used to group security types. So you can specify in policy which roles are able to execute which types. This is the basis of "Roles Based Access Control" (RBAC) in SELinux. RBAC is not really used in targeted policy, but becomes more important in Strict and MLS policy. MLS Policy also contains sysadm_r, staff_r, and secadm_r. Roles by convention end with a "_r".
1st Component: Users
The first component of the security context is the "SELinux User" component. This component can be thought of as a way of grouping roles.
SELinux Users can have multiple roles that they can reach, and then in those roles they can reach multiple types. Three users that you will usually see on the system are "user_u", "system_u" and root. The user_u is the default SELinux User for a logged in user on a system. "system_u" is the default User for processes started during the boot up process. IE they were never started by a user. "root" is the SELinux user that you get when you login at the console as "root". In targeted policy the user component is really not important. It is more important in MLS and Strict policy machines. On a file the user component specifies the SELinux user that created the file. On the initial system files are labeled as system_u. Or if you relabel they will get set back to system_u. By convention all default SELinux Users end with a "_u" except for root. Originally if you wanted to map a Linux User to an SELinux user, you would create a SELinux user name with the same name as the Linux User. This is why the root user does not end in a "_u". In newer versions of SELinux we have added a mapping file "seusers" which allows you to map Linux Users to SELinux Users without having to create a lot of new SELinux Users.
Tomorrow "How does SELinux enforce policy?"
This may sound silly, but...
And it's a bad sign when something looks enough that way that it makes an experienced linux admin's eyes glaze over. And it's not just mine -- I've seen this reaction from a lot of people when seeing SELinux messages, and I really do blame the underscores. :)
Does it really add a lot in keeping things straight? The libsetrans translation library is new, right? It looks like on FC5, this just is used for the MLS component, but it could be used everywhere, right?
If dropping the convention completely isn't really reasonable, it would be nice to make it so that anyone not actively writing policy would never have to see messages at that level -- or even have to work with them when changing system configuration. (Just as admins rarely or never need to look at assembly language these days....)
I think the dummies in your part of the world are pretty bright, though, as I was having trouble keeping up but I think I managed.
I disagree with the first commenter - the _r, _u and _t labels are useful reminders. For dummies, anyway! (Surely nobody wants to have to keep remembering in what order the things are listed).
reminders
Role=object, Type=http_exec, User=system, MLS="PatientRecord,CompanyConfidential".
With good tools, this shouldn't ever actually result in more typing, and would make the whole thing a lot less intimidating.
Users still a bit confusing to me
Hypothetically, say I want to create several other SELinux users that regular Linux users can be assigned to (e.g. create other selinux users like apacheadm_u and add my linux users that are allowed to mess with apache and nothing else to it). How do I do that? I just mean how do I set up the linux->selinux user mapping, I can figure out the rest :).
The current method is I *think* done in userdomain.if, but I'm finding the 'going through all these m4 macros' part of the job rather trying, and can't figure out how to change login to make a logged in user my new selinux user.
Cheers and thanks,
Reid
PS: I run a 'for Dummies' website and was threatened by IDG. I told them to shove off and cited a few court cases proving that I would win. They haven't bothered me since. This site is rather amusing and informative (read their disclaimer), its owners went through a very similar situation.
Re: Users still a bit confusing to me
Reid