danwalsh

How does SELinux enforce policy?

First lets talk about the boot process.

When the SELinux kernel boots up it is hard coded to run as kernel_t. Since at this point there is no policy running, this is the only context. So since this is the only context all applications that are run will stay in kernel_t. When the kernel executes /sbin/init it originally is running as kernel_t, then it reads in the policy file and loads it into the kernel. At this point init re-execs itself. When /sbin/init was installed is labeled init_exec_t and now there is a rule in the kernel that says when kernel_t execs an application labeled init_exec_t, it should transition to init_t. So now the init process is running as init_t.

The init process then runs /etc/rc.d/rc.sysinit which is labeled initrc_exec_t. The kernel has a rule that says when init_r execs initrc_exec_t it transitions to initrc_t. So this continues until the httpd executable gets started as httpd_t.

The kernel will now examine every access (read) of the process domain (httpd_t) on the class (file) of objects on the system /var/www/index.html (httpd_sys_content_t). If there is a rule in policy that allows it the access will go forward. If it is denied, an AVC, Access Vector Cache, message will be generated in the log file. By the way don't blame me for AVC, I was not the one who chose the name.

What about unconfined_t and the login process?

Certain Applications, such as login, are allowed by policy to set the context of the next executed program.
Actually most of the login programs are using pam_selinux to get this behavior.

So when I log in to the system. pam users libselinux to figure out what is the initial context setup for username dwalsh? On a targeted system this will be unconfined_t. You can modify this behavior by changing files in /etc/selinux/POLICYTYPE/contexts/default_contexts and /etc/selinux/POLICYTYPE/contexts/users/ so that on a strict or MLS policy machine, you could setup dwalsh logging in on the local terminal to default to one context, and on a remote login to use a different context, but that is an advanced feature.

So once the user is logged his shell will be running with unconfined_t or user_t, every access that the user makes is going through the kernel to make sure the access is allowed. Obviously this is all cached to make the overhead as little as possible.

NOTE:

One curious thing that you might have noticed, is depending on how you start an application, it could end up running in a different context. For example if I run httpd via the service start up script it will run as httpd_t, but if I run it directly it will run as unconfined_t.

Why????

There is a rule in the kernel that says unconfined_t running initrc_exec_t will transition to initrc_t, and initrc_t running httpd_exec_t will transition to httpd_t. There is also a rule that says unconfined_t is allow to run httpd_exec_t without transitioning.

This was a conscious decision made by the policy writers to attempt to lesson confusion. You see most confined domains are not allowed to talk to the terminal. They are also not allowed to read/write users home directories. The reason for this is we are trying to protect user space from system space, and if a hacked targeted domain was able to read/write the console or terminal, it could put up a login screen and us lemmings would just enter our username and password. Similarly if a targeted domain was able to read/write our homedirs it could read our credit card data, modify our login scripts, or generally cause havoc.

So one problem with this is administrators sometimes run the targeted domain with --help or want to test a cgi script and they would see no output. Or would attempt to redirect the output to their home directories.

./mycgi_script >> ~dwalsh.out

If these domains transitioned, these access would be denied, and the user would have a hard time understand what happened.

So if you want to run a targeted domain under the locked down context, you need to use the init scripts.

Tomorrow:
Key components of SELinux: Applications