Key components of SELinux: Applications
Back to SELinux for Dummies...


When I give my SELinux talk, I have a section on the key components of SELinux, and I usually start out talking about the kernel. But I find that most people already understand that SELinux is integrated into the upstream kernel. The kernel has many access checks built into it, and those access checks call into the Linux Security Module (LSM) framework. But I am not an SELinux kernel engineer, nor do I play one on TV. So I will leave it to the Stephen Smalleys and James Morrises of the world to explain the SELinux kernel. Besides, this is SELinux for Dummies, and we know that no dummies work on the kernel. :^)

Most of the papers on SELinux talk about the kernel and how this integration happens.


The more interesting part in my opinion is how the rest of the Base Operating System uses SELinux. Of course that is what I work on ...

Most user applications and server applications are unchanged, non-SELinux-aware applications. Of the hundreds/thousands of rpm packages in Fedora, only about 50 are compiled with SELinux awareness in them. This is one of the powerful features of SELinux: applications do not need to be aware of SELinux to be confined by it.

The power of this is that it is fairly easy to write policy for a new daemon. You do not need to be a "C" programmer or fully understand how the application works; you can confine it with policy alone.

One problem with this, which you may have seen, is that an application is not aware of whether it is being blocked by Discretionary Access Control (DAC) or Mandatory Access Control (MAC). It just gets EPERM, Permission Denied. Administrators can become confused by this.
For example, an administrator sets up a web page, the permissions and ownership on the files are set correctly, yet apache reports permission denied. The file context on the files is set incorrectly, but apache has no awareness of this. We are working on tools to make this more obvious to the administrator, but for now they need to know to look in /var/log/messages or /var/log/audit/audit.log for AVC messages.
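As an added example (not from the original post), here is a small shell script that parses AVC records in audit.log format and summarises the denials per command, permission, source type and target type, which is the quickest way to confirm that apache's "permission denied" is a label mismatch rather than a DAC problem. The records it reads are constructed samples; the pids, inodes, file names and contexts in them are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the AVC denials in
# /var/log/audit/audit.log so an administrator can see that a "Permission
# denied" came from SELinux (MAC), not from file ownership/mode (DAC).
# The records below are constructed sample input in audit.log format.
SAMPLE_AVC='type=AVC msg=audit(1209000000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1209000000.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1209000000.456:46): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1209000000.789:47): avc:  denied  { read } for  pid=2346 comm="httpd" name="index.html" dev=dm-0 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_summary TEXT: print one line per distinct denial, sorted:
#   <comm> <permission> <source type> -> <target type> <class> (<count>)
# Only the type field of each context is kept, since that is what policy
# rules and file labels are written in terms of.
avc_summary() {
    printf '%s\n' "$1" | awk '
    /^type=AVC / && / denied / {
        perm = $0
        sub(/.*[{] */, "", perm)    # drop everything up to "{ "
        sub(/ *[}].*/, "", perm)    # drop " }" and the rest of the line
        comm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     comm = kv[2]
            if (kv[1] == "scontext") src = kv[2]
            if (kv[1] == "tcontext") tgt = kv[2]
            if (kv[1] == "tclass")   cls = kv[2]
        }
        gsub(/"/, "", comm)
        split(src, s, ":"); split(tgt, t, ":")   # user:role:type[:level]
        key = comm " " perm " " s[3] " -> " t[3] " " cls
        count[key]++
    }
    END { for (k in count) print k " (" count[k] ")" }' | sort
}

# On a real system: avc_summary "$(cat /var/log/audit/audit.log)"
avc_summary "$SAMPLE_AVC"
```

The first summary line says httpd_t was denied read on a file labeled user_home_t, which is exactly the mislabeled-web-page case above; restoring the label (rather than chmod) is the fix.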

So which applications need to be SELinux aware?

  • Applications used to view or manipulate security contexts (core utilities)
    Examples of this are ls for viewing file context and ps for viewing process context.

  • Programs required to set the user session security context
    The login programs are the most obvious ones: login, sshd, gdm ... and also cron.

  • The SELinux core programs
    Used to control/manipulate security contexts: chcon, setfiles, restorecon.
    Used to manipulate policy: load_policy, check_policy, check_module, semodule, semanage, setenforce, getenforce, setsebool, getsebool ...

Core Utilities

"Z" is your friend...

When I took over maintenance of the SELinux userspace, I settled on using "Z" as the universal option to show security context.

So "ps auxZ" will show you the security context of all processes. "ls -Z" will show you the security context of files. "id -Z" will show you the security context of your login shell.

So if you think an application might be SELinux aware try the -Z option...

Find command:

The find command has a powerful SELinux option, "-context", which allows you to search for files matching a certain context. It uses "glob" syntax, so you can execute a command like

find /etc -context '*net_conf_t'

to find all the files labeled with type net_conf_t.

Another handy find option is -printf with %Z, which prints each path alongside its context:

find /etc -context "*net_conf_t" -printf "%p %Z\n"
/etc/sysconfig/networking/profiles/default/resolv.conf system_u:object_r:net_conf_t
/etc/resolv.conf.windham system_u:object_r:net_conf_t
/etc/ system_u:object_r:net_conf_t
/etc/ntp.conf system_u:object_r:net_conf_t
/etc/ntp/step-tickers system_u:object_r:net_conf_t
/etc/resolv.conf.old system_u:object_r:net_conf_t
/etc/yp.conf root:object_r:net_conf_t
/etc/resolv.conf.redhat system_u:object_r:net_conf_t
/etc/resolv.conf system_u:object_r:net_conf_t

Continued tomorrow:  mv/cp/install 
