Dan Walsh's Blog

Got SELinux?

10 things you probably did not know about SELinux.. #4
#4 How do I tell whether a domain is confined on an SELinux System?

On SELinux targeted systems, we have confined domains and unconfined domains, and as of RHEL6 and all supported Fedoras we also have permissive domains.  SELinux does not block access on processes running in these domains, for the most part.

Unconfined Domains

An unconfined domain is supposed to be a process that has the same rights it would have if SELinux were disabled.  There are a few caveats to this though.

Process Transitions

A process transition says that when a process running as label a_t executes a file labeled b_exec_t, the new process should run as b_t.  An example of this would be service httpd start.  In this case we have unconfined_t running an init script labeled initrc_exec_t, and SELinux starts the process as initrc_t.

# sesearch -T -s unconfined_t -t initrc_exec_t
Found 1 semantic te rules:
   type_transition unconfined_t initrc_exec_t : process initrc_t;

Then the init script has a rule that says initrc_t executing httpd_exec_t will transition to httpd_t.

# sesearch -T -s initrc_t -t httpd_exec_t
Found 1 semantic te rules:
   type_transition initrc_t httpd_exec_t : process httpd_t;

This means that even though the process that started another process was unconfined, the new process can be confined.  We tend to discourage transitions from the unconfined_t user domain, since this can surprise the user.  "I thought I was unconfined, why when I start XYZ does SELinux block it?"

Other than transitioning to initrc_t, there are currently 55 executables that transition out of the unconfined_t domain.

#  sesearch -T -s unconfined_t -c process -C| grep -v initrc_t| grep -v ^D | wc -l

A lot of these domains are also unconfined.  unconfined_java_t, for example, is the same as unconfined_t except that it always has execstack and execmem privilege.

Minor Denials

In some cases I have been convinced to add minor confinement even to unconfined domains.  The most commonly seen of these are the executable memory checks: execmem, execmod, execheap and execstack.  There are booleans to turn these checks on and off for the unconfined domains.

Listing unconfined domains

You can use seinfo to list the unconfined domains.

# seinfo -aunconfined_domain_type -x | wc -l

Disabling unconfined domains

You can easily disable many of the unconfined domains to lock your machine down further.  In RHEL6 and Fedora there are two policy modules, unconfined and unconfineduser.  If you disable unconfined it will lock down most of system space.

# semodule -d unconfined
# seinfo -aunconfined_domain_type -x | wc -l

This is how I usually run.  In this mode, you will need policy for every app launched from the init system or xinetd.

You can also disable the unconfined user, by executing the following commands.

# semanage login -m -s staff_u root
# semanage login -m -s staff_u __default__
# semanage user -d unconfined_u
# semanage user -m -R "staff_r system_r sysadm_r" staff_u

# semodule -d unconfineduser

As long as unconfined is not defined in either the semanage user or semanage login database, this should work, and you pretty much get back to what used to be the strict policy.

I tend to leave unconfineduser enabled, but set up all my users as confined, and allow staff_t to transition to unconfined_t through sudo.
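
The precondition above (nothing in the semanage user or login database still naming unconfined) is easy to check before running semodule -d unconfineduser.  The following shell script is an added example, not part of the post; it works on constructed samples of the semanage listings so it runs offline, and the function that gates the live removal is defined but not called.

```shell
# Added example, not from the original post: check that nothing in the
# semanage login or semanage user databases still references the
# unconfined user or role before disabling the unconfineduser module.
# The listings below are constructed samples of real command output.

# Constructed: semanage login -l after the remapping commands in the post
SAMPLE_LOGIN_CLEAN='Login Name      SELinux User    MLS/MCS Range
__default__     staff_u         s0-s0:c0.c1023
root            staff_u         s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023'

# Constructed: the same listing before __default__ was remapped
SAMPLE_LOGIN_DIRTY='Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0-s0:c0.c1023
root            staff_u         s0-s0:c0.c1023'

# Constructed: semanage user -l with unconfined_u already deleted
SAMPLE_USER_CLEAN='SELinux User  Prefix  MCS Level  MCS Range       SELinux Roles
root          user    s0         s0-s0:c0.c1023  staff_r sysadm_r system_r
staff_u       user    s0         s0-s0:c0.c1023  staff_r system_r sysadm_r
system_u      user    s0         s0-s0:c0.c1023  system_r'

# unconfined_refs LOGIN_LISTING USER_LISTING
# Prints every line that still names unconfined_u or unconfined_r and
# returns 1; returns 0 (prints nothing) when both listings are clean.
unconfined_refs() {
    if printf '%s\n' "$1" "$2" | grep -Ew 'unconfined_[ur]'; then
        return 1
    fi
    return 0
}

# Gate the module removal on the live databases (needs policycoreutils;
# defined here for real use, deliberately not called in this script).
safe_disable_unconfineduser() {
    if unconfined_refs "$(semanage login -l)" "$(semanage user -l)"; then
        semodule -d unconfineduser
    else
        echo 'refusing: unconfined_u/unconfined_r still referenced (see above)' >&2
        return 1
    fi
}
```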

Adding unconfined domains when building policy modules

If you were building your own policy module and you wanted to build an unconfined domain, you would write code like:

type mydomain_t;

# unconfined_domain() is the reference policy interface that gives a type
# the unconfined_domain_type attribute and the access that goes with it
unconfined_domain(mydomain_t)


Permissive Domains

The other type of domain that SELinux does not block is the permissive domain.  These are usually domains under construction.  SELinux allows these domains to do anything, but reports AVCs when they do something not allowed by policy.  When we develop policy for Fedora, we define all new domains as permissive and let them run permissive through an entire run of a release.  Then in the next release we turn them to enforcing.  One difference between F15 and F16 policy is that we just removed the permissive flag from all domains in F15.

Listing Permissive Domains

You can see the permissive domains in two ways.

# seinfo  --permissive  | wc -l

Or you can use the semanage command to list them:

# semanage permissive -l

Builtin Permissive Types

Customized Permissive Types

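Putting the two listings together answers the question in the title for any given domain.  The script below is an added example (not from the post): it classifies a domain as unconfined, permissive or confined by parsing constructed samples of the seinfo output, so it runs offline; the live call against the running policy is shown in a comment.

```shell
# Added example, not from the original post: decide whether a domain is
# unconfined, permissive or confined from the output of the two seinfo
# queries the post uses. The sample listings below are constructed.

# Constructed sample of: seinfo -aunconfined_domain_type -x
SAMPLE_UNCONFINED='   unconfined_domain_type
      initrc_t
      unconfined_java_t
      unconfined_t'

# Constructed sample of: seinfo --permissive
SAMPLE_PERMISSIVE='Permissive Types: 1
   mydomain_t'

# classify_domain DOMAIN UNCONFINED_LISTING PERMISSIVE_LISTING
# Prints unconfined, permissive or confined. A type counts as listed when
# it appears alone on a line (after indentation) in the given listing.
classify_domain() {
    if printf '%s\n' "$2" | grep -q "^[[:space:]]*$1\$"; then
        echo unconfined
    elif printf '%s\n' "$3" | grep -q "^[[:space:]]*$1\$"; then
        echo permissive
    else
        echo confined
    fi
}

# Live check against the running policy (needs setools; not run here):
#   classify_domain httpd_t "$(seinfo -aunconfined_domain_type -x)" \
#                           "$(seinfo --permissive)"
# A confined result is only as current as the policy: a later
# "semanage permissive -a" or "semodule -d unconfined" changes the answer,
# so re-run the check after policy changes.
```

With the constructed samples, unconfined_java_t is reported as unconfined, mydomain_t as permissive and httpd_t as confined.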
Adding Permissive Domains

Notice that the semanage command differentiates between customized permissive domains and built-ins.  With the semanage command, the administrator can choose to make a domain permissive, by executing

# semanage permissive -a httpd_t
# seinfo  --permissive  |grep http

Removing Permissive Domains

You can remove a customized permissive domain by executing:

# semanage permissive -d httpd_t

You cannot currently remove permissive domains that are built into the policy.

Adding permissive domains when building policy modules

If you were building your own policy module and you wanted to build a permissive domain, you would write code like:

type mydomain_t;

permissive mydomain_t;


disabling unconfined broke aide ran from cron

Aaron Rodden

2012-10-03 07:49 pm (UTC)

I disabled the unconfined module: semodule -d unconfined
I have an /etc/crontab entry to execute: /usr/sbin/aide --check

The aide process is blocked from starting via cron. After running in permissive mode, audit2allow recommended something like this:

#============= system_cronjob_t ==============
allow system_cronjob_t admin_home_t:file { read open };
allow system_cronjob_t admin_home_t:lnk_file read;
allow system_cronjob_t aide_db_t:file { read lock ioctl write open };
allow system_cronjob_t aide_log_t:file { read write };
allow system_cronjob_t auditd_etc_t:file { read open };
allow system_cronjob_t boot_t:file { read open };
allow system_cronjob_t boot_t:lnk_file read;
allow system_cronjob_t crack_db_t:file { read open };
allow system_cronjob_t etc_aliases_t:file { read open };
allow system_cronjob_t fonts_t:file { read open };
allow system_cronjob_t hwdata_t:file { read open };
allow system_cronjob_t modules_dep_t:file { read open };
allow system_cronjob_t modules_object_t:file { read open };
allow system_cronjob_t modules_object_t:lnk_file read;
allow system_cronjob_t self:capability ipc_lock;
allow system_cronjob_t shadow_t:file { read open };
allow system_cronjob_t system_map_t:file { read open };
allow system_cronjob_t userhelper_conf_t:file { read open };

This seems like allowing system_cronjob_t a bit much. I did not have much luck creating a policy to do process transition with cron so it would run in the needed context. So, I had to keep unconfined enabled.

Re: disabling unconfined broke aide ran from cron


2012-10-04 01:07 pm (UTC)

This looks like we need to add policy for running aide out of a cron job.

Something like

policy_module(myaide, 1.0)
type aide_t;
# the entry point type must be declared before cron_system_entry() uses it
type aide_exec_t;

cron_system_entry(aide_t, aide_exec_t)

Re: disabling unconfined broke aide ran from cron


2012-10-04 01:09 pm (UTC)

I am adding this to Fedora 18 policy.

Re: disabling unconfined broke aide ran from cron

Aaron Rodden

2012-10-08 04:20 pm (UTC)

RHEL6.3 howto to allow cron to run aide with SELinux policy: add the following policy by creating myaide.te, then make the pp and install it with the semodule command.

# cat myaide.te

policy_module(myaide, 1.0)

type aide_t;
type aide_exec_t;

cron_system_entry(aide_t, aide_exec_t)

# make -f /usr/share/selinux/devel/Makefile myaide.pp
# semodule -i myaide.pp

Re: disabling unconfined broke aide ran from cron


2012-10-08 07:16 pm (UTC)

Yes, we have made this change to RHEL7 policy and will back port it to RHEL6.
