danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
Where does SELinux allow my application to write?
danwalsh
SELinux's Number one goal:

Stop confined application/process from affecting other processes on the system. 


One of the biggest ways that a process can affect another process is by writing content that that process reads. 
  • If a hacked process can write ~/.bashrc in a users home directory; the next time the user logs in, the hacker gets control of a process running as unconfined_t.
  • If a hacked process can write to /etc/httpd/config, the hacker gets control of the Apache process.
Because of this SELinux blocks confined applications the ability to write content, unless the directories/files have the proper labels.

Users want to know:

What label is my application allowed to write to? 
Where on the file system are these labels?


For example in another blog, I got asked today where can mozilla_plugins write their logs?

Well in an effort to better document SELinux policy we have been auto-generating man pages, and have just added a new section called MANAGED FILES.  This section of the man page will list the files/directories that a confined application is able to write.

man mozilla_plugin_selinux
...
MANAGED FILES
       The SELinux user type mozilla_plugin_t can manage  files  labelled  with
       the  following  file types.  The paths listed are the default paths for
       these file types.  Note the processes UID still need to have  DAC  per‐
       missions.

       gnome_home_type

       home_cert_t

            /root/.cert(/.*)?
            /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)?
            /home/[^/]*/.pki(/.*)?
            /home/[^/]*/.cert(/.*)?

       mozilla_home_t

            /home/[^/]*/.java(/.*)?
            /home/[^/]*/.adobe(/.*)?
            /home/[^/]*/.gnash(/.*)?
            /home/[^/]*/.galeon(/.*)?
            /home/[^/]*/.spicec(/.*)?
            /home/[^/]*/.mozilla(/.*)?
...


In Fedora 18, we now have 951 man pages related to SELinux.

> man -k selinux | wc -l
951


We will be generating these Man Pages in Fedora 17 and RHEL6/RHEL6 and hope to put them up on a web site so that "search engines" will have an easier time searching them.

You can generate your own man pages using these tools, which should be showing up in policycoreutils soon.

http://people.fedoraproject.org/~dwalsh/SELinux/genman/segenman
http://people.fedoraproject.org/~dwalsh/SELinux/genman/senetwork.py


You are viewing danwalsh