I received a container bugzilla today for someone who was attempting to assign a container process to the object_r role. Hopefully this blog will help explain how roles work with SELinux.
When we describe SELinux we often concentrate on Type Enforcement, which is the most important and most used feature of SELinux. This is what describe in the SELinux Coloring book as Dogs and Cats. We also describe MLS/MCS Separation in the coloring book.
Lets look at the SELinux labels
The SELinux labels consist of four parts, User, Role, Type and Level. Often look something like
One area I do not cover is Roles and SELinux Users.
The analogy I like to use for the Users and Roles is around Russian dolls. In that the User controls the reachable roles and the roles control the reachable types.
When we create an SELinux User, we have to specify which roles are reachable within the user. (We also specify which levels are are available to the user.
semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
In the example above you see the Staff_u user is able to reach the staff_r sysadm_r system_r unconfined_r roles, and is able to have any level in the MCS Range s0-s0:c0.c1023.
Notice also the system_u user, which can reach system_r unconfined_r roles as well as the complete MCS Range. System_u is the default user for all processes started at boot or started by systemd. SELinux users are inherited by children processes by default.
You can not assign an SELinux user a role that is not listed, The kernel will reject it with a permission denied.
# runcon staff_u:user_r:user_t:s0 sh
runcon: invalid context: ‘staff_u:user_r:user_t:s0’: Invalid argument
The next part of the Russian dolls is roles.
Here is the roles available on my Fedora Rawhide machine.
# seinfo -r
Roles control which types are available to a role.
# seinfo -rwebadm_r -x
In the example above the only valid type available to the webadm_r is the webadm_t. So if you attempted to transition from webadm_t to a different type the SELinux kernel would block the access.
system_r role is the default role for all processes started at boot, most of the other roles are "user" roles.
seinfo -rsystem_r -x | wc -l
As you can see there are over 950 types that can be used with the system_r.
Other roles of note:
object_r is not really a role, but more of a place holder. Roles only make sense for processes, not for files
on the file system. But the SELinux label requires a role for all labels. object_r is the role that we use to fill the objects on disks role. Changing a process to run as object_r or trying to assign a different role to a file will always be denied by the kernel.
RBAC - Roles Based Access Control
SELinux Users and Roles are mainly used to implement RBAC. The idea is to control what an adminsitrator can do on a system when he is logged in. For certain activities he has to switch his roles. For example, he might log in to a system as a normal user role, but needs to switch to an admin role when he needs to administrate the system.
Most of the other roles that are assigned above are user roles. I have written about switching roles in the past when dealing with confined administrators and users. I usually run as the staff_r but switch to the unconfined_r (through sudo) when I become the administrator of my system.
Most people who use SELinux do not deal with RBAC all that often, but hopefully this blog helps remove some of the confusion on the use of Roles.
Dan Walsh's Blog
- Understanding SELinux Roles