July 15th, 2009

Understanding SELinux

A colleague of mine, Andrew, was baffled by SELinux. He ran

sudo vpnc ./default.conf

and got an SELinux denial message about vpnc_t trying to read a file labeled user_home_t. He did not understand what was going on.

Three people chimed in and gave him different ways to get around the SELinux denial.

The first advised him to label the file etc_t:
chcon -t etc_t ./default.conf

The second advised him to build a custom policy module using audit2allow:

grep vpnc /var/log/audit/audit.log | audit2allow -m myvpnc; semodule -i myvpnc.pp

The third advised him to edit the file /etc/vpnc/default.conf instead of a local copy in his home directory.

Andrew found that all three solutions worked. Let's examine what is going on and figure out which one is best.

When Andrew logs into the system, SELinux assigns him the default SELinux user, unconfined_t. For the most part, the unconfined user is allowed to do everything he could do if SELinux were disabled. Some commands that the unconfined_t user executes have transition rules: when the unconfined_t user executes a program labeled vpnc_exec_t, the process transitions to the vpnc_t label. vpnc_t is a confined domain that is not allowed to read files in the user's home directory, which are labeled user_home_t. Since ./default.conf was created in Andrew's home directory, SELinux denies access.

In the first solution Andrew changed the label of ./default.conf to etc_t, the default label for files in /etc. Since vpnc_t is allowed to read files labeled etc_t, vpnc worked, and Andrew has not changed the protection level of the vpnc application. However, Andrew now has a file in his home directory labeled etc_t. The default rule for files created in the home directory is to label them user_home_t, so there is a reasonably good chance that Andrew will one day create a new default.conf with the wrong label and get frustrated by SELinux all over again.

The second solution was to use audit2allow to generate a new policy module that allows vpnc_t to read files labeled user_home_t. While this works, it lowers the security level of the system. By installing this policy you allow vpnc_t to read almost any file in your home directory, so if vpnc is compromised, SELinux will no longer prevent the attacker from reading most of the content in your home directory.

The third solution was to edit the file in its default location, /etc/vpnc/default.conf. The default label for these files is etc_t, and the containing directory is also labeled etc_t, so an administrator editing files in this directory creates files labeled etc_t by default, and it is unlikely that they will get mislabeled. This is the solution I would suggest as the best.
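To make the denial Andrew saw concrete, here is a small shell script, added for this post rather than anything Andrew or I ran, that parses an AVC record of the same shape, pulls out the source domain, permission, target type and object class, and flags the case where the target is user_home_t. That flag is exactly the signal that the file is misplaced or mislabeled, which is when moving it to its system location (the third solution) beats widening the policy with audit2allow (the second). The audit lines are constructed, and the function names and helper logic are assumptions of mine; on a real system the record would come from /var/log/audit/audit.log.

```shell
#!/bin/sh
# Constructed AVC record (not taken from the post): the shape auditd writes
# to /var/log/audit/audit.log when vpnc_t is refused a home-directory file.
SAMPLE_AVC='type=AVC msg=audit(1247670000.123:456): avc:  denied  { read } for  pid=1234 comm="vpnc" name="default.conf" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:vpnc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# A second constructed record with an etc_t target, purely to exercise the
# parser on a non-home label (vpnc_t can normally read etc_t, so this exact
# denial would not appear in practice).
SAMPLE_ETC='type=AVC msg=audit(1247670000.124:457): avc:  denied  { read } for  pid=1234 comm="vpnc" name="default.conf" dev=dm-0 ino=12346 scontext=unconfined_u:unconfined_r:vpnc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Extract one key=value field ($2) from an audit record ($1).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Type component of a security context (user:role:TYPE:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reduce a denial to: source_type permissions target_type class
avc_summary() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf '%s %s %s %s\n' "$src" "$perm" "$tgt" "$cls"
}

# Succeeds (exit 0) when the denied object carries the home-directory label
# the post discusses: a misplaced or mislabeled file, not a gap in vpnc policy.
avc_targets_home() {
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = user_home_t ]
}

# Print the fix that keeps the vpnc_t domain as tight as it shipped.
avc_advice() {
    if avc_targets_home "$1"; then
        echo "home-dir label on target: put the file in its system location (for vpnc, /etc/vpnc) instead of writing an audit2allow module"
    else
        echo "target is not home-dir content: check the expected label with matchpathcon before changing anything"
    fi
}

avc_summary "$SAMPLE_AVC"
avc_advice  "$SAMPLE_AVC"
```

Run it as-is to see the summary line for the constructed record ("vpnc_t read user_home_t file") and the advice; to use it on a live box, feed it lines from `grep avc /var/log/audit/audit.log` instead of the constructed samples. The matchpathcon check in the non-home branch is the same question the post answers by hand: what label would this path get by default, and does the file you wrote actually carry it?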

As I have written before on this blog:

SELinux is all about labeling, and as long as the labeling is correct SELinux is happy; otherwise it will complain.