March 25th, 2011

10 things you probably did not know about SELinux.. #4

#4 How do I tell whether a domain is confined on an SELinux System?

On SELinux targeted systems, we have confined domains and unconfined domains, and as of RHEL6 and all supported Fedoras we also have permissive domains.  SELinux does not block access on processes running in these domains, for the most part.

Unconfined Domains

An unconfined domain is supposed to be a process that has the same rights as it would if SELinux was disabled.  There are a few caveats to this though. 

Process Transitions

A process transition says when process running as label a_t executes a file labeled b_exec_t it should execute the process as b_t  An example of this would be service httpd start.  In this case we have unconfined_t running an init script labeled initrc_exec_t and SELinux starts the process as initrc_t. 

# sesearch -T -s unconfined_t -t initrc_exec_t
Found 1 semantic te rules:
   type_transition unconfined_t initrc_exec_t : process initrc_t;

Then the init script has a rule that says initrc_t executing httpd_exec_t will transition to httpd_t

# sesearch -T -s initrc_t -t httpd_exec_t
Found 1 semantic te rules:
   type_transition initrc_t httpd_exec_t : process httpd_t;

This means that even though the process that started another process was unconfined, the new process can be confined.  We tend to discourage transitions from the unconfined_t user domain, since this can surprise the user.  "I thought I was unconfined, why when I start XYZ does SELinux block it?"

Other then transitioning to initrc_t there are currently 55 executables that transition out of the unconfined_t domain.

#  sesearch -T -s unconfined_t -c process -C| grep -v initrc_t| grep -v ^D | wc -l

A lot of these domains are also unconfined.  unconfined_java_t for example is the same as unconfined_t except it has execstack and execmem privilege always.

Minor Denials

In some cases I have been convinced to add minor confinement to even unconfined domains.  The most seen one of these was the executable memory checks.  execmem, execmod, execheap and execstack.  There are booleans to turn on and off the checks for the unconfined domains.

Listing unconfined domains

You can use seinfo to list the unconfined domains.

# seinfo -aunconfined_domain_type -x | wc -l

Disabling unconfined domains

You can easily disable lots of domains unconfined domains to make your machine more locked down.  In RHEL6 and Fedora their are two policy modules unconfined and unconfineduser.  If you disable unconfined it will lock down most of system space.

# semodule -d unconfined
# seinfo -aunconfined_domain_type -x | wc -l

This is how I usually run.  In this mode, it will require you to have policy for all apps launched out of init system or xinetd.

You can also disable the unconfined user, by executing the following commands.

# semanage login -m -s staff_u root
# semanage login -m -s staff_u __default__
# semanage user -d unconfined_u
# semanage user -m -R "staff_r system_r sysadm_r" staff_u

# semodule -d unconfineduser

As long as unconfined is not defined in either the semanage user or semanage login database this should work and you pretty much get back to what used to be strict policy.

I tend to leave unconfineduser enabled, but setup all my users as confined, and allow staff_t to transition to unconfined_t through sudo.

Adding unconfined domains to when building policy modules

If you were building your own policy module and you wanted to build an unconfined domain, you would write code like:

type mydomian_t;



Permissive Domains

The other type of domain that SELinux does not block is the permissive domain.    These are usually domains under construction.  SELinux allows these domains to do any thing but reports AVC;s on them when they do something not allowed in policy.  When we develop policy for Fedora, we define all new domains as permissive and allow them to run permissive through an entire run of a release.  Then in the next release we turn them to enforcing.  One difference between F15 and F16 policy is we just removed the permissive flag from all domains in F15.

Listing Permissive Domains

You can see the permissive domains in two ways.

# seinfo  --permissive  | wc -l

Or you can use the semanage command to list them

# semanage permissive -l

Builtin Permissive Types


Customized Permissive Types


Adding Permissive Domains

Notice that the semanage command differentiates between customized permissive domains and built-ins.  With the semanage command, the administrator can choose to make a domain permissive, by executing

# semanage permissive -a httpd_t
# seinfo  --permissive  |grep http

Removing Permissive Domains

You can remove a customized permissive domain by executing:

# semanage permissive -d httpd_t

You can not currently remove permissive domains if they are the built-in into policy.

Adding permissive domains to when building policy modules

If you were building your own policy module and you wanted to build a permissive domain, you would write code like:

type mydomian_t;

permissive mydomain_t;