August 30th, 2011

Fedora 16 Alpha available, New SELinux Feature/Prebuilt Policy.

Fedora 16 Alpha was just released: The announcement include the following:

  • SELinux Enhancements.
    SELinux policy package now includes a pre-built policy that will only rebuild policy if any customizations have been made. A sample test run shows 4 times speedup on installing the package from 48 Seconds to 12 Seconds and max memory usage from 38M to 6M. In addition to that, SELinux file name transition allows better policy management. For instance, policy writers can take advantage of this and write a policy rule that states, if a SELinux unconfined process creates a file named resolv.conf in a directory labelled etc_t, the file should get labeled appropriately. This results is less chances of mislabeled files. Also, from this release onwards, selinuxfs is mounted at /sys/fs/selinux instead of in /selinux. All the affected components including anaconda, dracut, livecd-tools and policycoreutils have been modified to work with this change.


Pre-Built Policy

We made major changes to the selinux-policy-TYPE rpm. (selinux-policy-targeted-3.10.0-21.fc16)

The rpm now includes a pre-built /etc/selinux/targeted/policy/policy.26.  This policy file can be loaded right away in a fresh install.  In all previous versions of SELinux for RHEL and Fedora, we rebuilt this file in the post install.  The reason for this is we  need to recompile in local customizations that the user/administrator might have made on your system.  Additionally if any package shipped  with a policy we would need to recompile in those policy packages.  But as the size of policy grew we were seeing Anaconda installation times  grow and memory requirements grow because of selinux-policy package.  We were even seeing virtual machine installations blow up on selinux-policy package installs because of limited memory.  When we looked at the problem, we realized that on initial install of policy, no user would have made local customizations and very few packages are shipping with their own policy.  

I reworked the tools to include the policy packages within the payload and now the package will check in the pre-install if there was any local customizations, if yes, the post install will recompile the policy, but if not the policy will just install.

We also used to have to ship all of the policy modules, over 300, in the directory /usr/share/selinux/targeted and these would be copied into /etc/selinux/targeted/modules/active/, were we would never touch the files in /usr/share/selinux/targeted again.  Now we install directly into /etc/selinux/targeted/modules/active/.

What you should see is faster initial installs and faster selinux-package updates.  In Fedora 15 a policy-package update would take around 45-50 seconds, in Fedora 16 on an unmodified selinux-policy system it should take < 15 seconds.  If you are updating from Fedora 15 the first time, it will still take a long time, but the next update should go quick.  If you have modified the SELinux system by adding pp
files you will still see the recompile times that you always have.  :^(

Fedora 16 Alpha available part II, New SELinux Feature/File Name Transitions

Fedora 16 Alpha was just released: The announcement include the following:

  • SELinux Enhancements. SELinux policy package now includes a pre-built policy that will only rebuild policy if any customizations have been made. A sample test run shows 4 times speedup on installing the package from 48 Seconds to 12 Seconds and max memory usage from 38M to 6M. In addition to that, SELinux file name transition allows better policy management. For instance, policy writers can take advantage of this and write a policy rule that states, if a SELinux unconfined process creates a file named resolv.conf in a directory labelled etc_t, the file should get labeled appropriately. This results is less chances of mislabeled files. Also, from this release onwards, selinuxfs is mounted at /sys/fs/selinux instead of in /selinux. All the affected components including anaconda, dracut, livecd-tools and policycoreutils have been modified to work with this change.


Named File Transitions Feature

This feature was added to F16 to make labelling files easier for users and administrators.  The goal is to prevent accidental mislabelling of file objects.

Accidental mislabelling

Users or administrators often create files or directories that do not have the same label as the parent directory, and then forget to fix the label. An example of this would be the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would get created admin_home_t, even though the policy requires it to be labelled ssh_home_t.   Later when he tries to use the content of the .ssh directory to login without a password, sshd (sshd_t) fails to read the directories contents because sshd is not allowed to read files labelled admin_home_t.

Another example would be a user creating the public_html directory in his home directory.  The default label for content in the home directory is user_home_t, but SELinux requires the public_html directory to be labelled http_user_content_t or the apache process (httpd_t) will not be allowed to read it.

File Transitions Policy

Policy writers have always be able to write a file transition rule that includes the type of the processes creating the file object (NetworkManger_t), the type of the directory that will contain the file object (etc_t) and the class of the file object (file).  Then specify the type of the created object (net_conf_t).

filetrans_pattern(NetworkManager_t, etc_t, net_conf_t, file)

This policy line says that a process running as NetworkManager_t creating any file in a directory labelled etc_t will create it with the label net_conf_t.

Named File Transitions Policy

Eric Paris added a cool feature to the kernel that allows the kernel to label a file based on 4 characteristics instead of just three.  He added the base file name.  (Not the path).

Now we can write policy rules that state:


  • If the unconfined_t user process creates the ".ssh" directory in a directory labelled admin_home_t, then it will get created with the label ssh_home_t.

    filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")

  • If the staff_t user process creates a directory named public_html in a directory labeled user_home_dir_t it will get labeled

    http_user_content_t. filetrans_pattern(staff_t, user_home_dir_t, http_user_content_t, dir, "public_html")

Additionally we have added rules to make sure if the kernel creates content in /dev it will label it correctly rather then waiting for udev to fix the label.             

filetrans_pattern(kernel_t, device_t, wireless_device_t, chr_file, "rfkill")

Bottom line. 

There should be less occurrences of accidental mislabels by users and hopefully a more secure and better running SELinux system.