Previous Entry Share Next Entry
Fedora 16 Alpha available part II, New SELinux Feature/File Name Transitions
Fedora 16 Alpha was just released: The announcement include the following:

  • SELinux Enhancements. SELinux policy package now includes a pre-built policy that will only rebuild policy if any customizations have been made. A sample test run shows 4 times speedup on installing the package from 48 Seconds to 12 Seconds and max memory usage from 38M to 6M. In addition to that, SELinux file name transition allows better policy management. For instance, policy writers can take advantage of this and write a policy rule that states, if a SELinux unconfined process creates a file named resolv.conf in a directory labelled etc_t, the file should get labeled appropriately. This results is less chances of mislabeled files. Also, from this release onwards, selinuxfs is mounted at /sys/fs/selinux instead of in /selinux. All the affected components including anaconda, dracut, livecd-tools and policycoreutils have been modified to work with this change.

Named File Transitions Feature

This feature was added to F16 to make labelling files easier for users and administrators.  The goal is to prevent accidental mislabelling of file objects.

Accidental mislabelling

Users or administrators often create files or directories that do not have the same label as the parent directory, and then forget to fix the label. An example of this would be the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would get created admin_home_t, even though the policy requires it to be labelled ssh_home_t.   Later when he tries to use the content of the .ssh directory to login without a password, sshd (sshd_t) fails to read the directories contents because sshd is not allowed to read files labelled admin_home_t.

Another example would be a user creating the public_html directory in his home directory.  The default label for content in the home directory is user_home_t, but SELinux requires the public_html directory to be labelled http_user_content_t or the apache process (httpd_t) will not be allowed to read it.

File Transitions Policy

Policy writers have always be able to write a file transition rule that includes the type of the processes creating the file object (NetworkManger_t), the type of the directory that will contain the file object (etc_t) and the class of the file object (file).  Then specify the type of the created object (net_conf_t).

filetrans_pattern(NetworkManager_t, etc_t, net_conf_t, file)

This policy line says that a process running as NetworkManager_t creating any file in a directory labelled etc_t will create it with the label net_conf_t.

Named File Transitions Policy

Eric Paris added a cool feature to the kernel that allows the kernel to label a file based on 4 characteristics instead of just three.  He added the base file name.  (Not the path).

Now we can write policy rules that state:

  • If the unconfined_t user process creates the ".ssh" directory in a directory labelled admin_home_t, then it will get created with the label ssh_home_t.

    filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")

  • If the staff_t user process creates a directory named public_html in a directory labeled user_home_dir_t it will get labeled

    http_user_content_t. filetrans_pattern(staff_t, user_home_dir_t, http_user_content_t, dir, "public_html")

Additionally we have added rules to make sure if the kernel creates content in /dev it will label it correctly rather then waiting for udev to fix the label.             

filetrans_pattern(kernel_t, device_t, wireless_device_t, chr_file, "rfkill")

Bottom line. 

There should be less occurrences of accidental mislabels by users and hopefully a more secure and better running SELinux system.

  • 1
You switched the third and fourth argument of filetrans pattern in the examples. Or maybe it has changed since, but according to the definition the class should be after the third type. It can be confusing for readers eager to try the examples.

allow $1 $2:dir rw_dir_perms;
type_transition $1 $2:$4 $3 $5;

Thanks I fixed the original blog.

  • 1

Log in

No account? Create an account