danwalsh (danwalsh) wrote,

Fedora 17 New Security Feature part IX - File Name Transitions

File Name Transitions were introduced to the kernel in Fedora 16 by Eric Paris.

Eric actually expected policy writers to only add a few dozen file name transition rules, well in Fedora 17 we now have nearly 100,000 rules:

sesearch -T /etc/selinux/targeted/policy/policy.27 | grep \" | wc -l

Most of these rules are to make devices created in /dev and files/directories created by the unconfined/admin processes be labelled correctly.  A common problem users of SELinux have seen was when an unconfined_t user creating /root/.ssh or $HOME/.ssh.  Then they would place authorization content in the directory.  When they tried to use the content to gain access to the system via sshd, sshd would be blocked from the directory by SELinux because the directory and its contents had the wrong label.  The user needs to run restorecon -R -v /root/.ssh to fix the labels.

Before File Name Transitions the directory would be created with the label based on the label of /root, admin_home_t.   But as of Fedora 16 Policy Writers write rules that say:  "If the unconfined_t user creates a directory named .ssh in a directory labelled admin_home_t, it will get created as ssh_home_t."

  type_transition unconfined_t admin_home_t : dir ssh_home_t ".ssh";

How is this a security feature?

I explained in a previous blog, there are three ways content gets labeled within a directory.  The File Transition rule is a mechanism the policy writer has used since SELinux was first developed to create content within a directory with a different label then the directories label.  Policy writers wrote rules that said if a process running as NetworkManager_t created a file in a directory labeled etc_t it would be labeled net_conf_t.

  type_transition NetworkManager_t etc_t : file net_conf_t;

Or if a process running as mozilla_t created a directory in a directory labeled user_home_dir_t, it would get created as mozilla_home_t.

  type_transition mozilla_t user_home_dir_t : dir mozilla_home_t;

But this is not very fine grained control.  A hacked NetworkManager could create any file in a any directory labeled etc_t, if it did not exist.  If /etc/passwd did not exist for some reason SELinux would not block a confined NetworkManager from creating its own /etc/passwd.  A hacked firefox running as mozilla_t would not be blocked from creating a missing $HOME/.ssh directory.

With File Name Transition rules, policy writers can now specify the file name.  Meaning we can writer finer grained control.  We can say NetworkManager can only create the "resolv.conf" file in a directory labeled etc_t or a   confined firefox can only create the .mozilla directory in a users home directory

As an example of this the Thumbnail confinement added in Fedora 17 has:

type_transition thumb_t user_home_dir_t : file thumb_home_t "missfont.log";
type_transition thumb_t user_home_dir_t : dir thumb_home_t ".thumbnails";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-12";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-10";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-0.10";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-0.12";

Which means thumbnailers running as thumb_t can only create a file labelled missfont.log or directories labeled .thumbnails or .gstreamer-* in the home directory.

Nice job Eric, you increased the Security of SELinux and made it easier to use at the same time!

  • Container Domains (Types)

    One of the things people have always had a hard time understanding about SELinux is around different types. In this blog, I am going to discuss…

  • Musings on Hybrid Cloud

    I work on the lowest levels of container runtimes and usually around process security. My team and I work on basically everything needed run…

  • Container Labeling

    An issue was recently raised on libpod, the github repo for Podman. "container_t isn't allowed to access container_var_lib_t" Container policy…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

  • 1 comment