Object Classes And Permissions - Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual

Chapter 2. SELinux Policy Overview

The way SELinux implements its label in the xattr is different from other labeling schemes. SELinux stores its labels in human-readable strings. This provides a meaningful label with the file that can help in backup, restoration, and moving files between systems. Standard attributes do not provide a label that has continuous meaning for the file.

In this example under the targeted policy, the policy does not specify anything about files created by unconfined_t in the directory /tmp, so the files inherit the context from the parent directory:

    id -Z
    root:system_r:unconfined_t
    ls -dZ /tmp
    drwxrwxrwt  root  root  system_u:object_r:tmp_t  /tmp/
    touch /tmp/foo
    ls -Z /tmp/foo
    -rw-r--r--  root  root  root:object_r:tmp_t  /tmp/foo

In this example under a different policy, the policy explicitly states that files created by user_t in /tmp have a type of user_tmp_t:

    id -Z
    user_u:staff_r:user_t
    ls -dZ /tmp
    drwxrwxrwt  usera  usera  system_u:object_r:tmp_t  /tmp/
    touch /tmp/foo
    ls -Z /tmp/foo
    -rw-r--r--  usera  usera  root:object_r:user_tmp_t  /tmp/foo

This finer grained control is implemented via policy using the tmp_domain() macro, which defines a temporary type per domain. In this macro, the variable $1_tmp_t is expanded by substituting the subject's type base, so that user_t creates files with a type of user_tmp_t.

Having separate types for /tmp/ files protects a domain's temporary files against tampering or disclosure by other domains. It also protects against misdirection through a malicious symlink. In the targeted policy, the confined daemons have separate types for their temporary files, keeping those daemons from interfering with other /tmp/ files.

A privileged application can override any stated labeling rule by writing a security context to /proc/self/attr/fscreate using setfscreatecon(3). This action must still be allowed by policy. The context is then used to label the next newly created file object, and the fscreate is automatically reset after the next execve or through setfscreatecon(NULL). This ensures that a program starts in a known state without having to be concerned what context was left by the previous program in /proc/self/attr/fscreate.

2.5. Object Classes and Permissions

SELinux defines a number of classes for objects, making it easier to group certain permissions by specific classes. Here are some examples:

File related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions. The filesystem class can mount, unmount, get attributes, set quotas, relabel, and so forth. The file class gains the common file permissions such as read, write, get and set attributes, lock, relabel, link, rename, append, etc.

Network related classes include tcp_socket for TCP sockets, netif for network interfaces, and node for network nodes. The netif class, for example, can send and receive on TCP, UDP and raw sockets (tcp_recv, tcp_send, udp_recv, udp_send, rawip_recv, and rawip_send.)
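As an added example (not code from the guide), the file-labeling rule from the preceding section is modelled in Python: the tmp_domain() macro's $1_tmp_t expansion for a domain that has the macro applied, versus inheritance of the parent directory's type, and the model is then used to check ls -Z output for files whose type matches neither rule. The ls -Z lines and policy assignments are constructed from the page's examples, with one extra mislabeled file (/tmp/bar) added as an assumption; the four-field MLS level handling is also an assumption.

```python
import re

# Context fields as printed on this page: user:role:type. A fourth MLS level
# field is tolerated (assumption; the RHEL 4 examples here show three fields).
CONTEXT_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+)(?::(\S+))?$")

def parse_context(ctx):
    """Split 'root:object_r:tmp_t' into its user, role, type and level parts."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, stype, level = m.groups()
    return {"user": user, "role": role, "type": stype, "level": level}

def tmp_domain(domain_type):
    """Expand the tmp_domain() macro's $1_tmp_t for a subject type such as user_t."""
    if not domain_type.endswith("_t"):
        raise ValueError(f"not a type name: {domain_type!r}")
    return domain_type[:-len("_t")] + "_tmp_t"

def expected_type(creator_type, parent_type, tmp_domains):
    """Type a new file should get: the per-domain type when the creating domain
    has tmp_domain() applied, otherwise the type inherited from the parent directory."""
    return tmp_domain(creator_type) if creator_type in tmp_domains else parent_type

def parse_ls_z(line):
    """Parse one 'ls -Z' line in the five-field layout shown on this page."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"unexpected ls -Z layout: {line!r}")
    perms, owner, group, ctx, path = fields
    return {"perms": perms, "owner": owner, "group": group,
            "context": parse_context(ctx), "path": path}

def find_mislabeled(ls_lines, creator_type, parent_type, tmp_domains):
    """Return (path, actual_type, expected_type) for files whose type is not
    the one the labeling rule predicts; an empty list means all labels agree."""
    want = expected_type(creator_type, parent_type, tmp_domains)
    return [(e["path"], e["context"]["type"], want)
            for e in map(parse_ls_z, ls_lines) if e["context"]["type"] != want]

# Constructed sample input: the page's two ls -Z lines plus one file (/tmp/bar)
# deliberately left with the inherited tmp_t type under the per-domain policy.
TARGETED = ["-rw-r--r-- root root root:object_r:tmp_t /tmp/foo"]
OTHER_POLICY = ["-rw-r--r-- usera usera root:object_r:user_tmp_t /tmp/foo",
                "-rw-r--r-- usera usera root:object_r:tmp_t /tmp/bar"]

if __name__ == "__main__":
    print(find_mislabeled(TARGETED, "unconfined_t", "tmp_t", set()))    # []
    print(find_mislabeled(OTHER_POLICY, "user_t", "tmp_t", {"user_t"}))  # [('/tmp/bar', 'tmp_t', 'user_tmp_t')]
```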