Red Hat Enterprise Linux 5 Deployment Guide: Object Classes and Permissions; Targeted Policy Overview; What Is the Targeted Policy?

Chapter 44. Security and SELinux

44.7.4. Object Classes and Permissions

SELinux groups objects into classes, and each class carries its own set of permissions, so related
permissions can be handled together. For example:
• File-related classes include filesystem for file systems, file for files, and dir for directories.
Each class has its own associated set of permissions.
The filesystem class has permissions such as mount, unmount, getattr (get attributes), quotamod
and quotaget (set and get quotas), relabelfrom and relabelto, and so forth. The file class has the
common file permissions such as read, write, getattr, setattr, lock, relabelfrom, relabelto, link,
rename, append, and so on.
• Network-related classes include tcp_socket for TCP sockets, netif for network interfaces, and
node for network nodes.
The netif class, for example, carries permissions for sending and receiving on TCP, UDP and raw IP
sockets over an interface (tcp_recv, tcp_send, udp_send, udp_recv, rawip_recv, and rawip_send).
The object classes have matching declarations in the kernel, so adding or changing an object class is
not trivial. The same is true for permissions. At the time of writing, development work was ongoing to
make it possible to dynamically register and unregister classes and permissions.
Permissions are the actions that a subject can perform on an object, if the policy allows it. Every
access request that SELinux allows or denies is expressed as a source context, a target context,
an object class, and one or more permissions of that class; the same four elements appear in every
AVC message in the audit log.
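The class and permission names above are exactly what an AVC denial reports. The following is an added example, not code from the Deployment Guide: it parses constructed audit-log lines in the RHEL 5 AVC format (the sample lines, pids and labels are made up for illustration) and collapses them into the source type, target type, class and permission set that an allow rule would need, in the syntax that audit2allow emits.

```python
import re

# Constructed sample lines in the RHEL 5 audit.log AVC format (not taken from the guide).
SAMPLE_AVC = """\
type=AVC msg=audit(1180000000.123:45): avc:  denied  { read } for  pid=25129 comm="httpd" name="index.html" dev=sda3 ino=123456 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1180000000.456:46): avc:  denied  { name_bind } for  pid=25129 comm="httpd" src=8123 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1180000000.789:47): avc:  denied  { read write } for  pid=25176 comm="ntpd" name="ntp.drift" dev=sda3 ino=77 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
_AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Third field of user:role:type[:range] is the type (domain for a process)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return the decision, permissions and contexts of one AVC line, or None."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def summarize(lines):
    """Collapse denials into {(source type, target type, class): set(permissions)}."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return rules


def to_allow_rules(rules):
    """Render each entry as the allow rule audit2allow would print for it."""
    return ['allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(rules.items())]


if __name__ == '__main__':
    for rule in to_allow_rules(summarize(SAMPLE_AVC.splitlines())):
        print(rule)
```

A rule produced this way is a description of what was denied, not automatically the right fix: a denial of httpd_t on a user_home_t file usually means the content is mislabelled (or a policy boolean is off), and relabelling it is narrower than granting httpd_t access to every home directory file.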

44.8. Targeted Policy Overview

This chapter is an overview and examination of the SELinux targeted policy, the current supported
policy for Red Hat Enterprise Linux.
Much of the content in this chapter is applicable to all types of SELinux policy, in terms of file locations
and the type of content in those files. The difference lies in which files exist in the key locations and
their contents.

44.8.1. What is the Targeted Policy?

The SELinux policy is highly configurable. For Red Hat Enterprise Linux 5, Red Hat supports
a single policy, the targeted policy. Under the targeted policy, every process (subject) that is not
one of the specifically targeted daemons runs in the unconfined_t domain. Files and other objects
keep their labels, but a process in unconfined_t has no SELinux restrictions placed on it and falls
back to standard Linux security, that is, DAC. The daemons that are part of the targeted policy run
in their own domains and are limited to the operations that their domain's policy explicitly allows.
This way, a daemon that is exploited or compromised in any way is contained and can only cause
limited damage.
For example, the http and ntp daemons are both protected in the default targeted policy, and run in
the httpd_t and ntpd_t domains, respectively. The ssh daemon, however, is not protected in this
policy, and consequently runs in the unconfined_t domain. The set of confined daemons changes
with policy updates, so confirm which domain a daemon actually runs in on a given system rather than
assuming it from the documentation.
Refer to the following sample output (in the format of ps -eZ), which illustrates the domains of the
daemons mentioned above:
user_u:system_r:httpd_t           25129 ?        00:00:00 httpd
user_u:system_r:ntpd_t            25176 ?        00:00:00 ntpd
system_u:system_r:unconfined_t    25245 ?        00:00:00 sshd
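The practical check that follows from this section is to ask which long-running daemons a system is actually relying on SELinux to contain and which are unconfined. The following is an added example, not code from the Deployment Guide: it parses ps -eZ output (a constructed sample in that format, with made-up pids, is embedded so it runs offline) and lists the daemons that run in unconfined_t and are therefore covered by DAC alone.

```python
import sys

# Constructed sample in ps -eZ format (LABEL PID TTY TIME CMD); pids are made up.
SAMPLE_PS = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t              1 ?        00:00:01 init
system_u:system_r:syslogd_t        2043 ?        00:00:00 syslogd
user_u:system_r:httpd_t           25129 ?        00:00:00 httpd
user_u:system_r:ntpd_t            25176 ?        00:00:00 ntpd
system_u:system_r:unconfined_t    25245 ?        00:00:00 sshd
user_u:system_r:unconfined_t      25301 pts/0    00:00:00 bash
"""


def parse_ps_ez(text):
    """Turn ps -eZ output into records; the label is the first column, the command the last."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] == 'LABEL':
            continue  # header or truncated line
        label, pid, tty, cputime, cmd = parts
        procs.append({
            'label': label,
            'domain': label.split(':')[2],   # user:role:type[:range] -> type
            'pid': int(pid),
            'tty': tty,
            'cmd': cmd,
        })
    return procs


def domain_map(procs):
    """{domain: [commands running in it]}, in ps order."""
    by_domain = {}
    for p in procs:
        by_domain.setdefault(p['domain'], []).append(p['cmd'])
    return by_domain


def unconfined_daemons(procs):
    """Commands in unconfined_t with no controlling terminal: daemons SELinux is not restricting.

    Interactive shells in unconfined_t are expected under the targeted policy and are skipped.
    """
    return sorted(p['cmd'] for p in procs
                  if p['domain'] == 'unconfined_t' and p['tty'] == '?')


if __name__ == '__main__':
    # Pipe real output in with: ps -eZ | python this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    procs = parse_ps_ez(text)
    for domain, cmds in sorted(domain_map(procs).items()):
        print('%-32s %s' % (domain, ' '.join(cmds)))
    print('unconfined daemons:', ', '.join(unconfined_daemons(procs)) or 'none')
```

On the sample this reports sshd as the one unconfined daemon, matching the page's example; run against a live system it shows whether a later policy has since confined a service the documentation lists as unconfined.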
