In Red Hat Enterprise Linux 7, we have fixed one of the biggest issues with SELinux where initial creation of content by users and administrators can sometimes get the wrong label.
The new feature makes labeling files easier for users and administrators. The goal is to prevent the accidental mislabeling of file objects.
Users and administrators often create files or directories that do not have the same label as the parent directory, and then they forget to fix the label. One example of this would be an administrator going into the
/root directory and creating the
.ssh directory. In previous versions of Red Hat Enterprise Linux, the directory would get created with a label of
admin_home_t, even though the policy requires it to be labeled
ssh_home_t. Later when the admin tries to use the content of the
.ssh directory to log in without a password,
sshd_t) fails to read the directory's contents because
sshd is not allowed to read files labeled
admin_home_t. The administrator would need to run
restorecon -R -v /home/.ssh to fix the labels, and often they forget to do so.
Another example would be a user creating the
public_html directory in his home directory. The default label for content in the home directory is
user_home_t, but SELinux requires the
public_html directory to be labeled
http_user_content_t, which allows the Apache process (
httpd_t) to read the content. We block the Apache process from reading
user_home_t as valuable information like user secrets and credit-card data could be in the user's home directory.
File Transitions Policy
Policy writers have always be able to write a file transition rule that includes the type of the processes creating the file object (
NetworkManger_t), the type of the directory that will contain the file object (
etc_t), and the class of the file object (
file). They can also specify the type of the created object (
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)
This policy line says that a process running as
NetworkManager_t creating any file in a directory labeled
etc_t will create it with the label
Named File Transitions Policy
Eric Paris added a cool feature to the kernel that allows the kernel to label a file based on four characteristics instead of just three. He added the base file name (not the path).
Now policy writers can write policy rules that state:
- If the
unconfined_tuser process creates the
.sshdirectory in a directory labeled
admin_home_t, then it will get created with the label
ssh_home_t: `filetrans_pattern(unconfined_t, admin_home_t, dir, ssh_home_t, ".ssh")
- If the
staff_tuser process creates a directory named
public_htmlin a directory labeled
user_home_dir_t, it will get labeled
http_user_content_t: `filetrans_pattern(staff_t, user_home_dir_t, dir, http_user_content_t, "public_html")
Additionally, we have added rules to make sure that if the kernel creates content in
/dev, it will label it correctly rather than waiting for
udev to fix the label.
filetrans_pattern(kernel_t, device_t, chr_file, wireless_device_t, "rfkill")
This can also be considered a security enhancement, since in Red Hat Enterprise Linux 6, policy writers could only write rules based on the the destination directory label. Consider the example above using
NetworkManager_t. In Red Hat Enterprise Linux 6, a policy writer would write
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t), which means the
networkmanager process could create any file in an
etc_t directory (
/etc) that did not exist. If for some reason the
/etc/passwd file did not exist, SELinux policy would not block
NetworkManager_t from creating
/etc/passwd. In Red Hat Enterprise Linux 7, we can write a tighter policy like this:
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t, "resolv.conf")
This states that NetworkManger can only create files named
resolv.conf in directories labeled
etc_t. If it tries to create the
passwd file in an
etc_t directory, the policy would check if
NetworkManager_t is allowed to create an
etc_t file, which is not allowed.
This feature should result in less occurrences of accidental mislabels by users and hopefully a more secure and better-running SELinux system.