1.5. What Is New in Red Hat Enterprise Linux 7

This section provides a brief overview of new SELinux features that have been introduced in Red Hat Enterprise Linux 7. For each feature described below, a link is provided to full documentation in the book.
File Name Transition
Previously, when a process created an object (for example, a file) in a directory whose label differed from the one the new object should carry, the object was often labeled incorrectly, because a type transition could only be expressed per object class, not per file name. With the file name transition feature, policy writers can now include the file name in a rule. It is now possible to write a rule that states: if a process labeled A_t creates an object of a specified class in a directory labeled B_t, and that object is named objectname, it gets the label C_t. This mechanism reduces incorrect labeling and gives policy writers more fine-grained control over what system processes create.
See Section 4.13, “File Name Transition” for more information about File Name Transition.
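The following loadable policy module is an added example written for this section, not a module shipped with Red Hat Enterprise Linux 7 or taken from the guide. The domain myapp_t and the file type myapp_log_t are hypothetical names chosen for illustration; var_log_t (the type of /var/log), and the domain, file_type, and logfile attributes are real parts of the targeted policy. It shows the rule form described above: a file created by myapp_t in a var_log_t directory receives myapp_log_t only when its name is "myapp.log".

```selinux
module myapp_logtrans 1.0;

# Added example, not from the guide. Names are assumptions: myapp_t is a
# hypothetical confined domain and myapp_log_t the private type its log file
# should receive. var_log_t is the real type of /var/log in the targeted
# policy; domain, file_type and logfile are real policy attributes.
require {
    attribute domain;
    attribute file_type;
    attribute logfile;
    type var_log_t;
    class dir { search write add_name remove_name };
    class file { create open read write append getattr setattr unlink };
}

type myapp_t, domain;
type myapp_log_t, file_type, logfile;

# A transition rule only chooses the label of the new object; separate allow
# rules are still required for adding the directory entry and for using the
# file once it carries the new type.
allow myapp_t var_log_t:dir { search write add_name remove_name };
allow myapp_t myapp_log_t:file { create open read write append getattr setattr unlink };

# File name transition: if myapp_t creates a *file* in a var_log_t directory
# and that file is named exactly "myapp.log", it is labeled myapp_log_t.
# The match is on the final path component only; globs are not supported.
type_transition myapp_t var_log_t:file myapp_log_t "myapp.log";

# No unnamed type_transition is declared, so any other file myapp_t creates
# in a var_log_t directory (for example "myapp.log.1") keeps the default
# behaviour and inherits the directory's type, var_log_t.
```

Build and load the module with checkmodule -M -m, semodule_package, and semodule -i, then confirm that the rule is present with sesearch -T -s myapp_t -t var_log_t -c file, which prints the transition together with its "myapp.log" qualifier. A transition rule only affects objects created after it is loaded; files that already exist keep their current label until they are relabeled, for example with restorecon.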
OpenShift
The OpenShift Platform as a Service (PaaS) has been added to the list of SELinux confined services. OpenShift provides a platform in the cloud where developers and teams can build, test, deploy, and run their applications. See Chapter 25, OpenShift by Red Hat for more information about SELinux configuration of OpenShift.
Identity Management
Identity Management (IdM) has been added to the list of SELinux confined services. IdM provides centralized authentication, authorization, and account information by storing data about users, groups, hosts, and other objects necessary to manage the security aspects of a network of computers. See Chapter 26, Identity Management for more information about SELinux configuration of IdM.
Disable ptrace()
The new deny_ptrace Boolean has been added to the list of SELinux Booleans. When it is turned on (persistently with the setsebool utility), SELinux denies every domain the ptrace permission, so a compromised process cannot attach to and inspect the memory of another process; note that this also prevents legitimate debugging tools such as gdb and strace from working. See Section 4.14, “Disable ptrace()” for more information about deny_ptrace.
New Confined Domains
With Red Hat Enterprise Linux 7, many products and services run in their own confined domains. For example, SELinux now supports:
OpenStack
OpenStack is a cloud computing platform which consists of various components, such as Swift, Nova, or Glance. The swift_t, nova_*, and glance_* domains have been added to the SELinux policy.
OpenShift
OpenShift is a cloud computing platform. The openshift_* domains have been added to the SELinux policy.
realmd
The realmd utility is a D-Bus service that manages discovery and enrollment in realms and domains such as Active Directory or Identity Management. The realmd_t domain has been added to the SELinux policy.
glusterd
The glusterd utility is a volume management daemon. The glusterd_t domain has been added to the SELinux policy.
stapserver
The stapserver utility is the SystemTap compile server, which builds instrumentation modules for SystemTap clients. The stapserver_t domain has been added to the SELinux policy.
OpenLMI
OpenLMI (Open Linux Management Infrastructure) provides a common infrastructure for the management of Linux systems. The pegasus_openlmi_* domains have been added to the SELinux policy.
To learn more about the confined domains, see Chapter 3, Targeted Policy. See Section 10.3.3, “Manual Pages for Services” for more information about manual pages for services.
Shrinking Policy
Previously, policy rules were generated by M4 macros, which expanded into a separate rule for every type they covered; as a result, the SELinux policy consumed a large amount of kernel memory and took a long time to load during boot. In Red Hat Enterprise Linux 7, attributes that group types together are used instead of macros, so a single rule written against an attribute applies to all of its types, which simplifies the SELinux policy and shrinks its size. For example, some SELinux domains, mainly for cluster and antivirus services, have been merged together:
  • The amavis.pp and clamav.pp modules have been consolidated into the antivirus.pp module and aliased to the antivirus_t type:
    typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t }
  • The pacemaker.pp, corosync.pp, and aisexec.pp modules have been consolidated into the rhcs.pp module and aliased to the cluster_t type:
    typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t }
The size of the SELinux policy has been reduced by 80 percent, it now loads significantly faster, and it consumes less kernel memory during boot. Because the old type names are kept as aliases, existing rules and file contexts that refer to, for example, amavis_t or corosync_t continue to work.
Pre-built Policy
The selinux-policy package now contains a pre-built policy; the SELinux policy is recompiled after installation only if the user made any local customizations to the policy. This change speeds up the package installation process and lowers the memory usage.
Secure Linux Containers
Linux Containers is a low-level virtualization feature that allows you to run multiple copies of the same service at the same time on a system. When creating a secure Linux container, the virt-sandbox-service utility uses a systemd unit file to properly set up a service within the container. The libvirt library then launches the container with the SELinux context specified in the SELinux policy.
To learn more about secure Linux containers, see Chapter 8, Secure Linux Containers.
The sepolicy Suite
The sepolicy utility provides a suite of features to query the installed SELinux policy. The suite allows you to generate transition reports, man pages, or even new policy modules, thus giving users easier access to, and a better understanding of, the SELinux policy.
To learn more about the sepolicy inspection suite, see Chapter 5, The sepolicy Suite.
Thumbnail Protection
Previously, the thumbnail drivers were not locked when the screen was locked. Consequently, it was possible to use the thumbnail driver code to bypass the lock screen without entering a password. New SELinux policy rules have been introduced to prevent this type of attack, improving system security. See Section 4.15, “Thumbnail Protection” for more information about thumbnail protection.
Disabling Permissive Domains
All permissive domain declarations have been moved into the new permissivedomains.pp module. Consequently, it is now possible to disable all permissive domains at once by disabling this single module with the semodule utility. See Section 10.3.4.2, “Disabling Permissive Domains” for more information about this module.
Labeled NFS
Passing SELinux labels between an NFS client and server is now supported (this requires NFS version 4.2). With the new labeled NFS feature, files on a single NFS volume can carry different SELinux labels instead of all sharing one label assigned at mount time, which gives finer control over which confined domains may access which files on the volume.
See Section 16.1, “NFS and SELinux” for more information about labeled NFS.
SELinux Systemd Access Control
In Red Hat Enterprise Linux 7, the systemd daemon manages all requests to start and stop system services. Each such request is mapped to an SELinux access check, so systemd asks SELinux whether the caller is permitted to start, stop, or query the given unit. Because systemd itself launches the service, the domain transition is always computed from systemd's own context, which gives a service the same SELinux label whether it is started automatically at boot or manually by an administrator.
To learn more about SELinux and systemd integration, see Chapter 9, SELinux systemd Access Control.