49.7. SELinux Policy Overview
49.7.1. What is the SELinux Policy?
49.7.1.1. SELinux Types
unconfined_t domain have an executable file with a type such as sbin_t. From an SELinux perspective, this means they are all equivalent in terms of what they can and cannot do on the system.
/usr/bin/postgres has the type postgresql_exec_t. All of the targeted daemons have their own *_exec_t type for their executable applications. In fact, the entire set of PostgreSQL executables such as pg_restore have the same type, postgresql_exec_t, and they transition to the same domain, postgresql_t, upon execution.
49.7.1.1.1. Using Policy Rules to Define Type Access
$AUDIT_LOG file. In Red Hat Enterprise Linux, this is set to /var/log/messages. The policy is compiled into binary format for loading into the kernel security server, and each time the security server makes a decision, it is cached in the AVC to optimize performance.
init, as explained in Section 49.7.3, “The Role of Policy in the Boot Process”. Ultimately, every system operation is determined by the policy and the type-labeling of the files.
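Because the targeted policy's $AUDIT_LOG is /var/log/messages, AVC decisions arrive as ordinary kernel syslog lines mixed in with everything else. The following is an added example, not code from the guide: it picks the AVC records out of syslog-format text, splits the source and target security contexts into user, role and type, and tallies denials by (source type, target type, object class, permission), which is the view a defender wants when deciding whether a denial is policy drift or misbehaviour. The log lines are constructed for the example; the field names (scontext, tcontext, tclass) are those the kernel AVC emits.

```python
"""Parse SELinux AVC records out of syslog-format lines and summarise denials.

Added example, not from the guide. SAMPLE_LOG is a constructed excerpt in the
shape of /var/log/messages on a targeted-policy system.
"""
import re
from collections import Counter

# Constructed excerpt: two denials, one unrelated sshd line, one granted decision.
SAMPLE_LOG = """\
May  3 10:15:42 host kernel: audit(1178187342.521:42): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
May  3 10:15:43 host sshd[1999]: Accepted publickey for admin from 192.0.2.10 port 52214 ssh2
May  3 10:16:01 host kernel: audit(1178187361.004:43): avc:  denied  { name_bind } for  pid=2400 comm="postgres" src=5433 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 10:16:05 host kernel: audit(1178187365.118:44): avc:  granted  { setenforce } for  pid=2500 comm="setenforce" scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

# "avc:  denied  { read write } for  key=value ..." -> decision, permission set, remainder
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are either "quoted" (comm, name) or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """user:role:type[:range]; the MLS range may itself contain ':' so split at most 3 times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = m.group("perms").split()
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_parsed"] = split_context(rec[key])
    return rec


def parse_log(text):
    """All AVC records in a block of syslog text, in order."""
    return [rec for rec in (parse_avc(line) for line in text.splitlines()) if rec is not None]


def denial_summary(records):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for rec in records:
        if rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_parsed"]["type"], rec["tcontext_parsed"]["type"],
                    rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in denial_summary(parse_log(SAMPLE_LOG)).items():
        print("%d x %s -> %s (%s: %s)" % ((n,) + key))
```

The tclass and permission fields are the object classes and permissions discussed in Section 49.7.4. Note that when the audit daemon is running, the kernel delivers AVC records to it rather than to syslog, so the same parser would be fed from /var/log/audit/audit.log instead.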
49.7.1.2. SELinux and Mandatory Access Control
m4 macros to capture common sets of low-level rules. A number of m4 macros are defined in the existing policy, which facilitate the writing of new policy. These rules are preprocessed into many additional rules as part of building the policy.conf file, which is compiled into the binary policy.
newrole, or by requiring a new process execution in the new domain. This movement between domains is referred to as a transition.
49.7.2. Where is the Policy?
selinux-policy-<policyname> package and supplies the binary policy file.
selinux-policy-devel package is installed.
49.7.2.1. Binary Tree Files
- /etc/selinux/targeted/ — this is the root directory for the targeted policy, and contains the binary tree.
- /etc/selinux/targeted/policy/ — this is the location of the binary policy file policy.<xx>. In this guide, the variable SELINUX_POLICY is used for this directory.
- /etc/selinux/targeted/contexts/ — this is the location of the security context information and configuration files, which are used during runtime by various applications.
- /etc/selinux/targeted/contexts/files/ — contains the default contexts for the entire file system. This is referenced by restorecon when performing relabeling operations.
- /etc/selinux/targeted/contexts/users/ — in the targeted policy, only the root file is in this directory. These files are used for determining context when a user logs in. For example, for the root user, the context is user_u:system_r:unconfined_t.
- /etc/selinux/targeted/modules/active/booleans* — this is where the runtime Booleans are configured.
Note: These files should never be manually changed. You should use the semanage tools to manipulate runtime Booleans.
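The default contexts under contexts/files/ are what restorecon compares the file system against. The following added example (not libselinux or policycoreutils code) models that lookup in simplified form: it parses a constructed file_contexts excerpt, resolves each path to its default label with the same "last matching entry wins" order libselinux uses, and reports the files whose label differs, which is what restorecon -n would print. Two details a practitioner relies on are handled: <<none>> entries, which tell restorecon to leave matching files alone, and the fact that restorecon compares only the type field unless forced with -F. The file_contexts lines and the inventory of current labels are constructed for the example.

```python
"""Check file labels against default file_contexts, the way restorecon does.

Added example (not libselinux code): a simplified model of the lookup
restorecon performs against /etc/selinux/targeted/contexts/files/. The
file_contexts excerpt and the label inventory below are constructed.
"""
import re

# Constructed excerpt in file_contexts layout: <regex> [<file type>] <context>.
# <<none>> means "do not relabel anything matching this entry".
FILE_CONTEXTS = """\
/.*                           system_u:object_r:default_t:s0
/usr/bin/.*          --       system_u:object_r:bin_t:s0
/usr/bin/postgres    --       system_u:object_r:postgresql_exec_t:s0
/var/log(/.*)?                system_u:object_r:var_log_t:s0
/tmp/.*                       <<none>>
"""

# file_contexts file-type flags mapped to the kinds used in INVENTORY below
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "socket",
              "-p": "pipe", "-c": "char", "-b": "block"}

# Constructed inventory, as if read from `ls -Z`: (path, kind, current context)
INVENTORY = [
    ("/usr/bin/postgres",   "file", "system_u:object_r:postgresql_exec_t:s0"),
    ("/usr/bin/pg_restore", "file", "system_u:object_r:bin_t:s0"),
    ("/usr/bin/pg_dump",    "file", "user_u:object_r:bin_t:s0"),        # user differs, type correct
    ("/var/log/messages",   "file", "system_u:object_r:default_t:s0"),  # type has drifted
    ("/tmp/scratch",        "file", "user_u:object_r:tmp_t:s0"),        # <<none>>: left alone
]


def parse_file_contexts(text):
    """Return [(compiled regex, kind or None, context or None)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, context = fields
            kind = FILE_TYPES[ftype]
        elif len(fields) == 2:
            regex, context = fields
            kind = None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # Entries are anchored regexes; fullmatch() gives the effect of ^...$.
        specs.append((re.compile(regex), kind, None if context == "<<none>>" else context))
    return specs


def default_context(specs, path, kind):
    """Default label for path. libselinux searches the entries from the end,
    so the last matching entry wins; file_contexts is ordered general to specific."""
    for regex, spec_kind, context in reversed(specs):
        if spec_kind is not None and spec_kind != kind:
            continue
        if regex.fullmatch(path):
            return context
    return None


def context_type(ctx):
    """The type field of user:role:type[:range]."""
    return ctx.split(":")[2]


def find_mislabelled(specs, inventory, full=False):
    """Entries restorecon would relabel. Without full (restorecon -F) only the
    type is compared, because restorecon preserves user and role by default."""
    findings = []
    for path, kind, current in inventory:
        expected = default_context(specs, path, kind)
        if expected is None:          # no entry, or <<none>>: nothing to do
            continue
        if full:
            differs = expected != current
        else:
            differs = context_type(expected) != context_type(current)
        if differs:
            findings.append((path, current, expected))
    return findings


SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for path, current, expected in find_mislabelled(SPECS, INVENTORY):
        print("%s: %s -> %s" % (path, current, expected))
```

Run as-is, the script reports only /var/log/messages; with full=True it also reports /usr/bin/pg_dump, whose type is right but whose user field is not, mirroring the difference between restorecon and restorecon -F. Python's regex dialect is close enough to the POSIX extended syntax of file_contexts for the entries shown, but the real matcher also keys entries by literal path stem for speed, which this model omits.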
49.7.2.2. Source Tree Files
selinux-policy-devel package includes all of the interface files used to build policy. It is recommended that people who build policy use these files to build the policy modules.
makefiles installed in
libselinux provides a number of functions that return the paths to the different configuration files and directories. This negates the need for applications to hard-code the paths, especially since the active policy location is dependent on the SELINUXTYPE setting in
man 3 selinux_binary_policy_path
libselinux and related functions is outside the scope of this document.
49.7.3. The Role of Policy in the Boot Process
init performs some essential operations early in the boot process to maintain synchronization between labeling and policy enforcement.
- After the kernel has been loaded during the boot process, the initial process is assigned the predefined initial SELinux ID (initial SID) kernel. Initial SIDs are used for bootstrapping before the policy is loaded.
/proc/, and then searches for the selinuxfs file system type. If it is present, that means SELinux is enabled in the kernel.
init does not find SELinux in the kernel, or if it is disabled via the selinux=0 boot parameter, or if SELINUX=disabled, the boot process proceeds with a non-SELinux system. At the same time, init sets the enforcing status if it is different from the setting in /etc/selinux/config. This happens when a parameter is passed during the boot process, such as enforcing=1. The kernel does not enforce any policy until the initial policy is loaded.
- If SELinux is present,
/selinux/policyvers for the supported policy version. The version number in /selinux/policyvers is the latest policy version your kernel supports.
/etc/selinux/config to determine which policy is active, such as the targeted policy, and loads the associated file at $SELINUX_POLICY/policy.<version>. If the binary policy is not the version supported by the kernel, init attempts to load the policy file if it is a previous version. This provides backward compatibility with older policy versions. If the local settings in /etc/selinux/targeted/booleans are different from those compiled in the policy, init modifies the policy in memory based on the local settings prior to loading the policy into the kernel.
- By this stage of the process, the policy is fully loaded into the kernel. The initial SIDs are then mapped to security contexts in the policy. In the case of the targeted policy, the new domain is user_u:system_r:unconfined_t. The kernel can now begin to retrieve security contexts dynamically from the in-kernel security server.
init then re-executes itself so that it can transition to a different domain, if the policy defines it. For the targeted policy, there is no transition defined and init remains in the
- At this point, init continues with its normal boot process.
init re-executes itself is to accommodate stricter SELinux policy controls. The objective of re-execution is to transition to a new domain with its own granular rules. The only way that a process can enter a domain is during execution, which means that such processes are the only entry points into the domains.
init, such as init_t, a method is required to change from the initial SID, such as kernel, to the correct runtime domain for init. Because this transition may need to occur, init is coded to re-execute itself after loading the policy.
init transition occurs if the domain_auto_trans(kernel_t, init_exec_t, <target_domain_t>) rule is present in the policy. This rule states that an automatic transition occurs on anything executing in the kernel_t domain that executes a file of type init_exec_t. When this execution occurs, the new process is assigned the domain <target_domain_t>, using an actual target domain such as
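Section 49.7.1.2 notes that m4 macros such as this one are preprocessed into many low-level rules before policy.conf is compiled; the rules below are an added illustration of that expansion, not text from the guide or from the policy sources. They show the core of what domain_auto_trans(kernel_t, init_exec_t, <target_domain_t>) stands for, with init_t used here as a stand-in for <target_domain_t> (the targeted policy defines no such transition, so this is the shape a stricter policy would carry). The auxiliary dontaudit and file-descriptor rules the real macro also emits are omitted, and the exact permission sets vary between policy versions.

```text
# Added illustration of the rules behind
#   domain_auto_trans(kernel_t, init_exec_t, init_t)
# init_t stands in for <target_domain_t>; the targeted policy has no such rule.
# Auxiliary dontaudit/fd rules of the real macro are left out.

# The parent domain may execute the entry-point file ...
allow kernel_t init_exec_t:file { getattr read execute };
# ... and is allowed to change domain when it does.
allow kernel_t init_t:process transition;
# The new domain can only be entered through a file of this type,
# which is what makes init_exec_t the sole entry point into init_t.
allow init_t init_exec_t:file entrypoint;
# The child may signal the parent on exit.
allow init_t kernel_t:process sigchld;
# Make the transition automatic on exec, so neither newrole nor an
# explicit request from the program is needed.
type_transition kernel_t init_exec_t:process init_t;
```

The first three allow rules are what the kernel checks before permitting any domain transition; without the type_transition rule the same change of domain would only happen if the process asked for it explicitly.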
49.7.4. Object Classes and Permissions
- File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions. The filesystem class can mount, unmount, get attributes, set quotas, relabel, and so forth. The file class has common file permissions such as read, write, get and set attributes, lock, relabel, link, rename, append, etc.
- Network related classes include tcp_socket for TCP sockets, netif for network interfaces, and node for network nodes. The netif class, for example, can send and receive on TCP, UDP and raw sockets (