Object Classes and Permissions


Academic year: 2021


(1)

Security Policy Development Primer for Security Enhanced Linux

(Module 5)

(2)

SE Linux Policy Structure

Top-level sections of policy.conf:

- Flask definitions
  - object classes, permissions, initial SIDs
- TE and RBAC declarations and statements
  - define the type enforcement and role-based access control policies
- user declarations
  - identify users to the policy and associate users with roles
- constraints
  - additional restrictions based on types, roles, and users
- security context specifications
  - special security context specifications

(3)

Object Classes

- Basis for access control in SE Linux
  - specified in terms of a subject's access to objects
- subjects
  - processes
- objects
  - 29 distinct object classes
- access
  - numerous permissions
  - each class with its own permission specification

(4)

Object Class Definitions

- Object classes are defined in:
  - /usr/local/selinux/flask/security_classes
  - same definitions built into the kernel
- Object class definition statement:

    class file

  - simply defines an object class identifier: the keyword "class" followed by the class identifier
- Policy writers should never change security_classes
  - changed only when object classes change in the kernel

(5)

Summary of Object Classes

File-related object classes:

- file: regular file
- dir: directory
- fd: file descriptor
  - open object descriptors associated with processes
- lnk_file: symbolic link
- chr_file: character device (e.g., serial ports, terminals)
- blk_file: block device (e.g., disk drives)
- sock_file: Unix-domain socket
  - local socket listed in the file name space
- fifo_file: FIFO, aka named pipe
- filesystem
  - abstract object representing controls on whole file systems

(6)

Summary of Object Classes

Network-related object classes:

- node: host(s) by IP address
- netif: network interfaces
- tcp_socket: IP stream socket
- udp_socket: IP datagram socket
- rawip_socket: IP raw socket
- netlink_socket: Netlink sockets
- packet_socket: low-level packet socket
- unix_stream_socket: local stream socket
- unix_dgram_socket: local datagram socket
- key_socket: IPsec security association database socket
- socket: all other socket types

(7)

Summary of Object Classes

System V IPC-related object classes:

- sem: semaphore set
- msgq: message queue
- msg: messages within a message queue
- shm: shared memory
- ipc: no longer used

(8)

Summary of Object Classes

- Process class
  - both an object and a subject
- Security class
  - abstract object to control calls to the in-kernel security server
  - load new policy, get list of contexts and SIDs
  - only one
- System class
  - abstract object to control certain system behavior
  - e.g., toggle enforcing mode
  - only one
- Capability class
  - provides a means to control Linux capabilities
  - must have the associated permission as well as the capability

(9)

Object Class Permissions

- Each object class has a defined set of permissions
  - called an "access vector"
- The permission definitions in the policy are in:
  - /usr/local/selinux/flask/access_vectors
- Permission identifiers are defined in two ways:
  - common statement (used for multiple classes as a group)
  - class statement #2 (class-specific permissions)
- Policy writers should never change access_vectors
  - as with object classes, hard-coded into the kernel
  - changed only when access vectors change in the kernel

(10)

Object Class Permissions

Common permissions:

- define a group of permission identifiers
- associated with object classes as a group
- ensure all like permissions are assigned the same bit in the kernel
- assigned to object classes via the "class" statement (#2)

    common file { ioctl read write create getattr setattr lock … }

  (the keyword "common", then the identifier of the permission set, then the list of permission identifiers)

(11)

Object Class Permissions

- Object class permission definition (class statement #2)
  - assigns permissions to each object class
  - can assign common and/or class-specific permissions

    class file inherits file { execute_no_trans entrypoint }

  ("file" after "class" is the class ID from the previous class definition; the optional "inherits file" clause pulls in the common permissions from the previous common statement; the braces hold the class-specific permissions)

- Net effect: the file class has the following permissions defined:
  ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint
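To make the "net effect" concrete, here is an added example (not part of the primer) that parses common and class statements the way the two slides above describe and computes each class's effective access vector, with the bit each permission occupies. The policy fragment is constructed for the example: the common file set is the list from the slide above, the dir class-specific permissions are taken from the create_dir_perms macro later in the module, and the process permissions from the process slide; the real access_vectors file defines more permissions than this.

```python
"""Parse SELinux ``common`` / ``class`` permission statements and compute
each class's effective access vector (added example, not from the primer).

Common permissions come first, class-specific ones after, which is why a
common permission such as ``read`` lands on the same bit in every class
that inherits the same common set."""
import re

# Constructed fragment in the style of flask/security_classes + access_vectors.
POLICY_FRAGMENT = """
# security_classes: class identifiers only
class file
class dir
class process

# access_vectors: common permission sets and per-class access vectors
common file { ioctl read write create getattr setattr lock relabelfrom
              relabelto append unlink link rename execute swapon quotaon
              mounton }
class file inherits file { execute_no_trans entrypoint }
class dir inherits file { add_name remove_name reparent search rmdir }
class process { transition fork sigchld sigkill sigstop signull signal ptrace }
"""

_COMMON_RE = re.compile(r"common\s+(\w+)\s*\{([^}]*)\}")
_CLASS_RE = re.compile(
    r"^class\s+(\w+)(?:\s+inherits\s+(\w+))?(?:\s*\{([^}]*)\})?", re.M
)


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_access_vectors(text):
    """Return {class_name: [perm, ...]} with common permissions first and
    class-specific permissions after, in declaration order.

    Raises ValueError if an inherits clause names an undefined common set
    or a permission is declared twice for the same class."""
    text = _strip_comments(text)
    commons = {name: body.split() for name, body in _COMMON_RE.findall(text)}
    classes = {}
    for name, inherits, body in _CLASS_RE.findall(text):
        # A bare "class file" only declares the identifier (empty vector so far).
        perms = list(classes.get(name, []))
        if inherits:
            if inherits not in commons:
                raise ValueError(f"class {name}: unknown common set {inherits!r}")
            perms.extend(commons[inherits])
        perms.extend(body.split())
        dupes = {p for p in perms if perms.count(p) > 1}
        if dupes:
            raise ValueError(f"class {name}: duplicate permission(s) {sorted(dupes)}")
        classes[name] = perms
    return classes


def access_vector_bits(perms):
    """Map each permission to its bit in the access vector bitmap (index i -> 1 << i)."""
    return {perm: 1 << i for i, perm in enumerate(perms)}


def permission_bits_agree(classes, common_perm):
    """True if common_perm occupies the same bit in every class that has it."""
    bits = {access_vector_bits(p)[common_perm]
            for p in classes.values() if common_perm in p}
    return len(bits) == 1


if __name__ == "__main__":
    for cls, perms in parse_access_vectors(POLICY_FRAGMENT).items():
        print(f"{cls}: {len(perms)} permissions")
        for perm, bit in access_vector_bits(perms).items():
            print(f"  {perm:<18} 0x{bit:08x}")
```

Running it shows the file class ending up with the 19 permissions listed above (17 inherited from common file plus the two class-specific ones), and that "read" is bit 1 in both file and dir, which is the point the "same bit in the kernel" bullet makes.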

(12)

Object Class Permissions

Exploring Object Classes and Permissions

(13)

File Object Class Permissions

- read: read file contents
- write: write or append file contents
- append: append file contents
  - i.e., opened with the O_APPEND flag
- create: create a new file
- getattr: read file attributes such as access mode
  - stat, some ioctls, …
- setattr: change file attributes such as access mode
  - chmod, some ioctls, …
- ioctl: ioctl system call requests not addressed by other permissions
- unlink: remove hard link (delete)
- link: create hard link to file

(14)

File Object Class Permissions

- lock: set and unset file locks
- rename: rename a hard link
- relabelfrom: change the security context, checked against the existing type
- relabelto: change the security context, checked against the new type
- mounton: only meaningful for directories in Linux
- swapon: allows the file to be used as paging/swap space
- quotaon: enable quotas
- execute: same meaning as ordinary Linux execute
- execute_no_trans: permission to execute the file without a domain transition
- entrypoint: permission to enter a new domain via this program

(15)

Process Object Class Permissions

- transition: permission to change security context
  - checked against the old domain type and the new domain type
- fork: fork or clone a process
- sigchld: permission to send SIGCHLD
- sigkill: permission to send SIGKILL
- sigstop: permission to send SIGSTOP
- signull: no signal sent, à la kill(pid, 0)
- signal: all other signals
- ptrace: ability to trace a process (e.g., debugging)
- getsched, setsched: get and set process priority
- getsession: get session information (getsid)
- getpgid, setpgid: get and set process group ID
- getcap, setcap: get and set capabilities (capget, capset)
- share: allows state sharing (via the clone call)

(16)

More on Object Class Permissions

- Understanding all of them requires a detailed understanding of the implementation
- Additional references on classes and permissions:
  - www.nsa.gov/selinux/doc/slinux.pdf
    - most comprehensive, but a little out of date
  - www.nsa.gov/selinux/doc/module.pdf
    - describes some changes from the above report
- The example policy includes macros
  - provide a more abstract permission model
  - written in the m4 macro processor language
  - definitions in ./policy/macros/global_macros.te

(17)

Permission Macro Examples

All from policy/macros/global_macros.te:

- rx_file_perms (file read/execute permissions)
  - read getattr lock execute ioctl
- r_dir_perms (read and traverse directory)
  - read getattr lock search ioctl
- create_dir_perms (create and use new directory)
  - create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir

Permission macros can be used in place of (or alongside) an explicit permission list.

(18)

Interrelationship of Permissions

- Many actions require several permissions for several object classes
- Domain transition, for example:
  - process transition permission

        allow src_type new_type : process transition;

  - program execution permission

        allow src_type program_type : file { getattr execute };

  - new domain execute (entrypoint) access

        allow new_type program_type : file entrypoint;

  - other issues
    - file descriptor inheritance, signals, other IPC
- Macros can help here too
  - see the domain_trans() macro for example
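The two preceding slides (permission macros, and the three rules a domain transition needs) can be exercised together. The following is an added example, not the primer's code and not the real domain_trans() macro: a Python dictionary stands in for the m4 definitions of rx_file_perms and r_dir_perms (contents as listed on the macro slide), a small allow-rule parser expands macros into explicit permission lists, and a checker reports which of the three transition rules from the slide above are still missing from a policy fragment. The type names src_type, new_type and program_type are the slide's placeholders; the policy fragments are constructed for the example.

```python
"""Expand permission macros and check the rules a domain transition needs
(added example; the macro contents come from the primer's slide, the rest
is this example's own logic, not the reference policy's domain_trans())."""
import re

# Stand-in for the m4 define()s in global_macros.te (values from the slide).
MACROS = {
    "rx_file_perms": "read getattr lock execute ioctl",
    "r_dir_perms": "read getattr lock search ioctl",
}

# allow <source> <target> : <class> { perms } ;   or   ... <class> perm ;
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;"
)


def expand_macros(text, macros=MACROS):
    """Replace each macro name with its explicit, brace-wrapped permission list."""
    for name, perms in macros.items():
        text = re.sub(r"\b%s\b" % re.escape(name), "{ %s }" % perms, text)
    return text


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(expand_macros(text)):
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def allowed(rules, src, tgt, cls, perm):
    """True if some allow rule grants perm on tgt:cls to src."""
    return any(s == src and t == tgt and c == cls and perm in p
               for s, t, c, p in rules)


def missing_for_domain_transition(rules, src_type, new_type, program_type):
    """List the permissions (as 'src tgt:class perm') still needed for
    src_type to transition to new_type by executing program_type: the
    process transition, getattr+execute on the program, and entrypoint."""
    required = [
        (src_type, new_type, "process", "transition"),
        (src_type, program_type, "file", "getattr"),
        (src_type, program_type, "file", "execute"),
        (new_type, program_type, "file", "entrypoint"),
    ]
    return [f"{s} {t}:{c} {p}" for s, t, c, p in required
            if not allowed(rules, s, t, c, p)]


# Constructed fragment: complete, using the rx_file_perms macro for execution.
COMPLETE = """
allow src_type new_type : process transition;
allow src_type program_type : file rx_file_perms;
allow new_type program_type : file entrypoint;
"""

# Constructed fragment with the entrypoint rule left out.
INCOMPLETE = """
allow src_type new_type : process transition;
allow src_type program_type : file { getattr execute };
"""

if __name__ == "__main__":
    for label, text in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        gaps = missing_for_domain_transition(
            parse_allow_rules(text), "src_type", "new_type", "program_type")
        print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The incomplete fragment is the common mistake the slide is warning about: the transition and execute rules are present, but without entrypoint on the program file the kernel still denies the transition. The checker deliberately covers only the three rules from the slide; file descriptor inheritance, signals and other IPC between the two domains are the "other issues" and are not checked here.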

(19)

QUESTIONS?
