SELinux by Example(c) Using Security Enhanced Linux
Authors: Mayer F. MacMillan K. Caplan D.
Published year: 2007
Pages: 35-37/154

4.5. Exploring Object Classes with Apol

Apol offers a variety of features for browsing and querying object classes and permissions. Under the Policy Components tab is the Classes/Perms tab, which allows browsing and searching all object classes, common permissions, and unique (class-specific) permissions. Figure 4-1 shows apol with this tab displayed. On the left are all the object classes, common permissions, and permissions. On the right is an interface that enables you to search for object classes or permissions.

Figure 4-1. Apol displaying object classes, common permissions, and permissions


Double-clicking a policy component in the lists on the left displays detailed information about the component. For example, double-clicking an object class displays its access vector; double-clicking a permission displays all the object classes with which it is associated.

The search interface enables you to search for object classes or permissions using regular expressions. For example, in Figure 4-1, we performed a search for all object classes that contain "file" as part of their name. We also set the options to include the class-specific permissions and to expand common permissions in the result. As you can see in the Search Results window, apol is showing the object class file, including its class-specific permissions and the expanded common permissions. This is a convenient method to obtain the full list of permissions associated with an object class, that is, its complete access vector.

Most other apol features that interact with object classes, including rule searching and the automated analyses, allow filtering of results by object class and permission. For example, Figure 4-2 shows a search for rules referring to the object class file.

Figure 4-2. Apol displaying a search for rules with the object class file




4.6. Summary

  • Object classes and permissions are the basis for access control in SELinux, both as part of the policy language and for the access enforcement mechanism in the kernel.

  • Object classes represent system resources such as files, processes, directories, and sockets. There is a corresponding object class for every kind of system resource.

  • Permissions represent access to system resources. Each object class has a defined set of permissions called an access vector.

    ◦ Object classes are declared using the class declaration statement ( class ).

    ◦ Permissions are associated with object classes using the access vector statement (also class ).

  • Two types of permissions are defined in SELinux: common permissions and class-specific permissions.

  • Common permissions are a set of permissions shared by more than one object class. They are associated with the object classes as a group using the access vector statement.

  • SELinux provides object classes and permissions to accurately and comprehensively cover all system resources. In FC4, this results in more than 40 object classes, reflecting the richness and complexity of Linux.

  • Understanding all the object classes and permissions requires a detailed understanding of both SELinux and Linux.

  • Allowing access to accomplish many tasks in Linux requires multiple permissions on one or more object classes.

  • Appendix C has a complete reference of all object classes and permissions.



Exercises

1. Create a common permission set named socket with the permissions read , write , bind , connect , and listen .

2. Associate the common permissions socket and the class-specific permissions connectto and acceptfrom with the object class declared in Question 2.

3. Write an allow rule that allows the domain httpd_t to append to a file of type httpd_log_t , but not write.

4. Write the necessary allow rules to allow the domain httpd_t to execute files of type bin_t . Include the ability to request an explicit domain transition but not the ability to execute without transition (that is, grant execute but not execute_no_trans ). Assume that the appropriate rules giving transition and entrypoint are already present in the policy.
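The following added example is not from the book; it is a small Python model of the statements this chapter covers (common permission sets, class declarations, access vector statements with inherits , and allow rules). It does in code what the apol search in Section 4.5 does in the GUI: it expands common permissions into each class's full access vector, and it checks a requested access against the allow rules the way the kernel's access vector cache does (every requested permission must be granted, or the whole access is denied). The policy fragment inside it is constructed for the example and only borrows the class and type names used in the exercises above; the file access vector is an abbreviated subset of the real one, and the tcp_socket permissions follow the exercise rather than a shipped policy.

```python
"""Toy parser and access checker for the SELinux policy statements in this chapter.

This is illustration code written for this page, not apol, checkpolicy or any
SELinux library. Grammar covered (one statement per line):
    common NAME { perm ... }                  common permission set
    class NAME                                class declaration
    class NAME [inherits COMMON] [{ perm ... }]  access vector statement
    allow SRC TGT : CLASS { perm ... } ;      allow rule (or a single bare perm)
"""
import re

# Constructed policy fragment (not from the book). The file access vector is an
# abbreviated subset of the real one; tcp_socket follows the chapter exercises.
POLICY = """
common file { read write append getattr execute }
common socket { read write bind connect listen }

class file
class tcp_socket

class file inherits file { execute_no_trans entrypoint }
class tcp_socket inherits socket { connectto acceptfrom }

# Exercise 3: append but not write
allow httpd_t httpd_log_t : file { append };
# Exercise 4: execute (transition possible) but no execute_no_trans
allow httpd_t bin_t : file { read getattr execute };
"""

COMMON_RE = re.compile(r"^common\s+(\w+)\s*\{([^}]*)\}$")
CLASS_DECL_RE = re.compile(r"^class\s+(\w+)$")
CLASS_AV_RE = re.compile(r"^class\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?$")
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$")


class Policy:
    def __init__(self):
        self.commons = {}   # common name -> set of permissions
        self.classes = {}   # class name  -> expanded access vector (set)
        self.allows = {}    # (src, tgt, class) -> set of granted permissions

    def parse(self, text):
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()   # strip comments and blanks
            if not line:
                continue
            if m := COMMON_RE.match(line):
                self.commons[m.group(1)] = set(m.group(2).split())
            elif m := CLASS_DECL_RE.match(line):
                self.classes.setdefault(m.group(1), set())
            elif m := CLASS_AV_RE.match(line):
                name, common, perms = m.groups()
                if name not in self.classes:
                    raise ValueError(f"line {lineno}: class {name} not declared")
                av = set((perms or "").split())
                if common:
                    if common not in self.commons:
                        raise ValueError(f"line {lineno}: unknown common {common}")
                    av |= self.commons[common]   # common perms expand into the vector
                self.classes[name] |= av
            elif m := ALLOW_RE.match(line):
                src, tgt, cls, braced, single = m.groups()
                perms = set((braced if braced is not None else single).split())
                if cls not in self.classes:
                    raise ValueError(f"line {lineno}: unknown class {cls}")
                unknown = perms - self.classes[cls]
                if unknown:   # a perm outside the access vector is a policy error
                    raise ValueError(f"line {lineno}: {sorted(unknown)} not in {cls}")
                self.allows.setdefault((src, tgt, cls), set()).update(perms)
            else:
                raise ValueError(f"line {lineno}: unrecognised statement: {line}")
        return self

    def access_vector(self, cls):
        """Full permission list for a class, common permissions expanded."""
        return sorted(self.classes[cls])

    def denied(self, src, tgt, cls, perms):
        """Requested permissions that no allow rule grants (empty means allowed)."""
        unknown = set(perms) - self.classes[cls]
        if unknown:
            raise ValueError(f"{sorted(unknown)} not valid for class {cls}")
        return sorted(set(perms) - self.allows.get((src, tgt, cls), set()))

    def check(self, src, tgt, cls, perms):
        """True only if every requested permission is granted, as the kernel AVC requires."""
        return not self.denied(src, tgt, cls, perms)


def policy_error(text):
    """Return the parse error for a policy fragment, or None if it is accepted."""
    try:
        Policy().parse(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    pol = Policy().parse(POLICY)
    print("tcp_socket access vector:", pol.access_vector("tcp_socket"))
    for req in (["append"], ["append", "write"]):
        print("httpd_t -> httpd_log_t:file", req, "denied:",
              pol.denied("httpd_t", "httpd_log_t", "file", req))
    print("execute_no_trans on bin_t allowed?",
          pol.check("httpd_t", "bin_t", "file", ["execute_no_trans"]))
```

Two points worth noticing when you run it. First, a write to the log file is denied even though append is allowed, which is the distinction Exercise 3 asks for; a process that opens the file with O_WRONLY without O_APPEND needs write, not append. Second, an allow rule naming a permission outside the class's access vector is rejected at parse time, the same check checkpolicy makes, so a typo such as connecto in a real policy fails to compile rather than silently granting nothing.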

