Section 8.3. MLS Constraints
8.3. MLS ConstraintsSELinux supports two MLS constraint statements, mlsconstrain and mlsvalidatetrans, which together enable us to specify the optional MLS access enforcement rules. These two statements are identical to their non-MLS counterparts except that they allow you to also express constraints based on the security levels of a security context. You may only use the MLS constraints in policies that have the optional MLS features enabled. You may use the non-MLS constraint statements from Chapter 7, "Constraints," in either type of policy. 8.3.1. mlsconstrain StatementThe mlsconstrain statement is based on the constrain statement. We can use any of the syntax discussed for the constrain statement in Chapter 7. The mlsconstrain statement adds new keywords for stating constraints based on the low and high security levels of the source (l1 and h1) and target (l2 and H2). The sidebar on page 171 contains the full syntax for the mlsconstrain statement.
To illustrate the mlsconstrain statement, let's look at applying MLS to ordinary filesystem objects. As a simple constraint suppose that we want to ensure that file objects may have only a single level. (That is, the high and low levels must be the same.) We can accomplish this restriction with a constraint such as this: mlsconstrain file { create relabelto } ( l2 eq h2 );Assuming that create and relabelto are the file permissions required to set the security level of a file object, this constraint is sufficient to require that all files have high and low security levels that are the same. Let's now look at more central MLS policy restrictions. Recall the basic premise of MLS from Chapter 2, namely to prevent information from flowing "downward" from higher security levels to lower or incomparable security levels. We do this by enforcing the "no read up, no write down" rules on all objects. In SELinux, the low security level generally represents the current security level of processes and objects. Thus, we have the following MLS constraint for files: mlsconstrain file write ( l1 domby l2 ); In this statement we constrain write permissions for the file object class requiring the source security level (l1) to be dominated by ("lower than") the object security level (l2). In other words, a process can write files only at or "above" its current security level ("no write down"). This constraint is unfortunately too simple to ensure that MLS policy is enforced for file objects. First, let's consider file object class permissions. Many permissions other than write allow a process to "write" information to a file. For example, the append permission also allows information to flow from the process to the file. Likewise, less obvious permissions, such as rename, also allow some form of information to flow to the file (in this case, the name of the file). To be comprehensive, we need to expand our constraint to cover all "write-capable" file permissions: mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ( l1 domby l2 );We now include a list of several permissions besides the standard write permission, all of which allow some form of information to flow from the source to the object. The constraint expression remains the same. This constraint is still too simple. We need to address the situation where we have a trusted domain type that we need to give special permission to violate the "no write down" rule. Although you should avoid such trusted domains, nearly all applications of MLS systems have had a need for them. To accommodate this concept, we need to expand the constraint to allow for these trusted domains. To implement trusted downgrading domains, we can create a type attribute, say mlsfilewritedown, which identifies any such trusted domain. So now our constraint is this: mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ( ( l1 domby l2 ) or ( t1 == mlsfilewritedown ) );Now the constraint allows an exception for any source domain (t1) that has the mlsfilewritedown attribute (that is, trusted domains). For a complete MLS policy, we also need to also restrict read access (that is, "no read up"). As with write access, a number of permissions allow "read" access besides the read permission. For example execute permissions essentially allows a process to "read" the contents of an executable file. Here is a possible MLS read constraint for file objects: mlsconstrain file { read getattr execute } ( ( l1 dom l2 ) or ( t1 == mlsfilewritedown ) );As with the write restriction we have an attribute, mlsfilereadup, that allows for "read up" privilege for those few privileged domain types that have the attribute. In writing a complete MLS policy, you need to examine all object classes and their associated permissions to ensure read and write restrictions are properly constrained. For example, in the preceding "read" constraint, we might want to address all filesystem objects in a single statement, as follows: mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } ( ( l1 dom l2 ) or ( t1 == mlsfilereadup ) );You will typically find the MLS constraints for a given SELinux policy stated in a single source policy file, typically called mls. We do not extensively cover MLS features of SELinux outside of this chapter; if you are interested in additional information, find this file and examine it.
8.3.2. mlsvalidatetrans StatementWe have one more MLS constraint we need to examine, the MLS variant of the validatetrans constraint discussed in Chapter 7, namely mlsvalidatetrans. This statement is similar to the validatetrans statement except that it introduces the six keywords l1 and h1, l2 and h2, and l3 and h3, meaning old low and high security levels, new low and high security levels, and the source process low and high security levels, respectively. The other difference between the two statements is that the mlsvalidatetrans statement is more commonly used to support an MLS policy than the validatetrans statement is in a typical TE policy. The full syntax of the mlsvalidatetrans statement is in the sidebar on page 176.
As an example, for MLS we generally do not want file security levels to change; over the years of experimentation with operational MLS systems, however, we have learned that some MLS applications have evolved the need for a trustworthy application to change the security levels of existing objects such as files. So, to enforce this restriction while allowing for those trusted applications, we can use the mlsvalidatetrans constraint: mlsvalidatetrans file ( ( l1 eq l2 ) or (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or (( t3 == mlsfiledowngrade ) and ( l1 dom l2 or l1 incomp l2 )) ); This constraint has a number of features. First, it has the basic requirement that when a file object security context changes, its current (low) security level must be the same (l1 eq l2). However, it provides for upgrading (mlsfileupgrade attribute) and downgrading (mlsfiledowngrade attribute) privileges. Upgrading (that is, the old level l1 is dominated by the new level l2) is allowed if the process domain type has the mlsfileupgrade attribute. Likewise, downgrading (that is, the old level dominates or is incomparable to the new level) is allowed if the process domain type has the mlsfiledowngrade attribute.
Note Remember that, as of this writing, validatetrans and mlsvalidatetrans constraint statements support only filesystem objects, specifically, dir, file, lnk_file, chr_file, blk_file, sock_file, and fifo_file object classes. |
EAN: 2147483647
Pages: 154