10.2. File-Related Object LabelingIn SELinux, labeling most often refers to the labeling of file-related objects because this is the only form of label management that a normal user or administrator is likely to encounter. Much of the challenge with file labeling comes from the sheer number of files present on a normal system combined with the customization of how those files will be stored in the directory structure. The variety of filesystems available for Linux also contributes to the complexity. Common filesystems include traditional, native filesystems intended to store data on hard disks and removable media (for example, ext3 and XFS); non-native filesystems present for compatibility with other systems (for example, iso9660 and vfat); and in-memory, pseudo filesystems used for communication between the kernel and userspace (for example, proc and sysfs). How file-related objects are labeled varies according to the intended purpose of the filesystem and the specific semantics of how the objects are created, stored, and used. For example, files stored persistently to hard disk using the ext3 filesystem are labeled when created and the security context stored with the file. In contrast, files in the proc filesystem exist only at runtime and must have their labels generated at runtime instead of stored persistently.
SELinux supports four kinds of labeling for file-related objects to address the various types of filesystems: extended attribute, task-based, transition-based, and generalized security contexts. The primary difference between these mechanisms is how SELinux determines the initial label of inodes for the filesystem. Security-extended attribute labeling also stores security contexts persistently to disk. Table 10-1 lists the filesystem labeling mechanisms and the filesystems that use each labeling mechanism on a Fedora Core 4 (FC4) system.
The kind of labeling is specified per filesystem in the policy using either the filesystem use statements or the generalized filesystem labeling support statement, normally called the genfscon statement. The SELinux policy language supports three filesystem use statements: fs_use_xattr, fs_use_task, and fs_use_trans, which specify extended attribute, task-based, and transition-based labeling behaviors, respectively. The syntax for the all three filesystem use statements is identical (see the sidebar on page 211). As an example, consider the following fs_use_xattr statement: fs_use_xattr ext3 system_u:object_r:fs_t; This statement indicates that the ext3 filesystem (that is, all instances of ext3 on the system) will be labeled using security-extended attributes, and the filesystem object instance associated with all ext3 filesystems will be labeled with the security context system_u:object_r:fs_t. The filesystem name, ext3 in this example, is the same as that understood by the kernel and the mount(8) command. These names are listed in the file /proc/filesystems. The generalized filesystem labeling support statement (genfscon) specifies both that the filesystem will use generalized filesystem security context labeling and how the individual file-related objects in that filesystem are labeled. The genfscon syntax is more complicated; we describe it later in this section.
10.2.1. Extended Attribute Filesystems (fs_use_xattr)Most native, disk-based Linux filesystems use extended attribute labeling. This labeling mechanism extends the standard extended attribute mechanisms to support setting, retrieving, and storing the security contexts associated with all file-related objects. (See the sidebar on page 212 for more details.) Filesystems that use this labeling mechanism support program-requested labeling and, when stored to persistent media, preserve the security contexts across reboots.
10.2.1.1. Labeling Behavior for Extended Attribute FilesystemsLabeling decisions for extended attribute filesystems use a combination of policy rules and security context inheritance. By default, all new file-related objects inherit the type of the containing directory and the user of the creating process. The role is always set to the special object role object_r. If a type_transition rule matches the type of the creating process and the type of the directory that will contain the new object, the default type specified in that rule will be used for the type of the new file-related object. The rest of the security context is set in the same way as if there were no type_transition rule. Program-requested labeling allows processes to request a specific security context for a new file using the setfscreatecon(3) library call. In this situation, the object will be created with the requested security context unless the process lacks the required access. Normally, only applications that extend SELinux or are an SELinux utility (that is, so-called SELinux-aware applications) use this feature; files created by standard applications receive the correct security context through the automatic labeling decision described previously. In addition to setting security contexts on creation, file-related objects can be relabeled for extended attribute labeled filesystems. This is done with the setfilecon(3), lsetfilecon(3), and fsetfilecon(3) library calls. Explicitly changing the label of an object requires appropriate relabelfrom and relabelto permissions, which should be tightly controlled by the policy. (See the sidebar on page 213 for more information.)
10.2.1.2. Managing Security Contexts in Extended Attribute Filesystems (File Contexts)The labeling of file-related objects using extended attributes differs from the other filesystem and most other nonfile object classes. The security contexts using extended attributes are initialized, normally during installation with a package manager such as rpm, using runtime labeling requests. The runtime labeling requests are directed by one or more configuration files, called file context files, which list paths, or partial paths, and security contexts. The file context files are not included directly within the policy but are stored with it on the filesystem in a standard location (see Chapter 13, "Managing an SELinux System"). By using the appropriate file context files for a policy, the file-related object security contexts can be correctly initialized based on path name. Initialization puts the system in a known, secure state. After initialization, the automatic labeling decisions take over and ensure that any files created subsequently are correctly labeled and a secure state is always maintained. This label management strategy is used to separate the policy, which deals primarily with types and security contexts, from path names and filenames. This strategy has several advantages. First, the layout of filesystems can vary greatly because of differences between distributions or user customization. By removing this aspect of variability from the policy, a single policy can be more easily adapted to multiple systems. More important, in native Linux filesystems, file-related objects are not uniquely identified by a single path name. Hard links, chroot environments, and per-process filesystem namespaces all mean that a single file-related object could be identified by several path names. If the policy were enforced within the kernel using path names directly, there would be no way to determine which of these names was the correct one to use, possibly leading to a process having different access to the same object depending on how the access was attempted. For this reason, SELinux associates the security context directly with the object and uses only paths to initialize the security context. Only if initialization occurs when the system is in a protected, known-secure state (for example, during installation) is it safe from this ambiguity. The format of a line in the file context files is a regular expression representing one or more file-related object paths, an optional object class specification, and a security context. For example, consider the following portion of a file context file: 1 /bin(/.*)? system_u:object_r:bin_t 2 /bin/tcsh -- system_u:object_r:shell_exec_t 3 /bin/bash -- system_u:object_r:shell_exec_t 4 /bin/bash2 -- system_u:object_r:shell_exec_t 5 /bin/sash -- system_u:object_r:shell_exec_t 6 /bin/d?ash -- system_u:object_r:shell_exec_t 7 /bin/zsh.* -- system_u:object_r:shell_exec_t 8 /usr/sbin/sesh -- system_u:object_r:shell_exec_t 9 /bin/ls -- system_u:object_r:ls_exec_t 10 /boot(/.*)? system_u:object_r:boot_t 11 /boot/System\.map(-.*)? system_u:object_r:system_map_t 12 /dev(/.*)? system_u:object_r:device_t 13 /dev/pts(/.*)? <<none>> 14 /dev/cpu/.* -c system_u:object_r:cpu_device_t 15 /dev/microcode -c system_u:object_r:cpu_device_t 16 /dev/MAKEDEV -- system_u:object_r:sbin_t 17 /dev/null -c system_u:object_r:null_device_t 18 /dev/full -c system_u:object_r:null_device_t 19 /dev/zero -c system_u:object_r:zero_device_t This example specifies how the files in the /bin/, /boot/, and part of /dev/ directories should be labeled. For example, line 3 is a simple entry that matches the filename /bin/bash and specifies that it should be labeled with the security context system_u:object_r:shell_exec_t. The object class specification is in this case, which means a regular file. The object class specifications are the same as those understood by the command find(1). When processes query the file contexts, files using the matchpathcon(3) library call to match the name of a file-related object, the most specific entry is always used. For example, line 1 has a regular expression that will match all files in the /bin/ directory. If there is no object class specifier, as is the case in line 1, it will match all file-related objects. Lines 2 through 9, however, have regular expressions that are more specific and will match some files in the /bin/ directory. When the match for /bin/bash is requested, line 3 will match because it is an exact match. The file /bin/dd, however, has no more specific match than line 1. Line 13 uses the special <<none>> syntax to specify that file-related objects that match this entry should not be labeled. This is used for files that must be labeled at runtime. Entries with <<none>> are used to prevent other, more general regular expressions from matching and causing the file-related objects to be labeled. Many different utilities and applications use file contexts files, often during policy development and system administration. Chapter 13 describes these tools and their intended use. 10.2.2. Task-Based Filesystems (fs_use_task)With task-based labeling, new file-related objects inherit their security context from the creating process. Filesystems that use task-based labeling do not support program-requested labeling. This type of labeling behavior is useful for simple pseudo filesystems that are not truly intended to store user data but rather are designed to support certain kinds of kernel resources such as unnamed pipes. For example, consider the following fs_use_task statement: fs_use_task pipefs system_u:object_r:fs_t; This statement specifies that the pipefs filesystem uses task-based labeling and that the security context for the filesystem object for pipfs is system_u:object_r:fs_t. The pipefs filesystem is a good example of a filesystem that uses task-based labeling. This filesystem is a pseudo filesystem used to implement unnamed pipes. Unnamed pipes, created with the pipe(2) system call, are by their very nature not associated with a file in a user-space visible filesystem. Despite this, communications over pipes is done using standard read and write system calls on file descriptors. The Linux implementation, therefore, uses a special-purpose filesystem called pipefs that is not visible to userspace. The filesystem is mounted and used by the kernel internally and labeled using task labeling. 10.2.3. Transition-Based Filesystems (fs_use_trans)Transition-based filesystem labeling is similar to task-based labeling. Both are normally used for simple pseudo filesystems. However, instead of using the security context from the creating process, transition-based labeling sets the security context of file-related objects based on type transition (type_transition) rules. Type transition rules for transition-based labeling are subtly different from those for the more common extended attribute mechanism. On extended attribute labeled filesystems, labeling decisions use the security context of the creating process and the containing directory. For transition-based labeled filesystems, the type_transition rules use the security context of the creating process and the security context of the associated filesystem object instance for the filesystem. No provision exists for basing the security context of a new object on the context of the containing directory; the security context is always based on the type of the associated filesystem object. If there is not a relevant type_transition rule, the security context defaults to that of the filesystem object. Consider the following filesystem use statement: fs_use_trans devpts system_u:object_r:devpts_t; This statement specifies that the devpts filesystem uses transition-based labeling. The security context for the devpts filesystem object is specified as system_u:object_r:devpts_t. As mentioned previously, transition-based labeled filesystems use type_transition rules to derive the type for file-related objects. For example, consider the following type transition rule: type_transition sysadm_t devpts_t : chr_file sysadm_devpts_t; This rule states that when processes with the type sysadm_t create objects of chr_file class in filesystems labeled devpts_t, the resulting object should be labeled sysadm_devpts_t. The implied object class for the target of this type transition is filesystem rather than dir because this type transition will apply to the creation of objects in a transition-based filesystem regardless of the directory type. If there is no appropriate type_transition rule, any objects created on this filesystem will have the filesystem security context. 10.2.4. Generalized Security Context Labeling (genfscon)The generalized security context statement (genfscon) is used for runtime labeling of pseudo filesystems, such as proc or sysfs, and legacy filesystems that do not support extended attributes. Unlike the other filesystem labeling mechanisms discussed so far, which require modification of the kernel filesystem code, genfscon labeling, at least in a limited form, can be used with unmodified filesystems. The genfscon statement specifies both the labeling mechanism for the filesystem and the labeling for the file-related objects stored in the filesystem. There are two forms of genfscon statements: a full form that specifies fine-grained labeling for file-related objects and a limited form useful for legacy filesystems. 10.2.4.1. Fine-Grained Labeling with genfscon StatementConsider the following example of the full-feature genfscon statements for the proc filesystem: 1 genfscon proc / system_u:object_r:proc_t 2 genfscon proc /kmsg system_u:object_r:proc_kmsg_t 3 genfscon proc /kcore system_u:object_r:proc_kcore_t 4 genfscon proc /mdstat system_u:object_r:proc_mdstat_t 5 genfscon proc /mtrr system_u:object_r:mtrr_device_t 6 genfscon proc /net system_u:object_r:proc_net_t 7 genfscon proc /sysvipc system_u:object_r:proc_t 8 genfscon proc /sys system_u:object_r:sysctl_t 9 genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t 10 genfscon proc /sys/net system_u:object_r:sysctl_net_t 11 genfscon proc /sys/vm system_u:object_r:sysctl_vm_t 12 genfscon proc /sys/dev system_u:object_r:sysctl_dev_t 13 genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t 14 genfscon proc /irq system_u:object_r:sysctl_irq_t As these example statements show, the genfscon statement syntax requires the name of the filesystem, a full or partial path name (relative to the root of the filesystem), and a security context. The full syntax for the genfscon statement can be found on page 220. These example genfscon statements show that there can be multiple genfscon statements for the same filesystem. For filesystems that support this full form of the genfscon statement, the multiple statements are used to specify fine-grained labels for file-related objects. When multiple genfscon statements are present, the security context for file-related objects is determined by matching the genfscon statement with the most specific partial path name and using the security context from that statement. For example, assume that the proc filesystem is mounted at /proc (the standard location). Using these example genfscon statements, the file /proc/filesystems would match the statement on line 1 and receive the security context system_u:object_r:proc_t. Similarly, the directory /proc/sys/kernel/ would match the genfscon statement on line 9 (with the partial path /sys/kernel) and be labeled system_u:object_r:sysctl_kernel_t. All filesystems that use genfscon labeling include at least one genfscon statement with / as the partial path. The security context in this genfscon statement is used to label the filesystem object associated with the filesystem in addition to being the default security context for all file-related objects stored in the filesystem. In the preceding example, the filesystem object for proc would receive the security context system_u:object_r:proc_t.
10.2.4.2. Legacy Filesystem Labeling with the genfscon StatementAs mentioned previously, genfscon can be used in two ways. Before examining the more limited form of this statement intended for legacy filesystems, let's examine some properties of the proc filesystem that make it work well with the full genfscon statement. This will help you understand why other filesystems cannot use the features. These properties concern how file-related object naming is handled on a Linux system. First, the names of all the files and directories that can appear in the proc filesystem are well known and consistent across systems, with the exception of the files and directories representing active processes. For example, /proc/sys/kernel/hostname is always a file that is used to get or set the host name. Although the location of important files is often known for other filesystems (for example, /etc/shadow), the location is seldom known relative to the filesystem mount point and, more important, it is seldom the case that the security properties of all of the file-related objects can be determined by the path. Second, file-related objects are uniquely identified by path name in the proc filesystem, and the kernel can easily determine this absolute path in all circumstances. The proc filesystem does not support the concept of hard links. This means, for example, the object identified by the path /proc/sys/kernel/hostname is never identified by any other path. Together these properties make the proc filesystem suitable for labeling based on path name, as is done by genfscon labeling. Very few filesystems exhibit these properties, making labeling by path name not only difficult but potentially dangerous, as discussed previously. We use the limited form of genfscon for labeling many legacy filesystems, including many that do not exhibit the same properties as proc. To handle filesystems that cannot be safely labeled by path name, we set a default label using the genfscon statement for the filesystem and all the file-related objects in that filesystem. We do this with a single genfscon statement for the entire filesystem. For example, consider the following genfscon statements: genfscon vfat / system_u:object_r:dosfs_t genfscon msdos / system_u:object_r:dosfs_t genfscon fat / system_u:object_r:dosfs_t genfscon ntfs / system_u:object_r:dosfs_t These genfscon statements for the vfat, msdos, fat, and ntfs filesystems set the security context for the associated filesystem objects and all the file-related objects stored in the filesystems to system_u:object_r:dosfs_t.
|