7.4 Examining a Sample Policy

     

Seeing the syntax of individual policy declarations is not the same as seeing how they work together to establish a useful policy. In this section, we'll look at the policy that governs the ping_t domain, and the related domain ping_exec_t , as implemented in Fedora Core 2. Like most policies, this policy resides in two files:


file_contexts/program/ping.fc

Specifies security contexts for files related to the domains.


domains/program/ping.te

Specifies the RBAC declarations related to the domains.

The ping.fc file has these contents:

 # ping /bin/ping.*     -- system_u:object_r:ping_exec_t /usr/sbin/hping2   --   system_u:object_r:ping_exec_t 

When the filesystems are labeled, these specifications cause ordinary files matching the first regular expression /bin/ping.* to be labeled with the security context system_u:object_r:ping_exec_t . Ordinary files matching the second regular expression /usr/sbin/hping2 are also labeled with that security context. The ping.te file is considerably longer than the ping.fc file, so we'll analyze it a few lines at a time. The first several lines are merely comments:

 #DESC Ping - Send ICMP messages to network hosts # # Author:  David A. Wheeler <dwheeler@ida.org> # X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2 # ################################# # # Rules for the ping_t domain. # # ping_t is the domain for the ping program. # ping_exec_t is the type of the corresponding program. # 

The comments point out that the domain has two associated types, ping_t and ping_exec_t . Most domains have at least two types such as these: a type synonymous with the domain ( ping_t ) and another type used for programs that serve as entry points to the domain ( ping_exec_t ).

The next line identifies ping_t as a type and gives it the domain and privlog attributes, marking the type as a domain that is authorized to communicate with the system log process.

 type ping_t, domain, privlog; 

The next two lines identify two roles, sysadm_r and system_r , authorized to access the ping_t domain:

 role sysadm_r types ping_t; role system_r types ping_t; 

The next line invokes an M4 macro:

 in_user_role(ping_t) 

The macro definition resides in macros/ user_macros.te . Its expansion generates the declarations:

 role user_r  types ping_t; role staff_r types ping_t; 

These declarations extend the list of roles privileged to access the ping_t domain. However, as we will see, the role statement is not enough to ensure that ordinary users can execute a ping . A transition must also be authorized.

The next line defines the ping_exec_t type, marking it as a file type rather than a domain:

 type ping_exec_t, file_type, sysadmfile, exec_type; 

The declaration also marks the type as related to an executable file that is accessible to the system administrator.

The next line initializes a policy Boolean with the value false :

 bool user_ping false; 

This Boolean controls whether ordinary users are permitted to use the ping command and related commands.

The next several lines compose a conditional declaration that affects policy only if the policy Boolean user_ping has the value true :

 if (user_ping) {  domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)  # allow access to the terminal  allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;  ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') } 

The conditional declaration uses an M4 macro to generate declarations authorizing processes in unprivileged domains to automatically enter the ping_t domain via execution of a ping_exec_t executable file. It also authorizes access to the TTY or PTY and authorizes use of a file descriptor marked with the gphdomain (Gnome PTY helper) attribute.

Access to the TTY or PTY file is granted through the ttyfile and ptyfile type attributes. These attributes, defined in the file attrib.te , are associated with the three types used to label all TTYs and PTYs: sysadm_tty_device_t , staff_tty_device_t , and user_tty_device_t . For instance, the macros/admin_macros.te file contains macros that expand upon invocation to the following declaration:

 type sysadm_tty_device_t, file_type, sysadmfile, ttyfile; 

The declaration binds the type attribute ttyfile to the type sysadm_tty_device_t . Thus, the allow declaration within the ping_t domain permits processes within that domain to permit read and write operations on device files labeled sysadm_tty_device_t .

The next several lines cause an automatic transition to the ping_t domain when a sysadm_t or initrc_t process loads a ping_exec_t executable:

 # Transition into this domain when you run this program. domain_auto_trans(sysadm_t, ping_exec_t, ping_t) domain_auto_trans(initrc_t, ping_exec_t, ping_t) 

Because these declarations are specified unconditionally, system administrators and processes running under init can always ping .

The next several lines invoke M4 macros that generate declarations enabling access to shared libraries, network resources, and use Network Information Service (NIS) (also known as yp):

 uses_shlib(ping_t) can_network(ping_t) can_ypbind(ping_t) 

Most of the remaining lines extend specific permissions to processes in the ping_t domain. First, such processes are allowed to get the attributes of and read etc_t files:

 allow ping_t etc_t:file { getattr read }; 

Such processes are also allowed to create Unix stream sockets:

 allow ping_t self:unix_stream_socket create_socket_perms; 

Likewise, such processes can create and perform several other operations on raw IP sockets:

 # Let ping create raw ICMP packets. allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; 

Processes in ping_t can send and receive raw IP packets using any interface and node:

 allow ping_t netif_type:netif { rawip_send rawip_recv }; allow ping_t node_type:node { rawip_send rawip_recv }; 

Likewise, they can use the net_raw and setuid capabilities.

 # Use capabilities. allow ping_t self:capability { net_raw setuid }; 

Finally, they can access the terminal:

 # Access the terminal. allow ping_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') allow ping_t { userdomain privfd kernel_t }:fd use; 

Two additional declarations avoid cluttering the system log with useless chatter resulting from failed attempts to get filesystem attributes and search var_t directories:

 dontaudit ping_t fs_t:filesystem getattr; dontaudit ping_t var_t:dir search; 

Exactly why ping wants to perform these operations isn't clear; presumably study of its source code would disclose the reason. But ping seems to work fine even when it is prohibited from performing these operations, so, consistent with the principle of least privilege, we choose not to enable them.

ping isn't alone in attempting unnecessary operations; quite a few programs do so. It's best to determine experimentally whether failed operations are really needed, rather than give a program free rein by enabling every operation it attempts.


The ping.te file, which contains 57 lines, is actually a bit longer than the median TE file size of 54 lines. So if you understand it, you're likely to experience no significant difficulty in understanding all but the most complex TE files. In Chapter 9we move on to consider how to modify existing policies and create policies of your own.



SELinux. NSA's Open Source Security Enhanced Linux
Selinux: NSAs Open Source Security Enhanced Linux
ISBN: 0596007167
EAN: 2147483647
Year: 2003
Pages: 100
Authors: Bill McCarty

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net