7.1. A Closer Look at the Access Decision AlgorithmTo understand the purpose of constraints, let's revisit the SELinux Linux Security Module (LSM). Recall the SELinux kernel architecture discussed in Chapter 3, "Architecture," the salient portion of which is depicted again in Figure 7-1. Figure 7-1. Review of the SELinux LSM moduleWe want to take a closer look at how the access decision logic works within the security server. The access vector cache (AVC)[1] is keyed by a triple of source security identifier (SID), target SID, and object class. SIDs are internal references to security contexts (see the sidebar on page 151).
In the source code, you can see the policy-neutral portions of the SELinux LSM module, including the AVC, in linux-2.6/security/selinux/*.c and the policy-specific portions (that is, the security server) in linux-2.6/security/selinux/ss/*. When the SELinux LSM hooks [2] ask for an access decision, they provide the SIDs of the subject (source) and object (target) and the object class. The AVC uses the SID-SID-class triple to look up allowed access, which is stored as a bit mask.
When a cache miss occurs, the AVC calls the security server function security_compute_av()[3] to determine allowed access. This function has two basic steps in its access decision logic: 1) create a mask representing the object permissions allowed according to the TE allow rules for the type-type-class triple, and 2) remove from the allowed mask those permissions disallowed by any constraint. This second step allows a constraint to be a means to restrict permissions that otherwise would be allowed by the policy.
The primary purpose of constraints is to enforce global restrictions for certain permissions regardless of the allow rules in the policy. All constraints are checked each time the security_compute_av() function is called before returning the allowed access mask to the AVC. So, as you can see, constraints further limit the access allowed in an SELinux policy. SELinux has two types of constraints. The constrain statement is the most common constraint and enables you to further restrict access based on the user, role, and/or type of the source and target security contexts. The validatetrans statement is a more recent addition to SELinux and enables you to further restrict access for security context change events based on the old, new, and process security context. Note At the time of this writing, the apol tool does not support constraints. Therefore, you cannot view these statements with that tool. Support for constraints is planned and should be available in the future. |