7.3. Label Transition ConstraintsSELinux supports a second constraint statement, validatetrans. This statement was added as part of the modified multilevel security features we discuss in the next chapter. With the validatetrans statement, we can further control the ability to change the security context of supported objects. As of this writing, the only supported objects for this constraint are the filesystem objects (file, directory, device files, and so on). Unlike the constrain statement, the validatetrans statement allows you to relate the new and old security context of an object with each other and/or with a third security context, that of the process attempting to relabel the object. Thus, new keywords are added for this statement, specifically t3, r3, and u3, respectively representing the type, role, and user of the process security context. The *1 keywords represent the old security context, and the *2 keywords represent the new security context. The full syntax for this statement is available in the sidebar on page 157. Warning Be careful not to confuse the keyword associations between the constrain and validatetrans statements. For the constrain statement, t1 represents the source (or calling process) type, and t2 represents the target (object) type. However, in the validatetrans statement, t3 is now the source process type, t1 is the "old" type, and t2 is the "new" type.
Validatetrans statements are valid only in monolithic policies and base loadable modules. They are not valid in conditional statements and non-base loadable modules. To date, we have seen no example use of the validatetrans constraint. This statement was added as the cousin to the multilevel security (MLS) variant described in Chapter 8, "Multilevel Security," on the future possibility of it being useful. To help understand how one might use this statement, let's look at example. The key feature of the validatetrans statement is that it enables us to associate old and new security contexts on a label change for file objects. Suppose that we have a type user_tmp_t that in our policy we use as the type for ordinary untrusted user programs' temporary files. We might, for example, want to ensure that a domain with privilege to change all file labels (for example, a label maintenance program an administrator might run) does not accidentally relabel a file with user_tmp_t as its type to certain highly critical types (say shadow_t type, which is the type of the /etc/shadow file). Here's our constraint that would provide this restriction: validatetrans {file lnk_file} ( t2 != shadow_t or t1 != user_tmp_t ); Notice several features of this constraint. First, notice that we included both ordinary files and symbolic links (lnk_file) because we do not want someone to use a link in place of a file. Now examine the constraint expressions. In simple language, the constraint says that for a security context change to be allowed for file and symbolic link objects, the new type may only be shadow_t if the old type is not user_tmp_t. In other words, no domain type may be authorized to relabel a user temporary file into the type of the shadow password file. To expand this example, assume there are a subset of domain types that we do want to allow to relabel user_tmp_t to shadow_t. (It is hard to imagine a situation where this would be advisable, but you never know.) So, now we create an attribute relabel_any and assign it to those domain types we want to grant this privilege. We then expand this constraint as follows: validatetrans {file lnk_file} ( ( t3 == relabel_any) or ( t2 != shadow_t or t1 != user_tmp_t ) ); Now we have a set of domain types (those with the relabel_any attribute) that this constraint will not restrict in any way.
|