8.1 Constraint Declarations

Previous page
Table of content
Next page
     

SELinux policy constraint declarations superficially resemble the constraints implemented via neverallow rules. However, they support a richer language for specifying constraints and, at the same time, have a narrower purpose: constraint declarations restrict the permissions that can be granted by an access-vector rule.

Figures Figure 8-1 through Figure 8-5 show the statement syntax, which is relatively complex. Fortunately, it's unusual for a system administrator to need to modify the constraint declarations supplied by a sample SELinux policy.

Figure 8-1. Constraint declaration
figs/selx_0801.gif

Figure 8-2. Syntax of cexpr
figs/selx_0802.gif

Figure 8-3. Syntax of cexpr_prim
figs/selx_0803.gif

Figure 8-4. Syntax of user_names
figs/selx_0804.gif

Figure 8-5. Syntax of cnames
figs/selx_0805.gif

Constraint declarations impose restrictions on access-vector rules. Therefore, constraint declarations and access-vector rules share some syntactic elements. In particular, recall that access-vector rules involve two security contexts: a source context and a target context. In constraint declarations, you can refer to these contexts by using the special tokens summarized in Table 8-1.

Table 8-1. Special tokens used in constraint declarations

Token

Description 

 u1

User given in source context 

 u2

User given in target context 

 r1

Role given in source context 

 r2

Role given in target context 

 t1

Type given in source context 

 t2

Type given in target context


Constraints declarations reside in the file constraints . Only a handful of constraints appear within the sample SELinux policies distributed with SELinux. For instance, the Fedora Core 2 implementation defines two constraints that restrict the ability to transition between user and role identities: 

 constrain process transition     ( u1 == u2      or (t1 == privuser and t2 == userdomain )     or (t1 == crond_t and t2 == user_crond_domain)     or (t1 == userhelper_t)     or (t1 == priv_system_role and u2 == system_u )     ); constrain process transition     ( r1 == r2      or ( t1 == privrole and t2 == userdomain )     or (t1 == crond_t and t2 == user_crond_domain)     or (t1 == userhelper_t)     or (t1 == priv_system_role and r2 == system_r )     );

The first constraint allows these identity changes to occur only if one of the following circumstances exists:

  • The user identity is unchanged.

  • The source type has the privuser attribute and the target type has the userdomain attribute.

  • The source type is crond_t and the target type has the attribute user_crond_domain (only the domains user_crond_t and sysadm_crond_t have this attribute).

  • The source type is userhelper_t .

  • The source type has the priv_system_role attribute and the target user is system_u .

  • The priv_system_role attribute indicates domains that change role from a user role to system_r or change identity from a user identity to system_u .

The second constraint operates analogously but constrains changes of role rather user identity. These constraints are intended to allow only safe transitions between user identities and roles. Hence, with only the few identified exceptions, only privileged users can transition to new identities or roles.

The policy of Fedora Core 2 also defines two constraints that restrict the ability to label objects with a user identity other than the current identity: 

 constrain { dir file lnk_file sock_file fifo_file chr_file blk_file }  { create relabelto relabelfrom }     ( u1 == u2 or t1 == privowner ); constrain { tcp_socket udp_socket rawip_socket netlink_socket packet_socket  unix_stream_socket unix_dgram_socket }  { create relabelto relabelfrom }     ( u1 == u2 or t1 == privowner );

The first constraint restricts create , relabelto , and relabelfrom permissions over seven classes of file-like objects ( dir , file , lnk_file , sock_file , fifo_file , chr_file , and blk_file ). The operations are permitted only if they do not alter the user identity or the source type has the attribute privowner . The second constraint operates similarly but restricts operations over seven classes of network- related objects, rather than file-like objects.

Because constraints currently play a small role in typical SELinux policies, you likely don't need to understand them in complete detail. It's enough that you understand their function, which is to prevent certain changes to security contexts.



Previous page
Table of content
Next page
SELinux. NSA's Open Source Security Enhanced Linux
Selinux: NSAs Open Source Security Enhanced Linux
ISBN: 0596007167
EAN: 2147483647
Year: 2003
Pages: 100
Authors: Bill McCarty
BUY ON AMAZON
Agile Project Management: Creating Innovative Products (2nd Edition)
Kanban Made Simple: Demystifying and Applying Toyotas Legendary Manufacturing Process
Extending and Embedding PHP
Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
DNS & BIND Cookbook
GDI+ Programming with C#
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy