Policy Editor for Security Enhanced Linux

Policy Editor is a tool that streamlines and simplifies the complicated settings of Security Enhanced Linux (SE Linux). It is designed for professionals in the network industry.

This document describes the Flask security model used by SE Linux and provides instructions for setting up our tool, the Policy Editor. The last section gives a basic explanation of how to read the logs.

For more information, see the manual of SE Linux Policy Editor.

1. Security Model for SE Linux

1.1 Security Decision Based on Labeled Object

1.2 Type Enforcement (Domain Transition)

1.3 Role Based Access Control (RBAC)

2. How to Configure Policy Rules with Policy Editor

3. Configure a Process (bind)

3.1 Creating a Domain

3.2 Domain Transition

3.3 Granting Permissions

3.4 Update Configuration

3.5 Confirming the Settings

4. Setting an Administrative Role for bind

4.1 Creating a Role

4.2 Domain Transition

4.3 Granting Permissions

4.4 Associating a User to the Role

4.5 Update Configuration

4.6 Changing UID

5. Logs

5.1 Overview

5.2 File ACL

5.3 Network ACL

5.4 IPC ACL

5.5 TTY ACL

5.6 Administrative ACL

5.7 proc File System ACL

5.8 tmpfs File System ACL

1. Security Model for SE Linux

1.1 Security Decision Based on Labeled Object

The security model used by SE Linux is called Flask. One of the main features of Flask is the separation of policy definition from policy enforcement. All security policy logic is handled by the security server, which is implemented in Linux as a kernel subsystem.

Under SE Linux, a Domain label is attached to each process and a Type label is attached to each resource; resources include not only files but also network sockets and ports. Labels are assigned according to the security policy.

You set permissions by granting the Domain rights to a Type. Each domain and type name should end with _t.

Figure 0.1 shows an example of a setting which allows the httpd domain to access a home page.

In the example, the httpd_t domain is attached to /usr/sbin/httpd and the contents_t type is attached to /var/www. The httpd domain has permission to read contents_t. By default, a domain has no permissions at all. You add permissions to a domain one by one by specifying the permissions for each resource label. Each process can therefore run with the minimum rights it needs, which limits the damage caused by an exposure or compromise on your network.

Figure 0.1 An example of access control by labeled object

Notes: Under SE Linux, access control works together with normal Linux permissions. Access to a type succeeds only when both the SE Linux policy and the normal Linux permissions allow it, so make sure you set both.


1.2 Type Enforcement (Domain Transition)

In most cases, the Domain Transition scheme is used to allocate a domain label to each process. It is very similar to Linux setuid.

When a parent process spawns child processes, the child processes inherit the domain of the parent process. Under SE Linux, you can change the domain and attach a different domain to a child process. This is called Domain Transition.

The rule has the following form:

    When a process in Domain A runs Program X, the new process runs in Domain B.

Program X, the trigger of the domain transition, is called the Entry point.

Some examples are shown below.

Example A: The init process runs in the init_t domain. When a process in the init_t domain executes a script under /etc/rc.d, its child process(es) run in the initrc_t domain.

Example B: xinetd runs in the xinetd_t domain. When it executes /sbin/in.telnetd, its child process(es) run in the rlogind_t domain.

Repeating domain transitions like this gives each process its own domain and prevents permissions from being concentrated in one specific process.

For further examples, see the screen image of [Configure domain transition] in SE Linux Policy Editor.


1.3 Role Based Access Control (RBAC)

Each user in SE Linux has one or more Roles. A Role is a set of rights that you define in the system. Role Based Access Control (RBAC) assigns permissions to objects based on the role a user plays in the system. Any role name you define should end with _r.

For example, by default in SE Linux Policy Editor the root user can choose either sysadm_r or secadm_r when logging in to the system. With sysadm_r, root logs in as the Linux system administrator; with secadm_r, root logs in as the SE Linux security manager. The user shell runs in a domain whose name is the role name with _r changed to _t. This means that when root logs in as sysadm_r, the user shell runs in the sysadm_t domain.

You can grant permissions to a role with SE Linux Policy Editor. The user shell runs with the permissions set for the role.

Note that you need to configure the relationship between users and roles in advance, in [Relationship between user and role] from the menu of SE Linux Policy Editor, to allow a user to log in with one or more roles.


2. How to Configure Policy Rules with Policy Editor

You can configure the policy rules of your SE Linux with Policy Editor in the following steps:

1. Create a domain (role).

2. Set up the domain transition.

3. Grant the proper permissions to the domain (role).

4. Assign the role to one or more users (for a role only).

5. Load the configuration into your Linux kernel.

6. Update file labeling.

   A) If you granted permission to a file, you need to apply the new type label to the file again. The type label is generated automatically by Policy Editor.

   B) If there is no change in file labeling, you do not need to do so (e.g. when setting only network-related ACLs).

7. Run the program and check the logs. If your configuration is incomplete or incorrect, you will find an error in the log indicating that access has been denied. See section 5 for how to read a log.

8. If you find any error messages in the log, go back to step 3.

It is recommended that the configuration steps above be done in permissive mode.


3. Configure a Process (bind)

As an example of process configuration, see the example for bind (/usr/sbin/named) below. Suppose you allocate a domain named named_t to bind. This section describes the configuration based on Red Hat 7.2, so check your manual for the proper paths if you use another distribution. Configuration for other daemon programs is the same as this one.


3.1 Creating a Domain

Click [Create new domain/role] from the menu, enter named_t in the Domain/Role name field, and click the [Create] button.


3.2 Domain Transition

Link the domain you created to a program. Click [Configure domain transition] from the menu. Since bind is started by a script under /etc/rc.d/init.d, the original domain of bind is initrc_t. Select [Add new transition] and click [initrc_t]. In the right pane, enter named_t as the domain name and /usr/sbin/named as the entry point, then click the [apply] button. Now bind will be started in the named_t domain.


3.3 Granting Permissions

Next, grant bind permission to every resource it requires. Typically, you run the process in permissive mode and check the log to identify the resources it needs to access.

(1) Verify that the original domain has permission to run the entry point.

initrc_t must be allowed to execute named.

Select [Configure ACL(Access Control List)] [initrc_t] [File ACL] [/usr/sbin] and verify that r, x and s are checked for named.

(2) Set permissions for files

(a) Set deny access

Select [Configure ACL(Access Control List)] [global] [File ACL].

Check deny for /var/named and /var/run/named. This denies all access to /var/named (zone files) and /var/run/named (pid file) from every domain in your system. (See the note below.)

(b) Grant permission to file(s)

Select [Configure ACL(Access Control List)] [named] [File ACL].

Check [r] for /var/named.

Check [r] and [w] for /var/run/named.

Grant read permission to /etc/mtab. Also, grant access to etc_runtime_t from [dynamic labeled files] in the /etc directory.

* Note: In the case of named, the pid file is created under /var/run/named; however, most daemons create their pid file directly under /var/run. If you keep a pid file under /var/run, you need to configure the file in [dynamic labeled files].

(3) Network ACL

Check [allow network socket] in [Network ACL]. Enter 53 for TCP and 953 for UDP in [reserve well-known port].

(4) Required configuration for communicating with syslog

Since bind writes its log through syslog, you need to configure communication with syslog. The way to configure a domain to communicate with syslog is always the same:

Choose syslogd_t from [unix domain socket] in [Network ACL].

Check [r] and [w] for /dev/log in [File ACL]. You can find /dev/log under [dynamic labeled files] under /dev as dev_log_t.

(5) Miscellaneous

The daemon might display a message on the administrator's console. If you see such a message, add read/write permission for sysadm_r in [communication with tty] and [communication with psd] in [TTY ACL].

Also, grant read/write permission for /var/run/named to initrc_t, since the start-up script needs to read and write the pid file.


3.4 Update Configuration

From the top menu, select [Update configuration] and click [update all configuration].


3.5 Confirming the Settings

(1) Start bind

Log in as sysadm_r and enter the following command:

    run_init /etc/rc.d/init.d/named restart

Bind starts in the following sequence:

    run_init command (run_init domain) -> start-up script (initrc_t domain) -> bind (named_t domain)

(2) Confirm the bind domain

Enter the following command:

    ps ax --context

Confirm that the following line is displayed:

    system_u:system_r:named_t           named

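The labeling and default-deny decision of 1.1 and the domain transition of 1.2, applied to the bind start-up sequence configured in 3.2 to 3.5, as an added Python model that is not part of Policy Editor or this manual. Only the paths and the init_t, initrc_t, named_t, sysadm_t and syslogd_t names come from the manual; the run_init_t domain name, the types ending in _exec_t and _zone_t, and the permission sets are assumptions made for the example.

```python
# Added model of the SE Linux decisions this manual describes; not Policy Editor code.
# Type labels attached to files (1.1).  The *_exec_t and *_zone_t names are constructed.
FILE_TYPES = {
    "/etc/rc.d/init.d/named": "initrc_exec_t",
    "/usr/sbin/named": "named_exec_t",
    "/bin/bash": "shell_exec_t",
    "/var/named/example.zone": "named_zone_t",
}

# Rights a domain holds on a type, in the r/w/x/s vocabulary of Figure 0.3.
# Anything not listed is denied: a domain starts with no permission at all (1.1).
ALLOW = {
    ("run_init_t", "initrc_exec_t"): {"r", "x", "s"},   # run_init may start the script
    ("initrc_t", "named_exec_t"): {"r", "x", "s"},      # the check in 3.3 step (1)
    ("named_t", "named_zone_t"): {"r"},                 # 3.3 step (2)(b): [r] on /var/named
    ("sysadm_t", "shell_exec_t"): {"r", "x", "s"},
}

# (source domain, entry point) -> new domain, as entered in [Configure domain transition] (3.2).
# The run_init domain is written run_init_t here; the manual only calls it "run_init domain".
TRANSITIONS = {
    ("run_init_t", "/etc/rc.d/init.d/named"): "initrc_t",
    ("initrc_t", "/usr/sbin/named"): "named_t",
}


def allowed(domain, path, perm, unix_ok=True):
    """Flask decision for one access: the SE Linux rule must grant `perm` on the file's
    type AND the normal Linux permissions (`unix_ok`) must also allow it (note in 1.1)."""
    ftype = FILE_TYPES.get(path, "unlabeled_t")
    return unix_ok and perm in ALLOW.get((domain, ftype), set())


def exec_domain(domain, program):
    """Domain of the child after `domain` executes `program` (1.2).

    The child inherits the parent's domain unless a transition is configured for this
    entry point.  Either way the parent needs execute rights on the entry point first;
    without them the exec itself is denied, which is why 3.3 step (1) checks initrc_t."""
    if not allowed(domain, program, "x"):
        raise PermissionError(f"{domain} may not execute {program}")
    return TRANSITIONS.get((domain, program), domain)


def exec_chain(start, programs):
    """Follow a sequence of execs, e.g. the run_init -> script -> bind sequence in 3.5."""
    chain = [start]
    for program in programs:
        chain.append(exec_domain(chain[-1], program))
    return chain


if __name__ == "__main__":
    print(" -> ".join(exec_chain("run_init_t", ["/etc/rc.d/init.d/named", "/usr/sbin/named"])))
    print(allowed("named_t", "/var/named/example.zone", "r"))   # zone file readable by bind
    print(allowed("sysadm_t", "/var/named/example.zone", "r"))  # no rule: denied by default
```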

4. Setting an Administrative Role for bind

As an example, create a namemaster_r role for administering the name server.


4.1 Creating a Role

Create a role named namemaster_r.


4.2 Domain Transition

Go to [Configure domain transition].

(1) Configure the domain transition for login

The domain transition for login depends on which kind of login you want to allow. Add domain transitions as necessary. Make sure to set the entry point to /bin/sh or /bin/bash. See the following examples:

To allow login from the local console: add namemaster_r under login_t.

To allow login via the telnet command: add namemaster_r under remote_login_t.

To allow login with ssh: add namemaster_r under sshd_t.

(2) Configure the domain transition for named

Add a domain transition to named_t under namemaster_r, since bind needs to run in the named_t domain when it is restarted from namemaster_r. The entry point is /usr/sbin/named.


4.3 Granting Permissions

(1) File ACL

Select namemaster_r from [Configure ACL(Access Control List)] and click [File ACL].

(a) Grant write permission to the home directory

For the root user, check [r] and [w] for /root. For any other user, check [r] and [w] under /home.

(b) Grant write permission to the zone files

Check [r], [w], and [s] for /var/named.

(c) Grant read permission to the bind log file

This depends on your bind settings. In this example, check [r] and [s] for the bind log file.

(d) Grant permission to run the bind executable file or script

Check [r], [x], and [s] for /usr/sbin/named.

Check [r], [x], and [s] for /etc/rc.d/init.d.

(e) Grant permission to commands

Check [r], [x], and [s] for the directories where commands are located, such as /bin, /sbin, /usr/bin, /usr/sbin and /usr/local/selinux/bin.

(f) Grant permission to read mail

Check [s] for /var/spool and [r] and [s] for /var/spool/mail/.

(g) Miscellaneous

Check [r] for /etc/mtab. You can find /etc/mtab under the /etc directory as a dynamic labeled file named etc_runtime_t.

(2) Other configurations

(a) Network

Check [allow network socket] in [Network ACL].

(b) Communication with bind

To communicate with the local bind, you need to allow communication between bind and the role's processes.

From [Configuration of IPC ACL], choose named_t for [tcp socket] and [udp socket] under [Socket] and click the [apply] button.

(c) Terminal settings

In [TTY ACL], check create tty under Communicate with tty. This setting is needed to create a role-specific tty when the login program runs at login.

In [TTY ACL], add namemaster_r for [read] and [write] under [Communication with tty] and [Communication with ps]. (Skip this step if you do not need remote login.)


4.4 Associating a User to the Role

Select [relationship between user and role]. Choose the user who will log in as namemaster_r and add namemaster_r to [allowed role].


4.5 Update Configuration

Select [Update configuration] and click [update all configuration]. All configurations are loaded into the kernel and the files are relabeled.


4.6 Changing UID

To use namemaster_r with a user other than root, you need to set the user's uid to 0, since with normal UNIX permission settings the zone files can be written only by the root user. Under SE Linux the normal UNIX permissions still apply, so whenever you create an administrative role the uid should be set to 0.


5. Logs

5.1 Overview

SE Linux outputs a log as a kernel message whenever an access is denied. By default, the SE Linux log is written to /var/log/messages. See an example of a log in Figure 0.1 below:

    avc:  denied  { read } for  pid=8903 exe=/bin/cat path=/var/www/html/index.html
    dev=08:01 ino=131308 scontext=root:sysadm_r:sysadm_t
    tcontext=system_u:object_r:var_www_t tclass=file

Figure 0.1 Example of log

You can see a variety of information in the log above; the fields listed below are the ones common to all logs. This section describes these fields.

- {(manipulation)}: the denied manipulation. In the example above, read is denied.

- scontext: the domain name of the process that tried to access the target resource.

- tcontext: the label name associated with the target resource.

- tclass: the type (object class) of the target resource.

In the example in Figure 0.1, the log indicates that a process in the sysadm_t domain failed to read a file labeled var_www_t. This log tells us that read permission on var_www_t needs to be granted to the sysadm_t domain. Of course, you need to investigate whether the access is really needed.

However, it is a little complicated for the user to work out which permissions need to be granted, so see the further examples below. (The examples explain the information in a log in terms of the Policy Editor settings.)


5.2 File ACL

If any configuration is missing for a file, the following log (Figure 0.2) is displayed, indicating that access to the file is denied.

    avc:  denied  { read } for  pid=8903 exe=/bin/cat path=/var/www/html/index.html
    dev=08:01 ino=131308 scontext=root:sysadm_r:sysadm_t
    tcontext=system_u:object_r:var_www_t tclass=file

Figure 0.2 Example of a log for a file

The fields in the log above relate to the file configuration: you can see that read access to /var/www/html/index.html is denied in the sysadm_t domain.

Note that the path is shown relative to the mount point. For example, if a file system is mounted at /usr/local, you cannot tell from the path shown above whether the file is /var/www/html or /usr/local/var/www/html. You can see which file system is involved by checking the dev field: dev=08:01 is the major and minor number of the mounted partition. From /etc/mtab you can find how the major/minor numbers and the mount points correspond to each other.

Figure 0.3 shows the permissions you can grant with SE Linux Policy Editor and the corresponding log information. Use it to decide which permission to grant.

Figure 0.3 Grantable permission with SE Linux Policy Editor and log information (for files)

    Permission | Log information
    -----------+----------------------------------------------------------------------------
    r          | read, lock, unlock or ioctl is shown in {}.
    w          | write, append, create, setattr, addname, unlink, link or rename is shown in {}.
    x          | execute or execute_no_trans is shown in {}.
    s          | search or getattr is shown in {}.

From the example log above, you need to grant read access to /var/www/html/index.html in the sysadm_t domain. With SE Linux Policy Editor, sysadm_t is the domain of the user shell when a user with the sysadm_r role logs in, so grant read access to /var/www/html/index.html in the sysadm_r role as well.


5.3 Network ACL

Various logs are output when a network-related manipulation is denied. See Figure 0.4 for the permissions grantable with SE Linux Policy Editor.

Figure 0.4 Grantable permission with SE Linux Policy Editor and log information (for network)

    Permission | Log information
    -----------+----------------
    Allow network socket | netif=eth0 tclass=tcp_socket (udp_socket)
    Allow raw socket | { net_raw }
    Reserve well-known port / Allow all non-reserved well-known ports / Reserve a well-known port reserved by another domain | For an entry of { name_bind } port=xxx tclass=tcp_socket (udp_socket), binding to tcp/udp port xxx is denied.


5.4 IPC ACL

See Figure 0.5 for the permissions grantable with SE Linux Policy Editor and the log information for interprocess communication.

Figure 0.5 Grantable permission with SE Linux Policy Editor and log information (for interprocess communication)

    Permission | Log information
    -----------+----------------
    tcp/udp/unix socket | For an entry with tclass=tcp_socket/udp_socket/unix_stream_socket, scontext = domain A and tcontext = domain B, you need to allow domain A to communicate with domain B.
    Semaphore/Message/Message queue/Shared memory/Pipe | tclass=sem/msg/msgq/shm/pipe, scontext = domain A, tcontext = domain B
    sigchld/sigkill/sigstop/other signals | { sigchld }/{ sigkill }/{ sigstop }/{ signal }, scontext = domain A, tcontext = domain B

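The log fields of 5.1 and the mappings of Figures 0.3, 0.4 and 0.5 (plus the dev values of 5.7 and 5.8), turned into a small Python triage script as an added example; it is not part of Policy Editor or this manual. The sample log lines are constructed on the pattern of Figure 0.2; the dir object class, the port_t type and the connectto permission are assumptions that do not appear in the manual.

```python
import re

# Added triage helper for 'avc: denied' lines, written for this manual; it is not
# part of Policy Editor.  The mappings follow Figures 0.3, 0.4 and 0.5 and 5.7/5.8.
FILE_PERMS = {                      # Figure 0.3: Policy Editor box -> AVC permission names
    "r": {"read", "lock", "unlock", "ioctl"},
    "w": {"write", "append", "create", "setattr", "addname", "unlink", "link", "rename"},
    "x": {"execute", "execute_no_trans"},
    "s": {"search", "getattr"},
}
IPC_CLASSES = {"tcp_socket", "udp_socket", "unix_stream_socket",   # Figure 0.5
               "sem", "msg", "msgq", "shm", "pipe"}
SIGNALS = {"sigchld", "sigkill", "sigstop", "signal"}
SPECIAL_FS = {"00:02": "proc File System ACL", "00:07": "tmpfs File System ACL"}  # 5.7, 5.8

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Split one denial line into the fields of 5.1; returns None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    # The last component of a context is the domain (scontext) or the type (tcontext).
    rec["sdomain"] = rec["scontext"].rsplit(":", 1)[-1]
    rec["ttype"] = rec["tcontext"].rsplit(":", 1)[-1]
    return rec


def suggest(rec):
    """Name the Policy Editor ACL screen and box that a parsed denial points at."""
    dom, cls, perms = rec["sdomain"], rec["tclass"], rec["perms"]
    if "name_bind" in perms and "port" in rec:              # Figure 0.4, port reservation
        return f"Network ACL: reserve {cls.split('_')[0]} port {rec['port']} for {dom}"
    if "net_raw" in perms:
        return f"Network ACL: allow raw socket for {dom}"
    if "netif" in rec and cls in ("tcp_socket", "udp_socket"):
        return f"Network ACL: allow network socket for {dom}"
    if cls in IPC_CLASSES or perms & SIGNALS:               # Figure 0.5: both sides are domains
        return f"IPC ACL: allow {dom} to communicate with {rec['ttype']} ({cls})"
    if cls in ("file", "dir"):                              # Figure 0.3 ('dir' class is assumed)
        screen = SPECIAL_FS.get(rec.get("dev", ""), "File ACL")
        boxes = "".join(k for k, v in FILE_PERMS.items() if perms & v) or "?"
        return f"{screen}: check [{boxes}] for {rec.get('path', rec['ttype'])} in {dom}"
    return f"unmapped: {cls} {sorted(perms)} in {dom}"


def triage(log_text):
    """One suggestion per denial found in a chunk of /var/log/messages."""
    return [suggest(r) for r in map(parse_avc, log_text.splitlines()) if r]


# Constructed sample lines modelled on Figure 0.2 and the Figure 0.4 / 0.5 descriptions.
SAMPLE_LOG = """\
kernel: avc:  denied  { read } for  pid=8903 exe=/bin/cat path=/var/www/html/index.html dev=08:01 ino=131308 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:var_www_t tclass=file
kernel: avc:  denied  { name_bind } for  pid=911 exe=/usr/sbin/named port=53 scontext=system_u:system_r:named_t tcontext=system_u:object_r:port_t tclass=udp_socket
kernel: avc:  denied  { connectto } for  pid=911 exe=/usr/sbin/named scontext=system_u:system_r:named_t tcontext=system_u:system_r:syslogd_t tclass=unix_stream_socket
"""

if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print(hint)
```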

5.5 TTY ACL

5.5.1 Terminal

Domain/role-specific terminals have the following names:

Normal terminal: (domain / role name)_tty_device_t

Pseudo terminal: (domain / role name)_pts_device_t

The label names before relabelling are the following:

Normal terminal before relabelling: tty_device_t

Pseudo terminal before relabelling: devpts_t, ptmx_t


5.5.2 Log information

See Figure 0.6 for the permissions grantable with SE Linux Policy Editor and the terminal-related log information.

Figure 0.6 Grantable permission with SE Linux Policy Editor and log information (for terminal)

    Permission | Log information
    -----------+----------------
    Create TTY | In this case it is difficult to find the error in the log file. Create TTY is used only for roles and for sshd_login_t / rlogind_t; in practice it is used only when creating a new role. To verify that the setting was applied, check that the terminal carries the role/domain-specific name with
               |     ls --context /dev/tty(terminal number)   for local login,
               |     ls --context /dev/pts/                   for remote login.
    Grant read / write permission | If the following message is output to the log, grant permission to the terminal corresponding to tcontext: { read } { write }, tcontext = terminal name
    Allow labeled | This is very rarely configured; however, if you see the following message, check for missing configuration: tcontext = terminal name, { relabelfrom relabelto }


5.6 Administrative ACL

Figure 0.7 Grantable permission with SE Linux Policy Editor and log information (for administrative)

    Permission | Log information
    -----------+----------------
    Labeled all files / Labeled files that this domain can write | { relabelfrom relabelto } (one of the two permissions on the left should be granted, if necessary)
    Use of chsid system call | { chsid }
    Use avc_toggle command | { avc_toggle }
    Use load_policy command | { load_policy }
    Rewrite arp/route table | { net_admin }
    Use of boot system call | { sys_boot }
    Reload kernel module | { sys_module }
    Use quotaon | { quotaon }
    swapon | { swapon }
    Use of mount system call | { mounton }
    Raw I/O | { sys_rawio }
    Use of ptrace system call | { sys_ptrace }
    Use of chroot system call | { sys_chroot }
    Search all directories |
    Read all files |
    Write all files |
    Read / write unlabeled files |


5.7 proc File System ACL

When a message with path=/xxx and dev=00:02 is output to the log, the log relates to the proc file system.

Grant permission according to the file name in the message.


5.8 tmpfs File System ACL

When a message with path=/xxx and dev=00:07 is output to the log, the log relates to the tmpfs file system.

5.8.1 Label name

A file created in tmpfs gets the following Type:

Before labeling: tmpfs_t

Files created by a domain or role: <domain / role name>_tmpfs_t

These label names are shown in tcontext. See Figure 0.8 for the grantable permissions and log information.


5.8.2 Log information

Figure 0.8 Grantable permission with SE Linux Policy Editor and log information (for tmpfs file system)

    Permission | Log information
    -----------+----------------
    Can create my own file in tmpfs | { write } tcontext=tmpfs_t
    Read / write | { read }/{ write } is displayed and a label name specified in 5.8.1 is shown in tcontext.