├── .github ├── actions │ └── setup │ │ └── action.yml └── workflows │ ├── checkers.yml │ ├── epub.yml │ ├── html.yml │ └── pdf.yml ├── .gitignore ├── BUILD.md ├── CONTRIBUTING.md ├── LICENSE ├── MAINTAINER_PROCESS.md ├── Makefile ├── README.md ├── scripts ├── macros_doc.sh └── macros_section.sh └── src ├── apache_support.md ├── auditing.md ├── avc_rules.md ├── bounds_rules.md ├── cil_overview.md ├── class_permission_statements.md ├── computing_access_decisions.md ├── computing_security_contexts.md ├── conditional_statements.md ├── configuration_files.md ├── constraint_statements.md ├── core_components.md ├── cover.md ├── cover_epub.md ├── debug_policy_hints.md ├── default_rules.md ├── domain_object_transitions.md ├── embedded_systems.md ├── file_labeling_statements.md ├── global_config_files.md ├── hardening.md ├── images ├── 1-core.odt ├── 1-core.png ├── 10-fork.odt ├── 10-fork.png ├── 11-transition.odt ├── 11-transition.png ├── 12-lsm-selinux-arch.odt ├── 12-lsm-selinux-arch.png ├── 13-secmark.odt ├── 13-secmark.png ├── 14-fallback.odt ├── 14-fallback.png ├── 15-mls1.odt ├── 15-mls1.png ├── 16-mls2.odt ├── 16-mls2.png ├── 17-ipsec.odt ├── 17-ipsec.png ├── 18-kvm.odt ├── 18-kvm.png ├── 19-shareable.odt ├── 19-shareable.png ├── 2-high-level-arch.odt ├── 2-high-level-arch.png ├── 20-clone.odt ├── 20-clone.png ├── 21-error.odt ├── 21-error.png ├── 22-xen.odt ├── 22-xen.png ├── 23-x-server.odt ├── 23-x-server.png ├── 24-database-table.odt ├── 24a-sepostgresql.odt ├── 24a-sepostgresql.png ├── 25-file_contexts.odt ├── 25-file_contexts.png ├── 26-ref-policy.odt ├── 26-ref-policy.png ├── 27-ref-doc.odt ├── 27-ref-doc.png ├── 28-mod-expand-1.odt ├── 28-mod-expand-1.png ├── 29-mod-expand-2.odt ├── 29-mod-expand-2.png ├── 3-processing-call.odt ├── 3-processing-call.png ├── 4-RBAC.odt ├── 4-RBAC.png ├── 5-object-class.odt ├── 5-object-class.png ├── 6-allow-rule.odt ├── 6-allow-rule.png ├── 7-domain-transition.odt ├── 7-domain-transition.png ├── 8-security-levels.odt ├── 8-security-levels.png ├── 9-mls-constrain.odt ├── 9-mls-constrain.png └── selinux-penguin.png ├── implementing_seaware_apps.md ├── infiniband_statements.md ├── kernel_policy_language.md ├── libselinux_functions.md ├── lsm_selinux.md ├── mac.md ├── metadata.yaml ├── mls_mcs.md ├── mls_statements.md ├── modes.md ├── modular_policy_statements.md ├── network_statements.md ├── network_support.md ├── notebook-examples ├── README.md ├── cil-policy │ ├── Makefile │ ├── README.md │ └── cil-policy.cil ├── embedded-policy │ ├── android-policy │ │ ├── README.md │ │ ├── android-10 │ │ │ └── Makefile │ │ ├── android-4 │ │ │ └── Makefile │ │ ├── brillo-device │ │ │ └── Makefile │ │ └── brillo │ │ │ └── Makefile │ └── reference-policy │ │ ├── README.md │ │ ├── build.conf │ │ └── modules.conf ├── network │ ├── Makefile │ ├── README.md │ ├── ipsec │ │ ├── ip-xfrm.sh │ │ ├── ipsec-flush.sh │ │ ├── setkey │ │ └── setkey.sh │ ├── nb_client.c │ ├── nb_server.c │ └── netlabel │ │ ├── calipso-flush.sh │ │ ├── calipso.sh │ │ ├── cipso-flush.sh │ │ └── cipso.sh ├── selinux-policy │ ├── README.md │ ├── cil │ │ ├── CIL_Reference_Guide.pdf │ │ ├── Makefile │ │ ├── README.md │ │ └── cil-nb-policy.txt │ ├── flask-files │ │ ├── README │ │ ├── access_vectors │ │ ├── initial_sids │ │ └── security_classes │ ├── kernel │ │ ├── Makefile │ │ ├── README.md │ │ └── kern-nb-policy.txt │ ├── policy-files │ │ ├── dbus_contexts │ │ ├── default_contexts │ │ ├── default_type │ │ ├── file_contexts │ │ ├── mls │ │ │ ├── default_contexts │ │ │ ├── default_type │ │ │ ├── file_contexts │ │ │ ├── seusers │ │ │ └── x_contexts │ │ ├── seusers │ │ └── x_contexts │ └── tools │ │ ├── build-sepolicy │ │ └── build-sepolicy.md └── sepgsql │ ├── README.md │ └── testdb-example.sql ├── object_classes_permissions.md ├── objects.md ├── pam_login.md ├── policy_config_files.md ├── policy_config_statements.md ├── policy_languages.md ├── policy_store_config_files.md ├── policy_validation_example.md ├── polyinstantiation.md ├── postgresql.md ├── rbac.md ├── reference_policy.md ├── role_statements.md ├── seandroid.md ├── section_list.txt ├── security_context.md ├── selinux_cmds.md ├── selinux_overview.md ├── sid_statement.md ├── styles_epub.css ├── styles_html.css ├── styles_pdf.css ├── subjects.md ├── terminology.md ├── title.md ├── toc.md ├── type_enforcement.md ├── type_statements.md ├── types_of_policy.md ├── user_statements.md ├── users.md ├── userspace_libraries.md ├── vm_support.md ├── x_windows.md ├── xen_statements.md └── xperm_rules.md /.github/actions/setup/action.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Github Action to setup The SELinux Notebook build 3 | # 4 | # Copyright (c) 2022 Microsoft Corporation 5 | # Author: Paul Moore 6 | # 7 | 8 | name: Setup the build for The SELinux Notebook 9 | description: "Install dependencies for The SELinux Notebook build" 10 | runs: 11 | using: "composite" 12 | steps: 13 | - run: sudo apt-get update 14 | shell: bash 15 | - run: sudo apt-get install -y build-essential weasyprint pandoc calibre 16 | shell: bash 17 | -------------------------------------------------------------------------------- /.github/workflows/checkers.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Github Action to perform a number of context checks 3 | # 4 | # Copyright (c) 2022 Microsoft Corporation 5 | # Author: Paul Moore 6 | # 7 | 8 | name: Content Checking 9 | on: ["push", "pull_request", "workflow_dispatch"] 10 | 11 | jobs: 12 | codespell: 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - name: Checkout from github 17 | uses: actions/checkout@v2 18 | - name: Spellcheck 19 | uses: codespell-project/actions-codespell@master 20 | with: 21 | ignore_words_list: te msdos 22 | skip: src/notebook-examples/selinux-policy/tools/build-sepolicy 23 | -------------------------------------------------------------------------------- /.github/workflows/epub.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Github Action to build The SELinux Notebook 3 | # 4 | # Copyright (c) 2022 Microsoft Corporation 5 | # Author: Paul Moore 6 | # 7 | 8 | name: EPUB build 9 | on: ["push", "pull_request", "workflow_dispatch"] 10 | 11 | jobs: 12 | epub: 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - name: Checkout from GitHub 17 | uses: actions/checkout@v2 18 | - name: Setup the build directory 19 | uses: ./.github/actions/setup 20 | - name: Run the build 21 | run: make epub 22 | - name: Archive the rendering 23 | uses: actions/upload-artifact@v4 24 | with: 25 | name: EPUB rendering 26 | path: ./epub/SELinux_Notebook.azw3 27 | -------------------------------------------------------------------------------- /.github/workflows/html.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Github Action to build The SELinux Notebook 3 | # 4 | # Copyright (c) 2022 Microsoft Corporation 5 | # Author: Paul Moore 6 | # 7 | 8 | name: HTML build 9 | on: ["push", "pull_request", "workflow_dispatch"] 10 | 11 | jobs: 12 | html: 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - name: Checkout from GitHub 17 | uses: actions/checkout@v2 18 | - name: Setup the build directory 19 | uses: ./.github/actions/setup 20 | - name: Run the build 21 | run: make html 22 | - name: Archive the rendering 23 | uses: actions/upload-artifact@v4 24 | with: 25 | name: HTML rendering 26 | path: ./html/SELinux_Notebook.html 27 | -------------------------------------------------------------------------------- /.github/workflows/pdf.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Github Action to build The SELinux Notebook 3 | # 4 | # Copyright (c) 2022 Microsoft Corporation 5 | # Author: Paul Moore 6 | # 7 | 8 | name: PDF build 9 | on: ["push", "pull_request", "workflow_dispatch"] 10 | 11 | jobs: 12 | pdf: 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - name: Checkout from GitHub 17 | uses: actions/checkout@v2 18 | - name: Setup the build directory 19 | uses: ./.github/actions/setup 20 | - name: Run the build 21 | run: make pdf 22 | - name: Archive the rendering 23 | uses: actions/upload-artifact@v4 24 | with: 25 | name: PDF rendering 26 | path: ./pdf/SELinux_Notebook.pdf 27 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .tmp/ 2 | html/ 3 | pdf/ 4 | epub/ 5 | -------------------------------------------------------------------------------- /BUILD.md: -------------------------------------------------------------------------------- 1 | # Viewing the Markdown Versions 2 | 3 | In addition to viewing the notebook markdown files on GitHub, the markdown 4 | files can be viewed with Firefox using the following Markdown Viewer: 5 | 6 | * https://github.com/KeithLRobertson/markdown-viewer 7 | 8 | Extract from the README: 9 | 10 | > On Linux: Firefox may not know how to handle markdown files by default. 11 | > A workaround for this is to add a new MIME type for markdown file extensions. 12 | > Add the following XML to *~/.local/share/mime/packages/text-markdown.xml*: 13 | > 14 | > ```xml 15 | > 16 | > 17 | > 18 | > 19 | > 20 | > 21 | > 22 | > 23 | > 24 | > 25 | > 26 | > ``` 27 | > 28 | > Then run: 29 | > 30 | > % update-mime-database ~/.local/share/mime 31 | 32 | # Build HTML, PDF, or EPUB Versions 33 | 34 | The SELinux Notebook can be rendered in HTML, PDF, or EPUB using the included 35 | Makefile. In order to build these versions of the notebook, "pandoc" and 36 | "weasyprint" must be installed on your system; consult your distribution 37 | documentation for information on installing these packages. 38 | 39 | The EPUB build will also produce a Kindle "azw3" formatted version if "calibre" 40 | is installed on your system (specifically the "ebook-convert" command). 41 | 42 | Once the required packages are installed can generate the PDF notebook with the 43 | following command: 44 | 45 | % make pdf 46 | 47 | ... the following will generate the HTML notebook: 48 | 49 | % make html 50 | 51 | ... and the following will generate the EPUB notebook: 52 | 53 | % make epub 54 | 55 | The PDF, HTML, and EPUB notebooks will be generated in newly created "pdf", 56 | "html" and "epub" directories. 57 | 58 | **Notes:** 59 | 60 | - The Notebook examples are not embedded into any of the document formats, 61 | however they will have links to them via their build directory. 62 | - When viewing the Notebook EPUB version, eBook readers do vary on rendering 63 | tables, displaying images and resolving links to the examples. For Linux, 64 | Foliate was found to be the most consistent, and can be found at: 65 | 66 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | How to Contribute to The SELinux Notebook 2 | =============================================================================== 3 | https://github.com/SELinuxProject/selinux-notebook 4 | 5 | This document is intended to act as a guide to help you contribute to the 6 | The SELinux Notebook. It is not perfect, and there will always be exceptions 7 | to the rules described here, but by following the instructions below you 8 | should have a much easier time getting your work merged with the upstream 9 | project. 10 | 11 | ## Make Sure Your Changes Render Correctly 12 | 13 | The SELinux Notebook can be viewed in four different formats: Markdown, HTML, 14 | PDF, and EPUB. Your changes need to render correctly in all four formats. 15 | The HTML, PDF, and EPUB formatted notebooks can be created using the included 16 | Makefile and Markdown can be viewed directly via the GitHub source browser 17 | or any number of Markdown viewers. 18 | 19 | Note that the EPUB build will optionally produce a version suitable for 20 | viewing on a Kindle that supports the "azw3" file format. 21 | 22 | ## Explain Your Work 23 | 24 | At the top of every patch you should include a description of the change you 25 | are making as well as your motivation. 26 | 27 | ## Sign Your Work 28 | 29 | The sign-off is a simple line at the end of the patch description, which 30 | certifies that you wrote it or otherwise have the right to pass it on as an 31 | open-source patch. The "Developer's Certificate of Origin" pledge is taken 32 | from the Linux Kernel and the rules are pretty simple: 33 | 34 | Developer's Certificate of Origin 1.1 35 | 36 | By making a contribution to this project, I certify that: 37 | 38 | (a) The contribution was created in whole or in part by me and I 39 | have the right to submit it under the open source license 40 | indicated in the file; or 41 | 42 | (b) The contribution is based upon previous work that, to the best 43 | of my knowledge, is covered under an appropriate open source 44 | license and I have the right under that license to submit that 45 | work with modifications, whether created in whole or in part 46 | by me, under the same open source license (unless I am 47 | permitted to submit under a different license), as indicated 48 | in the file; or 49 | 50 | (c) The contribution was provided directly to me by some other 51 | person who certified (a), (b) or (c) and I have not modified 52 | it. 53 | 54 | (d) I understand and agree that this project and the contribution 55 | are public and that a record of the contribution (including all 56 | personal information I submit with it, including my sign-off) is 57 | maintained indefinitely and may be redistributed consistent with 58 | this project or the open source license(s) involved. 59 | 60 | ... then you just add a line to the bottom of your patch description, with 61 | your real name, saying: 62 | 63 | Signed-off-by: Random J Developer 64 | 65 | You can add this to your commit description in `git` with `git commit -s` 66 | 67 | ## Post Your Patches Upstream 68 | 69 | The SELinux Notebook accepts both GitHub pull requests and patches sent via 70 | the SELinux developers mailing list. GitHub pull requests are preferred. The 71 | sections below explain how to contribute via either method. Please read each 72 | step and perform all steps that apply to your chosen contribution method. 73 | 74 | ### Submitting via Email 75 | 76 | Depending on how you decided to work with the notebook sources and what 77 | tools you are using there are different ways to generate your patch(es). 78 | However, regardless of what tools you use, you should always generate your 79 | patches using the "unified" diff/patch format and the patches should always 80 | apply to the notebook source tree using the following command from the top 81 | directory of the notebook sources: 82 | 83 | % patch -p1 < changes.patch 84 | 85 | If you are not using git, stacked git (stgit), or some other tool which can 86 | generate patch files for you automatically, you may find the following command 87 | helpful in generating patches, where "selinux-notebook.orig/" is the unmodified 88 | source code directory and "selinux-notebook/" is the source code directory with your 89 | changes: 90 | 91 | % diff -purN selinux-notebook.orig/ selinux-notebook/ 92 | 93 | When in doubt please generate your patch and try applying it to an unmodified 94 | copy of the notebook sources; if it fails for you, it will fail for the rest 95 | of us. 96 | 97 | Finally, you will need to email your patches to the mailing list so they can 98 | be reviewed and potentially merged into the main notebook repository. When 99 | sending patches to the mailing list it is important to send your email in text 100 | form, no HTML mail please, and ensure that your email client does not mangle 101 | your patches. It should be possible to save your raw email to disk and apply 102 | it directly to the notebook sources; if that fails then you likely have 103 | a problem with your email client. When in doubt try a test first by sending 104 | yourself an email with your patch and attempting to apply the emailed patch to 105 | the notebook repository; if it fails for you, it will fail for the rest of 106 | us. 107 | 108 | ### Submitting via GitHub 109 | 110 | See [this guide](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you've never done this before. 111 | -------------------------------------------------------------------------------- /MAINTAINER_PROCESS.md: -------------------------------------------------------------------------------- 1 | The SELinux Notebook Maintainer Process 2 | =============================================================================== 3 | https://github.com/SELinuxProject/selinux-notebook 4 | 5 | This document attempts to describe the processes that should be followed by the 6 | various SELinux Notebook maintainers. It is not intended as a hard requirement, 7 | but rather as a guiding document intended to make it easier for multiple 8 | co-maintainers to manage the SELinux Notebook project. 9 | 10 | We recognize this document, like all other parts of the Notebook project, is 11 | not perfect. If changes need to be made, they should be made following the 12 | guidelines described here. 13 | 14 | ### Reviewing and Merging Patches 15 | 16 | In a perfect world each patch would be independently reviewed and ACK'd by each 17 | maintainer, but we recognize that is not likely to be practical for each patch. 18 | Under normal circumstances, each patch should be reviewed by at least two 19 | maintainers before being merged into the repository; reviewing includes both 20 | an 'Acked-by:' tag as well as the 'Signed-off-by:' tag used by the maintainer 21 | that merged the patch into the main repository. Maintainers should ACK patches 22 | using a format similar to the Linux Kernel, for example: 23 | 24 | ``` 25 | Acked-by: John Smith 26 | ``` 27 | 28 | The maintainer who merged the patch into the repository should add their 29 | sign-off after ensuring that it is correct to do so (see the documentation on 30 | submitting patches); if it is not correct for the maintainer to add their 31 | sign-off, it is likely the patch should not be merged. The maintainer should 32 | add their sign-off using the standard format at the end of the patch's 33 | metadata, for example: 34 | 35 | ``` 36 | Signed-off-by: Jane Smith 37 | ``` 38 | 39 | The maintainers are encouraged to communicate with each other for many reasons, 40 | one of which is to let the others when one is going to be unreachable for an 41 | extended period of time. If a patch is being held due to a lack of ACKs and 42 | the other maintainers are not responding after a reasonable period of time (for 43 | example, a delay of over two weeks), as long as there are no outstanding NACKs 44 | the patch can be merged with only a single review. 45 | 46 | ### Managing the GitHub Issue Tracker 47 | 48 | We use the GitHub issue tracker to track bugs, feature requests, and sometimes 49 | unanswered questions. The conventions here are intended to help distinguish 50 | between the different uses, and prioritize within those categories. 51 | 52 | Feature requests MUST have a "RFE:" prefix added to the issue name and use the 53 | "enhancement" label. Bug reports MUST a "BUG:" prefix added to the issue name 54 | and use the "bug" label. 55 | 56 | Issues CAN be additionally labeled with the "pending/info", "pending/review", 57 | and "pending/revision" labels to indicate that additional information is 58 | needed, the issue/patch is pending review, and/or the patch requires changes. 59 | 60 | ### Handling Inappropriate Community Behavior 61 | 62 | The SELinux project community is relatively small, and almost always respectful 63 | and considerate. However, it is the responsibility of the maintainers to deal 64 | with inappropriate behavior if it should occur. 65 | 66 | As mentioned above, the maintainers are encouraged to communicate with each 67 | other, and this communication is very important in this case. When 68 | inappropriate behavior is identified in the project (e.g. mailing list, GitHub, 69 | etc.) the maintainers should talk with each other as well as the responsible 70 | individual to try and correct the behavior. If the individual continues to act 71 | inappropriately the maintainers can block the individual from the project using 72 | whatever means are available. This should only be done as a last resort, and 73 | with the agreement of all the maintainers. In cases where a quick response is 74 | necessary, a maintainer can unilaterally block an individual, but the block 75 | should be reviewed by all the other maintainers soon afterwards. 76 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | ## 2 | # The SELinux Notebook 3 | # 4 | 5 | SED = sed 6 | PANDOC = pandoc 7 | # Find if Calibre ebook-convert command is installed, if so produce a 8 | # Kindle version in azw3 format 9 | EBOOK_CONVERT = $(shell whereis -b ebook-convert | cut -f 2 -d :) 10 | CWD ?= $(shell pwd) 11 | SCRIPTS = $(CWD)/scripts 12 | SRCDIR = $(CWD)/src 13 | HTMLDIR ?= $(CWD)/html 14 | PDFDIR ?= $(CWD)/pdf 15 | EPUBDIR ?= $(CWD)/epub 16 | IMAGES = $(SRCDIR)/images 17 | EXAMPLES = $(SRCDIR)/notebook-examples 18 | EXAMPLES_EPUB = $(shell echo $(EXAMPLES) | $(SED) 's;/;\\/;g') 19 | METADATA = $(SRCDIR)/metadata.yaml 20 | EXAMPLES_GITHUB = $(shell echo https://github.com/SELinuxProject/selinux-notebook/tree/main/src/notebook-examples | $(SED) 's;/;\\/;g') 21 | 22 | HTML_OUT = SELinux_Notebook.html 23 | PDF_OUT = SELinux_Notebook.pdf 24 | EPUB_OUT = SELinux_Notebook.epub 25 | AZW3_OUT = SELinux_Notebook.azw3 26 | 27 | PANDOC_OPTS = --from markdown+pipe_tables 28 | PANDOC_OPTS += -V mainfont='DejaVu Serif' -V monofont='DejaVu Sans Mono' 29 | 30 | # the individual section files, in order 31 | FILE_LIST = $(shell cat src/section_list.txt) 32 | DEP_FILE_LIST = $(addprefix src/,$(FILE_LIST)) 33 | 34 | help: 35 | @echo "targets:" 36 | @grep "^#@ " Makefile | cut -c4- 37 | 38 | #@ all build the PDF, HTML, and EPUB versions 39 | all: html pdf epub 40 | 41 | #@ navlinks update the navigation links in the markdown sources 42 | .PHONY: navlinks 43 | navlinks: 44 | for i in $(DEP_FILE_LIST); do \ 45 | file=$$(basename $$i); \ 46 | prev=$$(sed -n "/$$file/{x;p;d;}; x" src/section_list.txt); \ 47 | next=$$(sed -n "/$$file/{n;p;}" src/section_list.txt); \ 48 | sed "//q" -i $$i; \ 49 | echo "" >> $$i; \ 50 | echo "---" >> $$i; \ 51 | [[ "x$$prev" != "x" ]] && echo -n "**[[ PREV ]]($$prev)**" >> $$i; \ 52 | echo -n " **[[ TOP ]](#)** " >> $$i; \ 53 | [[ "x$$next" != "x" ]] && echo -n "**[[ NEXT ]]($$next)**" >> $$i; \ 54 | echo "" >> $$i; \ 55 | done 56 | 57 | #@ pdf build PDF version 58 | .PHONY: pdf 59 | pdf: $(DEP_FILE_LIST) $(METADATA) 60 | mkdir -p $(PDFDIR) 61 | cat $(METADATA) > $(PDFDIR)/.full_document.md 62 | cat $(SRCDIR)/cover.md | $(SCRIPTS)/macros_section.sh \ 63 | >> $(PDFDIR)/.full_document.md 64 | for i in $(DEP_FILE_LIST); do \ 65 | cat $$i | $(SCRIPTS)/macros_section.sh \ 66 | >> $(PDFDIR)/.full_document.md; \ 67 | echo '' \ 68 | >> $(PDFDIR)/.full_document.md; \ 69 | done 70 | $(SCRIPTS)/macros_doc.sh $(PDFDIR)/.full_document.md 71 | # embed the images into the PDF 72 | $(SED) -i 's/!\[].*\images/!\[]('"$(subst /,\/,./images)"'/' \ 73 | $(PDFDIR)/.full_document.md 74 | $(SED) -i 's/](.*\.md#/](#/' $(PDFDIR)/.full_document.md 75 | # remove the section file name from all HTML links 76 | $(SED) -i 's/href=.*\.md#/href="#/' $(PDFDIR)/.full_document.md 77 | # fixup path for examples, directing at the github repo 78 | $(SED) -i 's/](.\/notebook-examples/]($(EXAMPLES_GITHUB)/g' \ 79 | $(PDFDIR)/.full_document.md 80 | [ -e $(PDFDIR)/images ] || ln -s $(IMAGES) $(PDFDIR) 81 | [ -e $(PDFDIR)/notebook-examples ] || ln -s $(EXAMPLES) $(PDFDIR) 82 | (cd $(PDFDIR); $(PANDOC) --pdf-engine=weasyprint $(PANDOC_OPTS) \ 83 | --css=$(SRCDIR)/styles_pdf.css --self-contained \ 84 | $(PDFDIR)/.full_document.md -o $(PDFDIR)/$(PDF_OUT)) 85 | 86 | #@ html build HTML version 87 | .PHONY: html 88 | html: $(DEP_FILE_LIST) $(METADATA) 89 | mkdir -p $(HTMLDIR) 90 | cat $(METADATA) > $(HTMLDIR)/.full_document.md 91 | cat $(SRCDIR)/cover.md | $(SCRIPTS)/macros_section.sh \ 92 | >> $(HTMLDIR)/.full_document.md 93 | for i in $(DEP_FILE_LIST); do \ 94 | cat $$i | $(SCRIPTS)/macros_section.sh \ 95 | >> $(HTMLDIR)/.full_document.md; \ 96 | echo '' \ 97 | >> $(HTMLDIR)/.full_document.md; \ 98 | done 99 | $(SCRIPTS)/macros_doc.sh $(HTMLDIR)/.full_document.md 100 | # remove the section file name from all MD links 101 | $(SED) -i 's/](.*\.md#/](#/' $(HTMLDIR)/.full_document.md 102 | # remove the section file name from all HTML links 103 | $(SED) -i 's/href=.*\.md#/href="#/' $(HTMLDIR)/.full_document.md 104 | [ -e $(HTMLDIR)/images ] || ln -s $(IMAGES) $(HTMLDIR) 105 | [ -e $(HTMLDIR)/notebook-examples ] || ln -s $(EXAMPLES) $(HTMLDIR) 106 | (cd $(HTMLDIR); $(PANDOC) $(PANDOC_OPTS) \ 107 | --css=$(SRCDIR)/styles_html.css --self-contained \ 108 | $(HTMLDIR)/.full_document.md -o $(HTMLDIR)/$(HTML_OUT)) 109 | 110 | #@ epub build EPUB version 111 | .PHONY: epub 112 | epub: $(DEP_FILE_LIST) $(METADATA) 113 | mkdir -p $(EPUBDIR) 114 | cat $(METADATA) > $(EPUBDIR)/.full_document.md 115 | cat $(SRCDIR)/cover_epub.md | $(SCRIPTS)/macros_section.sh \ 116 | >> $(EPUBDIR)/.full_document.md 117 | for i in $(DEP_FILE_LIST); do \ 118 | cat $$i | $(SCRIPTS)/macros_section.sh \ 119 | >> $(EPUBDIR)/.full_document.md; \ 120 | echo '' \ 121 | >> $(EPUBDIR)/.full_document.md; \ 122 | done 123 | $(SCRIPTS)/macros_doc.sh $(EPUBDIR)/.full_document.md 124 | $(SED) -i 's/](.*\.md#/](#/' $(EPUBDIR)/.full_document.md 125 | # remove the section file name from all HTML links 126 | $(SED) -i 's/href=.*\.md#/href="#/' $(EPUBDIR)/.full_document.md 127 | # fixup path for examples, directing at the github repo 128 | $(SED) -i 's/](.\/notebook-examples/]($(EXAMPLES_GITHUB)/g' \ 129 | $(EPUBDIR)/.full_document.md 130 | [ -e $(EPUBDIR)/images ] || ln -s $(IMAGES) $(EPUBDIR) 131 | [ -e $(EPUBDIR)/notebook-examples ] || ln -s $(EXAMPLES) $(EPUBDIR) 132 | (cd $(EPUBDIR); $(PANDOC) $(PANDOC_OPTS) \ 133 | --epub-cover-image=$(SRCDIR)/images/selinux-penguin.png \ 134 | --css=$(SRCDIR)/styles_epub.css --self-contained \ 135 | $(EPUBDIR)/.full_document.md -o $(EPUBDIR)/$(EPUB_OUT)) 136 | # Convert to Kindle format if Calibre ebook-convert is installed 137 | [ -b $(EBOOK_CONVERT) ] || $(EBOOK_CONVERT) $(EPUBDIR)/$(EPUB_OUT) \ 138 | $(EPUBDIR)/$(AZW3_OUT) 139 | 140 | #@ clean clean any build artifacts 141 | .PHONY: clean 142 | clean: 143 | rm -rf $(HTMLDIR) $(PDFDIR) $(EPUBDIR) 144 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # The SELinux Notebook 2 | 3 | ![SELinux Logo](./src/images/selinux-penguin.png) 4 | 5 | ## Introduction 6 | 7 | The SELinux Notebook is an Open Source book on SELinux, originally created by 8 | [Richard Haines](mailto:richard_c_haines@btinternet.com) and donated to the 9 | SELinux community. The Notebook's goal is to be the most current and 10 | comprehensive book on SELinux, covering the Linux Kernel components, the 11 | userspace libraries and tools, the policy toolchain, and the policy itself. 12 | 13 | The SELinux Notebook is freely available, and contributions from the community 14 | are welcome and encouraged! 15 | 16 | * [Contribute to The SELinux Notebook](CONTRIBUTING.md) 17 | 18 | ## Viewing the Notebook Directly on GitHub 19 | 20 | The SELinux Notebook is available in many different formats, including an 21 | online format that can be viewed directly on GitHub, one section at a time, 22 | starting with the link below: 23 | 24 | * [The SELinux Notebook](src/title.md) 25 | 26 | ## Viewing the Notebook Offline 27 | 28 | While The SELinux Notebook is a living book which is constantly updated, we do 29 | occasionally make new releases with pre-built versions in a variety of formats 30 | that can be downloaded and read offline. Our release page has more 31 | information on each release, as well as the pre-built Notebooks: 32 | 33 | * https://github.com/SELinuxProject/selinux-notebook/releases 34 | 35 | ## Build Your Own SELinux Notebook 36 | 37 | The [**BUILD.md**](BUILD.md) file has more information on building HTML, PDF 38 | and EPUB versions of the notebook as well as alternate ways to view the 39 | source markdown. Note that the EPUB build will optionally produce a version 40 | suitable for viewing on a Kindle that supports the "azw3" file format. 41 | -------------------------------------------------------------------------------- /scripts/macros_doc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## 4 | # process the entire document ($1) 5 | # 6 | 7 | [[ ! -r $1 ]] && exit 1 8 | 9 | sed "s//\
\<\/div\>/g" -i $1 10 | -------------------------------------------------------------------------------- /scripts/macros_section.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## 4 | # process a single section (stdin -> stdout) 5 | # 6 | 7 | var_date="$(date "+%B %-d, %Y")" 8 | var_githead="$(git rev-parse HEAD | cut -c 1-12)" 9 | 10 | sed \ 11 | -e "//q" \ 12 | -e "s//${var_date}/g" \ 13 | -e "s//(rev ${var_githead})/g" \ 14 | -e "s//\
/g" \ 15 | -e "s//\<\/div\>/g" \ 16 | -------------------------------------------------------------------------------- /src/apache_support.md: -------------------------------------------------------------------------------- 1 | # Apache SELinux Support 2 | 3 | - [*mod_selinux* Overview](#mod_selinux-overview) 4 | - [Bounds Overview](#bounds-overview) 5 | 6 | Apache web servers are supported by SELinux using the Apache policy 7 | modules from the Reference Policy (*httpd* modules), however there is no 8 | specific Apache object manager. There is though an SELinux-aware shared 9 | library and policy that will allow finer grained access control when 10 | using Apache with threads. The additional Apache module is called 11 | *mod_selinux.so* and has a supporting policy module called *mod_selinux.pp*. 12 | 13 | ``` 14 | dnf install mod_selinux 15 | ``` 16 | 17 | The *mod_selinux* policy module makes use of the *typebounds* statement that 18 | was introduced into version 24 of the policy (requires a minimum kernel of 19 | 2.6.28). *mod_selinux* allows threads in a multi-threaded application (such 20 | as Apache) to be bound within a defined set of permissions in that the 21 | child domain cannot have greater permissions than the parent domain. 22 | 23 | These components are known as 'Apache / SELinux Plus' and are described 24 | in the sections that follow, however a full description including 25 | configuration details is available from: 26 | 27 | 28 | 29 | The objective of these Apache add-on services is to achieve a fully 30 | SELinux-aware web stack (although not there yet). For example, currently 31 | the LAPP[^fn_as_1] (Linux, Apache, PostgreSQL, PHP / Perl / Python) 32 | stack has the following support: 33 | 34 | **L** - Linux has SELinux support. 35 | 36 | **A** - Apache has partial SELinux support using the 'Apache SELinux Plus' module. 37 | 38 | **P** - PostgreSQL has SELinux support using the PostgreSQL *sepgsql* extension. 39 | 40 | **P** - PHP / Perl / Python are not currently SELinux-aware, however PHP 41 | and Python do have support for libselinux functions in packages: PHP - with 42 | the *php-pecl-selinux* package, Python - with the *libselinux-python* package. 43 | 44 | The "[A secure web application platform powered by SELinux](https://raw.githubusercontent.com/kaigai/slides/master/20090120_LCA2009_LAPP_SELINUX.pdf)" 45 | document gives a good overview of the LAPP architecture. 46 | 47 | ## *mod_selinux* Overview 48 | 49 | What the *mod_selinux* module achieves is to allow a web application 50 | (or a 'request handler') to be launched by Apache with a security 51 | context based on policy rather than that of the web server process 52 | itself, for example: 53 | 54 | 1. A user sends an HTTP request to Apache that requires the services of 55 | a web application (Apache may or may not apply HTTP authentication). 56 | 2. Apache receives the request and launches the web application 57 | instance to perform the task: 58 | - Without *mod_selinux* enabled the web applications security context 59 | is identical to the Apache web server process, it is therefore not 60 | possible to restrict it privileges. 61 | - With *mod_selinux* enabled, the web application is launched with 62 | the security context defined in the *mod_selinux.conf* file 63 | (*selinuxDomainVal \* entry). It is also 64 | possible to restrict its privileges as described in the 65 | [Bounds Overview](#bounds-overview) section. 66 | 3. The web application exits, handing control back to the web server 67 | that replies with the HTTP response. 68 | 69 | ## Bounds Overview 70 | 71 | Because multiple threads share the same memory segment, SELinux was 72 | unable to check the information flows between these different threads 73 | when using ***setcon**(3)* in pre 2.6.28 kernels. This meant that if a 74 | thread (the parent) should launch another thread (a child) with a 75 | different security context, SELinux could not enforce the different 76 | permissions. 77 | 78 | To resolve this issue the *typebounds* statement was introduced with 79 | kernel support in 2.6.28 that stops a child thread (the 'bounded domain') 80 | having greater privileges than the parent thread (the 'bounding domain') 81 | i.e. the child thread must have equal or less permissions than the parent. 82 | 83 | For example the following *typebounds* statement and *allow* rules: 84 | 85 | ``` 86 | # parent | child 87 | # domain | domain 88 | typebounds httpd_t httpd_child_t; 89 | 90 | allow httpd_t etc_t:file { getattr read }; 91 | allow httpd_child_t etc_t:file { read write }; 92 | ``` 93 | 94 | State that the parent domain (*httpd_t*) has *file : { getattr read }* 95 | permissions. However the child domain (*httpd_child_t*) has been given 96 | *file : { read write }*. At run-time, this would not be allowed by the 97 | kernel because the parent does not have *write* permission, thus 98 | ensuring the child domain will always have equal or less privileges than 99 | the parent. 100 | 101 | When ***setcon**(3)* is used to set a different context on a new thread 102 | without an associated *typebounds* policy statement, then the call will 103 | return 'Operation not permitted' and an *SELINUX_ERR* entry will be added 104 | to the audit log stating *op=security_bounded_transition result=denied* 105 | with the old and new context strings. 106 | 107 | Should there be a valid *typebounds* policy statement and the child 108 | domain exercises a privilege greater that that of the parent domain, the 109 | operation will be denied and an *SELINUX_ERR* entry will be added to 110 | the audit log stating *op=security_compute_av reason=bounds* with 111 | the context strings and the denied class and permissions. 112 | 113 | [^fn_as_1]: This is similar to the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) 114 | stack, however MySQL is not SELinux-aware. 115 | 116 | 117 | 118 | --- 119 | **[[ PREV ]](postgresql.md)** **[[ TOP ]](#)** **[[ NEXT ]](configuration_files.md)** 120 | -------------------------------------------------------------------------------- /src/bounds_rules.md: -------------------------------------------------------------------------------- 1 | # Bounds Rules 2 | 3 | - [*typebounds*](#typebounds) 4 | 5 | Bounds handling was added in version 24 of the policy and consisted of 6 | adding *userbounds*, *rolebounds* and *typebounds* information to the 7 | policy. However only the *typebounds* rule is currently implemented by 8 | ***checkpolicy**(8)* and ***checkmodule**(8)* with kernel support from 9 | 2.6.28. 10 | 11 | The CIL language does support *userbounds* and *rolebounds* but these are 12 | resolved at policy compile time, not via the kernel at run-time (i.e. they are 13 | NOT enforced by the SELinux kernel services). The 14 | [**CIL Reference Guide**](./notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) 15 | gives details. 16 | 17 | ## *typebounds* 18 | 19 | The *typebounds* rule was added in version 24 of the policy. This 20 | defines a hierarchical relationship between domains where the bounded 21 | domain cannot have more permissions than its bounding domain (the 22 | parent). It requires kernel 2.6.28 and above to control the security 23 | context associated to threads in multi-threaded applications. 24 | 25 | **The statement definition is:** 26 | 27 | ``` 28 | typebounds bounding_domain bounded_domain; 29 | ``` 30 | 31 | **Where:** 32 | 33 | *typebound* 34 | 35 | The *typebounds* keyword. 36 | 37 | *bounding_domain* 38 | 39 | The *type* or *typealias* identifier of the parent domain. 40 | 41 | *bounded_domain* 42 | 43 | One or more *type* or *typealias* identifiers of the child domains. 44 | Multiple entries consist of a comma ',' separated list. 45 | 46 | **The statement is valid in:** 47 | 48 | Policy Type 49 | 50 | | Monolithic Policy | Base Policy | Module Policy | 51 | | ----------------------- | ----------------------- | ----------------------- | 52 | | Yes | Yes | Yes | 53 | 54 | Conditional Policy Statements 55 | 56 | | *if* Statement | *optional* Statement | *require* Statement | 57 | | ----------------------- | ----------------------- | ----------------------- | 58 | | No | Yes | No | 59 | 60 | **Example:** 61 | 62 | ``` 63 | # This example states that: 64 | # The httpd_child_t cannot have file:{write} due to lack of permissions 65 | # on httpd_t which is the parent. It means the child domains will always 66 | # have equal or less privileges than the parent. 67 | 68 | # The typebounds statement: 69 | typebounds httpd_t httpd_child_t; 70 | 71 | # The parent is allowed file 'getattr' and 'read': 72 | allow httpd_t etc_t : file { getattr read }; 73 | 74 | # However the child process has been given 'write' access that 75 | # will not be allowed by the kernel SELinux security server. 76 | allow httpd_child_t etc_t : file { read write }; 77 | ``` 78 | 79 | 80 | 81 | --- 82 | **[[ PREV ]](type_statements.md)** **[[ TOP ]](#)** **[[ NEXT ]](avc_rules.md)** 83 | -------------------------------------------------------------------------------- /src/cil_overview.md: -------------------------------------------------------------------------------- 1 | # CIL Overview 2 | 3 | The CIL language statements are not included in the SELinux Notebook as they 4 | have been documented within the CIL compiler source, available at: 5 | 6 | 7 | 8 | A PDF version is included in this documentation: 9 | [**CIL Reference Guide**](./notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) 10 | 11 | The CIL compiler source can be found at: 12 | within the *secilc* and 13 | *libsepol* sections and can be cloned via: 14 | - *git clone https://github.com/SELinuxProject/selinux.git* 15 | 16 | While the CIL design web pages give the main objectives of CIL, from a 17 | language perspective it will: 18 | 19 | - Apply name and usage consistency to the current kernel language 20 | statements. For example the kernel language uses *attribute* and 21 | *attribute_role* to declare identifiers, whereas CIL uses 22 | *typeattribute* and *roleattribute*. Also statements to associate 23 | types or roles have been made consistent and enhanced to allow 24 | expressions to be defined. Some examples are: 25 | 26 | | Kernel | CIL | 27 | | ---------------- | ------------------ | 28 | | *attribute* | *typeattribute* | 29 | | *typeattribute* | *typeattributeset* | 30 | | *attribute_role* | *roleattribute* | 31 | | *roleattribute* | *roleattributeset* | 32 | | *allow* | *allow* | 33 | | *allow* (role) | *roleallow* | 34 | | *dominance* | *sensitivityorder* | 35 | 36 | - Additional CIL statements have been defined to enhance 37 | functionality: 38 | - *classpermission* - Declare a *classpermissionset* identifier. 39 | - *classpermissionset* - Associate class / permissions also supporting 40 | expressions. 41 | - *classmap* / *classmapping* - Statements to support declaration and 42 | association of multiple *classpermissionset*'s. Useful when defining an 43 | *allow* rule with multiple class/permissions. 44 | - *context* - Statement to declare security context. 45 | - Allow named and anonymous definitions to be supported. 46 | - Support namespace features allowing policy modules to be defined 47 | within blocks with inheritance and template features. 48 | - Remove the order dependency in that policy statements can be 49 | anywhere within the source (i.e. remove dependency of class, sid 50 | etc. being within a base module). 51 | - Able to define macros and calls that will remove any dependency on 52 | M4 macro support. 53 | - Directly generate the binary policy file and other configuration 54 | files - currently the *file_contexts* file. 55 | - Support transformation services such as delete, transform and 56 | inherit with exceptions. 57 | 58 | An simple CIL policy is as follows: 59 | 60 | ``` 61 | ; These CIL statements declare a user, role, type and range of: 62 | ; unconfined.user:unconfined.role:unconfined.process:s0-s0 63 | ; 64 | ; A CIL policy requires at least one 'allow' rule and sid to be declared 65 | ; before a policy will build. 66 | ; 67 | (handleunknown allow) 68 | (mls true) 69 | (policycap open_perms) 70 | (category c0) 71 | (categoryorder (c0)) 72 | (sensitivity s0) 73 | (sensitivityorder (s0)) 74 | (sensitivitycategory s0 (c0)) 75 | (level systemLow (s0)) 76 | (levelrange low_low (systemLow systemLow)) 77 | (sid kernel) 78 | (sidorder (kernel)) 79 | (sidcontext kernel unconfined.sid_context) 80 | (classorder (file)) 81 | (class file (read write open getattr)) 82 | 83 | ; Define object_r role. This must be assigned in CIL. 84 | (role object_r) 85 | 86 | ; The unconfined namespace: 87 | (block unconfined 88 | (user user) 89 | (userrange user (systemLow systemLow)) 90 | (userlevel user systemLow) 91 | (userrole user role) 92 | (role role) 93 | (type process) 94 | (roletype object_r process) 95 | (roletype role process) 96 | 97 | ; Define a SID context: 98 | (context sid_context (user role process low_low)) 99 | 100 | (type object) 101 | (roletype object_r object) 102 | 103 | ; An allow rule: 104 | (allow process object (file (read))) 105 | ) 106 | ``` 107 | 108 | For more complex CIL policy example, look at 109 | 110 | There is a CIL policy in the Notebook examples with a utility 111 | that will produce a base policy in either the kernel policy language or 112 | CIL (*notebook-tools/build-sepolicy*). The only requirement is that the 113 | *initial_sids*, *security_classes* and *access_vectors* files from 114 | the Reference policy are required, although the Fedora 31 versions are 115 | supplied in the *notebook-examples/selinux-policy/flask-files* directory. 116 | 117 | An example output: 118 | [**CIL policy**](./notebook-examples/selinux-policy/cil/cil-nb-policy.txt) 119 | 120 | ``` 121 | Usage: build-sepolicy [-k] [-M] [-c|-p|-s] -d flask_directory -o output_file 122 | -k Output kernel classes only. 123 | -M Output an MLS policy. 124 | -c Output a policy in CIL language (else generate kernel policy language policy). 125 | -p Output a file containing class and classpermissionsets + their order for use by CIL policies. 126 | -s Output a file containing initial SIDs + their order for use by CIL policies. 127 | -d Directory containing the initial_sids, security_classes and access_vectors Flask files. 128 | -o The output file that will contain the policy source or header file. 129 | ``` 130 | There is another CIL policy in the notebook examples called 131 | "cil-policy" that takes a slightly different approach where the goal 132 | is to keep the policy as simple as possible. It requires *semodule*, 133 | Linux 5.7, SELinux 3.1 and can be installed by executing 134 | *make install*. It leverages some modern SELinux features, most 135 | notably where the requirement for ordered security classes is lifted. 136 | With this you are no longer expected to be aware of all the access 137 | vectors managed by Linux in order to align your security class 138 | declarations with the order in which they are declared in the kernel. 139 | A module store is created by *semodule* to give easy access to the 140 | source and that allows for full control over the policy. 141 | 142 | 143 | 144 | --- 145 | **[[ PREV ]](policy_languages.md)** **[[ TOP ]](#)** **[[ NEXT ]](kernel_policy_language.md)** 146 | -------------------------------------------------------------------------------- /src/class_permission_statements.md: -------------------------------------------------------------------------------- 1 | # Object Class and Permission Statements 2 | 3 | - [*class* (1)](#class-1) 4 | - [Associating Permissions to a Class](#associating-permissions-to-a-class) 5 | - [*common*](#common) 6 | - [*class* (2)](#class-2) 7 | 8 | For those who write or manager SELinux policy, there is no need to 9 | define new objects and their associated permissions as these would be 10 | done by those who actually design and/or write object managers. 11 | 12 | A list of object classes used by the [**Reference 13 | Policy**](https://github.com/SELinuxProject/refpolicy) can be found in the 14 | [*./policy/flask/security\_classes*](https://github.com/SELinuxProject/refpolicy/tree/master/policy/flask/security_classes) 15 | file. 16 | 17 | There are two variants of the *class* statement for writing policy: 18 | 19 | 1. There is the *class* statement that declares the actual class 20 | identifier or name. 21 | 2. There is a further refinement of the *class* statement that 22 | associates permissions to the class as discussed in the 23 | [**Associating Permissions to a Class**](#associating-permissions-to-a-class) 24 | section. 25 | 26 | ## *class* (1) 27 | 28 | Object classes are declared within a policy with the following statement 29 | definition: 30 | 31 | ``` 32 | class class_id 33 | ``` 34 | 35 | **Where:** 36 | 37 | *class* 38 | 39 | The *class* keyword. 40 | 41 | *class_id* 42 | 43 | The *class* identifier. 44 | 45 | **The statement is valid in:** 46 | 47 | Policy Type 48 | 49 | | Monolithic Policy | Base Policy | Module Policy | 50 | | ----------------------- | ----------------------- | ----------------------- | 51 | | Yes | Yes | No | 52 | 53 | Conditional Policy Statements 54 | 55 | | *if* Statement | *optional* Statement | *require* Statement | 56 | | ----------------------- | ----------------------- | ----------------------- | 57 | | No | No | Yes | 58 | 59 | **Example:** 60 | 61 | ``` 62 | # Define the PostgreSQL db_tuple object class 63 | # 64 | class db_tuple 65 | ``` 66 | 67 | ### Associating Permissions to a Class 68 | 69 | Permissions can be defined within policy in two ways: 70 | 71 | 1. Define a set of common permissions that can then be inherited by one 72 | or more object classes using further *class* statements. 73 | 2. Define *class* specific permissions. This is where permissions are 74 | declared for a specific object class only (i.e. the permission is 75 | not inherited by any other object class). 76 | 77 | A list of classes and their permissions used by the [**Reference 78 | Policy**](https://github.com/SELinuxProject/refpolicy) can be found in 79 | the 80 | [*./policy/flask/access\_vectors*](https://github.com/SELinuxProject/refpolicy/tree/master/policy/flask/access_vectors) 81 | file. 82 | 83 | ## *common* 84 | 85 | Declare a *common* identifier and associate one or more *common* permissions. 86 | 87 | The statement definition is: 88 | 89 | ``` 90 | common common_id { perm_set } 91 | ``` 92 | 93 | **Where:** 94 | 95 | *common* 96 | 97 | The *common* keyword. 98 | 99 | *common_id* 100 | 101 | The *common* identifier. 102 | 103 | *perm_set* 104 | 105 | One or more permission identifiers in a space separated list enclosed within 106 | braces \'\{\}\'. 107 | 108 | **The statement is valid in:** 109 | 110 | Policy Type 111 | 112 | | Monolithic Policy | Base Policy | Module Policy | 113 | | ----------------------- | ----------------------- | ----------------------- | 114 | | Yes | Yes | No | 115 | 116 | Conditional Policy Statements 117 | 118 | | *if* Statement | *optional* Statement | *require* Statement | 119 | | ----------------------- | ----------------------- | ----------------------- | 120 | | No | No | No | 121 | 122 | **Example:** 123 | 124 | ``` 125 | # Define the common PostgreSQL permissions 126 | 127 | common database { create drop getattr setattr relabelfrom relabelto } 128 | ``` 129 | 130 | ## *class* (2) 131 | 132 | Inherit and / or associate permissions to a previously declared *class* 133 | identifier. 134 | 135 | **The statement definition is:** 136 | 137 | ``` 138 | class class_id [ inherits common_set ] [ { perm_set } ] 139 | ``` 140 | 141 | **Where:** 142 | 143 | *class* 144 | 145 | The *class* keyword. 146 | 147 | *class_id* 148 | 149 | The previously declared *class* identifier. 150 | 151 | *inherits* 152 | 153 | The optional *inherits* keyword that allows a set of common permissions to be 154 | inherited. 155 | 156 | *common_set* 157 | 158 | A previously declared *common* identifier. 159 | 160 | *perm_set* 161 | 162 | One or more optional permission identifiers in a space separated list enclosed 163 | within braces \'\{\}\'. 164 | 165 | Note: There must be at least one *common_set* or one *perm_set* defined within 166 | the statement. 167 | 168 | **The statement is valid in:** 169 | 170 | Policy Type 171 | 172 | | Monolithic Policy | Base Policy | Module Policy | 173 | | ----------------------- | ----------------------- | ----------------------- | 174 | | Yes | Yes | No | 175 | 176 | Conditional Policy Statements 177 | 178 | | *if* Statement | *optional* Statement | *require* Statement | 179 | | ----------------------- | ----------------------- | ----------------------- | 180 | | No | No | Yes | 181 | 182 | **Examples:** 183 | 184 | ``` 185 | # The following example shows the db_tuple object class being 186 | # allocated two permissions: 187 | 188 | class db_tuple { relabelfrom relabelto } 189 | ``` 190 | 191 | ``` 192 | # The following example shows the db_blob object class inheriting 193 | # permissions from the database set of common permissions (as described 194 | # in the Associating Permissions to a Class section): 195 | 196 | class db_blob inherits database 197 | ``` 198 | 199 | ``` 200 | # The following example (from the access_vector file) shows the 201 | # db_blob object class inheriting permissions from the database 202 | # set of common permissions and adding a further four permissions: 203 | 204 | class db_blob inherits database { read write import export } 205 | ``` 206 | 207 | 208 | 209 | --- 210 | **[[ PREV ]](xperm_rules.md)** **[[ TOP ]](#)** **[[ NEXT ]](conditional_statements.md)** 211 | -------------------------------------------------------------------------------- /src/computing_access_decisions.md: -------------------------------------------------------------------------------- 1 | # Computing Access Decisions 2 | 3 | There are a number of ways to compute access decisions within userspace 4 | SELinux-aware applications or object managers: 5 | 6 | 1. Use of the ***selinux_check_access**(3)* function is the 7 | recommended option. This utilises the AVC services discussed in 8 | bullet 3 in a single call that: 9 | - Dynamically resolves class and permissions strings to their 10 | class/permission values using ***string_to_security_class**(3)* 11 | and ***string_to_av_perm**(3)* with 12 | ***security_deny_unknown**(3)* to handle unknown 13 | classes/permissions. 14 | - Uses ***avc_has_perm**(3)* to check whether the decision is cached 15 | before calling ***security_compute_av_flags**(3)* (and caching 16 | the result), checks enforcing mode (both global and per-domain 17 | (permissive)), and logs any denials (there is also an option to add 18 | supplemental auditing information that is handled as described in 19 | ***avc_audit**(3)*. 20 | 2. Use functions that do not cache access decisions (i.e. they do not 21 | use the *libselinux* AVC services). These require a call to the 22 | kernel for every decision using ***security_compute_av**(3)* or 23 | ***security_compute_av_flags**(3)*. The ***avc_netlink_\***(3)* 24 | functions can be used to detect policy change events. Auditing would 25 | need to be implemented if required. 26 | 3. Use functions that utilise the *libselinux* userspace AVC services 27 | that are initialised with ***avc_open**(3)*. These can be built in 28 | various configurations such as: 29 | - Using the default single threaded mode where ***avc_has_perm**(3)* 30 | will automatically cache entries, audit the decision and manage 31 | the handling of policy change events. 32 | - Implementing threads or a similar service that will handle policy 33 | change events and auditing in real time with 34 | ***avc_has_perm**(3)* or ***avc_has_perm_noaudit**(3)* 35 | handling decisions and caching. This has the advantage of better 36 | performance, which can be further increased by caching the entry 37 | reference. 38 | 4. Implement custom caching services with 39 | ***security_compute_av**(3)* or 40 | ***security_compute_av_flags**(3)* for computing access 41 | decisions. The ***avc_netlink_\***(3)* functions can then be used to 42 | detect policy change events. Auditing would need to be implemented 43 | if required. 44 | 45 | Where performance is important when making policy decisions, then the 46 | ***selinux_status_open**(3)*, ***selinux_status_updated**(3)*, 47 | ***selinux_status_getenforce**(3)*, 48 | ***selinux_status_policyload**(3)* and ***selinux_status_close**(3)* 49 | functions could be used to detect policy updates etc. as these do not 50 | require kernel system call over-heads once set up. Note that these 51 | functions are only available from *libselinux* 2.0.99, with Linux kernel 52 | 2.6.37 and above. 53 | 54 | 55 | 56 | --- 57 | **[[ PREV ]](computing_security_contexts.md)** **[[ TOP ]](#)** **[[ NEXT ]](domain_object_transitions.md)** 58 | -------------------------------------------------------------------------------- /src/conditional_statements.md: -------------------------------------------------------------------------------- 1 | # Conditional Policy Statements 2 | 3 | - [*if*](#if) 4 | - [*bool*](#bool) 5 | 6 | Conditional policies consist of a bool statement that defines a 7 | condition as *true* or *false*, with a supporting *if* / *else* construct that 8 | specifies what rules are valid under the condition as shown in the 9 | example below: 10 | 11 | ``` 12 | bool allow_daemons_use_tty true; 13 | 14 | if (allow_daemons_use_tty) { 15 | # Rules if condition is true; 16 | } else { 17 | # Rules if condition is false; 18 | } 19 | ``` 20 | 21 | [**Table 3** in the 'Kernel Policy Language'](kernel_policy_language.md#kernel-policy-language) 22 | section shows what policy statements or rules are valid within the 23 | *if* / *else* construct under the "Conditional Statements" column. 24 | 25 | The *bool* statement default value can be changed when a policy is active 26 | by using the ***setsebool**(3)* command as follows: 27 | 28 | ``` 29 | # This command will set the allow_daemons_use_tty bool to false, 30 | # however it will only remain false until the next system 31 | # re-boot where it will then revert back to its default state 32 | # (in the above case, this would be true). 33 | 34 | setsebool allow_daemons_use_tty false 35 | ``` 36 | 37 | ``` 38 | # This command will set the allow_daemons_use_tty bool to false, 39 | # and because the -P option is used (for persistent), the value 40 | # will remain across system re-boots. Note however that all 41 | # other pending bool values will become persistent across 42 | # re-boots as well (see setsebool(8) man page). 43 | 44 | setsebool -P allow_daemons_use_tty false 45 | ``` 46 | 47 | The ***getsebool**(3)* command can be used to query the current *bool* statement 48 | value as follows: 49 | 50 | ``` 51 | # This command will list all bool values in the active policy: 52 | getsebool -a 53 | ``` 54 | 55 | ``` 56 | # This command will show the current allow_daemons_use_tty bool 57 | # value in the active policy: 58 | 59 | getsebool allow_daemons_use_tty 60 | ``` 61 | 62 | ## *bool* 63 | 64 | The *bool* statement is used to specify a boolean identifier and its 65 | initial state (*true* or *false*) that can then be used with the 66 | *if* statement to form a 'conditional policy' as described in the 67 | [Types of SELinux Policy](types_of_policy.md#conditional-policy) section. 68 | 69 | **The statement definition is:** 70 | 71 | ``` 72 | bool bool_id default_value; 73 | ``` 74 | 75 | **Where:** 76 | 77 | *bool* 78 | 79 | The *bool* keyword. 80 | 81 | *bool_id* 82 | 83 | The boolean identifier. 84 | 85 | *default_value* 86 | 87 | Either true or false. 88 | 89 | **The statement is valid in:** 90 | 91 | Policy Type 92 | 93 | | Monolithic Policy | Base Policy | Module Policy | 94 | | ----------------------- | ----------------------- | ----------------------- | 95 | | Yes | Yes | Yes | 96 | 97 | Conditional Policy Statements 98 | 99 | | *if* Statement | *optional* Statement | *require* Statement | 100 | | ----------------------- | ----------------------- | ----------------------- | 101 | | No | Yes | Yes | 102 | 103 | **Examples:** 104 | 105 | ``` 106 | # Using the bool statement to allow unconfined executables to 107 | # make their memory heap executable or not. As the value is 108 | # false, then by default they cannot make their heap executable. 109 | 110 | bool allow_execheap false; 111 | ``` 112 | 113 | ``` 114 | # Using the bool statement to allow unconfined executables to 115 | # make their stack executable or not. As the value is true, 116 | # then by default their stacks are executable. 117 | 118 | bool allow_execstack true; 119 | ``` 120 | 121 | ## *if* 122 | 123 | The if statement is used to form a 'conditional block' of statements and 124 | rules that are enforced depending on whether one or more boolean 125 | identifiers evaluate to *TRUE* or *FALSE*. An *if* / *else* 126 | construct is also supported. 127 | 128 | The only statements and rules allowed within the *if* / *else* construct 129 | are: 130 | 131 | *allow*, *auditallow*, *auditdeny*, *dontaudit*, *type_member*, *type_transition* 132 | (except *file_name_transition*), *type_change* and *require*. 133 | 134 | **The statement definition is:** 135 | 136 | ``` 137 | if (conditional_expression) { true_list } [ else { false_list } ] 138 | ``` 139 | 140 | **Where:** 141 | 142 | *if* 143 | 144 | The *if* keyword. 145 | 146 | *conditional_expression* 147 | 148 | One or more *bool_name* identifiers that have been previously defined by the 149 | *bool* Statement. Multiple identifiers must be separated by the following 150 | logical operators: &&, ¦¦, ^, !, ==, !=. 151 | The *conditional_expression* is enclosed in brackets \'\(\)\'. 152 | 153 | *true_list* 154 | 155 | A list of rules enclosed within braces \'\{\}\' that will be executed when the 156 | *conditional_expression* is 'true'. 157 | Valid statements and rules are highlighted within each language definition 158 | statement. 159 | 160 | *else* 161 | 162 | Optional *else* keyword. 163 | 164 | *false_list* 165 | 166 | A list of rules enclosed within braces \'\{\}\' that will be executed when the 167 | optional *else* keyword is present and the *conditional_expression* is *false*. 168 | Valid statements and rules are highlighted within each language definition 169 | statement. 170 | 171 | **The statement is valid in:** 172 | 173 | Policy Type 174 | 175 | | Monolithic Policy | Base Policy | Module Policy | 176 | | ----------------------- | ----------------------- | ----------------------- | 177 | | Yes | Yes | Yes | 178 | 179 | Conditional Policy Statements 180 | 181 | | *if* Statement | *optional* Statement | *require* Statement | 182 | | ----------------------- | ----------------------- | ----------------------- | 183 | | No | Yes | No | 184 | 185 | **Examples:** 186 | 187 | ``` 188 | # An example showing a boolean and supporting if statement. 189 | bool allow_execmem false; 190 | ``` 191 | 192 | ``` 193 | # The bool allow_execmem is FALSE therefore the allow statement is not executed: 194 | 195 | if (allow_execmem) { 196 | allow sysadm_t self:process execmem; 197 | 198 | } 199 | ``` 200 | 201 | ``` 202 | # An example showing two booleans and a supporting if statement. 203 | 204 | bool allow_execmem false; 205 | bool allow_execstack true; 206 | 207 | # The bool allow_execmem is FALSE and allow_execstack is TRUE 208 | # therefore the allow statement is not executed: 209 | 210 | if (allow_execmem && allow_execstack) { 211 | allow sysadm_t self:process execstack; 212 | 213 | } 214 | ``` 215 | 216 | ``` 217 | # An example of an IF - ELSE statement where the bool statement 218 | # is FALSE, therefore the ELSE statements will be executed. 219 | # 220 | 221 | bool read_untrusted_content false; 222 | 223 | if (read_untrusted_content) { 224 | allow sysadm_t { sysadm_untrusted_content_t sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl }; 225 | ..... 226 | 227 | } else { 228 | dontaudit sysadm_t { sysadm_untrusted_content_t 229 | sysadm_untrusted_content_tmp_t }:dir { getattr search read lock ioctl }; 230 | ... 231 | } 232 | ``` 233 | 234 | 235 | 236 | --- 237 | **[[ PREV ]](class_permission_statements.md)** **[[ TOP ]](#)** **[[ NEXT ]](constraint_statements.md)** 238 | -------------------------------------------------------------------------------- /src/cover.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # The SELinux Notebook 5 | 6 | 7 | 8 | ![](./images/selinux-penguin.png) 9 | 10 | 11 | **** 12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /src/cover_epub.md: -------------------------------------------------------------------------------- 1 | **** 2 | 3 | -------------------------------------------------------------------------------- /src/debug_policy_hints.md: -------------------------------------------------------------------------------- 1 | # Appendix D - Debugging Policy - Hints and Tips 2 | 3 | I'm sure there is more to add here !!! 4 | 5 | 6 | 7 | --- 8 | **[[ PREV ]](selinux_cmds.md)** **[[ TOP ]](#)** **[[ NEXT ]](policy_validation_example.md)** 9 | -------------------------------------------------------------------------------- /src/images/1-core.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/1-core.odt -------------------------------------------------------------------------------- /src/images/1-core.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/1-core.png -------------------------------------------------------------------------------- /src/images/10-fork.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/10-fork.odt -------------------------------------------------------------------------------- /src/images/10-fork.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/10-fork.png -------------------------------------------------------------------------------- /src/images/11-transition.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/11-transition.odt -------------------------------------------------------------------------------- /src/images/11-transition.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/11-transition.png -------------------------------------------------------------------------------- /src/images/12-lsm-selinux-arch.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/12-lsm-selinux-arch.odt -------------------------------------------------------------------------------- /src/images/12-lsm-selinux-arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/12-lsm-selinux-arch.png -------------------------------------------------------------------------------- /src/images/13-secmark.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/13-secmark.odt -------------------------------------------------------------------------------- /src/images/13-secmark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/13-secmark.png -------------------------------------------------------------------------------- /src/images/14-fallback.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/14-fallback.odt -------------------------------------------------------------------------------- /src/images/14-fallback.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/14-fallback.png -------------------------------------------------------------------------------- /src/images/15-mls1.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/15-mls1.odt -------------------------------------------------------------------------------- /src/images/15-mls1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/15-mls1.png -------------------------------------------------------------------------------- /src/images/16-mls2.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/16-mls2.odt -------------------------------------------------------------------------------- /src/images/16-mls2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/16-mls2.png -------------------------------------------------------------------------------- /src/images/17-ipsec.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/17-ipsec.odt -------------------------------------------------------------------------------- /src/images/17-ipsec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/17-ipsec.png -------------------------------------------------------------------------------- /src/images/18-kvm.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/18-kvm.odt -------------------------------------------------------------------------------- /src/images/18-kvm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/18-kvm.png -------------------------------------------------------------------------------- /src/images/19-shareable.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/19-shareable.odt -------------------------------------------------------------------------------- /src/images/19-shareable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/19-shareable.png -------------------------------------------------------------------------------- /src/images/2-high-level-arch.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/2-high-level-arch.odt -------------------------------------------------------------------------------- /src/images/2-high-level-arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/2-high-level-arch.png -------------------------------------------------------------------------------- /src/images/20-clone.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/20-clone.odt -------------------------------------------------------------------------------- /src/images/20-clone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/20-clone.png -------------------------------------------------------------------------------- /src/images/21-error.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/21-error.odt -------------------------------------------------------------------------------- /src/images/21-error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/21-error.png -------------------------------------------------------------------------------- /src/images/22-xen.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/22-xen.odt -------------------------------------------------------------------------------- /src/images/22-xen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/22-xen.png -------------------------------------------------------------------------------- /src/images/23-x-server.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/23-x-server.odt -------------------------------------------------------------------------------- /src/images/23-x-server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/23-x-server.png -------------------------------------------------------------------------------- /src/images/24-database-table.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/24-database-table.odt -------------------------------------------------------------------------------- /src/images/24a-sepostgresql.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/24a-sepostgresql.odt -------------------------------------------------------------------------------- /src/images/24a-sepostgresql.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/24a-sepostgresql.png -------------------------------------------------------------------------------- /src/images/25-file_contexts.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/25-file_contexts.odt -------------------------------------------------------------------------------- /src/images/25-file_contexts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/25-file_contexts.png -------------------------------------------------------------------------------- /src/images/26-ref-policy.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/26-ref-policy.odt -------------------------------------------------------------------------------- /src/images/26-ref-policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/26-ref-policy.png -------------------------------------------------------------------------------- /src/images/27-ref-doc.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/27-ref-doc.odt -------------------------------------------------------------------------------- /src/images/27-ref-doc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/27-ref-doc.png -------------------------------------------------------------------------------- /src/images/28-mod-expand-1.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/28-mod-expand-1.odt -------------------------------------------------------------------------------- /src/images/28-mod-expand-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/28-mod-expand-1.png -------------------------------------------------------------------------------- /src/images/29-mod-expand-2.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/29-mod-expand-2.odt -------------------------------------------------------------------------------- /src/images/29-mod-expand-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/29-mod-expand-2.png -------------------------------------------------------------------------------- /src/images/3-processing-call.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/3-processing-call.odt -------------------------------------------------------------------------------- /src/images/3-processing-call.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/3-processing-call.png -------------------------------------------------------------------------------- /src/images/4-RBAC.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/4-RBAC.odt -------------------------------------------------------------------------------- /src/images/4-RBAC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/4-RBAC.png -------------------------------------------------------------------------------- /src/images/5-object-class.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/5-object-class.odt -------------------------------------------------------------------------------- /src/images/5-object-class.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/5-object-class.png -------------------------------------------------------------------------------- /src/images/6-allow-rule.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/6-allow-rule.odt -------------------------------------------------------------------------------- /src/images/6-allow-rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/6-allow-rule.png -------------------------------------------------------------------------------- /src/images/7-domain-transition.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/7-domain-transition.odt -------------------------------------------------------------------------------- /src/images/7-domain-transition.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/7-domain-transition.png -------------------------------------------------------------------------------- /src/images/8-security-levels.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/8-security-levels.odt -------------------------------------------------------------------------------- /src/images/8-security-levels.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/8-security-levels.png -------------------------------------------------------------------------------- /src/images/9-mls-constrain.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/9-mls-constrain.odt -------------------------------------------------------------------------------- /src/images/9-mls-constrain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/9-mls-constrain.png -------------------------------------------------------------------------------- /src/images/selinux-penguin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/images/selinux-penguin.png -------------------------------------------------------------------------------- /src/infiniband_statements.md: -------------------------------------------------------------------------------- 1 | # InfiniBand Labeling Statements 2 | 3 | - [*ibpkeycon*](#ibpkeycon) 4 | - [*ibendportcon*](#ibendportcon) 5 | 6 | To support access control for InfiniBand (IB) partitions and subnet 7 | management, security contexts are provided for: Partition Keys (Pkey) 8 | that are 16 bit numbers assigned to subnets and their IB end ports. An 9 | overview of the SELinux IB implementation can be found at: 10 | . 11 | 12 | Note that there are no terminating semi-colons ';' on these statements. 13 | 14 | ## *ibpkeycon* 15 | 16 | The *ibpkeycon* statement is used to label IB partition keys. 17 | 18 | It is also possible to add a security context to partition keys outside 19 | the policy using the *semanage ibpkey* command that will associate the 20 | *pkey* (or range of pkeys) to a security context. 21 | 22 | **The statement definition is:** 23 | 24 | ``` 25 | ibpkeycon subnet pkey pkey_context 26 | ``` 27 | 28 | **Where:** 29 | 30 | *ibpkeycon* 31 | 32 | The *ibpkeycon* keyword. 33 | 34 | *subnet* 35 | 36 | IP address in IPv6 format. 37 | 38 | *pkey* 39 | 40 | Partition key number or range. The range is separated by a hyphen \'\-\'. 41 | 42 | *pkey_context* 43 | 44 | The security context for the pkey(s). 45 | 46 | **The statement is valid in:** 47 | 48 | Policy Type 49 | 50 | | Monolithic Policy | Base Policy | Module Policy | 51 | | ----------------------- | ----------------------- | ----------------------- | 52 | | Yes | Yes | Yes | 53 | 54 | Conditional Policy Statements 55 | 56 | | *if* Statement | *optional* Statement | *require* Statement | 57 | | ----------------------- | ----------------------- | ----------------------- | 58 | | No | No | No | 59 | 60 | **Examples:** 61 | 62 | ``` 63 | ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0 64 | ibpkeycon fe80:: 0-0x10 system_u:object_r:public_ibpkey_t:s0 65 | ``` 66 | 67 | ***semanage**(8)* **Command example:** 68 | 69 | ``` 70 | semanage ibpkey -a -t default_ibpkey_t -x fe80:: 0xFFFF 71 | ``` 72 | 73 | The above command will produce the following file: 74 | */var/lib/selinux/\/active/ibpkeys.local* 75 | in the default *\* policy store and then activate the policy: 76 | 77 | ``` 78 | # This file is auto-generated by libsemanage 79 | # Do not edit directly. 80 | 81 | ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0 82 | ``` 83 | 84 | ## *ibendportcon* 85 | 86 | The *ibendportcon* statement is used to label IB end ports. 87 | 88 | It is also possible to add a security context to ports outside the 89 | policy using the *semanage ibendport* command that will associate the 90 | end port to a security context. 91 | 92 | **The statement definition is:** 93 | 94 | ``` 95 | ibendportcon device_id port_number port_context 96 | ``` 97 | 98 | **Where:** 99 | 100 | *ibendportcon* 101 | 102 | The *ibendportcon* keyword. 103 | 104 | *device_id* 105 | 106 | Device name 107 | 108 | *port_number* 109 | 110 | Single port number. 111 | 112 | *port_context* 113 | 114 | The security context for the port. 115 | 116 | **The statement is valid in:** 117 | 118 | Policy Type 119 | 120 | | Monolithic Policy | Base Policy | Module Policy | 121 | | ----------------------- | ----------------------- | ----------------------- | 122 | | Yes | Yes | Yes | 123 | 124 | Conditional Policy Statements 125 | 126 | | *if* Statement | *optional* Statement | *require* Statement | 127 | | ----------------------- | ----------------------- | ----------------------- | 128 | | No | No | No | 129 | 130 | **Examples:** 131 | 132 | ``` 133 | ibendportcon mlx4_0 2 system_u:object_r:opensm_ibendport_t:s0 134 | ibendportcon mlx5_0 1 system_u:object_r:opensm_ibendport_t:s0 135 | ``` 136 | 137 | ***semanage**(8)* **Command example:** 138 | 139 | ``` 140 | semanage ibendport -a -t opensm_ibendport_t -z mlx4_0 2 141 | ``` 142 | 143 | This command will produce the following file 144 | */var/lib/selinux/\/active/ibendports.local* in the default 145 | *\* policy store and then activate the policy: 146 | 147 | ``` 148 | # This file is auto-generated by libsemanage 149 | # Do not edit directly. 150 | 151 | ibendportcon mlx4_0 2 system_u:object_r:opensm_ibendport_t:s0 152 | ``` 153 | 154 | 155 | 156 | --- 157 | **[[ PREV ]](network_statements.md)** **[[ TOP ]](#)** **[[ NEXT ]](xen_statements.md)** 158 | -------------------------------------------------------------------------------- /src/mac.md: -------------------------------------------------------------------------------- 1 | # Mandatory Access Control 2 | 3 | Mandatory Access Control (MAC) is a type of access control in which the 4 | operating system is used to constrain a user or process (the subject) 5 | from accessing or performing an operation on an object (such as a file, 6 | disk, memory etc.). 7 | 8 | Each of the subjects and objects have a set of security attributes that 9 | can be interrogated by the operating system to check if the requested 10 | operation can be performed or not. For SELinux the: 11 | 12 | - [**subjects**](subjects.md#subjects) are processes. 13 | - [**objects**](objects.md#objects) are system resources such as files, 14 | sockets, etc. 15 | - security attributes are the [**security context**](security_context.md#security-context). 16 | - Security Server within the Linux kernel authorizes access (or not) 17 | using the security policy (or policy) that describes rules that must 18 | be enforced. 19 | 20 | Note that the subject (and therefore the user) cannot decide to bypass 21 | the policy rules being enforced by the MAC policy with SELinux enabled. 22 | Contrast this to standard Linux Discretionary Access Control (DAC), 23 | which also governs the ability of subjects to access objects, however it 24 | allows users to make policy decisions. The steps in the decision making 25 | chain for DAC and MAC are shown in **Figure 3**. 26 | 27 | ![](./images/3-processing-call.png) 28 | 29 | **Figure 3: Processing a System Call** - *The DAC checks are carried out 30 | first, if they pass then the Security Server is consulted for a decision.* 31 | 32 | SELinux supports two forms of MAC: 33 | 34 | **Type Enforcement** - Where processes run in domains and the actions on 35 | objects are controlled by policy. This is the implementation used for 36 | general purpose MAC within SELinux along with Role Based Access Control. 37 | The [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) and 38 | [**Role Based Access Control**](rbac.md#role-based-access-control) sections 39 | covers these in more detail. 40 | 41 | **Multi-Level Security** - This is an implementation based on the 42 | Bell-La Padula (BLP) model, and used by organizations where different 43 | levels of access are required so that restricted information is 44 | separated from classified information to maintain confidentiality. This 45 | allows enforcement rules such as 'no write down' and 'no read up' to be 46 | implemented in a policy by extending the security context to include 47 | security levels. The [**MLS**](mls_mcs.md#multi-level-and-multi-category-security) 48 | section covers this in more detail along with a variant called 49 | Multi-Category Security (MCS). 50 | 51 | The MLS / MCS services are now more generally used to maintain 52 | application separation, for example SELinux enabled: 53 | 54 | - virtual machines use MCS categories to allow each VM to run within 55 | its own domain to isolate VMs from each other (see the 56 | [**SELinux Virtual Machine Support**](vm_support.md#selinux-virtual-machine-support) 57 | section). 58 | - Android devices use dynamically generated MCS categories so that an 59 | app running on behalf of one user cannot read or write files created 60 | by the same app running on behalf of another user (see the 61 | [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section). 62 | 63 | 64 | 65 | --- 66 | **[[ PREV ]](core_components.md)** **[[ TOP ]](#)** **[[ NEXT ]](users.md)** 67 | -------------------------------------------------------------------------------- /src/metadata.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | title: The SELinux Notebook 3 | author: Originally created by Richard Haines 4 | subject: Security-Enhanced Linux (SELinux) 5 | description: | 6 | Gives a description of SELinux and its major components to provide 7 | Mandatory Access Control services for GNU / Linux. Hopefully it will 8 | show how the SELinux components link together and how SELinux-aware 9 | applications / object manager have been implemented. 10 | contributor: | 11 | Anyone may contribute to this book, see 12 | 13 | rights: | 14 | Permission is granted to copy, distribute and/or modify this document 15 | under the terms of the GNU Free Documentation License, Version 1.3 or 16 | any later version published by the Free Software Foundation. 17 | --- 18 | -------------------------------------------------------------------------------- /src/modes.md: -------------------------------------------------------------------------------- 1 | # SELinux Permissive and Enforcing Modes 2 | 3 | SELinux has three major modes of operation: 4 | 5 | **Enforcing** - SELinux is enforcing the loaded policy. 6 | 7 | **Permissive** - SELinux has loaded the policy, however it is not 8 | enforcing the policy rules. This is generally used for testing as the 9 | audit log will contain the AVC denied messages as defined in the 10 | [**Auditing SELinux Events**](auditing.md#auditing-selinux-events) section. 11 | The SELinux utilities such as ***audit2allow**(1)* and 12 | ***audit2why**(8)* can then be used to determine the cause and possible 13 | resolution by generating the appropriate allow rules. 14 | 15 | **Disabled** - The SELinux infrastructure is not enabled, therefore no 16 | policy can be loaded. 17 | 18 | These flags are set in the */etc/selinux/config* file as described in the 19 | [**Global Configuration Files**](global_config_files.md#etcselinuxconfig) 20 | section. 21 | 22 | There is another method for running specific domains in permissive mode 23 | using the kernel policy *permissive* statement. This can be used directly in a 24 | user written module or ***semanage**(8)* will generate the appropriate 25 | module and load it using the following example command: 26 | 27 | ``` 28 | # This example will add a new module in: 29 | # /var/lib/selinux//active/modules/400/permissive_unconfined_t 30 | # and then reload the policy: 31 | 32 | semanage permissive -a unconfined_t 33 | ``` 34 | 35 | It is also possible to set permissive mode on a userspace object manager 36 | using the *libselinux* function ***avc_open**(3)*, for example the 37 | [**X-Windows Object Manager**](x_windows.md#x-windows-selinux-support) 38 | uses *avc_open()* to set whether it will always run permissive, 39 | enforcing or follow the current SELinux enforcement mode. 40 | 41 | The ***sestatus**(8)* command will show the current SELinux 42 | enforcement mode in its output, however it does not display individual 43 | domain or object manager enforcement modes. 44 | 45 | 46 | 47 | --- 48 | **[[ PREV ]](types_of_policy.md)** **[[ TOP ]](#)** **[[ NEXT ]](auditing.md)** 49 | -------------------------------------------------------------------------------- /src/notebook-examples/README.md: -------------------------------------------------------------------------------- 1 | # SELinux Notebook Examples 2 | 3 | This area contains the following directories: 4 | 5 | ***cil-policy*** - Contains info to build and install simple CIL policy. 6 | 7 | ***network*** - Contains CIPSO, CALIPSO and IPSEC examples. 8 | 9 | ***selinux-policy*** - Contains info to build simple kernel and CIL policy. 10 | 11 | ***sepgsql*** - Contains SE-PostgreSQL database example. 12 | 13 | **NOTE:** To run the majority of these examples requires root privilege, 14 | therefore need to su etc. (or just log on as root and be damned) 15 | -------------------------------------------------------------------------------- /src/notebook-examples/cil-policy/Makefile: -------------------------------------------------------------------------------- 1 | # -*- Mode: makefile; indent-tabs-mode: t -*- 2 | # SPDX-License-Identifier: Unlicense 3 | 4 | .PHONY: install 5 | 6 | all: install 7 | 8 | install: 9 | mkdir -p /etc/selinux/cil-policy/{contexts,logins,policy,contexts/files,contexts/users} 10 | touch /etc/selinux/cil-policy/contexts/customizable_types 11 | touch /etc/selinux/cil-policy/contexts/file_contexts.subs_dist 12 | echo -e """ \ 15 | \n \ 16 | \n \ 17 | \n \ 18 | \n""" > /etc/selinux/cil-policy/contexts/dbus_contexts 19 | echo "sys.role:sys.isid sys.role:sys.isid" > /etc/selinux/cil-policy/contexts/default_contexts 20 | echo "sys.role:sys.isid" > /etc/selinux/cil-policy/contexts/default_type 21 | echo "sys.role:sys.isid" > /etc/selinux/cil-policy/contexts/failsafe_context 22 | echo -e """cdrom sys.id:sys.role:sys.isid \ 23 | \nfloppy sys.id:sys.role:sys.isid \ 24 | \ndisk sys.id:sys.role:sys.isid""" > /etc/selinux/cil-policy/contexts/files/media 25 | echo "privsep_preauth=sys.isid" > /etc/selinux/cil-policy/contexts/openssh_contexts 26 | echo "sys.id:sys.role:sys.isid" > /etc/selinux/cil-policy/contexts/removable_context 27 | echo "sys.isid" > /etc/selinux/cil-policy/contexts/securetty_types 28 | echo "sys.id:sys.role:sys.isid" > /etc/selinux/cil-policy/contexts/virtual_domain_context 29 | echo -e """sys.id:sys.role:sys.isid \ 30 | \nsys.id:sys.role:sys.isid""" > /etc/selinux/cil-policy/contexts/virtual_image_context 31 | semodule --priority=100 -N -s cil-policy -i cil-policy.cil 32 | -------------------------------------------------------------------------------- /src/notebook-examples/cil-policy/README.md: -------------------------------------------------------------------------------- 1 | # Tiny CIL policy that is mutable at runtime 2 | 3 | The purpose of this tiny SELinux policy is to demonstrate what is 4 | least required to get started, and it can be used as a base for your 5 | own security policy or just to experiment with. The policy is written 6 | in Common Intermediate Language and is installed with semodule to 7 | provide easy access to all aspects at runtime. 8 | 9 | A single security context is provided that is associated with 10 | everything in memory only and to really get started you are expected 11 | to make an inventory of your filesystems and to enable labeling 12 | support for your filesystems accordingly before you proceed. 13 | 14 | Only eight security classes and two access vector permissions are 15 | declared. AVC allow rules for these two access vector permissions are 16 | associated with the single security context to give full access. 17 | Unknown access vectors are allowed to enable you to pick and choose 18 | which access vectors to leverage. You can get a list of unknown Linux 19 | security classes and access vector permissions from `dmesg`, and any 20 | user space object managers are likely to report unknown access vectors 21 | using either "USER_AVC" or "USER_SELINUX_ERR" type audit records. You 22 | are expected to declare any access vectors you require and then to 23 | associate them accordingly with access vector rules to allow access. 24 | 25 | The type-enforcement (TE), as well as identity-based (IBAC) and 26 | role-based (RBAC) access control security models are enabled. Optional 27 | security models such as multi-level security can be added with 28 | relative easy. 29 | 30 | Common Intermediate Language is a modern source based policy language 31 | that together with a module store that can be accessed with `semodule` 32 | at runtime provides optimal flexibility in your interactions with 33 | SELinux. It is recommended that you use the `setools` policy analysis 34 | suite to its full potential to get any information about the state of 35 | your policy. 36 | 37 | The cil-policy addresses some of the intricacies involved with getting 38 | started without making assumptions about your environment and 39 | requirements. You are encouraged to leverage CIL to its full potential 40 | and to keep its documentation handy. 41 | 42 | ## Getting started 43 | 44 | ``` 45 | make install 46 | cat > /etc/selinux/config < myfs.cil 68 | semodule -i myfs.cil 69 | fixfiles -F onboot && reboot 70 | ``` 71 | 72 | To modify the existing cil-policy: 73 | 74 | ``` 75 | semodule -E cil-policy 76 | emacs cil-policy.cil 77 | semodule -X 101 -i cil-policy.cil 78 | ``` 79 | 80 | Use your favorite text editor to write policy in [Common Intermediate Language](https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/README.md), 81 | manage it with `semodule`, and analyze it with `setools`. 82 | 83 | ## Important 84 | 85 | If you are using Xserver or Xwayland then the following is required: 86 | 87 | ``` 88 | echo "(boolean xserver_object_manager false)" > disablexace.cil 89 | semodule -i disablexace.cil 90 | ``` 91 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/android-policy/README.md: -------------------------------------------------------------------------------- 1 | # Android Policy 2 | 3 | The Android policies defined in these *Makefile* files will allow them to be 4 | built for inspection without obtaining the full AOSP source and build 5 | environment. 6 | 7 | Note that the core policy is built in most cases as within Android each 8 | device adds their specific policy modules. 9 | 10 | The build process will produce two files: 11 | 12 | - *policy.conf* that can be examined with a text editor. 13 | - *sepolicy* that can be viewed using tools such as ***apol**(1)*. 14 | 15 | The ***git**(1)* commands required to obtain the policies are defined in 16 | each *Makefile*. 17 | 18 | - *android-4/Makefile* 19 | - The initial Android basic policy. 20 | 21 | - *brillo/Makefile* 22 | - The Brillo release was their first IoT release. 23 | 24 | - *android-10/Makefile* 25 | - The Android 10 release split the policy into private and public segments 26 | and has started using some CIL modules (although for simplicity they are 27 | not built). 28 | 29 | ## Build policy with a Device 30 | 31 | The *brillo-device/Makefile* has instructions to build the Brillo policy with 32 | a suitable device using the 33 | *https://android.googlesource.com/platform/external/sepolicy/+archive/refs/heads/brillo-m7-release.tar.gz* 34 | device policy file. 35 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/android-policy/android-10/Makefile: -------------------------------------------------------------------------------- 1 | #### Build android-10 base policy Makefile #### 2 | 3 | # git clone https://android.googlesource.com/platform/system/sepolicy 4 | # cd sepolicy 5 | # git checkout android10-dev 6 | # Copy this Makefile to the sepolicy directory and run 'make' to build the 7 | # policy files. 8 | # 9 | # The policy.conf file can be examined with a text editor and the binary 10 | # sepolicy file can be viewed using tools such as apol(1). 11 | # 12 | # Note this is built with 'target_build_variant=user' and will not have the 13 | # 'su' permissive domain. Set to 'eng' to add 'su' permissive domain. 14 | 15 | build_policy: 16 | m4 -D mls_num_sens=1 \ 17 | -D mls_num_cats=1024 \ 18 | -D target_build_variant=user \ 19 | -D target_recovery=false \ 20 | -s private/security_classes \ 21 | private/initial_sids \ 22 | private/access_vectors \ 23 | public/global_macros \ 24 | public/neverallow_macros \ 25 | private/mls_macros \ 26 | private/mls_decl \ 27 | private/mls \ 28 | private/policy_capabilities \ 29 | public/te_macros \ 30 | public/attributes \ 31 | public/ioctl_defines \ 32 | public/ioctl_macros \ 33 | public/*.te \ 34 | private/*.te \ 35 | private/roles_decl \ 36 | public/roles \ 37 | private/users \ 38 | private/initial_sid_contexts \ 39 | private/fs_use \ 40 | private/genfs_contexts \ 41 | private/port_contexts > policy.conf 42 | checkpolicy -U deny -M -o sepolicy policy.conf 43 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/android-policy/android-4/Makefile: -------------------------------------------------------------------------------- 1 | #### Build android-4.1.1_r1 base policy Makefile #### 2 | 3 | # git clone https://android.googlesource.com/platform/external/sepolicy 4 | # cd sepolicy 5 | # git checkout android-4.1.1_r1 6 | # Copy this Makefile to the sepolicy directory and run 'make' to build the 7 | # policy files. 8 | # 9 | # The policy.conf file can be examined with a text editor and the binary 10 | # sepolicy file can be viewed using tools such as apol(1). 11 | 12 | build_policy: 13 | # 14 | # Note the order in which the policy.conf file is built: 15 | # 16 | m4 -D mls_num_sens=1 \ 17 | -D mls_num_cats=1024 \ 18 | -s security_classes \ 19 | initial_sids \ 20 | access_vectors \ 21 | global_macros \ 22 | mls_macros \ 23 | mls \ 24 | policy_capabilities \ 25 | te_macros \ 26 | attributes \ 27 | *.te \ 28 | roles \ 29 | users \ 30 | ocontexts > policy.conf 31 | checkpolicy -U deny -M -o sepolicy policy.conf 32 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/android-policy/brillo-device/Makefile: -------------------------------------------------------------------------------- 1 | #### Build brillo-m10 + device policy Makefile #### 2 | 3 | # git clone https://android.googlesource.com/platform/external/sepolicy 4 | # cd sepolicy 5 | # git checkout brillo-m10-release 6 | # Copy this Makefile to the sepolicy directory and run 'make' to build the 7 | # policy files. 8 | # 9 | # To obtain a buildable device the brillo-m7-dev tar file is downloaded and 10 | # installed into the sepolicy directory. 11 | # 12 | # The policy.conf file can be examined with a text editor and the binary 13 | # sepolicy file can be viewed using tools such as apol(1). 14 | 15 | DEV_DIR := brillo-m7-dev 16 | 17 | build_policy: 18 | mkdir -p $(DEV_DIR) 19 | wget https://android.googlesource.com/device/generic/brillo/+archive/refs/heads/brillo-m7-dev.tar.gz -O - | tar -C $(DEV_DIR) -xz 20 | m4 -D mls_num_sens=1 \ 21 | -D mls_num_cats=1024 \ 22 | -D target_build_variant=eng \ 23 | -D target_recovery=false \ 24 | -s security_classes \ 25 | $(DEV_DIR)/sepolicy/security_classes \ 26 | initial_sids \ 27 | access_vectors \ 28 | $(DEV_DIR)/sepolicy/access_vectors \ 29 | global_macros \ 30 | mls_macros \ 31 | mls \ 32 | policy_capabilities \ 33 | te_macros \ 34 | $(DEV_DIR)/sepolicy/te_macros \ 35 | neverallow_macros \ 36 | attributes \ 37 | ioctl_macros \ 38 | *.te \ 39 | $(DEV_DIR)/sepolicy/*.te \ 40 | roles \ 41 | users \ 42 | initial_sid_contexts \ 43 | fs_use \ 44 | genfs_contexts \ 45 | port_contexts > policy.conf 46 | checkpolicy -U deny -M -o sepolicy policy.conf 47 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/android-policy/brillo/Makefile: -------------------------------------------------------------------------------- 1 | #### Build brillo-m10 base policy Makefile #### 2 | 3 | # git clone https://android.googlesource.com/platform/external/sepolicy 4 | # cd sepolicy 5 | # git checkout brillo-m10-release 6 | # Copy this Makefile to the sepolicy directory and run 'make' to build the 7 | # policy files. 8 | # 9 | # The policy.conf file can be examined with a text editor and the binary 10 | # sepolicy file can be viewed using tools such as apol(1). 11 | # 12 | # Note this is built with 'target_build_variant=eng' and will have the 'su' 13 | # permissive domain. Set to 'user' to remove the 'su' permissive domain. 14 | 15 | build_policy: 16 | m4 -D mls_num_sens=1 \ 17 | -D mls_num_cats=1024 \ 18 | -D target_build_variant=eng \ 19 | -D target_recovery=false \ 20 | -s security_classes \ 21 | initial_sids \ 22 | access_vectors \ 23 | global_macros \ 24 | mls_macros \ 25 | mls \ 26 | policy_capabilities \ 27 | te_macros \ 28 | neverallow_macros \ 29 | attributes \ 30 | ioctl_macros \ 31 | *.te \ 32 | roles \ 33 | users \ 34 | initial_sid_contexts \ 35 | fs_use \ 36 | genfs_contexts \ 37 | port_contexts > policy.conf 38 | checkpolicy -U deny -M -o sepolicy policy.conf 39 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/reference-policy/README.md: -------------------------------------------------------------------------------- 1 | # Building A Small Monolithic Reference Policy 2 | 3 | The *modules.conf* file supports the minimum of policy modules that can be 4 | defined to build a small monolithic policy as described in the 5 | [Building A Small Monolithic Reference Policy](embedded_systems.md#building-a-small-monolithic-reference-policy) 6 | section. 7 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/reference-policy/build.conf: -------------------------------------------------------------------------------- 1 | ######################################## 2 | # 3 | # Policy build options 4 | # 5 | 6 | # Policy version 7 | # By default, checkpolicy will create the highest 8 | # version policy it supports. Setting this will 9 | # override the version. This only has an 10 | # effect for monolithic policies. 11 | #OUTPUT_POLICY = 18 12 | 13 | # Policy Type 14 | # standard, mls, mcs 15 | TYPE = standard 16 | 17 | # Policy Name 18 | # If set, this will be used as the policy 19 | # name. Otherwise the policy type will be 20 | # used for the name. 21 | NAME = refpolicy 22 | 23 | # Distribution 24 | # Some distributions have portions of policy 25 | # for programs or configurations specific to the 26 | # distribution. Setting this will enable options 27 | # for the distribution. 28 | # redhat, gentoo, debian, suse, and rhel4 are current options. 29 | # Fedora users should enable redhat. 30 | #DISTRO = redhat 31 | 32 | # Unknown Permissions Handling 33 | # The behavior for handling permissions defined in the 34 | # kernel but missing from the policy. The permissions 35 | # can either be allowed, denied, or the policy loading 36 | # can be rejected. 37 | # allow, deny, and reject are current options. 38 | UNK_PERMS = deny 39 | 40 | # Direct admin init 41 | # Setting this will allow sysadm to directly 42 | # run init scripts, instead of requiring run_init. 43 | # This is a build option, as role transitions do 44 | # not work in conditional policy. 45 | DIRECT_INITRC = n 46 | 47 | # Systemd 48 | # Setting this will configure systemd as the init system. 49 | SYSTEMD = n 50 | 51 | # Build monolithic policy. Putting y here 52 | # will build a monolithic policy. 53 | MONOLITHIC = y 54 | 55 | # User-based access control (UBAC) 56 | # Enable UBAC for role separations. 57 | UBAC = n 58 | 59 | # Custom build options. This field enables custom 60 | # build options. Putting foo here will enable 61 | # build option blocks named foo. Options should be 62 | # separated by spaces. 63 | CUSTOM_BUILDOPT = 64 | 65 | # Number of MLS Sensitivities 66 | # The sensitivities will be s0 to s(MLS_SENS-1). 67 | # Dominance will be in increasing numerical order 68 | # with s0 being lowest. 69 | MLS_SENS = 16 70 | 71 | # Number of MLS Categories 72 | # The categories will be c0 to c(MLS_CATS-1). 73 | MLS_CATS = 1024 74 | 75 | # Number of MCS Categories 76 | # The categories will be c0 to c(MLS_CATS-1). 77 | MCS_CATS = 1024 78 | 79 | # Set this to y to only display status messages 80 | # during build. 81 | QUIET = n 82 | 83 | # Set this to treat warnings as errors. 84 | WERROR = n 85 | -------------------------------------------------------------------------------- /src/notebook-examples/embedded-policy/reference-policy/modules.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This file contains a listing of available modules. 3 | # To prevent a module from being used in policy 4 | # creation, set the module name to "off". 5 | # 6 | # For monolithic policies, modules set to "base" and "module" 7 | # will be built into the policy. 8 | # 9 | # For modular policies, modules set to "base" will be 10 | # included in the base module. "module" will be compiled 11 | # as individual loadable modules. 12 | # 13 | 14 | # Layer: kernel 15 | # Module: corecommands 16 | # Required in base 17 | # 18 | # Core policy for shells, and generic programs 19 | # in /bin, /sbin, /usr/bin, and /usr/sbin. 20 | # 21 | corecommands = base 22 | 23 | # Layer: kernel 24 | # Module: corenetwork 25 | # Required in base 26 | # 27 | # Policy controlling access to network objects 28 | # 29 | corenetwork = base 30 | 31 | # Layer: kernel 32 | # Module: devices 33 | # Required in base 34 | # 35 | # Device nodes and interfaces for many basic system devices. 36 | # 37 | devices = base 38 | 39 | # Layer: kernel 40 | # Module: domain 41 | # Required in base 42 | # 43 | # Core policy for domains. 44 | # 45 | domain = base 46 | 47 | # Layer: kernel 48 | # Module: files 49 | # Required in base 50 | # 51 | # Basic filesystem types and interfaces. 52 | # 53 | files = base 54 | 55 | # Layer: kernel 56 | # Module: filesystem 57 | # Required in base 58 | # 59 | # Policy for filesystems. 60 | # 61 | filesystem = base 62 | 63 | # Layer: kernel 64 | # Module: kernel 65 | # Required in base 66 | # 67 | # Policy for kernel threads, proc filesystem, 68 | # and unlabeled processes and objects. 69 | # 70 | kernel = base 71 | 72 | # Layer: kernel 73 | # Module: mcs 74 | # Required in base 75 | # 76 | # Multicategory security policy 77 | # 78 | mcs = base 79 | 80 | # Layer: kernel 81 | # Module: mls 82 | # Required in base 83 | # 84 | # Multilevel security policy 85 | # 86 | mls = base 87 | 88 | # Layer: kernel 89 | # Module: selinux 90 | # Required in base 91 | # 92 | # Policy for kernel security interface, in particular, selinuxfs. 93 | # 94 | selinux = base 95 | 96 | # Layer: kernel 97 | # Module: terminal 98 | # Required in base 99 | # 100 | # Policy for terminals. 101 | # 102 | terminal = base 103 | 104 | # Layer: kernel 105 | # Module: ubac 106 | # Required in base 107 | # 108 | # User-based access control policy 109 | # 110 | ubac = base 111 | 112 | # Layer: kernel 113 | # Module: storage 114 | # 115 | # Policy controlling access to storage devices 116 | # 117 | storage = module 118 | 119 | # Layer: system 120 | # Module: application 121 | # 122 | # Policy for user executable applications. 123 | # 124 | application = module 125 | 126 | # Layer: system 127 | # Module: authlogin 128 | # 129 | # Common policy for authentication and user login. 130 | # 131 | authlogin = module 132 | 133 | # Layer: system 134 | # Module: clock 135 | # 136 | # Policy for reading and setting the hardware clock. 137 | # 138 | clock = module 139 | 140 | # Layer: system 141 | # Module: getty 142 | # 143 | # Manages physical or virtual terminals. 144 | # 145 | getty = module 146 | 147 | # Layer: system 148 | # Module: init 149 | # 150 | # System initialization programs (init and init scripts). 151 | # 152 | init = module 153 | 154 | # Layer: system 155 | # Module: libraries 156 | # 157 | # Policy for system libraries. 158 | # 159 | libraries = module 160 | 161 | # Layer: system 162 | # Module: locallogin 163 | # 164 | # Policy for local logins. 165 | # 166 | locallogin = module 167 | 168 | # Layer: system 169 | # Module: logging 170 | # 171 | # Policy for the kernel message logger and system logging daemon. 172 | # 173 | logging = module 174 | 175 | # Layer: system 176 | # Module: miscfiles 177 | # 178 | # Miscellaneous files. 179 | # 180 | miscfiles = module 181 | 182 | # Layer: system 183 | # Module: modutils 184 | # 185 | # Policy for kernel module utilities 186 | # 187 | modutils = module 188 | 189 | # Layer: system 190 | # Module: mount 191 | # 192 | # Policy for mount. 193 | # 194 | mount = module 195 | 196 | # Layer: system 197 | # Module: selinuxutil 198 | # 199 | # Policy for SELinux policy and userland applications. 200 | # 201 | selinuxutil = module 202 | 203 | # Layer: system 204 | # Module: sysnetwork 205 | # 206 | # Policy for network configuration: ifconfig and dhcp client. 207 | # 208 | sysnetwork = module 209 | 210 | # Layer: system 211 | # Module: udev 212 | # 213 | # Policy for udev. 214 | # 215 | udev = module 216 | 217 | # Layer: system 218 | # Module: unconfined 219 | # 220 | # The unconfined domain. 221 | # 222 | unconfined = module 223 | 224 | # Layer: system 225 | # Module: userdomain 226 | # 227 | # Policy for user domains 228 | # 229 | userdomain = module 230 | 231 | # Layer: roles 232 | # Module: sysadm 233 | # 234 | # General system administration role 235 | # 236 | sysadm = module 237 | -------------------------------------------------------------------------------- /src/notebook-examples/network/Makefile: -------------------------------------------------------------------------------- 1 | TARGETS = nb_client nb_server 2 | CFLAGS ?= -Wall 3 | LDLIBS += -lselinux 4 | 5 | cipso: $(TARGETS) 6 | ./netlabel/cipso.sh 7 | 8 | calipso: $(TARGETS) 9 | ./netlabel/calipso.sh 10 | 11 | ip-xfrm: $(TARGETS) 12 | ./ipsec/ip-xfrm.sh 13 | 14 | setkey: $(TARGETS) 15 | ./ipsec/setkey.sh 16 | 17 | clean: 18 | ./netlabel/cipso-flush.sh 19 | ./netlabel/calipso-flush.sh 20 | ./ipsec/ipsec-flush.sh 21 | echo 1 > /proc/sys/net/ipv4/conf/lo/disable_xfrm 22 | echo 1 > /proc/sys/net/ipv4/conf/lo/disable_policy 23 | 24 | clean-all: clean 25 | rm -f $(TARGETS) 26 | -------------------------------------------------------------------------------- /src/notebook-examples/network/README.md: -------------------------------------------------------------------------------- 1 | # CIPSO, CALIPSO and IPSEC Demo 2 | 3 | This section will allow simple demos to show networking information from: 4 | 5 | 1) CIPSO using ***netlabelctl**(8)* - Shows peerlabel + CIPSO netlabel config, DOI and Tag type 6 | - Use `make cipso` 7 | 2) CALIPSO using ***netlabelctl**(8)* - Shows peerlabel + CIPSO netlabel config and DOI 8 | - Use `make calipso` 9 | 3) IPSEC using ***ip-xfrm**(8)* - Shows peerlabel + ip config 10 | - Use `make ip-xfrm` 11 | 4) IPSEC using ***setkey**(8)* - Shows peerlabel + ip config 12 | - Use `make setkey` 13 | 14 | The Makefile will build the client/server by default. 15 | 16 | 1) Make the applicable target. 17 | 2) In one terminal session run the server: 18 | `./nb_server 9999` 19 | 20 | 3) In another terminal session (for CIPSO and IPSEC build) run: 21 | `./nb_client 127.0.0.1 9999` 22 | 23 | - for CALIPSO (as IPV6) run: 24 | `./nb_client ::1 9999` 25 | 26 | For the CIPSO demo (using Tag type 5) the client will display: 27 | 28 | ``` 29 | ./nb_client 127.0.0.1 9999 30 | open socket - Peer Context: system_u:object_r:unlabeled_t:s0 31 | connect - Peer Context: system_u:object_r:netlabel_peer_t:s0 32 | CIPSO DOI: 87654321 Tag: 5 33 | Client Receive Buffer IP Options - Family: IPv4 Length: 12 34 | IP Option data: 860a05397fb1050400000000 35 | recv - Peer Context: system_u:object_r:netlabel_peer_t:s0 36 | 37 | Information from Server in RED: 38 | This is Message-1 from the server listening on port: 9999 39 | Client source port: 35378 40 | Server Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 41 | Server Peer Context: system_u:object_r:netlabel_peer_t:s0 42 | 43 | Client Information in GREEN: 44 | Client Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 45 | Client Peer Context: system_u:object_r:netlabel_peer_t:s0 46 | ``` 47 | 48 | 4) Once finished, run `make clean` to remove the configurations. 49 | -------------------------------------------------------------------------------- /src/notebook-examples/network/ipsec/ip-xfrm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm 4 | echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy 5 | ip xfrm policy flush 6 | ip xfrm state flush 7 | 8 | ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x200 ctx "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" auth sha1 0123456789012345 9 | ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:object_r:ipsec_spd_t:s0" tmpl proto ah mode transport level required 10 | 11 | ip xfrm policy show 12 | ip xfrm state show 13 | -------------------------------------------------------------------------------- /src/notebook-examples/network/ipsec/ipsec-flush.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo 1 > /proc/sys/net/ipv4/conf/lo/disable_xfrm 4 | echo 1 > /proc/sys/net/ipv4/conf/lo/disable_policy 5 | ip xfrm policy flush 6 | ip xfrm state flush 7 | -------------------------------------------------------------------------------- /src/notebook-examples/network/ipsec/setkey: -------------------------------------------------------------------------------- 1 | # setkey -f configuration file entries for MANUAL SA configuration 2 | # 3 | # 4 | # Flush the SAD and SPD 5 | flush; 6 | spdflush; 7 | 8 | # 9 | ########## Security Association Database entries ################# 10 | # 11 | # Authentication Header info 12 | # AH SAs using 128 bit long keys 13 | 14 | add 127.0.0.1 127.0.0.1 ah 0x300 15 | -ctx 1 1 "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" 16 | -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b; 17 | # 18 | # Encapsulated Security Payload info 19 | # The -ctx context MUST be exact else get "connect: No such process" 20 | # message when running client: 21 | # ESP SAs using 192 bit long keys (168 + 24 parity) 22 | 23 | add 127.0.0.1 127.0.0.1 esp 0x301 24 | -ctx 1 1 "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" 25 | -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df; 26 | 27 | # 28 | ########### Security Policy Database entries ########################## 29 | # 30 | spdadd 127.0.0.1 127.0.0.1 tcp 31 | -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" 32 | -P out ipsec esp/transport//require 33 | ah/transport//require; 34 | 35 | spdadd 127.0.0.1 127.0.0.1 tcp 36 | -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" 37 | -P in ipsec esp/transport//require 38 | ah/transport//require; 39 | -------------------------------------------------------------------------------- /src/notebook-examples/network/ipsec/setkey.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm 4 | echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy 5 | 6 | setkey -f ./ipsec/setkey 7 | setkey -DP 8 | -------------------------------------------------------------------------------- /src/notebook-examples/network/nb_client.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | static char *get_ip_option(int fd, bool ipv4, socklen_t *opt_len) 12 | { 13 | int ret, i; 14 | uint32_t doi; 15 | unsigned char ip_options[1024], *opt_ptr; 16 | socklen_t len = sizeof(ip_options); 17 | char *ip_optbuf; 18 | 19 | if (ipv4) 20 | ret = getsockopt(fd, IPPROTO_IP, IP_OPTIONS, 21 | ip_options, &len); 22 | else 23 | ret = getsockopt(fd, IPPROTO_IPV6, IPV6_HOPOPTS, 24 | ip_options, &len); 25 | if (ret < 0) { 26 | perror("get ip options error"); 27 | return NULL; 28 | } 29 | 30 | ip_optbuf = calloc(1, len * 2 + 1); 31 | if (!ip_optbuf) { 32 | perror("get ip options malloc error"); 33 | return NULL; 34 | } 35 | 36 | if (len > 0) { 37 | if (ipv4) { 38 | opt_ptr = &ip_options[2]; 39 | memcpy(&doi, opt_ptr, sizeof(uint32_t)); 40 | printf("CIPSO DOI: %d Tag: %d\n", ntohl(doi), 41 | ip_options[6]); 42 | } else { 43 | opt_ptr = &ip_options[4]; 44 | memcpy(&doi, opt_ptr, sizeof(uint32_t)); 45 | printf("CALIPSO DOI: %d\n", ntohl(doi)); 46 | } 47 | 48 | for (i = 0; i < len; i++) 49 | sprintf(&ip_optbuf[i * 2], "%02x", ip_options[i]); 50 | 51 | *opt_len = len; 52 | return ip_optbuf; 53 | } 54 | 55 | return NULL; 56 | } 57 | 58 | static void print_ip_option(int fd, bool ipv4, char *text) 59 | { 60 | char *ip_options; 61 | socklen_t len; 62 | 63 | ip_options = get_ip_option(fd, ipv4, &len); 64 | 65 | if (ip_options) { 66 | printf("%s IP Options - Family: %s Length: %d\n\tIP Option data: %s\n", 67 | text, ipv4 ? "IPv4" : "IPv6", len, ip_options); 68 | free(ip_options); 69 | } else { 70 | printf("%s No IP Options set\n", text); 71 | } 72 | } 73 | 74 | #define MAXBUFFERSIZE 256 75 | #define RED "\x1b[31m" 76 | #define GREEN "\x1b[32m" 77 | #define RESET "\x1b[0m" 78 | 79 | int main(int argc, char *argv[]) 80 | { 81 | int sock, bytes_received, ret; 82 | char buffer[MAXBUFFERSIZE]; 83 | char *context, *peer_context, *peer_context_str; 84 | bool ipv4 = false; 85 | struct addrinfo hints, *serverinfo; 86 | struct timeval tm; 87 | 88 | if (argc != 3) { 89 | fprintf(stderr, "usage: %s
\n", argv[0]); 90 | exit(1); 91 | } 92 | 93 | memset(&hints, 0, sizeof(struct addrinfo)); 94 | hints.ai_socktype = SOCK_STREAM; 95 | hints.ai_protocol = IPPROTO_TCP; 96 | 97 | ret = getaddrinfo(argv[1], argv[2], &hints, &serverinfo); 98 | if (ret < 0) { 99 | fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret)); 100 | exit(1); 101 | } 102 | 103 | if (serverinfo->ai_family == AF_INET) 104 | ipv4 = true; 105 | 106 | sock = socket(serverinfo->ai_family, serverinfo->ai_socktype, 107 | serverinfo->ai_protocol); 108 | if (sock < 0) { 109 | perror("Client Socket"); 110 | exit(1); 111 | } 112 | 113 | tm.tv_sec = 5; 114 | tm.tv_usec = 0; 115 | if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tm, sizeof(tm)) < 0) { 116 | perror("setsockopt: SO_SNDTIMEO"); 117 | exit(1); 118 | } 119 | 120 | if (getpeercon(sock, &peer_context) < 0) { 121 | printf("open socket - No Peer Context Available\n"); 122 | } else { 123 | printf("open socket - Peer Context: %s\n", peer_context); 124 | free(peer_context); 125 | } 126 | 127 | if (connect(sock, serverinfo->ai_addr, serverinfo->ai_addrlen) < 0) { 128 | perror("connect"); 129 | close(sock); 130 | exit(1); 131 | } 132 | 133 | if (getpeercon(sock, &peer_context) < 0) { 134 | printf("connect - No Peer Context Available\n"); 135 | } else { 136 | printf("connect - Peer Context: %s\n", peer_context); 137 | free(peer_context); 138 | } 139 | 140 | memset(buffer, 0, sizeof(buffer)); 141 | bytes_received = recv(sock, buffer, MAXBUFFERSIZE-1, 0); 142 | if (bytes_received < 0) { 143 | perror("Client recv"); 144 | exit(1); 145 | } 146 | 147 | print_ip_option(sock, ipv4, "Client Receive Buffer"); 148 | 149 | if (getpeercon(sock, &peer_context) < 0) { 150 | printf("recv - No Peer Context Available\n"); 151 | } else { 152 | printf("recv - Peer Context: %s\n", peer_context); 153 | free(peer_context); 154 | } 155 | 156 | buffer[bytes_received] = '\0'; /* Add null at end of line. */ 157 | printf("\n%sInformation from Server in RED:\n%s%s\n", 158 | RED, buffer, RESET); 159 | 160 | /* Print the Clients context information */ 161 | if (getcon(&context) < 0) { 162 | perror("Client context"); 163 | exit(1); 164 | } 165 | 166 | if (getpeercon(sock, &peer_context) < 0) { 167 | peer_context_str = strdup("No Peer Context Available"); 168 | } else { 169 | peer_context_str = strdup(peer_context); 170 | free(peer_context); 171 | } 172 | printf("%sClient Information in GREEN:\n", GREEN); 173 | printf("Client Context: %s\nClient Peer Context: %s%s\n", 174 | context, peer_context_str, RESET); 175 | 176 | free(context); 177 | close(sock); 178 | exit(0); 179 | } 180 | -------------------------------------------------------------------------------- /src/notebook-examples/network/nb_server.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #define MAXBUFFERSIZE 256 13 | 14 | int main(int argc, char *argv[]) 15 | { 16 | int sock, new_sock, message_id = 1, on = 1, ret; 17 | struct addrinfo hints, *res; 18 | struct sockaddr_in client_addr; 19 | socklen_t sin_size; 20 | char buffer[MAXBUFFERSIZE]; 21 | char *context, *peer_context; 22 | char *peer_context_str = NULL; 23 | 24 | if (argc < 2) { 25 | fprintf(stderr, "Usage: %s \n", argv[0]); 26 | exit(1); 27 | } 28 | 29 | /* Add port info to send buffer and also display */ 30 | sprintf(buffer, "Listening on port %s", argv[1]); 31 | printf("%s\n", buffer); 32 | 33 | memset(&hints, 0, sizeof(struct addrinfo)); 34 | hints.ai_flags = AI_PASSIVE; 35 | hints.ai_family = AF_INET6; 36 | 37 | ret = getaddrinfo(NULL, argv[1], &hints, &res); 38 | if (ret < 0) { 39 | printf("getaddrinfo: %s\n", gai_strerror(ret)); 40 | exit(1); 41 | } 42 | 43 | sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); 44 | if (sock < 0) { 45 | perror("socket"); 46 | exit(1); 47 | } 48 | 49 | if (getpeercon(sock, &peer_context) < 0) { 50 | printf("open socket - No Peer Context Available\n"); 51 | } else { 52 | printf("open socket - Peer Context: %s\n", peer_context); 53 | free(peer_context); 54 | } 55 | 56 | if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) { 57 | perror("Server setsockopt: SO_REUSEADDR"); 58 | close(sock); 59 | exit(1); 60 | } 61 | 62 | if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { 63 | perror("Server bind"); 64 | exit(1); 65 | } 66 | 67 | if (getpeercon(sock, &peer_context) < 0) { 68 | printf("bind - No Peer Context Available\n"); 69 | } else { 70 | printf("bind - Peer Context: %s\n", peer_context); 71 | free(peer_context); 72 | } 73 | 74 | if (listen(sock, 5) < 0) { 75 | perror("Server listen"); 76 | exit(1); 77 | } 78 | 79 | if (getpeercon(sock, &peer_context) < 0) { 80 | printf("listen - No Peer Context Available\n"); 81 | } else { 82 | printf("listen - Peer Context: %s\n", peer_context); 83 | free(peer_context); 84 | } 85 | 86 | while (1) { 87 | sin_size = sizeof(struct sockaddr_in); 88 | 89 | new_sock = accept(sock, (struct sockaddr *)&client_addr, 90 | &sin_size); 91 | if (new_sock < 0) { 92 | perror("Server accept"); 93 | continue; 94 | } 95 | 96 | /* Get context assigned to the new socket */ 97 | if (fgetfilecon_raw(new_sock, &context) < 0) { 98 | perror("fgetfilecon - FAILED"); 99 | exit(1); 100 | } 101 | printf("accept on new socket - context assigned to new "); 102 | printf("socket is (using fgetfilecon):\n\t%s\n", context); 103 | free(context); 104 | 105 | /* Then check if peer context is assigned to this new socket */ 106 | if (getpeercon(new_sock, &peer_context) < 0) { 107 | printf("accept new socket - No Peer Context Available\n"); 108 | } else { 109 | printf("accept new socket - Peer Context: %s\n", 110 | peer_context); 111 | free(peer_context); 112 | } 113 | 114 | /* Get Server context information */ 115 | if (getcon(&context) < 0) { 116 | perror("Server context"); 117 | exit(1); 118 | } 119 | 120 | if (getpeercon(new_sock, &peer_context) < 0) { 121 | peer_context_str = strdup("No Peer Context Available"); 122 | } else { 123 | peer_context_str = strdup(peer_context); 124 | free(peer_context); 125 | } 126 | /* Clear the buffer of rubbish */ 127 | memset(buffer, 0, sizeof(buffer)); 128 | 129 | /* Print Server network information */ 130 | printf("Server has connection from client: host = %s " 131 | "destination port = %s source port = %d\n", 132 | inet_ntoa(client_addr.sin_addr), 133 | argv[1], ntohs(client_addr.sin_port)); 134 | 135 | printf("Server Context: %s\nServer Peer Context: %s\n", 136 | context, peer_context_str); 137 | 138 | /* Now send the buffer. */ 139 | sprintf(buffer, "This is Message-%d from the server listening " 140 | "on port: %s\nClient source port: %d\n" 141 | "Server Context: %s\nServer Peer Context: %s\n", 142 | message_id, argv[1], 143 | ntohs(client_addr.sin_port), 144 | context, peer_context_str); 145 | 146 | if (send(new_sock, buffer, strlen(buffer), 0) < 0) 147 | perror("Server send"); 148 | 149 | message_id++; 150 | free(context); 151 | free(peer_context_str); 152 | close(new_sock); 153 | } 154 | 155 | exit(0); 156 | } 157 | -------------------------------------------------------------------------------- /src/notebook-examples/network/netlabel/calipso-flush.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | netlabelctl map del default 4 | netlabelctl calipso del doi:12345678 5 | netlabelctl map add default protocol:unlbl 6 | -------------------------------------------------------------------------------- /src/notebook-examples/network/netlabel/calipso.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | netlabelctl calipso add pass doi:12345678 4 | netlabelctl map del default 5 | netlabelctl map add default address:0.0.0.0/0 protocol:unlbl 6 | netlabelctl map add default address:::/0 protocol:unlbl 7 | netlabelctl map add default address:::1 protocol:calipso,12345678 8 | netlabelctl -p map list 9 | -------------------------------------------------------------------------------- /src/notebook-examples/network/netlabel/cipso-flush.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | netlabelctl map del default 4 | netlabelctl cipsov4 del doi:87654321 5 | netlabelctl map add default protocol:unlbl 6 | -------------------------------------------------------------------------------- /src/notebook-examples/network/netlabel/cipso.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | netlabelctl cipsov4 add pass doi:87654321 tags:5 4 | netlabelctl map del default 5 | netlabelctl map add default address:0.0.0.0/0 protocol:unlbl 6 | netlabelctl map add default address:::/0 protocol:unlbl 7 | netlabelctl map add default address:127.0.0.1 protocol:cipsov4,87654321 8 | netlabelctl -p map list 9 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/README.md: -------------------------------------------------------------------------------- 1 | # Sample Policy Builds 2 | 3 | **Have a recovery disk at the ready** 4 | 5 | This area contains the following: 6 | 7 | ***tools*** - Contains the `build-sepolicy` script and man page. This is used 8 | to build the kernel and CIL policy files. It does have many hardcoded items. 9 | Another basic kernel policy build is available in the kernel source, see the 10 | *scripts/selinux/mdp* and *Documentation/admin-guide/LSM/SELinux.rst* files. 11 | 12 | ***cil*** - Contains the CIL_Reference_Guide, Makefile to build CIL policy 13 | (MLS or non MLS). 14 | 15 | ***kernel*** - Contains the Makefile to build kernel language policy 16 | (MLS or non MLS). 17 | 18 | ***policy-files*** - Contains the kernel and CIL policy configuration files. 19 | 20 | ***flask-files*** - Contains the Fedora 31 policy source initial_sids, 21 | security_classes and access_vectors flask files. 22 | 23 | ## Building the Kernel Source MDP 24 | 25 | **Note** that the kernel mdp `install_policy.sh` script will not build 26 | the policy if SELinux is already enabled. The sample MLS policy source 27 | can be built after a kernel build by: 28 | 29 | ./mdp -m policy.conf file_contexts 30 | 31 | **IMPORTANT:** If the MDP policy is going to run on a system with 32 | Xwayland, then the XSELinux object manager **must be** disabled 33 | by adding the highlighted `bool` statement in the *policy.conf* 34 | file (as on Fedora 32 WS it currently core dumps if enabled 35 | when in permissive mode): 36 | 37 | ``` 38 | mlsconstrain lockdown { 39 | integrity 40 | confidentiality 41 | } (l2 eq h2 and h1 dom h2); 42 | ``` 43 | **`bool xserver_object_manager false;`** 44 | ``` 45 | type base_t; 46 | ``` 47 | 48 | The binary policy can then be built by: 49 | 50 | checkpolicy -U allow -M -c 32 -o policy.32 policy.conf 51 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/8cfd893c16a82d86b42c9c684330e2f8db3bd137/src/notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/cil/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | ############################################################### 3 | # # 4 | # Makefile for the CIL Policy # 5 | # # 6 | ############################################################### 7 | # 8 | 9 | BASE_DIR = /etc/selinux 10 | FLASK_FILES = ../flask-files 11 | POLICY_FILES = ../policy-files 12 | TOOLS = ../tools 13 | POL_VERS := $(shell checkpolicy -V | cut -f 1 -d ' ') 14 | 15 | build_policy: 16 | $(TOOLS)/build-sepolicy -c -o policy.cil -d $(FLASK_FILES) 17 | secilc -f file_contexts policy.cil -o policy.$(POL_VERS) 18 | 19 | build_mls_policy: 20 | $(TOOLS)/build-sepolicy -c -M -o mls-policy.cil -d $(FLASK_FILES) 21 | secilc mls-policy.cil -o mls-policy.$(POL_VERS) 22 | 23 | install_policy: build_policy 24 | mkdir -p $(BASE_DIR)/nb-cil/policy 25 | mkdir -p $(BASE_DIR)/nb-cil/contexts/files 26 | install -m 644 $(POLICY_FILES)/seusers $(BASE_DIR)/nb-cil 27 | install -m 644 $(POLICY_FILES)/dbus_contexts $(BASE_DIR)/nb-cil/contexts 28 | install -m 644 $(POLICY_FILES)/default_contexts $(BASE_DIR)/nb-cil/contexts 29 | install -m 644 $(POLICY_FILES)/default_type $(BASE_DIR)/nb-cil/contexts 30 | install -m 644 $(POLICY_FILES)/x_contexts $(BASE_DIR)/nb-cil/contexts 31 | install -m 644 $(POLICY_FILES)/file_contexts $(BASE_DIR)/nb-cil/contexts/files 32 | install -m 644 policy.$(POL_VERS) $(BASE_DIR)/nb-cil/policy 33 | 34 | install_mls_policy: build_mls_policy 35 | mkdir -p $(BASE_DIR)/nb-mls-cil/policy 36 | mkdir -p $(BASE_DIR)/nb-mls-cil/contexts/files 37 | install -m 644 $(POLICY_FILES)/mls/seusers $(BASE_DIR)/nb-mls-cil 38 | install -m 644 $(POLICY_FILES)/dbus_contexts $(BASE_DIR)/nb-mls-cil/contexts 39 | install -m 644 $(POLICY_FILES)/mls/default_contexts $(BASE_DIR)/nb-mls-cil/contexts 40 | install -m 644 $(POLICY_FILES)/mls/default_type $(BASE_DIR)/nb-mls-cil/contexts 41 | install -m 644 $(POLICY_FILES)/mls/x_contexts $(BASE_DIR)/nb-mls-cil/contexts 42 | install -m 644 $(POLICY_FILES)/mls/file_contexts $(BASE_DIR)/nb-mls-cil/contexts/files 43 | install -m 644 mls-policy.$(POL_VERS) $(BASE_DIR)/nb-mls-cil/policy/policy.$(POL_VERS) 44 | 45 | clean: 46 | rm -f *.$(POL_VERS) 47 | rm -f *.cil 48 | rm -f file_contexts 49 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/cil/README.md: -------------------------------------------------------------------------------- 1 | # Sample CIL Policy 2 | 3 | This requires the following package to be installed: 4 | 5 | `dnf install secilc` 6 | 7 | This section will build/install sample CIL policy files: 8 | 9 | 1) Build a non MLS policy: `make build_policy` 10 | 2) Install the non MLS policy in /etc/selinux/nb-cil: `make install_policy` 11 | 3) Build an MLS policy: `make build_mls_policy` 12 | 4) Install the MLS policy in /etc/selinux/nb-mls-cil: `make install_mls_policy` 13 | 14 | 15 | To run these policy: 16 | edit the */etc/selinux/config* file entries: 17 | SELINUXTYPE= 18 | SELINUX=permissive. 19 | 20 | touch /.autorelabel 21 | reboot the system 22 | 23 | The *Makefile* and *tools/build-sepolicy* build script should be 24 | read to find out how the policy is built and installed. 25 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/flask-files/README: -------------------------------------------------------------------------------- 1 | These flask files are from Fedora 31 policy source. 2 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/flask-files/initial_sids: -------------------------------------------------------------------------------- 1 | # FLASK 2 | 3 | # 4 | # Define initial security identifiers 5 | # 6 | 7 | sid kernel 8 | sid security 9 | sid unlabeled 10 | sid fs 11 | sid file 12 | sid file_labels 13 | sid init 14 | sid any_socket 15 | sid port 16 | sid netif 17 | sid netmsg 18 | sid node 19 | sid igmp_packet 20 | sid icmp_socket 21 | sid tcp_socket 22 | sid sysctl_modprobe 23 | sid sysctl 24 | sid sysctl_fs 25 | sid sysctl_kernel 26 | sid sysctl_net 27 | sid sysctl_net_unix 28 | sid sysctl_vm 29 | sid sysctl_dev 30 | sid kmod 31 | sid policy 32 | sid scmp_packet 33 | sid devnull 34 | 35 | # FLASK 36 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/flask-files/security_classes: -------------------------------------------------------------------------------- 1 | # FLASK 2 | 3 | # 4 | # Define the security object classes 5 | # 6 | 7 | # Classes marked as userspace are classes 8 | # for userspace object managers 9 | 10 | class security 11 | class process 12 | class system 13 | class capability 14 | 15 | # file-related classes 16 | class filesystem 17 | class file 18 | class dir 19 | class fd 20 | class lnk_file 21 | class chr_file 22 | class blk_file 23 | class sock_file 24 | class fifo_file 25 | 26 | # network-related classes 27 | class socket 28 | class tcp_socket 29 | class udp_socket 30 | class rawip_socket 31 | class node 32 | class netif 33 | class netlink_socket 34 | class packet_socket 35 | class key_socket 36 | class unix_stream_socket 37 | class unix_dgram_socket 38 | 39 | # sysv-ipc-related classes 40 | class sem 41 | class msg 42 | class msgq 43 | class shm 44 | class ipc 45 | 46 | # 47 | # userspace object manager classes 48 | # 49 | 50 | # passwd/chfn/chsh 51 | class passwd # userspace 52 | 53 | # SE-X Windows stuff (more classes below) 54 | class x_drawable # userspace 55 | class x_screen # userspace 56 | class x_gc # userspace 57 | class x_font # userspace 58 | class x_colormap # userspace 59 | class x_property # userspace 60 | class x_selection # userspace 61 | class x_cursor # userspace 62 | class x_client # userspace 63 | class x_device # userspace 64 | class x_server # userspace 65 | class x_extension # userspace 66 | 67 | # extended netlink sockets 68 | class netlink_route_socket 69 | class obsolete_netlink_firewall_socket 70 | class netlink_tcpdiag_socket 71 | class netlink_nflog_socket 72 | class netlink_xfrm_socket 73 | class netlink_selinux_socket 74 | class netlink_audit_socket 75 | class obsolete_netlink_ip6fw_socket 76 | class netlink_dnrt_socket 77 | 78 | class dbus # userspace 79 | class nscd # userspace 80 | 81 | # IPSec association 82 | class association 83 | 84 | # Updated Netlink class for KOBJECT_UEVENT family. 85 | class netlink_kobject_uevent_socket 86 | 87 | class appletalk_socket 88 | 89 | class packet 90 | 91 | # Kernel access key retention 92 | class key 93 | 94 | class context # userspace 95 | 96 | class dccp_socket 97 | 98 | class memprotect 99 | 100 | class db_database # userspace 101 | class db_table # userspace 102 | class db_procedure # userspace 103 | class db_column # userspace 104 | class db_tuple # userspace 105 | class db_blob # userspace 106 | class db_exception # userspace 107 | class db_datatype # userspace 108 | 109 | # network peer labels 110 | class peer 111 | 112 | # Capabilities >= 32 113 | class capability2 114 | 115 | # More SE-X Windows stuff 116 | class x_resource # userspace 117 | class x_event # userspace 118 | class x_synthetic_event # userspace 119 | class x_application_data # userspace 120 | 121 | # kernel services that need to override task security, e.g. cachefiles 122 | class kernel_service 123 | 124 | class tun_socket 125 | 126 | class binder 127 | 128 | # Updated netlink classes for more recent netlink protocols. 129 | class netlink_iscsi_socket 130 | class netlink_fib_lookup_socket 131 | class netlink_connector_socket 132 | class netlink_netfilter_socket 133 | class netlink_generic_socket 134 | class netlink_scsitransport_socket 135 | class netlink_rdma_socket 136 | class netlink_crypto_socket 137 | 138 | # Still More SE-X Windows stuff 139 | class x_pointer # userspace 140 | class x_keyboard # userspace 141 | 142 | # Infiniband 143 | class infiniband_pkey 144 | class infiniband_endport 145 | 146 | # More Database stuff 147 | class db_schema # userspace 148 | class db_view # userspace 149 | class db_sequence # userspace 150 | class db_language # userspace 151 | 152 | class service # userspace 153 | 154 | # Capability checks when on a non-init user namespace 155 | class cap_userns 156 | class cap2_userns 157 | 158 | # New socket classes introduced by extended_socket_class policy capability. 159 | # These two were previously mapped to rawip_socket. 160 | class sctp_socket 161 | class icmp_socket 162 | # These were previously mapped to socket. 163 | class ax25_socket 164 | class ipx_socket 165 | class netrom_socket 166 | class atmpvc_socket 167 | class x25_socket 168 | class rose_socket 169 | class decnet_socket 170 | class atmsvc_socket 171 | class rds_socket 172 | class irda_socket 173 | class pppox_socket 174 | class llc_socket 175 | class can_socket 176 | class tipc_socket 177 | class bluetooth_socket 178 | class iucv_socket 179 | class rxrpc_socket 180 | class isdn_socket 181 | class phonet_socket 182 | class ieee802154_socket 183 | class caif_socket 184 | class alg_socket 185 | class nfc_socket 186 | class vsock_socket 187 | class kcm_socket 188 | class qipcrtr_socket 189 | class smc_socket 190 | 191 | class process2 192 | 193 | class bpf 194 | 195 | class xdp_socket 196 | 197 | class perf_event 198 | 199 | class lockdown 200 | 201 | # FLASK 202 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/kernel/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | ############################################################### 3 | # # 4 | # Makefile for the Kernel Policy # 5 | # # 6 | ############################################################### 7 | # 8 | 9 | BASE_DIR = /etc/selinux 10 | FLASK_FILES = ../flask-files 11 | POLICY_FILES = ../policy-files 12 | TOOLS = ../tools 13 | POL_VERS := $(shell checkpolicy -V | cut -f 1 -d ' ') 14 | 15 | build_policy: 16 | $(TOOLS)/build-sepolicy -o policy.conf -d $(FLASK_FILES) 17 | checkpolicy -U allow -c $(POL_VERS) -o policy.$(POL_VERS) policy.conf 18 | 19 | build_mls_policy: 20 | $(TOOLS)/build-sepolicy -M -o mls-policy.conf -d $(FLASK_FILES) 21 | checkpolicy -U allow -M -c $(POL_VERS) -o mls-policy.$(POL_VERS) mls-policy.conf 22 | 23 | install_policy: build_policy 24 | mkdir -p $(BASE_DIR)/nb-kernel/policy 25 | mkdir -p $(BASE_DIR)/nb-kernel/contexts/files 26 | install -m 644 $(POLICY_FILES)/seusers $(BASE_DIR)/nb-kernel 27 | install -m 644 $(POLICY_FILES)/dbus_contexts $(BASE_DIR)/nb-kernel/contexts 28 | install -m 644 $(POLICY_FILES)/default_contexts $(BASE_DIR)/nb-kernel/contexts 29 | install -m 644 $(POLICY_FILES)/default_type $(BASE_DIR)/nb-kernel/contexts 30 | install -m 644 $(POLICY_FILES)/x_contexts $(BASE_DIR)/nb-kernel/contexts 31 | install -m 644 $(POLICY_FILES)/file_contexts $(BASE_DIR)/nb-kernel/contexts/files 32 | install -m 644 policy.$(POL_VERS) $(BASE_DIR)/nb-kernel/policy 33 | 34 | install_mls_policy: build_mls_policy 35 | mkdir -p $(BASE_DIR)/nb-mls-kernel/policy 36 | mkdir -p $(BASE_DIR)/nb-mls-kernel/contexts/files 37 | install -m 644 $(POLICY_FILES)/mls/seusers $(BASE_DIR)/nb-mls-kernel 38 | install -m 644 $(POLICY_FILES)/dbus_contexts $(BASE_DIR)/nb-mls-kernel/contexts 39 | install -m 644 $(POLICY_FILES)/mls/default_contexts $(BASE_DIR)/nb-mls-kernel/contexts 40 | install -m 644 $(POLICY_FILES)/mls/default_type $(BASE_DIR)/nb-mls-kernel/contexts 41 | install -m 644 $(POLICY_FILES)/mls/x_contexts $(BASE_DIR)/nb-mls-kernel/contexts 42 | install -m 644 $(POLICY_FILES)/mls/file_contexts $(BASE_DIR)/nb-mls-kernel/contexts/files 43 | install -m 644 mls-policy.$(POL_VERS) $(BASE_DIR)/nb-mls-kernel/policy/policy.$(POL_VERS) 44 | 45 | clean: 46 | rm -f *.$(POL_VERS) 47 | rm -f *.conf 48 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/kernel/README.md: -------------------------------------------------------------------------------- 1 | # Sample Kernel Policy 2 | 3 | This section will build/install sample kernel policy files: 4 | 5 | 1) Build a non MLS policy: `make build_policy` 6 | 2) Install the non MLS policy in /etc/selinux/nb-kernel: `make install_policy` 7 | 3) Build an MLS policy: `make build_mls_policy` 8 | 4) Install the MLS policy in /etc/selinux/nb-mls-kernel: `make install_mls_policy` 9 | 10 | 11 | To run these policy: 12 | edit the */etc/selinux/config* file entries: 13 | SELINUXTYPE= 14 | SELINUX=permissive. 15 | 16 | touch /.autorelabel 17 | reboot the system 18 | 19 | The *Makefile* and *tools/build-sepolicy* build script should be 20 | read to find out how the policy is built and installed. 21 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/dbus_contexts: -------------------------------------------------------------------------------- 1 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/default_contexts: -------------------------------------------------------------------------------- 1 | unconfined_r:unconfined_t unconfined_r:unconfined_t 2 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/default_type: -------------------------------------------------------------------------------- 1 | unconfined_r:unconfined_t 2 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/file_contexts: -------------------------------------------------------------------------------- 1 | /.* system_u:object_r:unconfined_t 2 | / system_u:object_r:unconfined_t 3 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/mls/default_contexts: -------------------------------------------------------------------------------- 1 | unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 2 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/mls/default_type: -------------------------------------------------------------------------------- 1 | unconfined_r:unconfined_t:s0 2 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/mls/file_contexts: -------------------------------------------------------------------------------- 1 | /.* system_u:object_r:unconfined_t:s0 2 | / system_u:object_r:unconfined_t:s0 3 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/mls/seusers: -------------------------------------------------------------------------------- 1 | __default__:unconfined_u:s0 2 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/mls/x_contexts: -------------------------------------------------------------------------------- 1 | client * system_u:object_r:unconfined_t:s0 2 | property * system_u:object_r:unconfined_t:s0 3 | extension * system_u:object_r:unconfined_t:s0 4 | selection * system_u:object_r:unconfined_t:s0 5 | event * system_u:object_r:unconfined_t:s0 6 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/seusers: -------------------------------------------------------------------------------- 1 | __default__:unconfined_u 2 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/policy-files/x_contexts: -------------------------------------------------------------------------------- 1 | client * system_u:object_r:unconfined_t 2 | property * system_u:object_r:unconfined_t 3 | extension * system_u:object_r:unconfined_t 4 | selection * system_u:object_r:unconfined_t 5 | event * system_u:object_r:unconfined_t 6 | -------------------------------------------------------------------------------- /src/notebook-examples/selinux-policy/tools/build-sepolicy.md: -------------------------------------------------------------------------------- 1 | # build-sepolicy 2 | 3 | This will build CIL or kernel policy files based on the Reference Policy 4 | *initial_sids*, *security_classes* and *access_vectors* Flask files. 5 | 6 | See the *cil/README.md* and *kernel/README.md* for build details. 7 | 8 | ``` 9 | Usage: build-sepolicy [-k] [-M] [-c|-p|-s] -d flask_directory -o output_file 10 | 11 | -k Output kernel classes only (exclude # userspace entries in the 12 | security_classes file). 13 | -M Output an MLS policy. 14 | -c Output a policy in CIL language (otherwise generate a kernel policy 15 | language policy). 16 | -p Output a file containing class and classpermissionsets + their order 17 | for use by CIL policies. 18 | -s Output a file containing initial SIDs + their order for use by 19 | CIL policies. 20 | -o The output file that will contain the policy source or header file. 21 | -d Directory containing the initial_sids, security_classes and 22 | access_vectors Flask files. 23 | ``` 24 | -------------------------------------------------------------------------------- /src/notebook-examples/sepgsql/README.md: -------------------------------------------------------------------------------- 1 | # SE-PostgreSQL Demo 2 | 3 | This README describes the instructions to build the initial testdb database 4 | that is used to test SE-PostgreSQL functionality. 5 | 6 | All tests have been carried out on Fedora 31 with the targeted policy 7 | using PostgreSQL server 11.7. 8 | 9 | The testdb-example.sql script is used to build the db. 10 | 11 | The Notebook SE-PostgreSQL demo requires the following packages to be 12 | installed: 13 | 14 | ``` 15 | postgresql 16 | postgresql-libs 17 | postgresql-server 18 | postgresql-contrib # This contains the sepgsql SELinux object manager 19 | postgresql-devel 20 | postgresql-docs 21 | ``` 22 | 23 | ## Installing PostgreSQL + sepgsql and building sample testdb database 24 | 25 | For a good intro to sepgsql read the following: 26 | [*/usr/share/doc/postgresql-docs/html/sepgsql.html*](/usr/share/doc/postgresql-docs/html/sepgsql.html) 27 | that should be installed with postgresql package. This also has instructions on 28 | how to initialise sepgsql and label the database. The instructions below 29 | have been extracted and modified to suit the demo. 30 | 31 | The following assumes the packages are installed and this is a first 32 | installation. Ensure SELinux is in permissive mode, otherwise various 33 | error are shown. Once installation is complete, enforcement mode can be ON. 34 | 35 | Note that the targeted policy will have installed the `postgresql` policy 36 | module. 37 | 38 | Must be set to permissive mode for setup - Probably because initially 39 | database is set to 'unlabeled' 40 | 41 | 1. `setenforce 0` 42 | 43 | 2. As root initialise PostgreSQL: 44 | 45 | `postgresql-setup --initdb --unit postgresql` 46 | 47 | If an error states that the 'Data directory is not empty!' then you 48 | have already built a database service (*/var/lib/pgsql/data* exists). 49 | 50 | 3. To use the SELinux sepgsql extension module, the *postgresql.conf* file 51 | needs to be updated as follows: 52 | 53 | `vi /var/lib/pgsql/data/postgresql.conf` 54 | 55 | and change the: 56 | 57 | #shared_preload_libraries = '' 58 | 59 | entry to read: 60 | 61 | shared_preload_libraries = 'sepgsql' 62 | 63 | 4. Start the PostgreSQL database by: 64 | 65 | `service postgresql start` 66 | 67 | 5. su to the postgres user and create roles for any database users giving 68 | them superuser rights: 69 | 70 | ``` 71 | su - postgres 72 | createuser root 73 | createuser .... 74 | ``` 75 | 76 | 6. Create the testdb database: 77 | 78 | `createdb --owner=root testdb` 79 | 80 | 7. Now Crtl\D to exit the postgres user and as root stop the db: 81 | 82 | `service postgresql stop` 83 | 84 | 8. The database now needs to be initialised to support labeling. This 85 | involves running an SQL script that is supplied in the 86 | postgresql-contrib package: 87 | 88 | `su - postgres` 89 | 90 | paste the following in to the terminal session: 91 | 92 | 93 | ``` 94 | for testdb in template0 template1 postgres; do 95 | postgres --single -F -c exit_on_error=true testdb \ 96 | 120 | 121 | --- 122 | **[[ PREV ]](polyinstantiation.md)** **[[ TOP ]](#)** **[[ NEXT ]](lsm_selinux.md)** 123 | -------------------------------------------------------------------------------- /src/policy_config_statements.md: -------------------------------------------------------------------------------- 1 | # Policy Configuration Statements 2 | 3 | - [*policycap*](#policycap) 4 | - [Adding A New Policy Capability](#adding-a-new-policy-capability) 5 | - [Kernel Updates](#kernel-updates) 6 | - [*libsepol* Library Updates](#libsepol-library-updates) 7 | - [Reference Policy Updates](#reference-policy-updates) 8 | - [CIL Policy Updates](#cil-policy-updates) 9 | 10 | ## *policycap* 11 | 12 | Policy version 22 introduced the *policycap* statement to allow new 13 | capabilities to be enabled or disabled in the kernel via policy in a 14 | backward compatible way. For example policies that are aware of a new 15 | capability can enable the functionality, while older policies would 16 | continue to use the original functionality. 17 | 18 | **The statement definition is:** 19 | 20 | ``` 21 | policycap capability; 22 | ``` 23 | 24 | **Where:** 25 | 26 | *policycap* 27 | 28 | The *policycap* keyword. 29 | 30 | *capability* 31 | 32 | A single *capability* identifier that will be enabled for this policy. 33 | 34 | **The statement is valid in:** 35 | 36 | Policy Type 37 | 38 | | Monolithic Policy | Base Policy | Module Policy | 39 | | ----------------------- | ----------------------- | ----------------------- | 40 | | Yes | Yes | No | 41 | 42 | Conditional Policy Statements 43 | 44 | | *if* Statement | *optional* Statement | *require* Statement | 45 | | ----------------------- | ----------------------- | ----------------------- | 46 | | No | No | No | 47 | 48 | **Example:** 49 | 50 | ``` 51 | # This statement enables the network_peer_controls to be enabled 52 | # for use by the policy. 53 | # 54 | policycap network_peer_controls; 55 | ``` 56 | 57 | ## Adding A New Policy Capability 58 | 59 | The kernel, userspace libsepol library and policy must be updated to enable 60 | the new capability as described below. For readability, the new capability 61 | should follow a consistent naming convention, where: 62 | 63 | - policy capability identifier is a lower-case string. 64 | - enum definition is ```POLICYDB_CAP_``` with the identifier appended in 65 | upper-case. 66 | - kernel function call is ```selinux_policycap_``` with the identifier 67 | appended in lower-case. 68 | 69 | ### Kernel Updates 70 | 71 | In kernel source update the following three files with the new capability: 72 | 73 | ***security/selinux/include/policycap_names.h*** 74 | 75 | Add new entry at end of this list: 76 | 77 | ``` 78 | /* Policy capability names */ 79 | const char *selinux_policycap_names[__POLICYDB_CAP_MAX] = { 80 | ... 81 | "genfs_seclabel_symlinks", 82 | "ioctl_skip_cloexec", 83 | "new_name" 84 | }; 85 | ``` 86 | 87 | ***security/selinux/include/policycap.h*** 88 | 89 | Add new entry at end of this list: 90 | 91 | ``` 92 | /* Policy capabilities */ 93 | enum { 94 | ... 95 | POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS, 96 | POLICYDB_CAP_IOCTL_SKIP_CLOEXEC, 97 | POLICYDB_CAP_NEW_NAME, 98 | __POLICYDB_CAP_MAX 99 | }; 100 | ``` 101 | 102 | ***security/selinux/include/security.h*** 103 | 104 | Add a new call to retrieve the loaded policy capability state: 105 | 106 | ``` 107 | static inline bool selinux_policycap_new_name(void) 108 | { 109 | struct selinux_state *state = &selinux_state; 110 | 111 | return READ_ONCE(state->policycap[POLICYDB_CAP_NEW_NAME]); 112 | } 113 | ``` 114 | 115 | Finally in the updated code that utilises the new policy capability do 116 | something like: 117 | 118 | ``` 119 | if (selinux_policycap_new_name()) 120 | do this; 121 | else 122 | do that; 123 | ``` 124 | 125 | ### *libsepol* Library Updates 126 | 127 | In selinux userspace source update the following two files with the new 128 | capability: 129 | 130 | ***selinux/libsepol/src/polcaps.c*** 131 | 132 | Add new entry at end of this list: 133 | 134 | ``` 135 | static const char * const polcap_names[] = { 136 | ... 137 | "genfs_seclabel_symlinks", /* POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS */ 138 | "ioctl_skip_cloexec", /* POLICYDB_CAP_IOCTL_SKIP_CLOEXEC */ 139 | "new_name", /* POLICYDB_CAP_NEW_NAME */ 140 | NULL 141 | }; 142 | ``` 143 | 144 | ***selinux/libsepol/include/sepol/policydb/polcaps.h*** 145 | 146 | Add new entry at end of this list: 147 | 148 | ``` 149 | /* Policy capabilities */ 150 | enum { 151 | ... 152 | POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS, 153 | POLICYDB_CAP_IOCTL_SKIP_CLOEXEC, 154 | POLICYDB_CAP_NEW_NAME, 155 | __POLICYDB_CAP_MAX 156 | }; 157 | ``` 158 | 159 | ### Reference Policy Updates 160 | 161 | To enable the new capability in Reference Policy, add a new entry to this file: 162 | 163 | ***policy/policy_capabilities*** 164 | 165 | New *policycap* statement added to end of file: 166 | 167 | ``` 168 | # A description of the capability 169 | policycap new_name; 170 | ``` 171 | 172 | To disable the capability, comment out the entry: 173 | 174 | ``` 175 | # A description of the capability 176 | #policycap new_name; 177 | ``` 178 | 179 | ### CIL Policy Updates 180 | 181 | To enable the capability in policy, add the following entry to a CIL 182 | source file: 183 | 184 | ``` 185 | ; A description of the capability 186 | (policycap new_name) 187 | ``` 188 | 189 | 190 | 191 | --- 192 | **[[ PREV ]](kernel_policy_language.md)** **[[ TOP ]](#)** **[[ NEXT ]](default_rules.md)** 193 | -------------------------------------------------------------------------------- /src/policy_languages.md: -------------------------------------------------------------------------------- 1 | # The SELinux Policy Languages 2 | 3 | There are two methods of writing 'raw' policy statements and rules: 4 | 5 | 1. The [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language) 6 | section is intended as a reference of the kernel policy language statements 7 | and rules with supporting examples taken from the Reference Policy sources. 8 | Also all of the language updates to Policy DB version 32 should have been 9 | captured. For a more detailed explanation of the policy language the 10 | [**SELinux by Example**](https://www.worldcat.org/title/selinux-by-example-using-security-enhanced-linux/oclc/85872880) 11 | book is recommended. 12 | 2. The Common Intermediate Language (CIL) project defines a new policy 13 | definition language that has an overview of its motivation and design 14 | at: , however some of the 15 | language statement definitions are out of date. The 16 | [**CIL Policy Language**](cil_overview.md#cil-overview) section gives 17 | an overview. 18 | 19 | However more likely, policy is written using the 20 | [**The Reference Policy**](reference_policy.md#the-reference-policy) 21 | as the base with kernel policy statements and rules added as required, for 22 | example: 23 | 24 | ``` 25 | ################################# 26 | # 27 | # Policy for testing stat operations 28 | # 29 | 30 | attribute test_stat_domain; ### Kernel policy statement ### 31 | 32 | # Types for test file. 33 | type test_stat_file_t; ### Kernel policy statement ### 34 | files_type(test_stat_file_t) ### Reference Policy macro ### 35 | 36 | # Domain for process that can get attributes on the test file. 37 | type test_stat_t; 38 | domain_type(test_stat_t) 39 | unconfined_runs_test(test_stat_t) 40 | typeattribute test_stat_t test_stat_domain; 41 | typeattribute test_stat_t testdomain; 42 | allow test_stat_t test_stat_file_t:file getattr; ### Kernel policy rule ### 43 | 44 | # Domain for process that cannot set attributes on the test file. 45 | type test_nostat_t; 46 | domain_type(test_nostat_t) 47 | unconfined_runs_test(test_nostat_t) 48 | typeattribute test_nostat_t test_stat_domain; 49 | typeattribute test_nostat_t testdomain; 50 | 51 | # TODO: what is a replacement for this in refpolicy??? 52 | # Allow all of these domains to be entered from sysadm domain 53 | require { ### Modular Policy rule ### 54 | type ls_exec_t; 55 | } 56 | domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain) 57 | domain_entry_file(test_stat_domain, ls_exec_t) 58 | ``` 59 | 60 | 61 | 62 | --- 63 | **[[ PREV ]](policy_config_files.md)** **[[ TOP ]](#)** **[[ NEXT ]](cil_overview.md)** 64 | -------------------------------------------------------------------------------- /src/policy_validation_example.md: -------------------------------------------------------------------------------- 1 | # Appendix E - Policy Validation Example 2 | 3 | This example has been taken from 4 | [**http://selinuxproject.org/page/PolicyValidate**](http://selinuxproject.org/page/PolicyValidate) 5 | just in case the site is removed some day. 6 | 7 | ***libsemanage(8)*** is the library responsible for building a kernel policy 8 | from policy modules. It has many features but one that is rarely 9 | mentioned is the policy validation hook. This example will show how to 10 | make a basic validator and tell ***libsemanage*** to run it before 11 | allowing any policy updates. 12 | 13 | The sample validator uses ***sesearch**(1)* to search for a rule 14 | between *user_t* and *shadow_t*. The purpose of this validator is 15 | to never allow a policy update that allows *user_t* to access *shadow_t*. 16 | 17 | To use the script below requires the **setools-console** package to be 18 | installed. 19 | 20 | Make a file in */usr/local/bin/validate* that contains the following (run 21 | *chmod +x* or ***semodule**(8)* will fail): 22 | 23 | ``` 24 | #!/bin/bash 25 | 26 | # Usage: validate 27 | 28 | # The following searches for a file rule with user_t as the source and 29 | # shadow_t as the target. 30 | # If the output of sesearch has "Found", meaning matching rules were found, 31 | # then grep will return 0 otherwise it will return 1. This is actually the 32 | # reverse of the logic we want, so we'll reverse it. 33 | 34 | sesearch --allow -s user_t -t shadow_t -c file $1 | grep "Found" > /dev/null 35 | 36 | if [ $? == 1 ]; then 37 | exit 0 38 | fi 39 | 40 | exit 1 41 | ``` 42 | 43 | Then add the validation script to */etc/selinux/semanage.conf*: 44 | 45 | ``` 46 | [verify kernel] 47 | path = /usr/local/bin/validate 48 | args = $@ 49 | [end] 50 | ``` 51 | 52 | Next try rebuilding the policy with no changes: 53 | 54 | ``` 55 | semodule -B 56 | ``` 57 | 58 | It should succeed, therefore build a module that would violate this rule: 59 | 60 | ``` 61 | module badmod 1.0; 62 | 63 | require { 64 | type user_t, shadow_t; 65 | class file { read }; 66 | } 67 | 68 | allow user_t shadow_t : file read; 69 | ``` 70 | 71 | Do the standard compilation steps: 72 | 73 | ``` 74 | checkmodule -o badmod.mod badmod.te -m -M 75 | 76 | checkmodule: loading policy configuration from badmod.te 77 | checkmodule: policy configuration loaded 78 | checkmodule: writing binary representation (version 17) to badmod.mod 79 | 80 | semodule_package -m badmod.mod -o badmod.pp 81 | ``` 82 | 83 | And then attempt to insert it: 84 | 85 | ``` 86 | semodule -i badmod.pp 87 | semodule: Failed! 88 | ``` 89 | 90 | Now run ***sesearch*** to ensure that there is no matching rule: 91 | 92 | ``` 93 | sesearch --allow -s user_t -t shadow_t -c file 94 | ``` 95 | 96 | Note that there are also a **\[verify module\]** and **\[verify linked\]** 97 | options as described in the 98 | [**Global Configuration Files** - *semanage.conf*](global_config_files.md#etcselinuxsemanage.conf) 99 | file section. 100 | 101 | 102 | 103 | --- 104 | **[[ PREV ]](debug_policy_hints.md)** **[[ TOP ]](#)** 105 | -------------------------------------------------------------------------------- /src/rbac.md: -------------------------------------------------------------------------------- 1 | # Role-Based Access Control 2 | 3 | To further control access to TE domains SELinux makes use of role-based 4 | access control (RBAC). This feature allows SELinux users to be 5 | associated to one or more roles, where each role is then associated to 6 | one or more domain types as shown in **Figure 4: Role Based Access Control**. 7 | 8 | The SELinux role name is the second component of a 'security context' 9 | and by convention SELinux roles end in *\_r*, however this is not 10 | enforced by any SELinux service (i.e. it is only used to identify the 11 | role component), although CIL with namespaces does make identification 12 | of a role easier for example a 'role' could be declared as 13 | *unconfined.role*. 14 | 15 | It is possible to add constraints and bounds on roles as discussed in 16 | the [**Type Enforcement**](type_enforcement.md#type-enforcement) section. 17 | 18 | Some policies, for example Android, only make use of one role called *r*. 19 | 20 | ![](./images/4-RBAC.png) 21 | 22 | **Figure 4: Role Based Access Control** - *Showing how SELinux controls 23 | access via user, role and domain type association.* 24 | 25 | 26 | 27 | --- 28 | **[[ PREV ]](users.md)** **[[ TOP ]](#)** **[[ NEXT ]](type_enforcement.md)** 29 | -------------------------------------------------------------------------------- /src/section_list.txt: -------------------------------------------------------------------------------- 1 | title.md 2 | toc.md 3 | terminology.md 4 | selinux_overview.md 5 | core_components.md 6 | mac.md 7 | users.md 8 | rbac.md 9 | type_enforcement.md 10 | security_context.md 11 | subjects.md 12 | objects.md 13 | computing_security_contexts.md 14 | computing_access_decisions.md 15 | domain_object_transitions.md 16 | mls_mcs.md 17 | types_of_policy.md 18 | modes.md 19 | auditing.md 20 | polyinstantiation.md 21 | pam_login.md 22 | lsm_selinux.md 23 | userspace_libraries.md 24 | network_support.md 25 | vm_support.md 26 | x_windows.md 27 | postgresql.md 28 | apache_support.md 29 | configuration_files.md 30 | global_config_files.md 31 | policy_store_config_files.md 32 | policy_config_files.md 33 | policy_languages.md 34 | cil_overview.md 35 | kernel_policy_language.md 36 | policy_config_statements.md 37 | default_rules.md 38 | user_statements.md 39 | role_statements.md 40 | type_statements.md 41 | bounds_rules.md 42 | avc_rules.md 43 | xperm_rules.md 44 | class_permission_statements.md 45 | conditional_statements.md 46 | constraint_statements.md 47 | mls_statements.md 48 | sid_statement.md 49 | file_labeling_statements.md 50 | network_statements.md 51 | infiniband_statements.md 52 | xen_statements.md 53 | modular_policy_statements.md 54 | reference_policy.md 55 | hardening.md 56 | implementing_seaware_apps.md 57 | embedded_systems.md 58 | seandroid.md 59 | object_classes_permissions.md 60 | libselinux_functions.md 61 | selinux_cmds.md 62 | debug_policy_hints.md 63 | policy_validation_example.md 64 | -------------------------------------------------------------------------------- /src/security_context.md: -------------------------------------------------------------------------------- 1 | # Security Context 2 | 3 | SELinux requires a security context to be associated with every process 4 | (or subject) and object that are used by the security server to decide 5 | whether access is allowed or not as defined by the policy. 6 | 7 | The security context is also known as a 'security label' or just label 8 | that can cause confusion as there are many types of label depending on 9 | the context. 10 | 11 | Within SELinux, a security context is represented as variable-length 12 | strings that define the SELinux user (this is not the Linux user id. The 13 | Linux user id is mapped to the SELinux user id by configuration files), 14 | their role, a type identifier and an optional MCS / MLS security range or 15 | level as follows: 16 | 17 | ``` 18 | user:role:type[:range] 19 | ``` 20 | 21 | **Where:** 22 | 23 | *user* 24 | 25 | - The SELinux user identity. This can be associated to one or more roles 26 | that the SELinux user is allowed to use. 27 | 28 | *role* 29 | 30 | - The SELinux role. This can be associated to one or more types the SELinux 31 | user is allowed to access. 32 | 33 | *type* 34 | 35 | - When a type is associated with a process, it defines what processes 36 | (or domains) the SELinux user (the subject) can access. 37 | When a type is associated with an object, it defines what access 38 | permissions the SELinux user has to that object. 39 | 40 | *range* 41 | 42 | - This field can also be know as a *level* and is only present if the policy 43 | supports MCS or MLS. The entry can consist of: 44 | - A single security level that contains a sensitivity level and zero 45 | or more categories (e.g. *s0*, *s1:c0*, *s7:c10.c15*). 46 | - A range that consists of two security levels (a low and high) separated 47 | by a hyphen (e.g. *s0 - s15:c0.c1023*). 48 | - These components are discussed in the 49 | [**Security Levels**]( mls_mcs.md#security-levels) section. 50 | 51 | However note that: 52 | 53 | 1. Access decisions regarding a subject make use of all the components 54 | of the **security context**. 55 | 2. Access decisions regarding an object make use of the components as 56 | follows: 57 | 1. the user is either set to a special user called *system_u*[^fn_sc_1] 58 | or it is set to the SELinux user id of the creating process. It is 59 | possible to add constraints on users within policy based on 60 | their object class (an example of this is the Reference Policy 61 | UBAC (User Based Access Control) option. 62 | 2. the role is generally set to a special SELinux internal role of 63 | *object_r*, although policy version 26 with kernel 2.6.39 and 64 | above do support role transitions on any object class. It is 65 | then possible to add constraints on the role within policy 66 | based on their object class. 67 | 68 | The [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts) 69 | section describes how SELinux computes the security context components based 70 | on a *source context*, *target context* and object *class*. 71 | 72 | The examples below show security contexts for processes, directories and files 73 | (note that the policy did not support MCS or MLS, therefore no *level* field): 74 | 75 | **Example Process Security Context:** 76 | 77 | ``` 78 | # These are process security contexts taken from a ps -Z command 79 | # (edited for clarity) that show four processes: 80 | 81 | LABEL PID TTY CMD 82 | unconfined_u:unconfined_r:unconfined_t 2539 pts/0 bash 83 | unconfined_u:message_filter_r:ext_gateway_t 3134 pts/0 secure_server 84 | unconfined_u:message_filter_r:int_gateway_t 3138 pts/0 secure_server 85 | unconfined_u:unconfined_r:unconfined_t 3146 pts/0 ps 86 | 87 | # Note the bash and ps processes are running under the 88 | # unconfined_t domain, however the secure_server has two instances 89 | # running under two different domains (ext_gateway_t and 90 | # int_gateway_t). Also note that they are using the 91 | # message_filter_r role whereas bash and ps use unconfined_r. 92 | # 93 | # These results were obtained by running the system in permissive mode. 94 | ``` 95 | 96 | **Example Object Security Context:** 97 | 98 | ``` 99 | # These are the message queue directory object security contexts 100 | # taken from an ls -Zd command (edited for clarity): 101 | system_u:object_r:in_queue_t /usr/message_queue/in_queue 102 | system_u:object_r:out_queue_t /usr/message_queue/out_queue 103 | 104 | # Note that they are instantiated with system_u and object_r 105 | ``` 106 | 107 | ``` 108 | # These are the message queue file object security contexts 109 | # taken from an ls -Z command (edited for clarity): 110 | /usr/message_queue/in_queue: 111 | unconfined_u:object_r:in_file_t Message-1 112 | unconfined_u:object_r:in_file_t Message-2 113 | /usr/message_queue/out_queue: 114 | unconfined_u:object_r:out_file_t Message-10 115 | unconfined_u:object_r:out_file_t Message-11 116 | 117 | # Note that they are instantiated with unconfined_u as that was 118 | # the SELinux user id of the process that created the files 119 | # (see the process example above). The role remained as object_r. 120 | ``` 121 | 122 | [^fn_sc_1]: The user *system_u* name is not mandatory, it is used to signify 123 | a special user in the Reference Policy. It is also used in some SELinux 124 | utilities. 125 | 126 | 127 | 128 | --- 129 | **[[ PREV ]](type_enforcement.md)** **[[ TOP ]](#)** **[[ NEXT ]](subjects.md)** 130 | -------------------------------------------------------------------------------- /src/selinux_cmds.md: -------------------------------------------------------------------------------- 1 | # Appendix C - SELinux Commands 2 | 3 | This section gives a brief summary of the SELinux specific commands. 4 | Some of these have been used within this Notebook, however the 5 | appropriate man pages do give more detail and the SELinux project site 6 | has a page that details all the available tools and commands at: 7 | 8 | 9 | 10 | ***audit2allow**(1)* 11 | 12 | Generates policy allow rules from an audit log file. 13 | 14 | ***audit2why**(8)* 15 | 16 | Describes audit log messages and why access was denied. 17 | 18 | ***avcstat**(8)* 19 | 20 | Displays the AVC statistics. 21 | 22 | ***chcat**(8)* 23 | 24 | Change or remove a category from a file or user. 25 | 26 | ***chcon**(1)* 27 | 28 | Changes the security context of a file. 29 | 30 | ***checkmodule**(8)* 31 | 32 | Compiles base and loadable modules from source. 33 | 34 | ***checkpolicy**(8)* 35 | 36 | Compiles a monolithic policy from source. 37 | 38 | ***fixfiles**(8)* 39 | 40 | Update / correct the security context of for filesystems that use extended 41 | attributes. 42 | 43 | ***genhomedircon**(8)* 44 | 45 | Generates file configuration entries for users home directories. 46 | This command has also been built into ***semanage**(8)*, therefore when using 47 | the policy store / loadable modules this does not need to be used. 48 | 49 | ***getenforce**(1)* 50 | 51 | Shows the current enforcement state. 52 | 53 | ***getsebool**(8)* 54 | 55 | Shows the state of the booleans. 56 | 57 | ***load_policy**(8)* 58 | 59 | Loads a new policy into the kernel. Not required when using ***semanage**(8)* / 60 | ***semodule**(8)* commands. 61 | 62 | ***matchpathcon**(8)* 63 | 64 | Show a files path and security context. 65 | 66 | ***newrole**(1)* 67 | 68 | Allows users to change roles - runs a new shell with the new security context. 69 | 70 | ***restorecon**(8)* 71 | 72 | Sets the security context on one or more files. 73 | 74 | ***run_init**(8)* 75 | 76 | Runs an *init* script under the correct context. 77 | 78 | ***runcon**(1)* 79 | 80 | Runs a command with the specified context. 81 | 82 | ***selinuxenabled**(1)* 83 | 84 | Shows whether SELinux is enabled or not. 85 | 86 | ***semanage**(8)* 87 | 88 | Used to configure various areas of a policy within a policy store. 89 | 90 | ***semodule**(8)* 91 | 92 | Used to manage the installation, upgrading etc. of policy modules. 93 | 94 | ***semodule_expand**(8)* 95 | 96 | Manually expand a base policy package into a kernel binary policy file. 97 | 98 | ***semodule_link**(8)* 99 | 100 | Manually link a set of module packages. 101 | 102 | ***semodule_package**(8)* 103 | 104 | Create a module package with various configuration files (file context etc.) 105 | 106 | ***sestatus**(8)* 107 | 108 | Show the current status of SELinux and the loaded policy. 109 | 110 | ***setenforce**(1)* 111 | 112 | Sets / unsets enforcement mode. 113 | 114 | ***setfiles**(8)* 115 | 116 | Initialise the extended attributes of filesystems. 117 | 118 | ***setsebool**(8)* 119 | 120 | Sets the state of a boolean to on or off persistently across reboots or for 121 | this session only. 122 | 123 | 124 | 125 | --- 126 | **[[ PREV ]](libselinux_functions.md)** **[[ TOP ]](#)** **[[ NEXT ]](debug_policy_hints.md)** 127 | -------------------------------------------------------------------------------- /src/selinux_overview.md: -------------------------------------------------------------------------------- 1 | # SELinux Overview 2 | 3 | SELinux is the primary Mandatory Access Control (MAC) mechanism built 4 | into a number of GNU / Linux distributions. SELinux originally started 5 | as the Flux Advanced Security Kernel (FLASK) development by the Utah 6 | university Flux team and the US Department of Defence. The development 7 | was enhanced by the NSA and released as open source software (see: 8 | ). 9 | 10 | Each of the sections that follow will describe a component of SELinux, 11 | and hopefully they are in some form of logical order. 12 | 13 | ## Is SELinux useful 14 | 15 | There are many views on the usefulness of SELinux on Linux based 16 | systems, this section gives a brief view of what SELinux is good at and 17 | what it is not (because it's not designed to do it). 18 | 19 | SELinux is not just for military or high security systems where 20 | Multi-Level Security (MLS) is required (for functionality such as 'no 21 | read up' and 'no write down'), as using the 'type enforcement' (TE) 22 | functionality applications can be confined (or contained) within domains 23 | and limited to the minimum privileges required to do their job, so in a 24 | 'nutshell': 25 | 26 | 1. **The First Security Principle:** ***Trust nothing, trust nobody, all 27 | they want is your money and/or your information*** (*unless of course you 28 | can prove otherwise beyond all reasonable doubt*). 29 | 2. If SELinux is enabled, the policy defines what access to resources 30 | and operations on them (e.g. read, write) are allowed (i.e. SELinux 31 | stops all access unless allowed by policy). This is why SELinux is 32 | called a 'mandatory access control' (MAC) system. 33 | 3. The policy design, implementation and testing against a defined 34 | security policy or requirements is important, otherwise there could 35 | be 'a false sense of security'. 36 | 4. SELinux can confine an application within its own 'domain' and allow 37 | it to have the minimum privileges required to do its job. Should 38 | the application require access to networks or other applications (or 39 | their data), then (as part of the security policy design), this 40 | access would need to be granted (so at least it is known what 41 | interactions are allowed and what are not - a good security goal). 42 | 5. Should an application 'do something' it is not allowed by policy 43 | (intentional or otherwise), then SELinux would stop these actions. 44 | 6. Should an application 'do something' it is allowed by policy, then 45 | SELinux may contain any damage that maybe done intentional or 46 | otherwise. For example if an application is allowed to delete all of 47 | its data files or database entries and the bug, virus or malicious 48 | user gains these privileges then it would be able to do the same. 49 | However the good news is that if the policy 'confined' the 50 | application and data, all your other data should still be there. 51 | 7. User login sessions can be confined to their own domains. This 52 | allows clients they run to be given only the privileges they need 53 | (e.g. admin users, sales staff users, HR staff users etc.). This 54 | again will confine/limit any damage or leakage of data. 55 | 8. Some applications (X-Windows for example) are difficult to confine 56 | as they are generally designed to have total access to all 57 | resources. SELinux can generally overcome these issues by providing 58 | sandboxing services. 59 | 9. SELinux will not stop memory leaks or buffer over-runs (because it's 60 | not designed to do this), however it may contain the damage that may 61 | be caused by these flaws. 62 | 10. SELinux will not stop all viruses/malware getting into the system, 63 | as there are many ways they could be introduced (including 64 | legitimate users), however it should limit the damage or leaks they 65 | cause. 66 | 11. SELinux will not stop kernel vulnerabilities, however it may limit 67 | their effects. 68 | 12. If a user has the relevant permissions it is easy to add new rules 69 | to a SELinux policy using tools such as ***audit2allow**(1)*. 70 | Nevertheless be aware that this may start opening holes, so do 71 | double check the necessity of a given rule. 72 | 13. Finally, SELinux cannot stop anything allowed by the security 73 | policy, so good design is important. 74 | 75 | The following maybe useful in providing a practical view of SELinux: 76 | 77 | 1. Your visual how-to guide for SELinux policy enforcement, available from: 78 | 79 | 2. A discussion regarding Apache servers and SELinux that may look 80 | negative at first but highlights the containment points above. This 81 | is the initial study: 82 | , 83 | and this is a response to the study: 84 | . 85 | 3. SELinux services have been added to Android. The presentation 86 | "Security Enhancements (SE) for Android" gives use-cases and 87 | types of Android exploits that SELinux could have overcome. The 88 | presentation and others are available at: 89 | 90 | 4. Older NSA documentation at: 91 | that is informative. 92 | 93 | 94 | 95 | --- 96 | **[[ PREV ]](terminology.md)** **[[ TOP ]](#)** **[[ NEXT ]](core_components.md)** 97 | -------------------------------------------------------------------------------- /src/sid_statement.md: -------------------------------------------------------------------------------- 1 | # Security ID (SID) Statement 2 | 3 | - [*sid*](#sid) 4 | - [*sid context*](#sid-context) 5 | 6 | There are two *sid* statements, the first one declares the actual *sid* 7 | identifier and is defined at the start of a policy source file. The 8 | second statement is used to associate an initial security context to the 9 | *sid*, this is used when SELinux initialises but the policy has not yet 10 | been activated or as a default context should an object have an invalid 11 | label. 12 | 13 | ## *sid* 14 | 15 | The *sid* statement declares the actual SID identifier and is defined at 16 | the start of a policy source file. 17 | 18 | **The statement definition is:** 19 | 20 | ``` 21 | sid sid_id 22 | ``` 23 | 24 | **Where:** 25 | 26 | *sid* 27 | 28 | The *sid* keyword. 29 | 30 | *sid_id* 31 | 32 | The *sid* identifier. 33 | 34 | **The statement is valid in:** 35 | 36 | Policy Type 37 | 38 | | Monolithic Policy | Base Policy | Module Policy | 39 | | ----------------------- | ----------------------- | ----------------------- | 40 | | Yes | Yes | No | 41 | 42 | Conditional Policy Statements 43 | 44 | | *if* Statement | *optional* Statement | *require* Statement | 45 | | ----------------------- | ----------------------- | ----------------------- | 46 | | No | No | No | 47 | 48 | **Example:** 49 | 50 | ``` 51 | # This example has been taken from the Reference Policy source 52 | # policy/flask/initial_sids file and declares some of the initial SIDs: 53 | # 54 | 55 | sid kernel 56 | sid security 57 | sid unlabeled 58 | sid fs 59 | ``` 60 | 61 | ## *sid context* 62 | 63 | The *sid context* statement is used to associate an initial security 64 | context to the SID. 65 | 66 | **The statement definition is:** 67 | 68 | ``` 69 | sid sid_id context 70 | ``` 71 | 72 | **Where:** 73 | 74 | *sid* 75 | 76 | The *sid* keyword. 77 | 78 | *sid_id* 79 | 80 | The previously declared *sid* identifier. 81 | 82 | *context* 83 | 84 | The initial security context. 85 | 86 | **The statement is valid in:** 87 | 88 | Policy Type 89 | 90 | | Monolithic Policy | Base Policy | Module Policy | 91 | | ----------------------- | ----------------------- | ----------------------- | 92 | | Yes | Yes | No | 93 | 94 | Conditional Policy Statements 95 | 96 | | *if* Statement | *optional* Statement | *require* Statement | 97 | | ----------------------- | ----------------------- | ----------------------- | 98 | | No | No | No | 99 | 100 | **Examples:** 101 | 102 | ``` 103 | # This is from a targeted policy: 104 | 105 | sid unlabeled 106 | ... 107 | sid unlabeled system_u:object_r:unlabeled_t 108 | ``` 109 | 110 | ``` 111 | # This is from an MLS policy. Note that the security level 112 | # is set to SystemHigh as it may need to label any object in 113 | # the system. 114 | 115 | sid unlabeled 116 | ... 117 | sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255 118 | ``` 119 | 120 | 121 | 122 | --- 123 | **[[ PREV ]](mls_statements.md)** **[[ TOP ]](#)** **[[ NEXT ]](file_labeling_statements.md)** 124 | -------------------------------------------------------------------------------- /src/styles_epub.css: -------------------------------------------------------------------------------- 1 | 2 | .title { 3 | /* pandoc generates the h1 title with the "title" class */ 4 | display: none; 5 | } 6 | 7 | .author { 8 | display: none; 9 | } 10 | 11 | .rights { 12 | display: none; 13 | } 14 | 15 | html { 16 | font-size: 100%; 17 | } 18 | 19 | a { 20 | color: blue; 21 | } 22 | 23 | table { 24 | /* limit to 95% page width */ 25 | min-width: 50%; 26 | max-width: 95%; 27 | /* combine table borders when they are adjacent */ 28 | border-collapse: collapse; 29 | } 30 | table th { 31 | padding: 0.5em; 32 | border: 1px solid black; 33 | background-color: #d3d3d3; 34 | } 35 | table tr, td { 36 | padding: 0.5em; 37 | border: 1px solid black; 38 | } 39 | 40 | img { 41 | /* center and limit to 95% page width */ 42 | display: block; 43 | margin-left: auto; 44 | margin-right: auto; 45 | max-width: 95%; 46 | } 47 | 48 | pre { 49 | width: 95%; 50 | padding: 1em; 51 | background-color: #f5f5f5; 52 | } 53 | -------------------------------------------------------------------------------- /src/styles_html.css: -------------------------------------------------------------------------------- 1 | 2 | .title { 3 | /* pandoc generates the h1 title with the "title" class */ 4 | display: none; 5 | } 6 | 7 | .author { 8 | display: none; 9 | } 10 | 11 | .rights { 12 | display: none; 13 | } 14 | 15 | html { 16 | /* 1em is specified as 16pt, 75% should be 12pt */ 17 | font-size: 100%; 18 | } 19 | 20 | a { 21 | color: blue; 22 | } 23 | 24 | table { 25 | /* limit to 95% page width */ 26 | min-width: 50%; 27 | max-width: 95%; 28 | /* combine table borders when they are adjacent */ 29 | border-collapse: collapse; 30 | } 31 | table th { 32 | padding: 0.5em; 33 | border: 1px solid black; 34 | background-color: #d3d3d3; 35 | } 36 | table tr, td { 37 | padding: 0.5em; 38 | border: 1px solid black; 39 | } 40 | 41 | img { 42 | /* center and limit to 95% page width */ 43 | display: block; 44 | margin-left: auto; 45 | margin-right: auto; 46 | max-width: 95%; 47 | } 48 | 49 | pre { 50 | width: 95%; 51 | padding: 1em; 52 | background-color: #f5f5f5; 53 | } 54 | -------------------------------------------------------------------------------- /src/styles_pdf.css: -------------------------------------------------------------------------------- 1 | 2 | @page :first { 3 | /* printed page - 1st page */ 4 | 5 | /* header and footer */ 6 | @top-center { 7 | content: ""; 8 | width: 100%; 9 | border-bottom: 1px solid black; 10 | margin-bottom: 1em; 11 | } 12 | @bottom-right { 13 | content: ""; 14 | width: 100%; 15 | border-top: 1px solid black; 16 | margin-top: 1em; 17 | } 18 | } 19 | 20 | @page { 21 | /* printed page - defaults */ 22 | 23 | /* page size defaults */ 24 | size: Letter; 25 | margin: 0.75in 0.75in 0.75in 0.75in; 26 | 27 | /* widow/orphan control */ 28 | widows: 3; 29 | orphans: 3; 30 | 31 | /* header and footer */ 32 | @top-center { 33 | content: "The SELinux Notebook"; 34 | width: 100%; 35 | border-bottom: 1px solid black; 36 | margin-bottom: 1em; 37 | } 38 | @bottom-right { 39 | content: "Page " counter(page); 40 | width: 100%; 41 | border-top: 1px solid black; 42 | margin-top: 1em; 43 | } 44 | } 45 | 46 | .title { 47 | /* pandoc generates the h1 title with the "title" class */ 48 | display: none; 49 | } 50 | 51 | .author { 52 | display: none; 53 | } 54 | 55 | .rights { 56 | display: none; 57 | } 58 | 59 | html { 60 | /* 1em is specified as 16pt, 75% should be 12pt */ 61 | font-size: 75%; 62 | } 63 | 64 | a { 65 | color: blue; 66 | } 67 | 68 | table { 69 | /* center and force/limit to 95% page width */ 70 | margin-left: auto; 71 | margin-right: auto; 72 | width: 95%; 73 | /* combine table borders when they are adjacent */ 74 | border-collapse: collapse; 75 | /* TODO: once we finish the HTML->Markdown conversion we should 76 | * revaluate the 'table-layout: fixed' hack below */ 77 | table-layout: fixed; 78 | } 79 | table th { 80 | padding: 0.5em; 81 | border: 1px solid black; 82 | background-color: #d3d3d3; 83 | /* TODO: once we finish the HTML->Markdown conversion we should 84 | * revaluate the 'word-wrap: break-word' hack below */ 85 | word-wrap: break-word; 86 | } 87 | table tr, td { 88 | padding: 0.5em; 89 | border: 1px solid black; 90 | /* TODO: once we finish the HTML->Markdown conversion we should 91 | * revaluate the 'word-wrap: break-word' hack below */ 92 | word-wrap: break-word; 93 | } 94 | 95 | img { 96 | /* center and limit to 95% page width */ 97 | display: block; 98 | margin-left: auto; 99 | margin-right: auto; 100 | max-width: 95%; 101 | } 102 | 103 | pre { 104 | /* force/limit to 95% page width */ 105 | width: 95%; 106 | padding: 1em; 107 | background-color: #f5f5f5; 108 | } 109 | -------------------------------------------------------------------------------- /src/subjects.md: -------------------------------------------------------------------------------- 1 | # Subjects 2 | 3 | A subject is an active entity generally in the form of a person, 4 | process, or device that causes information to flow among objects or 5 | changes the system state. 6 | 7 | Within SELinux a subject is an active process and has a 8 | [**security context**](security_context.md#security-context) associated with 9 | it, however a process can also be referred to as an object depending on the 10 | context in which it is being taken, for example: 11 | 12 | 1. A running process (i.e. an active entity) is a subject because it 13 | causes information to flow among objects or can change the system 14 | state. 15 | 2. The process can also be referred to as an object because each 16 | process has an associated object class[^fn_sub_1] 17 | called ***process***. This process 'object', defines what permissions the 18 | policy is allowed to grant or deny on the active process. 19 | 20 | An example is given of the above scenarios in the 21 | [**Allowing a Process Access to Resources**](objects.md#allowing-a-process-access-to-resources) 22 | section. 23 | 24 | In SELinux subjects can be: 25 | 26 | **Trusted** - Generally these are commands, applications etc. that have 27 | been written or modified to support specific SELinux functionality to 28 | enforce the security policy (e.g. the kernel, init, pam, xinetd and 29 | login). However, it can also cover any application that the organisation 30 | is willing to trust as a part of the overall system. Although (depending 31 | on your paranoia level), the best policy is to trust nothing until it 32 | has been verified that it conforms to the security policy. Generally 33 | these trusted applications would run in either their own domain (e.g. 34 | the audit daemon could run under auditd\_t) or grouped together (e.g. 35 | the ***semanage**(8)* and ***semodule**(8)* commands could be grouped 36 | under *semanage_t*). 37 | 38 | **Untrusted** - Everything else. 39 | 40 | [^fn_sub_1]: The object class and its associated permissions are explained in 41 | [**Appendix A - Object Classes and Permissions - Process Object Class**](object_classes_permissions.md#process-object-class) 42 | 43 | 44 | 45 | --- 46 | **[[ PREV ]](security_context.md)** **[[ TOP ]](#)** **[[ NEXT ]](objects.md)** 47 | -------------------------------------------------------------------------------- /src/title.md: -------------------------------------------------------------------------------- 1 | 2 | ## Copyright Information 3 | 4 | Copyright (c) 2020 [*Richard Haines*](mailto:richard_c_haines@btinternet.com) 5 | 6 | Copyright (c) 2020 [*Paul Moore*](mailto:paul@paul-moore.com) 7 | 8 | Permission is granted to copy, distribute and/or modify this document 9 | under the terms of the GNU Free Documentation License, Version 1.3 or 10 | any later version published by the Free Software Foundation. 11 | 12 | See: **** 13 | 14 | ## Acknowledgements 15 | 16 | The Notebook was originally created by *Richard Haines* who graciously donated 17 | the source material to the SELinux project. 18 | 19 | The SELinux logo was designed by [*Máirín Duffy*](https://blog.linuxgrrl.com). 20 | 21 | 22 | 23 | ## Introduction 24 | 25 | This Notebook should help with explaining: 26 | 27 | 1. SELinux and its purpose in life. 28 | 2. The LSM / SELinux architecture, its supporting services and how they 29 | are implemented within GNU / Linux. 30 | 3. SELinux Networking, Virtual Machine, X-Windows, PostgreSQL and 31 | Apache/SELinux-Plus SELinux-aware capabilities. 32 | 4. The core SELinux kernel policy language and how basic policy modules 33 | can be constructed for instructional purposes. 34 | 5. An introduction to the new Common Intermediate Language (CIL) 35 | implementation. 36 | 6. The core SELinux policy management tools with examples of usage. 37 | 7. The Reference Policy architecture, its supporting services and how 38 | it is implemented. 39 | 8. The integration of SELinux within Android. 40 | 41 | ### Notebook Overview 42 | 43 | This volume has the following major sections: 44 | 45 | **SELinux Overview** - Gives a description of SELinux and its major 46 | components to provide Mandatory Access Control services for GNU / Linux. 47 | Hopefully it will show how all the SELinux components link together and 48 | how SELinux-aware applications / object manager have been implemented 49 | (such as Networking, X-Windows, PostgreSQL and virtual machines). 50 | 51 | **SELinux Configuration Files** - Describes all known SELinux 52 | configuration files with samples. Also lists any specific SELinux 53 | commands or libselinux APIs used by them. 54 | 55 | **SELinux Policy Language** - Gives a brief description of each policy 56 | language statement, with supporting examples taken from the Reference 57 | Policy source. Also an introduction to the new CIL language (Common 58 | Intermediate Language). 59 | 60 | **The Reference Policy** - Describes the Reference Policy and its 61 | supporting macros. 62 | 63 | **Android** - An overview of the SELinux services used to support 64 | Android. 65 | 66 | **Object Classes and Permissions** - Describes the SELinux object 67 | classes and permissions. 68 | 69 | #### Notebook Examples 70 | 71 | The Notebook examples are not embedded into any of the document formats 72 | described in 73 | ****, 74 | however they will have links to them in their build directories. 75 | 76 | ### Updated Editions 77 | 78 | The SELinux Notebook is being maintained as part of the SELinux project, more 79 | recent editions may be available. 80 | 81 | See: **** 82 | 83 | 84 | 85 | --- 86 | **[[ TOP ]](#)** **[[ NEXT ]](toc.md)** 87 | -------------------------------------------------------------------------------- /src/toc.md: -------------------------------------------------------------------------------- 1 | ## Table of Contents 2 | 3 | - [Abbreviations and Terminology](terminology.md#abbreviations-and-terminology) 4 | - [SELinux Overview](selinux_overview.md#selinux-overview) 5 | - [Core Components](core_components.md#core-selinux-components) 6 | - [Mandatory Access Control (MAC)](mac.md#mandatory-access-control) 7 | - [SELinux Users](users.md#selinux-users) 8 | - [Role-Based Access Control (RBAC)](rbac.md#role-based-access-control) 9 | - [Type Enforcement (TE)](type_enforcement.md#type-enforcement) 10 | - [Security Context](security_context.md#security-context) 11 | - [Subjects](subjects.md#subjects) 12 | - [Objects](objects.md#objects) 13 | - [Computing Security Contexts](computing_security_contexts.md#computing-security-contexts) 14 | - [Computing Access Decisions](computing_access_decisions.md#computing-access-decisions) 15 | - [Domain and Object Transitions](domain_object_transitions.md#domain-and-object-transitions) 16 | - [Multi-Level and Multi-Category Security](mls_mcs.md#multi-level-and-multi-category-security) 17 | - [Types of SELinux Policy](types_of_policy.md#types-of-selinux-policy) 18 | - [Permissive and Enforcing Modes](modes.md#selinux-permissive-and-enforcing-modes) 19 | - [Auditing Events](auditing.md#auditing-selinux-events) 20 | - [Polyinstantiation Support](polyinstantiation.md#polyinstantiation-support) 21 | - [PAM Login Process](pam_login.md#pam-login-process) 22 | - [Linux Security Module and SELinux](lsm_selinux.md#linux-security-module-and-selinux) 23 | - [Userspace Libraries](userspace_libraries.md#selinux-userspace-libraries) 24 | - [Networking Support](network_support.md#selinux-networking-support) 25 | - [Virtual Machine Support](vm_support.md#selinux-virtual-machine-support) 26 | - [X-Windows Support](x_windows.md#x-windows-selinux-support) 27 | - [SE-PostgreSQL Support](postgresql.md#postgresql-selinux-support) 28 | - [Apache-Plus Support](apache_support.md#apache-selinux-support) 29 | - [SELinux Configuration Files](configuration_files.md#selinux-configuration-files) 30 | - [Global Configuration Files](global_config_files.md#global-configuration-files) 31 | - [Policy Store Configuration Files](policy_store_config_files.md#policy-store-configuration-files) 32 | - [Policy Configuration Files](policy_config_files.md#policy-configuration-files) 33 | - [SELinux Policy Languages](policy_languages.md#the-selinux-policy-languages) 34 | - [CIL Policy Language](cil_overview.md#cil-overview) 35 | - [CIL Reference Guide](./notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf) 36 | - [Kernel Policy Language](kernel_policy_language.md#kernel-policy-language) 37 | - [Policy Configuration Statements](policy_config_statements.md#policy-configuration-statements) 38 | - [Default Rules](default_rules.md#default-object-rules) 39 | - [User Statements](user_statements.md#user-statements) 40 | - [Role Statements](role_statements.md#role-statements) 41 | - [Type Statements](type_statements.md#type-statements) 42 | - [Bounds Rules](bounds_rules.md#bounds-rules) 43 | - [Access Vector Rules](avc_rules.md#access-vector-rules) 44 | - [Extended Access Vector Rules](xperm_rules.md#extended-access-vector-rules) 45 | - [Object Class and Permission Statements](class_permission_statements.md#object-class-and-permission-statements) 46 | - [Conditional Policy Statements](conditional_statements.md#conditional-policy-statements) 47 | - [Constraint Statements](constraint_statements.md#constraint-statements) 48 | - [MLS Statements](mls_statements.md#mls-statements) 49 | - [Security ID (SID) Statement](sid_statement.md#security-id-sid-statement) 50 | - [File System Labeling Statements](file_labeling_statements.md#file-system-labeling-statements) 51 | - [Network Labeling Statements](network_statements.md#network-labeling-statements) 52 | - [InfiniBand Labeling Statements](infiniband_statements.md#infiniband-labeling-statements) 53 | - [XEN Statements](xen_statements.md#xen-statements) 54 | - [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements) 55 | - [The Reference Policy](reference_policy.md#the-reference-policy) 56 | - [Hardening SELinux](hardening.md#hardening-selinux) 57 | - [Implementing SELinux-aware Applications](implementing_seaware_apps.md#implementing-selinux-aware-applications) 58 | - [Embedded Systems](embedded_systems.md#embedded-systems) 59 | - [SE for Android](seandroid.md#security-enhancements-for-android) 60 | - [Appendix A - Object Classes and Permissions](object_classes_permissions.md#appendix-a---object-classes-and-permissions) 61 | - [Appendix B - *libselinux* API Summary](libselinux_functions.md#appendix-b---libselinux-api-summary) 62 | - [Appendix C - SELinux Commands](selinux_cmds.md#appendix-c---selinux-commands) 63 | - [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips) 64 | - [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example) 65 | 66 | 67 | 68 | --- 69 | **[[ PREV ]](title.md)** **[[ TOP ]](#)** **[[ NEXT ]](terminology.md)** 70 | -------------------------------------------------------------------------------- /src/type_enforcement.md: -------------------------------------------------------------------------------- 1 | # Type Enforcement 2 | 3 | - [Constraints](#constraints) 4 | - [Bounds](#bounds) 5 | 6 | SELinux makes use of a specific style of type enforcement (TE) to enforce 7 | mandatory access control. For SELinux it means that all 8 | [**subjects**](subjects.md#subjects) and [**objects**](objects.md#objects) 9 | have a *type* identifier associated to them that can then be used to enforce 10 | rules laid down by policy. 11 | 12 | The SELinux *type* identifier is a simple variable-length string that is 13 | defined in the policy and then associated to a 14 | [**security context**](security_context.md#security-context). 15 | It is also used in the majority of 16 | [**SELinux language statements and rules**](policy_languages.md#the-selinux-policy-languages) 17 | used to build a policy that will, when loaded into the security 18 | server, enforce policy via the object managers. 19 | 20 | Because the *type* identifier (or just 'type') is associated to all 21 | subjects and objects, it can sometimes be difficult to distinguish what 22 | the type is actually associated with (it's not helped by the fact that 23 | by convention, type identifiers end in *\_t*). In the end it comes down 24 | to understanding how they are allocated in the policy itself and how 25 | they are used by SELinux services (although CIL policies with namespaces 26 | do help in that a domain process 'type' could be declared as 27 | *msg_filter.ext_gateway.process* with object types being any others 28 | (such as *msg_filter.ext_gateway.exec*). 29 | 30 | Basically if the type identifier is used to reference a subject it is 31 | referring to a Linux process or collection of processes (a domain or 32 | domain type). If the type identifier is used to reference an object then 33 | it is specifying its object type (i.e. file type). 34 | 35 | While SELinux refers to a subject as being an active process that is 36 | associated to a domain type, the scope of an SELinux type enforcement 37 | domain can vary widely. For example in the simple 38 | [**Kernel policy**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt) 39 | in the *notebook-examples*, all the processes on the system run in the 40 | *unconfined_t* domain, therefore every process is 41 | 'of type *unconfined_t*' (that means it can do whatever it likes within 42 | the limits of the standard Linux DAC policy as all access is allowed by 43 | SELinux). 44 | 45 | It is only when additional policy statements are added to the simple 46 | policy that areas start to be confined. For example, an external gateway 47 | is run in its own isolated domain (*ext_gateway_t*) that cannot be 48 | 'interfered' with by any of the *unconfined_t* processes (except to run 49 | or transition the gateway process into its own domain). This scenario is 50 | similar to the 'targeted' policy delivered as standard in Red Hat Fedora 51 | where the majority of user space processes run under the *unconfined_t* 52 | domain. 53 | 54 | The SELinux type is the third component of a 'security context' and by 55 | convention SELinux types end in *\_t*, however this is not enforced by 56 | any SELinux service (i.e. it is only used to identify the type 57 | component), although as explained above CIL with namespaces does make 58 | identification of types easier. 59 | 60 | ### Constraints 61 | 62 | It is possible to add constraints on users, roles, types and MLS ranges, 63 | for example within a TE environment, the way that subjects are allowed 64 | to access an object is via a TE [***allow***](avc_rules.md#allow), for example: 65 | 66 | ``` 67 | allow unconfined_t ext_gateway_t : process transition; 68 | ``` 69 | 70 | This states that a process running in the *unconfined_t* domain has 71 | permission to transition a process to the *ext_gateway_t* domain. 72 | However it could be that the policy writer wants to constrain this 73 | further and state that this can only happen if the role of the source 74 | domain is the same as the role of the target domain. To achieve this a 75 | constraint can be imposed using a 76 | [***constrain***](constraint_statements.md#constrain) statement: 77 | 78 | ``` 79 | constrain process transition ( r1 == r2 ); 80 | ``` 81 | 82 | This states that a process transition can only occur if the source role 83 | is the same as the target role, therefore a constraint is a condition 84 | that must be satisfied in order for one or more permissions to be 85 | granted (i.e. a constraint imposes additional restrictions on TE rules). 86 | Note that the constraint is based on an object class (*process* in this 87 | case) and one or more of its permissions. 88 | 89 | The kernel policy language constraints are defined in the 90 | [**Constraint Statements**](constraint_statements.md#constraint-statements) 91 | section. 92 | 93 | ### Bounds 94 | 95 | It is possible to add bounds to users, roles and types, however 96 | currently only types are enforced by the kernel using the *typebounds* 97 | rule as described in the 98 | [**Apache-Plus Support - Bounds Overview**](apache_support.md#bounds-overview) 99 | section. 100 | 101 | User and role bounds may be declared using CIL, however they are validated at 102 | compile time by the CIL compiler and NOT enforced by the SELinux kernel 103 | services. The [**Bounds Rules**](bounds_rules.md#bounds-rules) 104 | section defines the *typebounds* rule and also gives a summary of the 105 | *userbounds* and *rolebounds* rules. 106 | 107 | 108 | 109 | --- 110 | **[[ PREV ]](rbac.md)** **[[ TOP ]](#)** **[[ NEXT ]](security_context.md)** 111 | -------------------------------------------------------------------------------- /src/user_statements.md: -------------------------------------------------------------------------------- 1 | # User Statements 2 | 3 | ## *user* 4 | 5 | The user statement declares an SELinux user identifier within the policy 6 | and associates it to one or more roles. The statement also allows an 7 | optional MLS level and range to control a users security level. It is 8 | also possible to add SELinux user id's outside the policy using the 9 | 'semanage user' command that will associate the user with roles 10 | previously declared within the policy. 11 | 12 | **The statement definition is:** 13 | 14 | ``` 15 | user seuser_id roles role_id; 16 | ``` 17 | 18 | Or for MCS/MLS Policy: 19 | 20 | ``` 21 | user seuser_id roles role_id level mls_level range mls_range; 22 | ``` 23 | 24 | Where: 25 | 26 | *user* 27 | 28 | The *user* keyword. 29 | 30 | *seuser_id* 31 | 32 | The SELinux user identifier. 33 | 34 | *roles* 35 | 36 | The *roles* keyword. 37 | 38 | *role_id* 39 | 40 | One or more previously declared *role* or *attribute_role* identifiers. 41 | Multiple *role* identifiers consist of a space separated list enclosed in 42 | braces '{}'. 43 | 44 | *level* 45 | 46 | If MLS is configured, the MLS *level* keyword. 47 | 48 | *mls_level* 49 | 50 | The users default MLS security level that has been previously declared with a 51 | *level* statement. Note that the compiler only accepts the *sensitivity* 52 | component of the *level* (e.g. s0). 53 | 54 | *range* 55 | 56 | If MLS is configured, the MLS *range* keyword. 57 | 58 | *mls_range* 59 | 60 | The range of security levels that the user can run. The format is described in 61 | the ["MLS *range* Definition"](mls_statements.md#mls-range-definition) section. 62 | 63 | **The statement is valid in:** 64 | 65 | Policy Type 66 | 67 | | Monolithic Policy | Base Policy | Module Policy | 68 | | ----------------------- | ----------------------- | ----------------------- | 69 | | Yes | Yes | Yes | 70 | 71 | Conditional Policy Statements 72 | 73 | | *if* Statement | *optional* Statement | *require* Statement | 74 | | ----------------------- | ----------------------- | ----------------------- | 75 | | No | Yes | Yes | 76 | 77 | **Examples:** 78 | 79 | ``` 80 | # Using the user statement to define an SELinux user user_u that 81 | # has been assigned the role of user_r. The SELinux user_u is a 82 | # generic user identity for Linux users who have no specific 83 | # SELinux user identity defined. 84 | # 85 | 86 | user user_u roles { user_r }; 87 | ``` 88 | 89 | **MLS Examples:** 90 | 91 | ``` 92 | # Using the user statement to define an MLS SELinux user user_u 93 | # that has been assigned the role of user_r and has a default 94 | # login security level of s0 assigned, and is only allowed 95 | # access to the s0 range of security levels: 96 | 97 | user user_u roles { user_r } level s0 range s0; 98 | ``` 99 | 100 | ``` 101 | # Using the user statement to define an MLS SELinux user 102 | # sysadm_u that has been assigned the role of sysadm_r and has 103 | # a default login security level of s0 assigned, and is 104 | # allowed access to the range of security levels (low - high) 105 | # between s0 and s15:c0.c255: 106 | 107 | user sysadm_u roles { sysadm_r } level s0 range s0-s15:c0.c255; 108 | ``` 109 | 110 | ***semanage**(8)* **Command example:** 111 | 112 | ``` 113 | # Add user mque_u to SELinux and associate to the unconfined_r role: 114 | 115 | semanage user -a -R unconfined_r mque_u 116 | ``` 117 | 118 | This command will produce the following files in the default 119 | \ policy store and then activate the policy: 120 | 121 | */var/lib/selinux/\/active/users.local*: 122 | 123 | ``` 124 | # This file is auto-generated by libsemanage 125 | # Do not edit directly. 126 | 127 | user mque_u roles { unconfined_r } ; 128 | ``` 129 | 130 | */var/lib/selinux/\/active/users_extra*: 131 | 132 | ``` 133 | # This file is auto-generated by libsemanage 134 | # Do not edit directly. 135 | 136 | user mque_u prefix user; 137 | ``` 138 | 139 | */var/lib/selinux/\/active/users_extra.local*: 140 | 141 | ``` 142 | # This file is auto-generated by libsemanage 143 | # Do not edit directly. 144 | 145 | user mque_u prefix user; 146 | ``` 147 | 148 | 149 | 150 | --- 151 | **[[ PREV ]](default_rules.md)** **[[ TOP ]](#)** **[[ NEXT ]](role_statements.md)** 152 | -------------------------------------------------------------------------------- /src/users.md: -------------------------------------------------------------------------------- 1 | # SELinux Users 2 | 3 | Users in Linux are generally associated to human users (such as 4 | Alice and Bob) or operator/system functions (such as admin), while this 5 | can be implemented in SELinux, SELinux user names are generally groups 6 | or classes of user. For example all the standard system users could be 7 | assigned an SELinux user name of *user_u* and administration staff 8 | under *staff_u*. 9 | 10 | There is one special SELinux user defined that must never be associated 11 | to a Linux user as it a special identity for system processes and 12 | objects, this user is *system_u*. 13 | 14 | The SELinux user name is the first component of a 15 | [**Security Context**](security_context.md#security-context) and 16 | by convention SELinux user names end in *\_u*, however this is not 17 | enforced by any SELinux service (i.e. it is only to identify the user 18 | component), although CIL with namespaces does make identification of an 19 | SELinux user easier for example a 'user' could be declared as 20 | *unconfined.user*. 21 | 22 | It is possible to add constraints and bounds on SELinux users as discussed in 23 | the [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) section. 24 | 25 | Some policies, for example Android, only make use of one user called *u*. 26 | 27 | 28 | 29 | --- 30 | **[[ PREV ]](mac.md)** **[[ TOP ]](#)** **[[ NEXT ]](rbac.md)** 31 | -------------------------------------------------------------------------------- /src/userspace_libraries.md: -------------------------------------------------------------------------------- 1 | # SELinux Userspace Libraries 2 | 3 | - [libselinux Library](#libselinux-library) 4 | - [libsepol Library](#libsepol-library) 5 | - [libsemanage Library](#libsemanage-library) 6 | 7 | The versions of kernel and SELinux tools and libraries influence the 8 | features available, therefore it is important to establish what level of 9 | functionality is required for the application. The 10 | [**Policy Versions**](types_of_policy.md#policy-versions) 11 | section shows the policy versions and the additional features they support. 12 | 13 | Details of the libraries, core SELinux utilities and commands with 14 | source code are available at: 15 | 16 | 17 | 18 | ## libselinux Library 19 | 20 | *libselinux* contains all the SELinux functions necessary to build 21 | userspace SELinux-aware applications and object managers using 'C', 22 | Python, Ruby and PHP languages. 23 | 24 | The library hides the low level functionality of (but not limited to): 25 | 26 | - The SELinux filesystem that interfaces to the SELinux kernel 27 | security server. 28 | - The proc filesystem that maintains process state information and 29 | security contexts - see ***proc**(5)*. 30 | - Extended attribute services that manage the extended attributes 31 | associated to files, sockets etc. - see ***attr**(5)*. 32 | - The SELinux policy and its associated configuration files. 33 | 34 | The general category of functions available in *libselinux* are shown below, 35 | with [**Appendix B - *libselinux* API Summary**](libselinux_functions.md#appendix-b---libselinux-api-summary) 36 | giving a complete list of functions. 37 | 38 | **Access Vector Cache Services** 39 | 40 | Allow access decisions to be cached and audited. 41 | 42 | **Boolean Services** 43 | 44 | Manage booleans. 45 | 46 | **Class and Permission Management** 47 | 48 | Class / permission string conversion and mapping. 49 | 50 | **Compute Access Decisions** 51 | 52 | Determine if access is allowed or denied. 53 | 54 | **Compute Labeling** 55 | 56 | Compute labels to be applied to new instances of on object. 57 | 58 | **Default File Labeling** 59 | 60 | Obtain default contexts for file operations. 61 | 62 | **File Creation Labeling** 63 | 64 | Get and set file creation contexts. 65 | 66 | **File Labeling** 67 | 68 | Get and set file and file descriptor extended attributes. 69 | 70 | **General Context Management** 71 | 72 | Check contexts are valid, get and set context components. 73 | 74 | **Key Creation Labeling** 75 | 76 | Get and set kernel key creation contexts. 77 | 78 | **Label Translation Management** 79 | 80 | Translate to/from, raw/readable contexts. 81 | 82 | **Netlink Services** 83 | 84 | Used to detect policy reloads and enforcement changes. 85 | 86 | **Process Labeling** 87 | 88 | Get and set process contexts. 89 | 90 | **SELinux Management Services** 91 | 92 | Load policy, set enforcement mode, obtain SELinux configuration information. 93 | 94 | **SELinux-aware Application Labeling** 95 | 96 | Retrieve default contexts for applications such as database and X-Windows. 97 | 98 | **Socket Creation Labeling** 99 | 100 | Get and set socket creation contexts. 101 | 102 | **User Session Management** 103 | 104 | Retrieve default contexts for user sessions. 105 | 106 | The *libselinux* functions make use of a number of files within the 107 | SELinux sub-system: 108 | 109 | 1. The SELinux configuration file *config* that is described in the 110 | [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) section. 111 | 2. The SELinux filesystem interface between userspace and kernel that 112 | is generally mounted as */selinux* or */sys/fs/selinux* and 113 | described in the 114 | [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. 115 | 3. The *proc* filesystem that maintains process state information and 116 | security contexts - see ***proc**(5)*. 117 | 4. The extended attribute services that manage the extended attributes 118 | associated to files, sockets etc. - see ***attr**(5)*. 119 | 5. The SELinux kernel binary policy that describes the enforcement 120 | policy. 121 | 6. A number of *libselinux* functions have their own configuration 122 | files that in conjunction with the policy, allow additional levels 123 | of configuration. These are described in the 124 | [**Policy Configuration Files**](policy_config_files.md#policy-configuration-files) 125 | section. 126 | 127 | There is a static version of the library that is not installed by default: 128 | 129 | ``` 130 | dnf install libselinux-static 131 | ``` 132 | 133 | ## libsepol Library 134 | 135 | *libsepol* - To build and manipulate the contents of SELinux kernel 136 | binary policy files. 137 | 138 | There is a static version of the library that is not installed by default: 139 | 140 | ``` 141 | dnf install libsepol-static 142 | ``` 143 | 144 | This is used by commands such as ***audit2allow**(8)* and ***checkpolicy**(8)* 145 | as they require access to functions that are not available in the dynamic 146 | library, such as *sepol_compute_av()*, *sepol_compute_av_reason()* and 147 | *sepol_context_to_sid()*. 148 | 149 | ## libsemanage Library 150 | 151 | *libsemanage* - To manage the policy infrastructure. 152 | 153 | 154 | 155 | --- 156 | **[[ PREV ]](lsm_selinux.md)** **[[ TOP ]](#)** **[[ NEXT ]](network_support.md)** 157 | -------------------------------------------------------------------------------- /src/xen_statements.md: -------------------------------------------------------------------------------- 1 | # Xen Statements 2 | 3 | - [*iomemcon*](#iomemcon) 4 | - [*ioportcon*](#ioportcon) 5 | - [*pcidevicecon*](#pcidevicecon) 6 | - [*pirqcon*](#pirqcon) 7 | - [*devicetreecon*](#devicetreecon) 8 | 9 | Xen policy supports additional policy language statements: *iomemcon*, 10 | *ioportcon*, *pcidevicecon*, *pirqcon* and *devicetreecon* that are 11 | discussed in the sections that follow, also the 12 | [**XSM/FLASK Configuration**](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) 13 | document contains further information. 14 | 15 | Policy version 30 introduced the *devicetreecon* statement and also 16 | expanded the existing I/O memory range to 64 bits in order to support 17 | hardware with more than 44 bits of physical address space (32-bit count 18 | of 4K pages). 19 | 20 | To compile these additional statements using ***semodule**(8)*, ensure 21 | that the ***semanage.conf**(5)* file has the *policy-target=xen* entry. 22 | 23 | ## *iomemcon* 24 | 25 | Label i/o memory. This may be a single memory location or a range. 26 | 27 | **The statement definition is:** 28 | 29 | ``` 30 | iomemcon addr context 31 | ``` 32 | 33 | **Where:** 34 | 35 | *iomemcon* 36 | 37 | The *iomemcon* keyword. 38 | 39 | *addr* 40 | 41 | The memory address to apply the context. This may also be a range that consists 42 | of a start and end address separated by a hyphen \'-\'. 43 | 44 | *context* 45 | 46 | The security context to be applied. 47 | 48 | **The statement is valid in:** 49 | 50 | Policy Type 51 | 52 | | Monolithic Policy | Base Policy | Module Policy | 53 | | ----------------------- | ----------------------- | ----------------------- | 54 | | Yes | Yes | No | 55 | 56 | Conditional Policy Statements 57 | 58 | | *if* Statement | *optional* Statement | *require* Statement | 59 | | ----------------------- | ----------------------- | ----------------------- | 60 | | No | No | No | 61 | 62 | **Examples:** 63 | 64 | ``` 65 | iomemcon 0xfebd9 system_u:object_r:nicP_t 66 | iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t 67 | ``` 68 | 69 | ## *ioportcon* 70 | 71 | Label i/o ports. This may be a single port or a range. 72 | 73 | **The statement definition is:** 74 | 75 | ``` 76 | ioportcon port context 77 | ``` 78 | 79 | **Where:** 80 | 81 | *ioportcon* 82 | 83 | The *ioportcon* keyword. 84 | 85 | *port* 86 | 87 | The *port* to apply the context. This may also be a range that consists of a 88 | start and end port number separated by a hyphen \'-\'. 89 | 90 | *context* 91 | 92 | The security context to be applied. 93 | 94 | **The statement is valid in:** 95 | 96 | Policy Type 97 | 98 | | Monolithic Policy | Base Policy | Module Policy | 99 | | ----------------------- | ----------------------- | ----------------------- | 100 | | Yes | Yes | No | 101 | 102 | Conditional Policy Statements 103 | 104 | | *if* Statement | *optional* Statement | *require* Statement | 105 | | ----------------------- | ----------------------- | ----------------------- | 106 | | No | No | No | 107 | 108 | **Examples:** 109 | 110 | ``` 111 | ioportcon 0xeac0 system_u:object_r:nicP_t 112 | ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t 113 | ``` 114 | 115 | ## *pcidevicecon* 116 | 117 | Label a PCI device. 118 | 119 | **The statement definition is:** 120 | 121 | ``` 122 | pcidevicecon pci_id context 123 | ``` 124 | 125 | **Where:** 126 | 127 | *pcidevicecon* 128 | 129 | The *pcidevicecon* keyword. 130 | 131 | *pci_id* 132 | 133 | The PCI identifier. 134 | 135 | *context* 136 | 137 | The security context to be applied. 138 | 139 | **The statement is valid in:** 140 | 141 | Policy Type 142 | 143 | | Monolithic Policy | Base Policy | Module Policy | 144 | | ----------------------- | ----------------------- | ----------------------- | 145 | | Yes | Yes | No | 146 | 147 | Conditional Policy Statements 148 | 149 | | *if* Statement | *optional* Statement | *require* Statement | 150 | | ----------------------- | ----------------------- | ----------------------- | 151 | | No | No | No | 152 | 153 | **Example:** 154 | 155 | ``` 156 | pcidevicecon 0xc800 system_u:object_r:nicP_t 157 | ``` 158 | 159 | ## *pirqcon* 160 | 161 | Label an interrupt level. 162 | 163 | **The statement definition is:** 164 | 165 | ``` 166 | pirqcon irq context 167 | ``` 168 | 169 | **Where:** 170 | 171 | *pirqcon* 172 | 173 | The *pirqcon* keyword. 174 | 175 | *irq* 176 | 177 | The interrupt request number. 178 | 179 | *context* 180 | 181 | The security context to be applied. 182 | 183 | **The statement is valid in:** 184 | 185 | Policy Type 186 | 187 | | Monolithic Policy | Base Policy | Module Policy | 188 | | ----------------------- | ----------------------- | ----------------------- | 189 | | Yes | Yes | No | 190 | 191 | Conditional Policy Statements 192 | 193 | | *if* Statement | *optional* Statement | *require* Statement | 194 | | ----------------------- | ----------------------- | ----------------------- | 195 | | No | No | No | 196 | 197 | **Example:** 198 | 199 | ``` 200 | pirqcon 33 system_u:object_r:nicP_t 201 | ``` 202 | 203 | ## *devicetreecon* 204 | 205 | Label device tree nodes. 206 | 207 | **The statement definition is:** 208 | 209 | ``` 210 | devicetreecon path context 211 | ``` 212 | 213 | **Where:** 214 | 215 | *devicetreecon* 216 | 217 | The *devicetreecon* keyword. 218 | 219 | *path* 220 | 221 | The device tree path. If this contains spaces enclose within *""* as shown in 222 | the example. 223 | 224 | *context* 225 | 226 | The security context to be applied. 227 | 228 | **The statement is valid in:** 229 | 230 | Policy Type 231 | 232 | | Monolithic Policy | Base Policy | Module Policy | 233 | | ----------------------- | ----------------------- | ----------------------- | 234 | | Yes | Yes | No | 235 | 236 | Conditional Policy Statements 237 | 238 | | *if* Statement | *optional* Statement | *require* Statement | 239 | | ----------------------- | ----------------------- | ----------------------- | 240 | | No | No | No | 241 | 242 | **Example:** 243 | 244 | ``` 245 | devicetreecon "/this is/a/path" system_u:object_r:arm_path 246 | ``` 247 | 248 | 249 | 250 | --- 251 | **[[ PREV ]](infiniband_statements.md)** **[[ TOP ]](#)** **[[ NEXT ]](modular_policy_statements.md)** 252 | --------------------------------------------------------------------------------