| Command | Meaning | Options/Parameters |
|---|---|---|
| lp | Print file(s) | -d destination; -E (send file(s) encrypted to printer); -h hostname; -n # (number of copies); -q priority |
| lpr | Same as lp | Same as lp except -P destination, -H server, and -# for number of copies |
| lpq | Show printer queue | -E; -U username; -h hostname; -a (all printers) |
| lprm | Cancel print job | Job ID number (obtained through lpq) |
| cancel | Same as lprm | Specify printer name; add -a to cancel all print jobs |
| lpmove | Move print job from one printer to another | Source-printer Destination-printer |
| lpoptions | Select a default printer and/or modify options for a printer | -E enables encryption; -d destination; -o options |
| lpstat | Printer status information | -p printer(s) |
342 ◾ Linux with Operating System Concepts
(1 means Enforcing and 0 means Permissive). To see the current mode of SELinux, use getenforce.
8.8.1 SELinux Components
With these basics stated, let us now consider SELinux in some detail. First, we return to the
types of entities that we deal with in SELinux: users, roles, types, and objects. We throw in
another type called a context.
A user is someone who uses the system. However, the user is not equivalent to a specific user. Instead, there are types of users including, for instance, user, guest, and root. Another type of user, known as unconfined, provides broader access rights than the user type. User names are specified using name_u, with already-established user names of guest_u, root, staff_u, unconfined_u, user_u, and xguest_u. Upon logging in, the normal setting is to establish the user as an unconfined user. While many users of the Linux system will map to one of these categories, it can also be the case that a user, during a Linux session, changes from one type to another (for instance through su or sudo).
The role allows SELinux to provide access rights (or place access restrictions) on users based on the role they are currently playing. Roles come from role-based access control. This idea comes from database applications. In large organizations, access to data is controlled by the role of the user. In such an organization, we might differentiate roles between manager, marketing, production, clerical, and research. Some files would be accessible to multiple roles (manager, for instance, might have access to all files) while others such as production would only have access to production-oriented files.
In SELinux, roles are generally assigned to the users such as unconfined_r, guest_r, user_r, and system_r. However, it is possible for a user to take on several roles at different times. For instance, the user unconfined_u may operate using the role unconfined_r at one time and system_r at another time.
The type specifies the level of enforcement. The type is tailored for the type of object being referenced, whether it is a process, file, directory, or other. For instance, types available for a file include read and write. When a type is placed on a process, it is sometimes referred to as a domain. In this case, the domain dictates which processes the user is able to access. As with users and roles, SELinux contains predefined types of auditadm_t, sysadm_t, guest_t, staff_t, unconfined_t, and user_t among others.
We can now apply the users, roles, and types. We specify a context as a set of three or four values. These are, at a minimum, a user, a role, and a type, separated by colons. For instance, we might have a context of unconfined_u:object_r:user_home_t. This is a context of the user unconfined_u on an object object_r with the type user_home_t. In fact, this context is the one defined for all users' home directories.
In this case, the context is incomplete. The fourth entry in a context is optional but specifies the security level. The security level itself is indicated by a sensitivity or a range of sensitivities, optionally followed by a category. For instance, we might find security levels of s0 to indicate a sensitivity level of s0, or s0-s3 if the sensitivity level includes all of s0, s1, s2, and s3. The category can be a single-category value such as c0, a list of category values such as c0,c1,c2, or a range of categories denoted as c0.c3. The full security level might look like s0-s3:c0.c2. As an example, we might define c0 as meaning general data, c1 as being confidential data, c2 as being sensitive data, and c3 as being top secret data.
Let us look at some examples as preestablished in CentOS.
• User home directories: unconfined_u:object_r:user_home_t:s0
• User file: unconfined_u:object_r:user_home_t:s0
• Running user process: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
• /bin directory: system_u:object_r:bin_t:s0
• /bin/bash file: system_u:object_r:shell_exec_t:s0
• /etc/shadow file: system_u:object_r:shadow_t:s0
• /dev/sda1: system_u:object_r:fixed_disk_device_t:s0
• Running root process: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
As you can see in the above examples, contexts are already defined for most situations that we will face, whether they are user processes, root processes, software-owned processes, user files and directories, or system files and directories. Also notice that most items use a security level of s0, which is the lowest level available.
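As an added example (not from the textbook), the following Python parses a context in the user:role:type[:level] form and expands a security level exactly as this section describes it (a sensitivity or sensitivity range, optionally followed by categories); the sample context it runs on is the running-user-process entry from the list above.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Context:
    user: str             # e.g. unconfined_u or system_u
    role: str             # object_r for files/directories, unconfined_r for processes
    type: str             # e.g. user_home_t, shadow_t
    level: Optional[str]  # optional security level, e.g. "s0-s3:c0.c2"

def parse_context(text: str) -> Context:
    """Split user:role:type[:level]; the level itself may contain a colon."""
    parts = text.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"need at least user:role:type, got {text!r}")
    for field in parts[:3]:
        if not re.fullmatch(r"\w+", field):
            raise ValueError(f"bad context field {field!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

def _expand(spec: str, prefix: str, sep: str) -> set:
    """Turn 's0-s3' (prefix 's', sep '-') or 'c0.c2' (prefix 'c', sep '.') into a set."""
    m = re.fullmatch(rf"{prefix}(\d+)(?:{re.escape(sep)}{prefix}(\d+))?", spec)
    if not m:
        raise ValueError(f"bad {prefix}-specifier {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if hi < lo:
        raise ValueError(f"descending range {spec!r}")
    return set(range(lo, hi + 1))

def expand_level(level: str) -> tuple:
    """(sensitivities, categories) for a level written as the section describes it:
    sN or sN-sM, optionally followed by ':' and comma-separated cN or cN.cM items."""
    sens_spec, _, cat_spec = level.partition(":")
    sens = _expand(sens_spec, "s", "-")
    cats = set()
    for item in filter(None, cat_spec.split(",")):
        cats |= _expand(item, "c", ".")
    return sens, cats

def describe(text: str) -> dict:
    """Summarise one context string, e.g. a field of 'ls -Z' output (constructed input)."""
    ctx = parse_context(text)
    sens, cats = expand_level(ctx.level) if ctx.level else (set(), set())
    return {"kind": "object" if ctx.role == "object_r" else "process",
            "type": ctx.type, "sensitivities": sorted(sens), "categories": len(cats)}

if __name__ == "__main__":
    # The running-user-process context from the list above.
    print(describe("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"))
```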
8.8.2 Altering Contexts
You can obtain the context of a directory or file by using ls -Z and the context of a running process through ps -Z (or id -Z). Many other Linux operations have a -Z option that can be used to see the context of the object in question. You can also find the predefined contexts in the directory /etc/selinux/targeted/contexts, in which there are files for various types of processes as well as subdirectories of files for objects and user objects.
You can modify the context of an object in one of two ways. First, if you issue a file command, you can include -Z context to alter the default context. For instance, as we saw above, a user's file may have the context unconfined_u:object_r:user_home_t:s0. Let us assume we want to copy the file to /tmp and alter its context to unconfined_u:object_r:user_tmp_t:s0. We issue the command
cp -Z unconfined_u:object_r:user_tmp_t:s0