CentOS 6

SELinux : SELinux Context
2016/07/26
 
Access decisions for files, directories and processes are made on additional label information called the SELinux Context.
A SELinux Context has the following syntax.
⇒ [SELinux User]:[Role]:[Type]:[Level]
SELinux User :
SELinux user attribute
Each Linux user is mapped to an SELinux user by the SELinux policy.
Role :
RBAC (Role Based Access Control) attribute
It defines which roles an SELinux user may take.
The SELinux policy authorizes each role for a set of domains, so the role limits which domains a user's processes can enter.
Type :
TE (Type Enforcement) attribute
It defines domains for processes and types for files; most rules in the policy are written in terms of these.
Level :
MLS (Multi-Level Security) and MCS (Multi-Category Security) attribute
The level has the syntax [sensitivity]:[category].
Note that the "targeted" policy, which is the default on RHEL/CentOS, enforces only MCS, and it uses just the single sensitivity "s0".
For categories, c0 to c1023 are supported.
MLS enforces the Bell-LaPadula mandatory access control model.
To use it on RHEL/CentOS, the MLS policy package (selinux-policy-mls) must be installed.
However, it does not support the X Window System, so it cannot be used on a desktop environment.
[1] To display the SELinux context of files or processes, add the "Z" option to the usual commands (ls, ps, id).
# files/directories

[root@dlp ~]#
ls -Z /root

-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
                      --------:--------:------------:------
                       User   : Role   : Type       : Level

# processes

[root@dlp ~]#
ps axZ

LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0         1 ?        Ss     0:00 /sbin/init
system_u:system_r:kernel_t:s0       2 ?        S      0:00 [kthreadd]
system_u:system_r:kernel_t:s0       3 ?        S      0:00 [migration/0]
.....
.....
system_u:system_r:getty_t:s0     1205 tty5     Ss+    0:00 /sbin/mingetty /dev/t
system_u:system_r:getty_t:s0     1207 tty6     Ss+    0:00 /sbin/mingetty /dev/t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1212 ttyS0 Ss   0:00 -bash
system_u:system_r:initrc_t:s0    1225 ?        S      0:00 pickup -l -t fifo -u
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1226 ttyS0 R+   0:00 ps ax

# own ID

[root@dlp ~]#
id -Z

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[2] Each Linux user is mapped to an SELinux user by the SELinux policy.
The mapping list can be shown as follows.
[root@dlp ~]#
semanage login -l


Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023


# * if the semanage command does not exist, install it as follows

[root@dlp ~]#
yum -y install policycoreutils-python
 
In the example above (the RHEL/CentOS default), "root" is mapped to "unconfined_u". System processes started by init, running as accounts such as "bin" or "daemon", carry "system_u", which they inherit from init's own context rather than through a login mapping. Any other Linux user without an explicit entry falls under "__default__", which in turn maps to "unconfined_u".
"unconfined_u" users are assigned the "unconfined_r" role, and processes started by "unconfined_u" users run in the "unconfined_t" domain.
Processes in the "unconfined_t" domain are effectively not confined by SELinux: the targeted policy allows them almost everything, so SELinux adds no protection for them and only the ordinary DAC permissions apply. Daemons they launch through service scripts still transition into their own confined domains, which is what the targeted policy is designed to protect.
[root@dlp ~]#
ps axZ | grep unconfined_t

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1212 ttyS0 Ss   0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1231 ttyS0 R+   0:00 ps axZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1232 ttyS0 S+   0:00 grep unconfined_t
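The following is an added example, not code from the original page. It is a small POSIX sh script that splits a context string into the four fields described above and lists processes by domain from "ps axZ"-style output, matching on the parsed type field rather than grepping the whole line. The "ps" output embedded in it is a constructed sample with hypothetical PIDs, modeled on the listing above, so the script runs offline; the function names (ctx_user, ctx_role, ctx_type, ctx_level, procs_in_domain, domains_in_use) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page. Splits an SELinux context
# into its four fields and lists processes by domain from "ps axZ"-style output.
#
# The level is taken as the 4th field *onwards*: an MCS range such as
# "s0-s0:c0.c1023" contains a colon itself, so "cut -d: -f4" would cut it short.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1;  }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2;  }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3;  }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Constructed sample of "ps axZ" output (hypothetical PIDs), embedded so the
# script runs offline. On a live host use:  PS_INPUT=$(ps axZ | tail -n +2)
PS_INPUT='system_u:system_r:init_t:s0         1 ?        Ss     0:00 /sbin/init
system_u:system_r:kernel_t:s0       2 ?        S      0:00 [kthreadd]
system_u:system_r:getty_t:s0     1205 tty5     Ss+    0:00 /sbin/mingetty /dev/tty5
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1212 ttyS0 Ss   0:00 -bash
system_u:system_r:initrc_t:s0    1225 ?        S      0:00 pickup -l -t fifo -u
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1226 ttyS0 R+   0:00 ps axZ'

# Print "PID COMMAND" for each process whose domain (type field) equals $1.
# Comparing the parsed field instead of grepping the whole line gives an exact
# match: a domain name appearing in a command's arguments, or a longer type
# sharing the same prefix, cannot produce a false hit.
procs_in_domain() {
    printf '%s\n' "$PS_INPUT" | while read -r label pid tty stat time cmd; do
        if [ "$(ctx_type "$label")" = "$1" ]; then
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Print the sorted list of distinct domains present in the process table.
domains_in_use() {
    printf '%s\n' "$PS_INPUT" | while read -r label _rest; do
        ctx_type "$label"
    done | sort -u
}

# The unconfined_t processes are the ones SELinux does not restrict, so they are
# the first thing to check when reasoning about what the targeted policy protects.
procs_in_domain unconfined_t
```

Run it with sh; to inspect a live system, replace the PS_INPUT assignment as noted in the comment. The same field split works on "ls -Z" and "id -Z" output, since the context string has the same four-field shape there.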