Setting security contexts for files and directories

Think of SELinux as a glorified labeling system. It adds labels, known as security contexts, to files and directories through extended file attributes. It also adds the same type of label, known as domains, to system processes. To see these contexts and domains on your CentOS machines, use the -Z option with either ls or ps. For example, files and directories in my own home directory would look like the following:

[donnie@localhost ~]$ ls -Z
drwxrwxr-x. donnie donnie unconfined_u:object_r:user_home_t:s0 acl_demo_dir
-rw-rw-r--. donnie donnie unconfined_u:object_r:user_home_t:s0 yum_list.txt
[donnie@localhost ~]$

Processes on my system would look something like the following:

[donnie@localhost ~]$ ps -Z
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1322 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3978 pts/0 00:00:00 ps
[donnie@localhost ~]$

Now, let's break this down. In the outputs of both the ls -Z and ps -Z commands, we have the following parts:

  • The SELinux user: In both cases, the SELinux user is the generic unconfined_u.
  • The SELinux role: In the ls -Z example, we see that the role is object_r, and in the ps -Z example it's unconfined_r.
  • The type: It's user_home_t in the ls -Z output and unconfined_t in the ps -Z output.
  • The sensitivity: In the ls -Z output it's s0. In the ps -Z output, it's s0-s0.
  • The category: We don't see a category in the ls -Z output, but we do see c0.c1023 in the ps -Z output.

Out of all of the preceding security context and security domain components, the only one that interests us now is the type. For the purposes of this chapter, we're only interested in covering what a normal Linux administrator would need to know to keep intruders from exploiting the system, and the type is the only one of these components that we need to use for that. All of the other components come into play when we set up advanced, security classification-based access control and role-based access control. 
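To make the breakdown above concrete, the following is an added example (not from the book) that splits a label into the five parts just listed and pulls the type out of ls -Z output. The function names selinux_field and ls_types are hypothetical, and the sample input is copied from the listings above.

```shell
# Constructed sample: the two ls -Z lines and one ps -Z label from the listings above.
SAMPLE_LS='drwxrwxr-x. donnie donnie unconfined_u:object_r:user_home_t:s0 acl_demo_dir
-rw-rw-r--. donnie donnie unconfined_u:object_r:user_home_t:s0 yum_list.txt'
SAMPLE_PS_LABEL='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# selinux_field LABEL FIELD   (hypothetical helper name)
# FIELD is one of: user role type sensitivity category
# The body runs in a subshell "( ... )" so its variables do not leak out.
selinux_field() (
    label=$1
    u=${label%%:*}; rest=${label#*:}
    r=${rest%%:*};  rest=${rest#*:}
    t=${rest%%:*};  level=${rest#*:}
    # What is left is "sensitivity[:category]"; the category is optional.
    case $level in
        *:*) s=${level%%:*}; c=${level#*:} ;;
        *)   s=$level;       c= ;;
    esac
    case $2 in
        user)        printf '%s\n' "$u" ;;
        role)        printf '%s\n' "$r" ;;
        type)        printf '%s\n' "$t" ;;
        sensitivity) printf '%s\n' "$s" ;;
        category)    printf '%s\n' "$c" ;;
        *) echo "unknown field: $2" >&2; exit 2 ;;
    esac
)

# ls_types: read ls -Z output on stdin, print "type<TAB>name" per entry.
# It picks the first column shaped like user:role:type:level and treats the
# last column as the name, so names containing spaces are not handled.
ls_types() (
    set -f                      # do not glob-expand the columns
    while read -r line; do
        set -- $line
        ctx=
        for f in "$@"; do
            case $f in *:*:*:*) ctx=$f; break ;; esac
        done
        [ -n "$ctx" ] || continue          # skip lines with no label
        for name in "$@"; do :; done       # leaves $name = last column
        printf '%s\t%s\n' "$(selinux_field "$ctx" type)" "$name"
    done
)

printf '%s\n' "$SAMPLE_LS" | ls_types
selinux_field "$SAMPLE_PS_LABEL" type
```

On a live system, ls -Z | ls_types gives the same type-and-name listing for the current directory.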

Okay, the following is a somewhat over-simplified explanation of how this helps a Linux administrator maintain security. What we want is for system processes to only access objects that we allow them to access. (System processes include things such as the web server daemon, the FTP daemon, the Samba daemon, and the Secure Shell daemon. Objects include things such as files, directories, and network ports.) To achieve this, we'll assign a type to all of our processes and all of our objects. We'll then create policies that define which process types can access which object types.

Fortunately, whenever you install any Red Hat-type distribution, pretty much all of the hard work has already been done for you. Red Hat-type distributions all come with SELinux already enabled and set up with the targeted policy. Think of this targeted policy as a somewhat relaxed policy that allows a casual desktop user to sit down at the computer and actually conduct business without having to tweak any SELinux settings. But if you're a server administrator, you may find yourself having to tweak this policy in order to allow server daemons to do what you need them to do.

The targeted policy, which comes installed by default, is what a normal Linux administrator will use in his or her day-to-day duties. If you look in the repositories of your CentOS virtual machine, you'll see that there are also several other policies, which we won't cover in this book.