Object Classes and Permissions



Slide 1: Object Classes and Permissions
Security Policy Development Primer for Security Enhanced Linux (Module 5)

Slide 2: SE Linux Policy Structure

Top-level sections of policy.conf:
- Flask definitions: object classes, permissions, initial SIDs
- TE and RBAC declarations and statements: define the type enforcement and role-based access control policies
- User declarations: identify users to the policy and associate users with roles
- Constraints: additional restrictions based on types, roles, and users
- Security context specifications: special security context specifications

Slide 3: Object Classes

- Basis for access control in SE Linux: specified in terms of a subject's access to objects
  - subjects: processes
  - objects: 29 distinct object classes
  - access: numerous permissions, each class with its own permission specification

Slide 4: Object Class Definitions

- Object classes are defined in /usr/local/selinux/flask/security_classes
  - the same definitions are built into the kernel
- Object class definition statement:

      class file

  simply defines an object class identifier
- Policy writers should never change security_classes
  - it is changed only when the object classes change in the kernel

Slide 5: Summary of Object Classes

File-related object classes:
- file: regular file
- dir: directory
- fd: file descriptor (opened object descriptors associated with processes)
- lnk_file: symbolic link
- chr_file: character device (e.g., serial ports, terminals)
- blk_file: block device (e.g., disk drives)
- sock_file: Unix-domain socket (local socket listed in the file name space)
- fifo_file: FIFO, aka named pipe
- filesystem: abstract object representing controls on whole file systems

Slide 6: Summary of Object Classes

Network-related object classes:
- node: host(s) by IP address
- netif: network interfaces
- tcp_socket: IP stream socket
- udp_socket: IP datagram socket
- rawip_socket: IP raw socket
- netlink_socket: Netlink sockets
- packet_socket: low-level packet socket
- unix_stream_socket: local stream socket
- unix_dgram_socket: local datagram socket
- key_socket: IPsec security association database socket
- socket: all other socket types

Slide 7: Summary of Object Classes

System V IPC-related object classes:
- sem: semaphore set
- msgq: message queue
- msg: messages within a message queue
- shm: shared memory
- ipc: no longer used

Slide 8: Summary of Object Classes

- Process class: both an object and a subject
- Security class: abstract object to control calls to the in-kernel security server
  - load new policy, get list of contexts and SIDs
  - only one
- System class: abstract object to control certain system behavior
  - e.g., toggle enforcing mode
  - only one
- Capability class: provides a means to control Linux capabilities
  - must have the associated permission as well as the capability

Slide 9: Object Class Permissions

- Each object class has a defined set of permissions, called an access vector
- The permission definitions in the policy are in /usr/local/selinux/flask/access_vectors
- Permission identifiers are defined in two ways:
  - common statement (used for multiple classes as a group)
  - class statement #2 (class-specific permissions)
- Policy writers should never change access_vectors
  - as with object classes, hard-coded into the kernel
  - changed only when access vectors change in the kernel

Slide 10: Object Class Permissions

- Common permissions
  - define a group of permission identifiers associated with object classes as a group
  - ensure all like permissions are assigned the same bit in the kernel

      common file { ioctl read write create getattr setattr lock }

  - file: the common permission identifier
  - { ioctl read write ... }: the permission identifiers
  - assigned to object classes via the class statement (#2)

Slide 11: Object Class Permissions

- Object class permission definition (class statement #2)
  - assigns permissions to each object class
  - can assign common and/or class-specific permissions

      class file inherits file { execute_no_trans entrypoint }

  - class file: the class ID (from the previous class definition)
  - inherits file: optional common permissions (from the previous common statement)
  - { execute_no_trans entrypoint }: class-specific permissions
- Net effect: the file class has the following permissions defined:
  ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint
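Added example (not part of the slides or of the SELinux sources): a small parser for the common/class statements described on slides 10 and 11 that composes each class's effective access vector and shows why a common permission gets the same bit in every class that inherits it. The access_vectors fragment is constructed; the file permissions are the ones the slide lists, and the lnk_file and security entries are illustrative.

```python
import re

# Constructed fragment in the access_vectors syntax the slides describe: one
# 'common' statement plus three 'class' statements. The file permissions are
# those listed on slide 11; lnk_file and security are illustrative entries.
ACCESS_VECTORS = """
# common permissions shared by all file-like classes
common file { ioctl read write create getattr setattr lock relabelfrom relabelto
              append unlink link rename execute swapon quotaon mounton }
class file inherits file { execute_no_trans entrypoint }
class lnk_file inherits file
class security { compute_av load_policy }
"""

COMMON_RE = re.compile(r"\bcommon\s+(\w+)\s*\{([^}]*)\}")
CLASS_RE = re.compile(r"\bclass\s+(\w+)(?:\s+inherits\s+(\w+))?(?:\s*\{([^}]*)\})?")
MAX_BITS = 32  # an access vector is a 32-bit bitmap in the kernel


def parse_access_vectors(text):
    """Return (commons, classes): common name -> ordered permission list, and
    class name -> (inherited common name or None, class-specific permissions)."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    commons = {m.group(1): m.group(2).split() for m in COMMON_RE.finditer(text)}
    classes = {m.group(1): (m.group(2), (m.group(3) or "").split())
               for m in CLASS_RE.finditer(text)}
    return commons, classes


def effective_perms(text, cls):
    """Permissions of a class in kernel bit order: the inherited common
    permissions first, then the class-specific ones (slide 11's net effect)."""
    commons, classes = parse_access_vectors(text)
    common, specific = classes[cls]
    if common is not None and common not in commons:
        raise ValueError(f"class {cls} inherits undefined common {common}")
    perms = (commons[common] if common else []) + specific
    if len(set(perms)) != len(perms) or len(perms) > MAX_BITS:
        raise ValueError(f"class {cls}: duplicate permission or more than {MAX_BITS} bits")
    return perms


def perm_bit(text, cls, perm):
    """Bit the kernel assigns to 'perm' in class 'cls'; a common permission
    lands on the same bit in every class that inherits the common block."""
    return 1 << effective_perms(text, cls).index(perm)
```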

Slide 12: Object Class Permissions

Exploring Object Classes and Permissions

Slide 13: File Object Class Permissions

- read: read file contents
- write: write or append file contents
- append: append file contents (i.e., opened with the O_APPEND flag)
- create: create a new file
- getattr: read file attributes such as access mode (stat, some ioctls)
- setattr: change file attributes such as access mode (chmod, some ioctls)
- ioctl: ioctl system call requests not addressed by other permissions
- unlink: remove hard link (delete)
- link: create hard link to file

Slide 14: File Object Class Permissions

- lock: set and unset file locks
- rename: rename a hard link
- relabelfrom: change the security context, based on the existing type
- relabelto: change the security context, based on the new type
- mounton: only meaningful for directories in Linux
- swapon: allows the file to be used for paging/swapping space
- quotaon: enabling quotas
- execute: same meaning as ordinary Linux execute
- execute_no_trans: permission to execute the file without a domain transition
- entrypoint: permission to enter a new domain via this program

Slide 15: Process Object Class Permissions

- transition: permission to change security context; checked against the old domain type and the new domain type
- fork: fork or clone a process
- sigchld: permission to signal SIGCHLD
- sigkill: permission to signal SIGKILL
- sigstop: permission to signal SIGSTOP
- signull: no signal sent, a la kill(pid, 0)
- signal: all other signals
- ptrace: ability to trace a process (e.g., debugging)
- getsched, setsched: get and set process priority
- getsession: get session information (getsid)
- getpgid, setpgid: get and set process group ID
- getcap, setcap: get and set capabilities (capget, capset)
- share: allows state sharing (via the clone call)

Slide 16: More on Object Class Permissions

- Understanding all of them requires a detailed understanding of the implementation
- Additional references on classes and permissions:
  - www.nsa.gov/selinux/doc/slinux.pdf: most comprehensive, but a little out of date
  - www.nsa.gov/selinux/doc/module.pdf: describes some changes from the above report
- The example policy includes macros
  - provide a more abstract permission model
  - use the m4 macro processor language
  - definitions in ./policy/macros/global_macros.te

Slide 17: Permission Macro Examples

All from policy/macros/global_macros.te:
- rx_file_perms (file read/execute permissions): read getattr lock execute ioctl
- r_dir_perms (read and traverse directory): read getattr lock search ioctl
- create_dir_perms (create and use new directory): create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir
- Permission macros can be used in place of (or alongside) an explicit permission list

Slide 18: Interrelationship of Permissions

- Many actions require several permissions for several object classes
- Domain transition, for example:
  - process transition permission

        allow src_type new_type : process transition;

  - program execution permission

        allow src_type program_type : file { getattr execute };

  - new domain execute access

        allow new_type program_type : file entrypoint;

  - other issues: file descriptor inheritance, signals, other IPC
- Macros can help here too; see the domain_trans() macro, for example
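Added example (not from the slides or the example policy): a checker that expands allow rules written in the syntax above and reports which of the three rules a domain transition needs are missing, so an incomplete transition is caught before the policy is loaded. src_type, new_type and program_type are the slide's placeholder names; other_type and other_prog_type are constructed for a second, incomplete transition. The domain_trans_rules() function mirrors the idea of the domain_trans() macro but is not its definition.

```python
import re

# Constructed policy fragment in the allow-rule syntax from slide 18. The first
# three rules complete a transition; the fourth grants only program execution,
# so the transition to other_type via other_prog_type is incomplete.
POLICY = """
allow src_type new_type : process transition;
allow src_type program_type : file { getattr execute };
allow new_type program_type : file entrypoint;
allow src_type other_prog_type : file { getattr execute };
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(text):
    """Expand allow rules into a set of (source, target, class, permission)."""
    rules = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        for perm in perms.strip("{}").split():
            rules.add((src, tgt, cls, perm))
    return rules


def domain_trans_rules(src, new, program):
    """The permissions slide 18 lists for a transition from src to new via
    program (the idea behind the domain_trans() macro, not its definition)."""
    return [
        (src, new, "process", "transition"),   # process transition permission
        (src, program, "file", "getattr"),     # program execution permission
        (src, program, "file", "execute"),
        (new, program, "file", "entrypoint"),  # new domain entered via program
    ]


def missing_for_transition(text, src, new, program):
    """Return the required rules that 'text' does not grant, in policy syntax."""
    granted = parse_allow_rules(text)
    return [f"allow {s} {t} : {c} {p};"
            for s, t, c, p in domain_trans_rules(src, new, program)
            if (s, t, c, p) not in granted]


if __name__ == "__main__":
    print(missing_for_transition(POLICY, "src_type", "new_type", "program_type"))
    print(missing_for_transition(POLICY, "src_type", "other_type", "other_prog_type"))
```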

Slide 19: Questions?