Red Hat Blog
This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
In Red Hat Enterprise Linux 7, we have fixed one of the biggest issues with SELinux where initial creation of content by users and administrators can sometimes get the wrong label.
The new feature makes labeling files easier for users and administrators. The goal is to prevent the accidental mislabeling of file objects.
Accidental Mislabeling
Users and administrators often create files or directories that do not have the same label as the parent directory, and then they forget to fix the label. One example of this would be an administrator going into the /root
directory and creating the .ssh
directory. In previous versions of Red Hat Enterprise Linux, the directory would get created with a label of admin_home_t
, even though the policy requires it to be labeled ssh_home_t
. Later when the admin tries to use the content of the .ssh
directory to log in without a password, sshd
(sshd_t
) fails to read the directory's contents because sshd
is not allowed to read files labeled admin_home_t
. The administrator would need to run restorecon -R -v /home/.ssh
to fix the labels, and often they forget to do so.
Another example would be a user creating the public_html
directory in his home directory. The default label for content in the home directory is user_home_t
, but SELinux requires the public_html
directory to be labeled http_user_content_t
, which allows the Apache process (httpd_t
) to read the content. We block the Apache process from reading user_home_t
as valuable information like user secrets and credit-card data could be in the user's home directory.
File Transitions Policy
Policy writers have always be able to write a file transition rule that includes the type of the processes creating the file object (NetworkManger_t
), the type of the directory that will contain the file object (etc_t
), and the class of the file object (file
). They can also specify the type of the created object (net_conf_t
):
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)
This policy line says that a process running as NetworkManager_t
creating any file in a directory labeled etc_t
will create it with the label net_conf_t
.
Named File Transitions Policy
Eric Paris added a cool feature to the kernel that allows the kernel to label a file based on four characteristics instead of just three. He added the base file name (not the path).
Now policy writers can write policy rules that state:
- If the
unconfined_t
user process creates the.ssh
directory in a directory labeledadmin_home_t
, then it will get created with the labelssh_home_t
: `filetrans_pattern(unconfined_t, admin_home_t, dir, ssh_home_t, ".ssh") - If the
staff_t
user process creates a directory namedpublic_html
in a directory labeleduser_home_dir_t
, it will get labeledhttp_user_content_t
: `filetrans_pattern(staff_t, user_home_dir_t, dir, http_user_content_t, "public_html")
Additionally, we have added rules to make sure that if the kernel creates content in /dev
, it will label it correctly rather than waiting for udev
to fix the label.
filetrans_pattern(kernel_t, device_t, chr_file, wireless_device_t, "rfkill")
Better Security
This can also be considered a security enhancement, since in Red Hat Enterprise Linux 6, policy writers could only write rules based on the the destination directory label. Consider the example above using NetworkManager_t
. In Red Hat Enterprise Linux 6, a policy writer would write filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)
, which means the networkmanager
process could create any file in an etc_t
directory (/etc
) that did not exist. If for some reason the /etc/passwd
file did not exist, SELinux policy would not block NetworkManager_t
from creating /etc/passwd
. In Red Hat Enterprise Linux 7, we can write a tighter policy like this:
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t, "resolv.conf")
This states that NetworkManger can only create files named resolv.conf
in directories labeled etc_t
. If it tries to create the passwd
file in an etc_t
directory, the policy would check if NetworkManager_t
is allowed to create an etc_t
file, which is not allowed.
Bottom Line
This feature should result in less occurrences of accidental mislabels by users and hopefully a more secure and better-running SELinux system.
About the author
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Senior Distinguished Engineer at Red Hat. He joined Red Hat in August 2001. Dan leads the Red Hat Container Engineering team since August 2013, but has been working on container technology for several years.