This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
In Red Hat Enterprise Linux 7, we have fixed one of the biggest issues with SELinux where initial creation of content by users and administrators can sometimes get the wrong label.
The new feature makes labeling files easier for users and administrators. The goal is to prevent the accidental mislabeling of file objects.
Accidental Mislabeling
Users and administrators often create files or directories that do not have the same label as the parent directory, and then they forget to fix the label. One example of this would be an administrator going into the /root
directory and creating the .ssh
directory. In previous versions of Red Hat Enterprise Linux, the directory would get created with a label of admin_home_t
, even though the policy requires it to be labeled ssh_home_t
. Later when the admin tries to use the content of the .ssh
directory to log in without a password, sshd
(sshd_t
) fails to read the directory's contents because sshd
is not allowed to read files labeled admin_home_t
. The administrator would need to run restorecon -R -v /home/.ssh
to fix the labels, and often they forget to do so.
Another example would be a user creating the public_html
directory in his home directory. The default label for content in the home directory is user_home_t
, but SELinux requires the public_html
directory to be labeled http_user_content_t
, which allows the Apache process (httpd_t
) to read the content. We block the Apache process from reading user_home_t
as valuable information like user secrets and credit-card data could be in the user's home directory.
File Transitions Policy
Policy writers have always be able to write a file transition rule that includes the type of the processes creating the file object (NetworkManger_t
), the type of the directory that will contain the file object (etc_t
), and the class of the file object (file
). They can also specify the type of the created object (net_conf_t
):
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)
This policy line says that a process running as NetworkManager_t
creating any file in a directory labeled etc_t
will create it with the label net_conf_t
.
Named File Transitions Policy
Eric Paris added a cool feature to the kernel that allows the kernel to label a file based on four characteristics instead of just three. He added the base file name (not the path).
Now policy writers can write policy rules that state:
- If the
unconfined_t
user process creates the.ssh
directory in a directory labeledadmin_home_t
, then it will get created with the labelssh_home_t
: `filetrans_pattern(unconfined_t, admin_home_t, dir, ssh_home_t, ".ssh") - If the
staff_t
user process creates a directory namedpublic_html
in a directory labeleduser_home_dir_t
, it will get labeledhttp_user_content_t
: `filetrans_pattern(staff_t, user_home_dir_t, dir, http_user_content_t, "public_html")
Additionally, we have added rules to make sure that if the kernel creates content in /dev
, it will label it correctly rather than waiting for udev
to fix the label.
filetrans_pattern(kernel_t, device_t, chr_file, wireless_device_t, "rfkill")
Better Security
This can also be considered a security enhancement, since in Red Hat Enterprise Linux 6, policy writers could only write rules based on the the destination directory label. Consider the example above using NetworkManager_t
. In Red Hat Enterprise Linux 6, a policy writer would write filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)
, which means the networkmanager
process could create any file in an etc_t
directory (/etc
) that did not exist. If for some reason the /etc/passwd
file did not exist, SELinux policy would not block NetworkManager_t
from creating /etc/passwd
. In Red Hat Enterprise Linux 7, we can write a tighter policy like this:
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t, "resolv.conf")
This states that NetworkManger can only create files named resolv.conf
in directories labeled etc_t
. If it tries to create the passwd
file in an etc_t
directory, the policy would check if NetworkManager_t
is allowed to create an etc_t
file, which is not allowed.
Bottom Line
This feature should result in less occurrences of accidental mislabels by users and hopefully a more secure and better-running SELinux system.
À propos de l'auteur
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Senior Distinguished Engineer at Red Hat. He joined Red Hat in August 2001. Dan leads the Red Hat Container Engineering team since August 2013, but has been working on container technology for several years.
Dan helped developed sVirt, Secure Virtualization as well as the SELinux Sandbox back in RHEL6 an early desktop container tool. Previously, Dan worked Netect/Bindview's on Vulnerability Assessment Products and at Digital Equipment Corporation working on the Athena Project, AltaVista Firewall/Tunnel (VPN) Products. Dan has a BA in Mathematics from the College of the Holy Cross and a MS in Computer Science from Worcester Polytechnic Institute.
Parcourir par canal
Automatisation
Les dernières actualités en matière de plateforme d'automatisation qui couvre la technologie, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Services cloud
En savoir plus sur notre gamme de services cloud gérés
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Programmes originaux
Histoires passionnantes de créateurs et de leaders de technologies d'entreprise
Produits
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Services cloud
- Voir tous les produits
Outils
- Formation et certification
- Mon compte
- Ressources développeurs
- Assistance client
- Calculateur de valeur Red Hat
- Red Hat Ecosystem Catalog
- Rechercher un partenaire
Essayer, acheter et vendre
Communication
- Contacter le service commercial
- Contactez notre service clientèle
- Contacter le service de formation
- Réseaux sociaux
À propos de Red Hat
Premier éditeur mondial de solutions Open Source pour les entreprises, nous fournissons des technologies Linux, cloud, de conteneurs et Kubernetes. Nous proposons des solutions stables qui aident les entreprises à jongler avec les divers environnements et plateformes, du cœur du datacenter à la périphérie du réseau.
Sélectionner une langue
Red Hat legal and privacy links
- À propos de Red Hat
- Carrières
- Événements
- Bureaux
- Contacter Red Hat
- Lire le blog Red Hat
- Diversité, équité et inclusion
- Cool Stuff Store
- Red Hat Summit