New SELinux Feature: File Name Transitions

This article was originally published on the Red Hat Customer Portal. The information may no longer be current.

In Red Hat Enterprise Linux 7, we have fixed one of the biggest issues with SELinux where initial creation of content by users and administrators can sometimes get the wrong label.

The new feature makes labeling files easier for users and administrators. The goal is to prevent the accidental mislabeling of file objects.

Accidental Mislabeling

Users and administrators often create files or directories that do not have the same label as the parent directory, and then they forget to fix the label. One example of this would be an administrator going into the /root directory and creating the .ssh directory. In previous versions of Red Hat Enterprise Linux, the directory would get created with a label of admin_home_t, even though the policy requires it to be labeled ssh_home_t. Later when the admin tries to use the content of the .ssh directory to log in without a password, sshd (sshd_t) fails to read the directory's contents because sshd is not allowed to read files labeled admin_home_t. The administrator would need to run restorecon -R -v /home/.ssh to fix the labels, and often they forget to do so.

Another example would be a user creating the public_html directory in his home directory. The default label for content in the home directory is user_home_t, but SELinux requires the public_html directory to be labeled http_user_content_t, which allows the Apache process (httpd_t) to read the content. We block the Apache process from reading user_home_t as valuable information like user secrets and credit-card data could be in the user's home directory.

File Transitions Policy

Policy writers have always be able to write a file transition rule that includes the type of the processes creating the file object (NetworkManger_t), the type of the directory that will contain the file object (etc_t), and the class of the file object (file). They can also specify the type of the created object (net_conf_t):

filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)

This policy line says that a process running as NetworkManager_t creating any file in a directory labeled etc_t will create it with the label net_conf_t.

Named File Transitions Policy

Eric Paris added a cool feature to the kernel that allows the kernel to label a file based on four characteristics instead of just three. He added the base file name (not the path).

Now policy writers can write policy rules that state:

• If the unconfined_t user process creates the .ssh directory in a directory labeled admin_home_t, then it will get created with the label ssh_home_t: `filetrans_pattern(unconfined_t, admin_home_t, dir, ssh_home_t, ".ssh")
• If the staff_t user process creates a directory named public_html in a directory labeled user_home_dir_t, it will get labeled http_user_content_t: `filetrans_pattern(staff_t, user_home_dir_t, dir, http_user_content_t, "public_html")

Additionally, we have added rules to make sure that if the kernel creates content in /dev, it will label it correctly rather than waiting for udev to fix the label.

filetrans_pattern(kernel_t, device_t, chr_file, wireless_device_t, "rfkill")

Better Security

This can also be considered a security enhancement, since in Red Hat Enterprise Linux 6, policy writers could only write rules based on the the destination directory label. Consider the example above using NetworkManager_t. In Red Hat Enterprise Linux 6, a policy writer would write filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t), which means the networkmanager process could create any file in an etc_t directory (/etc) that did not exist. If for some reason the /etc/passwd file did not exist, SELinux policy would not block NetworkManager_t from creating /etc/passwd. In Red Hat Enterprise Linux 7, we can write a tighter policy like this:

filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t, "resolv.conf")

This states that NetworkManger can only create files named resolv.conf in directories labeled etc_t. If it tries to create the passwd file in an etc_t directory, the policy would check if NetworkManager_t is allowed to create an etc_t file, which is not allowed.

Bottom Line

This feature should result in less occurrences of accidental mislabels by users and hopefully a more secure and better-running SELinux system.