Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
redhat:base-redhat:selinux-redhat [2018/05/08 11:13] – [Role-Based Access Control (RBAC)] michael | redhat:base-redhat:selinux-redhat [2018/05/08 11:22] (current) – [Multi-Category Security (MCS)] michael | ||
---|---|---|---|
Line 193: | Line 193: | ||
<WRAP center box 100%> | <WRAP center box 100%> | ||
< | < | ||
- | sesearch -ACS -t ssh_home_t -c file -p read | + | # sesearch -ACS -t ssh_home_t -c file -p read |
</ | </ | ||
Line 244: | Line 244: | ||
</ | </ | ||
==== Multi-Category Security (MCS) ==== | ==== Multi-Category Security (MCS) ==== | ||
+ | |||
+ | Multi-Category Security provides a way to associate a set or range of **compartments** with SELinux contexts. The targeted policy model implements compartmentalization of types associated with mcs_constrained_type. To understand how this works, it's required to know how to inspect the MLS part of security contexts. This is the part after the user: | ||
+ | |||
+ | <sxh plain; gutter: false;> | ||
+ | system_u: | ||
+ | ▼ ▼ | ||
+ | Low security level, | ||
+ | associated with no | ||
+ | compartments. | ||
+ | </ | ||
+ | |||
+ | One thing that is noticeable above is the lack of compartments on the low security level, as well as both security levels being the same. The first point is an implementation detail of the MCS model in the targeted policy. When an access vector is computed for a process that is associated with mcs_constrained_type, | ||
+ | |||
+ | The compartment part of the above security context is a **category range**, but can also be a set of categories separated by commas. A range of categories results in the context being associated with an inclusive set of categories in that range. Understanding how access is computed for two processes with a set of categories requires looking at the **dominance** rules for SELinux security levels (access is only allowed if the source type's high security level **dominates** the target type's high security level). Those rules are as follows (only accounting for categories, and not MLS security levels) | ||
+ | |||
+ | * Source dominates the target if the categories in the source context are the same as or a superset of those in the target context. | ||
+ | * Source is dominated by the target if the categories in the source context are a subset of the categories of the target context. | ||
+ | * Source and target are equal and dominate each other if the set of categories are the same in each context. | ||
+ | |||
+ | With that in mind, we know that a context with a category set of c0.c5 will be granted access to a context with a category set of c0,c3, but not a category set of c0,c6, or c0.c1023. This rule is the reason that sVirt generates a random set of categories, so there will be no overlap where one virt domain will dominate another. The Android project also does the same thing, to put applications in isolated domains. | ||
+ | |||
+ | An example use of Multi-Category Security could be using NGINX with multiple vhosts that connect to backend servers that are also running as httpd domains (e.g., PHP-FPM). Normally these instances of the backend servers would be able to modify and manage each others domains simply due to type-enforcement rules. If they' | ||
+ | |||
+ | There are a couple of presequities to achieving this. First, '' | ||
+ | |||
+ | <WRAP center box 100%> | ||
+ | < | ||
+ | # seinfo -xamcs_constrained_type | ||
+ | </ | ||
+ | <sxh plain; gutter: false;> | ||
+ | | ||
+ | netlabel_peer_t | ||
+ | openshift_t | ||
+ | openshift_app_t | ||
+ | sandbox_min_t | ||
+ | sandbox_x_t | ||
+ | sandbox_web_t | ||
+ | sandbox_net_t | ||
+ | svirt_t | ||
+ | svirt_tcg_t | ||
+ | svirt_lxc_net_t | ||
+ | svirt_qemu_net_t | ||
+ | svirt_kvm_net_t | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | To add to this list of types it is necessary to create a local policy module that associates the desired type with the attribute. This is done using the typeattribute statement, and can be done like so: | ||
+ | |||
+ | <sxh plain; gutter: false;> | ||
+ | policy_module(httpd_mcs, | ||
+ | gen_require(` | ||
+ | type httpd_t; | ||
+ | attribute mcs_constrained_type; | ||
+ | ') | ||
+ | |||
+ | typeattribute httpd_t mcs_constrained_type; | ||
+ | </ | ||
+ | |||
+ | See FIXME Customizing Local Policy for instructions on building policy modules. | ||
+ | |||
+ | Once the type is associated with mcs_constrained_type each backend server must have their content relabeled to include the respective categories in their file context specifications. This can be achieved by adding the file types to / | ||
+ | |||
+ | < | ||
+ | # semanage fcontext -a -t httpd_sys_content_t -r " | ||
+ | # semanage fcontext -a -t httpd_sys_content_t -r " | ||
+ | </ | ||
+ | |||
+ | The next step is making sure the backend servers are started with the correct security context. On CentOS 7 with systemd this can be achieved with the '' | ||
+ | |||
+ | < | ||
+ | # runcon " | ||
+ | </ | ||
+ | |||
+ | Or in the systemd unit: | ||
+ | |||
+ | <sxh plain; gutter: false;> | ||
+ | SELinuxContext=system_u: | ||
+ | </ | ||
+ | |||
+ | Now each backend server should be isolated from the other, while allowing NGINX access to manage and send messages to both of them. | ||
Line 249: | Line 329: | ||
https:// | https:// | ||
- | |||