system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:auditd_t:s0 663 ? 00:00:00 auditd
system_u:system_r:chronyd_t:s0 713 ? 00:00:00 chronyd
system_u:system_r:NetworkManager_t:s0 735 ? 00:00:15 NetworkManager
system_u:system_r:sshd_t:s0-s0:c0.c1023 1114 ? 00:00:00 sshdWhat are policies? A policy is a real-world application of SELinux controls. This chapter is an overview and examination of SELinux policy for Red Hat Enterprise Linux.
What is the Targeted Policy?
The SELinux policy is highly configurable. Starting with Red Hat Enterprise Linux 5, Red Hat defaulted to the targeted policy. The goal of this policy is to lock down all processes that listen for network connections and pretty much all processes that start at boot. Under the targeted policy, every subject and object runs in the unconfined_t domain except for the specific targeted daemons. Objects that are in the unconfined_t domain have no restrictions and fall back to using standard Linux security, that is, DAC. The daemons secured by the targeted policy run in their own domains and are restricted via type enforcement in every operation they perform on the system. This way daemons that are exploited or compromised in any way are contained and can only cause limited damage.
Targeted policy has expanded and evolved over the years to provide coverage for nearly every system service and utility. As example ps output shows below, systemd, auditd, chronyd, NetworkManager and sshd each run in a unique domain:
Additional policies are available:
-
Multi-level security (MLS)
-
Minimum
-
Sandbox
The MLS SELinux policy applies a modified principle called Bell-La Padula with write equality. This means that users can read files at their own sensitivity level and lower, but can write only at exactly their own level. This prevents, for example, low-clearance users from writing content into top-secret files. MLS is the most strict policy and is rarely used in practice.
Minimum policy is built exactly the same as targeted policy, but installs ONLY the base policy package and the unconfined.pp. All of the SELinux policy modules from the targeted policy are in the selinux-policy-minimum rpm package but they are not compiled and loaded into the kernel in the post install.
Sandbox is a special-purpose policy and utility primarily for testing. The sandbox security utility adds a set of SELinux policies that allow a system administrator to run an application within a tightly confined SELinux domain. Restrictions on permission to open new files or access to the network can be defined. This enables testing the processing characteristics of untrusted software securely, without risking damage to the system.
We are only working with Targeted Policy in this workshop.
Important reminders
-
SELinux policy is consulted after normal DAC controls. So if DAC permissions already deny a particular access to a file, no further evaluations are done.
-
SELinux is a "default deny" system. Thus, that which is not explicitly permitted is denied.
To learn more
To better understand SELinux basic concepts, see the following resources:
×
Workshop Details
| Domain |
|
|
| Workshop | ||
| Student ID |
Workshop Details
| Domain |
|
|
| Workshop | ||
| Student ID |