Exercise 1.1 - SELinux policy in RHEL

Return to Workshop

What are policies? A policy is a real-world application of SELinux controls. This chapter is an overview and examination of SELinux policy for Red Hat Enterprise Linux.

What is the Targeted Policy?

The SELinux policy is highly configurable. Starting with Red Hat Enterprise Linux 5, Red Hat defaulted to the targeted policy. The goal of this policy is to lock down all processes that listen for network connections and pretty much all processes that start at boot. Under the targeted policy, every subject and object runs in the unconfined_t domain except for the specific targeted daemons. Objects that are in the unconfined_t domain have no restrictions and fall back to using standard Linux security, that is, DAC. The daemons secured by the targeted policy run in their own domains and are restricted via type enforcement in every operation they perform on the system. This way daemons that are exploited or compromised in any way are contained and can only cause limited damage.

For example, the http and ntp daemons are both protected in the default targeted policy, and run in the httpd_t and ntpd_t domains, respectively. The ssh daemon, however, is not protected in this policy, and consequently runs in the unconfined_t domain. The targeted daemons include most common system daemons (dhcpd, httpd, mysqld, named, nscd, ntpd, portmap, postgres, snmpd, squid, syslogd, and winbind) and the list grows with each RHEL generation.

Refer to the following sample output, which illustrates the various domains for the daemons mentioned above:

user_u:system_r:httpd_t         25129 ?        00:00:00 httpd
user_u:system_r:ntpd_t          25176 ?        00:00:00 ntpd
system_u:system_r:unconfined_t         25245 ? 00:00:00 sshd

Additional policies are available:

  • Multi-level security (MLS)

  • Minimum

  • Sandbox

The MLS SELinux policy applies a modified principle called Bell-La Padula with write equality. This means that users can read files at their own sensitivity level and lower, but can write only at exactly their own level. This prevents, for example, low-clearance users from writing content into top-secret files. MLS is the most strict policy and is rarely used in practice.

Minimum policy is built exactly the same as targeted policy, but installs ONLY the base policy package and the unconfined.pp. All of the SELinux policy modules from the targeted policy are in the selinux-policy-minimum rpm package but they are not compiled and loaded into the kernel in the post install.

Sandbox is a special-purpose policy and utility primarily for testing. The sandbox security utility adds a set of SELinux policies that allow a system administrator to run an application within a tightly confined SELinux domain. Restrictions on permission to open new files or access to the network can be defined. This enables testing the processing characteristics of untrusted software securely, without risking damage to the system.

We are only working with Targeted Policy in this workshop.

Additional reminders

  • SELinux policy is consulted after normal DAC controls. So if DAC permissions already deny a particular access to a file, no further evaluations are done.

  • SELinux is a "default deny" system. Thus, that which is not explicitly permitted is denied.

To learn more

To better understand SELinux basic concepts, see the following resources:


Workshop Details

Domain Red Hat Logo
Workshop
Student ID

Return to Workshop