| 1 | +## Summary |
| 2 | +Introduced by the NSA for securing linux assets. |
| 3 | +- Enforces an admin-defined security policy ([[Mandatory Access Control]]) over all processes, objects and operations. |
| 4 | +- Can confine services and applications (even running as root) to mitigate the risks of flawed or malicious programs |
| 5 | + |
| 6 | +All subjects (processes) and objects (files, ports and other resources) are associated with labels used to describe authorisation. |
| 7 | + |
| 8 | +When an operation occurs (e.g. opening a file), the request is redirected to a *policy engine* which determines if the subject can perform the operation. |
| 9 | +- Deny all by default |
| 10 | + |
| 11 | +![[SELinux_flow.svg]] |
| 12 | +### Advantages |
| 13 | +- Can confine the operations of privileged system daemons (reduces the impact of a daemon being misused by a malicious process) |
| 14 | +- Centralized policy configuration is easier to manage and analyse than [[Discretionary Access Control]]'s scattered configuration. |
| 15 | +### Limitations |
| 16 | +- If the vulnerability used is in the kernel. |
| 17 | +- If a security policy is permissive ([[Security Enhanced Linux]] will merely enforce the policy it is given) |
| 18 | +## Type Enforcement |
| 19 | +```python |
| 20 | +# For each subject and object |
| 21 | +f"{user}:{role}:{type}:{security level}" |
| 22 | + |
| 23 | +# for example |
| 24 | +facebook = f"u:r:facebook:s0:c0" # level: s0 is sensitivity, c0 is category |
| 25 | +sys_directory = f"u:r:sysfs:s0:c0" |
| 26 | + |
| 27 | +``` |
| 28 | +*Note: Android uses the type field to isolate processes, and level to isolate device users* |
| 29 | +- Process types are called *domains* |
| 30 | +- *Domains*/*types* are [[Security Equivalence Classes]] |
| 31 | +- Same *domain*/*type* means same access & the subject/object is identified using this. |
| 32 | +- The security level (sensitivity and zero of more categories) os determined by [[Multi-Level Security]] |
| 33 | +![[domains_and_types.svg]] |
| 34 | +### Rules |
| 35 | +```python |
| 36 | +f"allow {domain} {type}:{class} \{{permissions}\}" |
| 37 | +"allow D1 T2:file read_write_execute" |
| 38 | + |
| 39 | +f"neverallow {domain} {type}:{class} \{{permissions}\}" |
| 40 | + |
| 41 | +# Disallow any system service apart from the dumpstate, shell etc of the domain attribute from executing files |
| 42 | +"neverallow {domain -appdomain -dumpstate -shell -system_server -zygote} {file_type -system_file -exec_type}:file execute" |
| 43 | +``` |
| 44 | +*Note: [AVCRules - SELinux Wiki (selinuxproject.org)](https://selinuxproject.org/page/AVCRules)* |
| 45 | +- `neverallow` is used to ensure no `allow` rules are added in future that accidentally conflict (the `checkpolicy` compiler issues a warning). |
| 46 | +- The last rule in a conflict is chosen |
| 47 | +## Configuration |
| 48 | + |
| 49 | +| Path | Description | |
| 50 | +| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | |
| 51 | +| `*.te` | Type Enforcement files (`D1.te`, `D2.te`, etc.) containing rules for a domain. | |
| 52 | +| `file_contexts` | File security contexts (labels for `\sys` at build time, `\dev, \data` at runtime). | |
| 53 | +| `mac_permissions.xml` | Assigns a seinfo tag to applications based on their signature (and optionally package name). Configuration is read during startup. | |
| 54 | +| `seapp_contexts` | Maps app UID (and optionally seinfo) to domain. | |
| 55 | +## Android |
| 56 | +Ported to android in 2012, and adopted in *permissive mode* in `4.3`, *enforcing mode* in `4.4`. |
| 57 | + |
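Review bot: the f-strings in the Rules block (lines 36 and 39) will not compile as written: `\{{permissions}\}` leaves an unescaped single `}` after `permissions`, which Python rejects with `SyntaxError: f-string: single '}' is not allowed`, and `\{` is not a valid string escape either; write literal braces as `{{` and `}}` (e.g. `f"allow {domain} {type}:{class} {{ {permissions} }}"`) or drop the `f` prefix, since these lines are rule templates rather than executable code. The worked example on line 37 also does not follow its own template: permissions are a brace-delimited set, so `allow D1 T2:file { read write execute };` rather than `read_write_execute` (the `.te` syntax also terminates each rule with `;`). Smaller fixes: the `file_contexts` row on line 52 uses backslashes for Linux paths (`/sys`, `/dev`, `/data`); line 32 should read "zero or more categories" and "is determined" rather than "os determined"; line 16 is a sentence fragment and could read "Offers no protection when the exploited vulnerability is in the kernel itself"; and line 4 is missing its trailing full stop.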