Difference between revisions of "PolicyStoreConfigurationFiles"
Line 1: | Line 1: | ||
= Policy Store Configuration Files = | = Policy Store Configuration Files = | ||
− | + | Depending on the release being used policy stores will be located at: | |
− | < | + | * <tt><nowiki>/etc/selinux/<policy_name>/modules</nowiki></tt><nowiki> - This is the default for systems that support versions < 2.4 of </nowiki><tt>libsemanage</tt>, <tt>libsepol</tt>, and <tt>policycoreutils</tt>. |
− | <nowiki>/etc/selinux/<policy_name></nowiki> | + | * <tt><nowiki>/var/lib/selinux/<policy_name>/modules</nowiki></tt> - This is the default for systems that support versions >= 2.4 of <tt>libsemanage</tt>, <tt>libsepol</tt>, and <tt>policycoreutils</tt>. The base (<tt>/var/lib/selinux</tt>) may be overridden by the <tt>store-root</tt> parameter defined in the [[GlobalConfigurationFiles#/etc/selinux/semanage.conf File | semanage.conf]] file. The migration process from previous releases is described at [https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration]. Note that once the policy store migration is complete, these files will no longer exist |
− | </ | + | |
− | + | Note: There can be multiple policy stores on a system at <tt><nowiki>/etc/selinux/<policy_name>/modules</nowiki></tt>. | |
− | The files | + | The Policy Store files are either installed, updated or built by the '''semodule'''(8) and '''semanage'''(8) commands as a part of the build process. The resulting files will either be copied over to the [[PolicyConfigurationFiles | Policy Configuration Files]] area, or used to rebuild the kernel binary policy located at <nowiki>/etc/selinux/<policy_name>/policy</nowiki>. |
− | + | All files may have comments inserted where each line must have the '#' symbol to indicate the start of a comment. | |
− | + | The command options and outputs shown in the text are based on the current F-20 build. | |
== modules/ Files == | == modules/ Files == | ||
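Review bot: the "Note: There can be multiple policy stores on a system at /etc/selinux/<policy_name>/modules" line only names the pre-2.4 root, while the bullet directly above says systems with libsemanage/libsepol/policycoreutils >= 2.4 keep the store under /var/lib/selinux/<policy_name>/modules (or wherever store-root in semanage.conf points), so the note should cover both roots or say "under the store root". In the same bullet, the closing sentence "Note that once the policy store migration is complete, these files will no longer exist" has no full stop and does not say which files it means; naming them explicitly (presumably the ones under /etc/selinux/<policy_name>/modules) would remove the ambiguity. Since the following line says all command output is taken from the F-20 build, it would also help to state which of the two store roots those examples were captured from.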
Line 20: | Line 19: | ||
</pre> | </pre> | ||
− | == base.pp File == | + | == modules/active/base.pp File == |
− | This is the packaged base policy that contains the mandatory modules and policy components such as object classes | + | This is the packaged base policy that contains the mandatory modules and policy components such as object classes, permission declarations and initial SIDs. |
− | == base.linked File == | + | == modules/active/base.linked File == |
− | This is only present if the save-linked is set to TRUE as described in the /etc/selinux/semanage.conf section. It contains the modules that have been linked using the semodule_link(8) command. | + | This is only present if the save-linked is set to <tt>TRUE</tt> as described in the [[GlobalConfigurationFiles#/etc/selinux/semanage.conf File | /etc/selinux/semanage.conf]] section. It contains the modules that have been linked using the <tt>'''semodule_link'''(8)</tt> command. |
− | == commit_num File == | + | == modules/active/commit_num File == |
This is a binary file used by libsemanage for managing updates to the store. The format is not relevant to policy construction. | This is a binary file used by libsemanage for managing updates to the store. The format is not relevant to policy construction. | ||
− | == file_contexts.template File == | + | == modules/active/file_contexts.template File == |
− | This contains a copy all the modules 'Labeling Policy File' entries (e.g. the <nowiki><module_name>.fc</nowiki> files) that have been extracted from the base.pp and the loadable modules in the modules/active/modules directory. | + | This contains a copy all the modules 'Labeling Policy File' entries (e.g. the <nowiki><module_name>.fc</nowiki> files) that have been extracted from the [[#modules/active/base.pp | base.pp]] and the loadable modules in the [[#modules/active/modules_Directory_Contents | modules/active/modules]] directory. |
− | The entries in the file_contexts.template file are then used to build the following files: | + | The entries in the file_contexts.template file are then used to build the following files as shown in the [http://taiga.selinuxproject.org/~rhaines/NB4-diagrams/25-file_contexts.png File Context Configuration Files] diagram: |
+ | # [[#modules/active/homedir_template | homedir_template]] file that will be used to produce the [[#modules/active/file_contexts.homedirs | file_contexts.homedirs]] file which will then become the policies ./contexts/files/file_contexts.homedirs file. | ||
+ | # [[#modules/active/file_contexts | file_contexts]] file that will become the policies file_contexts file. | ||
− | + | Note that as a part of the <tt>semanage</tt> build process, these two files will also have <tt>file_contexts.bin</tt> and <tt>file_contexts.homedirs.bin</tt> files present in the [[PolicyConfigurationFiles#contexts/files/file_contexts File | Policy Configuration Files]] <tt>contexts/files</tt> directory. This is because <tt>semanage</tt> requires these in the Perl compatible regular expression (PCRE) internal format. They are generated by the <tt>'''sefcontext_compile'''(8)</tt> utility. | |
− | + | ||
− | The | + | The homedir_template and file_contexts files are built is as follows: |
+ | : '''homedir_template''' - Any line in the file_contexts.template file that has the keywords HOME_ROOT, HOME_DIR and/or USER are extracted and added to the homedir_template file. This is because these keywords are used to identify entries that are associated to a users home directory area. These lines may also have the ROLE keyword declared. | ||
+ | : The homedir_template file will then be processed by '''genhomedircon'''(8)<ref name="ftn34"><sup>The genhomedircon command has now been built into the libsemanage library as a function to build the file_contexts.homedirs file via '''semanage'''(8).</sup></ref> to generate individual SELinux user entries in the file_contexts.homedirs file as discussed in the [[#modules/active/file_contexts.homedirs | modules/active/file_contexts.homedirs]] section. | ||
− | + | These are examples of one line being processed as described above, taken from the F-20 targeted policy: | |
− | The | + | The master file_contexts.template entry: |
+ | <pre> | ||
+ | HOME_DIR\/.wine(/.*)? system_u:object_r:wine_home_t:s0 | ||
+ | </pre> | ||
+ | |||
+ | The <tt>homedir_</tt>template entry is created as: | ||
+ | <pre> | ||
+ | HOME_DIR\/.wine(/.*)? system_u:object_r:wine_home_t:s0 | ||
+ | </pre> | ||
+ | |||
+ | The file_contexts.homedirs entries are created by <tt>genhomedircon</tt> for the SELinux users extracted from the [[#modules/active/seusers.final and seusers Files | seusers]] file as follows: | ||
+ | <pre> | ||
+ | # Home Context for any Linux user that is assigned | ||
+ | # the SELinux user unconfined_u | ||
+ | /home/[^/]*/\.wine(/.*)? unconfined_u:object_r:wine_home_t:s0 | ||
+ | |||
+ | # Home Context for user root | ||
+ | /root/\.wine(/.*)? unconfined_u:object_r:wine_home_t:s0 | ||
+ | </pre> | ||
'''file_contexts''' - All other lines are extracted and added to the file_contexts file as they are files not associated to a users home directory. | '''file_contexts''' - All other lines are extracted and added to the file_contexts file as they are files not associated to a users home directory. | ||
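Review bot: "The <tt>homedir_</tt>template entry is created as:" closes the tt span in the middle of the file name; it should be "<tt>homedir_template</tt>". Smaller points in this hunk: "This contains a copy all the modules 'Labeling Policy File' entries" is missing "of"; "The homedir_template and file_contexts files are built is as follows" has a stray "is"; "save-linked" is a semanage.conf parameter and should get the same <tt> markup as TRUE; "the policies ./contexts/files/file_contexts.homedirs file" and "the policies file_contexts file" want the possessive "policy's". Also, the master file_contexts.template entry and the homedir_template entry shown for the wine line are identical, so a sentence saying that the line is copied across unchanged at that step (only genhomedircon rewrites it) would make the worked example clearer.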
Line 47: | Line 67: | ||
'''The format of the file_contexts.template file is as follows:''' | '''The format of the file_contexts.template file is as follows:''' | ||
− | Each line within the file consists of | + | Each line within the file consists of the following: |
<pre> | <pre> | ||
− | pathname_regexp | + | pathname_regexp [file_type] opt_security_context |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
</pre> | </pre> | ||
+ | '''Where:''' | ||
− | |||
{| border="1" | {| border="1" | ||
− | + | | pathname_regexp | |
− | + | | An entry that defines the pathname that may be in the form of a regular expression. | |
The metacharacters '^' (match beginning of line) and '$' (match end of line) are automatically added to the expression by the routines that process this file, however they can be over-ridden by using '.*' at either the beginning or end of the expression (see the example file_contexts files below). | The metacharacters '^' (match beginning of line) and '$' (match end of line) are automatically added to the expression by the routines that process this file, however they can be over-ridden by using '.*' at either the beginning or end of the expression (see the example file_contexts files below). | ||
− | There are also keywords of HOME_ROOT, HOME_DIR, ROLE and USER that are used by file labeling commands (see the keyword definitions below and the | + | There are also keywords of HOME_ROOT, HOME_DIR, ROLE and USER that are used by file labeling commands (see the keyword definitions below and the [[#modules/active/homedir_template | modules/active/homedir_template]] file section for their usage). |
|- | |- | ||
− | + | | file_type | |
− | | | + | | One of the following optional file_type entries (note if blank means "all file types"): |
− | '-b' - Block Device | + | '<tt>-b</tt>' - Block Device '<tt>-c</tt>' - Character Device |
− | '-d' - Directory | + | '<tt>-d</tt>' - Directory '<tt>-p</tt>' - Named Pipe (FIFO) |
− | '-l' - Symbolic Link | + | '<tt>-l</tt>' - Symbolic Link '<tt>-s</tt>' - Socket File |
− | '--' - Ordinary file | + | '<tt>--</tt>' - Ordinary file |
− | + | By convention this entry is known as 'file type', however it really represents the 'file object class'. | |
− | + | ||
− | + | ||
+ | |- | ||
+ | | opt_security_context | ||
+ | | This entry can be either: | ||
# The security context, including the MLS / MCS level or range if applicable that will be assigned to the file. | # The security context, including the MLS / MCS level or range if applicable that will be assigned to the file. | ||
− | # A value of <nowiki><<none>></nowiki> can be used to indicate that | + | # A value of <nowiki><<none>></nowiki> can be used to indicate that matching files should not be re-labeled. |
− | + | ||
− | + | ||
|} | |} | ||
− | '''Keywords that can be in the file_contexts.template | + | '''Keywords that can be in the file_contexts.template file are:''' |
+ | |||
{| border="1" | {| border="1" | ||
− | + | | HOME_ROOT | |
− | + | | This keyword is replaced by the GNU / Linux users root home directory, normally '/home' is the default. | |
|- | |- | ||
− | + | | HOME_DIR | |
− | + | | This keyword is replaced by the GNU / Linux users home directory, normally '/home/' is the default. | |
|- | |- | ||
− | | | | + | | USER |
− | | | This keyword is replaced by the 'prefix' entry from the users_extra configuration file that corresponds to the SELinux users user id. Example users_extra configuration file entries are: | + | | This keyword will be replaced by the users GNU / Linux user id. |
+ | |||
+ | |- | ||
+ | | ROLE | ||
+ | | This keyword is replaced by the 'prefix' entry from the users_extra configuration file that corresponds to the SELinux users user id. Example users_extra configuration file entries are: | ||
<pre> | <pre> | ||
− | user user_u | + | user user_u prefix user; |
− | user staff_u | + | user staff_u prefix staff; |
− | + | ||
</pre> | </pre> | ||
− | It is used for files and directories within the users home directory area | + | It is used for files and directories within the users home directory area. |
− | + | The prefix can be added by the semanage <tt>login</tt> command as follows (although note that the <tt>-P</tt> option is suppressed when help is displayed as it is generally it is not used (defaults to <tt>user</tt>) - see [http://blog.gmane.org/gmane.linux.redhat.fedora.selinux/month=20110701 http://blog.gmane.org/gmane.linux.redhat.fedora.selinux/month=20110701] for further information): | |
<pre> | <pre> | ||
− | + | # Add a Linux user: | |
− | + | adduser rch | |
− | + | # Modify staff_u SELinux user and prefix: | |
− | semanage login -a -s | + | semanage user -m -R staff_r -P staff staff_u |
+ | |||
+ | # Associate the SELinux user to the Linux user: | ||
+ | semanage login -a -s staff_u rch | ||
</pre> | </pre> | ||
− | |||
− | |||
− | |||
− | |||
|} | |} | ||
− | '''Example file_contexts.template''' '''contents:''' | + | '''Example file_contexts.template''' '''contents from targeted policy:''' |
<pre> | <pre> | ||
− | + | # modules/active/file_contexts.template - These sample entries | |
− | + | # have been taken from the targeted policy and show the | |
− | + | # HOME_DIR, HOME_ROOT and USER keywords whose lines will be | |
− | + | # extracted and added to the homedir_template file that is | |
− | + | # used to manage user home directory entries. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | /.* | + | /.* system_u:object_r:default_t:s0 |
− | /a?quota\.(user|group) | + | /[^/]+ -- system_u:object_r:etc_runtime_t:s0 |
− | / | + | /a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 |
− | / | + | /nsr(/.*)? system_u:object_r:var_t:s0 |
− | + | /sys(/.*)? system_u:object_r:sysfs_t:s0 | |
− | / | + | ... |
− | + | /etc/ntop.* system_u:object_r:ntop_etc_t:s0 | |
− | / | + | HOME_DIR/.+ system_u:object_r:user_home_t:s0 |
− | + | /dev/dri/.+ -c system_u:object_r:dri_device_t:s0 | |
− | / | + | ... |
− | + | /tmp/gconfd-USER -d system_u:object_r:user_tmp_t:s0 | |
− | HOME_ROOT/ | + | ... |
− | + | /tmp/gconfd-USER/.* -- system_u:object_r:gconf_tmp_t:s0 | |
+ | ... | ||
+ | HOME_ROOT/\.journal <<none>> | ||
</pre> | </pre> | ||
− | |||
− | |||
− | The format of the file_contexts file is the same as the | + | == modules/active/file_contexts File == |
+ | This file becomes the policies [[PolicyConfigurationFiles#contexts/files/file_contexts | contexts/files/file_contexts]] file and is built from entries in the [[#modules/active/file_contexts.template | modules/active/file_contexts.template]] file as explained above and shown in the [http://taiga.selinuxproject.org/~rhaines/NB4-diagrams/25-file_contexts.png File Context Configuration Files] diagram. It is then used by the file labeling utilities to ensure that files and directories are labeled according to the policy. | ||
+ | |||
+ | The format of the file_contexts file is the same as the [[#modules/active/file_contexts.template | modules/active/file_contexts.template]] file. | ||
The USER keyword is replaced by the users GNU / Linux user id when the file labeling utilities are run. | The USER keyword is replaced by the users GNU / Linux user id when the file labeling utilities are run. | ||
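Review bot: the HOME_DIR keyword row says "normally '/home/' is the default", but HOME_DIR stands for an individual user's home directory, which this hunk's own examples expand to /home/[^/]* and /root; the "default is /home" wording belongs only to the HOME_ROOT row. Other points in this hunk: "as it is generally it is not used" in the -P option sentence has a doubled "it is"; the heading "'''Example file_contexts.template''' '''contents from targeted policy:'''" is split into two bold spans that should be one; "the policies contexts/files/file_contexts file" should use the possessive "policy's", as in the previous hunk.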
Line 163: | Line 180: | ||
'''Example file_contexts contents:''' | '''Example file_contexts contents:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/file_contexts - These sample entries have | |
− | + | # been taken from the targeted policy. | |
− | + | # The keywords HOME_DIR, HOME_ROOT, USER and ROLE have been | |
− | + | # removed and put in the homedir_template file. | |
− | + | ||
− | + | ||
− | /.* | + | /.* system_u:object_r:default_t:s0 |
− | /a?quota\.(user|group) -- | + | /[^/]+ -- system_u:object_r:etc_runtime_t:s0 |
− | / | + | /a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 |
− | / | + | /nsr(/.*)? system_u:object_r:var_t:s0 |
− | / | + | /sys(/.*)? system_u:object_r:sysfs_t:s0 |
− | / | + | /xen(/.*)? system_u:object_r:xen_image_t:s0 |
− | / | + | /mnt(/[^/]*) -l system_u:object_r:mnt_t:s0 |
− | + | /mnt(/[^/]*)? -d system_u:object_r:mnt_t:s0 | |
− | /var/run/ | + | /bin/.* system_u:object_r:bin_t:s0 |
+ | /dev/.* system_u:object_r:device_t:s0 | ||
+ | /usr/.* system_u:object_r:usr_t:s0 | ||
+ | /var/.* system_u:object_r:var_t:s0 | ||
+ | /run/.* system_u:object_r:var_run_t:s0 | ||
+ | /srv/.* system_u:object_r:var_t:s0 | ||
+ | /tmp/.* <<none>> | ||
</pre> | </pre> | ||
+ | |||
<pre> | <pre> | ||
− | + | # contexts/files/file_contexts - Sample entries from the MLS reference policy. | |
− | + | # Notes: | |
− | + | # 1) The fixed_disk_device_t is labeled SystemHigh (s15:c0.c255) | |
− | + | # as it needs to be trusted. Also some logs and configuration | |
− | + | # files are labeled SystemHigh as they contain sensitive | |
− | + | # information used by trusted applications. | |
− | + | # | |
− | + | # 2) Some directories (e.g. ''/tmp'') are labeled | |
− | + | # SystemLow-SystemHigh (s0-s15:c0.c255) as they will | |
− | + | # support polyinstantiated directories. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | /.*system_u:object_r:default_t:s0 | ||
+ | /a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 | ||
+ | /mnt(/[^/]*) -l system_u:object_r:mnt_t:s0 | ||
+ | /mnt/[^/]*/.* <<none>> | ||
+ | /dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0 | ||
+ | /dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0 | ||
+ | /dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 | ||
+ | /var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t:s0 | ||
+ | /dev/(raw/)?rawctl -c system_u:object_r:fixed_disk_device_t:s15:c0.c255 | ||
+ | /tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 | ||
+ | /dev/pts -d system_u:object_r:devpts_t:s0-s15:c0.c255 | ||
+ | /var/log -d system_u:object_r:var_log_t:s0-s15:c0.c255 | ||
+ | /var/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 | ||
+ | /var/run -d system_u:object_r:var_run_t:s0-s15:c0.c255 | ||
+ | /usr/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 | ||
+ | <pre> | ||
− | == homedir_template File == | + | == modules/active/homedir_template File == |
− | This file is built from entries in the file_contexts.template file (as shown in | + | This file is built from entries in the [[#modules/active/file_contexts.template | file_contexts.template]] file (as shown in the [http://taiga.selinuxproject.org/~rhaines/NB4-diagrams/25-file_contexts.png File Context Configuration Files] diagram) and explained in the [[#modules/modules/active/file_contexts.template | modules/active/file_contexts.template]] section. |
− | The file is used by genhomedircon, semanage login or semanage user to generate individual user entries in the file_contexts.homedirs file. | + | The file is used by genhomedircon, semanage login or semanage user to generate individual user entries in the [[#modules/active/file_contexts.homedirs | file_contexts.homedirs]] file. |
− | The homedir_template file has the same per line format as the | + | The homedir_template file has the same per line format as the [[#modules/active/file_contexts.template | modules/active/file_contexts.template]] file. |
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/homedir_template - These sample entries have | |
− | + | # been taken from the targeted policy and show the | |
− | + | # HOME_DIR, HOME_ROOT and USER keywords that are used to manage | |
− | + | # users home directories: | |
− | HOME_DIR/.+ | + | HOME_DIR/.+ system_u:object_r:user_home_t:s0 |
− | + | /tmp/gconfd-USER -d system_u:object_r:user_tmp_t:s0 | |
− | HOME_ROOT/ | + | /tmp/gconfd-USER/.* -- system_u:object_r:gconf_tmp_t:s0 |
− | + | HOME_ROOT/\.journal <<none>> | |
</pre> | </pre> | ||
− | == file_contexts.homedirs File == | + | == modules/active/file_contexts.homedirs File == |
− | This file becomes the policies | + | This file becomes the policies [[PolicyConfigurationFiles#contexts/files/file_contexts.homedirs | contexts/files/file_contexts.homedirs]] file when building policy as shown in the [http://taiga.selinuxproject.org/~rhaines/NB4-diagrams/25-file_contexts.png File Context Configuration Files] diagram. It is then used by the file labeling utilities to ensure that users home directory areas are labeled according to the policy. |
− | The file can be built by the genhomedircon command ( | + | The file can be built by the genhomedircon command (that just calls /usr/sbin/semodule -Bn) or if using semanage with user or login options to manage users, where it is called automatically as it is now a libsepol library function. |
− | The file_contexts.homedirs file has the same per line format as the . | + | The file_contexts.homedirs file has the same per line format as the [[#modules/active/file_contexts.template | modules/active/file_contexts.template]] file, however the HOME_DIR, ROOT_DIR, <tt>ROLE</tt> and USER keywords will be replaced as explained in the keyword definitions section above. |
'''Example file_contexts.homedirs contents:''' | '''Example file_contexts.homedirs contents:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/file_contexts.homedirs - These sample entries | |
− | + | # have been taken from the targeted policy and show that | |
− | + | # the HOME_DIR, HOME_ROOT and USER keywords have been replaced | |
− | + | # by entries as explained above. | |
− | + | # | |
− | + | # Home Context for the default user (unconfined_u) | |
− | + | /home/[^/]*/.+ unconfined_u:object_r:user_home_t:s0 | |
− | + | /home/[^/]*/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0 | |
− | + | ... | |
+ | /tmp/gconfd-.*/.* -- unconfined_u:object_r:gconf_tmp_t:s0 | ||
+ | /tmp/gconfd-.* -d unconfined_u:object_r:user_tmp_t:s0 | ||
− | /home/.+ | + | # Home Context for user rch |
− | /home/ | + | /home/rch/.+ staff_u:object_r:user_home_t:s0 |
− | / | + | /home/rch/.maildir(/.*)? staff_u:object_r:mail_home_rw_t:s0 |
− | / | + | ... |
+ | /tmp/gconfd-rch/.* -- staff_u:object_r:gconf_tmp_t:s0 | ||
+ | /tmp/gconfd-rch -d staff_u:object_r:user_tmp_t:s0 | ||
− | + | # Home Context for user root | |
− | /root/.+ | + | /root/.+ unconfined_u:object_r:user_home_t:s0 |
− | /root/ | + | /root/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0 |
− | /root | + | ... |
− | / | + | /tmp/gconfd-root/.* -- unconfined_u:object_r:gconf_tmp_t:s0 |
+ | /tmp/gconfd-root -d unconfined_u:object_r:user_tmp_t:s0 | ||
</pre> | </pre> | ||
− | == netfilter_contexts & netfilter.local File == | + | == modules/active/netfilter_contexts & netfilter.local File == |
− | These files | + | These files are not used at present. There is code to produce a netfilter_contexts file for use by the GNU/Linux iptables service<ref name="ftn35"><sup>This uses SECMARK labeling that has been utilised by SELinux as described in the [[NB_Networking | SELinux Networking Support]] section.</sup></ref> in the Reference Policy that would generate a file similar to the example below, however there seems much debate on how they should be managed (see [https://bugzilla.redhat.com/show_bug.cgi?id=201573 bug 201573 - Secmark iptables integration] for details). |
− | + | == modules/active/policy.kern File == | |
− | + | This is the binary policy file built by either the '''semanage'''(8) or '''semodule'''(8) commands (depending on the configuration action), that then becomes the binary policy to be loaded into the kernel. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | This is the binary policy file built by either the semanage or semodule | + | |
− | + | ||
− | + | ||
− | + | ||
− | * Building a policy where an optional seusers file has been included in the base package via the semodule_package(8) command (signified by the -s flag) as follows | + | == modules/active/seusers.final and seusers Files == |
+ | The seusers.final file maps GNU / Linux users to SELinux users and becomes the policies seusers<ref name="ftn36"><sup>Many seusers make confusion: The modules/active/seusers file is used to hold initial seusers entries, the modules/active/seusers.final file holds the complete entries that then becomes the policy <tt>seusers</tt> file.</sup></ref> file as discussed in the [[PolicyConfigurationFiles#seusers | seusers]] section. The seusers.final file is built or modified when: | ||
+ | * Building a policy where an optional seusers file has been included in the base package via the '''semodule_package'''(8) command (signified by the -s flag) as follows<ref name="ftn37"><sup>The Reference Policy Makefile 'Rules.modular' script uses this method to install the initial seusers file.</sup></ref>: | ||
<pre> | <pre> | ||
semodule_package -o base.pp -m base.mod -s seusers ... | semodule_package -o base.pp -m base.mod -s seusers ... | ||
</pre> | </pre> | ||
− | |||
The seusers file would be extracted by the subsequent semodule command when building the policy to produce the seusers.final file. | The seusers file would be extracted by the subsequent semodule command when building the policy to produce the seusers.final file. | ||
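Review bot: the MLS reference policy example block is opened with <pre> but closed with a second "<pre>" rather than "</pre>", so everything from the "== modules/active/homedir_template File ==" heading onward will be swallowed into the preformatted block. Also in this hunk: the first MLS entry "/.*system_u:object_r:default_t:s0" has no whitespace between the regexp and the security context and is not a valid file_contexts line (compare "/.* system_u:object_r:default_t:s0" in the targeted example above it); the homedir_template section links to "[[#modules/modules/active/file_contexts.template | ...]]", a doubled "modules/" that matches no heading; the file_contexts.homedirs section lists "HOME_DIR, ROOT_DIR, ROLE and USER" while the keyword table defines HOME_ROOT, not ROOT_DIR; that section also says genhomedircon "is now a libsepol library function" whereas footnote ftn34 earlier says it was built into libsemanage, so one of the two should be corrected; and "there seems much debate" reads better as "there seems to be much debate".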
Line 324: | Line 306: | ||
semanage login -a -s staff_u rch | semanage login -a -s staff_u rch | ||
</pre> | </pre> | ||
+ | This action will update the seusers file that would then be used to produce the seusers.final file with both policy and locally defined user mapping. | ||
− | + | It is also possible to associate a GNU / Linux group of users to an SELinux user as follows: | |
+ | <pre> | ||
+ | semanage login -a -s staff_u %staff_group | ||
+ | </pre> | ||
'''The format of the seusers.final & seusers files are as follows:''' | '''The format of the seusers.final & seusers files are as follows:''' | ||
<pre> | <pre> | ||
− | + | [%]user_id:seuser_id[:range] | |
</pre> | </pre> | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | + | | user_id | |
− | | | + | | Where <tt>user_id</tt> is the GNU / Linux user identity. If this is a GNU / Linux <tt>group_id</tt> then it will be preceded with the '<tt>%</tt>' sign as shown in the example below. |
|- | |- | ||
− | + | | seuser_id | |
− | + | | The SELinux user identity. | |
|- | |- | ||
− | + | | range | |
− | + | | The optional <tt>level</tt> or range. | |
|} | |} | ||
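Review bot: the user_id row begins "Where <tt>user_id</tt> is the GNU / Linux user identity" directly under a heading that already reads "'''Where:'''", so the leading "Where" should be dropped to match the other rows ("The SELinux user identity.", "The optional level or range."). The group example just above uses "%staff_group" while the later worked example uses "%user_group"; either is fine, but the row text "as shown in the example below" should point at whichever one is meant.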
Line 350: | Line 337: | ||
'''Example seusers.final file contents:''' | '''Example seusers.final file contents:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/seusers.final | |
− | + | ||
system_u:system_u | system_u:system_u | ||
root:root | root:root | ||
Line 359: | Line 345: | ||
'''Example semanage login command to add a GNU / Linux user mapping:''' | '''Example semanage login command to add a GNU / Linux user mapping:''' | ||
<pre> | <pre> | ||
− | + | # This command will add the rch:user_u entry in the seusers file: | |
semanage login -a -s user_u rch | semanage login -a -s user_u rch | ||
Line 366: | Line 352: | ||
'''The resulting seusers file would be:''' | '''The resulting seusers file would be:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/seusers | |
rch:user_u | rch:user_u | ||
</pre> | </pre> | ||
+ | |||
'''The seusers.final file that will become the <nowiki>./<policy_name>/seusers</nowiki> file is as follows:''' | '''The seusers.final file that will become the <nowiki>./<policy_name>/seusers</nowiki> file is as follows:''' | ||
<pre> | <pre> | ||
− | + | # /modules/active/seusers.final | |
system_u:system_u | system_u:system_u | ||
Line 380: | Line 367: | ||
</pre> | </pre> | ||
+ | '''Example semanage login command to add a GNU / Linux group mapping:''' | ||
+ | <pre> | ||
+ | # This command will add the %user_group:user_u entry in the seusers file: | ||
− | + | semanage login -a -s user_u %user_group | |
− | + | </pre> | |
− | * The users_extra and users_extra.local files are used to map a prefix to users home directories as discussed in the | + | '''The resulting seusers file would be:''' |
+ | <pre> | ||
+ | # /modules/active/seusers | ||
+ | |||
+ | rch:user_u | ||
+ | %user_group:user_u | ||
+ | </pre> | ||
+ | |||
+ | '''The seusers.final file that will become the <nowiki>./<policy_name>/seusers</nowiki> file is as follows:''' | ||
+ | <pre> | ||
+ | # modules/active/seusers.final | ||
+ | |||
+ | system_u:system_u | ||
+ | root:root | ||
+ | __default__:user_u | ||
+ | rch:user_u | ||
+ | %user_group:user_u | ||
+ | </pre> | ||
+ | |||
+ | == modules/active/users_extra, users_extra.local and users.local Files == | ||
+ | These three files work together to describe SELinux user information as follows: | ||
+ | * The users_extra and users_extra.local files are used to map a prefix to users home directories as discussed in the [[#modules/active/file_contexts.template | modules/active/file_contexts.template]] file section, where it is used to replace the ROLE keyword. The prefix is linked to an SELinux user id and should reflect the users role. The semanage user command will allow a prefix to be added via the -P flag (although no longer used by policies as discussed in the [[#modules/active/file_contexts.template | modules/active/file_contexts.template]] file section). | ||
The users_extra file contains all the policy prefix entries, and the users_extra.local file contains those generated by the semanage user command. | The users_extra file contains all the policy prefix entries, and the users_extra.local file contains those generated by the semanage user command. | ||
− | The users_extra file can optionally be included in the base package via the semodule_package(8) command (signified by the -u flag) as follows | + | The users_extra file can optionally be included in the base package via the '''semodule_package'''(8) command (signified by the -u flag) as follows<ref name="ftn38"><sup>The Reference Policy Makefile 'Rules.modular' script uses this method to install the initial users_extra file.</sup></ref>: |
<pre> | <pre> | ||
semodule_package -o base.pp -m base.mod -u users_extra ... | semodule_package -o base.pp -m base.mod -u users_extra ... | ||
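Review bot: the comment "# /modules/active/seusers" in "The resulting seusers file would be:" has a leading slash that the other file comments in this and the previous hunk ("# modules/active/seusers", "# modules/active/seusers.final") do not, and the previous hunk's "# /modules/active/seusers.final" has the same inconsistency; use the relative form throughout so the comments read as paths under the store root. In the users_extra bullet, "The semanage user command will allow a prefix to be added via the -P flag (although no longer used by policies ...)" would be clearer if it stated that the flag still works but current policies do not reference ROLE, which is what the file_contexts.template section it points to says.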
Line 395: | Line 406: | ||
The users_extra file would then be extracted by a subsequent semodule command when building the policy. | The users_extra file would then be extracted by a subsequent semodule command when building the policy. | ||
− | * The users.local file is used to add new SELinux users to the policy without editing the policy source itself (with each line in the file following a | + | * The users.local file is used to add new SELinux users to the policy without editing the policy source itself (with each line in the file following a policy language [[KernelPolicyLanguage#user | user]] statement section). This is useful when only the Reference Policy headers are installed and additional users need to added. The semanage user command will allow a new SELinux user to be added that would generate the user.local file and if a -P flag has been specified, then a users_extra.local file is also updated (note: if this is a new SELinux user and a prefix is not specified a default prefix of user is generated). |
The sections that follow will: | The sections that follow will: | ||
− | |||
* Define the format and show example users_extra and users_extra.local files. | * Define the format and show example users_extra and users_extra.local files. | ||
* Execute an semanage user command that will add a new SELinux user and associated prefix, and show the resulting users_extra, users_extra.local and users.local files. | * Execute an semanage user command that will add a new SELinux user and associated prefix, and show the resulting users_extra, users_extra.local and users.local files. | ||
− | Note that each line of the users.local file contains a user statement that is defined in the policy language user | + | Note that each line of the users.local file contains a user statement that is defined in the policy language [[KernelPolicyLanguage#user | user]] statement section, and will be built into the policy via the semanage command. |
'''The format of the users_extra & users_extra.local files are as follows:''' | '''The format of the users_extra & users_extra.local files are as follows:''' | ||
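Review bot: "additional users need to added" is missing "be", and "would generate the user.local file" should be "users.local" to match the section heading and the later "'''The resulting users.local file is as follows:'''" heading. The parenthetical "if this is a new SELinux user and a prefix is not specified a default prefix of user is generated" needs a comma after "specified" and <tt> markup on the literal "user".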
Line 410: | Line 420: | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | + | | user | |
− | + | | The user keyword. | |
|- | |- | ||
− | + | | seuser_id | |
− | + | | The SELinux user identity. | |
|- | |- | ||
− | + | | prefix | |
− | + | | The prefix keyword. | |
|- | |- | ||
− | + | | prefix_id | |
− | + | | An identifier that will be used to replace the ROLE keyword within the modules/active/homedir_template file when building the ./modules/active/file_contexts.homedirs file for the relabeling utilities to set the security context on users home directories. | |
|} | |} | ||
Line 431: | Line 442: | ||
'''Example users_extra file contents:''' | '''Example users_extra file contents:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/users_extra entries, note that the | |
− | + | # users_extra.local file contents are similar and generated by | |
− | + | # the semanage user command. | |
user user_u prefix user; | user user_u prefix user; | ||
Line 443: | Line 454: | ||
'''Example semanage user command to add a new SELinux user:''' | '''Example semanage user command to add a new SELinux user:''' | ||
<pre> | <pre> | ||
− | + | # This command will add the user test_u prefix staff entry in | |
− | + | # the users_extra.local file: | |
semanage user -a -R staff_r -P staff test_u | semanage user -a -R staff_r -P staff test_u | ||
Line 451: | Line 462: | ||
'''The resulting users_extra.local file is as follows:''' | '''The resulting users_extra.local file is as follows:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/users_extra.local | |
user test_u prefix staff; | user test_u prefix staff; | ||
Line 458: | Line 469: | ||
'''The resulting users_extra file is as follows:''' | '''The resulting users_extra file is as follows:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/users_extra | |
user user_u prefix user; | user user_u prefix user; | ||
Line 469: | Line 480: | ||
'''The resulting users.local file is as follows:''' | '''The resulting users.local file is as follows:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/users.local file entry: | |
user test_u roles { staff_r } level s0 range s0; | user test_u roles { staff_r } level s0 range s0; | ||
</pre> | </pre> | ||
− | == booleans.local File == | + | == modules/active/booleans.local File == |
− | This file is created and updated by the semanage boolean command and holds boolean value as requested | + | This file is created and updated by the <tt>semanage boolean</tt> command and holds boolean value as requested. |
'''Example semanage boolean command to modify a boolean value:''' | '''Example semanage boolean command to modify a boolean value:''' | ||
<pre> | <pre> | ||
− | + | # This command will add an entry in the booleans.local | |
− | + | # file and set the boolean value to 'off': | |
− | semanage boolean -m -0 ext_gateway_audit | + | semanage boolean -m -0 ext_gateway_audit |
</pre> | </pre> | ||
− | '''The resulting booleans.local file would be:''' | + | '''The resulting <tt>booleans.</tt>local file would be:''' |
<pre> | <pre> | ||
− | + | # modules/active/booleans.local | |
ext_gateway_audit=0 | ext_gateway_audit=0 | ||
</pre> | </pre> | ||
− | == file_contexts.local File == | + | == modules/active/file_contexts.local File == |
This file is created and updated by the semanage fcontext command. It is used to hold file context information on files and directories that were not delivered by the core policy (i.e. they are not defined in any of the <nowiki>*.fc</nowiki> files delivered in the base and loadable modules). | This file is created and updated by the semanage fcontext command. It is used to hold file context information on files and directories that were not delivered by the core policy (i.e. they are not defined in any of the <nowiki>*.fc</nowiki> files delivered in the base and loadable modules). | ||
The semanage command will add the information to the policy stores file_contexts.local file and then copy this file to the ./contexts/files/file_contexts.local file, where it will be used when the file context utilities are run. | The semanage command will add the information to the policy stores file_contexts.local file and then copy this file to the ./contexts/files/file_contexts.local file, where it will be used when the file context utilities are run. | ||
− | The format of the file_contexts.local file is the same as the | + | The format of the file_contexts.local file is the same as the [[#modules/active/file_contexts.template | modules/active/file_contexts.template]] file. |
'''Example semanage fcontext command to add a new entry:''' | '''Example semanage fcontext command to add a new entry:''' | ||
<pre> | <pre> | ||
− | + | # This command will add an entry in the file_contexts.local file: | |
− | + | ||
semanage fcontext -a -t user_t /usr/move_file | semanage fcontext -a -t user_t /usr/move_file | ||
− | + | # Note that the type (-t flag) must exist in the policy | |
− | + | # otherwise the command will fail. | |
</pre> | </pre> | ||
'''The resulting file_contexts.local file would be:''' | '''The resulting file_contexts.local file would be:''' | ||
<pre> | <pre> | ||
− | + | # modules/active/file_contexts.local | |
/usr/move_filesystem_u:object_r:user_t | /usr/move_filesystem_u:object_r:user_t | ||
</pre> | </pre> | ||
+ | == modules/active/interfaces.local File == | ||
+ | This file is created and updated by the semanage interface command to hold network interface information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new interface information is then built into the policy by the '''semanage'''(8) command. | ||
− | + | Each line of the file contains a netifcon statement that is defined along with examples in the [[KernelPolicyLanguage#netifcon | netifcon]] statement section. | |
− | + | ||
− | + | == modules/active/nodes.local File == | |
+ | This file is created and updated by the semanage node command to hold network address information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new node information is then built into the policy by the '''semanage'''(8) command. | ||
− | + | Each line of the file contains a nodecon statement that is defined along with examples in the policy language [[KernelPolicyLanguage#nodecon | nodecon]] statement section. | |
− | + | ||
− | + | == modules/active/ports.local File == | |
+ | This file is created and updated by the semanage port command to hold network port information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new port information is then built into the policy by the '''semanage'''(8) command. | ||
− | + | Each line of the file contains a portcon statement that is defined along with examples in the policy language [[KernelPolicyLanguage#portcon | portcon]] statement section. | |
− | + | ||
− | + | == modules/active/preserve_tunables File == | |
+ | This file will only exist if the policy build specified that tunables should be preserved, if so they would be converted to booleans by the policy build process. | ||
− | == modules Directory Contents == | + | == modules/active/disable_dontaudit File == |
− | This directory contains | + | This file will only exist if the policy build specified that [[KernelPolicyLanguage#dontaudit | dontaudit]] rules should be disabled. |
+ | |||
+ | == modules/active/modules Directory Contents == | ||
+ | This directory contains loadable modules (<nowiki><module_name>.pp</nowiki> or when disabled <tt><nowiki><module_name>.pp.disabled</nowiki></tt>) that have been built by the semodule_package command and placed in the store by the semodule or <tt>semanage module -a</tt> commands as shown in the following example: | ||
<pre> | <pre> | ||
− | + | # Package the module move_file_c: | |
semodule_package -o move_file_c.pp -m move_file_c.mod -f move_file.fc | semodule_package -o move_file_c.pp -m move_file_c.mod -f move_file.fc | ||
− | + | # Then to install it in the store (at /etc/selinux/modular-test/ | |
− | + | # modules/active/modules/move_file_c.pp) and build the binary | |
− | + | # policy file, run the semodule command: | |
semodule -v -s modular-test -i move_file_c.pp | semodule -v -s modular-test -i move_file_c.pp | ||
+ | # Or: | ||
+ | semanage module -a -S modular-test move_file_c.pp | ||
</pre> | </pre> | ||
+ | |||
+ | The modules within the policy store may be compressed or not depending on the value of the <tt>bzip-blocksize</tt> parameter in the [[GlobalConfigurationFiles#/etc/selinux/semanage.conf File | semanage.conf]] file. The modules and their status can be listed using the <tt>semanage module -l</tt> command as shown below. | ||
+ | <pre> | ||
+ | semanage module -l | ||
+ | ext_gateway 1.1.0 | ||
+ | int_gateway 1.1.0 | ||
+ | move_file 1.1.0 | ||
+ | netlabel 1.0.0 Disabled | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | {| style="width: 100%;" border="0" | ||
+ | |- | ||
+ | | [[GlobalConfigurationFiles | '''Previous''']] | ||
+ | | <center>[[NewUsers | '''Home''']]</center> | ||
+ | | <center>[[PolicyConfigurationFiles | '''Next''']]</center> | ||
+ | |} | ||
+ | |||
+ | |||
+ | ---- | ||
+ | <references/> | ||
+ | |||
+ | [[Category:Notebook]] |
Revision as of 14:22, 10 December 2014
Contents
- 1 Policy Store Configuration Files
- 1.1 modules/ Files
- 1.2 modules/active/base.pp File
- 1.3 modules/active/base.linked File
- 1.4 modules/active/commit_num File
- 1.5 modules/active/file_contexts.template File
- 1.6 modules/active/file_contexts File
- 1.7 modules/active/file_contexts.homedirs File
- 1.8 modules/active/netfilter_contexts & netfilter.local File
- 1.9 modules/active/policy.kern File
- 1.10 modules/active/seusers.final and seusers Files
- 1.11 modules/active/users_extra, users_extra.local and users.local Files
- 1.12 modules/active/booleans.local File
- 1.13 modules/active/file_contexts.local File
- 1.14 modules/active/interfaces.local File
- 1.15 modules/active/nodes.local File
- 1.16 modules/active/ports.local File
- 1.17 modules/active/preserve_tunables File
- 1.18 modules/active/disable_dontaudit File
- 1.19 modules/active/modules Directory Contents
Policy Store Configuration Files
Depending on the release being used, policy stores will be located at:
- /etc/selinux/<policy_name>/modules - This is the default for systems that support versions < 2.4 of libsemanage, libsepol, and policycoreutils.
- /var/lib/selinux/<policy_name>/modules - This is the default for systems that support versions >= 2.4 of libsemanage, libsepol, and policycoreutils. The base (/var/lib/selinux) may be overridden by the store-root parameter defined in the semanage.conf file. The migration process from previous releases is described at https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration. Note that once the policy store migration is complete, these files will no longer exist.
Note: There can be multiple policy stores on a system at /etc/selinux/<policy_name>/modules.
The Policy Store files are either installed, updated or built by the semodule(8) and semanage(8) commands as a part of the build process. The resulting files will either be copied over to the Policy Configuration Files area, or used to rebuild the kernel binary policy located at /etc/selinux/<policy_name>/policy.
All files may contain comments; each comment line must start with the '#' symbol.
The command options and outputs shown in the text are based on the current F-20 build.
modules/ Files
The policy store has two lock files that are used by libsemanage for managing the store. Their format is not relevant to policy construction:
semanage.read.LOCK
semanage.trans.LOCK
modules/active/base.pp File
This is the packaged base policy that contains the mandatory modules and policy components such as object classes, permission declarations and initial SIDs.
modules/active/base.linked File
This is only present if the save-linked parameter is set to TRUE as described in the /etc/selinux/semanage.conf section. It contains the modules that have been linked using the semodule_link(8) command.
modules/active/commit_num File
This is a binary file used by libsemanage for managing updates to the store. The format is not relevant to policy construction.
modules/active/file_contexts.template File
This contains a copy of all the modules' 'Labeling Policy File' entries (e.g. the <module_name>.fc files) that have been extracted from the base.pp and the loadable modules in the modules/active/modules directory.
The entries in the file_contexts.template file are then used to build the following files as shown in the File Context Configuration Files diagram:
- homedir_template file that will be used to produce the file_contexts.homedirs file, which will then become the policy's ./contexts/files/file_contexts.homedirs file.
- file_contexts file that will become the policy's file_contexts file.
Note that as part of the semanage build process, these two files will also have file_contexts.bin and file_contexts.homedirs.bin counterparts present in the Policy Configuration Files contexts/files directory. This is because semanage requires these in the Perl compatible regular expression (PCRE) internal format; they are generated by the sefcontext_compile(8) utility.
The homedir_template and file_contexts files are built as follows:
- homedir_template - Any line in the file_contexts.template file that has the keywords HOME_ROOT, HOME_DIR and/or USER is extracted and added to the homedir_template file, because these keywords identify entries associated with a user's home directory area. These lines may also have the ROLE keyword declared.
- The homedir_template file will then be processed by genhomedircon(8)[1] to generate individual SELinux user entries in the file_contexts.homedirs file as discussed in the modules/active/file_contexts.homedirs section.
These are examples of one line being processed as described above, taken from the F-20 targeted policy:
The master file_contexts.template entry:
HOME_DIR\/.wine(/.*)? system_u:object_r:wine_home_t:s0
The homedir_template entry is created as:
HOME_DIR\/.wine(/.*)? system_u:object_r:wine_home_t:s0
The file_contexts.homedirs entries are created by genhomedircon for the SELinux users extracted from the seusers file as follows:
# Home Context for any Linux user that is assigned
# the SELinux user unconfined_u
/home/[^/]*/\.wine(/.*)? unconfined_u:object_r:wine_home_t:s0
# Home Context for user root
/root/\.wine(/.*)? unconfined_u:object_r:wine_home_t:s0
- file_contexts - All other lines are extracted and added to the file_contexts file, as they are files not associated with a user's home directory.
The format of the file_contexts.template file is as follows:
Each line within the file consists of the following:
pathname_regexp [file_type] opt_security_context
Where:
pathname_regexp | An entry that defines the pathname that may be in the form of a regular expression. The metacharacters '^' (match beginning of line) and '$' (match end of line) are automatically added to the expression by the routines that process this file, however they can be over-ridden by using '.*' at either the beginning or end of the expression (see the example file_contexts files below). There are also keywords of HOME_ROOT, HOME_DIR, ROLE and USER that are used by file labeling commands (see the keyword definitions below and the modules/active/homedir_template file section for their usage). |
file_type | One of the following optional file_type entries (note: if blank, it means "all file types"):
'-b' - Block Device
'-c' - Character Device
'-d' - Directory
'-p' - Named Pipe (FIFO)
'-l' - Symbolic Link
'-s' - Socket File
'--' - Ordinary file
By convention this entry is known as 'file type', however it really represents the 'file object class'. |
opt_security_context | This entry can be either: |
Keywords that can be in the file_contexts.template file are:
HOME_ROOT | This keyword is replaced by the GNU / Linux users' root home directory, normally '/home' is the default. |
HOME_DIR | This keyword is replaced by the GNU / Linux user's home directory, normally '/home/' is the default. |
USER | This keyword will be replaced by the user's GNU / Linux user id. |
ROLE | This keyword is replaced by the 'prefix' entry from the users_extra configuration file that corresponds to the SELinux user's user id. Example users_extra configuration file entries are:
user user_u prefix user;
user staff_u prefix staff;
It is used for files and directories within the user's home directory area. The prefix can be added by the semanage login command as follows (note that the -P option is suppressed when help is displayed, as it is generally not used (defaults to user); see http://blog.gmane.org/gmane.linux.redhat.fedora.selinux/month=20110701 for further information):
# Add a Linux user:
adduser rch
# Modify staff_u SELinux user and prefix:
semanage user -m -R staff_r -P staff staff_u
# Associate the SELinux user to the Linux user:
semanage login -a -s staff_u rch
|
Example file_contexts.template contents from targeted policy:
# modules/active/file_contexts.template - These sample entries
# have been taken from the targeted policy and show the
# HOME_DIR, HOME_ROOT and USER keywords whose lines will be
# extracted and added to the homedir_template file that is
# used to manage user home directory entries.
/.* system_u:object_r:default_t:s0
/[^/]+ -- system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
/nsr(/.*)? system_u:object_r:var_t:s0
/sys(/.*)? system_u:object_r:sysfs_t:s0
...
/etc/ntop.* system_u:object_r:ntop_etc_t:s0
HOME_DIR/.+ system_u:object_r:user_home_t:s0
/dev/dri/.+ -c system_u:object_r:dri_device_t:s0
...
/tmp/gconfd-USER -d system_u:object_r:user_tmp_t:s0
...
/tmp/gconfd-USER/.* -- system_u:object_r:gconf_tmp_t:s0
...
HOME_ROOT/\.journal <<none>>
modules/active/file_contexts File
This file becomes the policy's contexts/files/file_contexts file and is built from entries in the modules/active/file_contexts.template file as explained above and shown in the File Context Configuration Files diagram. It is then used by the file labeling utilities to ensure that files and directories are labeled according to the policy.
The format of the file_contexts file is the same as the modules/active/file_contexts.template file.
The USER keyword is replaced by the user's GNU / Linux user id when the file labeling utilities are run.
Example file_contexts contents:
# modules/active/file_contexts - These sample entries have
# been taken from the targeted policy.
# The keywords HOME_DIR, HOME_ROOT, USER and ROLE have been
# removed and put in the homedir_template file.
/.* system_u:object_r:default_t:s0
/[^/]+ -- system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
/nsr(/.*)? system_u:object_r:var_t:s0
/sys(/.*)? system_u:object_r:sysfs_t:s0
/xen(/.*)? system_u:object_r:xen_image_t:s0
/mnt(/[^/]*) -l system_u:object_r:mnt_t:s0
/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s0
/bin/.* system_u:object_r:bin_t:s0
/dev/.* system_u:object_r:device_t:s0
/usr/.* system_u:object_r:usr_t:s0
/var/.* system_u:object_r:var_t:s0
/run/.* system_u:object_r:var_run_t:s0
/srv/.* system_u:object_r:var_t:s0
/tmp/.* <<none>>
# contexts/files/file_contexts - Sample entries from the MLS reference policy.
# Notes:
# 1) The fixed_disk_device_t is labeled SystemHigh (s15:c0.c255)
# as it needs to be trusted. Also some logs and configuration
# files are labeled SystemHigh as they contain sensitive
# information used by trusted applications.
#
# 2) Some directories (e.g. /tmp) are labeled
# SystemLow-SystemHigh (s0-s15:c0.c255) as they will
# support polyinstantiated directories.
/.* system_u:object_r:default_t:s0
/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
/mnt(/[^/]*) -l system_u:object_r:mnt_t:s0
/mnt/[^/]*/.* <<none>>
/dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0
/dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0
/dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t:s0
/dev/(raw/)?rawctl -c system_u:object_r:fixed_disk_device_t:s15:c0.c255
/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255
/dev/pts -d system_u:object_r:devpts_t:s0-s15:c0.c255
/var/log -d system_u:object_r:var_log_t:s0-s15:c0.c255
/var/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255
/var/run -d system_u:object_r:var_run_t:s0-s15:c0.c255
/usr/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255
modules/active/homedir_template File
This file is built from entries in the file_contexts.template file (as shown in the File Context Configuration Files diagram, http://taiga.selinuxproject.org/~rhaines/NB4-diagrams/25-file_contexts.png) and explained in the modules/active/file_contexts.template section. The file is used by genhomedircon, semanage login or semanage user to generate individual user entries in the file_contexts.homedirs file. The homedir_template file has the same per line format as the modules/active/file_contexts.template file.
Example file contents:
# modules/active/homedir_template - These sample entries have
# been taken from the targeted policy and show the
# HOME_DIR, HOME_ROOT and USER keywords that are used to manage
# users home directories:
HOME_DIR/.+ system_u:object_r:user_home_t:s0
/tmp/gconfd-USER -d system_u:object_r:user_tmp_t:s0
/tmp/gconfd-USER/.* -- system_u:object_r:gconf_tmp_t:s0
HOME_ROOT/\.journal <<none>>
modules/active/file_contexts.homedirs File
This file becomes the policy's contexts/files/file_contexts.homedirs file when building policy as shown in the File Context Configuration Files diagram. It is then used by the file labeling utilities to ensure that users' home directory areas are labeled according to the policy.
The file can be built by the genhomedircon command (which just calls /usr/sbin/semodule -Bn), or when using semanage with the user or login options to manage users, where it is called automatically as it is now a libsepol library function.
The file_contexts.homedirs file has the same per line format as the modules/active/file_contexts.template file, however the HOME_DIR, HOME_ROOT, ROLE and USER keywords will be replaced as explained in the keyword definitions section above.
Example file_contexts.homedirs contents:
# modules/active/file_contexts.homedirs - These sample entries
# have been taken from the targeted policy and show that
# the HOME_DIR, HOME_ROOT and USER keywords have been replaced
# by entries as explained above.
#
# Home Context for the default user (unconfined_u)
/home/[^/]*/.+ unconfined_u:object_r:user_home_t:s0
/home/[^/]*/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0
...
/tmp/gconfd-.*/.* -- unconfined_u:object_r:gconf_tmp_t:s0
/tmp/gconfd-.* -d unconfined_u:object_r:user_tmp_t:s0
# Home Context for user rch
/home/rch/.+ staff_u:object_r:user_home_t:s0
/home/rch/.maildir(/.*)? staff_u:object_r:mail_home_rw_t:s0
...
/tmp/gconfd-rch/.* -- staff_u:object_r:gconf_tmp_t:s0
/tmp/gconfd-rch -d staff_u:object_r:user_tmp_t:s0
# Home Context for user root
/root/.+ unconfined_u:object_r:user_home_t:s0
/root/.maildir(/.*)? unconfined_u:object_r:mail_home_rw_t:s0
...
/tmp/gconfd-root/.* -- unconfined_u:object_r:gconf_tmp_t:s0
/tmp/gconfd-root -d unconfined_u:object_r:user_tmp_t:s0
modules/active/netfilter_contexts & netfilter.local File
These files are not used at present. There is code in the Reference Policy to produce a netfilter_contexts file for use by the GNU/Linux iptables service[2] that would generate a file similar to the example below, however there seems to be much debate on how they should be managed (see bug 201573 - Secmark iptables integration for details).
modules/active/policy.kern File
This is the binary policy file built by either the semanage(8) or semodule(8) commands (depending on the configuration action), that then becomes the binary policy to be loaded into the kernel.
modules/active/seusers.final and seusers Files
The seusers.final file maps GNU / Linux users to SELinux users and becomes the policy's seusers[3] file as discussed in the seusers section. The seusers.final file is built or modified when:
- Building a policy where an optional seusers file has been included in the base package via the semodule_package(8) command (signified by the -s flag) as follows[4]:
semodule_package -o base.pp -m base.mod -s seusers ...
The seusers file would be extracted by the subsequent semodule command when building the policy to produce the seusers.final file.
- The semanage login command is used to map GNU / Linux users to SELinux users as follows:
semanage login -a -s staff_u rch
This action will update the seusers file that would then be used to produce the seusers.final file with both policy and locally defined user mapping.
It is also possible to associate a GNU / Linux group of users to an SELinux user as follows:
semanage login -a -s staff_u %staff_group
The format of the seusers.final & seusers files is as follows:
[%]user_id:seuser_id[:range]
Where:
user_id | The GNU / Linux user identity. If this is a GNU / Linux group_id then it will be preceded with the '%' sign as shown in the example below. |
seuser_id | The SELinux user identity. |
range | The optional level or range. |
Example seusers.final file contents:
# modules/active/seusers.final
system_u:system_u
root:root
__default__:user_u
Example semanage login command to add a GNU / Linux user mapping:
# This command will add the rch:user_u entry in the seusers file:
semanage login -a -s user_u rch
The resulting seusers file would be:
# modules/active/seusers
rch:user_u
The seusers.final file that will become the ./<policy_name>/seusers file is as follows:
# /modules/active/seusers.final
system_u:system_u
root:root
__default__:user_u
rch:user_u
Example semanage login command to add a GNU / Linux group mapping:
# This command will add the %user_group:user_u entry in the seusers file:
semanage login -a -s user_u %user_group
The resulting seusers file would be:
# /modules/active/seusers
rch:user_u
%user_group:user_u
The seusers.final file that will become the ./<policy_name>/seusers file is as follows:
# modules/active/seusers.final
system_u:system_u
root:root
__default__:user_u
rch:user_u
%user_group:user_u
modules/active/users_extra, users_extra.local and users.local Files
These three files work together to describe SELinux user information as follows:
- The users_extra and users_extra.local files are used to map a prefix to users' home directories as discussed in the modules/active/file_contexts.template file section, where it is used to replace the ROLE keyword. The prefix is linked to an SELinux user id and should reflect the user's role. The semanage user command will allow a prefix to be added via the -P flag (although this is no longer used by policies, as discussed in the modules/active/file_contexts.template file section).
The users_extra file contains all the policy prefix entries, and the users_extra.local file contains those generated by the semanage user command.
The users_extra file can optionally be included in the base package via the semodule_package(8) command (signified by the -u flag) as follows[5]:
semodule_package -o base.pp -m base.mod -u users_extra ...
The users_extra file would then be extracted by a subsequent semodule command when building the policy.
- The users.local file is used to add new SELinux users to the policy without editing the policy source itself (with each line in the file following the policy language user statement syntax). This is useful when only the Reference Policy headers are installed and additional users need to be added. The semanage user command will allow a new SELinux user to be added, which generates the users.local file, and if a -P flag has been specified then a users_extra.local file is also updated (note: if this is a new SELinux user and a prefix is not specified, a default prefix of user is generated).
The sections that follow will:
- Define the format and show example users_extra and users_extra.local files.
- Execute a semanage user command that will add a new SELinux user and associated prefix, and show the resulting users_extra, users_extra.local and users.local files.
Note that each line of the users.local file contains a user statement that is defined in the policy language user statement section, and will be built into the policy via the semanage command.
The format of the users_extra & users_extra.local files is as follows:
user seuser_id prefix prefix_id;
Where:
user | The user keyword. |
seuser_id | The SELinux user identity. |
prefix | The prefix keyword. |
prefix_id | An identifier that will be used to replace the ROLE keyword within the modules/active/homedir_template file when building the ./modules/active/file_contexts.homedirs file for the relabeling utilities to set the security context on users home directories. |
Example users_extra file contents:
# modules/active/users_extra entries, note that the
# users_extra.local file contents are similar and generated by
# the semanage user command.
user user_u prefix user;
user staff_u prefix user;
user sysadm_u prefix user;
user root prefix user;
Example semanage user command to add a new SELinux user:
# This command will add the user test_u prefix staff entry in
# the users_extra.local file:
semanage user -a -R staff_r -P staff test_u
The resulting users_extra.local file is as follows:
# modules/active/users_extra.local
user test_u prefix staff;
The resulting users_extra file is as follows:
# modules/active/users_extra
user user_u prefix user;
user staff_u prefix user;
user sysadm_u prefix user;
user root prefix user;
user test_u prefix staff;
The resulting users.local file is as follows:
# modules/active/users.local file entry:
user test_u roles { staff_r } level s0 range s0;
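As an added worked example (not code from this page, from libsemanage or from genhomedircon), the following Python pulls together the file_contexts.template keyword rules, the seusers mapping and the users_extra prefix format described above: it splits a constructed template into homedir_template and file_contexts, expands homedir_template into file_contexts.homedirs for each SELinux user in seusers (substituting HOME_ROOT, HOME_DIR, USER and ROLE and setting the context's user field), and looks up labels using the implicit '^'/'$' anchoring. The sample files, the HOME_DIRS stand-in for the /etc/passwd lookup and the ROLE_home_t template line are constructed assumptions.

```python
import re
from collections import namedtuple

# One parsed 'pathname_regexp [file_type] opt_security_context' line.
FcEntry = namedtuple("FcEntry", "regexp ftype context")
# A line carrying any of these keywords is a home-directory entry.
HOMEDIR_KEYWORDS = ("HOME_ROOT", "HOME_DIR", "USER")

# Constructed sample inputs modelled on the page's targeted-policy excerpts;
# the ROLE_home_t line is invented here to exercise the ROLE keyword.
FILE_CONTEXTS_TEMPLATE = """\
/.*                        system_u:object_r:default_t:s0
/dev/dri/.+           -c   system_u:object_r:dri_device_t:s0
HOME_DIR/.+                system_u:object_r:user_home_t:s0
HOME_DIR\\/.wine(/.*)?      system_u:object_r:wine_home_t:s0
HOME_DIR/\\.config(/.*)?    system_u:object_r:ROLE_home_t:s0
/tmp/gconfd-USER      -d   system_u:object_r:user_tmp_t:s0
HOME_ROOT/\\.journal        <<none>>
"""
SEUSERS = """\
# constructed seusers: [%]user_id:seuser_id[:range]
system_u:system_u
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
rch:staff_u:s0
"""
USERS_EXTRA = """\
user unconfined_u prefix user;
user staff_u prefix staff;
"""
# Stand-in for the /etc/passwd lookup genhomedircon performs (assumption).
HOME_DIRS = {"root": "/root", "rch": "/home/rch"}


def parse_fc_line(line):
    """Parse one file_contexts-format line; None for blank and '#' lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) == 3:
        return FcEntry(*fields)
    if len(fields) == 2:  # blank file_type means "all file types"
        return FcEntry(fields[0], None, fields[1])
    raise ValueError("malformed file_contexts line: %r" % line)


def split_template(text):
    """Lines with HOME_ROOT, HOME_DIR or USER go to homedir_template,
    everything else to file_contexts (the semanage build split)."""
    homedir, others = [], []
    for entry in filter(None, map(parse_fc_line, text.splitlines())):
        is_home = any(k in entry.regexp for k in HOMEDIR_KEYWORDS)
        (homedir if is_home else others).append(entry)
    return homedir, others


def parse_seusers(text):
    """'[%]user_id:seuser_id[:range]' -> {user_id: seuser_id}; range dropped."""
    rows = [l.strip().split(":") for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]
    return {r[0]: r[1] for r in rows}


def parse_users_extra(text):
    """'user seuser_id prefix prefix_id;' -> {seuser_id: prefix_id}."""
    return dict(re.findall(r"^\s*user\s+(\S+)\s+prefix\s+(\S+)\s*;", text, re.M))


def expand_homedirs(homedir_template, seusers, prefixes, home_dirs):
    """Generate file_contexts.homedirs entries per SELinux user: substitute
    HOME_ROOT, HOME_DIR, USER and ROLE and set the context's user field to
    that SELinux user.  system_u gets no home directory entries."""
    result = []
    for linux_user, seuser in seusers.items():
        if seuser == "system_u":
            continue
        if linux_user == "__default__":  # any Linux user without its own mapping
            home_dir, user_re = "/home/[^/]*", ".*"
        else:
            home_dir, user_re = home_dirs[linux_user], re.escape(linux_user)
        role = prefixes.get(seuser, "user")  # page: default prefix is 'user'
        for e in homedir_template:
            regexp = (e.regexp.replace("HOME_ROOT", "/home")
                      .replace("HOME_DIR", home_dir)
                      .replace("USER", user_re).replace("ROLE", role))
            context = e.context.replace("ROLE", role)
            if context != "<<none>>":
                context = seuser + context[context.index(":"):]
            result.append(FcEntry(regexp, e.ftype, context))
    return result


HOMEDIR_TEMPLATE, FILE_CONTEXTS = split_template(FILE_CONTEXTS_TEMPLATE)
FILE_CONTEXTS_HOMEDIRS = expand_homedirs(
    HOMEDIR_TEMPLATE, parse_seusers(SEUSERS), parse_users_extra(USERS_EXTRA), HOME_DIRS)


def lookup(path):
    """Simplified label lookup: regexps are implicitly anchored with ^ and $ (as
    the page notes) and the last match wins, so the homedirs entries appended
    after file_contexts take precedence.  File-type flags and libselinux stem
    sorting are ignored.  None means <<none>> or no match."""
    context = None
    for e in FILE_CONTEXTS + FILE_CONTEXTS_HOMEDIRS:
        if re.fullmatch(e.regexp, path):
            context = None if e.context == "<<none>>" else e.context
    return context
```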
modules/active/booleans.local File
This file is created and updated by the semanage boolean command and holds boolean values as requested.
Example semanage boolean command to modify a boolean value:
# This command will add an entry in the booleans.local
# file and set the boolean value to 'off':
semanage boolean -m -0 ext_gateway_audit
The resulting booleans.local file would be:
# modules/active/booleans.local
ext_gateway_audit=0
modules/active/file_contexts.local File
This file is created and updated by the semanage fcontext command. It is used to hold file context information on files and directories that were not delivered by the core policy (i.e. they are not defined in any of the *.fc files delivered in the base and loadable modules).
The semanage command will add the information to the policy store's file_contexts.local file and then copy this file to the ./contexts/files/file_contexts.local file, where it will be used when the file context utilities are run.
The format of the file_contexts.local file is the same as the modules/active/file_contexts.template file.
Example semanage fcontext command to add a new entry:
# This command will add an entry in the file_contexts.local file:
semanage fcontext -a -t user_t /usr/move_file
# Note that the type (-t flag) must exist in the policy
# otherwise the command will fail.
The resulting file_contexts.local file would be:
# modules/active/file_contexts.local
/usr/move_file system_u:object_r:user_t
modules/active/interfaces.local File
This file is created and updated by the semanage interface command to hold network interface information that was not delivered by the core policy (i.e. interfaces not defined in the base.conf file). The new interface information is then built into the policy by the semanage(8) command.
Each line of the file contains a netifcon statement that is defined along with examples in the netifcon statement section.
modules/active/nodes.local File
This file is created and updated by the semanage node command to hold network address information that was not delivered by the core policy (i.e. nodes not defined in the base.conf file). The new node information is then built into the policy by the semanage(8) command.
Each line of the file contains a nodecon statement that is defined along with examples in the policy language nodecon statement section.
=== modules/active/ports.local File ===
This file is created and updated by the semanage port command to hold network port information that was not delivered by the core policy (i.e. ports that are not defined in the base.conf file). The new port information is then built into the policy by the '''semanage'''(8) command.
Each line of the file contains a portcon statement that is defined along with examples in the policy language portcon statement section.
=== modules/active/preserve_tunables File ===
This file will only exist if the policy build specified that tunables should be preserved; if so, they will be converted to booleans by the policy build process.
=== modules/active/disable_dontaudit File ===
This file will only exist if the policy build specified that dontaudit rules should be disabled.
=== modules/active/modules Directory Contents ===
This directory contains loadable modules (<tt><nowiki><module_name>.pp</nowiki></tt>, or <tt><nowiki><module_name>.pp.disabled</nowiki></tt> when disabled) that have been built by the '''semodule_package'''(8) command and placed in the store by the '''semodule'''(8) or semanage module -a commands, as shown in the following example:
<pre>
# Package the module move_file_c:
semodule_package -o move_file_c.pp -m move_file_c.mod -f move_file.fc

# Then to install it in the store (at /etc/selinux/modular-test/
# modules/active/modules/move_file_c.pp) and build the binary
# policy file, run the semodule command:
semodule -v -s modular-test -i move_file_c.pp

# Or:
semanage module -a -S modular-test move_file_c.pp
</pre>
The modules within the policy store may be compressed or not, depending on the value of the bzip-blocksize parameter in the semanage.conf file. The modules and their status can be listed using the semanage module -l command as shown below:
<pre>
semanage module -l
ext_gateway    1.1.0
int_gateway    1.1.0
move_file      1.1.0
netlabel       1.0.0    Disabled
</pre>