Difference between revisions of "PolicyConfigurationFiles"
(→contexts/initrc_context File)
Line 1: | Line 1: | ||
= Policy Configuration Files = | = Policy Configuration Files = | ||
Each file discussed in this section is relative to the policy name as follows: | Each file discussed in this section is relative to the policy name as follows: | ||
+ | <pre> | ||
+ | /etc/selinux/<policy_name> | ||
+ | </pre> | ||
+ | The majority of files are installed by the Reference Policy, '''semanage'''(8) or '''semodule'''(8) commands. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example the simple monolithic policy described in the Notebook source tarball could run at init 3 (i.e. no X-Windows) and only require the following configuration files: | ||
+ | : policy/policy.29 - The binary policy loaded into the kernel. | ||
+ | : context/files/file_contexts - To allow the filesystem to be relabeled. | ||
− | + | If the simple policy is to run at init 5, (i.e. with X-Windows) then an additional two files are required: | |
− | + | : context/dbus_contexts - To allow the dbus messaging service to run under SELinux. | |
− | + | : context/x_contexts - To allow the X-Windows service to run under SELinux (or XSELinux could be disabled as discussed in the [[NB_XWIN | SELinux X-Windows Support]] section. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | If the simple policy is to run at init 5, (i.e. with X-Windows) then an additional | + | |
− | + | ||
− | + | ||
== seusers File == | == seusers File == | ||
− | + | The <tt>'''seusers'''(5)</tt> file is used by login programs (normally via the <tt>libselinux</tt> library) and maps GNU / Linux users (as defined in the <tt>user</tt> / <tt>passwd</tt> files) to SELinux users (defined in the policy). A typical login sequence would be: | |
− | + | ||
* Using the GNU / Linux user_id, lookup the seuser_id from this file. If an entry cannot be found, then use the __default__ entry. | * Using the GNU / Linux user_id, lookup the seuser_id from this file. If an entry cannot be found, then use the __default__ entry. | ||
− | * To determine the remaining context to be used as the security context, read the <nowiki> | + | * To determine the remaining context to be used as the security context, read the <nowiki>contexts/users/[seuser_id]</nowiki> file file. If this file is not present, then: |
− | + | * Check for a default context in the [[#contexts/default_contexts | contexts/default_contexts]] file. If no default context is found, then: | |
− | + | * Read the [[#contexts/failsafe_context | contexts/failsafe_context]] file to allow a fail safe context to be set. | |
Note: The system_u user is defined in this file, however there must be '''no''' system_u GNU / Linux user configured on the system. | Note: The system_u user is defined in this file, however there must be '''no''' system_u GNU / Linux user configured on the system. | ||
− | The format of the seusers file is the same as the files described in the | + | The format of the seusers file is the same as the files described in the [[PolicyStoreConfigurationFiles#modules/active/seusers.final_and_seusers | modules/active/seusers.final]] section, where an example semanage user command is also shown. |
'''Example seusers file contents:''' | '''Example seusers file contents:''' | ||
<pre> | <pre> | ||
− | + | # seusers file for non-MCS/MLS systems. | |
system_u:system_u | system_u:system_u | ||
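Review bot: the parenthesis opened in the new x_contexts bullet ("(or XSELinux could be disabled as discussed in the [[NB_XWIN | SELinux X-Windows Support]] section.") is never closed; add ")" before the final full stop. The added file list also names the directory "context/" ("context/files/file_contexts", "context/dbus_contexts", "context/x_contexts") while every section heading below uses "contexts/" (e.g. "== contexts/dbus_contexts File =="), so those paths should read "contexts/...". In the seusers login sequence, the second bullet now says "read the contexts/users/[seuser_id] file file"; drop the doubled word.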
Line 36: | Line 33: | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
− | + | # seusers file for an MLS system. Note that the system_u user | |
− | + | # has access to all security levels and therefore should not be | |
− | + | # configured as a valid GNU / Linux user. | |
system_u:system_u:s0-s15:c0.c255 | system_u:system_u:s0-s15:c0.c255 | ||
Line 52: | Line 49: | ||
</pre> | </pre> | ||
+ | == booleans and booleans.local File == | ||
+ | Generally these <tt>'''booleans'''(5)</tt> files are not present if <tt>'''semanage'''(8)</tt> is being used to manage booleans (see the modules/active/booleans.local File section). However if <tt>semanage</tt> is not being used or there is an SELinux-aware application that uses the <tt>libselinux</tt> functions listed below, then these files may be present (they could also be present in older Reference policies): | ||
+ | : <tt>'''security_set_boolean_list'''(3)</tt> - Writes a <tt>boolean.local</tt> file if flag <tt>permanent</tt> = '<tt>1</tt>'. | ||
+ | : <tt>'''security_load_booleans'''(3)</tt> - Will look for a <tt>booleans</tt> or <tt>booleans.local</tt> file here unless a specific path is specified. | ||
+ | |||
+ | Both files have the same format and contain one or more boolean names. The format is: | ||
+ | <pre> | ||
+ | boolean_name value | ||
+ | </pre> | ||
+ | |||
+ | '''Where:''' | ||
+ | |||
+ | {| border="1" | ||
+ | | boolean_name | ||
+ | | The name of the boolean. | ||
+ | |||
+ | |- | ||
+ | | value | ||
+ | | The default setting for the boolean that can be one of the following: | ||
+ | |||
+ | true | false | 1 | 0 | ||
+ | |||
+ | |} | ||
+ | |||
+ | |||
+ | Note that if <tt>SETLOCALDEFS</tt> is set in the SELinux [[GlobalConfigurationFiles#/etc/selinux/config File | config]] file, then <tt>'''selinux_mkload_policy'''(3)</tt> will check for a <tt>booleans.local</tt> file in the <tt>'''selinux_booleans_path'''(3)</tt>, and also a <tt>local.users</tt> file in the <tt>'''selinux_users_path'''(3)</tt>. | ||
+ | |||
+ | == booleans.subs_dist File == | ||
+ | The <tt>booleans.subs_dist</tt> file (if present) will allow new boolean names to be allocated to those in the active policy. This file was added because many older booleans began with 'allow' that made it difficult to determine what they did. For example the boolean <tt>allow_console_login</tt> becomes more descriptive as <tt>login_console_enabled</tt>. If the <tt>booleans.subs_dist</tt> file is present, then either name maybe used. <tt>'''selinux_booleans_subs_path'''(3)</tt> will return the active policy path to this file and <tt>'''selinux_boolean_sub'''(3)</tt> will will return the translated name. | ||
+ | |||
+ | Each line within the substitution file <tt>booleans.subs_dist</tt> is: | ||
+ | <pre> | ||
+ | policy_bool_name new_name | ||
+ | </pre> | ||
+ | |||
+ | '''Where:''' | ||
+ | : policy_bool_name | ||
+ | :: The policy boolean name. | ||
+ | : new_name | ||
+ | :: The new boolean name. | ||
+ | |||
+ | '''Example:''' | ||
+ | <pre> | ||
+ | # booleans.subs_dist | ||
+ | |||
+ | # policy_bool_name new_name | ||
+ | allow_auditadm_exec_content auditadm_exec_content | ||
+ | allow_console_login login_console_enabled | ||
+ | allow_cvs_read_shadow cvs_read_shadow | ||
+ | allow_daemons_dump_core daemons_dump_core | ||
+ | </pre> | ||
+ | |||
+ | When <tt>'''security_get_boolean_names'''(3)</tt> or <tt>'''security_set_boolean'''(3)</tt> is called with a boolean name and the <tt>booleans.subs_dist</tt> file is present, the name will be looked up and if using the <tt>new_name</tt>, then the <tt>policy_bool_name</tt> will be used (as that is what is defined in the active policy). | ||
+ | |||
+ | '''Supporting libselinux API functions are:''' | ||
+ | <pre> | ||
+ | selinux_booleans_subs_path | ||
+ | selinux_booleans_sub | ||
+ | security_get_boolean_names | ||
+ | security_set_boolean | ||
+ | </pre> | ||
== setrans.conf File == | == setrans.conf File == | ||
− | + | The <tt>'''setrans.conf'''(8)</tt> file is used by the '''mcstransd'''(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels. | |
There are a number of sample configuration files within the <tt>mcstrans</tt> package that describe the configuration options in detail that are located at <tt>/usr/share/mcstrans/examples</tt>. | There are a number of sample configuration files within the <tt>mcstrans</tt> package that describe the configuration options in detail that are located at <tt>/usr/share/mcstrans/examples</tt>. | ||
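Review bot: the security_set_boolean_list(3) entry says it "Writes a boolean.local file", but the file this section documents, and the one security_load_booleans(3) looks for on the very next line, is booleans.local; fix the name. In the booleans.subs_dist paragraph, "either name maybe used" should be "may be used" and "will will return" has a doubled word; that paragraph also names selinux_boolean_sub(3) while the API list at the end of the section says "selinux_booleans_sub", so the two should agree (libselinux exports selinux_boolean_sub). The plain-text reference "(see the modules/active/booleans.local File section)" would be more useful as a link into PolicyStoreConfigurationFiles, as the seusers section already does for modules/active/seusers.final.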
Line 65: | Line 123: | ||
</pre> | </pre> | ||
− | The | + | This file will also support the display of information in colour. The configuration file that controls this is called <tt>secolor.conf</tt> and is described in the [[#secolor.conf File | secolor.conf]] section. |
− | + | The file format is described in <tt>'''setrans.conf'''(8)</tt> with the following giving an overview: | |
− | + | ||
− | ''' | + | |
− | + | ||
− | + | ||
<pre> | <pre> | ||
− | |||
− | |||
# Syntax | # Syntax | ||
Line 135: | Line 187: | ||
Include=PATH | Include=PATH | ||
Include=PATH | Include=PATH | ||
− | < | + | <pre> |
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | # | + | # setrans.conf |
# | # | ||
# Multi-Level Security translation table for SELinux | # Multi-Level Security translation table for SELinux | ||
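Review bot: the tag that closes the setrans.conf syntax block is wrong: the line after the two "Include=PATH" lines was changed to "<pre>" but it must be "</pre>", because "'''Example file contents:'''" and a fresh "<pre>" follow it. As committed, the syntax block is never closed and the example heading renders inside it.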
Line 168: | Line 220: | ||
s2:c1-s15:c0.c1023=Secret:B-SystemHigh | s2:c1-s15:c0.c1023=Secret:B-SystemHigh | ||
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh | s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> | ||
Line 193: | Line 228: | ||
selinux_trans_to_raw_context | selinux_trans_to_raw_context | ||
</pre> | </pre> | ||
− | |||
== secolor.conf File == | == secolor.conf File == | ||
− | + | The '''secolor.conf'''(5) file controls the colour to be associated to the components of a context when information is displayed by an SELinux colour-aware application (currently none, although there are two examples in the Notebook source tarball under the <tt>libselinux/examples</tt> directory). The file format is as follows: | |
<pre> | <pre> | ||
− | color color_name = color_mask | + | color color_name = #color_mask |
− | + | context_component string fg_color_name bg_color_name | |
</pre> | </pre> | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
| color | | color | ||
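Review bot: in the new secolor.conf paragraph, "the colour to be associated to the components of a context" should be "associated with the components".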
Line 214: | Line 249: | ||
|- | |- | ||
| color_mask | | color_mask | ||
− | | A colour mask starting with a hash (<tt>#</tt>) that describes the | + | | A colour mask starting with a hash (<tt><nowiki>#</nowiki></tt>) that describes the RGB colours with black being <tt><nowiki>#000000</nowiki></tt> and white being <tt><nowiki>#ffffff</nowiki></tt>. |
|- | |- | ||
− | | | + | | context_component |
− | | The colour translation supports different colours on the context string components (<tt>user</tt>, <tt>role</tt>, <tt>type</tt> and <tt>range | + | | The colour translation supports different colours on the context string components (<tt>user</tt>, <tt>role</tt>, <tt>type</tt> and <tt>range</tt>). Each component is on a separate line. |
|- | |- | ||
| string | | string | ||
− | | This is | + | | This is the context_component string that will be matched with the <tt>raw</tt> context component passed by <tt>'''selinux_raw_context_to_color'''(3)</tt> |
+ | |||
+ | A wildcard '<tt>'''<nowiki>*</nowiki>'''</tt>' may be used to match any undefined <tt>string</tt> for the <tt>user</tt>, <tt>role</tt> and <tt>type context_component</tt> entries only | ||
+ | |||
+ | A wildcard '<tt>'''<nowiki>*</nowiki>'''</tt>' may be used to match any undefined <tt>string</tt> for the <tt>user</tt>, <tt>role</tt> and <tt>type context_component</tt> entries only. | ||
|- | |- | ||
− | | | + | | fg_color_name |
| The <tt>color_name</tt> string that will be used as the foreground colour. | | The <tt>color_name</tt> string that will be used as the foreground colour. | ||
+ | |||
+ | A <tt>color_mask</tt> may also be used. | ||
|- | |- | ||
− | | | + | | bg_color_name |
| The <tt>color_name</tt> string that will be used as the background colour. | | The <tt>color_name</tt> string that will be used as the background colour. | ||
+ | |||
+ | A <tt>color_mask</tt> may also be used. | ||
|} | |} | ||
Line 246: | Line 289: | ||
color tan = #D2B48C | color tan = #D2B48C | ||
− | user * = black | + | user * = black white |
role * = white black | role * = white black | ||
type * = tan orange | type * = tan orange | ||
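Review bot: the string row of the secolor.conf table now carries the wildcard sentence twice ("A wildcard '*' may be used to match any undefined string for the user, role and type context_component entries only"), once without and once with a full stop; keep a single copy. The table and the example lines ("user * = black white", "role * = white black", "type * = tan orange") are otherwise consistent with each other.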
Line 263: | Line 306: | ||
selinux_raw_context_to_color - this call returns the foreground | selinux_raw_context_to_color - this call returns the foreground | ||
and background colours of the context string as the specified | and background colours of the context string as the specified | ||
− | 'color' hex digits as follows: | + | RGB 'color' hex digits as follows: |
− | + | user : role : type : range | |
− | #000000 # | + | #000000 #ffffff #ffffff #000000 #d2b48c #ffa500 #000000 #008000 |
− | black | + | black white white black tan orange black green |
</pre> | </pre> | ||
− | == policy/policy. | + | == policy/policy.<ver> File == |
− | This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. Life is too short to describe the format but the libsepol source could be used as a reference or for an overview the [http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/ SELinux Policy Module Primer] notes. | + | This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. Life is too short to describe the format but the libsepol source could be used as a reference or for an overview the "[http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/ SELinux Policy Module Primer]" notes. |
− | + | By convention the file name extension is the policy database version used to build the policy, however is is not mandatory as the true version is built into the policy file. The different policy versions are discussed in the [[NB_PolicyType#Policy_Versions | Policy Versions]] section. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | The different versions are discussed in the Policy Versions section. | + | |
== contexts/customizable_types File == | == contexts/customizable_types File == | ||
− | + | The '''customizable_types'''(5) file contains a list of types that will not be relabeled by the '''setfiles'''(8) or '''restorecon'''(8) commands. The commands check this file before relabeling and excludes those in the list unless the -F flag is used (see the man pages). | |
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
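Review bot: in the policy/policy.<ver> paragraph, "however is is not mandatory" should read "however it is not mandatory". In the customizable_types paragraph, "The commands check this file before relabeling and excludes those in the list" has a subject/verb mismatch (the commands ... exclude), and "-F flag" would be clearer in <tt> like the other flag and file names on the page.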
Line 289: | Line 326: | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | + | | type | |
− | + | | The type defined in the policy that needs to excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work. | |
|} | |} | ||
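Review bot: the type row reads "that needs to excluded from relabeling"; it should be "needs to be excluded".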
Line 298: | Line 336: | ||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/customizable_types | |
− | + | ||
mount_loopback_t | mount_loopback_t | ||
public_content_rw_t | public_content_rw_t | ||
Line 316: | Line 353: | ||
== contexts/default_contexts File == | == contexts/default_contexts File == | ||
− | + | The '''default_contexts'''(5) file is used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where: | |
# The GNU / Linux user identity should be known by the application. | # The GNU / Linux user identity should be known by the application. | ||
− | # If a login application, then the SELinux user (seuser), would have been determined as described in the seusers file section. | + | # If a login application, then the SELinux user (seuser), would have been determined as described in the [[#seusers | seusers]] file section. |
− | # The login applications will check the <nowiki> | + | # The login applications will check the <nowiki>contexts/users/[seuser_id]</nowiki>] file first and if no valid entry, will then look in the <nowiki>[seuser_id]</nowiki> file for a default context to use. |
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
<pre> | <pre> | ||
− | role:type | + | role:type[:range] role:type[:range] ... |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
</pre> | </pre> | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | | | + | | <nowiki>role:type[:range]</nowiki> |
− | + | | The file contains one or more lines that consist of <nowiki>role:type[:range]</nowiki> pairs (including the MLS / MCS level or range if applicable). | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | The entry at the start of a new line corresponds to the partial <nowiki>role:type[:range]</nowiki> context of (generally) the login application. | ||
− | + | The other <nowiki>role:type[:range]</nowiki> entries on that line represent an ordered list of valid contexts that may be used to set the users context. | |
|} | |} | ||
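Review bot: the third numbered item has a stray "]" after the closing nowiki tag ("<nowiki>contexts/users/[seuser_id]</nowiki>]"), and its fallback is wrong: it says the login application "will then look in the [seuser_id] file for a default context", but per the seusers section above the fallback after contexts/users/[seuser_id] is the contexts/default_contexts file (then failsafe_context), which is the file this section documents. The new link "[[#seusers | seusers]]" also targets an anchor that does not match the heading "== seusers File ==" (the anchor would be #seusers_File); the other "#contexts/..." links on the page that omit " File" have the same problem.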
Line 352: | Line 379: | ||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/default_contexts | |
− | + | ||
− | + | ||
− | + | system_r:crond_t:s0 system_r:system_crond_t:s0 | |
− | + | system_r:local_login_t:s0 user_r:user_t:s0 | |
− | + | system_r:remote_login_t:s0 user_r:user_t:s0 | |
− | + | system_r:sshd_t:s0 user_r:user_t:s0 | |
− | + | system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 | |
− | + | system_r:xdm_t:s0 user_r:user_t:s0 | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | system_r:crond_t:s0 | + | |
− | system_r:local_login_t:s0 | + | |
− | system_r:remote_login_t:s0 | + | |
− | system_r:sshd_t:s0 | + | |
− | system_r:sulogin_t:s0 | + | |
− | system_r:xdm_t:s0 | + | |
</pre> | </pre> | ||
'''Supporting libselinux API functions are:''' | '''Supporting libselinux API functions are:''' | ||
<pre> | <pre> | ||
− | + | # Note that the contexts/users/[seuser_id] file is also read | |
− | + | # by some of these functions. | |
selinux_contexts_path | selinux_contexts_path | ||
Line 394: | Line 404: | ||
query_user_context | query_user_context | ||
manual_user_enter_context | manual_user_enter_context | ||
− | |||
</pre> | </pre> | ||
− | An example use (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was | + | An example use in this Notebook (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was unconfined_u:unconfined_r:unconfined_t). |
− | However when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. | + | However when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. unconfined_u:unconfined_r:ext_gateway_t), then it was found that the login process would always set the logged in user context to unconfined_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and choose the wrong one, probably because the types are sorted and 'e' comes before 'u'). |
The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to: | The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to: | ||
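Review bot: "the login application now had a choice and choose the wrong one" should be "chose the wrong one". Since the default_contexts table above states that the entries on a line are an ordered list of valid contexts, that rule could be cited here instead of the guess about sorted type names.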
Line 406: | Line 415: | ||
</pre> | </pre> | ||
− | The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/ | + | The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/unconfined_u configuration file instead could also have achieved this. |
− | == contexts/ | + | == contexts/dbus_contexts File == |
− | This file is for the | + | This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The '''dbus-daemon'''(1) man page details the contents and the Free Desktop web site has detailed information at: |
[http://dbus.freedesktop.org/ http://dbus.freedesktop.org] | [http://dbus.freedesktop.org/ http://dbus.freedesktop.org] | ||
Line 415: | Line 424: | ||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/dbus_contexts | |
− | + | <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/ | |
1.0/busconfig.dtd"> | 1.0/busconfig.dtd"> | ||
− | + | <busconfig> | |
− | + | <selinux> | |
− | + | </selinux> | |
− | + | </busconfig> | |
− | < | + | <pre> |
'''Supporting libselinux API function is:''' | '''Supporting libselinux API function is:''' | ||
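Review bot: the closing tag of the dbus_contexts example was changed to "<pre>" where "</pre>" is required; "'''Supporting libselinux API function is:'''" follows immediately, so the example block is left open. The DOCTYPE line is also broken in the middle of the system identifier ("http://www.freedesktop.org/standards/dbus/" then "1.0/busconfig.dtd"); inside <pre> that line break is literal, so anyone copying the example gets a malformed DTD URL. Put it on one line.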
Line 429: | Line 438: | ||
selinux_context_path | selinux_context_path | ||
</pre> | </pre> | ||
− | |||
== contexts/default_type File == | == contexts/default_type File == | ||
− | + | The '''default_type'''(5) file allows SELinux-aware applications such as '''newrole'''(1) to select a default type for a role if one is not supplied. | |
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
Line 440: | Line 448: | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | + | | role:type | |
− | + | | The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy. | |
|} | |} | ||
− | |||
− | |||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/default_type | |
auditadm_r:auditadm_t | auditadm_r:auditadm_t | ||
Line 461: | Line 468: | ||
'''Supporting libselinux API functions are:''' | '''Supporting libselinux API functions are:''' | ||
<pre> | <pre> | ||
− | + | selinux_default_type_path | |
get_default_type | get_default_type | ||
</pre> | </pre> | ||
− | |||
== contexts/failsafe_context File == | == contexts/failsafe_context File == | ||
− | + | The '''failsafe_context'''(5) is used when a login process cannot determine a default context to use. The file contents will then be used to allow an administrator access to the system. | |
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
<pre> | <pre> | ||
− | role:type | + | role:type[:range] |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
</pre> | </pre> | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | | | + | | <nowiki>role:type[:range]</nowiki> |
− | | | + | | A single line that has a valid context to allow an administrator access to the system, including the MLS / MCS level or range if applicable. |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
|} | |} | ||
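Review bot: "The '''failsafe_context'''(5) is used when a login process ..." is missing its noun; the other sections say "The ... file is used".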
Line 492: | Line 491: | ||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/failsafe_context - Taken from the targeted policy. | |
− | + | unconfined_r:unconfined_t | |
</pre> | </pre> | ||
<pre> | <pre> | ||
− | + | # contexts/failsafe_context - Taken from the MLS policy. | |
− | + | ||
sysadm_r:sysadm_t:s0 | sysadm_r:sysadm_t:s0 | ||
</pre> | </pre> | ||
− | |||
'''Supporting libselinux API functions are:''' | '''Supporting libselinux API functions are:''' | ||
Line 508: | Line 505: | ||
selinux_context_path | selinux_context_path | ||
selinux_failsafe_context_path | selinux_failsafe_context_path | ||
+ | get_default_context | ||
+ | get_default_context_with_role | ||
+ | get_default_context_with_level | ||
+ | get_default_context_with_rolelevel | ||
+ | get_ordered_context_list | ||
+ | get_ordered_context_list_with_level | ||
</pre> | </pre> | ||
− | |||
== contexts/initrc_context File == | == contexts/initrc_context File == | ||
− | This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose. | + | This is used by the '''run_init'''(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose. |
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
<pre> | <pre> | ||
− | + | user:role:type[:range] | |
</pre> | </pre> | ||
− | |||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | | | + | | <nowiki>user:role:type[:range]</nowiki> |
− | + | | The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable. | |
|} | |} | ||
Line 530: | Line 532: | ||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/initrc_context - Taken from the targeted policy. | |
− | system_u:system_r:initrc_t | + | system_u:system_r:initrc_t:s0 |
</pre> | </pre> | ||
<pre> | <pre> | ||
− | + | # contexts/initrc_context - Taken from the MLS policy | |
− | + | # Note that the init process has full access via the | |
− | + | # range s0-s15:c0.c255. | |
system_u:system_r:initrc_t:s0-s15:c0.c255 | system_u:system_r:initrc_t:s0-s15:c0.c255 | ||
Line 545: | Line 547: | ||
<pre> | <pre> | ||
selinux_context_path | selinux_context_path | ||
+ | </pre> | ||
+ | |||
+ | == contexts/lxc_contexts File == | ||
+ | This file supports labeling lxc containers within the <tt>libvirt</tt> library (see libvirt source <tt>src/security/security_selinux.c</tt>). This is similar to the [[#contexts/virtual_domain_context File | virtual_domain_context]] and [[#contexts/virtual_image_context File | virtual_image_context]] files used by libvirt qemu services. | ||
+ | |||
+ | '''The file format is as follows:''' | ||
+ | <pre> | ||
+ | process = "security_context" | ||
+ | file = "security_context" | ||
+ | content = "security_context" | ||
+ | sandbox_kvm_process = "security_context" | ||
+ | sandbox_lxc_process = "security_context" | ||
+ | </pre> | ||
+ | |||
+ | '''Where:''' | ||
+ | |||
+ | {| border="1" | ||
+ | | process | ||
+ | | A single <tt>process</tt> entry that contains the lxc domain security context, including the MLS / MCS level or range if applicable. | ||
+ | |||
+ | |- | ||
+ | | file | ||
+ | | A single <tt>file</tt> entry that contains the lxc file security context, including the MLS / MCS level or range if applicable. | ||
+ | |||
+ | |- | ||
+ | | content | ||
+ | | A single <tt>content</tt> entry that contains the lxc content security context, including the MLS / MCS level or range if applicable. | ||
+ | |||
+ | |- | ||
+ | | sandbox_kvm_process | ||
+ | |||
+ | sandbox_lxc_process | ||
+ | | These entries may be present, however in F-20 they are not currently used. | ||
+ | |||
+ | |} | ||
+ | |||
+ | |||
+ | '''Example file contents:''' | ||
+ | <pre> | ||
+ | # contexts/lxc_contexts | ||
+ | |||
+ | process = "system_u:system_r:svirt_lxc_net_t:s0" | ||
+ | content = "system_u:object_r:virt_var_lib_t:s0" | ||
+ | file = "system_u:object_r:svirt_sandbox_file_t:s0" | ||
+ | sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0" | ||
+ | sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0" | ||
+ | sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0" | ||
+ | </pre> | ||
+ | |||
+ | '''Supporting libselinux API functions are:''' | ||
+ | <pre> | ||
+ | selinux_context_path | ||
+ | selinux_lxc_context_path | ||
</pre> | </pre> | ||
== contexts/netfilter_contexts File == | == contexts/netfilter_contexts File == | ||
− | This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the | + | This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the modules/active/netfilter_contexts file section for further information). |
'''Supporting libselinux API functions are:''' | '''Supporting libselinux API functions are:''' | ||
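Review bot: the lxc_contexts example repeats "sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"" on two consecutive lines; drop one. Since the table says sandbox_kvm_process and sandbox_lxc_process are not used in F-20, a comment to that effect in the example would save readers wondering why they are present. In the netfilter_contexts paragraph, "(see the modules/active/netfilter_contexts file section ...)" is a plain-text reference where other sections link into PolicyStoreConfigurationFiles.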
Line 556: | Line 611: | ||
</pre> | </pre> | ||
− | + | == contexts/removable_context File == | |
− | == contexts/ | + | The '''removable_context'''(5) file contains a single default label that should be used for removable devices that are not defined in the [[#contexts/files/media | contexts/files/media]] file. |
− | + | ||
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
<pre> | <pre> | ||
− | + | user:role:type[:range] | |
</pre> | </pre> | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | | | + | | <nowiki>user:role:type[:range]</nowiki> |
− | + | | The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable. | |
|} | |} | ||
− | |||
− | |||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/removable_contexts | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
system_u:object_r:removable_t:s0 | system_u:object_r:removable_t:s0 | ||
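Review bot: the example comment says "# contexts/removable_contexts" but the section heading and the file name are contexts/removable_context (singular); fix the comment so readers do not look for the wrong file.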
Line 592: | Line 639: | ||
== contexts/securetty_types File == | == contexts/securetty_types File == | ||
− | + | The '''securetty_types'''(5) file is used by the '''newrole'''(1) command to find the type to use with tty devices when changing roles or levels. | |
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
Line 600: | Line 647: | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | + | | type | |
− | + | | Zero or more type entries that are defined in the policy for tty devices. | |
|} | |} | ||
− | |||
− | |||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/securetty_types | |
sysadm_tty_device_t | sysadm_tty_device_t | ||
Line 615: | Line 661: | ||
staff_tty_device_t | staff_tty_device_t | ||
</pre> | </pre> | ||
+ | |||
+ | '''Supporting libselinux API functions are:''' | ||
<pre> | <pre> | ||
− | + | selinux_securetty_types_path | |
− | + | </pre> | |
− | + | == contexts/sepgsql_contexts File == | |
− | + | This file contains the default security contexts for SE-PostgreSQL database objects and is descibed in <tt>'''selabel_db'''(5)</tt>. | |
− | + | ||
− | + | '''The file format is as follows:''' | |
− | + | ||
+ | Each line within the database contexts file is as follows: | ||
+ | <pre> | ||
+ | object_type object_name context | ||
</pre> | </pre> | ||
− | ''' | + | '''Where:''' |
+ | |||
+ | {| border="1" | ||
+ | | <tt>object_type</tt> | ||
+ | | This is the string representation of the object type. | ||
+ | |||
+ | |- | ||
+ | | <tt>object_name</tt> | ||
+ | | These are the object names of the specific database objects. | ||
+ | |||
+ | The entry can contain '<tt><nowiki>*</nowiki></tt>' for wildcard matching or '<tt>?</tt>' for substitution. Note that if the '<tt><nowiki>*</nowiki></tt>' is used, then be aware that the order of entries in the file is important. The '<tt><nowiki>*</nowiki></tt>' on its own is used to ensure a default fallback context is assigned and should be the last entry in the <tt>object_type</tt> block. | ||
+ | |||
+ | |- | ||
+ | | <tt>context</tt> | ||
+ | | The security context that will be applied to the object. | ||
+ | |||
+ | |} | ||
+ | |||
+ | |||
+ | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/sepgsql_contexts file | |
+ | |||
+ | # object_type object_name context | ||
+ | db_database my_database system_u:object_r:my_sepgsql_db_t:s0 | ||
+ | db_database * system_u:object_r:sepgsql_db_t:s0 | ||
+ | db_schema *.* system_u:object_r:sepgsql_schema_t:s0 | ||
</pre> | </pre> | ||
+ | == contexts/systemd_contexts File == | ||
+ | This file is not currently used in F-20 but seems to contain file contexts to be used by tasks run via <tt>'''systemd'''(8)</tt> in a later release. There are some patches in the <tt>systemd</tt> mail archive that relate to this file. | ||
+ | |||
+ | '''The file format is as follows:''' | ||
+ | <pre> | ||
+ | service_class = security_context | ||
+ | </pre> | ||
+ | |||
+ | '''Where:''' | ||
+ | |||
+ | {| border="1" | ||
+ | | service_class | ||
+ | | One or more entries that relate to the <tt>systemd</tt> service (e.g. runtime, transient). | ||
+ | |||
+ | |- | ||
+ | | security_context | ||
+ | | The security context, including the MLS / MCS level or range if applicable of the service to be run. | ||
+ | |||
+ | |} | ||
+ | |||
+ | |||
+ | '''Example file contents:''' | ||
+ | <pre> | ||
+ | # contexts/systemd_contexts | ||
+ | |||
+ | runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 | ||
+ | </pre> | ||
+ | |||
+ | '''Supporting libselinux API functions are:''' | ||
+ | <pre> | ||
+ | selinux_context_path | ||
+ | selinux_systemd_contexts_path | ||
+ | </pre> | ||
== contexts/userhelper_context File == | == contexts/userhelper_context File == | ||
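Review bot: "descibed" in the new contexts/sepgsql_contexts paragraph should be "described". In the contexts/systemd_contexts table, "One or more entries that relate to the systemd service" does not match the format line `service_class = security_context`, which shows one class per line; "The class of systemd service the line applies to (e.g. runtime, transient)" would agree with the example entry.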
Line 641: | Line 749: | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | + | | security_context | |
− | + | | The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable. | |
|} | |} | ||
Line 650: | Line 759: | ||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # /contexts/userhelper_context - Taken from the standard reference policy. | |
system_u:sysadm_r:sysadm_t | system_u:sysadm_r:sysadm_t | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
− | + | # contexts/userhelper_context - Taken from the MLS/MCS reference policy. | |
− | + | ||
system_u:sysadm_r:sysadm_t:s0 | system_u:sysadm_r:sysadm_t:s0 | ||
Line 665: | Line 773: | ||
selinux_context_path | selinux_context_path | ||
</pre> | </pre> | ||
− | |||
== contexts/virtual_domain_context File == | == contexts/virtual_domain_context File == | ||
− | + | The '''virtual_domain_context'''(5) file is used by the virtulization API (<tt>libvirt</tt>) and provides the qemu domain contexts available in the policy (see libvirt source <tt>src/security/security_selinux.c</tt>). There may be two entries in this file, with the second entry being an alternative domain context. | |
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | # | + | # contexts/virtual_domain_context - From targeted policy. |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
system_u:system_r:svirt_t:s0 | system_u:system_r:svirt_t:s0 | ||
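Review bot: "virtulization" in the new contexts/virtual_domain_context paragraph should be "virtualization".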
Line 689: | Line 788: | ||
selinux_virtual_domain_context_path | selinux_virtual_domain_context_path | ||
</pre> | </pre> | ||
− | |||
− | |||
== contexts/virtual_image_context File == | == contexts/virtual_image_context File == | ||
− | + | The '''virtual_image_context'''(5) file is used by the virtulization API (<tt>libvirt</tt>) and provides the image contexts that are available in the policy (see libvirt source <tt>src/security/security_selinux.c</tt>). The first entry is the image file context and the second entry is the image content context. | |
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | # | + | # contexts/virtual_image_context - From targeted policy. |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
system_u:system_r:svirt_image_t:s0 | system_u:system_r:svirt_image_t:s0 | ||
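Review bot: same spelling slip here, "virtulization" should be "virtualization" in the virtual_image_context paragraph.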
Line 716: | Line 804: | ||
selinux_virtual_image_context_path | selinux_virtual_image_context_path | ||
</pre> | </pre> | ||
− | |||
== contexts/x_contexts File == | == contexts/x_contexts File == | ||
− | + | The '''x_contexts'''(5) file provides the default security contexts for the X-Windows SELinux security extension. The usage is discussed in the [[NB_XWIN | SELinux X-Windows Support]] section. The MCS / MLS version of the file has the appropriate level or range information added. | |
− | + | ||
− | + | ||
A typical entry is as follows: | A typical entry is as follows: | ||
<pre> | <pre> | ||
− | # object_type | + | # object_type object_name context |
− | selection | + | selection PRIMARY system_u:object_r:clipboard_xselection_t |
</pre> | </pre> | ||
− | Where: | + | '''Where:''' |
+ | |||
{| border="1" | {| border="1" | ||
| <tt>object_type</tt> | | <tt>object_type</tt> | ||
Line 736: | Line 822: | ||
|- | |- | ||
| <tt>object_name</tt> | | <tt>object_name</tt> | ||
− | | These are the object names of the specific X-server resource such as <tt>PRIMARY</tt>, <tt>CUT_BUFFER0</tt> etc. They are generally defined in the X-server source code (<tt>protocol.txt</tt> and <tt>BuiltInAtoms </tt>in the <tt>dix</tt> directory of the <tt>xorg-server</tt> source package | + | | These are the object names of the specific X-server resource such as <tt>PRIMARY</tt>, <tt>CUT_BUFFER0</tt> etc. They are generally defined in the X-server source code (<tt>protocol.txt</tt> and <tt>BuiltInAtoms </tt>in the <tt>dix</tt> directory of the <tt>xorg-server</tt> source package). |
− | This can contain '<tt>*</tt>' for 'any' or '<tt>?</tt>' for 'substitute' (see the <tt>CUT_BUFFER?</tt> entry where the '<tt>?</tt>' would be substituted for a number between 0 and 7 that represents the number of these buffers). | + | This can contain '<tt><nowiki>*</nowiki></tt>' for 'any' or '<tt>?</tt>' for 'substitute' (see the <tt>CUT_BUFFER?</tt> entry where the '<tt>?</tt>' would be substituted for a number between 0 and 7 that represents the number of these buffers). |
|- | |- | ||
| <tt>context</tt> | | <tt>context</tt> | ||
− | | This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label | + | | This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label. |
|} | |} | ||
− | '''Example file contents | + | '''Example file contents:''' |
<pre> | <pre> | ||
# | # | ||
# Config file for XSELinux extension | # Config file for XSELinux extension | ||
# | # | ||
+ | |||
### Rules for X Clients | ### Rules for X Clients | ||
# The default client rule defines a context to be used for all clients | # The default client rule defines a context to be used for all clients | ||
# connecting to the server from a remote host. | # connecting to the server from a remote host. | ||
# | # | ||
− | client * system_u:object_r:remote_t | + | client*system_u:object_r:remote_t |
# | # | ||
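Review bot: the replacement line `client*system_u:object_r:remote_t` has lost the whitespace that separated the three fields in the old line `client * system_u:object_r:remote_t`. The x_contexts format shown just above is `object_type object_name context` with whitespace-separated fields, so as written the example entry would not parse; restore the tabs or spaces.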
Line 763: | Line 850: | ||
# rule indicated by an asterisk should follow all other property rules. | # rule indicated by an asterisk should follow all other property rules. | ||
# | # | ||
− | |||
# Properties that normal clients may only read | # Properties that normal clients may only read | ||
− | property _SELINUX_* system_u:object_r:seclabel_xproperty_t | + | property _SELINUX_*system_u:object_r:seclabel_xproperty_t |
# Clipboard and selection properties | # Clipboard and selection properties | ||
− | property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t | + | property CUT_BUFFER?system_u:object_r:clipboard_xproperty_t |
# Default fallback type | # Default fallback type | ||
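Review bot: the property lines have the same separator loss, `property _SELINUX_*system_u:object_r:seclabel_xproperty_t` and `property CUT_BUFFER?system_u:object_r:clipboard_xproperty_t` fuse the object_name and context fields; the old lines had a space between `_SELINUX_*` and `system_u:...`.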
Line 779: | Line 865: | ||
# | # | ||
# Restricted extensions | # Restricted extensions | ||
− | extension | + | extension SELinuxsystem_u:object_r:security_xextension_t |
# Standard extensions | # Standard extensions | ||
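Review bot: `extension SELinuxsystem_u:object_r:security_xextension_t` needs a separator between the object name `SELinux` and the context.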
Line 790: | Line 876: | ||
# | # | ||
# Standard selections | # Standard selections | ||
− | selection | + | selection PRIMARYsystem_u:object_r:clipboard_xselection_t |
− | selection | + | selection CLIPBOARDsystem_u:object_r:clipboard_xselection_t |
# Default fallback type | # Default fallback type | ||
− | selection * system_u:object_r:xselection_t | + | selection *system_u:object_r:xselection_t |
# | # | ||
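Review bot: the three selection lines (`selection PRIMARYsystem_u:...`, `selection CLIPBOARDsystem_u:...`, `selection *system_u:object_r:xselection_t`) also fuse object_name and context; note the "typical entry" earlier in this section still shows the correct spacing `selection PRIMARY system_u:object_r:clipboard_xselection_t`.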
Line 802: | Line 888: | ||
# | # | ||
# Input events | # Input events | ||
− | event X11: | + | event X11:KeyPresssystem_u:object_r:input_xevent_t |
− | event X11: | + | event X11:KeyReleasesystem_u:object_r:input_xevent_t |
− | event X11: | + | event X11:ButtonPresssystem_u:object_r:input_xevent_t |
− | event X11: | + | event X11:ButtonReleasesystem_u:object_r:input_xevent_t |
− | event X11: | + | event X11:MotionNotifysystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:DeviceKeyPresssystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:DeviceKeyReleasesystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:DeviceButtonPresssystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:DeviceButtonReleasesystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:DeviceMotionNotifysystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:DeviceValuatorsystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:ProximityInsystem_u:object_r:input_xevent_t |
− | event XInputExtension: | + | event XInputExtension:ProximityOutsystem_u:object_r:input_xevent_t |
# Client message events | # Client message events | ||
− | event X11: | + | event X11:ClientMessagesystem_u:object_r:client_xevent_t |
− | event X11: | + | event X11:SelectionNotifysystem_u:object_r:client_xevent_t |
− | event X11: | + | event X11:UnmapNotifysystem_u:object_r:client_xevent_t |
− | event X11: | + | event X11:ConfigureNotifysystem_u:object_r:client_xevent_t |
# Default fallback type | # Default fallback type | ||
− | event * system_u:object_r:xevent_t | + | event *system_u:object_r:xevent_t |
</pre> | </pre> | ||
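Review bot: every event line in this hunk, from `event X11:KeyPresssystem_u:object_r:input_xevent_t` down to `event *system_u:object_r:xevent_t`, has the object_name and context run together; a reader copying this block into contexts/x_contexts would get an unparseable file. Suggest `event X11:KeyPress system_u:object_r:input_xevent_t` and likewise for the rest.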
Line 836: | Line 922: | ||
== contexts/files/file_contexts File == | == contexts/files/file_contexts File == | ||
− | + | The '''file_contexts'''(5) file is managed by the '''semodule'''(8) and '''semanage'''(8) commands<ref name="ftn39"><sup>As each module would have its own file_contexts component that is either added or removed from the policies overall <nowiki>/etc/selinux/<policy_name>/contexts/ files/file_contexts</nowiki> file. </sup></ref> as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited. | |
− | + | The file is used by a number of SELinux-aware commands ('''setfiles'''(8), '''fixfiles'''(8), '''matchpathcon'''(8), '''restorecon'''(8)) to relabel either part or all of the file system. | |
− | + | Note that users home directory file contexts are not present in this file as they are managed by the [[#contexts/files/file_contexts.homedirs | file_contexts.homedirs]] file as explained below. | |
− | + | The format of the file_contexts file is the same as the files described in the [[PolicyStoreConfigurationFiles#modules/active/file_contexts_File | modules/active/file_contexts]] file section. | |
− | The format of | + | There may also be a <tt>file_contexts.bin</tt> present that is built and used by <tt>'''semanage'''(8)</tt>. The format of this file conforms to the Perl compatible regular expression (PCRE) internal format. |
'''Supporting libselinux API functions are:''' | '''Supporting libselinux API functions are:''' | ||
<pre> | <pre> | ||
selinux_file_context_path | selinux_file_context_path | ||
− | + | selabel_open | |
− | + | selabel_close | |
+ | selabel_lookup | ||
+ | selabel_stats | ||
</pre> | </pre> | ||
− | |||
== contexts/files/file_contexts.local File == | == contexts/files/file_contexts.local File == | ||
− | This file is added by the semanage fcontext command as described in the | + | This file is added by the semanage fcontext command as described in the [[PolicyStoreConfigurationFiles#modules/active/file_contexts.local_File | modules/active/file_contexts.local]] file section to allow locally defined files to be labeled correctly. The '''file_contexts'''(5) man page also decribes this file. |
+ | |||
+ | '''Supporting libselinux API functions are:''' | ||
+ | <pre> | ||
+ | selinux_file_context_local_path | ||
+ | </pre> | ||
== contexts/files/file_contexts.homedirs File == | == contexts/files/file_contexts.homedirs File == | ||
− | This file is managed by the semodule and semanage commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited. | + | This file is managed by the '''semodule'''(8) and '''semanage'''(8) commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited. |
− | It is generated by the genhomedircon(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files. | + | It is generated by the '''genhomedircon'''(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files. |
− | It is fully described in the | + | It is fully described in the [[PolicyStoreConfigurationFiles#modules/active/file_contexts.homedirs | modules/active/file_contexts.homedirs]] file section. The '''file_contexts'''(5) man page also decribes this file. |
+ | |||
+ | There may also be a <tt>file_contexts.homedirs.bin</tt> present that is built and used by <tt>'''semanage'''(8)</tt>. The format of this file conforms to the Perl compatible regular expression (PCRE) internal format. | ||
'''Supporting libselinux API functions are:''' | '''Supporting libselinux API functions are:''' | ||
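Review bot: the footnote path in the file_contexts paragraph contains a stray space, `/etc/selinux/<policy_name>/contexts/ files/file_contexts`, which should be `contexts/files/file_contexts`. "decribes" appears twice in this hunk (file_contexts.local and file_contexts.homedirs paragraphs) and should be "describes".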
Line 870: | Line 964: | ||
</pre> | </pre> | ||
+ | == contexts/files/file_contexts.subs and file_contexts.subs_dist File == | ||
+ | These files allow substitution of file names (<tt>.subs</tt> for local use and <tt>.subs_dist</tt> for GNU / Linux distributions use) for the <tt>libselinux</tt> functions <tt>'''matchpatchcon'''(3)</tt> and <tt>'''selabel_lookup'''(3)</tt>. The '''file_contexts'''(5) man page also decribes this file. | ||
+ | |||
+ | The subs files contain a list of space separated path names such as: | ||
+ | <pre> | ||
+ | /myweb /var/www | ||
+ | /myspool /var/spool/mail | ||
+ | </pre> | ||
+ | |||
+ | Then (for example), when <tt>'''matchpatchcon'''(3)</tt> or <tt>'''selabel_lookup'''(3)</tt> is passed a path <tt>/myweb/index.html</tt> the functions will substitute the <tt>/myweb</tt> component with <tt>/var/www</tt>, with the final result being: | ||
+ | <pre> | ||
+ | /var/www/index.html | ||
+ | </pre> | ||
+ | |||
+ | '''Supporting libselinux API functions are:''' | ||
+ | <pre> | ||
+ | selinux_file_context_subs_path | ||
+ | selinux_file_context_subs_dist_path | ||
+ | selabel_lookup | ||
+ | matchpathcon | ||
+ | matchpathcon_index | ||
+ | </pre> | ||
== contexts/files/media File == | == contexts/files/media File == | ||
− | + | The '''media'''(5) file is used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the [[#contexts/removeable_contexts | contexts/removable_contexts]] is used instead. | |
'''The file format is as follows:''' | '''The file format is as follows:''' | ||
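Review bot: the subs/subs_dist paragraphs name the function as `matchpatchcon(3)` twice; the API list at the end of the same hunk and the section text elsewhere spell it `matchpathcon`, which is the libselinux name. "decribes" should be "describes". In the media paragraph the link target `#contexts/removeable_contexts` does not match the section heading listed in the table of contents ("contexts/removable_context File"), so the anchor will not resolve.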
Line 880: | Line 996: | ||
'''Where:''' | '''Where:''' | ||
+ | |||
{| border="1" | {| border="1" | ||
− | + | | media_id | |
− | + | | The media identifier (those known are: cdrom, floppy, disk and usb). | |
|- | |- | ||
− | + | | file_context | |
− | + | | The context to be used for the device. Note that it does not have the MLS / MCS level). | |
|} | |} | ||
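Review bot: the file_context cell "Note that it does not have the MLS / MCS level)." has a closing parenthesis with no opening one; either drop it or write "(note that it does not have the MLS / MCS level)".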
Line 893: | Line 1,010: | ||
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/files/media | |
− | + | # Note the same file is generated for all types of policy. | |
cdrom system_u:object_r:removable_device_t | cdrom system_u:object_r:removable_device_t | ||
Line 905: | Line 1,022: | ||
selinux_media_context_path | selinux_media_context_path | ||
</pre> | </pre> | ||
− | |||
== contexts/users/[seuser_id] File == | == contexts/users/[seuser_id] File == | ||
− | These optional files are named after the SELinux user they represent | + | These optional files are named after the SELinux user they represent. Each file has the same format as the [[#contexts/default_contexts | contexts/default_contexts]] file and is used to assign the correct context to the SELinux user (generally during login). The <tt>'''user_contexts'''(5)</tt> man page also decribes these entries. |
'''Example file contents:''' | '''Example file contents:''' | ||
<pre> | <pre> | ||
− | + | # contexts/users/unconfined_u - From the targeted policy. | |
− | system_r: | + | system_r:crond_t:s0 unconfined_r:unconfined_t:s0 |
− | + | system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 | |
− | system_r: | + | system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 |
− | + | system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0 | |
− | + | system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 | |
− | + | system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 | |
− | + | system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 | |
− | + | system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 | |
− | + | unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 | |
− | system_r:local_login_t:s0 | + | system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 |
− | system_r:remote_login_t:s0 | + | |
− | system_r:sshd_t:s0 | + | |
− | system_r: | + | |
− | system_r: | + | |
− | + | ||
− | + | ||
</pre> | </pre> | ||
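Review bot: "decribes" in the contexts/users/[seuser_id] paragraph should be "describes".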
Line 937: | Line 1,047: | ||
selinux_users_path | selinux_users_path | ||
selinux_usersconf_path | selinux_usersconf_path | ||
+ | get_default_context | ||
+ | get_default_context_with_role | ||
+ | get_default_context_with_level | ||
+ | get_default_context_with_rolelevel | ||
+ | get_ordered_context_list | ||
+ | get_ordered_context_list_with_level | ||
</pre> | </pre> | ||
+ | |||
+ | == logins/<linuxuser_id> File == | ||
+ | These optional files are used by SELinux-aware login applications such as PAM (using the <tt>pam_selinux</tt> module) to obtain an SELinux user name and level based on the GNU / Linux login id and service name. It has been implemented for SELinux-aware applications such as FreeIPA (Identity, Policy Audit - see [http://freeipa.org/page/Main_Page)for http://freeipa.org/page/Main_Page] for details). The <tt>'''service_seusers'''(5)</tt> man page also decribes these entries. | ||
+ | |||
+ | The file name is based on the GNU/Linux user that is used at log in time (e.g. <tt>ipa</tt>). | ||
+ | |||
+ | If <tt>'''getseuser'''(3)</tt> fails to find an entry, then the <tt>seusers</tt> file is used to retrieve default information. | ||
+ | |||
+ | '''The file format is as follows:''' | ||
+ | <pre> | ||
+ | service_name:seuser_id:level | ||
+ | </pre> | ||
+ | |||
+ | '''Where:''' | ||
+ | |||
+ | {| border="1" | ||
+ | | service_name | ||
+ | | The name of the service. | ||
+ | |||
+ | |- | ||
+ | | seuser_id | ||
+ | | The SELinux user name. | ||
+ | |||
+ | |- | ||
+ | | level | ||
+ | | The run level | ||
+ | |||
+ | |} | ||
+ | |||
+ | |||
+ | '''Example file contents:''' | ||
+ | <pre> | ||
+ | # logins/ipa example entries | ||
+ | |||
+ | ipa_service:user_u:s0 | ||
+ | another_service:unconfined_u:s0 | ||
+ | </pre> | ||
+ | |||
+ | '''Supporting libselinux API functions are:''' | ||
+ | <pre> | ||
+ | getseuser | ||
+ | </pre> | ||
+ | |||
+ | == users/local.users File == | ||
+ | Generally the '''local.users'''(5) file is not present if <tt>'''semanage'''(8)</tt> is being used to manage users, however if <tt>'''semanage'''</tt> is not being used then this file may be present (it could also be present in older Reference or Example policies). | ||
+ | |||
+ | The file would contain local user definitions in the form of <tt>user</tt> statements as defined in the [[PolicyStoreConfigurationFiles#modules/active/users_extra, users_extra.local and users.local Files | modules/active/users.local]] section. | ||
+ | |||
+ | Note that if <tt>SETLOCALDEFS</tt> is set in the SELinux [[GlobalConfigurationFiles#/etc/selinux/config File | config]] file, then <tt>'''selinux_mkload_policy'''(3)</tt> will check for a <tt>local.users</tt> file in the <tt>'''selinux_users_path'''(3)</tt>, and a <tt>booleans.local</tt> file in the <tt>'''selinux_booleans_path'''(3)</tt>. | ||
+ | |||
+ | |||
+ | |||
+ | {| style="width: 100%;" border="0" | ||
+ | |- | ||
+ | | [[PolicyStoreConfigurationFiles | '''Previous''']] | ||
+ | | <center>[[NewUsers | '''Home''']]</center> | ||
+ | | <center>[[PolicyLanguage | '''Next''']]</center> | ||
+ | |} | ||
+ | |||
+ | |||
+ | ---- | ||
+ | <references/> | ||
+ | |||
+ | [[Category:Notebook]] |
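Review bot: the FreeIPA link in the new logins/<linuxuser_id> section is malformed, `[http://freeipa.org/page/Main_Page)for http://freeipa.org/page/Main_Page]`, and should be a single `[http://freeipa.org/page/Main_Page FreeIPA]` style link; "Identity, Policy Audit" is missing a comma. The `level` table cell says "The run level", but the format line `service_name:seuser_id:level` and the example entries `ipa_service:user_u:s0` show an MLS/MCS level (s0), so the cell should say "The MLS / MCS level or range". "decribes" should be "describes".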
Latest revision as of 16:47, 10 December 2014
Contents
- 1 Policy Configuration Files
- 1.1 seusers File
- 1.2 booleans and booleans.local File
- 1.3 booleans.subs_dist File
- 1.4 setrans.conf File
- 1.5 secolor.conf File
- 1.6 policy/policy.<ver> File
- 1.7 contexts/customizable_types File
- 1.8 contexts/default_contexts File
- 1.9 contexts/dbus_contexts File
- 1.10 contexts/default_type File
- 1.11 contexts/failsafe_context File
- 1.12 contexts/initrc_context File
- 1.13 contexts/lxc_contexts File
- 1.14 contexts/netfilter_contexts File
- 1.15 contexts/removable_context File
- 1.16 contexts/securetty_types File
- 1.17 contexts/sepgsql_contexts File
- 1.18 contexts/systemd_contexts File
- 1.19 contexts/userhelper_context File
- 1.20 contexts/virtual_domain_context File
- 1.21 contexts/virtual_image_context File
- 1.22 contexts/x_contexts File
- 1.23 contexts/files/file_contexts File
- 1.24 contexts/files/file_contexts.local File
- 1.25 contexts/files/file_contexts.homedirs File
- 1.26 contexts/files/file_contexts.subs and file_contexts.subs_dist File
- 1.27 contexts/files/media File
- 1.28 contexts/users/[seuser_id] File
- 1.29 logins/<linuxuser_id> File
- 1.30 users/local.users File
Policy Configuration Files
Each file discussed in this section is relative to the policy name as follows:
/etc/selinux/<policy_name>
The majority of files are installed by the Reference Policy, semanage(8) or semodule(8) commands. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example the simple monolithic policy described in the Notebook source tarball could run at init 3 (i.e. no X-Windows) and only require the following configuration files:
- policy/policy.29 - The binary policy loaded into the kernel.
- context/files/file_contexts - To allow the filesystem to be relabeled.
If the simple policy is to run at init 5, (i.e. with X-Windows) then an additional two files are required:
- context/dbus_contexts - To allow the dbus messaging service to run under SELinux.
- context/x_contexts - To allow the X-Windows service to run under SELinux (or XSELinux could be disabled as discussed in the SELinux X-Windows Support section).
seusers File
The seusers(5) file is used by login programs (normally via the libselinux library) and maps GNU / Linux users (as defined in the user / passwd files) to SELinux users (defined in the policy). A typical login sequence would be:
- Using the GNU / Linux user_id, lookup the seuser_id from this file. If an entry cannot be found, then use the __default__ entry.
- To determine the remaining context to be used as the security context, read the contexts/users/[seuser_id] file. If this file is not present, then:
- Check for a default context in the contexts/default_contexts file. If no default context is found, then:
- Read the contexts/failsafe_context file to allow a fail safe context to be set.
Note: The system_u user is defined in this file, however there must be no system_u GNU / Linux user configured on the system.
The format of the seusers file is the same as the files described in the modules/active/seusers.final section, where an example semanage user command is also shown.
Example seusers file contents:
# seusers file for non-MCS/MLS systems.
system_u:system_u
root:root
fred:user_u
__default__:user_u
# seusers file for an MLS system. Note that the system_u user
# has access to all security levels and therefore should not be
# configured as a valid GNU / Linux user.
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0
Supporting libselinux API functions are:
getseuser
getseuserbyname
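The four-step lookup described above, as an added example that is not code from the SELinux Notebook or from libselinux: it parses constructed copies of seusers, contexts/users/[seuser_id], contexts/default_contexts and contexts/failsafe_context (embedded below) instead of calling getseuser(3) and get_ordered_context_list_with_level(3). The file contents, the function names and the login process contexts used are all assumptions made for the example.

```python
"""Walk the login-time context resolution the seusers section describes.

Added example, not code from the SELinux Notebook or libselinux: it parses
constructed copies of seusers, contexts/users/<seuser_id>,
contexts/default_contexts and contexts/failsafe_context embedded below.
"""

# Constructed MLS-style seusers file (same shape as the page's second example).
SEUSERS = """\
# seusers file for an MLS system.
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0
"""

# Constructed contexts/users/<seuser_id> files, keyed by seuser_id.  Each line is
#   <login process context>  <allowed user contexts, preferred first ...>
USERS_FILES = {
    "root": "system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0\n",
}

# Constructed contexts/default_contexts (same line format as above).
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
"""

# Constructed contexts/failsafe_context.
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0"


def _lines(text):
    """Non-blank, non-comment lines of a contexts file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def lookup_seuser(seusers_text, linux_user):
    """Step 1: map a GNU/Linux user to (seuser_id, level); level is None on a
    non-MLS system.  Users without an entry get the __default__ entry."""
    table = {}
    for line in _lines(seusers_text):
        parts = line.split(":", 2)          # user:seuser[:level-or-range]
        if len(parts) < 2:
            raise ValueError("malformed seusers line: %r" % line)
        table[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else None)
    if linux_user in table:
        return table[linux_user]
    if "__default__" not in table:
        raise LookupError("no entry for %s and no __default__" % linux_user)
    return table["__default__"]


def _first_allowed(text, login_context):
    """First user context listed for login_context in a default_contexts-style file."""
    for line in _lines(text):
        fields = line.split()
        if fields[0] == login_context and len(fields) > 1:
            return fields[1]
    return None


def resolve_login_context(linux_user, login_context, seusers_text=SEUSERS,
                          users_files=USERS_FILES, default_contexts=DEFAULT_CONTEXTS,
                          failsafe=FAILSAFE_CONTEXT):
    """Steps 1-4: seusers, then contexts/users/<seuser_id>, then
    contexts/default_contexts, then contexts/failsafe_context.
    Returns the resulting user context as user:role:type[:level]."""
    seuser, level = lookup_seuser(seusers_text, linux_user)
    user_file = users_files.get(seuser)          # step 2: per-seuser file, if any
    ctx = _first_allowed(user_file, login_context) if user_file else None
    if ctx is None:                              # step 3: default_contexts
        ctx = _first_allowed(default_contexts, login_context)
    if ctx is None:                              # step 4: failsafe
        ctx = failsafe
    role, typ, *rest = ctx.split(":", 2)         # role:type[:level]
    # The level or range from seusers wins over the one in the contexts file,
    # mirroring what get_ordered_context_list_with_level(3) does with it.
    final_level = level if level is not None else (rest[0] if rest else None)
    full = "%s:%s:%s" % (seuser, role, typ)
    return full + (":" + final_level if final_level else "")


if __name__ == "__main__":
    for user, login in (("root", "system_r:local_login_t:s0"),
                        ("fred", "system_r:sshd_t:s0"),
                        ("alice", "system_r:xdm_t:s0")):
        print(user, "->", resolve_login_context(user, login))
```

The third sample login (alice, a Linux user with no seusers entry, logging in through a process context that no contexts file lists) is the path that ends at the failsafe context; on a real system that is the case worth auditing, because the failsafe context is typically privileged.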
booleans and booleans.local File
Generally these booleans(5) files are not present if semanage(8) is being used to manage booleans (see the modules/active/booleans.local File section). However if semanage is not being used or there is an SELinux-aware application that uses the libselinux functions listed below, then these files may be present (they could also be present in older Reference policies):
- security_set_boolean_list(3) - Writes a boolean.local file if flag permanent = '1'.
- security_load_booleans(3) - Will look for a booleans or booleans.local file here unless a specific path is specified.
Both files have the same format and contain one or more boolean names. The format is:
boolean_name value
Where:
boolean_name | The name of the boolean. |
value | The default setting for the boolean that can be one of the following:
true | false | 1 | 0 |
Note that if SETLOCALDEFS is set in the SELinux config file, then selinux_mkload_policy(3) will check for a booleans.local file in the selinux_booleans_path(3), and also a local.users file in the selinux_users_path(3).
booleans.subs_dist File
The booleans.subs_dist file (if present) will allow new boolean names to be allocated to those in the active policy. This file was added because many older booleans began with 'allow', which made it difficult to determine what they did. For example the boolean allow_console_login becomes more descriptive as login_console_enabled. If the booleans.subs_dist file is present, then either name may be used. selinux_booleans_subs_path(3) will return the active policy path to this file and selinux_boolean_sub(3) will return the translated name.
Each line within the substitution file booleans.subs_dist is:
policy_bool_name new_name
Where:
- policy_bool_name
- The policy boolean name.
- new_name
- The new boolean name.
Example:
# booleans.subs_dist
# policy_bool_name new_name
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
When security_get_boolean_names(3) or security_set_boolean(3) is called with a boolean name and the booleans.subs_dist file is present, the name will be looked up and if using the new_name, then the policy_bool_name will be used (as that is what is defined in the active policy).
Supporting libselinux API functions are:
selinux_booleans_subs_path
selinux_booleans_sub
security_get_boolean_names
security_set_boolean
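An added example (not code from the SELinux Notebook or libselinux) that ties the two preceding sections together: it parses a booleans.local file in the `boolean_name value` format and applies the booleans.subs_dist translation so that either the old or the new boolean name resolves to the name defined in the active policy, which is what the text describes selinux_boolean_sub(3) doing. The booleans.local contents are constructed; the subs_dist entries are the page's own example.

```python
"""Parse booleans / booleans.local and apply booleans.subs_dist translation.

Added example, not code from the SELinux Notebook or libselinux.
"""

# booleans.subs_dist entries as shown on the page.
SUBS_DIST = """\
# booleans.subs_dist
# policy_bool_name new_name
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
"""

# Constructed booleans.local mixing old and new names and both value spellings.
BOOLEANS_LOCAL = """\
# booleans.local
allow_console_login 1
daemons_dump_core false
cvs_read_shadow true
"""

_TRUE = {"true", "1"}
_FALSE = {"false", "0"}


def _fields(text):
    """Whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()


def parse_subs_dist(text):
    """Return {new_name: policy_bool_name}."""
    subs = {}
    for fields in _fields(text):
        if len(fields) != 2:
            raise ValueError("malformed subs_dist line: %r" % " ".join(fields))
        policy_name, new_name = fields
        subs[new_name] = policy_name
    return subs


def boolean_sub(name, subs):
    """Translate a new_name to its policy_bool_name; any other name passes
    through unchanged, which is what lets either spelling be used."""
    return subs.get(name, name)


def parse_booleans(text, subs):
    """Return {policy_bool_name: bool} for a booleans or booleans.local file.
    Values must be true/false/1/0; anything else is rejected, not guessed."""
    values = {}
    for fields in _fields(text):
        if len(fields) != 2:
            raise ValueError("malformed boolean line: %r" % " ".join(fields))
        name, value = fields
        lowered = value.lower()
        if lowered in _TRUE:
            setting = True
        elif lowered in _FALSE:
            setting = False
        else:
            raise ValueError("bad value %r for boolean %s" % (value, name))
        policy_name = boolean_sub(name, subs)
        if policy_name in values and values[policy_name] != setting:
            # The same boolean given under both spellings with different values.
            raise ValueError("conflicting settings for %s" % policy_name)
        values[policy_name] = setting
    return values


if __name__ == "__main__":
    subs = parse_subs_dist(SUBS_DIST)
    for bool_name, setting in sorted(parse_booleans(BOOLEANS_LOCAL, subs).items()):
        print(bool_name, "=", int(setting))
```

The conflict check at the end of parse_booleans is the point of translating before storing: once both spellings map to one policy name, a file that sets the same boolean twice with different values is caught instead of silently taking the last line.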
setrans.conf File
The setrans.conf(8) file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.
There are a number of sample configuration files within the mcstrans package that describe the configuration options in detail that are located at /usr/share/mcstrans/examples.
The daemon will not load unless a valid MCS or MLS policy is active.
The translations can be disabled by adding the following line to the file:
disable = 1
This file will also support the display of information in colour. The configuration file that controls this is called secolor.conf and is described in the secolor.conf section.
The file format is described in setrans.conf(8) with the following giving an overview:
# Syntax
# A domain is a self consistent domain of translation (English, German, Paragraph Markings ...)
Domain=NAME1
# Within a domain are a number of fixed translations
# format is raw_range=trans_range
s3:c200.c511=Confidential
# repeat as required...
# Within a domain are variable translations that are a Base + ModifierGroup + ModifierGroup
Base=Sensitivity Levels
# raw_range=name
s1=Unclassified
# Aliases have the same name but a different translation.
# The first one is used to compute translations
s1=U
# inverse bits should appear in the base of any level that uses inverse bits
s2:c200.c511=Restricted
# repeat as required...
# Modifier Groups should be in the order of appearance in the translated range.
ModifierGroup=GROUP1
# Allowed white space can be defined
Whitespace=- ,/
# Join defines the character between multiple members of this group
Join=/
# A Prefix can be defined per group
Prefix=Releasable to
# Inverse categories (releasabilities) should always be set as Default categories in every ModifierGroup
Default=c200.c511
# format is raw_categories=name
# ~ turns off inverse bits
~c200.c511=EVERYBODY
# Aruba - bit 201
~c200,~c201=ABW
~c200,~c201=AA
# Afghanistan - bit 202
~c200,~c202=AFG
~c200,~c202=AF
# repeat as required...

# Another Modifier Group
ModifierGroup=GROUP2
# With different white space
Whitespace=
# And different Join
Join=,
# A Suffix can be defined per group
Suffix=Eyes only
# Default categories need to be consistent
Default=c200.c511
# New domain
Domain=NAME2
# any text can be put in a separate file
Include=PATH
Include=PATH

Example file contents:

# setrans.conf
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation library
# disable=1
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
Supporting libselinux API functions are:
selinux_translations_path
selinux_raw_to_trans_context
selinux_trans_to_raw_context
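An added example, not code from the SELinux Notebook or from mcstrans, showing what the fixed `raw_range=trans_range` translations and the `disable` flag do to a context string in the way selinux_raw_to_trans_context(3) and selinux_trans_to_raw_context(3) are described. It handles only those fixed lines of the format above (the Domain, Base and ModifierGroup composition rules are not implemented), and works over a constructed copy of the example file; the function names and the sample contexts are assumptions.

```python
"""Translate MLS/MCS ranges in a context using setrans.conf fixed translations.

Added example, not code from the SELinux Notebook or mcstrans.  Only the
raw_range=trans_range lines and the disable flag are handled.
"""

# Constructed copy of the page's example setrans.conf (translation lines only).
SETRANS_CONF = """\
# setrans.conf
#
# Uncomment the following to disable translation library
# disable=1
#
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s1=Unclassified
s2=Secret
s2:c0=A
s2:c1=B
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
"""


def parse_setrans(text):
    """Return (disabled, {raw_range: trans_range}).  When the same raw range is
    listed twice (an alias) the first translation is kept, as the format
    overview says the first one is used to compute translations."""
    disabled = False
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "disable":
            disabled = value == "1"
        else:
            table.setdefault(key, value)
    return disabled, table


def _split_context(context):
    """Split user:role:type:range; the range itself may contain ':'."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError("context has no range component: %r" % context)
    return parts


def raw_to_trans_context(context, disabled, table):
    """Replace the raw range with its translation.  Ranges with no entry are
    left as they are, and nothing is translated when disable=1 is set."""
    if disabled:
        return context
    user, role, typ, rng = _split_context(context)
    return ":".join((user, role, typ, table.get(rng, rng)))


def trans_to_raw_context(context, disabled, table):
    """Inverse mapping: a translated range back to the raw range."""
    if disabled:
        return context
    reverse = {trans: raw for raw, trans in table.items()}
    user, role, typ, rng = _split_context(context)
    return ":".join((user, role, typ, reverse.get(rng, rng)))


if __name__ == "__main__":
    disabled, table = parse_setrans(SETRANS_CONF)
    ctx = "unconfined_u:unconfined_r:unconfined_t:s0-s15:c0.c1023"
    shown = raw_to_trans_context(ctx, disabled, table)
    print(shown)
    print(trans_to_raw_context(shown, disabled, table))
```

Splitting the context with a maximum of three splits is the detail that matters: an MLS range such as `s2:c0,c1-s15:c0.c1023` contains colons of its own, so a naive split on every colon would mangle the range before it is looked up.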
secolor.conf File
The secolor.conf(5) file controls the colour to be associated to the components of a context when information is displayed by an SELinux colour-aware application (currently none, although there are two examples in the Notebook source tarball under the libselinux/examples directory). The file format is as follows:
color color_name = #color_mask
context_component string = fg_color_name bg_color_name
Where:
color | The color keyword. |
color_name | A descriptive name for the colour (e.g. red). |
color_mask | A colour mask starting with a hash (#) that describes the RGB colours with black being #000000 and white being #ffffff. |
context_component | The colour translation supports different colours on the context string components (user, role, type and range). Each component is on a separate line. |
string | This is the context_component string that will be matched with the raw context component passed by selinux_raw_context_to_color(3)
A wildcard '*' may be used to match any undefined string for the user, role and type context_component entries only. |
fg_color_name | The color_name string that will be used as the foreground colour.
A color_mask may also be used. |
bg_color_name | The color_name string that will be used as the background colour.
A color_mask may also be used. |
Example file contents:
color black  = #000000
color green  = #008000
color yellow = #ffff00
color blue   = #0000ff
color white  = #ffffff
color red    = #ff0000
color orange = #ffa500
color tan    = #D2B48C

user * = black white
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023 = black yellow
Supporting libselinux API functions are:
selinux_colors_path selinux_raw_context_to_color - this call returns the foreground and background colours of the context string as the specified RGB 'color' hex digits as follows: user : role : type : range #000000 #ffffff #ffffff #000000 #d2b48c #ffa500 #000000 #008000 black white white black tan orange black green
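The following is an added example (not libselinux or mcstrans code) that parses a secolor.conf(5)-style file and resolves a raw context to the per-component foreground and background colours, producing the same eight-field string shown above for '''selinux_raw_context_to_color'''(3). The sample file is the example contents above plus one constructed <tt>type sshd_t</tt> line that uses a colour mask instead of a colour name; treating lines that start with '#' as comments, and preferring an exact string match over the '*' wildcard, are this example's own assumptions.

```python
"""Parse a secolor.conf(5)-style file and colour a raw SELinux context.
Added example; not libselinux or mcstrans code."""
import re

# Constructed sample: the page's example file plus a "type sshd_t" line
# that uses a literal colour mask as the foreground colour.
SECOLOR_CONF = """\
color black  = #000000
color green  = #008000
color yellow = #ffff00
color blue   = #0000ff
color white  = #ffffff
color red    = #ff0000
color orange = #ffa500
color tan    = #D2B48C
user  *      = black white
role  *      = white black
type  sshd_t = #ff0000 white
type  *      = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023   = black yellow
"""

COMPONENTS = ("user", "role", "type", "range")
MASK_RE = re.compile(r"^#[0-9a-fA-F]{6}$")


def parse_secolor(text):
    """Return (colors, rules): colors maps name -> '#rrggbb'; rules maps each
    context component to an ordered list of (string, fg_mask, bg_mask)."""
    colors = {}
    rules = {c: [] for c in COMPONENTS}

    def to_mask(token):
        # A colour may be given by name or as a literal #rrggbb mask.
        if MASK_RE.match(token):
            return token.lower()
        if token in colors:
            return colors[token]
        raise ValueError(f"unknown colour {token!r}")

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines are comments
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: missing '='")
        lhs, rhs = (side.split() for side in line.split("=", 1))
        if len(lhs) != 2:
            raise ValueError(f"line {lineno}: expected 'keyword name = ...'")
        keyword, name = lhs
        if keyword == "color":
            if len(rhs) != 1 or not MASK_RE.match(rhs[0]):
                raise ValueError(f"line {lineno}: bad colour mask")
            colors[name] = rhs[0].lower()
        elif keyword in COMPONENTS:
            if len(rhs) != 2:
                raise ValueError(f"line {lineno}: expected 'fg_color bg_color'")
            rules[keyword].append((name, to_mask(rhs[0]), to_mask(rhs[1])))
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return colors, rules


def context_to_color(raw_context, rules):
    """Return {component: (fg, bg)} for user:role:type[:range].
    An exact string match wins over the '*' wildcard (assumed ordering)."""
    parts = raw_context.split(":", 3)  # the range keeps its own ':' separators
    if len(parts) < 3:
        raise ValueError("context needs at least user:role:type")
    result = {}
    for component, value in zip(COMPONENTS, parts):
        entries = rules[component]
        match = (next((e for e in entries if e[0] == value), None)
                 or next((e for e in entries if e[0] == "*"), None))
        if match is None:
            raise LookupError(f"no colour rule for {component} {value!r}")
        result[component] = (match[1], match[2])
    return result


def has_color(raw_context, rules):
    """True when every component of the context has a colour rule."""
    try:
        context_to_color(raw_context, rules)
        return True
    except LookupError:
        return False


def color_string(raw_context, rules):
    """'fg bg' pairs in user, role, type, range order, as the API formats them."""
    return " ".join(f"{fg} {bg}" for fg, bg in context_to_color(raw_context, rules).values())
```

Note that the sample defines no '*' rule for the range component, so a context whose range is not listed (for example <tt>s2</tt>) has no colour; a colour-aware application has to handle that case rather than assume every context resolves.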
== policy/policy.<ver> File ==
This is the binary policy file that is loaded into the kernel to enforce policy and is built by either '''checkpolicy''' or '''semodule'''. Life is too short to describe the format but the libsepol source could be used as a reference, or for an overview see the "SELinux Policy Module Primer" notes.
By convention the file name extension is the policy database version used to build the policy, however it is not mandatory as the true version is built into the policy file. The different policy versions are discussed in the Policy Versions section.
== contexts/customizable_types File ==
The '''customizable_types'''(5) file contains a list of types that will not be relabeled by the '''setfiles'''(8) or '''restorecon'''(8) commands. The commands check this file before relabeling and exclude those in the list unless the <tt>-F</tt> flag is used (see the man pages).
The file format is as follows:
<pre>
type
</pre>
'''Where:'''
{| class="wikitable"
| type || The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.
|}
'''Example file contents:'''
<pre>
# contexts/customizable_types
mount_loopback_t
public_content_rw_t
public_content_t
swapfile_t
sysadm_untrusted_content_t
sysadm_untrusted_content_tmp_t
</pre>
'''Supporting libselinux API functions are:'''
<pre>
is_context_customizable
selinux_customizable_types_path
selinux_context_path
</pre>
== contexts/default_contexts File ==
The '''default_contexts'''(5) file is used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:
* The GNU / Linux user identity should be known by the application.
* If a login application, then the SELinux user (seuser), would have been determined as described in the seusers file section.
* The login applications will check the contexts/users/[seuser_id] file first and if no valid entry, will then look in this file (contexts/default_contexts) for a default context to use.
The file format is as follows:
<pre>
role:type[:range] role:type[:range] ...
</pre>
'''Where:'''
{| class="wikitable"
| role:type[:range] || The file contains one or more lines that consist of role:type[:range] pairs (including the MLS / MCS level or range if applicable). The entry at the start of a new line corresponds to the partial role:type[:range] context of (generally) the login application. The other role:type[:range] entries on that line represent an ordered list of valid contexts that may be used to set the user's context.
|}
'''Example file contents:'''
<pre>
# contexts/default_contexts
system_r:crond_t:s0        system_r:system_crond_t:s0
system_r:local_login_t:s0  user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0         user_r:user_t:s0
system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0
system_r:xdm_t:s0          user_r:user_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
# Note that the contexts/users/[seuser_id] file is also read
# by some of these functions.
selinux_contexts_path
selinux_default_context_path
get_default_context
get_ordered_context_list
get_ordered_context_list_with_level
get_default_context_with_level
get_default_context_with_role
get_default_context_with_rolelevel
query_user_context
manual_user_enter_context
</pre>
An example use in this Notebook (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was unconfined_u:unconfined_r:unconfined_t).
However when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. unconfined_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged in user context to unconfined_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and chose the wrong one, probably because the types are sorted and 'e' comes before 'u').
The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to:
<pre>
unconfined_r:unconfined_t unconfined_r:unconfined_t
</pre>
The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/unconfined_u configuration file instead could also have achieved this.
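The following added example (not libselinux code) emulates the ordered-context selection a login program gets from '''get_ordered_context_list'''(3) and '''get_default_context'''(3): the contexts/users/[seuser_id] file is consulted first, then contexts/default_contexts, only candidates the policy actually permits are kept, and contexts/failsafe_context is the last resort. The sample files are constructed from the example contents on this page. The <tt>reachable</tt> list handed in by the caller stands in for the kernel's own computation of which contexts a user may reach, and the fallback order when neither file has a matching line (policy order first, failsafe only when nothing is reachable) is this example's assumption, chosen so that the Notebook's ext_gateway_t surprise described above can be reproduced and then fixed with the one-line entry the text gives.

```python
"""Emulate the default-context selection made by login programs.
Added example; not libselinux code."""
from collections import OrderedDict

# Constructed sample files, taken from the example contents on this page.
DEFAULT_CONTEXTS = """\
# contexts/default_contexts
system_r:crond_t:s0        system_r:system_crond_t:s0
system_r:local_login_t:s0  user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0         user_r:user_t:s0
system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0
system_r:xdm_t:s0          user_r:user_t:s0
"""

USER_CONTEXTS = {
    # contexts/users/unconfined_u (abridged)
    "unconfined_u": """\
system_r:local_login_t:s0  unconfined_r:unconfined_t:s0
system_r:sshd_t:s0         unconfined_r:unconfined_t:s0
""",
}

FAILSAFE_CONTEXT = "unconfined_r:unconfined_t:s0"   # contexts/failsafe_context


def parse_context_file(text):
    """Map the leading role:type[:range] of each line to its ordered candidates.
    The first line for a given key wins; later duplicates are ignored."""
    table = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *candidates = line.split()
        table.setdefault(key, candidates)
    return table


def ordered_context_list(seuser, app_context, reachable,
                         user_files=USER_CONTEXTS, default_file=DEFAULT_CONTEXTS,
                         failsafe=FAILSAFE_CONTEXT):
    """Return the ordered list of full contexts the login program may use.

    app_context is the login program's own context; its user component is
    dropped to form the partial role:type[:range] looked up in the files.
    reachable is the list of role:type[:range] the policy permits for seuser
    (stand-in for the kernel query libselinux performs)."""
    partial = app_context.split(":", 1)[1]
    ordered = []
    for text in (user_files.get(seuser), default_file):
        if text is None:
            continue
        for cand in parse_context_file(text).get(partial, []):
            if cand in reachable and cand not in ordered:
                ordered.append(cand)
    if not ordered:
        # Assumption: with no file entry the choice is left to policy order,
        # which is how the Notebook ended up with ext_gateway_t.
        ordered = list(reachable)
    if not ordered:
        ordered = [failsafe]
    return [f"{seuser}:{c}" for c in ordered]


def default_context(seuser, app_context, reachable, **files):
    """The single context a login program would pick: first of the ordered list."""
    return ordered_context_list(seuser, app_context, reachable, **files)[0]
```

The two Notebook situations map directly onto the inputs: with an empty default_contexts and two reachable types the program picks whichever the policy lists first; once the <tt>unconfined_r:unconfined_t unconfined_r:unconfined_t</tt> line is present the lookup of the login program's own partial context returns the intended type.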
== contexts/dbus_contexts File ==
This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The '''dbus-daemon'''(1) man page details the contents and the Free Desktop web site has detailed information at:
'''Example file contents:'''
<pre>
# contexts/dbus_contexts
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <selinux>
  </selinux>
</busconfig>
</pre>
'''Supporting libselinux API function is:'''
<pre>
selinux_context_path
</pre>
== contexts/default_type File ==
The '''default_type'''(5) file allows SELinux-aware applications such as '''newrole'''(1) to select a default type for a role if one is not supplied.
The file format is as follows:
<pre>
role:type
</pre>
'''Where:'''
{| class="wikitable"
| role:type || The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.
|}
'''Example file contents:'''
<pre>
# contexts/default_type
auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_default_type_path
get_default_type
</pre>
== contexts/failsafe_context File ==
The '''failsafe_context'''(5) file is used when a login process cannot determine a default context to use. The file contents will then be used to allow an administrator access to the system.
The file format is as follows:
<pre>
role:type[:range]
</pre>
'''Where:'''
{| class="wikitable"
| role:type[:range] || A single line that has a valid context to allow an administrator access to the system, including the MLS / MCS level or range if applicable.
|}
'''Example file contents:'''
<pre>
# contexts/failsafe_context - Taken from the targeted policy.
unconfined_r:unconfined_t
</pre>
<pre>
# contexts/failsafe_context - Taken from the MLS policy.
sysadm_r:sysadm_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_context_path
selinux_failsafe_context_path
get_default_context
get_default_context_with_role
get_default_context_with_level
get_default_context_with_rolelevel
get_ordered_context_list
get_ordered_context_list_with_level
</pre>
== contexts/initrc_context File ==
This is used by the '''run_init'''(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.
The file format is as follows:
<pre>
user:role:type[:range]
</pre>
'''Where:'''
{| class="wikitable"
| user:role:type[:range] || The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.
|}
'''Example file contents:'''
<pre>
# contexts/initrc_context - Taken from the targeted policy.
system_u:system_r:initrc_t:s0
</pre>
<pre>
# contexts/initrc_context - Taken from the MLS policy
# Note that the init process has full access via the
# range s0-s15:c0.c255.
system_u:system_r:initrc_t:s0-s15:c0.c255
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_context_path
</pre>
== contexts/lxc_contexts File ==
This file supports labeling lxc containers within the libvirt library (see libvirt source <tt>src/security/security_selinux.c</tt>). This is similar to the virtual_domain_context and virtual_image_context files used by libvirt qemu services.
The file format is as follows:
<pre>
process = "security_context"
file = "security_context"
content = "security_context"
sandbox_kvm_process = "security_context"
sandbox_lxc_process = "security_context"
</pre>
'''Where:'''
{| class="wikitable"
| process || A single process entry that contains the lxc domain security context, including the MLS / MCS level or range if applicable.
|-
| file || A single file entry that contains the lxc file security context, including the MLS / MCS level or range if applicable.
|-
| content || A single content entry that contains the lxc content security context, including the MLS / MCS level or range if applicable.
|-
| sandbox_kvm_process<br />sandbox_lxc_process || These entries may be present, however in F-20 they are not currently used.
|}
'''Example file contents:'''
<pre>
# contexts/lxc_contexts
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_context_path
selinux_lxc_context_path
</pre>
== contexts/netfilter_contexts File ==
This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the modules/active/netfilter_contexts file section for further information).
'''Supporting libselinux API functions are:'''
<pre>
selinux_context_path
selinux_netfilter_context_path
</pre>
== contexts/removable_context File ==
The '''removable_context'''(5) file contains a single default label that should be used for removable devices that are not defined in the contexts/files/media file.
The file format is as follows:
<pre>
user:role:type[:range]
</pre>
'''Where:'''
{| class="wikitable"
| user:role:type[:range] || The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.
|}
'''Example file contents:'''
<pre>
# contexts/removable_contexts
system_u:object_r:removable_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_removable_context_path
</pre>
== contexts/securetty_types File ==
The '''securetty_types'''(5) file is used by the '''newrole'''(1) command to find the type to use with tty devices when changing roles or levels.
The file format is as follows:
<pre>
type
</pre>
'''Where:'''
{| class="wikitable"
| type || Zero or more type entries that are defined in the policy for tty devices.
|}
'''Example file contents:'''
<pre>
# contexts/securetty_types
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_securetty_types_path
</pre>
== contexts/sepgsql_contexts File ==
This file contains the default security contexts for SE-PostgreSQL database objects and is described in '''selabel_db'''(5).
The file format is as follows (each line within the database contexts file has these three fields):
<pre>
object_type object_name context
</pre>
'''Where:'''
{| class="wikitable"
| object_type || This is the string representation of the object type.
|-
| object_name || These are the object names of the specific database objects. The entry can contain '*' for wildcard matching or '?' for substitution. Note that if the '*' is used, then be aware that the order of entries in the file is important. The '*' on its own is used to ensure a default fallback context is assigned and should be the last entry in the object_type block.
|-
| context || The security context that will be applied to the object.
|}
'''Example file contents:'''
<pre>
# contexts/sepgsql_contexts file
# object_type  object_name  context
db_database    my_database  system_u:object_r:my_sepgsql_db_t:s0
db_database    *            system_u:object_r:sepgsql_db_t:s0
db_schema      *.*          system_u:object_r:sepgsql_schema_t:s0
</pre>
== contexts/systemd_contexts File ==
This file is not currently used in F-20 but seems to contain file contexts to be used by tasks run via '''systemd'''(8) in a later release. There are some patches in the systemd mail archive that relate to this file.
The file format is as follows:
<pre>
service_class = security_context
</pre>
'''Where:'''
{| class="wikitable"
| service_class || One or more entries that relate to the systemd service (e.g. runtime, transient).
|-
| security_context || The security context, including the MLS / MCS level or range if applicable, of the service to be run.
|}
'''Example file contents:'''
<pre>
# contexts/systemd_contexts
runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_context_path
selinux_systemd_contexts_path
</pre>
== contexts/userhelper_context File ==
This file contains the default security context used by the system-config-* applications when running from root.
The file format is as follows:
<pre>
security_context
</pre>
'''Where:'''
{| class="wikitable"
| security_context || The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.
|}
'''Example file contents:'''
<pre>
# /contexts/userhelper_context - Taken from the standard reference policy.
system_u:sysadm_r:sysadm_t
</pre>
<pre>
# contexts/userhelper_context - Taken from the MLS/MCS reference policy.
system_u:sysadm_r:sysadm_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_context_path
</pre>
== contexts/virtual_domain_context File ==
The '''virtual_domain_context'''(5) file is used by the virtualization API (libvirt) and provides the qemu domain contexts available in the policy (see libvirt source <tt>src/security/security_selinux.c</tt>). There may be two entries in this file, with the second entry being an alternative domain context.
'''Example file contents:'''
<pre>
# contexts/virtual_domain_context - From targeted policy.
system_u:system_r:svirt_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_virtual_domain_context_path
</pre>
== contexts/virtual_image_context File ==
The '''virtual_image_context'''(5) file is used by the virtualization API (libvirt) and provides the image contexts that are available in the policy (see libvirt source <tt>src/security/security_selinux.c</tt>). The first entry is the image file context and the second entry is the image content context.
'''Example file contents:'''
<pre>
# contexts/virtual_image_context - From targeted policy.
system_u:system_r:svirt_image_t:s0
system_u:system_r:svirtcontent_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_virtual_image_context_path
</pre>
== contexts/x_contexts File ==
The '''x_contexts'''(5) file provides the default security contexts for the X-Windows SELinux security extension. The usage is discussed in the SELinux X-Windows Support section. The MCS / MLS version of the file has the appropriate level or range information added.
A typical entry is as follows:
<pre>
# object_type  object_name  context
selection      PRIMARY      system_u:object_r:clipboard_xselection_t
</pre>
'''Where:'''
{| class="wikitable"
| object_type || These are types of object supported and valid entries are: client, property, poly_property, extension, selection, poly_selection and events.
|-
| object_name || These are the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package). This can contain '*' for 'any' or '?' for 'substitute' (see the CUT_BUFFER? entry where the '?' would be substituted for a number between 0 and 7 that represents the number of these buffers).
|-
| context || This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label.
|}
'''Example file contents:'''
<pre>
#
# Config file for XSELinux extension
#

### Rules for X Clients
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client *                      system_u:object_r:remote_t

### Rules for X Properties
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
property _SELINUX_*           system_u:object_r:seclabel_xproperty_t
# Clipboard and selection properties
property CUT_BUFFER?          system_u:object_r:clipboard_xproperty_t
# Default fallback type
property *                    system_u:object_r:xproperty_t

### Rules for X Extensions
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux             system_u:object_r:security_xextension_t
# Standard extensions
extension *                   system_u:object_r:xextension_t

### Rules for X Selections
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY             system_u:object_r:clipboard_xselection_t
selection CLIPBOARD           system_u:object_r:clipboard_xselection_t
# Default fallback type
selection *                   system_u:object_r:xselection_t

### Rules for X Events
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress                        system_u:object_r:input_xevent_t
event X11:KeyRelease                      system_u:object_r:input_xevent_t
event X11:ButtonPress                     system_u:object_r:input_xevent_t
event X11:ButtonRelease                   system_u:object_r:input_xevent_t
event X11:MotionNotify                    system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyPress      system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyRelease    system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonPress   system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceMotionNotify  system_u:object_r:input_xevent_t
event XInputExtension:DeviceValuator      system_u:object_r:input_xevent_t
event XInputExtension:ProximityIn         system_u:object_r:input_xevent_t
event XInputExtension:ProximityOut        system_u:object_r:input_xevent_t
# Client message events
event X11:ClientMessage                   system_u:object_r:client_xevent_t
event X11:SelectionNotify                 system_u:object_r:client_xevent_t
event X11:UnmapNotify                     system_u:object_r:client_xevent_t
event X11:ConfigureNotify                 system_u:object_r:client_xevent_t
# Default fallback type
event *                                   system_u:object_r:xevent_t
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_x_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats
</pre>
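Both the sepgsql_contexts and the x_contexts sections above describe the same three-field <tt>object_type object_name context</tt> layout, first-match lookup, and the warning that a '*' entry must come last in its object_type block. The following added example (not libselinux code) implements that lookup over constructed samples drawn from both sections, using <tt>fnmatch</tt>-style matching so that '*' means any string and '?' substitutes one character, and adds a small check that reports entries an earlier wildcard would shadow. Whether libselinux's label backends use exactly fnmatch semantics is an assumption of this example.

```python
"""First-match object_type/object_name lookup for x_contexts and
sepgsql_contexts style files, with a shadowed-entry check.
Added example; not libselinux code."""
import fnmatch

# Constructed samples, abridged from the example file contents on this page.
X_CONTEXTS = """\
# object_type object_name context
client     *            system_u:object_r:remote_t
property   _SELINUX_*   system_u:object_r:seclabel_xproperty_t
property   CUT_BUFFER?  system_u:object_r:clipboard_xproperty_t
property   *            system_u:object_r:xproperty_t
selection  PRIMARY      system_u:object_r:clipboard_xselection_t
selection  CLIPBOARD    system_u:object_r:clipboard_xselection_t
selection  *            system_u:object_r:xselection_t
event      X11:KeyPress system_u:object_r:input_xevent_t
event      *            system_u:object_r:xevent_t
"""

SEPGSQL_CONTEXTS = """\
# object_type object_name context
db_database  my_database  system_u:object_r:my_sepgsql_db_t:s0
db_database  *            system_u:object_r:sepgsql_db_t:s0
db_schema    *.*          system_u:object_r:sepgsql_schema_t:s0
"""


def parse_label_file(text):
    """Return the file as an ordered list of (object_type, pattern, context)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        specs.append(tuple(fields))
    return specs


def lookup(specs, object_type, object_name):
    """First entry whose object_type matches and whose pattern matches the
    name wins, so file order decides; None when no entry matches."""
    for otype, pattern, context in specs:
        if otype == object_type and fnmatch.fnmatchcase(object_name, pattern):
            return context
    return None


def shadowed_entries(specs):
    """Entries that can never be selected because an earlier entry of the
    same object_type always matches first.  Detected cases: an earlier '*',
    an identical pattern, or a literal name matched by an earlier pattern."""
    earlier = {}
    shadowed = []
    for otype, pattern, _ in specs:
        literal = not any(ch in pattern for ch in "*?[")
        for prev in earlier.get(otype, []):
            if prev == "*" or prev == pattern or (literal and fnmatch.fnmatchcase(pattern, prev)):
                shadowed.append((otype, pattern))
                break
        earlier.setdefault(otype, []).append(pattern)
    return shadowed
```

Running <tt>shadowed_entries</tt> over a file before installing it catches the ordering mistake the text warns about: a block whose '*' line sits above its specific entries silently labels everything with the fallback context.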
== contexts/files/file_contexts File ==
The '''file_contexts'''(5) file is managed by the '''semodule'''(8) and '''semanage'''(8) commands[1] as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited.
The file is used by a number of SELinux-aware commands ('''setfiles'''(8), '''fixfiles'''(8), '''matchpathcon'''(8), '''restorecon'''(8)) to relabel either part or all of the file system.
Note that users' home directory file contexts are not present in this file as they are managed by the file_contexts.homedirs file as explained below.
The format of the file_contexts file is the same as the files described in the modules/active/file_contexts file section.
There may also be a file_contexts.bin present that is built and used by '''semanage'''(8). The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.
'''Supporting libselinux API functions are:'''
<pre>
selinux_file_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats
</pre>
== contexts/files/file_contexts.local File ==
This file is added by the '''semanage fcontext''' command as described in the modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly. The '''file_contexts'''(5) man page also describes this file.
'''Supporting libselinux API functions are:'''
<pre>
selinux_file_context_local_path
</pre>
== contexts/files/file_contexts.homedirs File ==
This file is managed by the '''semodule'''(8) and '''semanage'''(8) commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.
It is generated by the '''genhomedircon'''(8) command (in fact by '''semodule -Bn''' that rebuilds the policy) and used to set the correct contexts on the users' home directory and files.
It is fully described in the modules/active/file_contexts.homedirs file section. The '''file_contexts'''(5) man page also describes this file.
There may also be a file_contexts.homedirs.bin present that is built and used by '''semanage'''(8). The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.
'''Supporting libselinux API functions are:'''
<pre>
selinux_file_context_homedir_path
selinux_homedir_context_path
</pre>
== contexts/files/file_contexts.subs and file_contexts.subs_dist File ==
These files allow substitution of file names (.subs for local use and .subs_dist for GNU / Linux distributions use) for the libselinux functions '''matchpathcon'''(3) and '''selabel_lookup'''(3). The '''file_contexts'''(5) man page also describes these files.
The subs files contain a list of space separated path names such as:
<pre>
/myweb /var/www
/myspool /var/spool/mail
</pre>
Then (for example), when '''matchpathcon'''(3) or '''selabel_lookup'''(3) is passed a path /myweb/index.html the functions will substitute the /myweb component with /var/www, with the final result being:
<pre>
/var/www/index.html
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_file_context_subs_path
selinux_file_context_subs_dist_path
selabel_lookup
matchpathcon
matchpathcon_index
</pre>
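The following added example (not libselinux code) performs the path substitution described above on a constructed subs file: the sample holds the two entries from the text plus a nested <tt>/myweb/static</tt> entry. Substitution is applied only at a path component boundary, so <tt>/mywebsite</tt> is not rewritten by the <tt>/myweb</tt> entry, and the longest matching prefix wins; the longest-prefix rule is this example's choice, since the page does not state how libselinux orders nested prefixes.

```python
"""Apply file_contexts.subs style path substitution before a label lookup.
Added example; not libselinux code."""
import posixpath

# Constructed sample: the page's two entries plus a nested prefix.
SUBS = """\
# local path   real path
/myweb         /var/www
/myspool       /var/spool/mail
/myweb/static  /srv/static
"""


def parse_subs(text):
    """Return (src, dst) pairs, longest source prefix first."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or not all(f.startswith("/") for f in fields):
            raise ValueError(f"line {lineno}: expected two absolute paths")
        src, dst = (posixpath.normpath(f) for f in fields)
        pairs.append((src, dst))
    pairs.sort(key=lambda p: len(p[0]), reverse=True)
    return pairs


def substitute(path, pairs):
    """Rewrite the leading component(s) of path according to the subs pairs.
    Only whole components match: '/myweb' rewrites '/myweb/x', not '/mywebsite'."""
    path = posixpath.normpath(path)
    for src, dst in pairs:
        if path == src:
            return dst
        if path.startswith(src + "/"):
            return dst + path[len(src):]
    return path
```

The rewritten path is what '''matchpathcon'''(3) or '''selabel_lookup'''(3) then matches against file_contexts, so an over-broad subs entry would make unrelated files inherit another directory's labels; checking the boundary and normalizing <tt>..</tt> and doubled slashes first keeps the mapping predictable.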
== contexts/files/media File ==
The '''media'''(5) file is used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the contexts/removable_context file is used instead.
The file format is as follows:
<pre>
media_id file_context
</pre>
'''Where:'''
{| class="wikitable"
| media_id || The media identifier (those known are: cdrom, floppy, disk and usb).
|-
| file_context || The context to be used for the device (note that it does not have the MLS / MCS level).
|}
'''Example file contents:'''
<pre>
# contexts/files/media
# Note the same file is generated for all types of policy.
cdrom  system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk   system_u:object_r:fixed_disk_device_t
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_media_context_path
</pre>
== contexts/users/[seuser_id] File ==
These optional files are named after the SELinux user they represent. Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user (generally during login). The '''user_contexts'''(5) man page also describes these entries.
'''Example file contents:'''
<pre>
# contexts/users/unconfined_u - From the targeted policy.
system_r:crond_t:s0          unconfined_r:unconfined_t:s0
system_r:initrc_t:s0         unconfined_r:unconfined_t:s0
system_r:local_login_t:s0    unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0   unconfined_r:unconfined_t:s0
system_r:sshd_t:s0           unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0      unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0     unconfined_r:unconfined_t:s0
system_r:initrc_su_t:s0      unconfined_r:unconfined_t:s0
unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0            unconfined_r:unconfined_t:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
selinux_user_contexts_path
selinux_users_path
selinux_usersconf_path
get_default_context
get_default_context_with_role
get_default_context_with_level
get_default_context_with_rolelevel
get_ordered_context_list
get_ordered_context_list_with_level
</pre>
== logins/<linuxuser_id> File ==
These optional files are used by SELinux-aware login applications such as PAM (using the pam_selinux module) to obtain an SELinux user name and level based on the GNU / Linux login id and service name. It has been implemented for SELinux-aware applications such as FreeIPA (Identity, Policy, Audit; see http://freeipa.org/page/Main_Page for details). The '''service_seusers'''(5) man page also describes these entries.
The file name is based on the GNU/Linux user that is used at log in time (e.g. ipa).
If '''getseuser'''(3) fails to find an entry, then the seusers file is used to retrieve default information.
The file format is as follows:
<pre>
service_name:seuser_id:level
</pre>
'''Where:'''
{| class="wikitable"
| service_name || The name of the service.
|-
| seuser_id || The SELinux user name.
|-
| level || The run level.
|}
'''Example file contents:'''
<pre>
# logins/ipa example entries
ipa_service:user_u:s0
another_service:unconfined_u:s0
</pre>
'''Supporting libselinux API functions are:'''
<pre>
getseuser
</pre>
== users/local.users File ==
Generally the '''local.users'''(5) file is not present if '''semanage'''(8) is being used to manage users, however if semanage is not being used then this file may be present (it could also be present in older Reference or Example policies).
The file would contain local user definitions in the form of user statements as defined in the modules/active/users.local section.
Note that if SETLOCALDEFS is set in the SELinux config file, then '''selinux_mkload_policy'''(3) will check for a local.users file in the '''selinux_users_path'''(3), and a booleans.local file in the '''selinux_booleans_path'''(3).
: [1] As each module would have its own file_contexts component that is either added to or removed from the policy's overall /etc/selinux/<policy_name>/contexts/files/file_contexts file.