SELinux Security Policy – Part 1: Is it magic?
For a long time I tried to explain SELinux with different techniques – nice pictures with houses, with animals, with animations and so on. Despite that, SELinux is still magic to some of the people I talk to. So I was thinking about a new way (again), and I decided to explain it step by step, without any magic. The first topic is the SELinux security policy.
What is a SELinux Security Policy?
It is the core component of SELinux: a collection of SELinux policy rules, compiled into binary form and loaded into the kernel by the SELinux userspace tools.
Picture 1: SELinux binary policy vs. SELinux kernel policy
Once the binary policy is built and loaded into the kernel, the policy is ENFORCED on your system by the kernel. Every request from a user-level process to access a system resource is checked against the SELinux security policy. This is done by LSM (Linux Security Modules) hooks placed in all significant system calls.
Picture 2: LSM hook architecture
By default EVERYTHING is denied, and you define policy rules to allow specific requests.
What does SELinux policy RULE describe?
It describes an INTERACTION between processes and system resources.
How can I describe this kind of interaction for my apache server?
I have an apache process that needs to access its log file. I would like to add an SELinux policy rule reflecting the following interaction
"APACHE process can READ own LOGGING FILE"
so that I am able to read important info from the apache logging file.
What is SELinux view of that interaction?
The SELinux view of that interaction has the following form
ALLOW apache_process apache_log:FILE READ;
where apache_process and apache_log are LABELS. These labels are assigned to processes and system resources by the SELinux security policy to map real system entities into the SELinux world.
Because everything is denied by default, we mostly define ALLOW rules that say which operations are allowed between labeled processes and system resources. SELinux ALLOW rules have the following form
ALLOW LABEL1 LABEL2:OBJECT_CLASS PERMISSION;
With this knowledge we can try to respond to the following question in more detail. “What does SELinux policy rule describe?”
It describes an INTERACTION between processes and system resources in the form of RULES. This interaction is specified between LABELS, which the SELinux security policy assigns in order to map real system entities into the SELinux world.
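As an added example (not code from the original post), here is a small Python evaluator for rules of this form: it parses ALLOW rules into a table keyed by (source label, target label, object class) and answers access requests with the default-deny behaviour described above. The labels in the sample policy are the post's placeholder names rather than labels from a real policy; apache_config and shadow_file are assumed, constructed labels.

```python
import re
from collections import defaultdict

# Matches one allow rule in the form shown in the post, e.g.
#   allow apache_process apache_log:file { read getattr };
#   ALLOW apache_process apache_log:FILE READ;
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;\s*$",
    re.IGNORECASE,
)


def parse_policy(text):
    """Parse allow rules into {(source, target, class): set(permissions)}."""
    rules = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an allow rule: {line!r}")
        src, tgt, cls, perms = m.groups()
        # a braced list "{ read getattr }" or a single permission "read"
        rules[(src, tgt, cls)].update(perms.strip("{} ").split())
    return rules


def is_allowed(rules, src, tgt, cls, perm):
    """Default deny: a request passes only if some allow rule covers it."""
    return perm in rules.get((src, tgt, cls), set())


# Constructed sample policy using the post's placeholder labels
SAMPLE_POLICY = """
# the interaction from the post: apache may read its own log file
allow apache_process apache_log:file { read getattr open };
allow apache_process apache_config:file { read getattr };
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for req in [("apache_process", "apache_log", "file", "read"),
                ("apache_process", "apache_log", "file", "write"),
                ("apache_process", "shadow_file", "file", "read")]:
        print(req, "->", "ALLOW" if is_allowed(rules, *req) else "DENY")
```

Only the first request is granted; the other two hit no rule and fall through to the default deny.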