2. Traditional UNIX DAC approach
● Owner controls access to object
● File owner/group
● Process with effective UID/GID
● File mode
● Almighty root user above the rules
3. SELinux MAC approach
● Policy controls access to objects
● Labeled objects (files, sockets, …)
● Labeled processes (domains)
● Policy rules
● Concept of “almighty” unconfined processes is defined within policy
…
4. DAC and MAC at the same time
● Allows for tighter privilege control
UNIX (DAC)                              SELinux (MAC)
File owner/group: UID/GID               File context (FC): label
Process effective user/group: UID/GID   Process domain: label
File mode                               Type Enforcement (TE) rules
setuid()                                Domain transition
Setuid bit                              File context + implicit domain transition rule
8. Type Enforcement rules
● Specified in custom DSL + M4
● Compiled & loaded into kernel at runtime
cron.te:
allow system_cronjob_t cron_log_t:file manage_file_perms;
⋮
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
9. Domains
● TE rules control domain transition
● Transitioned into upon execution of labeled file
● Remember the setuid bit?
● "unconfined" domains
cron.te:
init_daemon_domain(system_cronjob_t, anacron_exec_t)
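The three ideas on slides 4, 8 and 9 (DAC and MAC evaluated together, TE allow rules, and domain transition on exec as the MAC counterpart of the setuid bit) are easiest to see when run side by side. The following is an added toy model written for this page, not SELinux source and not part of the talk: it parses raw `allow` and `type_transition` statements (no M4 macros such as `manage_file_perms` or the `*_pattern` macros, which the refpolicy build expands before compilation) and grants access only when the UNIX mode check and the TE check both pass. The policy text, file labels, modes and UIDs are constructed for the demo; the type names (`crond_t`, `system_cronjob_t`, `anacron_exec_t`, `cron_log_t`, `init_t`, `unconfined_t`) are taken from the slides, and the raw rules stand in for what `init_daemon_domain` and the pattern macros expand to.

```python
"""Toy model of UNIX DAC combined with SELinux Type Enforcement.

Added illustration, not SELinux code: a subset of the kernel policy
language (raw allow / type_transition statements only) is parsed and an
access is granted only if DAC AND MAC both allow it.
"""
import re
from dataclasses import dataclass


@dataclass
class File:
    owner: int
    group: int
    mode: int          # permission bits, e.g. 0o640
    label: str         # type from the file context, e.g. "cron_log_t"
    setuid: bool = False


@dataclass
class Process:
    euid: int
    egid: int
    domain: str        # type of the process, e.g. "crond_t"


class Policy:
    """Parses allow and type_transition rules; no M4 macros."""
    ALLOW = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([\w\s*]+?)\s*\}?;$")
    TRANS = re.compile(r"type_transition\s+(\w+)\s+(\w+):process\s+(\w+);$")

    def __init__(self, text):
        self.allow = {}   # (source, target, class) -> set of permissions
        self.trans = {}   # (source domain, entrypoint type) -> new domain
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if m := self.ALLOW.match(line):
                src, tgt, cls, perms = m.groups()
                self.allow.setdefault((src, tgt, cls), set()).update(perms.split())
            elif m := self.TRANS.match(line):
                src, exe, new = m.groups()
                self.trans[(src, exe)] = new
            else:
                raise ValueError(f"unsupported statement: {line}")

    def allows(self, src, tgt, cls, perm):
        perms = self.allow.get((src, tgt, cls), set())
        return perm in perms or "*" in perms   # '*' = every permission of the class


DAC_BIT = {"r": 4, "w": 2, "x": 1}
MAC_PERM = {"r": "read", "w": "write", "x": "execute"}


def dac_check(proc, f, want):
    """Traditional UNIX check: root is above the rules (simplified)."""
    if proc.euid == 0:
        return want != "x" or bool(f.mode & 0o111)   # exec still needs some x bit
    if proc.euid == f.owner:
        bits = (f.mode >> 6) & 7
    elif proc.egid == f.group:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bool(bits & DAC_BIT[want])


def access(proc, f, want, policy):
    """Both layers must agree; returns (dac_ok, mac_ok, granted)."""
    dac = dac_check(proc, f, want)
    mac = policy.allows(proc.domain, f.label, "file", MAC_PERM[want])
    return dac, mac, dac and mac


def execve(proc, f, policy):
    """Exec: setuid bit changes the UID, type_transition changes the domain."""
    if not access(proc, f, "x", policy)[2]:
        return None
    new_uid = f.owner if f.setuid else proc.euid
    new_domain = policy.trans.get((proc.domain, f.label), proc.domain)
    if new_domain != proc.domain:
        # A transition also needs 'process transition' on the new domain
        # and 'file entrypoint' for the new domain on the executable.
        if not (policy.allows(proc.domain, new_domain, "process", "transition")
                and policy.allows(new_domain, f.label, "file", "entrypoint")):
            return None
    return Process(new_uid, proc.egid, new_domain)


# Constructed policy: raw rules standing in for the slide's macro calls.
POLICY = Policy("""
allow crond_t system_cron_spool_t:dir { getattr search open read };
allow crond_t system_cron_spool_t:file { getattr open read };
allow init_t anacron_exec_t:file { getattr open read execute };
type_transition init_t anacron_exec_t:process system_cronjob_t;
allow init_t system_cronjob_t:process transition;
allow system_cronjob_t anacron_exec_t:file entrypoint;
allow system_cronjob_t cron_log_t:file { getattr open read write append create };
allow unconfined_t cron_log_t:file *;   # "almighty" is just a broad allow rule
""")

ANACRON = File(owner=0, group=0, mode=0o755, label="anacron_exec_t")    # constructed
CRON_LOG = File(owner=0, group=0, mode=0o600, label="cron_log_t")       # constructed


def demo():
    init = Process(euid=0, egid=0, domain="init_t")
    job = execve(init, ANACRON, POLICY)                   # init_t -> system_cronjob_t
    crond = Process(euid=0, egid=0, domain="crond_t")
    user = Process(euid=1000, egid=1000, domain="unconfined_t")
    return {
        "job_domain": job.domain if job else None,
        "job_writes_log": access(job, CRON_LOG, "w", POLICY),
        "crond_writes_log": access(crond, CRON_LOG, "w", POLICY),   # root, MAC denies
        "user_writes_log": access(user, CRON_LOG, "w", POLICY),     # MAC ok, DAC denies
        "crond_execs_anacron": execve(crond, ANACRON, POLICY),      # no execute rule
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The two failing writes show the point of slide 4: a root process in `crond_t` passes DAC and is still stopped by TE, while an unconfined user passes TE and is stopped by the file mode. The exec path shows why `init_daemon_domain` generates more than one rule: without the `transition` and `entrypoint` permissions the `type_transition` alone would not let the new domain start.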