~]$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
Login Name
    This column lists Linux users.

SELinux User
    This column lists which SELinux user the Linux user is mapped to. For processes, the SELinux user limits which roles and levels are accessible.

MLS/MCS Range
    This column is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS).

Service
    This column determines the correct SELinux context in which the Linux user is supposed to be logged in to the system. By default, the asterisk (*) character is used, which stands for any service.
A range whose low and high levels are identical can be written as a single level (s0-s0 is the same as s0). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as sensitivity:category-set. If there are no categories, it is written as sensitivity.

A contiguous series of categories can be abbreviated: c0.c3 is the same as c0,c1,c2,c3. The /etc/selinux/targeted/setrans.conf file maps levels (for example, s0:c0) to a human-readable form (for example, CompanyConfidential). In Fedora, the targeted policy enforces MCS, and in MCS there is just one sensitivity, s0. MCS in Fedora supports 1024 different categories: c0 through c1023. s0-s0:c0.c1023 is therefore sensitivity s0, authorized for all categories.
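The context shown by ls -Z and the MLS/MCS range notation above are easy to get subtly wrong when handled in scripts (a level can itself contain a colon, and c0.c3 is a set, not a string). The following added example, written for this page and not taken from the Fedora guide or the SELinux project, parses a context into its four fields, expands and compresses category sets, normalizes ranges such as s0-s0, and applies MLS dominance. The mcs_allows check compares the high level of each context, which is an assumption taken from the reference policy's mcs constraints (h1 dom h2); the run-compression convention in compress_categories is likewise an assumption.

```python
"""Parse and compare SELinux contexts and MLS/MCS levels.

Added example, not code from the Fedora SELinux guide or the SELinux
project. It implements the notation described above: a level is
sensitivity[:category-set], a range is low[-high], c0.c3 abbreviates
c0,c1,c2,c3, and a range whose two ends are equal collapses to one level.
"""
import re

_CAT_ITEM = re.compile(r"^c(\d+)(?:\.c(\d+))?$")
_SENS = re.compile(r"^s(\d+)$")
MCS_MAX_CATEGORY = 1023          # Fedora targeted policy: c0 through c1023


def parse_context(text):
    """Split 'user:role:type:level' into four fields. The level may itself
    contain ':' (s0:c0.c3), so split at most three times, not on every colon."""
    user, role, type_, level = text.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": level}


def expand_categories(text):
    """'c0.c3,c7' -> {0, 1, 2, 3, 7}; '' -> set()."""
    cats = set()
    for item in filter(None, text.split(",")):
        m = _CAT_ITEM.match(item)
        if not m:
            raise ValueError(f"bad category item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not lo <= hi <= MCS_MAX_CATEGORY:
            raise ValueError(f"category out of range in {item!r}")
        cats.update(range(lo, hi + 1))
    return cats


def compress_categories(cats):
    """Inverse of expand_categories: {0,1,2,3,7} -> 'c0.c3,c7'.
    Assumption: runs of three or more use '.', shorter runs are listed (c5,c6)."""
    out, run = [], []
    for c in sorted(cats) + [None]:
        if run and (c is None or c != run[-1] + 1):
            out.append(f"c{run[0]}.c{run[-1]}" if len(run) >= 3
                       else ",".join(f"c{x}" for x in run))
            run = []
        if c is not None:
            run.append(c)
    return ",".join(out)


def parse_level(text):
    """'s0:c0.c1023' -> (0, frozenset of 0..1023); 's0' -> (0, frozenset())."""
    sens, _, cats = text.partition(":")
    m = _SENS.match(sens)
    if not m:
        raise ValueError(f"bad sensitivity {sens!r}")
    return int(m.group(1)), frozenset(expand_categories(cats))


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); 's0' or 's0-s0' -> (s0, s0)."""
    low, sep, high = text.partition("-")
    low_l = parse_level(low)
    high_l = parse_level(high) if sep else low_l
    if not dominates(high_l, low_l):
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return low_l, high_l


def format_level(level):
    sens, cats = level
    return f"s{sens}" + (f":{compress_categories(cats)}" if cats else "")


def format_range(rng):
    low, high = rng
    return format_level(low) if low == high else f"{format_level(low)}-{format_level(high)}"


def mcs_allows(subject_range, object_range):
    """MCS file access: the subject's high (clearance) level must dominate the
    object's high level. Assumption: the h1 dom h2 form of the mcs constraints."""
    _, s_high = parse_range(subject_range)
    _, o_high = parse_range(object_range)
    return dominates(s_high, o_high)


if __name__ == "__main__":
    ctx = parse_context("unconfined_u:object_r:user_home_t:s0")   # constructed input
    print(ctx["type"], ctx["range"])                               # user_home_t s0
    print(format_range(parse_range("s0-s0")))                      # s0
    print(compress_categories(expand_categories("c0,c1,c2,c3")))   # c0.c3
    print(mcs_allows("s0-s0:c0.c1023", "s0:c42"))                  # True
    print(mcs_allows("s0-s0:c0.c3", "s0:c5"))                      # False
```

Note that parse_range rejects a range whose high level does not dominate its low level; the kernel rejects such contexts as invalid, so a script that builds contexts should fail the same way rather than emit a label that can never be applied.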
A process in one domain transitions to another domain by executing an application that has the entrypoint type for the new domain. The entrypoint permission is used in SELinux policy and controls which applications can be used to enter a domain. The following example demonstrates a domain transition:
Procedure 10.1. An Example of a Domain Transition
1. A user runs the passwd utility. The /usr/bin/passwd executable is labeled with the passwd_exec_t type:

   ~]$ ls -Z /usr/bin/passwd
   -rwsr-xr-x root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd

2. The passwd utility accesses /etc/shadow, which is labeled with the shadow_t type:

   ~]$ ls -Z /etc/shadow
   -r--------. root root system_u:object_r:shadow_t:s0 /etc/shadow

3. An SELinux policy rule states that processes running in the passwd_t domain are allowed to read and write to files labeled with the shadow_t type. The shadow_t type is only applied to files that are required for a password change. This includes /etc/gshadow, /etc/shadow, and their backup files.

4. An SELinux policy rule states that the passwd_t domain has entrypoint permission to the passwd_exec_t type.

5. When a user runs the passwd utility, the user's shell process transitions to the passwd_t domain. With SELinux, since the default action is to deny, and a rule exists that allows (among other things) applications running in the passwd_t domain to access files labeled with the shadow_t type, the passwd application is allowed to access /etc/shadow and update the user's password.
Although rules exist that allow the passwd_t domain to access objects labeled with the shadow_t file type, other SELinux policy rules must be met before the subject can transition to a new domain. In this example, Type Enforcement ensures:

- The passwd_t domain can only be entered by executing an application labeled with the passwd_exec_t type; can only execute from authorized shared libraries, such as the lib_t type; and cannot execute any other applications.

- Only authorized domains, such as passwd_t, can write to files labeled with the shadow_t type. Even if other processes are running with superuser privileges, those processes cannot write to files labeled with the shadow_t type, as they are not running in the passwd_t domain.

- Only authorized domains can transition to the passwd_t domain. For example, the sendmail process running in the sendmail_t domain does not have a legitimate reason to execute passwd; therefore, it can never transition to the passwd_t domain.

- Processes running in the passwd_t domain can only read and write to authorized types, such as files labeled with the etc_t or shadow_t types. This prevents the passwd application from being tricked into reading or writing arbitrary files.
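The four guarantees above, and the five-step procedure they summarize, follow from a small number of policy rules evaluated at execve time and at each file access. The following added example, written for this page and not taken from the Fedora guide or the SELinux project, models those decisions: a default-deny allow table, a type_transition table, and a simplified version of the checks the kernel makes on exec (execute on the file, then either execute_no_trans, or process transition into the new domain plus the new domain's entrypoint permission on the executable's type). The type names are the ones from the procedure; the exact set of rules, the user_t shell domain and the sendmail_t rule are illustrative assumptions, not a dump of the real targeted policy, which is queried with sesearch rather than modeled in Python.

```python
"""Model the Type Enforcement checks behind Procedure 10.1.

Added example, not code from the Fedora guide or the SELinux project.
The rule set is a hand-written toy subset (allow, type_transition); the
type names are the real ones from the procedure, the exact rules are
illustrative. Real policy is compiled into the kernel and queried with
sesearch, not with Python.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # (source type, target type, object class) -> granted permissions
    allow: dict = field(default_factory=dict)
    # (source domain, executable type) -> domain entered on exec
    transitions: dict = field(default_factory=dict)

    def allow_rule(self, src, tgt, cls, perms):
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def type_transition(self, src, exec_type, new_domain):
        self.transitions[(src, exec_type)] = new_domain

    def permitted(self, src, tgt, cls, perm):
        """Default deny: a permission exists only if an allow rule grants it."""
        return perm in self.allow.get((src, tgt, cls), set())

    def execve(self, domain, exec_type):
        """Domain the process runs in after exec, or None if the exec is denied.

        Simplified form of the kernel's checks: 'execute' on the file; then
        either 'execute_no_trans' to stay in the same domain, or, for a
        transition, 'process transition' into the new domain and the new
        domain's 'entrypoint' permission on the executable's type."""
        if not self.permitted(domain, exec_type, "file", "execute"):
            return None
        new = self.transitions.get((domain, exec_type))
        if new is None:
            stays = self.permitted(domain, exec_type, "file", "execute_no_trans")
            return domain if stays else None
        if not self.permitted(domain, new, "process", "transition"):
            return None
        if not self.permitted(new, exec_type, "file", "entrypoint"):
            return None
        return new


def passwd_policy():
    """Toy subset of the targeted policy around passwd_t (assumed rules)."""
    p = Policy()
    # passwd_t: entered only through passwd_exec_t; touches only shadow_t,
    # etc_t and lib_t; has no execute permission on anything else.
    p.allow_rule("passwd_t", "passwd_exec_t", "file", {"entrypoint"})
    p.allow_rule("passwd_t", "shadow_t", "file", {"read", "write"})
    p.allow_rule("passwd_t", "etc_t", "file", {"read"})
    p.allow_rule("passwd_t", "lib_t", "file", {"read", "execute"})
    # A confined login shell (user_t) may run passwd and transition into passwd_t.
    p.allow_rule("user_t", "passwd_exec_t", "file", {"execute"})
    p.allow_rule("user_t", "passwd_t", "process", {"transition"})
    p.type_transition("user_t", "passwd_exec_t", "passwd_t")
    # sendmail_t has no rules involving passwd_exec_t or passwd_t at all.
    p.allow_rule("sendmail_t", "etc_t", "file", {"read"})
    return p


def run_passwd(policy, domain):
    """Exec passwd from `domain`; report the resulting domain and whether it
    may write shadow_t (the check a write to /etc/shadow would hit)."""
    new = policy.execve(domain, "passwd_exec_t")
    if new is None:
        return {"domain": None, "shadow_write": False}
    return {"domain": new,
            "shadow_write": policy.permitted(new, "shadow_t", "file", "write")}


if __name__ == "__main__":
    p = passwd_policy()
    print(run_passwd(p, "user_t"))       # {'domain': 'passwd_t', 'shadow_write': True}
    print(run_passwd(p, "sendmail_t"))   # {'domain': None, 'shadow_write': False}
    # The DAC uid plays no part: a user_t shell, root or not, cannot write shadow_t.
    print(p.permitted("user_t", "shadow_t", "file", "write"))   # False
    # passwd_t cannot run other programs (no execute rule on bin_t).
    print(p.execve("passwd_t", "bin_t"))                        # None
```

Removing the single entrypoint rule from passwd_policy() makes execve("user_t", "passwd_exec_t") return None even though the transition rule is still present: both halves are required, which is why a stray executable relabeled to passwd_exec_t gains nothing unless policy also names it as the entrypoint.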