Saturday, June 12, 2010

SELinux transition

Read the RedHat SELinux User Guide this morning. So far, I think of SELinux as a generic kernel-level application firewall. It would augment and not replace the JVM sandbox. On RedHat, it seems intended for servers because there are myriads of policies written for services and very few written for users and roles. Here are some personal notes in response to the User Guide.

Chapter 3. SELinux Contexts
Section 3.1. Domain Transitions

only authorized domains, such as passwd_t, can write to files labeled with the shadow_t type. Even if other processes are running with superuser privileges, those processes can not write to files labeled with the shadow_t type, as they are not running in the passwd_t domain.


Why can root run "vi /etc/shadow" and successfully write using ":w!"? The answer comes later in chapter 4.

Chapter 4. Targeted Policy
Section 4.2. Unconfined Processes

Processes running in unconfined domains fall back to using DAC rules exclusively.


"ps -eZ | grep bash" reveals that the root shell is running in an unconfined domain. That is why it can write to /etc/shadow.

What protection does SELinux offer to an interactive root user? The answer comes later in chapter 6.

Chapter 6. Confining users
Section 6.2. Confining New Linux Users

When Linux users run in the unconfined_t domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the unconfined_t domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the unconfined_t domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy.


Going back to the example in section 3.1, the passwd command has the passwd_exec_t type, which transitions the passwd process to the passwd_t domain so that it can write to files with the shadow_t type. How can I see the policy responsible for transitioning the passwd process to the passwd_t domain? Found the answer after asking questions on IRC and reading about Domain Transitions.


# id --context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# ls --context /usr/bin/passwd
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd


The following rule states that when a process of type unconfined_t executes a file of type passwd_exec_t, the process type should be changed to passwd_t if allowed by the policy (i.e. a transition from the unconfined_t domain to the passwd_t domain). The type_transition rule only names the new domain; the three allow rules below must also be present for the transition to actually happen.

# sesearch --type --source=unconfined_t --target=passwd_exec_t
Found 1 semantic te rules:
type_transition unconfined_t passwd_exec_t : process passwd_t;


The file needs to be executable by the unconfined_t domain:

# sesearch --allow --source=unconfined_t --target=passwd_exec_t | grep -w unconfined_t
allow unconfined_t passwd_exec_t : file { read getattr execute open } ;


The executable file needs an entry point into the passwd_t domain:

# sesearch --allow --source=passwd_t --target=passwd_exec_t
Found 1 semantic av rules:
allow passwd_t passwd_exec_t : file { ioctl read getattr lock execute entrypoint open } ;


The process needs permission to transition into the passwd_t domain:

# sesearch --allow --source=unconfined_t --target=passwd_t | grep -w unconfined_t
allow unconfined_t passwd_t : process transition ;
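As an added example (not from the original post or the SELinux tools), here is a small Python checker that applies the same three conditions to sesearch-style rule lines. The rule text is a constructed sample copied from the output above, plus a made-up broken_exec_t/broken_t pair that lacks an entrypoint rule so the failing case is visible.

```python
import re

# Constructed sample in the shape sesearch prints. The passwd rules mirror
# the output above; broken_exec_t/broken_t are invented and lack entrypoint.
SAMPLE_RULES = """
type_transition unconfined_t passwd_exec_t : process passwd_t;
allow unconfined_t passwd_exec_t : file { read getattr execute open } ;
allow passwd_t passwd_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
allow unconfined_t passwd_t : process transition ;
type_transition unconfined_t broken_exec_t : process broken_t;
allow unconfined_t broken_exec_t : file { read getattr execute open } ;
allow unconfined_t broken_t : process transition ;
"""

# allow SRC TGT : CLASS { p1 p2 ... } ;   or   allow SRC TGT : CLASS perm ;
ALLOW_RE = re.compile(r"^allow (\S+) (\S+) : (\S+) (?:\{ *([^}]*?) *\}|(\S+)) ;$")
# type_transition SRC EXEC_TYPE : process NEW_DOMAIN;
TRANS_RE = re.compile(r"^type_transition (\S+) (\S+) : process (\S+);$")

def parse_rules(text):
    """Return (set of (src, tgt, class, perm), dict (src, exec_type) -> new domain)."""
    allows, transitions = set(), {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, braced, single = m.groups()
            for perm in (braced or single).split():
                allows.add((src, tgt, cls, perm))
            continue
        m = TRANS_RE.match(line)
        if m:
            src, exec_type, new_domain = m.groups()
            transitions[(src, exec_type)] = new_domain
    return allows, transitions

def check_transition(allows, transitions, src, exec_type):
    """Return (new_domain, missing): the domain named by type_transition and
    the list of the three required allow rules that are absent."""
    new_domain = transitions.get((src, exec_type))
    if new_domain is None:
        return None, ["type_transition"]
    required = {
        "execute":    (src, exec_type, "file", "execute"),        # may run the file
        "entrypoint": (new_domain, exec_type, "file", "entrypoint"),  # file enters domain
        "transition": (src, new_domain, "process", "transition"), # may change domain
    }
    missing = [name for name, rule in required.items() if rule not in allows]
    return new_domain, missing

if __name__ == "__main__":
    allows, transitions = parse_rules(SAMPLE_RULES)
    for exec_type in ("passwd_exec_t", "broken_exec_t"):
        print(exec_type, check_transition(allows, transitions, "unconfined_t", exec_type))
```

Feeding it real output from the sesearch commands above (header lines such as "Found 1 semantic av rules:" are ignored) lets you confirm a transition's prerequisites for any source domain and executable type.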
