SELinux with omarine policy: An in-depth look at the security policy – secure program with its own domain: Part 7


(0 comments)

Adding constraints to the rules

We already know that root can read the temp files of the myapp program (or myapp_se)

That's because there are rules that allow the root user to read the files.
If you want, you can add a constraint condition to disable the rules, so that root cannot read the files.
When you do this, you have already interfered deeply with the policy, because constraints are only in the base module and you have to modify the base module.
Constraints that affect the security level have the following general form:

mlsconstrain class perm_set expression;

The default constraint in the base module involves reading files as follows

mlsconstrain file { read ioctl lock execute execute_no_trans }
        (( h1 dom h2 ) or ( t1 == mcsreadall ) or
        (( t1 != mcs_constrained_type ) and (t2 == domain)));

The expression reads as follow

  • h1 dom h2: The source high security level dominates the target high security level. That is, the sensitivity of the source high security level is higher or equal to the sensitivity of the high security level of the target, and the categories of the source high security level are the same or a superset of the categories of the target high security level.
  • t1 == mcsreadall: Type of source belongs to the mcsreadall group.
  • t1 != mcs_constrained_type: The type of source does not belong to the mcs_constrained_type group.
  • t2 == domain: The type of the target belongs to the domain group.

See security context.

Now we add a condition to the expression that must satisfy:

(( u1 == u2 ) or ( t2 != mcs_constrained_type ))

It reads as follows:
The source user and target user are the same, or
The target type does not belong to the mcs_constrained_type group.

The whole constraint becomes:

mlsconstrain file { read ioctl lock execute execute_no_trans }
        ((( h1 dom h2 ) or ( t1 == mcsreadall ) or
        (( t1 != mcs_constrained_type ) and (t2 == domain))) and
        (( u1 == u2 ) or ( t2 != mcs_constrained_type )));

Suppose the type mapp_tmp_t (or mapp_se_tmp_t) belongs to the mcs_constrained_type group. When root reads such a temp file, u1 is root, u2 is staff_u. So the new condition is not satisfied. Therefore root cannot read the temp files of the myapp program or myapp_se program even if it has permissions to read them.

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required


What is 4 - 2?

required