Type Enforcement Rules and Macros
Security Policy Development Primer for Security Enhanced Linux, Module 7
Copyright 2002-2003 Tresys Technology, LLC, www.tresys.com/selinux, selinux@tresys.com

Overview of Type Enforcement Rules
- Set of policy rules that specify relationships between types.
- Several different rules, i.e. the type enforcement policy; it has somewhat evolved and changed over the past year, a challenge for those working with older systems.
- TE rules in a policy can be numerous; for example, in the sample policy: 27,000 type allow rules, 1,000 type transition rules.

A Primary Goal of a TE Policy
- Define access control for given programs, i.e. a domain.
- Some of the motivations/reasons governing decisions:
  - program protection
  - least privilege
  - side effects of errors contained within the domain
  - access rights
  - limit program to the minimal access rights necessary
  - limit error propagation
  - prevent interference with / modification of the program's resources
  - significantly less chance of exposure to vulnerability
  - all of which leads to greater security assurance
- Roles associate users with domains, not the TE policy; some domain types are designed for users rather than programs.

Other Goals for a TE Policy
- Self protection: kernel protects itself and its resources; protect the policy itself.
- Enforce other mandatory policies: information flow, domain isolation; guard applications, controlled information flow.
- All focused on domain (program) access, not users.

TE Access Vector Rules
Syntax: rule_name src_types tgt_types : classes permissions ;
- Access vector (AV) rules:
  - allow: grant access
  - neverallow: TE assertions
  - auditallow: log when access granted
  - dontaudit (NEW): don't log access denied
  - auditdeny: replaced by dontaudit
- types (source and target): one or more type or type attribute identifiers
  - * means all types
  - keyword self in target: same as source (including multiples)
  - ~ can be used for the complement of the specified type/attribute set
  - with more than one identifier, the list is enclosed in braces: { type1_t type2_t ... typeN_t attribute }
- classes: one or more defined object classes; * and ~ may be used; multiple classes enclosed in braces
- permissions: one or more permissions defined for the specified class(es); all permissions must be valid for all object classes specified; * and ~ may be used; multiple permissions enclosed in braces
- If multiple rules (allow, auditallow, dontaudit, auditdeny (old)) specify the same source, target and class, the union of all permissions is used.

Type Allow Rule
- Grants source type(s) access to target type(s); no access is granted by default.
- Granular access specification: object classes, permissions.
- Examples:
  allow user_t bin_t:file { read getattr lock execute ioctl execute_no_trans };
    allow user_t domain type read and execute access to bin_t files, with or without a transition
  allow user_t self:process *;
    allow user_t domain types all access to itself
  allow userdomain shell_exec_t:file { read getattr lock execute ioctl };
    allow types with the userdomain attribute read/execute to shell_exec_t files, but only with a domain transition (i.e. no execute_no_trans access)

Neverallow Rule
- States invariants for the policy: no allow rule may violate any invariant; if one does, the policy will not compile.
- Not included in the running system; enforced by checkpolicy when compiling the policy.
- Examples:
  neverallow passwd_t ~{ bin_t sbin_t ld_so_t }:file execute_no_trans;
    passwd_t domain may never execute, without a domain transition, files of any types other than bin_t, sbin_t and ld_so_t
  neverallow domain ~domain:process transition;
    no domain type (domain is an attribute) may transition to a new type unless the new type is also a domain type

Type Audit Rules
- auditallow: log when access is TE allowed
- dontaudit (new): do not audit when access is denied; the default is to audit denies; used to eliminate expected access denies
- auditdeny (old): replaced by dontaudit; no longer supported

A Look at Macros
- Sample policy uses m4 macros: provides easier-to-use abstractions; not intrinsic to the SELinux policy language.
- Global macros: policy/macros/global_macros.te
- Object class macro examples:
  file_class_set: { file lnk_file sock_file fifo_file chr_file blk_file }
  notdevfile_class_set: { file lnk_file sock_file fifo_file }
  Be careful: you might include objects not intended, e.g. devices.
- Permission macro examples:
  rx_file_perms: { read getattr lock execute ioctl }
  r_dir_perms: { read getattr lock search ioctl }

Type Transition Rule
- Specifies the default type for a new object; two forms: default process transition, default type for new file objects.
- Syntax: type_transition src_types tgt_types : class default_type ;
  - src_types, tgt_types: may use * and ~ and sets of types
  - default_type: a single type
  - class governs which rule form: process (domain transition); file-related object (default object type)

Type Transition Rule (continued)
  type_transition src_type tgt_type : process default_type;
    Default transition form: unless otherwise requested, when a process with src_type executes a file with tgt_type, the process will have default_type (domain), if allowed by the TE policy.
  type_transition src_type tgt_type : file_related default_type;
    Default object type form: unless otherwise requested, when a process with src_type creates a new file-related object (e.g. file, dir) in a directory of tgt_type, the new object will have default_type, if allowed by the TE policy.
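The AV rule syntax, the union-of-permissions rule, the "all permissions must be valid for all classes" rule, and the neverallow compile-time check can all be exercised with a small evaluator. The following is an added example, not code from the primer and not SELinux's checkpolicy: the types, attributes, object classes (with trimmed permission lists), the toy policy and the macro table are constructed for the demonstration, and macro expansion is plain text substitution rather than real m4.

```python
"""Tiny checkpolicy-style evaluator for SELinux type enforcement AV rules.

Added example, not code from the Tresys primer or from SELinux. It parses allow and
neverallow rules in the syntax the slides show ({ } sets, *, ~, self, attributes),
expands two m4-style macros by text substitution, unions allow rules that share a
source/target/class, and reports the neverallow assertions the allow rules violate,
which is the condition that makes checkpolicy refuse to compile a policy.
"""

# Constructed macro table in the spirit of global_macros.te (plain substitution, not m4).
MACROS = {
    "rx_file_perms": "{ read getattr lock execute ioctl }",
    "notdevfile_class_set": "{ file lnk_file sock_file fifo_file }",
}
# Constructed toy policy declarations; classes carry only a trimmed permission subset.
TYPES = {"user_t", "passwd_t", "bin_t", "sbin_t", "ld_so_t", "shell_exec_t", "tmp_t"}
ATTRIBUTES = {"domain": {"user_t", "passwd_t"}, "userdomain": {"user_t"}}
CLASSES = {
    "file": {"read", "write", "getattr", "lock", "execute", "ioctl", "execute_no_trans"},
    "lnk_file": {"read", "getattr"},
    "sock_file": {"read", "getattr"},
    "fifo_file": {"read", "getattr"},
    "process": {"fork", "transition", "signal", "sigchld", "getattr", "setexec"},
}

def tokenize(rule):
    """Expand macros, drop the trailing ';' and split so that { } : and ~ are visible."""
    for macro, body in MACROS.items():
        rule = rule.replace(macro, body)
    rule = rule.strip().rstrip(";")
    for ch in "{}:":
        rule = rule.replace(ch, f" {ch} ")
    return rule.split()

def parse_set(toks, i):
    """Read one identifier, '*' or '{ ... }' at toks[i]; return (complemented, names, next i)."""
    neg = toks[i].startswith("~")
    if toks[i] == "~":          # written as '~{ a b }'
        i += 1
    if toks[i] == "{":
        j = toks.index("}", i)
        return neg, toks[i + 1:j], j + 1
    return neg, [toks[i].lstrip("~")], i + 1

def resolve(neg, names, universe, attrs=None):
    """Expand names (through attributes when given) against a universe; apply * and ~."""
    if names == ["*"]:
        members = set(universe)
    else:
        members = set()
        for n in names:
            if attrs and n in attrs:
                members |= attrs[n]
            elif n in universe:
                members.add(n)
            else:
                raise ValueError(f"unknown identifier: {n}")
    return set(universe) - members if neg else members

def expand(rule):
    """Return (rule kind, set of (src, tgt, class, perm) tuples the rule covers)."""
    toks = tokenize(rule)
    neg_s, src_names, i = parse_set(toks, 1)
    neg_t, tgt_names, i = parse_set(toks, i)
    if toks[i] != ":":
        raise ValueError(f"expected ':' in rule: {rule}")
    neg_c, cls_names, i = parse_set(toks, i + 1)
    neg_p, perm_names, _ = parse_set(toks, i)
    classes = resolve(neg_c, cls_names, CLASSES)
    # Every permission must be defined for every class listed (ValueError otherwise).
    perms = {c: resolve(neg_p, perm_names, CLASSES[c]) for c in classes}
    others = [n for n in tgt_names if n != "self"]
    tuples = set()
    for s in resolve(neg_s, src_names, TYPES, ATTRIBUTES):
        tgts = resolve(False, others, TYPES, ATTRIBUTES) if others else set()
        if "self" in tgt_names:
            tgts.add(s)         # self pairs each source type with itself only
        if neg_t:
            tgts = TYPES - tgts
        tuples |= {(s, t, c, p) for t in tgts for c in classes for p in perms[c]}
    return toks[0], tuples

def validate(rule):
    """True when the rule parses and all its permissions exist for all its classes."""
    try:
        expand(rule)
        return True
    except ValueError:
        return False

def check_policy(rules):
    """Union all allow rules, then return (allowed tuples, list of violated neverallows)."""
    allowed, assertions = set(), []
    for rule in rules:
        kind, tuples = expand(rule)
        if kind == "allow":
            allowed |= tuples
        elif kind == "neverallow":
            assertions.append((rule, tuples))
    return allowed, [(r, sorted(t & allowed)) for r, t in assertions if t & allowed]

# Constructed toy policy built from the rules shown on the slides.
POLICY = [
    "allow user_t bin_t:file { read getattr lock execute ioctl execute_no_trans };",
    "allow user_t self:process *;",
    "allow userdomain shell_exec_t:file rx_file_perms;",
    "allow passwd_t tmp_t:notdevfile_class_set { read getattr };",
    "neverallow passwd_t ~{ bin_t sbin_t ld_so_t }:file execute_no_trans;",
    "neverallow domain ~domain:process transition;",
]
# Adding this rule breaks the first invariant, so checkpolicy would reject the policy.
BAD_RULE = "allow passwd_t shell_exec_t:file execute_no_trans;"
```

`check_policy(POLICY)` returns no violations; `check_policy(POLICY + [BAD_RULE])` reports the first neverallow with the offending tuple, which is the same outcome checkpolicy produces at compile time rather than at run time. `validate("allow user_t bin_t:{ file process } read;")` is False because read is not a process permission.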
Type Transition Rule Examples
  type_transition userdomain passwd_exec_t:process passwd_t;
    Domain transition: causes domains with the userdomain attribute to transition to passwd_t when executing passwd_exec_t programs, by default.
  type_transition passwd_t tmp_t:{ file lnk_file sock_file fifo_file } passwd_tmp_t;
    Default file type: when a passwd_t process creates new file system objects in a tmp
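The two type_transition forms and their "if allowed by TE policy" condition, as an added example that is not part of the primer and not SELinux code: the policy fragment is constructed and kept as plain tuples, the rule's type sets are resolved through attributes and *, and the specific permissions checked (execute, transition and entrypoint for a domain transition; add_name on the directory and create on the new type for a new object) come from my own knowledge of SELinux rather than from the slides, which only say "if allowed by the TE policy".

```python
"""Resolving type_transition defaults for both rule forms described on the slides.

Added example (not code from the Tresys primer or from SELinux). The policy fragment
is constructed. The slides say the default applies "if allowed by TE policy"; the
permission checks below (execute/transition/entrypoint for a domain transition,
add_name on the directory and create on the new type for a new object) are
SELinux's actual requirements from my own knowledge, not text on the slides.
"""

TYPES = {"user_t", "staff_t", "passwd_t", "bin_t", "passwd_exec_t", "tmp_t", "passwd_tmp_t"}
ATTRIBUTES = {"userdomain": {"user_t", "staff_t"}, "domain": {"user_t", "staff_t", "passwd_t"}}

# Constructed allow rules, already unioned per (source, target, class) as on the slides.
ALLOW = {
    ("user_t", "bin_t", "file"): {"read", "getattr", "execute", "execute_no_trans"},
    ("user_t", "passwd_exec_t", "file"): {"read", "getattr", "execute"},
    ("staff_t", "passwd_exec_t", "file"): {"read", "getattr", "execute"},
    ("user_t", "passwd_t", "process"): {"transition"},   # staff_t deliberately lacks this
    ("passwd_t", "passwd_exec_t", "file"): {"entrypoint"},
    ("passwd_t", "tmp_t", "dir"): {"search", "write", "add_name", "create"},
    ("passwd_t", "passwd_tmp_t", "file"): {"create", "read", "write"},
}

# The two type_transition rules from the slides as (src_types, tgt_types, classes, default_type).
TRANSITIONS = [
    ("userdomain", "passwd_exec_t", {"process"}, "passwd_t"),
    ("passwd_t", "tmp_t", {"file", "lnk_file", "sock_file", "fifo_file"}, "passwd_tmp_t"),
]

def members(name):
    """Types named by an identifier: '*' is every type, an attribute is its member set."""
    return set(TYPES) if name == "*" else ATTRIBUTES.get(name, {name})

def allowed(src, tgt, cls, perm):
    return perm in ALLOW.get((src, tgt, cls), set())

def default_type(src, tgt, cls):
    """First matching type_transition default, or None when no rule applies."""
    for s, t, classes, new in TRANSITIONS:
        if src in members(s) and tgt in members(t) and cls in classes:
            return new
    return None

def exec_domain(domain, file_type, requested=None):
    """Domain a process ends up in after executing a file of file_type.

    Returns (new_domain, reason); new_domain is None when TE policy denies it.
    Without an explicit request the process-form type_transition default applies;
    with no rule at all the process stays in its current domain.
    """
    new = requested or default_type(domain, file_type, "process") or domain
    if new == domain:
        ok = allowed(domain, file_type, "file", "execute_no_trans")
        return (domain, "no transition") if ok else (None, "execute_no_trans denied")
    for check in ((domain, file_type, "file", "execute"),
                  (domain, new, "process", "transition"),
                  (new, file_type, "file", "entrypoint")):
        if not allowed(*check):
            return None, "denied: %s %s:%s %s" % check
    return new, "domain transition"

def create_type(domain, dir_type, cls, requested=None):
    """Type a new object of class cls gets when domain creates it in a dir of dir_type.

    Returns (new_type, reason). Without a request the file-form type_transition
    default applies; with no rule the object inherits the directory's type.
    """
    new = requested or default_type(domain, dir_type, cls) or dir_type
    for check in ((domain, dir_type, "dir", "add_name"), (domain, new, cls, "create")):
        if not allowed(*check):
            return None, "denied: %s %s:%s %s" % check
    return new, ("default object type" if new != dir_type else "inherited from directory")

if __name__ == "__main__":
    print(exec_domain("user_t", "passwd_exec_t"))    # userdomain -> passwd_t
    print(exec_domain("staff_t", "passwd_exec_t"))   # rule matches, but transition denied
    print(exec_domain("user_t", "passwd_exec_t", requested="user_t"))  # no execute_no_trans
    print(create_type("passwd_t", "tmp_t", "file"))  # passwd_tmp_t
    print(create_type("passwd_t", "tmp_t", "dir"))   # dir is not in the rule's class set
```

The staff_t case shows why a type_transition rule alone is not enough: the rule names the default, but the allow rules decide whether the transition can happen, and the dir case shows that a file-form rule only covers the classes it lists.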

