Access vectors
(AVs) are the rules that allow
domains to access various system objects. An AV is a set of permissions.
A basic AV rule is a subject and object pair of types, a class definition
for the object, and a permission for the subject. There is a general rule
syntax that covers all the kinds of AV rules:
<av_kind> <source_type(s)> <target_type(s)>:<class(es)> \
<permission(s)> |
All AV rules are considered by the policy enforcement engine as two types,
one class, and one access permission. However, rules are written using
attributes, sets, and macros to be more efficient. AV rules are
simplified during policy compilation.
The parts of the AV rule are defined elsewhere in this chapter. This
section describes the kinds of access vectors used in the AV rule at
av_kind.
av_kind is one of three rule types:
allow — permit a
subject to act in a specific way with an object. The rule here allows
named (in the domain of named_t) to
perform a search of a directory with the type
sbin_t (for example,
/sbin, /usr/sbin,
/opt/sbin, etc.):
allow named_t sbin_t:dir search; |
If the ruling results in a denial, the denial is audited (that is,
logged). Granted permission events are not logged.
auditallow — when the
permission is granted, log the access decision. In the targeted
policy, there is only one auditallow
rule. This rule logs usage of certain SELinux applications, for example
logging avc: granted { setenforce }
when allowing setenforce:
auditallow unconfined_t security_t : security { load_policy \
setenforce setbool }; |
dontaudit — never audit a
specific access denial. This is used when a program is attempting an
action that is not allowed by policy, and the resulting denials are
filling the log, but the denial is not affecting the application doing
its tasks. This AV lets you silently deny and ignore the access
violation. For example, this
dontaudit rule says to ignore when
the named_t domain attempts to read
or get attributes on a file with the
root_t type. Denial of this access
attempt does not effect named doing its job, so the denial is
ignored to keep the logs clean:
dontaudit named_t root_t:file { getattr read }; |
There is one additional AV rule,
neverallow. This AV assertion, defined
in $SELINUX_SRC/assert.te, is not part of the
regular permission checking. The purpose of this rule is to declare
access vectors that must never be allowed. These are used to protect
against policy writing mistakes, especially where macros can provide
unexpected rights. These assertions are checked by the policy compiler,
checkpolicy, when the policy is built, but after the
entire policy has been evaluated, and are not part of the runtime access
vector cache.
Here is the syntax and an example. In practice, a wildcard character
* is often used to cover all instances
possible in a rule field. The syntax is different in that it is possible
to use ifdef() statements as sources or
targets:
# Syntax for AV assertion
neverallow <source_name(s)> <target_name(s)> : \
<class(es)> <permission(s)> |
In this example from assert.te, the
neverallow rule verifies that every type
that a domain can enter into has the attribute
domain. This prevents a rule from
elsewhere in the policy allowing a domain to transition to a type that is
not a process type. The tilde in front,
~domain, means "anything that is not a
domain":
When SELinux disallows an operation, a denial message is generated for the
audit logs. In Red Hat Enterprise Linux, $AUDIT_LOG is
/var/log/messages. This section explains the
format of these log messages. For suggestions on using an
avc: denied message for
troubleshooting, refer to Section 5.2.11 Troubleshoot User Problems With SELinux.
Example 2-1 shows a denial generated
when a user's Web content residing in ~/public_html
does not have the correct label.
Jan 14 19:10:04 hostname kernel: audit(1105758604.519:420): \
avc: denied { getattr } for pid=5962 exe=/usr/sbin/httpd \
path=/home/auser/public_html dev=hdb2 ino=921135 \
scontext=root:system_r:httpd_t \
tcontext=user_u:object_r:user_home_t tclass=dir |
Example 2-1. AVC Denial Message
This shows the message parts and an explanation of what the part means:
avc: denied Message
Explained
- Jan 14 19:10:04
Timestamp on the audit message.
- hostname
The hostname of the system.
- kernel: audit(1105758604.519:420):
This is the kernel audit log message pointer. The timestamp
consists of a long number, which is the unformatted current time,
and a short number, which is the milliseconds, that is,
<current_time>.<milliseconds_past_current_time>.
The third number is the serial number, which helps in stitching
together the full audit trail from multiple messages. Multiple
messages for the same event occur when full audit logging is
enabled using an audit daemon, which logs various kernel events.
- avc: denied
The operation was denied. A few operations have
auditallow set so they generate
granted messages instead.
- { getattr }
What was denied or granted. The brackets
{} contain the actual permission
that was attempted.
- for pid=5962
The process ID of the application that is the source of the
operation.
- exe=/usr/sbin/httpd
The application being denied.
- path=/home/auser/public_html
The path to the target file or directory the operation was
attempted on.
- dev=hdb2
The device node that holds the file system. The object of the
denied operation lives in this file system.
- ino=921135
The inode number of the target file or directory.
- scontext=root:system_r:httpd_t
The security context of the source, that is, the process being
denied access.
- tcontext=user_u:object_r:user_home_t
The security context of the target, that is, the file or
directory that is denied.
- tclass=dir
The object class of the target, indicating
that it was the directory
/home/auser/public_html/ that was being
blocked.
