PolicyStoreConfigurationFiles
Contents
- 1 Policy Store Configuration Files
- 1.1 modules/ Files
- 1.2 base.pp File
- 1.3 base.linked File
- 1.4 commit_num File
- 1.5 file_contexts.template File
- 1.6 file_contexts File
- 1.7 homedir_template File
- 1.8 file_contexts.homedirs File
- 1.9 netfilter_contexts & netfilter.local File
- 1.10 policy.kern File
- 1.11 seusers.final and seusers Files
- 1.12 users_extra, users_extra.local and users.local Files
- 1.13 booleans.local File
- 1.14 file_contexts.local File
- 1.15 interfaces.local File
- 1.16 nodes.local File
- 1.17 ports.local File
- 1.18 modules Directory Contents
Policy Store Configuration Files
Each file discussed in this section is relative to the policy name as follows:
/etc/selinux/<policy_name>
The Policy Store files in the /etc/selinux/<policy_name>/modules area are either installed, updated or built by the semodule and semanage commands, and as a part of their process, relevant files are then copied to the Policy Configuration files area.
The files present in each <policy_name> policy store will vary from policy to policy as different items could be configured for each one.
Generally if a file has the extension '.local', then it has been generated by semanage and used to update the binary policy located at /etc/selinux/<policy_name>/policy.
All files can have comments inserted where each line must have the '#' symbol to indicate the start of a comment.
modules/ Files
The policy store has two lock files that are used by libsemanage for managing the store. Their format is not relevant to policy construction:
semanage.read.LOCK semanage.trans.LOCK
base.pp File
This is the packaged base policy that contains the mandatory modules and policy components such as object classes and permission declarations, initial SIDs etc.
base.linked File
This is only present if the save-linked is set to TRUE as described in the /etc/selinux/semanage.conf section. It contains the modules that have been linked using the semodule_link(8) command.
commit_num File
This is a binary file used by libsemanage for managing updates to the store. The format is not relevant to policy construction.
file_contexts.template File
This contains a copy all the modules 'Labeling Policy File' entries (e.g. the <module_name>.fc files) that have been extracted from the base.pp and the loadable modules in the modules/active/modules directory.
The entries in the file_contexts.template file are then used to build the following files:
- homedir_template file that will be used to produce the file_contexts.homedirs file which will then become the policies ./contexts/files/file_contexts.homedirs file.
- file_contexts file that will become the policies ./contexts/files/file_contexts file.
The way these two files are built is as follows (and shown in Figure 1):
homedir_template - Any line in the file_contexts.template file that has the keywords HOME_ROOT or HOME_DIR are extracted and added to the homedir_template file. This is because these keywords are used to identify entries that are associated to a users home directory area. These lines can also have the ROLE keyword declared.
The homedir_template file will then be used by genhomedircon(8)(Note that the genhomedircon command has now been built into the libsepol library as a function to build the file_contexts.homedirs file via semanage) to generate individual SELinux user entries in the file_contexts.homedirs file as discussed in the ./modules/active/file_contexts.homedirs section.
file_contexts - All other lines are extracted and added to the file_contexts file as they are files not associated to a users home directory.
The format of the file_contexts.template file is as follows:
Each line within the file consists of either type of entry:
pathname_regexp opt_security_context
Or
pathname_regexp file_type opt_security_context
Where:
pathname_regexp | An entry that defines the pathname in the form of a regular expression.
The metacharacters '^' (match beginning of line) and '$' (match end of line) are automatically added to the expression by the routines that process this file, however they can be over-ridden by using '.*' at either the beginning or end of the expression (see the example file_contexts files below). There are also keywords of HOME_ROOT, HOME_DIR, ROLE and USER that are used by file labeling commands (see the keyword definitions below and the ./modules/active/homedir_template file section for their usage). |
file_type | The file_type options are:
'-b' - Block Device '-c' - Character Device '-d' - Directory '-p' - Named Pipe '-l' - Symbolic Link '-s' - Socket '--' - Ordinary file |
opt_security_context | This entry can be either:
|
Keywords that can be in the file_contexts.template file are:
HOME_ROOT | This keyword is replaced by the GNU / Linux users root home directory, normally '/home'. |
HOME_DIR | This keyword is replaced by the GNU / Linux users home directory, normally '/home/'. |
ROLE | This keyword is replaced by the 'prefix' entry from the users_extra configuration file that corresponds to the SELinux users user id. Example users_extra configuration file entries are:
user user_u prefix user; user staff_u prefix staff; user group1_u prefix group1; It is used for files and directories within the users home directory area when relabeling takes place to allow the domain context to be based on a specific role (or any identifier !!) to allow easier identification in log files. It can be added by the semanage user command as follows: # Add prefix for SELinux user: semanage user -a -R staff_r -P group1 group1_u # Add login user: semanage login -a -s group1_u rch The usage is similar to the Reference Policy 'per_role_template' (<param name="userdomain_prefix">) that is an optional component of the external interface file (see the ftp.if or ssh.if files in the Reference Policy source). This feature will probably be removed as the semanage user -P option is more flexible !!!. |
USER | This keyword will be replaced by the users GNU / Linux user id. |
Example file_contexts.template contents:
# ./modules/active/file_contexts.template - These sample entries # have been taken from the Reference Policy and show the # HOME_DIR, HOME_ROOT keywords whose lines will be extracted and # added to the homedir_template file that is used to manage # user home directory entries. The USER keyword will be replaced # by the file labeling utilities with the corresponding GNU / # Linux user id. The ROLE keyword will be replaced by the prefix # assigned to the SELinux seuser_id taken from the users_extra # file. /.* system_u:object_r:default_t /a?quota\.(user|group) -- system_u:object_r:quota_db_t /xen(/.*)? system_u:object_r:xen_image_t /dev/mcdx? -b system_u:object_r:removable_device_t HOME_DIR/.+ system_u:object_r:user_home_t /var/log/.* system_u:object_r:var_log_t /tmp/gconfd-USER/.* -- system_u:object_r:gconf_tmp_t /var/log/sxid\.log.* -- system_u:object_r:sxid_log_t /var/log/messages[^/]* system_u:object_r:var_log_t /var/run/wnn-unix(/.*) system_u:object_r:canna_var_run_t HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t HOME_ROOT/lost\+found/.* <<none>> HOME_DIR/\.config/gtk-.* system_u:object_r:gnome_home_t
file_contexts File
This file becomes the policies ./contexts/files/file_contexts file and is built from entries in the ./modules/active/file_contexts.template file as explained above and shown in Figure 1. It is then used by the file labeling utilities to ensure that files and directories are labeled according to the policy.
The format of the file_contexts file is the same as the ./modules/active/file_contexts.template file.
The USER keyword is replaced by the users GNU / Linux user id when the file labeling utilities are run.
Example file_contexts contents:
# ./modules/active/file_contexts - These sample entries have been # taken from the Reference Policy and show the USER keyword # that will be replaced by the users GNU / Linux user id when the # file labeling utilities are run. # The other keywords HOME_DIR, HOME_ROOT and ROLE have been # extracted and put in the homedir_template file. /.* system_u:object_r:default_t /a?quota\.(user|group) -- system_u:object_r:quota_db_t /xen(/.*)? system_u:object_r:xen_image_t /dev/mcdx? -b system_u:object_r:removable_device_t /var/log/.* system_u:object_r:var_log_t /tmp/gconfd-USER/.* -- system_u:object_r:gconf_tmp_t /var/log/sxid\.log.* -- system_u:object_r:sxid_log_t /var/log/messages[^/]* system_u:object_r:var_log_t /var/run/wnn-unix(/.*) system_u:object_r:canna_var_run_t
# ./contexts/files/file_contexts - Sample entries taken from the # MLS reference policy. # Notes: # 1) The fixed_disk_device_t is labeled SystemHigh (s15:c0.c255) # as it needs to be trusted. Also some logs and configuration # files are labeled SystemHigh as they contain sensitive # information used by trusted applications. # # 2) Some directories (e.g. /tmp) are labeled # SystemLow-SystemHigh (s0-s15:c0.c255) as they will # support polyinstantiated directories. /.* system_u:object_r:default_t:s0 /a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 /mnt(/[^/]*) -l system_u:object_r:mnt_t:s0 /mnt/[^/]*/.* <<none>> /dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0 /dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0 /dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255 /var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t:s0 /dev/(raw/)?rawctl -c system_u:object_r:fixed_disk_device_t:s15:c0.c255 /tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 dev/pts -d system_u:object_r:devpts_t:s0-s15:c0.c255 /var/log -d system_u:object_r:var_log_t:s0-s15:c0.c255 /var/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255 /var/run -d system_u:object_r:var_run_t:s0-s15:c0.c255 /usr/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255
homedir_template File
This file is built from entries in the file_contexts.template file (as shown in Figure 1) and explained in the ./modules/active/file_contexts.template section.
The file is used by genhomedircon, semanage login or semanage user to generate individual user entries in the file_contexts.homedirs file.
The homedir_template file has the same per line format as the ./modules/active/file_contexts.template file.
Example file contents:
# ./modules/active/homedir_template - These sample entries have # been taken from the Reference Policy and show the # HOME_DIR, HOME_ROOT and ROLE keywords that are used to manage # users home directories: HOME_DIR/.+ system_u:object_r:user_home_t HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t HOME_ROOT/lost\+found/.* <<none>> HOME_DIR/\.config/gtk-.* system_u:object_r:gnome_home_t
file_contexts.homedirs File
This file becomes the policies ./contexts/files/file_contexts.homedirs file when building policy as shown in Figure 1. It is then used by the file labeling utilities to ensure that users home directory areas are labeled according to the policy.
The file can be built by the genhomedircon command (in F-10 this just calls /usr/sin/semodule -Bn) or if using semanage with user or login options to manage users, where it is called automatically as it is now a libsepol library function.
The file_contexts.homedirs file has the same per line format as the ./modules/active/file_contexts.template file, however the HOME_DIR, ROOT_DIR and ROLE keywords will be replaced as explained in the keyword definitions section above. Note that the ROLE keyword will only be replaced for those valid types within the policy (for example if staff_irc_home_t cannot be found in the policy it will be silently dropped from the file_context.homedirs when being built True?.
Example file_contexts.homedirs contents:
# ./modules/active/file_contexts.homedirs - These sample entries # have been taken from the Reference Policy and show that # the HOME_DIR, HOME_ROOT and ROLE keywords have been replaced # by entries as explained above. # # User-specific file contexts, generated via libsemanage # use semanage command to manage system users to change the file_context # # Home Context for user user_u /home/.+ system_u:object_r:user_home_t /home/\.ircmotd -- system_u:object_r:user_irc_home_t /home/lost\+found/.* <<none>> /home/\.config/gtk-.* system_u:object_r:gnome_home_t # Home Context for user root /root/.+ system_u:object_r:user_home_t /root/\.ircmotd -- system_u:object_r:user_irc_home_t /root/lost\+found/.* <<none>> /root/\.config/gtk-.* system_u:object_r:gnome_home_t
netfilter_contexts & netfilter.local File
These files do not seem to be used at present. There is code to produce a netfilter_contexts file for use by the GNU/Linux iptables service (This uses SECMARK labeling that has been utilised by SELinux) in the Reference Policy that would generate a file similar to the example below, however there seems much debate on how they should be managed (see bug 201573 - Secmark iptables integration for details).
Example netfilter_contexts contents:
# This is an example that would be generated by the Reference # Policy, however seems on hold. # This is the standard iptables header: *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :selinux_input - [0:0] :selinux_output - [0:0] :selinux_new_input - [0:0] :selinux_new_output - [0:0] -A INPUT -j selinux_input -A OUTPUT -j selinux_output -A selinux_input -m state --state NEW -j selinux_new_input -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore -A selinux_output -m state --state NEW -j selinux_new_output -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore -A selinux_new_input -j SECMARK --selctx system_u:object_r:server_packet_t:s0 # These entries are built from the ports defined in the policy: -A selinux_new_input -p udp --dport 7007 -j SECMARK --selctx system_u:object_r:afs_bos_server_packet_t:s0 -A selinux_new_input -p tcp --dport 2040 -j SECMARK --selctx system_u:object_r:afs_fs_server_packet_t:s0 -A selinux_new_input -p udp --dport 7000 -j SECMARK --selctx system_u:object_r:afs_fs_server_packet_t:s0 -A selinux_new_input -p udp --dport 7005 -j SECMARK --selctx system_u:object_r:afs_fs_server_packet_t:s0 ..... ..... # This is the standard iptables trailer: -A selinux_new_input -j CONNSECMARK --save -A selinux_new_input -j RETURN -A selinux_new_output -j CONNSECMARK --save -A selinux_new_output -j RETURN COMMIT
policy.kern File
This is the binary policy file built by either the semanage or semodule process (depending on the configuration action), that is then copied as the ./policy/policy.[ver] binary policy that will be loaded into the kernel.
seusers.final and seusers Files
The seusers.final file maps GNU / Linux users to SELinux users and becomes the policies seusers file as discussed in the ./seusers section. (Many seusers make confusion: The ./modules/active/seusers file is used to hold initial seusers entries, the ./modules/active/seusers.final file holds the complete entries that then becomes the policy ./seusers file). The seusers.final file is built or modified when:
- Building a policy where an optional seusers file has been included in the base package via the semodule_package(8) command (signified by the -s flag) as follows (The Reference Policy Makefile 'Rules.modular' script uses this method to install the initial seusers file):
semodule_package -o base.pp -m base.mod -s seusers ...
The seusers file would be extracted by the subsequent semodule command when building the policy to produce the seusers.final file.
- The semanage login command is used to map GNU / Linux users to SELinux users as follows:
semanage login -a -s staff_u rch
This action will update the seusers file that would then be used to produce the seusers.final file with both policy and locally defined user mapping.
The format of the seusers.final & seusers files are as follows:
user_id:seuser_id [:range]
Where:
user_id | The GNU / Linux user identity. |
seuser_id | The SELinux user identity. |
range | The optional range as defined in the MLS range definition section. |
Example seusers.final file contents:
# ./modules/active/seusers.final system_u:system_u root:root __default__:user_u
Example semanage login command to add a GNU / Linux user mapping:
# This command will add the rch:user_u entry in the seusers file: semanage login -a -s user_u rch
The resulting seusers file would be:
# ./modules/active/seusers rch:user_u
The seusers.final file that will become the ./<policy_name>/seusers file is as follows:
# ./modules/active/seusers.final system_u:system_u root:root __default__:user_u rch:user_u
users_extra, users_extra.local and users.local Files
These three files work together to describe SELinux user information as follows:
- The users_extra and users_extra.local files are used to map a prefix to users home directories as discussed in the ./modules/active/file_contexts.template file section, where it is used to replace the ROLE keyword. The prefix is linked to an SELinux user id and should reflect the users role. The semanage user command will allow a prefix to be added via the -P flag.
The users_extra file contains all the policy prefix entries, and the users_extra.local file contains those generated by the semanage user command.
The users_extra file can optionally be included in the base package via the semodule_package(8) command (signified by the -u flag) as follows (The Reference Policy Makefile 'Rules.modular' script uses this method to install the initial users_extra file):
semodule_package -o base.pp -m base.mod -u users_extra ...
The users_extra file would then be extracted by a subsequent semodule command when building the policy.
- The users.local file is used to add new SELinux users to the policy without editing the policy source itself (with each line in the file following a user policy language statement). This is useful when only the Reference Policy headers are installed and additional users need to added. The semanage user command will allow a new SELinux user to be added that would generate the user.local file and if a -P flag has been specified, then a users_extra.local file is also generated (note: if this is a new SELinux user and a prefix is not specified a default prefix of user is generated).
The sections that follow will:
- Define the format and show example users_extra and users_extra.local files.
- Execute an semanage user command that will add a new SELinux user and associated prefix, and show the resulting users_extra, users_extra.local and users.local files.
Note that each line of the users.local file contains a user statement that is defined in the policy language user Statement section, and will be built into the policy via the semanage command.
The format of the users_extra & users_extra.local files are as follows:
user seuser_id prefix prefix_id;
Where:
user | The user keyword. |
seuser_id | The SELinux user identity. |
prefix | The prefix keyword. |
prefix_id | An identifier that will be used to replace the ROLE keyword within the ./modules/active/homedir_template file when building the ./modules/active/file_contexts.homedirs file for the relabeling utilities to set the security context on users home directories. |
Example users_extra file contents:
# ./modules/active/users_extra entries, note that the # users_extra.local file contents are similar and generated by # the semanage user command. user user_u prefix user; user staff_u prefix user; user sysadm_u prefix user; user root prefix user;
Example semanage user command to add a new SELinux user:
# This command will add the user test_u prefix staff entry in # the users_extra.local file: semanage user -a -R staff_r -P staff test_u
The resulting users_extra.local file is as follows:
# ./modules/active/users_extra.local user test_u prefix staff;
The resulting users_extra file is as follows:
# ./modules/active/users_extra user user_u prefix user; user staff_u prefix user; user sysadm_u prefix user; user root prefix user; user test_u prefix staff;
The resulting users.local file is as follows:
# ./modules/active/users.local file entry: user test_u roles { staff_r } level s0 range s0;
booleans.local File
This file is created and updated by the semanage boolean command and holds boolean value as requested. It should be noted that instead of using this file, the command allows a different file to be specified (see the semanage man page).
Example semanage boolean command to modify a boolean value:
# This command will add an entry in the booleans.local # file and set the boolean value to off: semanage boolean -m -0 ext_gateway_audit
The resulting booleans.local file would be:
# ./modules/active/booleans.local ext_gateway_audit=0
file_contexts.local File
This file is created and updated by the semanage fcontext command. It is used to hold file context information on files and directories that were not delivered by the core policy (i.e. they are not defined in any of the *.fc files delivered in the base and loadable modules).
The semanage command will add the information to the policy stores file_contexts.local file and then copy this file to the ./contexts/files/file_contexts.local file, where it will be used when the file context utilities are run.
The format of the file_contexts.local file is the same as the ./modules/active/file_contexts.template file.
Example semanage fcontext command to add a new entry:
# This command will add an entry in the file_contexts.local # file: semanage fcontext -a -t user_t /usr/move_file # Note that the type (-t flag) must exist in the policy # otherwise the command will fail.
The resulting file_contexts.local file would be:
# ./modules/active/file_contexts.local /usr/move_filesystem_u:object_r:user_t
interfaces.local File
This file is created and updated by the semanage interface command to hold network interface information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new interface information is then built into the policy by the semanage process.
Each line of the file contains a netifcon statement that is defined along with examples in the netifcon Statement section.
nodes.local File
This file is created and updated by the semanage node command to hold network address information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new node information is then built into the policy by the semanage process.
Each line of the file contains a nodecon statement that is defined along with examples in the policy language nodecon Statement section.
ports.local File
This file is created and updated by the semanage port command to hold network port information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new port information is then built into the policy by the semanage process.
Each line of the file contains a portcon statement that is defined along with examples in the policy language portcon Statement section.
modules Directory Contents
This directory contains the loadable modules (<module_name>.pp) that have been packaged by the semodule_package command and placed in the store by the semodule command as shown in the following example:
# Package the module ''move_file_c'': semodule_package -o move_file_c.pp -m move_file_c.mod -f move_file.fc # Then to install it in the store (at /etc/selinux/modular-test/ # modules/active/modules/move_file_c.pp) and build the binary # policy file, run the semodule command: semodule -v -s modular-test -i move_file_c.pp