This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
In Red Hat Enterprise Linux 7, we have fixed one of the biggest issues with SELinux where initial creation of content by users and administrators can sometimes get the wrong label.
The new feature makes labeling files easier for users and administrators. The goal is to prevent the accidental mislabeling of file objects.
Accidental Mislabeling
Users and administrators often create files or directories that do not have the same label as the parent directory, and then they forget to fix the label. One example of this would be an administrator going into the /root
directory and creating the .ssh
directory. In previous versions of Red Hat Enterprise Linux, the directory would get created with a label of admin_home_t
, even though the policy requires it to be labeled ssh_home_t
. Later when the admin tries to use the content of the .ssh
directory to log in without a password, sshd
(sshd_t
) fails to read the directory's contents because sshd
is not allowed to read files labeled admin_home_t
. The administrator would need to run restorecon -R -v /home/.ssh
to fix the labels, and often they forget to do so.
Another example would be a user creating the public_html
directory in his home directory. The default label for content in the home directory is user_home_t
, but SELinux requires the public_html
directory to be labeled http_user_content_t
, which allows the Apache process (httpd_t
) to read the content. We block the Apache process from reading user_home_t
as valuable information like user secrets and credit-card data could be in the user's home directory.
File Transitions Policy
Policy writers have always be able to write a file transition rule that includes the type of the processes creating the file object (NetworkManger_t
), the type of the directory that will contain the file object (etc_t
), and the class of the file object (file
). They can also specify the type of the created object (net_conf_t
):
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)
This policy line says that a process running as NetworkManager_t
creating any file in a directory labeled etc_t
will create it with the label net_conf_t
.
Named File Transitions Policy
Eric Paris added a cool feature to the kernel that allows the kernel to label a file based on four characteristics instead of just three. He added the base file name (not the path).
Now policy writers can write policy rules that state:
- If the
unconfined_t
user process creates the.ssh
directory in a directory labeledadmin_home_t
, then it will get created with the labelssh_home_t
: `filetrans_pattern(unconfined_t, admin_home_t, dir, ssh_home_t, ".ssh") - If the
staff_t
user process creates a directory namedpublic_html
in a directory labeleduser_home_dir_t
, it will get labeledhttp_user_content_t
: `filetrans_pattern(staff_t, user_home_dir_t, dir, http_user_content_t, "public_html")
Additionally, we have added rules to make sure that if the kernel creates content in /dev
, it will label it correctly rather than waiting for udev
to fix the label.
filetrans_pattern(kernel_t, device_t, chr_file, wireless_device_t, "rfkill")
Better Security
This can also be considered a security enhancement, since in Red Hat Enterprise Linux 6, policy writers could only write rules based on the the destination directory label. Consider the example above using NetworkManager_t
. In Red Hat Enterprise Linux 6, a policy writer would write filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t)
, which means the networkmanager
process could create any file in an etc_t
directory (/etc
) that did not exist. If for some reason the /etc/passwd
file did not exist, SELinux policy would not block NetworkManager_t
from creating /etc/passwd
. In Red Hat Enterprise Linux 7, we can write a tighter policy like this:
filetrans_pattern(NetworkManager_t, etc_t, file, net_conf_t, "resolv.conf")
This states that NetworkManger can only create files named resolv.conf
in directories labeled etc_t
. If it tries to create the passwd
file in an etc_t
directory, the policy would check if NetworkManager_t
is allowed to create an etc_t
file, which is not allowed.
Bottom Line
This feature should result in less occurrences of accidental mislabels by users and hopefully a more secure and better-running SELinux system.
About the author
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Senior Distinguished Engineer at Red Hat. He joined Red Hat in August 2001. Dan leads the Red Hat Container Engineering team since August 2013, but has been working on container technology for several years.
Dan helped developed sVirt, Secure Virtualization as well as the SELinux Sandbox back in RHEL6 an early desktop container tool. Previously, Dan worked Netect/Bindview's on Vulnerability Assessment Products and at Digital Equipment Corporation working on the Athena Project, AltaVista Firewall/Tunnel (VPN) Products. Dan has a BA in Mathematics from the College of the Holy Cross and a MS in Computer Science from Worcester Polytechnic Institute.
Browse by channel
Automation
The latest on IT automation that spans tech, teams, and environments
Artificial intelligence
Explore the platforms and partners building a faster path for AI
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
Explore how we reduce risks across environments and technologies
Edge computing
Updates on the solutions that simplify infrastructure at the edge
Infrastructure
Stay up to date on the world’s leading enterprise Linux platform
Applications
The latest on our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Developer resources
- Customer support
- Red Hat value calculator
- Red Hat Ecosystem Catalog
- Find a partner
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit