b0ed365ed7
A deny rule is like a neverallow rule, except that permissions are
removed rather than an error reported.
(allow S1 T1 P1)
(deny S2 T2 P2)
First, write the allow rule with all of the permissions not in the deny rule
P3 = P1 and not P2
(allow S1 T1 P3)
Obviously, the rule is only written if P3 is not an empty list. This goes
for the rest of the rules as well--they are only written if the source and
target exist.
The remaining rules will only involve the common permissions
P4 = P1 and P2
Next, write the allow rule for any types in S1 that are not in S2
S3 = S1 and not S2
(allow S3 T1 P4)
Finally, write the allow rules needed to cover the types in T1 that are
not in T2. Since, T1 and T2 might be "self", "notself", or "other", this
requires more complicated handling. Any rule with "self" will not match
a rule with either "notself" or "other".
if (T1 is self and T2 is self) or (T1 is notself and T2 is notself) then
Nothing more needs to be done.
The rest of the rules will depend on the intersection of S1 and S2
which cannot be the empty set since the allow and deny rules match.
S4 = S1 and S2
if T1 is notself or T1 is other or T2 is notself or T2 is other then
if T1 is notself then
if T2 is other then
T = ALL and not S2
(allow S4 T P4)
else [T2 is not self, notself, or other]
S5 = S4 and not T2
S6 = S4 and T2
TA = ALL and not T2
TB = TA and not S4
(allow S6 TA P4)
(allow S5 TB P4)
if cardinality(S5) > 1 then
(allow S5 other P4)
else if T1 is other then
(allow S3 S4 P4)
if T2 is notself then
[Nothing else is needed]
else if T2 is other then
(allow S4 S3 P4)
else [T2 is not self, notself, or other]
S5 = S4 and not T2
S6 = S4 and T2
TC = S1 and not T2
TD = S3 and not T2
(allow S6 TC P4)
(allow S5 TD P4)
if cardinality(S5) > 1 then
(allow S5 other P4)
else [T1 is not self, notself, or other]
S8 = S4 and T1
(allow S8 self P4)
if T2 is notself then
[Nothing else is needed]
else [T2 is other]
T = T1 and not S2
(allow S4 T P4)
else [Neither T1 nor T2 are notself or other]
if T1 is self and T2 is not self then
S5 = S4 and not T2
(allow S5 self P4)
else if T1 is not self and T2 is self then
S7 = S4 and not T1
S8 = S4 and T1
T8 = T1 and not S4
(allow S7 T1 P4)
(allow S8 T8 P4)
if cardinality(S8) > 1 then
(allow S8 other P4)
else [Neither T1 nor T2 is self]
T3 = T1 and not T2
(allow S4 T3 P4)
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
|
||
|---|---|---|
| .circleci | ||
| .github/workflows | ||
| checkpolicy | ||
| dbus | ||
| gui | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| mcstrans | ||
| policycoreutils | ||
| python | ||
| restorecond | ||
| sandbox | ||
| scripts | ||
| secilc | ||
| semodule-utils | ||
| .gitignore | ||
| .travis.yml | ||
| CleanSpec.mk | ||
| CONTRIBUTING.md | ||
| lgtm.yml | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| SECURITY.md | ||
| VERSION | ||
SELinux Userspace
SELinux is a flexible Mandatory Access Control (MAC) system built into the Linux Kernel. SELinux provides administrators with a comprehensive access control mechanism that enables greater access granularity over the existing Linux Discretionary Access Controls (DAC) and is present in many major Linux distributions. This repository contains the sources for the SELinux utilities and system libraries which allow for the configuration and management of an SELinux-based system.
Please submit all bug reports and patches to the selinux@vger.kernel.org mailing list. You can subscribe by sending "subscribe selinux" in the body of an email to majordomo@vger.kernel.org. Archives of the mailing list are available at https://lore.kernel.org/selinux.
Installation
SELinux libraries and tools are packaged in several Linux distributions:
- Alpine Linux (https://pkgs.alpinelinux.org/package/edge/testing/x86/policycoreutils)
- Arch Linux User Repository (https://aur.archlinux.org/packages/policycoreutils/)
- Buildroot (https://git.buildroot.net/buildroot/tree/package/policycoreutils)
- Debian and Ubuntu (https://packages.debian.org/sid/policycoreutils)
- Gentoo (https://packages.gentoo.org/packages/sys-apps/policycoreutils)
- RHEL and Fedora (https://src.fedoraproject.org/rpms/policycoreutils)
- Yocto Project (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux)
- and many more (https://repology.org/project/policycoreutils/versions)
Building and testing
Build dependencies on Fedora:
# For C libraries and programs
dnf install \
audit-libs-devel \
bison \
bzip2-devel \
CUnit-devel \
diffutils \
flex \
gcc \
gettext \
glib2-devel \
make \
libcap-devel \
libcap-ng-devel \
pam-devel \
pcre2-devel \
xmlto
# For Python and Ruby bindings
dnf install \
python3-devel \
python3-pip \
python3-setuptools \
python3-wheel \
ruby-devel \
swig
Build dependencies on Debian:
# For C libraries and programs
apt-get install --no-install-recommends --no-install-suggests \
bison \
flex \
gawk \
gcc \
gettext \
make \
libaudit-dev \
libbz2-dev \
libcap-dev \
libcap-ng-dev \
libcunit1-dev \
libglib2.0-dev \
libpcre2-dev \
pkgconf \
python3 \
systemd \
xmlto
# For Python and Ruby bindings
apt-get install --no-install-recommends --no-install-suggests \
python3-dev \
python3-pip \
python3-setuptools \
python3-wheel \
ruby-dev \
swig
To build and install everything under a private directory, run:
make clean distclean
make DESTDIR=~/obj install install-rubywrap install-pywrap
On Debian PYTHON_SETUP_ARGS='--install-option "--install-layout=deb"' needs to be set when installing the python wrappers in order to create the correct python directory structure.
To run tests with the built libraries and programs, several paths (relative to $DESTDIR) need to be added to variables $LD_LIBRARY_PATH, $PATH and $PYTHONPATH.
This can be done using ./scripts/env_use_destdir:
DESTDIR=~/obj ./scripts/env_use_destdir make test
Some tests require the reference policy to be installed (for example in python/sepolgen).
In order to run these ones, instructions similar to the ones in section install of ./.travis.yml can be executed.
To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
or on x86 (32-bit), run:
make install install-pywrap relabel
This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces.
Setting CFLAGS
Setting CFLAGS during the make process will cause the omission of many defaults. While the project strives to provide a reasonable set of default flags, custom CFLAGS could break the build, or have other undesired changes on the build output. Thus, be very careful when setting CFLAGS. CFLAGS that are encouraged to be set when overriding are:
- -fno-semantic-interposition for gcc or compilers that do not do this. clang does this by default. clang-10 and up will support passing this flag, but ignore it. Previous clang versions fail.
macOS
To install libsepol on macOS (mainly for policy analysis):
cd libsepol; make PREFIX=/usr/local install
This requires GNU coreutils:
brew install coreutils