1 <html devsite> 2 <head> 3 <title>SELinux concepts</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>Review this page to become familar with the concepts at play within SELinux.</p> 27 28 <h2 id=mandatory_access_control>Mandatory access control</h2> 29 30 <p>Security Enhanced Linux (SELinux), is a mandatory access control (MAC) system 31 for the Linux operating system. As a MAC system, it differs from Linuxs 32 familiar discretionary access control (DAC) system. In a DAC system, a concept 33 of ownership exists, whereby an owner of a particular resource controls access 34 permissions associated with it. This is generally coarse-grained and subject 35 to unintended privilege escalation. A MAC system, however, consults a central 36 authority for a decision on all access attempts.</p> 37 38 <p>SELinux has been implemented as part of the Linux Security Module (LSM) 39 framework, which recognizes various kernel objects, and sensitive actions 40 performed on them. At the point at which each of these actions would be 41 performed, an LSM hook function is called to determine whether or not the 42 action should be allowed based on the information for it stored in an opaque 43 security object. SELinux provides an implementation for these hooks and 44 management of these security objects, which combine with its own policy, to 45 determine the access decisions.</p> 46 47 <p>In conjunction with other Android security measures, Android's access control 48 policy greatly limits the potential damage of compromised machines and 49 accounts. Using tools like Android's discretionary and mandatory access 50 controls gives you a structure to ensure your software runs only at the minimum 51 privilege level. This mitigates the effects of attacks and reduces the 52 likelihood of errant processes overwriting or even transmitting data.</p> 53 54 <p>Starting in Android 4.3, SELinux provides a mandatory access control (MAC) 55 umbrella over traditional discretionary access control (DAC) environments. For 56 instance, software must typically run as the root user account to write to raw 57 block devices. In a traditional DAC-based Linux environment, if the root user 58 becomes compromised that user can write to every raw block device. However, 59 SELinux can be used to label these devices so the process assigned the root 60 privilege can write to only those specified in the associated policy. In this 61 way, the process cannot overwrite data and system settings outside of the 62 specific raw block device.</p> 63 64 <p>See <a href="implement.html#use_cases">Use Cases</a> for more examples of threats and ways to address them with SELinux.</p> 65 66 <h2 id=enforcement_levels>Enforcement levels</h2> 67 68 <p>Become familiar with the following terms to understand how SELinux can be 69 implemented to varying strengths.</p> 70 71 <ul> 72 <li><em>Permissive</em> - SELinux security policy is not enforced, only logged. 73 <li><em>Enforcing</em> - Security policy is enforced and logged. Failures appear as EPERM errors. 74 </ul> 75 76 <p>This choice is binary and determines whether your policy takes action or merely 77 allows you to gather potential failures. Permissive is especially useful during 78 implementation.</p> 79 80 <ul> 81 <li><em>Unconfined</em> - A very light policy that prohibits certain tasks and provides a temporary 82 stop-gap during development. Should not be used for anything outside of the 83 Android Open Source Project (AOSP). 84 <li><em>Confined</em> - A custom-written policy designed for the service. That policy should define 85 precisely what is allowed. 86 </ul> 87 88 <p>Unconfined policies are available to help implement SELinux in Android quickly. 89 They are suitable for most root-level applications. But they should be 90 converted to confined policies wherever possible over time to restrict each 91 application to precisely the resources it needs.</p> 92 93 <p>Ideally, your policy is both in enforcing mode and confined. Unconfined 94 policies in enforcement mode can mask potential violations that would have been 95 logged in permissive mode with a confined policy. Therefore, we strongly 96 recommend that device implementers implement true confined policies.</p> 97 98 <h2 id=labels_rules_and_domains>Labels, rules and domains</h2> 99 100 <p>SELinux depends upon <em>labels</em> to match actions and policies. Labels determine what is allowed. Sockets, 101 files, and processes all have labels in SELinux. SELinux decisions are based 102 fundamentally on labels assigned to these objects and the policy defining how 103 they may interact. In SELinux, a label takes the form: 104 user:role:type:mls_level, where the type is the primary component of the access 105 decisions, which may be modified by the other sections components which make up 106 the label. The objects are mapped to classes and the different types of access 107 for each class are represented by permissions. </p> 108 109 <p>The policy rules come in the form: allow <em>domains</em> <em>types</em>:<em>classes</em> <em>permissions</em>;, where:</p> 110 111 <ul> 112 <li><em>Domain</em> - A label for the process or set of processes. Also called a domain type as it is just a type for a process. 113 <li><em>Type</em> - A label for the object (e.g. file, socket) or set of objects. 114 <li><em>Class</em> - The kind of object (e.g. file, socket) being accessed. 115 <li><em>Permission</em> - The operation (e.g. read, write) being performed. 116 </ul> 117 118 <p>And so an example use of this would follow the structure:</p> 119 <pre class="devsite-click-to-copy"> 120 allow appdomain app_data_file:file rw_file_perms; 121 </pre> 122 123 <p>This says that all application domains are allowed to read and write files labeled 124 app_data_file. Note that this rule relies upon macros defined in the 125 global_macros file, and other helpful macros can also be found in the te_macros 126 file, both of which can be found in the <a href="https://android.googlesource.com/platform/system/sepolicy/">system/sepolicy</a> directory in the AOSP source tree. Macros are provided for common groupings of classes, permissions and 127 rules, and should be used whenever possible to help reduce the likelihood of 128 failures due to denials on related permissions.</p> 129 130 <p>In addition to individually listing domains or types in a rule, one can also refer to a set of domains or types via an <em>attribute</em>. An attribute is simply a name for a set of domains or types. Each domain or type can be associated with any number of attributes. When a rule is written that specifies an attribute name, that name is automatically expanded to the list of domains or types associated with the attribute. For example, the <em>domain</em> attribute is associated with all process domains, and the <em>file_type</em> attribute is associated with all file types.</p> 131 132 <p>Use the syntax above to create avc rules that comprise the essence of an 133 SELinux policy. A rule takes the form: 134 <pre class="devsite-click-to-copy"> 135 <var>RULE_VARIANT SOURCE_TYPES TARGET_TYPES</var> : <var>CLASSES PERMISSIONS</var> 136 </pre> 137 138 <p>The rule indicates what should happen when a subject labeled with any of the <em>source_types</em> attempts an action corresponding to any of the <em>permissions</em> on an object with any of the class <em>classes</em> which has any of the <em>target_types</em> label. The most common example of one of these rules is an allow rule, e.g.:</p> 139 140 <pre class="devsite-click-to-copy"> 141 allow domain null_device:chr_file { open }; 142 </pre> 143 144 145 <p> 146 This rule allows a process with any <em>domain</em> associated with the domain attribute to take the action described by the <em>permission</em> open on an object of <em>class</em> chr_file (character device file) that has the <em>target_type</em> label of null_device. In practice, this rule may be extended to include other permissions: </p> 147 148 <pre class="devsite-click-to-copy"> 149 allow domain null_device:chr_file { getattr open read ioctl lock append write}; 150 </pre> 151 152 <p>When combined with the knowledge that domain is an attribute assigned to 153 all process domains and 154 that null_device is the label for the character device /dev/null, this rule basically 155 permits reading and writing to <code>/dev/null</code>.</p> 156 157 <p>A <em>domain</em> generally corresponds to a process and will have a label associated with it.</p> 158 159 <p>For example, a typical Android app is running in its own process and has the 160 label of untrusted_app that grants it certain restricted permissions.</p> 161 162 <p>Platform apps built into the system run under a separate label and are granted 163 a distinct set of permissions. System UID apps that are part of the core Android 164 system run under the system_app label for yet another set of privileges.</p> 165 166 <p>Access to the following generic labels should never be directly allowed to domains; instead, a more specific type should be created for the object or objects:</p> 167 168 <ul> 169 <li> socket_device 170 <li> device 171 <li> block_device 172 <li> default_service 173 <li> system_data_file 174 <li> tmpfs 175 </ul> 176 177 </body> 178 </html> 179
