Seeing the
syntax of individual policy
declarations is not the same as seeing how they work together to
establish a useful policy. In this section, we’ll
look at the policy that governs the ping_t
domain,
and the related domain ping_exec_t
, as implemented
in Fedora Core 2. Like most policies, this policy resides in two
files:
The ping.fc
file has these contents:
# ping /bin/ping.* -- system_u:object_r:ping_exec_t /usr/sbin/hping2 -- system_u:object_r:ping_exec_t
When the filesystems are labeled, these specifications cause ordinary
files matching the first regular expression
/bin/ping.*
to be labeled with the security
context system_u:object_r:ping_exec_t
. Ordinary
files matching the second regular expression
/usr/sbin/hping2
are also labeled with that
security context. The ping.te
file is
considerably longer than the ping.fc
file, so
we’ll analyze it a few lines at a time. The first
several lines are merely comments:
#DESC Ping - Send ICMP messages to network hosts # # Author: David A. Wheeler <[email protected]> # X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2 # ################################# # # Rules for the ping_t domain. # # ping_t is the domain for the ping program. # ping_exec_t is the type of the corresponding program. #
The comments point out that the domain has two associated types,
ping_t
and ping_exec_t
. Most
domains have at least two types such as these: a type synonymous with
the domain (ping_t
) and another type used for
programs that serve as entry points to the domain
(ping_exec_t
).
The next line identifies ping_t
as a type and
gives it the domain
and privlog
attributes,
marking the type as a domain that is authorized to communicate with
the system log process.
type ping_t, domain, privlog;
The next two lines identify two roles, sysadm_r
and
system_r
, authorized to access the
ping_t
domain:
role sysadm_r types ping_t; role system_r types ping_t;
The next line invokes an M4 macro:
in_user_role(ping_t)
The macro definition resides in
macros/
user_macros.te
. Its
expansion generates the declarations:
role user_r types ping_t; role staff_r types ping_t;
These declarations extend the list of roles privileged to access the
ping_t
domain. However, as we will see, the
role
statement is not enough to ensure that
ordinary users can execute a ping. A transition
must also be authorized.
The next line defines the ping_exec_t
type,
marking it as a file type rather than a domain:
type ping_exec_t, file_type, sysadmfile, exec_type;
The declaration also marks the type as related to an executable file that is accessible to the system administrator.
The next line initializes a policy Boolean with the value
false
:
bool user_ping false;
This Boolean controls whether ordinary users are permitted to use the ping command and related commands.
The next several lines compose a conditional declaration that affects
policy only if the policy Boolean user_ping
has
the value true
:
if (user_ping) { domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) # allow access to the terminal allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') }
The conditional declaration uses an M4 macro to generate declarations
authorizing processes in unprivileged domains to automatically enter
the ping_t
domain via execution of a
ping_exec_t
executable file. It also authorizes
access to the TTY or PTY and authorizes use of a file descriptor
marked with the
gphdomain
(Gnome
PTY helper) attribute.
Access to the TTY or PTY file is granted through the
ttyfile and
ptyfile type attributes. These
attributes, defined in the file attrib.te
, are
associated with the three types used to label all TTYs and PTYs:
sysadm_tty_device_t
,
staff_tty_device_t
, and
user_tty_device_t
. For instance, the
macros/admin_macros.te
file contains macros that
expand upon invocation to the following declaration:
type sysadm_tty_device_t, file_type, sysadmfile, ttyfile;
The declaration binds the type attribute ttyfile
to the type sysadm_tty_device_t
. Thus, the
allow
declaration within the
ping_t
domain permits processes within that domain
to permit read and write operations on device files labeled
sysadm_tty_device_t
.
The next several lines cause an automatic
transition to the ping_t
domain when a sysadm_t
or
initrc_t
process loads a
ping_exec_t
executable:
# Transition into this domain when you run this program. domain_auto_trans(sysadm_t, ping_exec_t, ping_t) domain_auto_trans(initrc_t, ping_exec_t, ping_t)
Because these declarations are specified unconditionally, system
administrators and processes running under init
can always ping.
The next several lines invoke M4 macros that generate declarations enabling access to shared libraries, network resources, and use Network Information Service (NIS) (also known as yp):
uses_shlib(ping_t) can_network(ping_t) can_ypbind(ping_t)
Most of the remaining lines extend specific
permissions to processes
in the ping_t
domain. First, such processes are
allowed to get the attributes of and read etc_t
files:
allow ping_t etc_t:file { getattr read };
Such processes are also allowed to create Unix stream sockets:
allow ping_t self:unix_stream_socket create_socket_perms;
Likewise, such processes can create and perform several other operations on raw IP sockets:
# Let ping create raw ICMP packets. allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
Processes in ping_t
can send and receive
raw IP packets using any
interface and node:
allow ping_t netif_type:netif { rawip_send rawip_recv }; allow ping_t node_type:node { rawip_send rawip_recv };
Likewise, they can use the
net_raw
and
setuid
capabilities.
# Use capabilities. allow ping_t self:capability { net_raw setuid };
Finally, they can access the terminal:
# Access the terminal. allow ping_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') allow ping_t { userdomain privfd kernel_t }:fd use;
Two additional declarations avoid cluttering the system log with
useless chatter resulting from failed attempts to get filesystem
attributes and search var_t
directories:
dontaudit ping_t fs_t:filesystem getattr; dontaudit ping_t var_t:dir search;
Exactly why ping wants to perform these operations isn’t clear; presumably study of its source code would disclose the reason. But ping seems to work fine even when it is prohibited from performing these operations, so, consistent with the principle of least privilege, we choose not to enable them.
ping isn’t alone in attempting unnecessary operations; quite a few programs do so. It’s best to determine experimentally whether failed operations are really needed, rather than give a program free rein by enabling every operation it attempts.
The ping.te
file, which contains 57 lines, is
actually a bit longer than the median TE file size of 54 lines. So if
you understand it, you’re likely to experience no
significant difficulty in understanding all but the most complex TE
files. In Chapter 9we move on to consider how to
modify existing policies and create policies of your
own.