1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
An overview of domain transition analysis
A key feature of Type Enforcement (TE) security is the ability to
define domain types with which programs run, use that domain type to
control access to objects (which are also typed), and strictly control
the ability of a process to change its domain type. This last ability
is known as domain transition.
Apol supports analysis of an SELinux policy to understand the domain
transitions it allows. As with all access in SELinux, the ability to
transition from one domain to another is controlled by 'allow' rules
in the policy. Below, we describe how apol performs a domain
transition analysis.
The three types of interest for domain transitions
--------------------------------------------------
When discussing domain transition access, there are three different
types we must consider:
+ SOURCE TYPE: This is the domain type associated with a process
that is trying to change (transition) its domain type to another
type.
+ TARGET TYPE: This is the domain type to which the source type is
trying to transition.
+ FILE TYPE (ENTRYPOINT TYPE): This is a type associated with an
executable file object that allows the target type to be entered
as part of an execve() system call.
Forward vs. reverse domain transition analysis
----------------------------------------------
Apol supports both forward and reverse domain transition analysis. A
forward analysis determines all the TARGET types to which the selected
SOURCE types may transition. The results may be further filtered by
selecting particular object classes, permissions, and object types to
find transitions to domains that have those specific privileges or
that have access to a particular object type(s). A reverse analysis
is the opposite; select a TARGET type and determine all the SOURCE
types that may transition to the target type.
In each case, apol creates a tree structure to show the result. Drill
down the tree to follow any given transition path.
Criteria for identifying allow domain transitions
-------------------------------------------------
In SELinux, three types of access (and hence at least three rules)
must be allowed by the policy for a domain transition to occur. These
three access types form the criteria used by apol to determine allowed
transitions.
Given an understanding of the three types of interest in a domain
transition, the criteria for an allowed domain transition are as
follows. In the examples below, assume 'user_t' is the source type,
'passwd_t' is the target type, and 'passwd_exec_t' is the file entry
point type.
1. A rule must exist that allows the SOURCE domain type 'transition'
access for 'process' object class for the TARGET domain type. For
example, the rule:
allow user_t passwd_t : process transition;
meets this criterion by allowing the source type (user_t) 'process
transition' permission to the target type (passwd_t).
2. A rule must exist that allows the SOURCE domain type 'execute'
access to the FILE ENTRYPOINT type. For example, the rule:
allow user_t passwd_exec_t : file {read getattr execute};
meets the criterion by allowing the source type (user_t) 'execute'
access to the file entrypoint type (passwd_exec_t).
3. A rule must exist that allows the TARGET domain type 'entrypoint'
access to the FILE ENTRYPOINT type for file objects. For
example, the rule:
allow passwd_t passwd_exec_t : file entrypoint;
meets this criterion by allowing the target type (passwd_t) 'file
entrypoint' access to the file entrypoint type (passwd_exec_t).
4. There must be a way for the transition to be specified. Typically
this is accomplished in the policy with a TYPE TRANSITION statement.
For example, the statement:
type_transition user_t password_exec_t : process passwd_t;
meets this criterion by specifying that when user_t executes
a program with the passwd_exec_t type, the default type of the
new process is passwd_t. This is the most common specifier because
it does not require the programs to be SELinux-aware. Alternatively,
the program can be made SELinux-aware and the program itself may
specify the type of the new process. For example, the statement:
allow user_t self : process setexec;
allows the source type (user_t) to specify the type of new processes
when executing programs. In both the type transition and setexec
cases, the types that the source domain may transition to are
limited by the previous three criterion.
In the analysis results for a reverse domain transition analysis, apol
will list all the types that meet the above four criteria. On the
other hand, results for a forward domain transition analysis will be
limited to types that meet the above four criteria and that have the
specified privileges or access to a particular object type(s). See
'General Help' for the Forward DTA Advanced Search Options feature in
apol.
Filtering domain transition results in apol
-------------------------------------------
The domain transition analysis interface in apol provides the ability
to further refine a domain transition query in order to find
transitions to a specific domain and/or transitions to domains that
are granted specific access to object types or classes. Filtering
results types using regular expressions is enabled for both forward
and reverse domain transition queries; however, the access filters are
only enabled for a forward domain transition query.
To enable and use the access filters, select the "Use access filters"
checkbox and display the Access Filters dialog. This dialog presents
listboxes for including object types, object classes, and permissions.
An access filter may be particulary useful to a user searching for
transitions to domains that have specific access to an object type
and/or class. For example, one could determine whether the type
user_t is allowed to transition to a domain that can write a file of
type shadow_t. To run this query from apol, specify the starting type
as user_t, go to the Access Filters dialog, select shadow_t in the
included object types listbox, select 'file' from the object classes
listbox and then select the 'write' permission. If multiple types,
classes, or permissions are selected, the results will include all
transitions to a domain with access to at least one of the selected
types for at least one of the selected classes with at least one of
the selected permissions.
|
