An overview of direct file relabel analysis


Understanding file relabel analysis
-----------------------------------
The permission to relabel objects in a mandatory access control system
is an important privilege.  In SELinux, this privilege is controlled
by the relabelto and relabelfrom permissions.  Understanding the net
effect of these policy rules is complex because it requires the
examination of multiple rules potentially spanning dozens of files.
To be able to successfully relabel an object, a subject must be able
to (both permissions are checked on the object's class, so a relabelto
granted on a different class does not count):

        - relabelfrom the starting type
        - relabelto at least one other type on the same object class

For example, consider the following rules:

        allow sysadm_t filea_t : file relabelfrom;
        allow sysadm_t { fileb_t filec_t } : file relabelto;

If these rules are the only relabel rules present in the policy,
sysadm_t would be allowed to relabel files of type filea_t to fileb_t
or filec_t.  Both a relabelfrom and a relabelto rule for a single
subject must be present for a relabel to be possible.

Determining the potential ending types to which a starting type can be
relabeled requires examining all subjects for relabel rules from the
starting type to one or more ending types.  Determining the relabel
privileges of a subject type requires examining all of the relabel
rules containing the subject type.  The direct file relabel analysis
in apol automates both of these analyses.


Using direct file relabel analysis in apol
------------------------------------------
Direct file relabel analysis is designed to facilitate querying a
policy for both potential changes to object labels and relabel
privileges granted to a subject.  These two modes are respectively
called Object Mode and Subject Mode.


Object Mode
-----------
In Object Mode, the user specifies a starting or ending type and
either to, from or both.  When To is selected, all types to which the
starting type can be relabeled will be displayed.  When From is
selected, all types from which the ending type can be relabeled will
be displayed.  If both options are selected, the analysis performs
both.


Subject Mode
------------
In Subject Mode, the user specifies only a subject type.  Two lists of
types will be displayed corresponding to all of the types to which the
subject can relabel and from which the subject can relabel.


Optional result filters
-----------------------
Results may be filtered in several ways.  The end types resulting from
a query may be filtered by regular expression.  Advanced Filters
provide the option of selecting which object classes to include in the
analysis and which types to include as subjects of relabeling
operations.  The subject types filter is disabled in subject mode
because all types are excluded as subjects except the type specified as
the required parameter.
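The analysis described above (Object Mode with To, From or both,
Subject Mode, and the regular-expression, object-class and subject-type
filters) as an added Python example; this is not apol's or SETools'
own code.  It parses a constructed fragment of allow rules written in
the same syntax as the examples above and computes the results the
GUI would display, including a subject (user_t) that has relabelfrom
but no relabelto and therefore contributes nothing.  The rule text,
the extra type names (restorecon_t, user_t, logd_t, vard_t) and the
function names are assumptions made for this example.  The one SELinux
fact it relies on is that relabelfrom and relabelto are both checked
against the object's class, so a relabelfrom/relabelto pair only
counts when the classes match.

```python
"""Direct file relabel analysis over a small constructed set of allow rules."""
import re
from collections import defaultdict

# Constructed sample rules (not from a real policy).  The first two lines
# are the ones from the help text; the rest add a second class, a second
# relabeling subject, and a subject that lacks relabelto.
SAMPLE_RULES = """
allow sysadm_t filea_t : file relabelfrom;
allow sysadm_t { fileb_t filec_t } : file relabelto;
allow sysadm_t logd_t : dir relabelfrom;
allow sysadm_t { vard_t filea_t } : dir relabelto;
allow restorecon_t { filea_t fileb_t } : file { relabelfrom relabelto };
allow user_t filea_t : file relabelfrom;
allow user_t filea_t : file { read write };
"""

# allow <src> <tgt> : <class> <perms> ;  where any field may be a { set }
RULE_RE = re.compile(
    r"allow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;"
)


def _expand(field):
    """Turn 'a' or '{ a b }' into a set of names."""
    return set(field.strip("{} ").split())


def parse_rules(text):
    """Return (subject, target, class, perms) tuples, one per expanded rule."""
    rules = []
    for m in RULE_RE.finditer(text):
        for src in _expand(m.group("src")):
            for tgt in _expand(m.group("tgt")):
                for cls in _expand(m.group("cls")):
                    rules.append((src, tgt, cls, _expand(m.group("perms"))))
    return rules


def relabel_index(rules, classes=None, subjects=None):
    """Per subject: the (type, class) pairs it may relabelfrom / relabelto.
    classes and subjects are the Advanced Filters (None means no filter)."""
    from_map, to_map = defaultdict(set), defaultdict(set)
    for subj, tgt, cls, perms in rules:
        if classes is not None and cls not in classes:
            continue
        if subjects is not None and subj not in subjects:
            continue
        if "relabelfrom" in perms:
            from_map[subj].add((tgt, cls))
        if "relabelto" in perms:
            to_map[subj].add((tgt, cls))
    return from_map, to_map


def _pair(start_map, end_map, type_name, end_regex):
    """Join one side of the index with the other on subject and class.
    Returns end_type -> {(subject, class)} so the granting rules are visible."""
    out = defaultdict(set)
    pat = re.compile(end_regex) if end_regex else None
    for subj, starts in start_map.items():
        for t, cls in starts:
            if t != type_name:
                continue
            for other, ocls in end_map.get(subj, ()):
                # same class only; relabeling a type to itself is not reported
                if ocls != cls or other == type_name:
                    continue
                if pat and not pat.search(other):
                    continue
                out[other].add((subj, cls))
    return dict(out)


def object_mode(rules, type_name, direction="both", classes=None,
                subjects=None, end_regex=None):
    """Object Mode.  'to': types the starting type can be relabeled to.
    'from': types the ending type can be relabeled from.  'both': both."""
    from_map, to_map = relabel_index(rules, classes, subjects)
    results = {}
    if direction in ("to", "both"):
        results["to"] = _pair(from_map, to_map, type_name, end_regex)
    if direction in ("from", "both"):
        results["from"] = _pair(to_map, from_map, type_name, end_regex)
    return results


def subject_mode(rules, subject, classes=None, end_regex=None):
    """Subject Mode: the types one subject may relabel to and from.
    There is no subjects filter here; the subject itself is the filter."""
    from_map, to_map = relabel_index(rules, classes, subjects={subject})
    pat = re.compile(end_regex) if end_regex else None

    def keep(pairs):
        return sorted({t for t, _ in pairs if not pat or pat.search(t)})

    return {"to": keep(to_map.get(subject, ())),
            "from": keep(from_map.get(subject, ()))}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("filea_t can be relabeled to:", object_mode(rules, "filea_t", "to"))
    print("filea_t can be relabeled from:", object_mode(rules, "filea_t", "from"))
    print("sysadm_t relabel privileges:", subject_mode(rules, "sysadm_t"))
    print("user_t relabel privileges:", subject_mode(rules, "user_t"))
```

Note that user_t appears in no Object Mode result even though it holds
relabelfrom on filea_t, and that sysadm_t's relabelto on filea_t for
class dir does not pair with restorecon_t's relabelfrom on class file;
passing classes={"file"} to the From query drops the dir result.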