From patchwork Wed Sep 9 13:30:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11767725 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A880C92C for ; Thu, 10 Sep 2020 12:16:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5897B2074B for ; Thu, 10 Sep 2020 12:16:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com header.b="fO8RbJ0p" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730252AbgIJMPq (ORCPT ); Thu, 10 Sep 2020 08:15:46 -0400 Received: from mailomta28-re.btinternet.com ([213.120.69.121]:54945 "EHLO re-prd-fep-045.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730408AbgIJMNr (ORCPT ); Thu, 10 Sep 2020 08:13:47 -0400 Received: from re-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.54.6]) by re-prd-fep-043.btinternet.com with ESMTP id <20200909133048.EKJL29506.re-prd-fep-043.btinternet.com@re-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 9 Sep 2020 14:30:48 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1599658248; bh=m/xLRItvvIlsfdKfksgXgc3A96SYWY3zUHvq/SS7128=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version; b=fO8RbJ0pPD+i80zvmsKBzog03j2UoQAIMRX/jujr87ZBFhkyd16InI4o0dFcRppVuBNJ0AuC9CDac+EMRmmkQXwfcIkpUCGY6zykzGSjEIwq3UOLg99kIa4WHZjI/OazBFWbJksnTBmGbzWgED8May5K/GDhClS/BXjqy9Hm/zCWpg4vYBGumcgcP6R0fthSut/wsMcrGPFTynJGlWCRecvbTjGidt6n3KVLz7gA578Ww5plmVpBjc0zL0jnJXK26AtzBwIY8YAw0b/Ocky9zOtcKBDAjIJf2bkGhgZZn7Yv2zJ6Bwd6zc3A4uUUXKQtTeiO7Tz5QM1QLpdHh/jEYQ== Authentication-Results: btinternet.com; none X-Originating-IP: [86.154.154.133] X-OWM-Source-IP: 86.154.154.133 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=70/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduiedrudehhedgiedvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecugfgrrhhlhicushhprhhinhhgucdljedtmdenucfjughrpefhvffufffkofgjfhgggfestdekredtredttdenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuggftrfgrthhtvghrnheptdehheehvdfhfefgffduhffgffeltdehgffghffhudekkefhteekfeduveetieegnecuffhomhgrihhnpehgohhoghhlvggtohguvgdrtghomhenucfkphepkeeirdduheegrdduheegrddufeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpeekiedrudehgedrudehgedrudeffedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdp rhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 70 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from localhost.localdomain (86.154.154.133) by re-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9C2FD10134E24; Wed, 9 Sep 2020 14:30:48 +0100 From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 15/22] types_of_policy: Convert to markdown Date: Wed, 9 Sep 2020 14:30:32 +0100 Message-Id: <20200909133039.44498-16-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200909133039.44498-1-richard_c_haines@btinternet.com> References: <20200909133039.44498-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/types_of_policy.md | 359 +++++++++++++++++++++-------------------- 1 file changed, 184 insertions(+), 175 deletions(-) diff --git a/src/types_of_policy.md b/src/types_of_policy.md index a55fdd0..b9ae190 100644 --- a/src/types_of_policy.md +++ b/src/types_of_policy.md @@ -1,32 +1,42 @@ # Types of SELinux Policy +- [Reference Policy](#reference-policy) +- [Policy Functionality Based on Name or Type](#policy-functionality-based-on-name-or-type) +- [Custom Policy](#custom-policy) +- [Monolithic Policy](#monolithic-policy) +- [Loadable Module Policy](#loadable-module-policy) + - [Optional Policy](#optional-policy) +- [Conditional Policy](#conditional-policy) +- [Binary Policy](#binary-policy) +- [Policy Versions](#policy-versions) + This section describes the different type of policy descriptions and versions that can be found within SELinux. The type of SELinux policy can described in a number of ways: -1. Source code - These can be described as: - [**Reference Policy**](types_of_policy.md#reference-policy) or - [**Custom**](types_of_policy.md#custom-policy). - They are generally written using - [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language), - [**Reference Policy Support Macros**](reference_policy.md#reference-policy-support-macros), - or using [**CIL**](cil_overview.md#cil-overview) -2. They can also be classified as: [**Monolithic**](types_of_policy.md#monolithic-policy), - [**Base Module or Loadable Module**](types_of_policy.md#reference-policy). -3. Policies can also be described by the - [**type of policy functionality**](types_of_policy.md#policy-functionality-based-on-name-or-type) they - provide such as: targeted, mls, mcs, standard, strict or minimum. -4. Classified using language statements - These can be described as - [**Modular, Optional**](types_of_policy.md#reference-policy) or - [**Conditional**](types_of_policy.md#conditional-policy). -5. Binary or Kernel policy. These are the compiled policy used by the kernel. -6. Classification can also be on the '[**policy version**](types_of_policy.md#policy-versions)' - used (examples are version 22, 23 and 24). -7. Policy can also be generated depending on the target platform of - either 'selinux' (the default) or 'xen' (see the SELinux policy - generation tools ***checkpolicy**(8)*, ***secilc**(8)* and ***semanage**(8)* - *target_platform* options). +1. Source code - These can be described as: + [**Reference Policy**](types_of_policy.md#reference-policy) or + [**Custom**](types_of_policy.md#custom-policy). + They are generally written using + [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language), + [**Reference Policy Support Macros**](reference_policy.md#reference-policy-support-macros), + or using [**CIL**](cil_overview.md#cil-overview) +2. They can also be classified as: [**Monolithic**](types_of_policy.md#monolithic-policy), + [**Base Module or Loadable Module**](types_of_policy.md#reference-policy). +3. Policies can also be described by the + [**type of policy functionality**](types_of_policy.md#policy-functionality-based-on-name-or-type) they + provide such as: targeted, mls, mcs, standard, strict or minimum. +4. Classified using language statements - These can be described as + [**Modular, Optional**](types_of_policy.md#reference-policy) or + [**Conditional**](types_of_policy.md#conditional-policy). +5. Binary or Kernel policy. These are the compiled policy used by the kernel. +6. Classification can also be on the '[**policy version**](types_of_policy.md#policy-versions)' + used (examples are version 22, 23 and 24). +7. Policy can also be generated depending on the target platform of + either 'selinux' (the default) or 'xen' (see the SELinux policy + generation tools ***checkpolicy**(8)*, ***secilc**(8)* and ***semanage**(8)* + *target_platform* options). As can be seen the description of a policy can vary depending on the context. @@ -61,30 +71,32 @@ Generally a policy is installed with a given name such as *targeted*, *mls*, *refpolicy* or *minimum* that attempts to describes its functionality. This name then becomes the entry in: -1. The directory pointing to the policy location (e.g. if the name is - *targeted*, then the policy will be installed in - */etc/selinux/targeted*). -2. The *SELINUXTYPE* entry in the */etc/selinux/config* file when it is - the active policy (e.g. if the name is *targeted*, then a - *SELINUXTYPE=targeted* entry would be in the */etc/selinux/config* - file). +1. The directory pointing to the policy location (e.g. if the name is + *targeted*, then the policy will be installed in + */etc/selinux/targeted*). +2. The *SELINUXTYPE* entry in the */etc/selinux/config* file when it is + the active policy (e.g. if the name is *targeted*, then a + *SELINUXTYPE=targeted* entry would be in the */etc/selinux/config* + file). This is how the reference policies distributed with Fedora are named, where: -- minimum - supports a minimal set of confined daemons within their own - domains. The remainder run in the unconfined_t space. Red Hat - pre-configure MCS support within this policy. -- targeted - supports a greater number of confined daemons and can also - confine other areas and users. Red Hat pre-configure MCS support within - this policy. -- mls - supports server based MLS systems. + +- minimum - supports a minimal set of confined daemons within their own + domains. The remainder run in the unconfined_t space. Red Hat + pre-configure MCS support within this policy. +- targeted - supports a greater number of confined daemons and can also + confine other areas and users. Red Hat pre-configure MCS support within + this policy. +- mls - supports server based MLS systems. The Reference Policy also has a *TYPE* description that describes the type of policy being built by the build process, these are: -- standard - supports confined daemons and can also confine other areas - and users. -- mcs - As standard but supports MCS labels. -- mls - supports server based MLS systems. + +- standard - supports confined daemons and can also confine other areas + and users. +- mcs - As standard but supports MCS labels. +- mls - supports server based MLS systems. The *NAME* and *TYPE* entries are defined in the reference policy *build.conf* file that is described in the Reference Policy @@ -95,14 +107,14 @@ section. This generally refers to a policy source that is either: -1. A customised version of the Reference Policy (i.e. not the standard - distribution version e.g. Red Hat policies). -2. A policy that has been built using policy language statements - (CIL or Kernel) to build a specific policy such as the basic policy built - in the Notebook *notebook-examples/selinux-policy* there are following - policies: -- [**Kernel Policy Language**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt) -- [**CIL Policy Language**](./notebook-examples/selinux-policy/cil/cil-nb-policy.txt) +1. A customised version of the Reference Policy (i.e. not the standard + distribution version e.g. Red Hat policies). +2. A policy that has been built using policy language statements + (CIL or Kernel) to build a specific policy such as the basic policy built + in the Notebook *notebook-examples/selinux-policy* there are following + policies: + - [**Kernel Policy Language**](./notebook-examples/selinux-policy/kernel/kern-nb-policy.txt) + - [**CIL Policy Language**](./notebook-examples/selinux-policy/cil/cil-nb-policy.txt) These examples were built using the Notebook 'build-sepolicy' command that is described in @@ -140,12 +152,12 @@ but ftp is not used, then that module could be unloaded). There are number of components that form the infrastructure: -1. Policy source code that is constructed for a modular policy with a - base module and optional loadable modules. -2. Utilities to compile and link modules and place them into a 'policy - store'. -3. Utilities to manage the modules and associated configuration files - within the 'policy store'. +1. Policy source code that is constructed for a modular policy with a + base module and optional loadable modules. +2. Utilities to compile and link modules and place them into a 'policy + store'. +3. Utilities to manage the modules and associated configuration files + within the 'policy store'. [**Figure 2: High Level SELinux Architecture**](core_components.md#core-selinux-components) shows these components along the top of the diagram. The files contained in @@ -196,9 +208,9 @@ section. This is also know as the kernel policy and is the policy file that is loaded into the kernel and is located at -/etc/selinux/<SELINUXTYPE>/policy/policy.<version>. Where -*<SELINUXTYPE>* is the policy name specified in the SELinux -configuration file /etc/selinux/config and <version> is the +/etc/selinux/\/policy/policy.\. Where +*\* is the policy name specified in the SELinux +configuration file /etc/selinux/config and \ is the SELinux [**policy version**](#policy-versions). The binary policy can be built from source files supplied by the @@ -245,124 +257,121 @@ Max kernel policy version: 32 ``` -**Table 1: Policy version descriptions** describes the different versions, although note -that there is also another version that applies to the modular policy, -however the main policy database version is the one that is generally -quoted (some SELinux utilities give both version numbers). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
policy db Versionmodular db VersionDescription
154The base version when SELinux was merged into the kernel.
16-Added Conditional Policy support (the bool feature).
17-Added support for IPv6.
18-Added Netlink support.
195Added MLS support, plus the validatetrans Statement.
20-Reduced the size of the access vector table.
216Added support for the MLS range_transition Statement.
227Added policycap Statement that allows various kernel options to be enabled as described in the Policy Configuration Statements section.
238Added support for the permissive statement. This allows a domain to run in permissive mode while the others are still confined (instead of the all or nothing set by the SELINUX entry in the /etc/selinux/config file).
249 / 10Add support for the typebounds statement. This was added to support a hierarchical relationship between two domains in multi-threaded web servers as described in "A secure web application platform powered by SELinux".
2511Add support for file name transition in the type_transition rule. Requires kernel 2.6.39 minimum.
2612/13

Add support for a class parameter in the role_transition rule.

-

Add support for the attribute_role and roleattribute statements.

-

These require kernel 2.6.39 minimum.

-14Separate tunables.
2715Support setting object defaults for the user, role and range components when computing a new context. Requires kernel 3.5 minimum.
2816Support setting object defaults for the type component when computing a new context. Requires kernel 3.5 minimum.
2917Support attribute names within constraints. This allows attributes as well as the types to be retrieved from a kernel policy to assist audit2allow(8) etc. to determine what attribute needs to be updated. Note that the attribute does not determine the constraint outcome, it is still the list of types associated to the constraint. Requires kernel 3.14 minimum.
3018

For the 'selinux' target platform adds new 'xperm' rules as explained in the Extended Access Vector Rules section. This is to support 'ioctl whitelisting' as explained in the ioctl Operation Rules section. Requires kernel 4.3 minimum. For modular support, requires libsepol 2.7 minimum.

30For the 'xen' target platform support the devicetreecon statement and also expand the existing I/O memory range to 64 bits as explained in the Xen Statements section.
3119InfiniBand (IB) partition key (Pkey) and IB end port object labeling that requires kernel 4.13 minimum. See the InfiniBand Labeling Statements section.
3220Specify glblub as a default_range default and the computed transition will be the intersection of the MLS range of the two contexts. See default_range for details. Requires kernel 5.5 minimum. See the Default Rules section.
- -**Table 1: Policy version descriptions** +The following table describes the features added for each policy version and +its corresponding modular policy version. When these features are implemented +there may also be functionality added to the kernel, libselinux and/or libsepol. +If known, these version requirements are also listed. + +**Policy: 15 Module: 4** + +The base version when SELinux was merged into the kernel. + +**Policy: 16** + +Added [**Conditional Policy**](#conditional-policy) support (the bool feature). + +**Policy: 17** + +Added support for IPv6. + +**Policy: 18** + +Added Netlink support. + +**Policy: 19 Module: 5** + +Added MLS support, plus the *validatetrans* Statement. + +**Policy: 20** + +Reduced the size of the access vector table. + +**Policy: 21 Module: 6** + +Added support for the MLS *range_transition* Statement. + +**Policy: 22 Module: 7** + +Added *policycap* Statement that allows various kernel options to be +enabled as described in the +[**Policy Configuration Statements**](policy_config_statements.md#policy-configuration-statements) +section. + +**Policy: 23 Module: 8** + +Added support for the *permissive* statement. This allows a domain to run +in permissive mode while the others are still confined (instead of the all +or nothing set by the *SELINUX* entry in the */etc/selinux/config* file). + +**Policy: 24 Module: 9 / 10** + +Add support for the *typebounds* statement. This was added to support a +hierarchical relationship between two domains in multi-threaded web servers +as described in +[**A secure web application platform powered by SELinux**](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf). + +**Policy: 25 Module: 11** + +Add support for file name transition in the *type_transition* rule. +Requires kernel 2.6.39 minimum. + +**Policy: 26 Module: 12 / 13** + +Add support for a class parameter in the *role_transition* rule and +support for the *attribute_role* and *roleattribute* statements. +These require kernel 2.6.39 minimum. + +**Module: 14** + +Separate tunables. + +**Policy: 27 Module: 15** + +Support setting object defaults for the user, role and range components +when computing a new context. Requires kernel 3.5 minimum. + +**Policy: 28 Module: 16** + +Support setting object defaults for the type component when computing a +new context. Requires kernel 3.5 minimum. + +**Policy: 29 Module: 17** + +Support attribute names within constraints. This allows attributes as well +as the types to be retrieved from a kernel policy to assist +***audit2allow**(8)* etc. to determine what attribute needs to be updated. +Note that the attribute does not determine the constraint outcome, it is +still the list of types associated to the constraint. +Requires kernel 3.14 minimum. + +**Policy: 30 Module: 18** + +For the *selinux* target platform adds new *xperm* rules as explained in the +[**Extended Access Vector Rules**](xperm_rules.md#extended-access-vector-rules) +section. This is to support 'ioctl whitelisting' as explained in the +[***ioctl* Operation Rules**](xperm_rules.md#ioctl-operation-rules) section. +Requires kernel 4.3 minimum. +For modular policy support requires libsepol 2.7 minimum. + +**Policy: 30** + +For the '*xen*' target platform support the *devicetreecon* statement and +also expand the existing I/O memory range to 64 bits as explained in the +[**Xen Statements**](xen_statements.md#xen-statements) section. + +**Policy: 31 Module: 19** + +Add InfiniBand (IB) partition key (Pkey) and IB end port object labeling +as explained in the +[**InfiniBand Labeling Statements**](infiniband_statements.md#infiniband-labeling-statements) +section. Requires kernel 4.13 minimum. + +**Policy: 32 Module: 20** + +Specify *glblub* as a *default_range* default and the computed transition +will be the intersection of the MLS range of the two contexts. +See the [**default_range**](default_rules.md#default_range) for details. +Requires kernel 5.5 minimum.