SELinux Programming Documentation


Related Books


1) SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty, O'REILLY

My Notes

The following example configuration details exactly how to programmatically achieve dynamic context transitions using the setcon() feature and also using the ability to write to "/proc/pid/attr/current". In the following networking example there is a client and a server. The server waits to get the message from the client and then changes to the domain of the server. This allows the server to do all that is allowed in the client domain after the transition. Most importantly, the server can no longer perform the operations permitted in the server domain after the transition; to do so it has to return to its own domain. This could be a security issue, as discussed in the sections above. The little box below shows the core sequence of functions needed to change domains.


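#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/context.h>

/* Wrapper added so the fragment compiles (link with -lselinux);
   the function name is illustrative. Returns 0 on success, -1 on error. */
int change_domain(void)
{
    char *scon = NULL;     /* context string allocated by getcon() */
    const char *newcon;    /* points into con, valid until context_free() */
    context_t con;
    int rcc;

    /* 1: read the current context of this process */
    rcc = getcon(&scon);
    if (rcc < 0)
    {
        perror("getcon");
        return -1;
    }
    printf("mycon = %s\n", scon);

    /* 2: build an editable context object, then free the getcon() string */
    con = context_new(scon);
    freecon(scon);
    scon = NULL;
    if (!con)
    {
        perror("context_new");
        return -1;
    }

    /* 3: replace only the type field */
    rcc = context_type_set(con, "server-changing-to-client-type_t");
    if (rcc)
    {
        perror("context_type_set");
        context_free(con);
        return -1;
    }

    /* 4: turn the edited context back into a string */
    newcon = context_str(con);
    if (!newcon)
    {
        perror("context_str");
        context_free(con);
        return -1;
    }

    /* 5: ask the loaded policy whether the new context is valid */
    if (security_check_context(newcon) < 0)
    {
        fprintf(stderr, "%s is not a valid context in the policy\n", newcon);
        context_free(con);
        return -1;
    }

    /* 6: perform the dynamic transition */
    rcc = setcon(newcon);
    if (rcc < 0)
    {
        perror("setcon");
        context_free(con);
        return -1;
    }

    /* 7: release the context object (newcon is invalid from here on) */
    context_free(con);

    /* 8: read the context back to confirm the change */
    rcc = getcon(&scon);
    if (rcc < 0)
    {
        perror("getcon");
        return -1;
    }
    printf("Changed to %s\n", scon);
    freecon(scon);
    return 0;
}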

          

The getcon() function in point 1 is used to get the current context of a running process. The program needs to be compiled against the latest libselinux library. The context string that getcon() returns must be freed with freecon(), which is done in point 2; freecon() frees the memory allocated for a security context. In point 2, context_new() returns a new security context object initialized to the string that we pass in. The context_type_set() function in point 3 allows an application to manipulate the fields of a security context string without requiring it to know the format of the string.

The context_str() function in line 4 returns a context string based on the return value of context_new().

The security_check_context() function checks the validity of the input security context. A context is valid only if it is pre-defined and explicitly allowed in a policy file. The policy also has to be compiled and loaded into the SELinux security engine to be applicable.

The function setcon() in line 6 sets the current security context of the process to a new value. Note that the use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via setexeccon(3). Whenever possible, one should decompose the application and use setexeccon() and execve() instead. This function requires an explicit "allow" statement in the corresponding .te file.

The above is the specific order of calls by which one can achieve dynamic context transitions using setcon() in the program itself. The following lines show the "allow" statements that must be present in the policy file.

1) allow user_t security_t:security check_context;

2) allow user_t self:process setcurrent;

3) allow user_t test_libselinux_t:process dyntransition;

Line 1 is needed to give the program the ability to check the validity of the new security context that is computed. Line 2 is needed to give the program the capability to write to the /proc/pid/attr/current interface, where "pid" is replaced by the actual pid of the process. The process can thus set its security context by simple writes to that file. Line 3 is needed to give the program the ability to dynamically transition to a new domain.
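As an added illustration (not code from the original notes and not libselinux source), the C program below shows what points 3 and 6 come down to without the library: replacing the type field of a context string, including the case where an MLS range carries colons of its own, and writing the result to the attr file that the setcurrent permission guards. The function names swap_type and write_context and the sample context are constructed for this example; the target type is the one in allow line 3.

```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Rebuild ctx ("user:role:type[:range]") with new_type as its third field.
 * Only the first three colons separate fields: an MLS range such as
 * "s0-s0:c0.c1023" has colons of its own and is copied through unchanged.
 * Returns 0 on success, -1 on a malformed context or a too-small buffer. */
int swap_type(const char *ctx, const char *new_type, char *out, size_t outlen)
{
    const char *c1 = strchr(ctx, ':');                   /* ends the user field */
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;    /* ends the role field */
    if (!c2 || c1 == ctx || c2 == c1 + 1 || c2[1] == '\0' || c2[1] == ':')
        return -1;                                       /* a field is missing  */
    if (new_type[0] == '\0' || strchr(new_type, ':'))    /* would shift fields  */
        return -1;
    const char *range = strchr(c2 + 1, ':');             /* NULL if no range    */
    int n = snprintf(out, outlen, "%.*s%s%s",
                     (int)(c2 + 1 - ctx), ctx, new_type, range ? range : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Request the transition by writing ctx (trailing NUL included) to an attr
 * file; on a live system path is /proc/self/attr/current. Returns 0 or -1. */
int write_context(const char *path, const char *ctx)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    size_t len = strlen(ctx) + 1;
    ssize_t w = write(fd, ctx, len);
    close(fd);
    return (w == (ssize_t)len) ? 0 : -1;
}

int main(void)
{
    char out[256];
    /* Constructed sample context; the target type is taken from allow line 3. */
    if (swap_type("user_u:user_r:user_t:s0-s0:c0.c1023",
                  "test_libselinux_t", out, sizeof out) != 0)
        return 1;
    printf("requesting %s\n", out);
    if (write_context("/proc/self/attr/current", out) != 0)
        fprintf(stderr, "write refused\n");  /* expected unless policy allows it */
    return 0;
}
```

The write succeeds only when the loaded policy contains the setcurrent and dyntransition rules listed above; on any other system it is refused and the process keeps its original context.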


SELinux Programming (last edited 2005-04-14 00:31:21 by RamVarma)