* Significance of SELinux user and roles on objects.
From: dE @ 2014-05-20  5:01 UTC
  To: selinux

I've read that the roles on objects (like files) are in reality of no 
use and are filled up just for the sake of filling. That's why every 
file has role object_r.

Which prompts a question -- do the user and role of objects (like 
files) have any significance? Or can access be allowed/denied based on 
the object's role and user?


* Re: Significance of SELinux user and roles on objects.
From: Christopher J. PeBenito @ 2014-05-20 13:42 UTC
  To: dE, selinux

On 05/20/2014 01:01 AM, dE wrote:
> I've read that the roles on objects (like files) are in reality of no use and are filled up just for the sake of filling. That's why every file has role object_r.
> 
> Which prompts me a question -- do the user and role of objects (like files) have any significance? Or can access be allowed/denied based on the object's role and user?

Roles on objects typically don't have any use.  The kernel will create files with object_r regardless, so putting a role on a file can't easily be made useful right now.  For example, I added user_tmp_t to the user_r so I could label a directory:

$ chcon user_u:user_r:user_tmp_t .
$ ls -laZ
total 12K
drwxr-xr-x.   2 pebenito users user_u:user_r:user_tmp_t    6 May 20 09:25 .
drwxrwxrwt. 127 root     root  system_u:object_r:tmp_t  8.0K May 20 09:25 ..

And then I touch a file:

$ touch test
$ ls -laZ
total 12K
drwxr-xr-x.   2 pebenito users user_u:user_r:user_tmp_t     17 May 20 09:27 .
drwxrwxrwt. 127 root     root  system_u:object_r:tmp_t    8.0K May 20 09:25 ..
-rw-r--r--.   1 pebenito users user_u:object_r:user_tmp_t    0 May 20 09:27 test

So the new file still gets object_r instead of user_r.  If you do have a role on an object, you can write constraints in the policy based on the role of the object.  If the role was correctly set on objects, I would use the role on objects to enforce role separations in refpolicy.

The user is useful on some objects, as the basic constraints in refpolicy will deny creating or relabeling a file if the user of the process doesn't match the user of the file.  If you have UBAC turned on in refpolicy, then the user separations will be enforced across all relevant object classes.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* Re: Significance of SELinux user and roles on objects.
From: dE @ 2014-05-22  6:55 UTC
  To: selinux

On 05/20/14 19:12, Christopher J. PeBenito wrote:
> The kernel will create files with object_r regardless

Is this defined in the policy or is hard coded in the kernel?

If it's defined in the policy, can't the role on a newly created file be 
defined such that its value depends on the SELinux user creating the file?


* Re: Significance of SELinux user and roles on objects.
From: Dominick Grift @ 2014-05-22  7:32 UTC
  To: dE; +Cc: selinux

On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
> On 05/20/14 19:12, Christopher J. PeBenito wrote:
> > The kernel will create files with object_r regardless
> 
> Is this defined in the policy or is hard coded in the kernel?

Hard coded into the kernel

* Re: Significance of SELinux user and roles on objects.
From: dE @ 2014-05-23  5:01 UTC
  To: selinux

On 05/22/14 13:02, Dominick Grift wrote:
> On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
>> On 05/20/14 19:12, Christopher J. PeBenito wrote:
>>> The kernel will create files with object_r regardless
>> Is this defined in the policy or is hard coded in the kernel?
> Hard coded into the kernel

Ok. Thanks for clarifying all this.


* Re: Significance of SELinux user and roles on objects.
From: Stephen Smalley @ 2014-05-23 13:42 UTC
  To: Dominick Grift, dE; +Cc: selinux

On 05/22/2014 03:32 AM, Dominick Grift wrote:
> On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
>> On 05/20/14 19:12, Christopher J. PeBenito wrote:
>>> The kernel will create files with object_r regardless
>>
>> Is this defined in the policy or is hard coded in the kernel?
> 
> Hard coded into the kernel

Unless the policy specifies to default from source or target for the
file class...


* Re: Significance of SELinux user and roles on objects.
From: dE @ 2014-05-23 15:45 UTC
  To: selinux

On 05/23/14 19:12, Stephen Smalley wrote:
> On 05/22/2014 03:32 AM, Dominick Grift wrote:
>> On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
>>> On 05/20/14 19:12, Christopher J. PeBenito wrote:
>>>> The kernel will create files with object_r regardless
>>> Is this defined in the policy or is hard coded in the kernel?
>> Hard coded into the kernel
> Unless the policy specifies to default from source or target for the
> file class...

So you can define the default object in the policy file as per the 
object class.


* Re: Significance of SELinux user and roles on objects.
From: Stephen Smalley @ 2014-05-23 15:55 UTC
  To: dE, selinux

On 05/23/2014 11:45 AM, dE wrote:
> On 05/23/14 19:12, Stephen Smalley wrote:
>> On 05/22/2014 03:32 AM, Dominick Grift wrote:
>>> On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
>>>> On 05/20/14 19:12, Christopher J. PeBenito wrote:
>>>>> The kernel will create files with object_r regardless
>>>> Is this defined in the policy or is hard coded in the kernel?
>>> Hard coded into the kernel
>> Unless the policy specifies to default from source or target for the
>> file class...
> 
> So you can define the default object in the policy file as per the
> object class.

See:
http://selinuxproject.org/page/DefaultRules


* Re: Significance of SELinux user and roles on objects.
From: dE @ 2014-05-24  3:39 UTC
  To: selinux

On 05/23/14 21:25, Stephen Smalley wrote:
> On 05/23/2014 11:45 AM, dE wrote:
>> On 05/23/14 19:12, Stephen Smalley wrote:
>>> On 05/22/2014 03:32 AM, Dominick Grift wrote:
>>>> On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
>>>>> On 05/20/14 19:12, Christopher J. PeBenito wrote:
>>>>>> The kernel will create files with object_r regardless
>>>>> Is this defined in the policy or is hard coded in the kernel?
>>>> Hard coded into the kernel
>>> Unless the policy specifies to default from source or target for the
>>> file class...
>> So you can define the default object in the policy file as per the
>> object class.
> See:
> http://selinuxproject.org/page/DefaultRules

Ok. So this is a comparatively new feature. Thanks for sharing.


* Re: Significance of SELinux user and roles on objects.
From: Christopher J. PeBenito @ 2014-05-27 12:36 UTC
  To: Stephen Smalley, Dominick Grift, dE; +Cc: selinux

On 05/23/2014 09:42 AM, Stephen Smalley wrote:
> On 05/22/2014 03:32 AM, Dominick Grift wrote:
>> On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
>>> On 05/20/14 19:12, Christopher J. PeBenito wrote:
>>>> The kernel will create files with object_r regardless
>>>
>>> Is this defined in the policy or is hard coded in the kernel?
>>
>> Hard coded into the kernel
> 
> Unless the policy specifies to default from source or target for the
> file class...

So if I explicitly put default_role from target it will start inheriting the directory's role?  If so, did that change also fix role_transition to work on file creation? i.e. can I write a rule like:

role_transition user_r tmp_t:file user_r;

So I can get the default_role from source-like behavior on certain types (I'd like to bring back role separations in refpolicy)?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* Re: Significance of SELinux user and roles on objects.
From: Stephen Smalley @ 2014-05-27 12:51 UTC
  To: Christopher J. PeBenito, Dominick Grift, dE; +Cc: selinux

On 05/27/2014 08:36 AM, Christopher J. PeBenito wrote:
> On 05/23/2014 09:42 AM, Stephen Smalley wrote:
>> On 05/22/2014 03:32 AM, Dominick Grift wrote:
>>> On Thu, 2014-05-22 at 12:25 +0530, dE wrote:
>>>> On 05/20/14 19:12, Christopher J. PeBenito wrote:
>>>>> The kernel will create files with object_r regardless
>>>>
>>>> Is this defined in the policy or is hard coded in the kernel?
>>>
>>> Hard coded into the kernel
>>
>> Unless the policy specifies to default from source or target for the
>> file class...
> 
> So if I explicitly put default_role from target it will start inheriting the directory's role?  If so, did that change also fix role_transition to work on file creation? i.e. can I write a rule like:
> 
> role_transition user_r tmp_t:file user_r;
> 
> So I can get the default_role from source-like behavior on certain types (I'd like to bring back role separations in refpolicy)?

policy.26 added support for role transitions on object classes.
policy.27 added support for default rules for user/role/range
inheritance (and policy.28 did the same for type inheritance).

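An added kernel-policy-language fragment (not from this thread, nor from refpolicy) that ties together the three mechanisms the thread discusses: the default_role rule Stephen points to, the role_transition on an object class Chris asks about, and a role-based constraint of the kind Chris says he would use for role separation, alongside the user-based one he describes. It assumes the types tmp_t and user_tmp_t and the roles user_r and object_r already exist, and a policy version of at least 27 (26 suffices for the role_transition line alone).

```selinux
# Illustrative fragment, not refpolicy code. Assumes tmp_t, user_tmp_t,
# user_r and object_r are declared elsewhere in the policy.

# 0. The kernel only accepts a non-object_r role on an object if that
#    role is authorized for the object's type (this is why the directory
#    in the thread needed user_tmp_t added to user_r before chcon worked).
role user_r types { tmp_t user_tmp_t };

# 1. default_role (policy.27+): new files and directories take the role
#    of the creating process (source) instead of the built-in object_r.
default_role { file dir } source;

# 2. role_transition on an object class (policy.26+): overrides the
#    default for one (source role, target type, class) triple. Here it is
#    a no-op with rule 1 in place, but it is what gives "default from
#    source"-like behaviour for selected types when rule 1 is absent.
role_transition user_r tmp_t:file user_r;

# 3. With roles now meaningful on objects, a constraint can enforce role
#    separation: a process may create or relabel a file only if the
#    file's role (r2) equals its own (r1), or the file still carries the
#    generic object_r label that pre-existing files keep.
constrain { file dir } { create relabelto relabelfrom }
    ( r1 == r2 or r2 == object_r );

# 4. The user-based separation the thread describes has the same shape,
#    keyed on the SELinux user of the process (u1) and of the file (u2).
constrain { file dir } { create relabelto relabelfrom }
    ( u1 == u2 );
```

After loading a policy built with this, a file created by a user_r process inside a tmp_t directory should show user_r rather than object_r in the role field of `ls -Z`, the check the thread's own listing performs.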