selinux equivalent of umask or setuid bit

Dominick Grift dominick.grift at gmail.com
Thu Feb 9 14:27:06 UTC 2012 

On Thu, 2012-02-09 at 07:59 -0500, Edward Ned Harvey wrote:

> 
> If there is a directory in your system, and you want all new files
> created in that directory to inherit the context type of the parent
> folder, is there a way to do that?  Something like the selinux
> equivalent of the setgid bit?


Yes, This is the default behaviour:

[dominick at x220 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[dominick at x220 ~]$ mkdir test
[dominick at x220 ~]$ ls -dZ test
drwxrwxr-x. dominick dominick unconfined_u:object_r:user_home_t:s0 test
[dominick at x220 ~]$ touch test/test
[dominick at x220 ~]$ ls -alZ test
drwxrwxr-x. dominick dominick unconfined_u:object_r:user_home_t:s0 .
drwx------. dominick dominick
unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-rw-r--. dominick dominick unconfined_u:object_r:user_home_t:s0 test
[dominick at x220 ~]$ 

Note that when a process with type unconfined_t creates a file (test) in
a directory with type user_home_t, that this file inherits the type of
the parent directory (user_home_t)

> or...
> 
> If you are going to do something a moment from now which will create
> some files, and you want them to be created with a specific context
> type, is there a way to do that?  Something like the selinux
> equivalent of umask?

Yes, It is called a "type_transition". This behavior needs to be
specified and it depends on the process type creating the object, the
type of the directory where this object is created in.

Examples:

default behavior:

allow a process with type myprocess1_t to create a file in a directory
with type user_home_t:

# Add a directory entry to directories with type user_home_t
allow process1_t user_home_t:dir { getattr search open lock ioctl write
add_name };

# Create a file with type user_home_t
allow process1_t user_home_t:file { getattr create open };

allow a process with type myprocess2_t to create a file in a directory
with type myfile_t in a directory with type user_home_t using a type
transition.

# Add a directory entry to directories with type user_home_t.
allow process2_t user_home_t:dir { getattr search open lock ioctl write
add_name };

# When a process with type process2_t creates a file in a directory with
type user_home_t, then create that file with type myfile_t using a type
transition.
type_transition process2_t user_home_t:file myfile_t;

# Create a file with type myfile_t.
allow process2_t myfile_t:file { getattr create open };

> 
>  
> 
> The situation is this:  I'm supporting a web hosting company who uses
> drupal, and they're constantly adding & removing plugins via drush.
> Since this is a non-OS-specific application, it doesn't know anything
> about how it should set the context on files it creates.  Fortunately,
> (!) my client has been hacked before, so they're extremely cautious
> when it comes to ignoring selinux practices.  They are manually
> changing the context of all these files, which is tedious.  But at
> least they're doing it.

So these rules depend on they type of the source (the process creating
the file) and the type of the directory where the target object is
created in.

If you have a single process type that needs to be able to create both
files with a type that is inherited from its parent and files with a
private tyoe using a type transition in a single directory then there is
a conflict in older SELinux configurations.

A possible solution for this is to create a separate directory with a
separate type for content that needs to be created with a type
transition. Although if you are able to do that then you may not need a
type transition rule anymore.

In recent SELinux configurations this is not needed because it supports
a thing called "named file transitions". This is the same as type
transitions except that it also takes a name of the object to be
created.

This allows you to specify for example that:

1. if a process with type myprocess1_t creates a file with name "file1"
in a directory with user_home_t, then create the file with type myfile_t
using a type transition.

2. if a process with type myprocess1_t creates a file with name "file2"
in a directory with user_home_t, then create the file with type
yourfile_t using a type transition.

Would look something like this:

# Add a directory entry to directories with type user_home_t.
allow process1_t user_home_t:dir { getattr search open lock ioctl write
add_name };

# When a process with type process1_t creates a file with name "file1"
in a directory with type user_home_t, then create that file with type
myfile_t using a type transition.
type_transition process1_t user_home_t:file myfile_t "file1";

# Create a file with type myfile_t.
allow process1_t myfile_t:file { getattr create open };

# When a process with type process1_t creates a file with name "file2"
in a directory with type user_home_t, then create that file with type
yourfile_t using a type transition.
type_transition process1_t user_home_t:file yourfile_t "file2";

# Create a file with type yourfile_t.
allow process1_t yourfile_t:file { getattr create open };

>  
> 
> I'm hoping for a better way, and since my knowledge is pretty much
> limited to the light saber book, I don't recall any mention of
> anything like this.
> 
>  
> 
> Thanks for any suggestions...

Your options depend on the properties of your environment.

> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

More information about the selinux mailing list