Software: Apache/2.0.54 (Fedora). PHP/5.0.4 uname -a: Linux mina-info.me 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/share/setools/ drwxr-xr-x | |
| Viewing file: Select action/file-type: AN OVERVIEW OF DOMAIN TRANSITION ANALYSIS
apol, version 2.1
August 31, 2005
selinux@tresys.com
A key feature of Type Enforcement (TE) security is the ability to
define domain types with which programs run, use that domain type to
control access to objects (which are also typed), and strictly control
the ability of a process to change its domain type. This last ability
is known as "domain transition".
Apol allows one to analyze an SELinux policy and understand the domain
transitions allowed by the policy. As with all access in SELinux, the
ability to transition from one domain to another is controlled by
'allow' rules in the policy. Below, we describe how the apol tool
performs a domain transition analysis.
THE THREE TYPES OF INTEREST FOR DOMAIN TRANSITIONS
When discussing domain transition access, there are three different types
we must consider:
SOURCE TYPE: This is the domain type associated with a process
that is trying to change (transition) its domain type to another
type.
TARGET TYPE: This is the domain type to which the source type is
trying to transition.
FILE TYPE (ENTRYPOINT TYPE): This is a type associated with an
executable file object that allows the target type to be entered
as part of an execve() system call.
FORWARD VS. REVERSE DOMAIN TRANSITION ANALYSIS
Apol allows you to perform both forward and reverse domain transition
analysis. A forward analysis allows you to select a SOURCE type and
determine all the TARGET types to which the source may transition.
You may also select object classes, permissions, and object types to
find transitions to domains that have specific privileges or that have
access to a particular object type(s). A reverse analysis is the opposite;
you select a TARGET type and determine all the SOURCE types that may
transition to the target type.
In each case, apol creates a tree structure to show the result. You can
drill down the tree to follow any given transition path.
CRITERIA FOR IDENTIFYING ALLOW DOMAIN TRANSITIONS
In SELinux, there are three types of access (and hence at least three
rules) that must be allowed by the policy if a domain transition is to
occur. These three access types form the criteria used by apol to
determine allowed transitions.
Given an understanding of the three types of interest in a domain
transition, the criteria for an allowed domain transition are as
follows. (In the examples below, assume 'user_t' is the source type,
'passwd_t' is the target type, and 'passwd_exec_t' is the file entry
point type).
1. There must be a rule that allows the SOURCE domain type 'transition'
access for 'process' object class for the TARGET domain type. As an
example, the rule:
allow user_t passwd_t : process transition;
meets this criterion by allowing the source type (user_t) 'process
transition' permission to the target type (passwd_t).
2. There must be a rule that allows the SOURCE domain type 'execute'
access to the FILE ENTRYPOINT type. As an example, the rule:
allow user_t passwd_exec_t: file {read getattr execute};
meets the criterion by allowing the source type (user_t) 'execute'
access to the file entrypoint type (passwd_exec_t).
3. There must be a rule that allows the TARGET domain type 'entrypoint'
access to the FILE ENTRYPOINT type for file objects. As an example,
the rule:
allow passwd_t passwd_exec_t : file entrypoint;
meets this criterion by allowing the target type (passwd_t)
'file entrypoint' access to the file entrypoint type (pass_exec_t).
In the analysis results for a reverse domain transition analysis, apol
will list all the types that meet the above three criteria. On the other
hand, results for a forward domain transition analysis will be limited
to types that meet the above three criteria and that have the specified
privileges or access to a particular object type(s). See 'General Help'
for the Forward DTA Advanced Search Options feature in apol.
FILTERING DOMAIN TRANSITION RESULTS IN APOL
The domain transition analysis interface in apol provides the user with
the ability to further refine a domain transition query in order to find
transitions to a specific domain and/or transitions to domains which are
granted specific access to object types or classes. Filtering results types
using regular expression is enabled for both forward and reverse domain
transition queries, however, the access filters are only enabled for a
forward domain transition query. To enable and use the access filters, the
user needs to select the "Use access filters" checkbutton at which point, he
can display the Access Filters dialog. This dialog presents listboxes for
including object types in the access filter and also a textview where the
user can specify particular object class access. The object class/permissions
section is only enabled if an object type has been included. An access filter
may be particulary useful to a user if he or she is searching for transitions
to domains that have specific access to an object type and/or class. For
example, one could determine whether the type user_t is allowed to transition
to a domain that can write a file of type shadow_t. To run this query from
apol, the user simply needs to specify the starting type as user_t, go to the
Access Filters dialog, add shadow_t to the included object types listbox,
select 'file' from the Object Classes listbox and make sure that 'write'
permission has been included. |
:: Command execute :: | |
--[ c99shell v. 1.0 pre-release build #16 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.0032 ]-- |