selinux Notes
SELinux Overview
- A Mandatory Access Control (MAC) mechanism in the Linux Kernel (originally developed by the NSA)
- SELinux has no concept of user ids or process ids; instead it uses labels for everything
- It checks whether an initiator is explicitly allowed to perform an action
- If there is no explicit permission then the action is denied
- When writing rules it is best to start by making a label for the initiator
  - For example: `/path/to/initiator/ u:object_r:context_name_you_want:s0`
- Note that periods in file names should be escaped with a `\`
  - For example:
- `genfscon` is a statement used to create labels for file contexts
  - The formula is `genfscon filesystem_name <PATH> u:object_r:<LABEL_NAME>:s0`
  - They should go into a file called `genfs_contexts`
- To grant an initiator access to an action you use an allow statement
  - The formula is `allow <SOURCE CONTEXT> <TARGET CONTEXT>:<TARGET CLASS> <ACTION(s)>`
- neverallow is the opposite of allow
  - At compile time, if a rule that violates a neverallow is encountered, the compilation will fail
- You can view the label of a file using `ls -Z`
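A simplified model of the compile-time neverallow check described above, added here as an illustration (it is not the notes' own code and not how checkpolicy or secilc implement it): it parses rules written in the allow formula from these notes and reports any allow that grants a permission a matching neverallow forbids. It assumes plain type names (no attributes, `~`/`-` set operators or multi-class rules) and uses a constructed policy with hypothetical type names.

```python
import re

# Rule syntax from the notes: allow <SOURCE> <TARGET>:<CLASS> <ACTION(s)>
# The action list is one permission, a brace-delimited set, or "*" (all).
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;?$"
)

def parse_rules(policy_text):
    """Parse allow/neverallow lines into (kind, source, target, class, perms)."""
    rules = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        kind, src, tgt, cls, perms = m.groups()
        rules.append((kind, src, tgt, cls, set(perms.strip("{}").split())))
    return rules

def neverallow_violations(policy_text):
    """Return (allow, neverallow) pairs where the allow grants a permission on
    the same source/target/class that the neverallow forbids (a compile failure)."""
    rules = parse_rules(policy_text)
    allows = [r for r in rules if r[0] == "allow"]
    nevers = [r for r in rules if r[0] == "neverallow"]
    violations = []
    for a in allows:
        for n in nevers:
            if (a[1], a[2], a[3]) != (n[1], n[2], n[3]):
                continue  # different source, target or class: no overlap
            if "*" in n[4] or "*" in a[4] or a[4] & n[4]:
                violations.append((a, n))
    return violations

# Constructed sample policy (hypothetical type names, not AOSP policy).
SAMPLE_POLICY = """
allow myapp myapp_data_file:file { read write open }
allow myapp shell_data_file:file { read }          # violates the neverallow below
neverallow myapp shell_data_file:file { read write }
neverallow myapp sysfs:file *
"""

if __name__ == "__main__":
    for allow, never in neverallow_violations(SAMPLE_POLICY):
        print(f"compile error: {allow} conflicts with {never}")
```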
SELinux on AOSP
- The AOSP base platform sepolicy is in the `platform/system/sepolicy` folder from the root of the AOSP tree
- Vendors can customize the sepolicy by placing it in the `device/<VENDOR>/sepolicy` folder
- Properties used by the init system will need an SELinux label defined in `property_contexts`
- Android defines several system neverallows in `system/sepolicy`
- Android defines several global macros for sepolicies in the `platform/system/sepolicy/global_macros` file