selinux Notes
<2024-02-15 Thu>
SELinux Overview
- A Mandatory Access Control (MAC) mechanism in the Linux Kernel (originally developed by the NSA)
- SELinux has no concept of user IDs or process IDs; instead it uses labels for everything
- Checks whether an initiator is explicitly allowed to perform an action
- If there is no explicit permission then the action is denied
- When writing rules, it is best to start by creating a label for the initiator
- For example:
/path/to/initiator/ u:object_r:context_name_you_want:s0
- Note that periods in file names should be escaped with a backslash (\)
- genfscon is a policy statement that assigns labels to paths on filesystems that cannot store labels in extended attributes (for example sysfs and proc)
- The formula is: genfscon filesystem_name <PATH> u:object_r:<LABEL_NAME>:s0
- They should go into a file called genfs_contexts
- To grant an initiator access to an action you use an allow statement
- The formula is: allow <SOURCE CONTEXT> <TARGET CONTEXT>:<TARGET CLASS> <ACTION(S)>
- neverallow is the opposite of allow: it asserts that no allow rule in the policy may grant that access
- At compile time, if a rule that violates a neverallow is encountered the compilation will fail
- You can view the label of a file using ls -Z
SELinux on AOSP
- The AOSP base platform sepolicy is in the platform/system/sepolicy folder from the root of the AOSP tree
- Vendors can customize the sepolicy by placing it in the device/<VENDOR>/sepolicy folder
- Properties used by the init system will need an SELinux label defined in property_contexts
- Android defines several system neverallows in system/sepolicy
- Android defines several global macros for sepolicies in the platform/system/sepolicy/global_macros file