Adam Richardson's Site

selinux Notes


<2024-02-15 Thu>

Resources

SELinux Overview

  • A Mandatory Access Control (MAC) mechanism in the Linux kernel (originally developed by the NSA)
  • SELinux has no concept of user IDs or process IDs; instead it uses labels for everything
  • Checks whether an initiator is explicitly allowed to perform an action
  • If there is no explicit permission, the action is denied
  • When writing rules, start by making a label for the initiator
    • For example: /path/to/initiator u:object_r:context_name_you_want:s0
    • Note that periods in file names should be escaped with a \
  • genfscon is a policy statement used to assign labels to file contexts by path (for filesystems that do not store labels themselves)
    • The formula is genfscon filesystem_name <PATH> u:object_r:<LABEL_NAME>:s0
    • These statements go into a file called genfs_contexts
  • To grant an initiator access to an action you use an allow statement
    • The formula is allow <SOURCE CONTEXT> <TARGET CONTEXT>:<TARGET CLASS> <ACTION(S)>
  • neverallow is the opposite of allow
    • At compile time, if a rule that violates a neverallow is encountered, compilation fails
  • You can view the label of a file using ls -Z
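The statements above put together in one place, as an added example that is not part of the original notes: a hypothetical daemon binary is given its own domain, a proc entry is labelled with genfscon, one allow rule grants read access, and a neverallow turns the denial of writes into a compile-time guarantee. Every name here (sensord, sensord_exec, sensord_proc, the paths, and the attribute choices on the type lines) is an assumption made for the example.

```selinux
# file_contexts: label the initiator's executable. Periods (and other
# regex metacharacters) in the path are escaped with a backslash.
/vendor/bin/sensord\.bin        u:object_r:sensord_exec:s0

# genfs_contexts: procfs carries no labels on disk, so genfscon assigns
# one by path when the filesystem is mounted.
genfscon proc /sys/kernel/sensor_hub   u:object_r:sensord_proc:s0

# sensord.te (attributes on these type lines are an assumption; pick the
# ones your policy base requires)
type sensord, domain;                       # the initiator (process) domain
type sensord_exec, exec_type, file_type;    # the executable on disk
type sensord_proc, fs_type;                 # the proc entry the daemon reads

# Grant exactly the actions the daemon needs on the labelled proc entry.
# Anything not listed is denied by default, so writes are already denied.
allow sensord sensord_proc:file { open read getattr };

# Make that denial explicit: if anyone later adds an allow rule granting
# write or append on sensord_proc, policy compilation fails instead of the
# daemon's access quietly widening.
neverallow sensord sensord_proc:file { write append };

# After relabelling, check the result with:
#   ls -Z /vendor/bin/sensord.bin
# which should show u:object_r:sensord_exec:s0 on the file.
```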

SELinux on AOSP

  • The AOSP base platform sepolicy is in the platform/system/sepolicy folder from the root of the AOSP tree
  • Vendors can customize the sepolicy by placing it in the device/<VENDOR>/sepolicy folder
  • Properties used by the init system will need an SELinux label defined in property_contexts
  • Android defines several system neverallows in system/sepolicy
  • Android defines several global macros for sepolicies in the platform/system/sepolicy/global_macros file
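How a vendor overlay in device/<VENDOR>/sepolicy fits the pieces above together, as an added example rather than anything from the original notes or from AOSP itself: a property used by init gets a label in property_contexts, the daemon's .te file uses macros from platform/system/sepolicy, and a commented-out rule shows the kind of change a system neverallow would reject at build time. The daemon name, property prefix and type names are assumptions; init_daemon_domain, set_prop, r_file_perms, vendor_configs_file, system_file and the property_type/vendor_property_type/vendor_file_type attributes are existing AOSP policy names.

```selinux
# device/<VENDOR>/sepolicy/file_contexts
/vendor/bin/sensord             u:object_r:sensord_exec:s0

# device/<VENDOR>/sepolicy/property_contexts
# Without this line init cannot set vendor.sensord.* properties: the
# property has no label of its own, so the set is denied at boot.
vendor.sensord.                 u:object_r:vendor_sensord_prop:s0

# device/<VENDOR>/sepolicy/sensord.te
type sensord, domain;
type sensord_exec, exec_type, vendor_file_type, file_type;
type vendor_sensord_prop, property_type, vendor_property_type;

# Macros from platform/system/sepolicy: init_daemon_domain wires up the
# transition from init into the sensord domain when sensord_exec runs;
# set_prop grants the property_service socket access plus the set
# permission on vendor_sensord_prop.
init_daemon_domain(sensord)
set_prop(sensord, vendor_sensord_prop)

# r_file_perms is one of the global_macros: it expands to the read-side
# file permissions, so the daemon can read its config under /vendor/etc
# without being granted write.
allow sensord vendor_configs_file:file r_file_perms;

# Writes to the system partition from a vendor domain are covered by the
# system neverallows (assumption about which rule fires); uncommenting the
# next line is expected to fail the build rather than produce a policy.
# allow sensord system_file:file write;
```

Because the build compiles the vendor overlay together with system/sepolicy, the neverallow check happens before anything reaches a device, which is what makes neverallows useful as a review gate for vendor policy.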