Limiting Raw Access to Data

Access controls for individual processes and files are of little use if an attacker can directly access raw data. Hence, the policy configuration must carefully limit raw access to data. The example configuration defines a set of types for objects that can be used to access raw data. Access to these types is only granted to a small set of privileged domains, and entry to these domains is carefully controlled.

Since fsck and related utilities must access the raw disk, a fsadm_t domain is defined for such utilities. A fsadm_exec_t type is assigned to the program files for these utilities. The following excerpt shows a portion of the configuration relevant to this domain:

allow fsadm_t fsadm_exec_t:process { entrypoint execute };
allow fsadm_t fixed_disk_device_t:blk_file { read write };
allow initrc_t fsadm_t:process transition;
allow sysadm_t fsadm_t:process transition;

The first statement in this excerpt allows the fsadm_t domain to be entered by executing a program labeled with the fsadm_exec_t type. The second statement allows the fsadm_t domain to read and write block special files with the fixed_disk_device_t type. The third statement allows the rc scripts to transition to this domain (e.g. so that fsck can be run automatically during initialization). The last statement allows an authorized system administrator to transition to this domain (e.g. so that fsck can be explicitly run by an administrator). Access to the raw disk device is controlled both with respect to the particular program and to the context in which the program is called.

Since klogd must access the kernel memory devices, a klogd_t domain is defined for this daemon. A klogd_exec_t type is assigned to the program file for the daemon. The following excerpt shows a portion of the configuration relevant to this domain:

allow klogd_t klogd_exec_t:process { entrypoint execute };
allow klogd_t memory_device_t:chr_file read;
allow initrc_t klogd_t:process transition;

This excerpt is very similar to the excerpt for fsadm_t. The klogd_t domain can only be entered by executing a program labeled with the klogd_exec_t type. The klogd_t domain can read character special files with the memory_device_t type. The rc scripts can transition to the klogd_t domain when the daemon is executed.
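The two excerpts above can be checked mechanically. The following added example (not part of the original text or of the example policy) parses allow rules in the syntax shown, answers access-vector queries, and models the domain-entry condition the text describes: the caller needs transition on the new domain and the new domain needs entrypoint on the program type. It covers only the rules in the excerpts; a full policy also requires the caller to have file execute permission on the program type, which the excerpts omit.

```python
import re
from collections import defaultdict

# Constructed policy text: the rules from the two excerpts above. The
# syntax is the one shown in the text (allow <src> <tgt>:<class> <perms>;).
POLICY = """
allow fsadm_t fsadm_exec_t:process { entrypoint execute };
allow fsadm_t fixed_disk_device_t:blk_file { read write };
allow initrc_t fsadm_t:process transition;
allow sysadm_t fsadm_t:process transition;
allow klogd_t klogd_exec_t:process { entrypoint execute };
allow klogd_t memory_device_t:chr_file read;
allow initrc_t klogd_t:process transition;
"""

# One rule per statement; permissions are either a single word or a braced set.
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# Raw-data object types the text singles out, with the object class each is used as.
RAW_TYPES = {("fixed_disk_device_t", "blk_file"), ("memory_device_t", "chr_file")}


def parse_allow(text):
    """Return {(source, target, class): set(perms)} built from allow rules."""
    av = defaultdict(set)
    for src, tgt, cls, perms in RULE.findall(text):
        av[(src, tgt, cls)] |= set(perms.strip("{} ").split())
    return av


def allowed(av, src, tgt, cls, perm):
    """Type enforcement is default-deny: a permission holds only if a rule grants it."""
    return perm in av.get((src, tgt, cls), set())


def can_enter(av, caller, new_domain, exec_type):
    """Domain entry as described in the text: the caller may transition to the
    new domain, and the new domain accepts the program type as an entrypoint."""
    return (allowed(av, caller, new_domain, "process", "transition")
            and allowed(av, new_domain, exec_type, "process", "entrypoint"))


def raw_readers(av):
    """Audit helper: every domain granted read on a raw-data object type."""
    return sorted({src for (src, tgt, cls), perms in av.items()
                   if (tgt, cls) in RAW_TYPES and "read" in perms})


AV = parse_allow(POLICY)
```

Running `raw_readers(AV)` over the excerpts yields only fsadm_t and klogd_t, which is the property the section is arguing for: raw device access is confined to a small set of domains that can be entered only through their designated programs.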