Protecting Kernel Integrity

A second goal of the example policy configuration is to prevent attackers from tampering with the kernel. An example of how the configuration protects the integrity of the kernel can be seen through its protections on the /boot files. Most of the /boot files are labeled with a boot_t type and can only be modified by an administrator. Since certain files in /boot are automatically updated during initialization, a separate boot_runtime_t type is defined for such files, and the domain for rc scripts is authorized to update these files. The following excerpt shows a portion of the configuration for these boot files:

allow initrc_t boot_t:dir 
      { read search add_name remove_name };
allow initrc_t boot_runtime_t:file 
      { create write unlink };
type_transition initrc_t boot_t:file boot_runtime_t;

The first statement allows the rc scripts to modify the /boot directory itself (look it up and add or remove directory entries). Because the excerpt grants no permissions on the individual boot_t files, this directory access alone does not let the rc scripts remove or rename the existing files in /boot in order to replace them. The second statement allows the scripts to create, write, or delete a file with the boot_runtime_t type. The last statement causes files created in /boot by the scripts to automatically default to the boot_runtime_t type rather than inheriting boot_t from the directory.

A second example of how the policy configuration protects the integrity of the kernel can be seen in its handling of kernel modules. Distinct types are assigned to the module utilities and module object files to prevent unauthorized modification. The following excerpt shows a portion of the configuration for controlling the ability to insert kernel modules into a running kernel:

allow insmod_t insmod_exec_t:process 
      { entrypoint execute };
allow insmod_t self:capability sys_module;
allow sysadm_t insmod_t:process transition;

The first statement allows the insmod_t domain to be entered by executing a program with the insmod_exec_t type. This type is assigned to the insmod utility. The second statement allows the insmod_t domain to use the CAP_SYS_MODULE capability to insert modules. The last statement allows system administrators to transition to this domain when they run the utility.
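To make the default-deny behaviour of these two excerpts concrete, the following is an added illustration (not code from the paper or from SELinux itself): a small Python evaluator that parses the allow and type_transition statements shown above and answers access queries the way the text describes, so the reader can see that initrc_t may add names to a boot_t directory yet may not unlink a boot_t file, and that only a domain granted sys_module on itself can insert modules. The policy text is a constructed copy of the two excerpts; the evaluator is a simplified model of type enforcement that ignores roles, MLS, and the other rule kinds a real policy contains.

```python
"""Toy evaluator for SELinux-style type enforcement rules.

Added illustration, not the paper's own code: parses allow / type_transition
statements and answers access queries under the default-deny rule that a
permission is granted only if some allow statement names it.
"""
import re
from collections import defaultdict

# Constructed copy of the two excerpts from the text, joined into one policy.
POLICY = """
allow initrc_t boot_t:dir
      { read search add_name remove_name };
allow initrc_t boot_runtime_t:file
      { create write unlink };
type_transition initrc_t boot_t:file boot_runtime_t;

allow insmod_t insmod_exec_t:process
      { entrypoint execute };
allow insmod_t self:capability sys_module;
allow sysadm_t insmod_t:process transition;
"""


def parse_policy(text):
    """Return (allow, transitions).

    allow[(source, target, class)] -> set of permitted operations
    transitions[(source, target, class)] -> default type for new objects
    """
    allow = defaultdict(set)
    transitions = {}
    # Statements end with ';' and may span several lines, so split on ';'.
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] == "allow":
            src, tgt_cls = tokens[1], tokens[2]
            tgt, cls = tgt_cls.split(":")
            if tgt == "self":  # 'self' stands for the source type itself
                tgt = src
            perms = re.findall(r"\w+", " ".join(tokens[3:]))
            allow[(src, tgt, cls)].update(perms)
        elif tokens[0] == "type_transition":
            src, tgt_cls, new_type = tokens[1], tokens[2], tokens[3]
            tgt, cls = tgt_cls.split(":")
            transitions[(src, tgt, cls)] = new_type
        else:
            raise ValueError("unsupported statement: " + stmt.strip())
    return allow, transitions


ALLOW, TRANSITIONS = parse_policy(POLICY)


def permitted(src, tgt, cls, perm):
    """Default deny: granted only if an allow rule names this permission
    for the (source, target, class) triple."""
    if tgt == "self":
        tgt = src
    return perm in ALLOW.get((src, tgt, cls), set())


def new_file_type(src, dir_type):
    """Type a file created by domain `src` in a directory of type `dir_type`
    receives: the type_transition default if one exists, otherwise the
    directory's own type (the inheritance default)."""
    return TRANSITIONS.get((src, dir_type, "file"), dir_type)


if __name__ == "__main__":
    checks = [
        ("initrc_t", "boot_t", "dir", "add_name"),        # allowed
        ("initrc_t", "boot_t", "file", "unlink"),         # denied
        ("initrc_t", "boot_runtime_t", "file", "unlink"), # allowed
        ("initrc_t", "self", "capability", "sys_module"), # denied
        ("insmod_t", "self", "capability", "sys_module"), # allowed
        ("user_t", "insmod_t", "process", "transition"),  # denied (constructed domain)
    ]
    for src, tgt, cls, perm in checks:
        verdict = "allowed" if permitted(src, tgt, cls, perm) else "denied"
        print(f"{src} -> {tgt}:{cls} {perm}: {verdict}")
    print("file created by initrc_t in a boot_t directory gets type",
          new_file_type("initrc_t", "boot_t"))
```

Running the script shows the two properties the text relies on: the rc scripts can manipulate names in the /boot directory but cannot unlink a boot_t file, and a file they create there is typed boot_runtime_t, so the protected kernel image and the automatically rewritten runtime files stay under different types. The user_t domain in the last check is a constructed name used only to show that a domain without the transition rule is denied.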