Protecting System File Integrity

Just as the integrity of the kernel must be protected, the integrity of other critical system files must also be protected. Separate types are defined and assigned to system software, system configuration information, and system logs to protect their integrity. The dynamic linker is labeled with the ld_so_t type. Many domains must be granted execute access to this type, since many programs are dynamically linked. System programs are labeled with types such as bin_t for ordinary programs or sbin_t for system administration programs. System shared libraries are labeled with the shlib_t type. Write access to these types is limited to administrators.

The protections applied to the /etc directory are an example of protecting system configuration files. Most files in /etc are labeled with the etc_t type, and write access to this type is strictly limited. Since the /etc/aliases and /etc/aliases.db files and the /etc/mail directory must be modified by the sendmail program, separate types are defined for these files and this directory, and the sendmail_t domain is granted write access to these types, as shown below:

allow sendmail_t etc_aliases_t:file { read write };
allow sendmail_t etc_mail_t:dir { read search add_name remove_name };
allow sendmail_t etc_mail_t:file { create read write unlink };

An example of protecting the integrity of system log files is the wtmp file, which stores login records. The policy configuration defines a wtmp_t type for this file. Separate domains are defined for programs (e.g. login, utempter, gnome-pty-helper) which must update this file, and write access is only granted for these domains. The following excerpt shows permissions granted to this type for several domains:

allow local_login_t wtmp_t:file { read write };
allow remote_login_t wtmp_t:file { read write };
allow utempter_t wtmp_t:file { read write };