
Security context configuration

Figure: Security contexts for initial SIDs.
\begin{figure}\begin{center}
\begin{footnotesize}
\begin{verbatim}sid kernel s...
...stem_u:system_r:kmod_t:u\end{verbatim}\end{footnotesize}\end{center}\end{figure}

The initial_sid_contexts file, or the initial_sid_contexts.mls file if the MLS policy is enabled, contains the security context for each SID that was predefined for system initialization. Each security context consists of a user, a role, a type and, if the MLS policy is enabled, an MLS range, as shown in Figure 12. Since the initial SIDs do not correspond to authenticated users, they use a system_u user identity.

Figure: Security contexts for unlabeled filesystems.
\begin{figure}\begin{center}
\begin{footnotesize}
\begin{verbatim}3 2 system_u...
...em_u:object_r:public_t:u\end{verbatim}\end{footnotesize}\end{center}\end{figure}

The fs_contexts file, or the fs_contexts.mls file if the MLS policy is enabled, contains the security contexts to use when an unlabeled file system is mounted from a device, as shown in Figure 13. For each file system, the major and minor device numbers of the device are specified, followed by the file system security context and the security context for existing files in the file system. If no entry is specified for a device, then the security contexts associated with the initial SIDs fs and file are used. These initial SIDs are also used for the root file system if it is unlabeled, since the security server is not yet initialized when the root file system is mounted.

Figure: Security contexts for network objects.
\begin{figure}\begin{center}
\begin{footnotesize}
\begin{verbatim}tcp 21 syste...
...object_r:nfs_clipper_t:u\end{verbatim}\end{footnotesize}\end{center}\end{figure}

The net_contexts file, or the net_contexts.mls file if the MLS policy is enabled, contains the security contexts for port numbers, network interfaces, nodes, and NFS servers, as shown in Figure 14. The current policy configuration language only supports ports and addresses in the AF_INET address family, although the security server interfaces are more general. For each port, the protocol (tcp or udp) and port range are specified, followed by the port security context. If no entry is specified for a port, then the security context associated with the initial SID port is used.

For each network interface, the interface name is specified followed by the interface security context and the security context for any unlabeled messages received on the interface. If no entry is specified for a network interface, then the security contexts associated with the initial SIDs netif and netmsg are used. For each node, a network address and a network mask are specified, followed by the node security context. The mask is applied to the node address passed to the security_node_sid interface, and the result is then compared to the network address. In the current implementation, the entries are checked for a match in the same order that they are specified in the configuration. If no matching entry is specified for a node, then the security context associated with the initial SID node is used.

For each NFS server, a network address and a network mask are specified, followed by the file system security context and file security context. The mask is applied to the node address passed to the security_nfs_sid interface, and the result is then compared to the network address. In the current implementation, the entries are checked for a match in the same order that they are specified in the configuration. If no matching entry is specified for a node, then the security context associated with the initial SID nfs is used.
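
The ordered mask-and-compare lookup described above for node and NFS server entries, as an added example in C that is not code from the security server. It also flags an entry that can never match because an earlier, broader entry covers it, which is the practical consequence of first-match ordering. The struct, function names, sample entries and type names are hypothetical, and contexts are written without an MLS range.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct node_entry {
    uint32_t addr;        /* network address, host byte order */
    uint32_t mask;        /* network mask, host byte order */
    const char *context;  /* node security context */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample entries in configuration order; type names are hypothetical. */
static const struct node_entry nodes[] = {
    { IP4(127, 0, 0, 1), IP4(255, 255, 255, 255), "system_u:object_r:node_lo_t" },
    { IP4(10, 0, 0, 0),  IP4(255, 0, 0, 0),       "system_u:object_r:node_internal_t" },
    { IP4(10, 1, 2, 0),  IP4(255, 255, 255, 0),   "system_u:object_r:node_dmz_t" },
};
#define N_NODES (sizeof(nodes) / sizeof(nodes[0]))
/* Stand-in for the context of the initial SID "node" (hypothetical value). */
static const char *const INITIAL_NODE_CONTEXT = "system_u:object_r:node_t";

/* Mask the queried address, compare with each entry in order; first match wins. */
const char *node_context(const struct node_entry *tab, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if ((addr & tab[i].mask) == tab[i].addr)
            return tab[i].context;
    return INITIAL_NODE_CONTEXT;  /* no entry matched */
}

/* Index of the first entry shadowed by an earlier one, or -1. Entry j is dead when
 * an earlier entry i has a mask that is a subset of j's and j's network lies inside i's. */
int first_shadowed(const struct node_entry *tab, size_t n)
{
    for (size_t j = 1; j < n; j++)
        for (size_t i = 0; i < j; i++)
            if ((tab[i].mask & tab[j].mask) == tab[i].mask &&
                (tab[j].addr & tab[i].mask) == tab[i].addr)
                return (int)j;
    return -1;
}

int main(void)
{
    printf("10.1.2.5 -> %s\n", node_context(nodes, N_NODES, IP4(10, 1, 2, 5)));
    printf("first shadowed entry index: %d\n", first_shadowed(nodes, N_NODES));
    return 0;
}
```

Listing the /24 entry before the /8 entry makes it reachable; more specific entries belong first in the configuration.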

