HomeWhat We DoResearchSE LinuxPolicy Objectives

SELinux Example Policy Objectives

Included with the release is a general-purpose security policy configuration. It is not a complete security configuration. Its purpose is to provide a concrete example of how the security mechanisms in the system can be used. It provides a good starting point and should be customized to meet the specific needs of any site. Some of its objectives are outlined here.

The example configuration controls access to various forms of raw data and protects the integrity of the kernel. It defines distinct types for the boot files, module object files, module utilities, module configuration files and sysctl parameters, and it defines separate domains for processes that require write access to these files. It defines separate domains for the module utilities, and it restricts the use of the module capability to these domains. It only allows a small set of privileged domains to transition to the module utility domains.

The example configuration protects the integrity of system software, system configuration information and system logs. It defines distinct types for system libraries and binaries to control access to these files. It only allows administrators to modify system software. It defines separate types for system configuration files and system logs and defines separate domains for programs that require write access.

The example configuration seeks to confine the potential damage that can be caused through the exploitation of a flaw in a process that requires privileges, whether a system process or privilege-enhancing (setuid or setgid) program. The policy configuration places these privileged system processes and programs into separate domains, with each domain limited to only those permissions it requires. Separate types for objects are defined in the policy configuration as needed to support least privilege for these domains. The configuration also attempts to protect privileged processes from executing malicious code. The policy configuration defines an executable type for the program executed by each privileged process and only allows transitions to the privileged domain by executing that type. When possible, it limits privileged process domains to executing the initial program for the domain, the system dynamic linker, and the system shared libraries. The administrator domain is allowed to execute programs created by administrators as well as system software, but not programs created by ordinary users or system processes.

Other objectives of the example configuration include protecting the administrator role and domain from being entered without user authentication, and preventing ordinary user processes from interfering with system processes or administrator processes by controlling the use of procfs, ptrace and signaling.

The example configuration is more completely described in the policy documentation.

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.