Configuring SELinux permissions on (SysV) IPC semaphores

The basic steps to get SELinux working with the changes you need are:

  1. Enable permissive mode
  2. Capture denials
  3. Add a new policy module or modify an existing policy module
  4. Enable enforcing mode and test

Exactly how to do these steps depends on what Linux distribution you are using; here are references for CentOS, Debian, Gentoo, RedHat and Ubuntu. You can also find SELinux information from NSA. The best documentation I found is from Gentoo: step 1, step 2, step 3, step 4.

As @smassey noted, you most probably need to modify some IPC permission.
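An added example, not from the answer above nor from any SELinux project, showing steps 2 and 3 in shell. Constructed AVC denial lines for a hypothetical `myapp_t` domain (a process that creates and uses a SysV semaphore) stand in for `ausearch` output; a small awk reimplementation of the basic transformation `audit2allow` performs turns them into a policy module source, merging permissions per (source, target, class) and using `self` when source and target match, so it handles any object class, not only `sem`; the commands that would build and load the module on a real host (steps 1, 3 and 4) sit in a function that is deliberately not invoked. The module name `myapp_sem`, the domain `myapp_t` and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer. Turns captured AVC denials
# into a minimal SELinux policy module source. The AVC lines below are
# constructed; the domain myapp_t and module name myapp_sem are placeholders.
# On a real host the denials come from:  ausearch -m AVC -ts recent
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { create } for  pid=4242 comm="myapp" key=1234 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read write } for  pid=4242 comm="myapp" key=1234 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=4243 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1'

# avc_to_te NAME: read AVC lines on stdin, print a module source (.te) on
# stdout. This is the same transformation audit2allow -M performs, done
# here so the rules can be inspected offline before anything is loaded.
avc_to_te() {
    awk -v name="$1" '
    /avc: *denied/ {
        # permissions are the words between "{" and "}"
        perms = $0
        sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        # the type is the third colon-separated field of each context
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sp, ":"); split(t, tp, ":")
        src = sp[3]; tgt = tp[3]
        types[src] = 1; types[tgt] = 1
        if (tgt == src) tgt = "self"
        key = src " " tgt ":" c
        if (!(key in rules))  { rules[key] = " ";  order[++nrules] = key }
        if (!(c in classes))  { classes[c] = " "; corder[++nclasses] = c }
        # merge permissions, keeping each one once per rule and per class
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if (index(rules[key], " " p[i] " ") == 0) rules[key] = rules[key] p[i] " "
            if (index(classes[c], " " p[i] " ") == 0) classes[c] = classes[c] p[i] " "
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (ty in types) printf "\ttype %s;\n", ty
        for (i = 1; i <= nclasses; i++) printf "\tclass %s {%s};\n", corder[i], classes[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= nrules; i++) printf "allow %s {%s};\n", order[i], rules[order[i]]
    }'
}

# load_module NAME: steps 1, 3 and 4 on a real host (root required). Not
# invoked here because it changes the running policy.
load_module() {
    name=$1
    setenforce 0                                                  # 1. permissive: log, do not block
    # run the application under test, then:
    ausearch -m AVC -ts recent | avc_to_te "$name" > "$name.te"   # 2. capture and convert
    checkmodule -M -m -o "$name.mod" "$name.te"                   # 3. compile the module
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"                                        #    and load it
    setenforce 1                                                  # 4. enforce and retest
}

# Usage: print the module source derived from the constructed denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te myapp_sem
```

The generated rule for the semaphore denials is `allow myapp_t self:sem { create read write };`. Review the output before building it: a permissive run logs everything the process touches, so any rule that is not actually needed for the semaphore (here the `etc_t:file` read, which is likely better served by an existing interface in the base policy) should be trimmed rather than granted because it happened to appear in the log.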

Is there a simple C or C++ API to modify selinux contexts?


#include <selinux/selinux.h>

/* A context is just a string of the form "user:role:type[:level]". */
typedef char *security_context_t;

/* Set the SELinux context of the file at `path`.
   Returns 0 on success, -1 on failure with errno set. */
int setfilecon(const char *path, security_context_t con);

is probably the function you are looking for. You have to link against libselinux.

unconfined_t vs unlabeled_t in SELinux

unlabeled_t is a special type (isid type). Initial security identifiers (isid) are a special way to label entities. They are used to label entities in scenarios that could not otherwise be addressed, for example the scenarios of fail-over, initialization and fixed objects.

The unlabeled_t type is associated with both the "unlabeled" as well as the "file" isid. The unlabeled isid is used to automatically associate the type (in this case unlabeled_t) with entities that have an invalid context, and the file isid is used to automatically associate the type associated with it (in this case unlabeled_t) with entities that have no label at all.

These two common (fail-over) scenarios can happen for various reasons:

  1. SELinux is mutable at runtime in GNU/Linux; this means that one can add and remove contexts at runtime, and therefore validate and invalidate contexts. So if there is an entity in your system with a given context, and you decide to remove that context at runtime, then it gets invalidated and the unlabeled isid will automatically associate unlabeled_t with it.

  2. When you format a new partition, or when you share a partition with a system that does not use SELinux, then that filesystem has no labels by default. The file initial sid kicks in and associates unlabeled_t with objects that have no label.

The isid contexts are associated in memory.
SELinux enforces integrity by default. So everything always needs a valid label.
Initial security identifiers are used to address labeling challenges that can't otherwise be addressed.

If you see unlabeled_t, then the entity either has an invalid label or no label at all. You would want to address that by associating a valid label with the entity.

unconfined_t is a "normal" type that just has a very broad set of permissions associated with it. Entities associated with the unconfined_t type are virtually unconfined by SELinux.
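As an added example, not from the answer above, a small shell check for the situation it describes: entries whose type is unlabeled_t have either no label or an invalid one and need a valid label applied. The input lines are constructed in the form `ls -dZ` prints (context, space, path); on a real host they would come from something like `find /srv -print0 | xargs -0 ls -dZ`, and the fix printed for each offender, `restorecon`, reapplies the label the policy's file contexts define. The paths and contexts are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer. Finds entries carrying the
# unlabeled_t type and prints the restorecon command that would relabel them.
# Input lines are constructed in 'ls -dZ' form: "<context> <path>".
SAMPLE_LS='system_u:object_r:var_t:s0 /srv/data
system_u:object_r:unlabeled_t:s0 /srv/data/export.csv
unconfined_u:object_r:unlabeled_t:s0 /mnt/legacy/report.txt
system_u:object_r:etc_t:s0 /etc/myapp.conf'

# type_of CONTEXT: print the type, the third colon-separated field of
# user:role:type[:level].
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_unlabeled: read "<context> <path>" lines on stdin and print the paths
# whose type is unlabeled_t, one per line. `read -r ctx path` keeps any
# spaces in the path because the last variable takes the rest of the line.
find_unlabeled() {
    while read -r ctx path; do
        [ "$(type_of "$ctx")" = unlabeled_t ] && printf '%s\n' "$path"
    done
    return 0
}

# Usage: list the offenders with the command that would fix each one.
# restorecon is only printed, not run, by this example.
printf '%s\n' "$SAMPLE_LS" | find_unlabeled | while read -r p; do
    printf 'unlabeled: %s  -> restorecon -v %s\n' "$p" "$p"
done
```

For a filesystem that never had labels (the second scenario in the answer), relabeling every entry is the expected outcome; for a single file that unexpectedly shows unlabeled_t on an otherwise labeled filesystem, the first scenario (a context that was removed from the loaded policy) is the more likely cause, and the policy should be checked before relabeling hides the symptom.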