1
I am studying SELinux.
Using SELinux, can a binary be allowed to access files opened by its parent process, and no other files?
If it cannot, then we should enhance it.
2
Yes, this can be done.
SELinux is a labeling system, and access to perform different operations on files (but also users, processes, ...) is granted based on the security context of the originating process.
The reference policy defines the security context of a process:
# ps -defZ | grep httpd
system_u:system_r:httpd_t:s0 root 1085 1 0 21:22 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
In this example, the security context has the following elements:
system_u: the SELinux user
system_r: the SELinux role
httpd_t: the SELinux type enforcement attribute
s0: the MLS/MCS range, relevant in policies other than the default targeted one
It also defines what security contexts a process can have access to:
# ll -dZ /srv/www/html/
drwxr-s---. root apache system_u:object_r:httpd_sys_content_t:s0 /srv/www/html/
# sesearch -s httpd_t -t httpd_sys_content_t -c file -p read -Ad
Found 1 semantic av rules:
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
In the example above, given the security context of the directory /srv/www/html, you can find using sesearch(1) if it is defined in the policy that a process labeled httpd_t can have read access to a directory labeled httpd_sys_content_t. Check the manpage of sesearch for more options.
So, for a forked process to be restricted to access files opened by its parent, you should ensure that there's policy in place that permits that operation.
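As an added illustration of the lookup the answer describes (this is example code written for this page, not something from the answer or from the SELinux project), the script below parses the security contexts shown in the ps -Z and ls -Z listings into their user, role, type and range elements, parses the allow rule printed by sesearch, and then checks whether the process type is granted a given permission on the file type. The sample listings are constructed copies of the answer's output; the helper names (parse_context, parse_allow_rules, is_allowed, check_access) are my own, and the rule parser only understands the single-line "allow SOURCE TARGET : CLASS { perms } ;" form that sesearch -A prints.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the answer's ps -defZ, ll -dZ and sesearch output.
PS_LINE = ("system_u:system_r:httpd_t:s0 root 1085 1 0 21:22 ? "
           "00:00:00 /usr/sbin/httpd -DFOREGROUND")
LS_LINE = "drwxr-s---. root apache system_u:object_r:httpd_sys_content_t:s0 /srv/www/html/"
SESEARCH_OUTPUT = """Found 1 semantic av rules:
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
"""

# user:role:type[:range]; the range may itself contain colons (e.g. s0-s0:c0.c1023).
CONTEXT_RE = re.compile(r"(?P<user>\w+):(?P<role>\w+):(?P<type>\w+)(?::(?P<range>\S+))?")
# allow SOURCE TARGET : CLASS { perm perm ... } ;   or   allow SOURCE TARGET : CLASS perm ;
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{?\s*([\w\s]+?)\s*\}?\s*;")


@dataclass(frozen=True)
class SecurityContext:
    user: str
    role: str
    type: str
    range: Optional[str]


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_context(label: str) -> SecurityContext:
    """Split a label such as system_u:system_r:httpd_t:s0 into its elements."""
    m = CONTEXT_RE.fullmatch(label)
    if m is None:
        raise ValueError(f"not a security context: {label!r}")
    return SecurityContext(m["user"], m["role"], m["type"], m["range"])


def context_from_line(line: str) -> SecurityContext:
    """Find the security-context column in a ps -Z or ls -Z line.

    The column position differs between the two tools, so scan the tokens for
    the first one that has the user:role:type shape instead of indexing.
    """
    for token in line.split():
        if CONTEXT_RE.fullmatch(token):
            return parse_context(token)
    raise ValueError(f"no security context found in: {line!r}")


def parse_allow_rules(text: str) -> List[AllowRule]:
    """Extract allow rules from sesearch output, ignoring the summary line."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            rules.append(AllowRule(m[1], m[2], m[3], frozenset(m[4].split())))
    return rules


def is_allowed(rules: List[AllowRule], source: str, target: str, tclass: str, perm: str) -> bool:
    """True if some rule grants `perm` on class `tclass` from source type to target type."""
    return any(r.source == source and r.target == target
               and r.tclass == tclass and perm in r.perms for r in rules)


def check_access(ps_line: str, ls_line: str, sesearch_output: str, tclass: str, perm: str) -> bool:
    """Combine the three listings: does the process type get `perm` on the file type?"""
    proc = context_from_line(ps_line)
    obj = context_from_line(ls_line)
    return is_allowed(parse_allow_rules(sesearch_output), proc.type, obj.type, tclass, perm)


if __name__ == "__main__":
    for perm in ("read", "write"):
        print(perm, check_access(PS_LINE, LS_LINE, SESEARCH_OUTPUT, "file", perm))
```

Because type enforcement decides on the type element alone, the check compares only proc.type and obj.type; the user, role and range are parsed but not consulted, which mirrors what sesearch -s/-t does with the targeted policy. Anything not covered by an allow rule is reported as denied, which is the default-deny behaviour of SELinux itself.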