Why is SELINUXTYPE policy specific?

Why is SELINUXTYPE policy specific?

[dE]

There are 3 security models in which SELinux can work -- TE, RBAC and MLS.

And there are 6 types of SELinux policies --

targeted, mls, mcs, standard, strict or minimum.

Each security model requires it's own set of policies and the policies 
can be 1 of the 6 types. So can all the 3 security modles and 6 types be 
intermixed? Won't there be conflicts like with MLS and RBAC?

Re: Why is SELINUXTYPE policy specific?

[Sven Vermeulen]

On Sun, Apr 20, 2014 at 2:23 PM, dE <de.techno@gmail.com> wrote:
> There are 3 security models in which SELinux can work -- TE, RBAC and MLS.
>
> And there are 6 types of SELinux policies --
>
> targeted, mls, mcs, standard, strict or minimum.
>
> Each security model requires it's own set of policies and the policies can
> be 1 of the 6 types. So can all the 3 security modles and 6 types be
> intermixed? Won't there be conflicts like with MLS and RBAC?

The SELINUXTYPE value should be seen as the name given to a policy
store. The contents (the actual policy, the features it supports, the
fact that it is MLS-enabled or not) have nothing to do with the name
of the store per se. It is just a matter of convenience that policy
stores are named in a particular way so that, cross-distributions,
security administrators can deduce the type and features of the policy
based on the name.

For instance, on RHEL6, "targeted" is the name given to the policy
store that contains an MCS policy with support for unconfined domains.
On Gentoo, this name is rather used for non-MCS policy with support
for unconfined domains.

Afaik, there is no conflict between RBAC and MLS. With MLS, the
SELinux subsystem allows or denies access based on the dominance rules
between the domains' security clearance and the resource sensitivity
level. RBAC instead allows or denies a SELinux role to be associated
with a particular domain.

Wkr,
  Sven Vermeulen

Re: Why is SELINUXTYPE policy specific?

[Stephen Smalley]

On 04/20/2014 08:23 AM, dE wrote:
> There are 3 security models in which SELinux can work -- TE, RBAC and MLS.
> 
> And there are 6 types of SELinux policies --
> 
> targeted, mls, mcs, standard, strict or minimum.
> 
> Each security model requires it's own set of policies and the policies
> can be 1 of the 6 types. So can all the 3 security modles and 6 types be
> intermixed? Won't there be conflicts like with MLS and RBAC?

The SELinux security server implements a hybrid RBAC/TE model (not
optional, always present) and an optional MLS model (can be enabled
alongside the RBAC/TE model, not as a substitute for it).  The MLS model
in fact relies upon the RBAC/TE model to serve certain functions such as
identifying, protecting, and limiting MLS trusted subjects (based on
their domain).

SELINUXTYPE in /etc/selinux/config is just a means of specifying the
name/location of the policy to be loaded.  It was originally for Red Hat
to allow them to support selection among multiple policy packages that
could all potentially be installed on the filesystem.  An alternate
implementation could have just used a symlink or just make the policy
packages conflict with each other so that only one could be installed at
a time.  The name conventionally suggests the kind of policy but there
is no intrinsic meaning to it.

Modern refpolicy build.conf has a TYPE that selects the kind of policy
to be built (standard == RBAC/TE only, mls == enable MLS and use the MLS
configuration, mcs == enable MLS and use the MCS configuration), and a
NAME that names the install location for the policy (which can be
anything and corresponds to the SELINUXTYPE of /etc/selinux/config).

The optional MLS model in the security server is in fact enabled in all
of the policy types in Fedora (any supported version) and RHEL 5 or
later, but used to implement Red Hat's MCS model in the targeted policy
(or any other policy type other than the mls one).  So targeted policy
in Fedora or RHEL corresponds to TYPE=mcs NAME=targeted in refpolicy
build.conf, while mls policy in Fedora or RHEL corresponds to TYPE=mls
NAME=mls in refpolicy build.conf.  standard is not used in Fedora or
RHEL AFAIK.  strict is no longer a separate policy in modern Fedora or
RHEL (>= 6?) because targeted and strict policies converged together and
strict policy can be achieved by mapping users to confined roles via
semanage on targeted policy and optionally by removing unconfined
entirely.  minimum is TYPE=mcs NAME=minimum and just differs in that it
has a different set of policy modules included in it.

Re: Why is SELINUXTYPE policy specific?

[dE]

On 04/21/14 13:31, Sven Vermeulen wrote:
> On Sun, Apr 20, 2014 at 2:23 PM, dE <de.techno@gmail.com> wrote:
>> There are 3 security models in which SELinux can work -- TE, RBAC and MLS.
>>
>> And there are 6 types of SELinux policies --
>>
>> targeted, mls, mcs, standard, strict or minimum.
>>
>> Each security model requires it's own set of policies and the policies can
>> be 1 of the 6 types. So can all the 3 security modles and 6 types be
>> intermixed? Won't there be conflicts like with MLS and RBAC?
> The SELINUXTYPE value should be seen as the name given to a policy
> store. The contents (the actual policy, the features it supports, the
> fact that it is MLS-enabled or not) have nothing to do with the name
> of the store per se. It is just a matter of convenience that policy
> stores are named in a particular way so that, cross-distributions,
> security administrators can deduce the type and features of the policy
> based on the name.
>
> For instance, on RHEL6, "targeted" is the name given to the policy
> store that contains an MCS policy with support for unconfined domains.
> On Gentoo, this name is rather used for non-MCS policy with support
> for unconfined domains.
>
> Afaik, there is no conflict between RBAC and MLS. With MLS, the
> SELinux subsystem allows or denies access based on the dominance rules
> between the domains' security clearance and the resource sensitivity
> level. RBAC instead allows or denies a SELinux role to be associated
> with a particular domain.
>
> Wkr,
>    Sven Vermeulen

So can policies which support RBAC can be made to have a different 
SELINUXTYPE?

Can targeted, mls, mcs, standard, strict or minimum also be considered 
as different security models? Since all these are made based on the TE 
model, can we make a custom security model based on TE and give it a 
different SELINUXTYPE.

Thanks for the response.

Re: Why is SELINUXTYPE policy specific?

[dE]

On 04/21/14 20:23, Stephen Smalley wrote:
> On 04/20/2014 08:23 AM, dE wrote:
>> There are 3 security models in which SELinux can work -- TE, RBAC and MLS.
>>
>> And there are 6 types of SELinux policies --
>>
>> targeted, mls, mcs, standard, strict or minimum.
>>
>> Each security model requires it's own set of policies and the policies
>> can be 1 of the 6 types. So can all the 3 security modles and 6 types be
>> intermixed? Won't there be conflicts like with MLS and RBAC?
> The SELinux security server implements a hybrid RBAC/TE model (not
> optional, always present) and an optional MLS model (can be enabled
> alongside the RBAC/TE model, not as a substitute for it).  The MLS model
> in fact relies upon the RBAC/TE model to serve certain functions such as
> identifying, protecting, and limiting MLS trusted subjects (based on
> their domain).
>
> SELINUXTYPE in /etc/selinux/config is just a means of specifying the
> name/location of the policy to be loaded.  It was originally for Red Hat
> to allow them to support selection among multiple policy packages that
> could all potentially be installed on the filesystem.  An alternate
> implementation could have just used a symlink or just make the policy
> packages conflict with each other so that only one could be installed at
> a time.  The name conventionally suggests the kind of policy but there
> is no intrinsic meaning to it.
>
> Modern refpolicy build.conf has a TYPE that selects the kind of policy
> to be built (standard == RBAC/TE only, mls == enable MLS and use the MLS
> configuration, mcs == enable MLS and use the MCS configuration), and a
> NAME that names the install location for the policy (which can be
> anything and corresponds to the SELINUXTYPE of /etc/selinux/config).
>
> The optional MLS model in the security server is in fact enabled in all
> of the policy types in Fedora (any supported version) and RHEL 5 or
> later, but used to implement Red Hat's MCS model in the targeted policy
> (or any other policy type other than the mls one).  So targeted policy
> in Fedora or RHEL corresponds to TYPE=mcs NAME=targeted in refpolicy
> build.conf, while mls policy in Fedora or RHEL corresponds to TYPE=mls
> NAME=mls in refpolicy build.conf.  standard is not used in Fedora or
> RHEL AFAIK.  strict is no longer a separate policy in modern Fedora or
> RHEL (>= 6?) because targeted and strict policies converged together and
> strict policy can be achieved by mapping users to confined roles via
> semanage on targeted policy and optionally by removing unconfined
> entirely.  minimum is TYPE=mcs NAME=minimum and just differs in that it
> has a different set of policy modules included in it.

So in most distros, SELINUXTYPE specifies the security model.

Re: Why is SELINUXTYPE policy specific?

[Stephen Smalley]

On 04/22/2014 01:03 AM, dE wrote:
> On 04/21/14 20:23, Stephen Smalley wrote:
>> On 04/20/2014 08:23 AM, dE wrote:
>>> There are 3 security models in which SELinux can work -- TE, RBAC and
>>> MLS.
>>>
>>> And there are 6 types of SELinux policies --
>>>
>>> targeted, mls, mcs, standard, strict or minimum.
>>>
>>> Each security model requires it's own set of policies and the policies
>>> can be 1 of the 6 types. So can all the 3 security modles and 6 types be
>>> intermixed? Won't there be conflicts like with MLS and RBAC?
>> The SELinux security server implements a hybrid RBAC/TE model (not
>> optional, always present) and an optional MLS model (can be enabled
>> alongside the RBAC/TE model, not as a substitute for it).  The MLS model
>> in fact relies upon the RBAC/TE model to serve certain functions such as
>> identifying, protecting, and limiting MLS trusted subjects (based on
>> their domain).
>>
>> SELINUXTYPE in /etc/selinux/config is just a means of specifying the
>> name/location of the policy to be loaded.  It was originally for Red Hat
>> to allow them to support selection among multiple policy packages that
>> could all potentially be installed on the filesystem.  An alternate
>> implementation could have just used a symlink or just make the policy
>> packages conflict with each other so that only one could be installed at
>> a time.  The name conventionally suggests the kind of policy but there
>> is no intrinsic meaning to it.
>>
>> Modern refpolicy build.conf has a TYPE that selects the kind of policy
>> to be built (standard == RBAC/TE only, mls == enable MLS and use the MLS
>> configuration, mcs == enable MLS and use the MCS configuration), and a
>> NAME that names the install location for the policy (which can be
>> anything and corresponds to the SELINUXTYPE of /etc/selinux/config).
>>
>> The optional MLS model in the security server is in fact enabled in all
>> of the policy types in Fedora (any supported version) and RHEL 5 or
>> later, but used to implement Red Hat's MCS model in the targeted policy
>> (or any other policy type other than the mls one).  So targeted policy
>> in Fedora or RHEL corresponds to TYPE=mcs NAME=targeted in refpolicy
>> build.conf, while mls policy in Fedora or RHEL corresponds to TYPE=mls
>> NAME=mls in refpolicy build.conf.  standard is not used in Fedora or
>> RHEL AFAIK.  strict is no longer a separate policy in modern Fedora or
>> RHEL (>= 6?) because targeted and strict policies converged together and
>> strict policy can be achieved by mapping users to confined roles via
>> semanage on targeted policy and optionally by removing unconfined
>> entirely.  minimum is TYPE=mcs NAME=minimum and just differs in that it
>> has a different set of policy modules included in it.
> 
> So in most distros, SELINUXTYPE specifies the security model.

Not really, no.  The model (i.e. RBAC/TE + MLS) is in fact the same for
all values of SELINUXTYPE in Fedora and RHEL; only the configuration
differs.  SELINUXTYPE is just a name for the policy (hence refpolicy's
use of NAME=).

Re: Why is SELINUXTYPE policy specific?

[Stephen Smalley]

On 04/22/2014 12:59 AM, dE wrote:
> On 04/21/14 13:31, Sven Vermeulen wrote:
>> On Sun, Apr 20, 2014 at 2:23 PM, dE <de.techno@gmail.com> wrote:
>>> There are 3 security models in which SELinux can work -- TE, RBAC and
>>> MLS.
>>>
>>> And there are 6 types of SELinux policies --
>>>
>>> targeted, mls, mcs, standard, strict or minimum.
>>>
>>> Each security model requires it's own set of policies and the
>>> policies can
>>> be 1 of the 6 types. So can all the 3 security modles and 6 types be
>>> intermixed? Won't there be conflicts like with MLS and RBAC?
>> The SELINUXTYPE value should be seen as the name given to a policy
>> store. The contents (the actual policy, the features it supports, the
>> fact that it is MLS-enabled or not) have nothing to do with the name
>> of the store per se. It is just a matter of convenience that policy
>> stores are named in a particular way so that, cross-distributions,
>> security administrators can deduce the type and features of the policy
>> based on the name.
>>
>> For instance, on RHEL6, "targeted" is the name given to the policy
>> store that contains an MCS policy with support for unconfined domains.
>> On Gentoo, this name is rather used for non-MCS policy with support
>> for unconfined domains.
>>
>> Afaik, there is no conflict between RBAC and MLS. With MLS, the
>> SELinux subsystem allows or denies access based on the dominance rules
>> between the domains' security clearance and the resource sensitivity
>> level. RBAC instead allows or denies a SELinux role to be associated
>> with a particular domain.
>>
>> Wkr,
>>    Sven Vermeulen
> 
> So can policies which support RBAC can be made to have a different
> SELINUXTYPE?

You can use any SELINUXTYPE value you want; it is just an arbitrary name
for the policy.  No inherent relationship to the underlying model or
configuration.

> Can targeted, mls, mcs, standard, strict or minimum also be considered
> as different security models? Since all these are made based on the TE
> model, can we make a custom security model based on TE and give it a
> different SELINUXTYPE.

No, they are not different security models, just different
configurations of the same model, and you are mixing the notions of
SELINUXTYPE, TYPE and NAME.  At most, you might say that mcs and mls are
different "models" since they use different sets of constraint
definitions but that's all just configuration data for SELinux...

Re: Why is SELINUXTYPE policy specific?

[dE]

On 04/22/14 18:23, Stephen Smalley wrote:
> On 04/22/2014 12:59 AM, dE wrote:
>> On 04/21/14 13:31, Sven Vermeulen wrote:
>>> On Sun, Apr 20, 2014 at 2:23 PM, dE <de.techno@gmail.com> wrote:
>>>> There are 3 security models in which SELinux can work -- TE, RBAC and
>>>> MLS.
>>>>
>>>> And there are 6 types of SELinux policies --
>>>>
>>>> targeted, mls, mcs, standard, strict or minimum.
>>>>
>>>> Each security model requires it's own set of policies and the
>>>> policies can
>>>> be 1 of the 6 types. So can all the 3 security modles and 6 types be
>>>> intermixed? Won't there be conflicts like with MLS and RBAC?
>>> The SELINUXTYPE value should be seen as the name given to a policy
>>> store. The contents (the actual policy, the features it supports, the
>>> fact that it is MLS-enabled or not) have nothing to do with the name
>>> of the store per se. It is just a matter of convenience that policy
>>> stores are named in a particular way so that, cross-distributions,
>>> security administrators can deduce the type and features of the policy
>>> based on the name.
>>>
>>> For instance, on RHEL6, "targeted" is the name given to the policy
>>> store that contains an MCS policy with support for unconfined domains.
>>> On Gentoo, this name is rather used for non-MCS policy with support
>>> for unconfined domains.
>>>
>>> Afaik, there is no conflict between RBAC and MLS. With MLS, the
>>> SELinux subsystem allows or denies access based on the dominance rules
>>> between the domains' security clearance and the resource sensitivity
>>> level. RBAC instead allows or denies a SELinux role to be associated
>>> with a particular domain.
>>>
>>> Wkr,
>>>     Sven Vermeulen
>> So can policies which support RBAC can be made to have a different
>> SELINUXTYPE?
> You can use any SELINUXTYPE value you want; it is just an arbitrary name
> for the policy.  No inherent relationship to the underlying model or
> configuration.
>
>> Can targeted, mls, mcs, standard, strict or minimum also be considered
>> as different security models? Since all these are made based on the TE
>> model, can we make a custom security model based on TE and give it a
>> different SELINUXTYPE.
> No, they are not different security models, just different
> configurations of the same model, and you are mixing the notions of
> SELINUXTYPE, TYPE and NAME.  At most, you might say that mcs and mls are
> different "models" since they use different sets of constraint
> definitions but that's all just configuration data for SELinux...

Sorry for the late response -- I was really busy setting up that 
graphics card.

So I dont understand the purpose of SELINUXTYPE. Can someone please explain?

Re: Why is SELINUXTYPE policy specific?

[Dominick Grift]

On Sat, 2014-04-26 at 12:36 +0530, dE wrote:

> 
> So I dont understand the purpose of SELINUXTYPE. Can someone please explain?

It allows one to have more than a single policy installed at any given
time, which in turn enables one to relatively easily switch between
policies.

Re: Why is SELINUXTYPE policy specific?

[dE]

On 04/26/14 19:47, Dominick Grift wrote:
> On Sat, 2014-04-26 at 12:36 +0530, dE wrote:
>
>> So I dont understand the purpose of SELINUXTYPE. Can someone please explain?
> It allows one to have more than a single policy installed at any given
> time, which in turn enables one to relatively easily switch between
> policies.
>
>
>
>
>

Thanks for clearing that up everyone!