An SELinux module (2): file contexts and labelling

Having created a number of file types in part (1), we need to specify which parts of the filesystem are labelled with these types. The file types created were lighttpd_exec_t, lighttpd_config_t, lighttpd_modules_t, lighttpd_log_t and lighttpd_var_run_t. All of these types belong to files in very specific locations. For example, the lighttpd_exec_t type should label only the lighttpd executable (at /usr/sbin/lighttpd).

Labelling of the file system works at ever-increasing granularity. For example, /usr and everything below it is labelled with the type usr_t. In particular, the security context for /usr and everything below it is:


Then /usr gets labelled with more granularity, so for example, /usr/sbin and everything below it gets the sbin_t type (replacing the usr_t type). Under /usr/sbin our module will increase labelling granularity even more by replacing the default sbin_t type for lighttpd with the new lighttpd_exec_t type.

File context file

Labelling of the file system with the file types created in the lighttpd module is specified in the file context file (lighttpd.fc). In this file each line that isn't blank or a comment consists of three fields. Each field is separated by white space (spaces or tabs):

  • The first field is a regular expression that specifies part of the filesystem. For example, the regular expression that specifies the configuration directory /etc/lighttpd and all files and subdirectories under it is "/etc/lighttpd(/.*)?".
  • The second field is optional. If it is present it has the form of a dash "-" followed by a file type letter as shown in the first character of the ls -l output (i.e. "d" for directory, "-" for normal file, "c" for character special file, etc.). So a second field of "-d" would mean this context applies only to directories.
  • The third field is the specification of the security context to be applied. As some security models have more than three elements in a context (namely MLS), the module uses the macro "gen_context", which clips the context to the correct number of elements for the active policy type, so that the module is usable under either kind of policy.

The line for labelling the lighttpd executable is simple, as we use the literal location of the program as the regular expression:

/usr/sbin/lighttpd    --    gen_context(system_u:object_r:lighttpd_exec_t,s0)

Note that the "--" second field also specifies that this label applies only to normal files.

The configuration files for lighttpd reside under the /etc/lighttpd directory. We label that directory and everything under it with the lighttpd_config_t type:

/etc/lighttpd(/.*)?          gen_context(system_u:object_r:lighttpd_config_t,s0)

Labelling parts of the filesystem for the remaining three types is similarly straightforward:

/var/run/lighttpd.*     --    gen_context(system_u:object_r:lighttpd_var_run_t,s0)
/usr/lib/lighttpd(/.*)?       gen_context(system_u:object_r:lighttpd_modules_t,s0)
/var/log/lighttpd(/.*)?       gen_context(system_u:object_r:lighttpd_log_t,s0)

This completes the context labelling for the module as it is so far. An example lighttpd.fc source file is available. As with the example type enforcement source file, this is just a demonstration, it does not comprise a full module protecting the lighttpd web service at this stage.
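To make the three-field format and the "increasing granularity" rule concrete, here is an added Python example (not the author's lighttpd.fc, and not libselinux code) that parses .fc text, emulates the gen_context macro for MLS and non-MLS policies, and resolves a path to its context. The two base-policy entries for usr_t and sbin_t are constructed to show the layering described above; the matching rule (longest literal prefix wins, a later line wins a tie) is a simplification of the ordering libselinux applies and is labelled as such in the code.

```python
"""Parser and path matcher for the SELinux file-context (.fc) format.

Added illustration; the matching rule below (longest literal prefix wins,
later line wins a tie) is a simplified version of libselinux's ordering.
"""
import re
import stat
from dataclasses import dataclass
from typing import Optional

# Constructed base-policy entries showing the usr_t -> sbin_t layering
# described in the text (assumption: a real base policy has many more lines).
BASE_FC = """
/usr(/.*)?                     gen_context(system_u:object_r:usr_t,s0)
/usr/sbin(/.*)?                gen_context(system_u:object_r:sbin_t,s0)
"""

# The five lighttpd entries from the text, as a constructed module file.
LIGHTTPD_FC = """
# lighttpd file contexts (constructed sample)
/usr/sbin/lighttpd        --   gen_context(system_u:object_r:lighttpd_exec_t,s0)
/etc/lighttpd(/.*)?            gen_context(system_u:object_r:lighttpd_config_t,s0)
/var/run/lighttpd.*       --   gen_context(system_u:object_r:lighttpd_var_run_t,s0)
/usr/lib/lighttpd(/.*)?        gen_context(system_u:object_r:lighttpd_modules_t,s0)
/var/log/lighttpd(/.*)?        gen_context(system_u:object_r:lighttpd_log_t,s0)
"""

# Second-field letters (first column of `ls -l`) -> st_mode test a labelling tool applies.
FILE_TYPE_TESTS = {
    "-": stat.S_ISREG, "d": stat.S_ISDIR, "c": stat.S_ISCHR, "b": stat.S_ISBLK,
    "s": stat.S_ISSOCK, "l": stat.S_ISLNK, "p": stat.S_ISFIFO,
}
GEN_CONTEXT_RE = re.compile(r"gen_context\((.*)\)")
REGEX_META = set(".^$?*+|[](){}\\")


@dataclass
class FcSpec:
    regex: str
    file_type: Optional[str]   # None means "applies to any file type"
    context: str
    lineno: int


def expand_gen_context(field: str, mls: bool) -> str:
    """Emulate gen_context(): keep user:role:type and append the MLS level
    only when the active policy is an MLS policy (else the context has 3 parts)."""
    m = GEN_CONTEXT_RE.fullmatch(field)
    if not m:
        return field  # a literal context is used unchanged
    args = [a.strip() for a in m.group(1).split(",")]
    if len(args[0].split(":")) != 3:
        raise ValueError(f"malformed context in {field!r}")
    return f"{args[0]}:{args[1]}" if mls and len(args) > 1 else args[0]


def parse_fc(text: str, mls: bool = True) -> list:
    """Parse .fc text: regex, optional '-X' file-type field, context."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and re.fullmatch(r"-[-dcbslp]", fields[1]):
            regex, ftype, ctx = fields[0], fields[1][1], fields[2]
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {fields!r}")
        re.compile(regex)  # reject a bad regular expression early
        specs.append(FcSpec(regex, ftype, expand_gen_context(ctx, mls), lineno))
    return specs


def stem(regex: str) -> str:
    """Literal prefix before the first regex metacharacter; a longer stem is a
    more specific (finer-grained) entry."""
    for i, ch in enumerate(regex):
        if ch in REGEX_META:
            return regex[:i]
    return regex


def lookup(specs: list, path: str, mode: Optional[int] = None) -> Optional[str]:
    """Return the context for path, or None if no entry matches.

    mode is an st_mode value; when given, entries with a file-type field only
    apply if the type matches. The longest stem wins and a later line wins a
    tie, which reproduces the usr_t -> sbin_t -> lighttpd_exec_t layering."""
    best = None
    for s in specs:
        if not re.fullmatch(s.regex, path):
            continue
        if s.file_type is not None and mode is not None \
                and not FILE_TYPE_TESTS[s.file_type](mode):
            continue
        if best is None or len(stem(s.regex)) >= len(stem(best.regex)):
            best = s
    return best.context if best else None


if __name__ == "__main__":
    specs = parse_fc(BASE_FC) + parse_fc(LIGHTTPD_FC)
    for p in ("/usr/share/doc", "/usr/sbin/ls", "/usr/sbin/lighttpd",
              "/etc/lighttpd/lighttpd.conf", "/var/run/lighttpd.pid"):
        print(f"{p:30} {lookup(specs, p, stat.S_IFREG)}")
```

Passing a directory mode for /usr/sbin/lighttpd shows the effect of the "--" field: the lighttpd_exec_t entry is skipped and the path falls back to the coarser sbin_t entry, while parsing with mls=False yields three-element contexts as gen_context would under a non-MLS policy.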