SELinux concepts

Review this page to become familiar with SELinux concepts.

Mandatory access control

Security Enhanced Linux (SELinux), is a mandatory access control (MAC) system for the Linux operating system. As a MAC system, it differs from Linux’s familiar discretionary access control (DAC) system. In a DAC system, a concept of ownership exists, whereby an owner of a particular resource controls access permissions associated with it. This is generally coarse-grained and subject to unintended privilege escalation. A MAC system, however, consults a central authority for a decision on all access attempts.

SELinux has been implemented as part of the Linux Security Module (LSM) framework, which recognizes various kernel objects, and sensitive actions performed on them. At the point at which each of these actions would be performed, an LSM hook function is called to determine whether or not the action should be allowed based on the information for it stored in an opaque security object. SELinux provides an implementation for these hooks and management of these security objects, which combine with its own policy, to determine the access decisions.

Along with other Android security measures, Android's access control policy greatly limits the potential damage of compromised machines and accounts. Using tools like Android's discretionary and mandatory access controls gives you a structure to ensure your software runs only at the minimum privilege level. This mitigates the effects of attacks and reduces the likelihood of errant processes overwriting or even transmitting data.

In Android 4.3 and higher, SELinux provides a mandatory access control (MAC) umbrella over traditional discretionary access control (DAC) environments. For instance, software must typically run as the root user account to write to raw block devices. In a traditional DAC-based Linux environment, if the root user becomes compromised that user can write to every raw block device. However, SELinux can be used to label these devices so the process assigned the root privilege can write to only those specified in the associated policy. In this way, the process cannot overwrite data and system settings outside of the specific raw block device.

See Use Cases for more examples of threats and ways to address them with SELinux.

Enforcement levels

SELinux can be implemented in varying modes:

  • Permissive - SELinux security policy is not enforced, only logged.
  • Enforcing - Security policy is enforced and logged. Failures appear as EPERM errors.

This choice is binary and determines whether your policy takes action or merely allows you to gather potential failures. Permissive is especially useful during implementation.

Labels, rules, and domains

SELinux depends upon labels to match actions and policies. Labels determine what is allowed. Sockets, files, and processes all have labels in SELinux. SELinux decisions are based on labels assigned to these objects and the policy defining how they may interact.

In SELinux, a label takes the form: user:role:type:mls_level, where the type is the primary component of the access decisions, which may be modified by the other sections components that make up the label. The objects are mapped to classes and the different types of access for each class are represented by permissions.

The policy rules come in the form: allow domains types:classes permissions;, where:

  • Domain - A label for the process or set of processes. Also called a domain type as it is just a type for a process.
  • Type - A label for the object (e.g. file, socket) or set of objects.
  • Class - The kind of object (e.g. file, socket) being accessed.
  • Permission - The operation (e.g. read, write) being performed.

And so an example use of this would follow the structure:

allow appdomain app_data_file:file rw_file_perms;

This says that all application domains are allowed to read and write files labeled app_data_file. Note that this rule relies upon macros defined in the global_macros file, and other helpful macros can also be found in the te_macros file. Macros are provided for common groupings of classes, permissions and rules, and should be used whenever possible to help reduce the likelihood of failures due to denials on related permissions. These macros files are located in the system/sepolicy directory. In Android 8.0 and higher, they are in the public subdirectory with other supported public sepolicy.

In addition to individually listing domains or types in a rule, one can also refer to a set of domains or types via an attribute. An attribute is simply a name for a set of domains or types. Each domain or type can be associated with any number of attributes. When a rule is written that specifies an attribute name, that name is automatically expanded to the list of domains or types associated with the attribute. For example, the domain attribute is associated with all process domains, and the file_type attribute is associated with all file types.

Use the syntax above to create avc rules that comprise the essence of an SELinux policy. A rule takes the form:

RULE_VARIANT SOURCE_TYPES TARGET_TYPES : CLASSES PERMISSIONS

The rule indicates what should happen when a subject labeled with any of the source_types attempts an action corresponding to any of the permissions on an object with any of the class classes that has any of the target_types label. The most common example of one of these rules is an allow rule, such as:

allow domain null_device:chr_file { open };

This rule allows a process with any domain associated with the domain attribute to take the action described by the permission open on an object of class chr_file (character device file) that has the target_type label of null_device. In practice, this rule may be extended to include other permissions:

allow domain null_device:chr_file { getattr open read ioctl lock append write};

When combined with the knowledge that domain is an attribute assigned to all process domains and that null_device is the label for the character device /dev/null, this rule basically permits reading and writing to /dev/null.

A domain generally corresponds to a process and has a label associated with it.

For example, a typical Android app is running in its own process and has the label of untrusted_app that grants it certain restricted permissions.

Platform apps built into the system run under a separate label and are granted a distinct set of permissions. System UID apps that are part of the core Android system run under the system_app label for yet another set of privileges.

Access to the following generic labels should never be directly allowed to domains; instead, a more specific type should be created for the object or objects:

  • socket_device
  • device
  • block_device
  • default_service
  • system_data_file
  • tmpfs