
I have a vanilla CentOS 7 box with SELinux enforcing with the targeted policy:

$ ls -lZ /etc/resolv.conf
-rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf

$ sudo id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

$ sudo semanage user -l
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
user_u          user       s0         s0                             user_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
guest_u         user       s0         s0                             guest_r

Given the above, root is an unconfined_u SELinux user which has SELinux roles system_r and unconfined_r. Also, the file /etc/resolv.conf has a system_u user context and object_r role, which is not one of the roles of unconfined_u. Why doesn't SELinux prevent root from reading/writing this file?

Anthony Kraft

1 Answer


Disclaimer: I am not an SELinux expert. I am learning like you.

But, on my CentOS 7,

sesearch --allow -s unconfined_t | grep net_conf
   allow nsswitch_domain net_conf_t : file { ioctl read getattr lock open } ;
seinfo -ansswitch_domain -x | grep unconfined_t
      unconfined_t

Looks like processes of type unconfined_t (which has the nsswitch_domain attribute) are allowed to access net_conf_t, which is the type of the file /etc/resolv.conf.

xyz
  • So at what point does the user/role context come into play if all that has to match is the type? i.e. why does a file even have a user/role context? – Anthony Kraft Apr 08 '16 at 13:29
  • This page explains role quite well. https://wiki.gentoo.org/wiki/SELinux/Tutorials/The_purpose_of_SELinux_roles – xyz Apr 11 '16 at 00:12
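To make the point of the answer and the follow-up comment concrete, here is an added toy model of the access decision (my own illustration, not code from the question, the answer, or the SELinux project). It encodes only the allow rule and attribute membership quoted above plus role-to-type associations for the roles listed by semanage; the type user_t for user_r is an assumption, and MCS category checks are left out. The real kernel does far more, but the shape of the lookup is the same: the allow rule is matched on the two types, the process's role is checked against the process's own type, and the file's user and role fields are never compared with the subject's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """One SELinux security context: user:role:type:range."""
    user: str
    role: str
    type: str
    range: str = "s0"

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, typ, rng = text.split(":", 3)  # range may itself contain ':'
        return cls(user, role, typ, rng)


# Constructed toy policy (not the real CentOS 7 targeted policy). It holds the
# one allow rule and attribute membership quoted in the answer, plus
# role-to-type associations for roles listed by semanage. user_t is an
# assumed type for user_r so that a denial can be shown.
ATTRIBUTES = {"nsswitch_domain": {"unconfined_t"}}
ALLOW = [("nsswitch_domain", "net_conf_t", "file",
          {"ioctl", "read", "getattr", "lock", "open"})]
ROLE_TYPES = {"unconfined_r": {"unconfined_t"}, "user_r": {"user_t"}}


def expand(name: str) -> set:
    """A rule's source/target may name an attribute; expand it to its types."""
    return ATTRIBUTES.get(name, {name})


def type_allows(src: str, tgt: str, cls: str, perm: str) -> bool:
    """Type enforcement: only the two *types* take part in the rule lookup."""
    return any(src in expand(s) and tgt in expand(t) and cls == c and perm in p
               for s, t, c, p in ALLOW)


def access_allowed(subject: Context, obj: Context, cls: str, perm: str):
    """Return (decision, reason). MCS category checks are not modelled."""
    # RBAC: the process's role must be authorised for the process's own type.
    # The object's user and role (object_r) are never compared with the subject's.
    if subject.type not in ROLE_TYPES.get(subject.role, set()):
        return False, "role not authorised for type"
    if not type_allows(subject.type, obj.type, cls, perm):
        return False, "no allow rule for type pair"
    return True, "allowed"


if __name__ == "__main__":
    proc = Context.parse("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
    fobj = Context.parse("system_u:object_r:net_conf_t:s0")
    print(access_allowed(proc, fobj, "file", "read"))  # (True, 'allowed')
```

Changing the file's user field (for example to root) does not alter the outcome in this model, whereas changing the process type, or giving the process a role that is not authorised for its type, does; note that the toy policy contains only the single read-side rule quoted, so write is absent here even though the real unconfined_t domain has many more rules.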