SELinux System Administration - Third Edition by Sven Vermeulen

Author: Sven Vermeulen
Language: eng
Format: epub
Publisher: Packt Publishing
Published: 2020-12-04T00:00:00+00:00


Governing unit operation access

Until now, we've looked at configuration settings related to systemd's SELinux support. systemd also uses SELinux to control access to services defined through unit files. When a user wants to perform an operation against a unit (such as starting a service or checking the state of a running service), systemd queries the SELinux policy to see whether it will allow this operation.

The systemd daemon uses the service object class to validate the permissions of the client's domain toward the requested operation, with the unit file's context as the target. For instance, to validate whether the sysadm_t user domain can view the status of the service associated with the sshd.service unit file, it looks up the context of that unit file (sshd_unit_file_t) and then checks whether the status permission is granted:

# sesearch -s sysadm_t -t sshd_unit_file_t -c service -p status -A

Other supported permissions are disable, enable, reload, start, and stop; the full set defined by the loaded policy can be listed with seinfo -c service -x. When a permission is not granted, a USER_AVC denial message will be visible in the audit logs (rather than an AVC message), because the message is not generated by the Linux kernel but by systemd, which acts as a userspace object manager. So, while the rules themselves are part of the SELinux policy, it is systemd that enforces the access.
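The following shell script is added here as an illustration and is not taken from the book. It takes a USER_AVC record in the shape systemd writes to the audit log, extracts the source and target contexts, the object class and the denied permissions, reports whether the kernel or a userspace object manager logged it, and prints the sesearch query that confirms whether the policy grants the permission. The sample record is constructed for the example; its contexts, PIDs, paths and timestamp are made up.

```shell
#!/bin/sh
# Added example (not from the book): triage a systemd USER_AVC denial and turn
# it into the sesearch query that checks whether the policy allows the access.

# Constructed sample record in the shape systemd writes when the SELinux policy
# denies a unit operation. All values are made up for the example.
SAMPLE_USER_AVC="type=USER_AVC msg=audit(1607000000.123:456): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=1000 gid=1000 path=\"/usr/lib/systemd/system/sshd.service\" cmdline=\"systemctl status sshd.service\" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sshd_unit_file_t:s0 tclass=service permissive=0  exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"

# avc_field RECORD KEY: value of an unquoted KEY=value pair in the record.
avc_field() {
    printf '%s\n' "$1" | sed -nE "s/.*[[:space:]]$2=([^[:space:]]+).*/\1/p"
}

# avc_perms RECORD: the denied permissions listed inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -nE 's/.*[{] ([^}]*) [}].*/\1/p'
}

# avc_origin RECORD: who made the decision. The kernel logs type=AVC; a
# userspace object manager (systemd, dbus-daemon, ...) logs type=USER_AVC.
avc_origin() {
    case "$1" in
        type=USER_AVC*) echo userspace ;;
        type=AVC*)      echo kernel ;;
        *)              echo unknown ;;
    esac
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_sesearch RECORD: one sesearch command per denied permission. Run the
# output on the SELinux host; an empty sesearch result means no allow rule
# exists for that access (a boolean-gated rule shows the boolean name).
avc_to_sesearch() {
    rec="$1"
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    for perm in $(avc_perms "$rec"); do
        echo "sesearch -s $src -t $tgt -c $cls -p $perm -A"
    done
}

echo "origin:     $(avc_origin "$SAMPLE_USER_AVC")"
echo "permissive: $(avc_field "$SAMPLE_USER_AVC" permissive)"
avc_to_sesearch "$SAMPLE_USER_AVC"
```

To use it on a live system, feed the functions records from ausearch -m USER_AVC instead of the constructed sample; the permissive=0 field tells you the denial was enforced, and the generated sesearch line tells you whether the fix is a missing rule or a boolean that is switched off.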

systemd, or the client through which systemd is queried, might also provide additional error messages to reflect that the SELinux policy prevents the action. For instance, if we attempt to query systemd over D-Bus (which we cover in the D-Bus communication section) from an unprivileged user domain, then we get the following error:

Error: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access

To facilitate troubleshooting any systemd-triggered failures, systemd also has an extensive logging component, called systemd-journald, which we'll cover next.


