1# selinux_adapter
2
3## Introduction
4
5Security-Enhanced Linux (SELinux) is an outstanding security module in the history of Linux with a set of kernel modifications and user-space tools supporting mandatory access control (MAC) based on security rules.SELinux has been added to various Linux distributions. The software architecture of SELinux attempts to separate enforcement of security decisions from the security policy and streamlines the amount of software involved with security policy enforcement.This component provide MAC protect for system object like file, parameter, service and so on. Providing neverallow rules to limit high-risk operations in the system and reduce system security risks.
6
7The flow of access control shown in following figure:
8
9![Overall architecture](docs/images/SELinux.png)
10
11## Directory Structure
12
13```
14.
15├── config                  # Third-party library configuration file of the board.
16├── docs                    # Documents.
17│   └── images
18├── interfaces
19│   ├── policycoreutils     # libload_policy.so and librestorecon.so of the board.
20│   │   ├── include
21│   │   └── src
22│   └── tools               # load_policy and restorecon of the board.
23│       ├── load_policy
24│       └── restorecon
25├── scripts                 # Security policy compilation scripts.
26├── sepolicy                # Security policy files.
27└── test                    # Test program.
28```
29
30## Constraints
31
32Currently, SELinux supports only the RK3568 device.
33
34## Usage
35
36### Building the Image
37
38Run the following command to build the image that supports SELinux:
39
40```
41Independent build command of this module:
42./build.sh --product-name=rk3568 -T selinux_adapter --ccache
43```
44### Verifying Basic Functions
45
46Burn the image to the development board, start the board, run **shell** through the serial port, and run the following commands:
47
48```
49ls -lZ /          # View the file label.
50ls -lLZ /         # View the link source file label.
51ps -eZ            # View the process label.
52setenforce 1      # Enable the enforcing mode.
53setenforce 0      # Enable the permissive mode, which is the default mode.
54getenforce        # Obtain the SELinux working mode.
55```
56Policy file: **/etc/selinux/targeted/policy/policy.31**
57
58File labeling rule: **/etc/selinux/targeted/policy/file_contexts**
59
60SELinux mode switch: **/etc/selinux/config**
61
62During the verification, you can replace the preceding files separately.
63
64### Log
65
66```
67audit: type=1400 audit(1502458430.566:4): avc:  denied  { open } for  pid=1658 comm="setenforce" path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:hdcd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
68
69The log information is interpreted as follows:
70open                                # The operation is open.
71pid=1658                            # The process ID is 1658.
72comm="setenforce"                   # The process name is setenforce.
73path="/sys/fs/selinux/enforce"      # The path accessed by the process is /sys/fs/selinux/enforce.
74dev="selinuxfs"                     # The file accessed belongs to the SELinux filesystem (selinuxfs).
75ino=4                               # The file node No. is 4.
76scontext=u:r:hdcd:s0                # The SELinux label of the process is u:r:hdcd:s0.
77tcontext=u:object_r:selinuxfs:s0    # The SELinux label of the accessed file is u:object_r:selinuxfs:s0.
78tclass=file                         # The current alarm is about a file operation.
79permissive=1                        # The SELinux is running in permissive mode, that is, the system does not deny any operation but only logs Access Vector Cache (AVC) message for troubleshooting or debugging. If permissive is set to 0, the SELinux is running in enforcing mode and denies access based on SELinux policy rules.
80```
81
82### Writing a Policy Rule
83
84```
85Obtain the access information based on the AVC message.
86Example:
87audit: type=1400 audit(1502458430.566:4): avc:  denied  { open } for  pid=1658 comm="setenforce" path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:hdcd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
88The rule is as follows:
89allow hdcd selinuxfs:file open;
90```
91
92## Repositories
93
94The table below lists the repositories involved.
95
96| Repository| Source Code| Description|
97| --- | --- | --- |
98| [selinux_adapter](https://gitee.com/openharmony/security_selinux_adapter.git) | `base/security/selinux_adapter/` | Provides policies and self-developed APIs.|
99| [third_party_selinux](https://gitee.com/openharmony/third_party_selinux.git) | `third_party/selinux/` | SELinux main repository.|
100| [productdefine_common](https://gitee.com/openharmony/productdefine_common.git) | `productdefine/common/` | Provides SELinux component definitions.|
101| [third_party_toybox](https://gitee.com/openharmony/third_party_toybox.git) | `third_party/toybox/` | Provides the support for SELinux of `ls`.|
102| [startup_init_lite](https://gitee.com/openharmony/startup_init_lite.git) | `base/startup/init_lite/` | Provides the init_lite module, which starts the first application.|
103| [third_party_FreeBSD](https://gitee.com/openharmony/third_party_FreeBSD.git) | `third_party/FreeBSD/` | Provides the fts library.|
104| [third_party_pcre](https://gitee.com/openharmony/third_party_pcre2.git) | `third_party/pcre/` | Provides the pcre2 library.|
105| [build](https://gitee.com/openharmony/build.git) | `build/` | Provides the code for build.|
106
107