[Linux, SELinux, OpenVMS, HP-UX and ACLs] A concepts comparative study

SYMPTOM/SOLUTION:
PRODUCT: SELinux Version 3.10.0 (Linux)
OP/SYS: Linux Fedora 17 OpenVMS IA64 Version 8.3-1H1 HP-UX IA64 B.11.31
COMPONENT: File Accesses Security
SOURCE: Philippe Vouters Fontainebleau/France
HIGH QUALITY SUPPORT: http://vouters.dyndns.org
SYMPTOM(S) or PROBLEM(S): This document presents a concepts comparative study about file accesses security. It considers the approach available on the Linux, OpenVMS and HP-UX operating systems. Later on, the author intends to add a quick approach for the Windows concepts which keyword where to look after ought to also be ACL.
DOCUMENT OBJECTIVES: This document purposely enables the reader a first factual approach to quickly start and cope with the concepts which prevail on each operating system. In no case, this document wishes to exhaust the subject. The intent is only to aim at introducing the topic.
LINUX APPROACH WITH SELINUX: Consider this entry in Fedora 17 /var/log/messages reproduced below: Nov 15 16:50:33 victor kernel: [56308.168812] type=1400 audit(1352994633.053:59) : avc: denied { write } for pid=22174 comm="perl" name="Linux-Apache-SELinux-Apache_and_Linux_permissions.html" dev="sda4" ino=7799213 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file This denotes that the perl utility access to Linux-Apache-SELinux-Apache_and_Linux_permissions.html would have been denied write access provided the SELinux policy was set to Enforcing. The perl access ought to be with a user_u access right for a file only granted httpd_sys_content_t access (in short Apache). Because, on this system, SELinux security is set to Permissive, perl is granted write access to the above file.
OPENVMS APPROACH WITH ACL: Consider this Oracle/RDB file below. For the Oracle/RDB unaware reader, Oracle/RDB is an Oracle's relational database software exclusively designed for the OpenVMS world. Before it was sold to Oracle, RDB has been developed from scratch by Digital Equipment Corporation, also known as DEC. $ run SQL$ SQL> attach 'alias test1 filename personnel'; SQL> sho protection on database test1; Protection on Alias TEST1 (IDENTIFIER=[AP_HTTPD,*],ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+CREATE+ ALTER+DROP+DBCTRL+OPERATOR+DBADM+SECURITY+DISTRIBTRAN) (IDENTIFIER=[AP_HTTPD,DEFAULT],ACCESS=NONE) (IDENTIFIER=[PHV],ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+CREATE+ALTER+DROP+ DBCTRL+OPERATOR+DBADM+SECURITY+DISTRIBTRAN) (IDENTIFIER=[*,*],ACCESS=NONE) SQL> This is performed by Oracle/RDB using the OpenVMS notion of ACLs. This simply means that the user AP_HTTPD (Apache User Identification Code [UIC]) in any group ID (*) is selectively granted the allowed SQL query rights (ACCESS=xxx). The user with the UIC PHV is also granted the same SQL query rights. All other users are denied access for any SQL query operation.
HP-UX APPROACH WITH ACL:
First terminal:
aps39-69-root# whoami root aps39-69-root# touch /tmp/tested_file aps39-69-root# ls -l /tmp/tested_file -rw-r--r-- 1 root sys 0 Jul 22 23:18 /tmp/tested_file
Second terminal:
$ whoami philippe $ cat /tmp/tested_file $
First terminal:
aps39-69-root# chmod go-r /tmp/tested_file aps39-69-root# ls -l /tmp/tested_file -rw------- 1 root sys 0 Jul 22 23:18 /tmp/tested_file
Second terminal:
$ cat /tmp/tested_file cat: Cannot open /tmp/tested_file: Permission denied $
First terminal:
aps39-69-root# getacl /tmp/tested_file # file: /tmp/tested_file # owner: root # group: sys user::rw- group::--- class:--- other:--- aps39-69-root# setacl -m user:philippe:rw /tmp/tested_file aps39-69-root# getacl /tmp/tested_file # file: /tmp/tested_file # owner: root # group: sys user::rw- user:philippe:rw- group::--- class:rw- other:--- aps39-69-root# ls -l /tmp/tested_file -rw-rw----+ 1 root sys 0 Jul 22 23:18 /tmp/tested_file aps39-69-root#
Second terminal:
$ cat /tmp/tested_file $ For HP-UX, do notice the '+' sign on the last ls -l command. It denotes an ACL placed on the file. File access authorized users along with their access rights onto is given by the getacl command.
CONCLUSION: HP-UX ACLs is merely an extension of the Unix file permissions. Authorized users are granted read (and/or write and/or execute) permission to a file or directory. SELinux grants access rights to files like the OpenVMS ACLs. The OpenVMS ACLs allow for more granularity, restricting the access rights to specific runtime operation. In short, SELinux would be less selective than OpenVMS on the allowed operations on a file. However and according to: http://www.nsa.gov/research/_files/selinux/papers/freenix01/node9.shtml SELinux would enable to only grant some C operations to a ressource such as a file by a program. SELinux also looks to enable the administrator to select which program is allowed some accurate C operation onto a ressource. On the other hand, OpenVMS would selectively limit the allowed operations on a disk ressource such as a file whichever the program is. The allowed operations on a file are considered with a set of authorized users. The OpenVMS ACLs are stored inside the file attributes and handled by RMS (the VMS filesystem handler). The SELinux access rights access right identifiers also referred to as SELinux labels, are stored inside the disk filesystem. It is yet unclear to the author whether the SELinux labels are part of the directories/files inodes. Any Unix/Unix-like such as Linux can be viewed as handling an entire filesystem. In consequence, SELinux and likely HP-UX do not limit their scope to only disks and their directories/files content. The scope is extented to non disk devices such as sockets, pipes and so on. This is unlike on the OpenVMS operating system where RMS limits its scope to disks content management. In summary and on OpenVMS, you are unable to place an ACL on a socket device.
RELATED LINUX DOCUMENT: ../tima/Linux-Apache-SELinux-Apache_and_Linux_permissions.html
REFERENCES: SELinux information provided by the SELinux co-developer entity with Red Hat: http://www.nsa.gov/research/_files/selinux/papers/freenix01/node9.shtml SELinux related interesting ideas exchange at: http://forums.fedoraforum.org/archive/index.php/t-276028.html HP OpenVMS and ACLs; an introduction: http://h71000.www7.hp.com/doc/84final/ba554_90015/ch04s08.html French speaking document simply summarizing operations using HP-UX ACLs: http://www.admin-sys.com/spip.php?article141
Did you find this helpful?