AN OVERVIEW OF DOMAIN TRANSITION ANALYSIS
apol, version 1.4
June 02, 2004
selinux@tresys.com

A key feature of Type Enforcement (TE) security is the ability to 
define domain types with which programs run, use that domain type to 
control access to objects (which are also typed), and strictly control 
the ability of a process to change its domain type.  This last ability 
is known as "domain transition".

Apol allows one to analyze an SELinux policy and understand the domain 
transitions allowed by the policy.  As with all access in SELinux, the 
ability to transition from one domain to another is controlled by 
'allow' rules in the policy.  Below, we describe how the apol tool 
performs a domain transition analysis.


THE THREE TYPES OF INTEREST FOR DOMAIN TRANSITIONS

When discussing domain transition access, there are three different types
we must consider:

	SOURCE TYPE: This is the domain type associated with a process
	that is trying to change (transition) its domain type to another
	type.
	
	TARGET TYPE: This is the domain type to which the source type is 
	trying to transition.
	
	FILE TYPE (ENTRYPOINT TYPE): This is a type associated with an 
	executable file object that allows the target type to be entered 
	as part of an execve() system call.
	
	
FORWARD VS. REVERSE DOMAIN TRANSITION ANALYSIS

Apol allows you to perform both forward and reverse domain transition 
analysis.  A forward analysis allows you to select a SOURCE type and 
determine all the TARGET types to which the source may transition. 
You may also select object classes, permissions, and object types to 
find transitions to domains that have specific privileges or that have
access to a particular object type(s).  A reverse analysis is the opposite; 
you select a TARGET type and determine all the SOURCE types that may 
transition to the target type.

In each case, apol creates a tree structure to show the result.  You can 
drill down the tree to follow any given transition path.


CRITERIA FOR IDENTIFYING ALLOW DOMAIN TRANSITIONS

In SELinux, there are three types of access (and hence at least three 
rules) that must be allowed by the policy if a domain transition is to 
occur.  These three access types form the criteria used by apol to 
determine allowed transitions.

Given an understanding of the three types of interest in a domain 
transition, the criteria for an allowed domain transition are as 
follows.  (In the examples below, assume 'user_t' is the source type, 
'passwd_t' is the target type, and 'passwd_exec_t' is the file entry 
point type).


1. There must be a rule that allows the SOURCE domain type 'transition' 
   access for 'process' object class for the TARGET domain type. As an 
   example, the rule:
   
   	allow user_t passwd_t : process transition;
   	
   meets this criterion by allowing the source type (user_t) 'process 
   transition' permission to the target type (passwd_t).

2. There must be a rule that allows the SOURCE domain type 'execute' 
   access to the FILE ENTRYPOINT type. As an example, the rule:

	allow user_t passwd_exec_t: file {read getattr execute};
	
   meets the criterion by allowing the source type (user_t) 'execute' 
   access to the file entrypoint type (passwd_exec_t).


3. There must be a rule that allows the TARGET domain type 'entrypoint' 
   access to the FILE ENTRYPOINT type for file objects.  As an example, 
   the rule:
   
   	allow passwd_t passwd_exec_t : file entrypoint;
   	
   meets this criterion by allowing the target type (passwd_t) 
   'file entrypoint' access to the file entrypoint type (passwd_exec_t).  
   


In the analysis results, apol will list all the types that meet the above 
three criteria.
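As an added illustration (not code from apol or from this document), the three criteria above applied in Python to a small constructed set of allow rules; the sample rules, the parser and the forward/reverse helper names are assumptions made for this example, not part of any real policy or tool:

```python
import re
from collections import defaultdict

# Constructed sample of allow rules (not taken from a real policy).
# user_t -> passwd_t satisfies all three criteria; user_t -> ping_t lacks
# the 'process transition' rule and so must NOT be reported.
SAMPLE_POLICY = """
allow user_t passwd_t : process transition;
allow user_t passwd_exec_t : file { read getattr execute };
allow passwd_t passwd_exec_t : file entrypoint;
allow user_t ping_exec_t : file { read execute };
allow ping_t ping_exec_t : file entrypoint;
allow sysadm_t passwd_t : process transition;
allow sysadm_t passwd_exec_t : file execute;
"""

# allow SRC TGT : CLASS PERM;   or   allow SRC TGT : CLASS { P1 P2 ... };
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow_rules(text):
    """Return a set of (source, target, object_class, permission) tuples."""
    rules = set()
    for src, tgt, cls, perms in RULE_RE.findall(text):
        for perm in perms.strip("{}").split():
            rules.add((src, tgt, cls, perm))
    return rules

def domain_transitions(rules):
    """Apply the three criteria; return a set of (source, target, entrypoint)."""
    # Criterion 1: allow SOURCE TARGET : process transition;
    proc_trans = {(s, t) for s, t, c, p in rules if c == "process" and p == "transition"}
    # Criterion 2: allow SOURCE ENTRYPOINT : file execute;
    can_exec = defaultdict(set)
    # Criterion 3: allow TARGET ENTRYPOINT : file entrypoint;
    entry = defaultdict(set)
    for s, t, c, p in rules:
        if c == "file" and p == "execute":
            can_exec[s].add(t)
        elif c == "file" and p == "entrypoint":
            entry[s].add(t)
    # A transition is allowed only when one entrypoint type satisfies both 2 and 3.
    return {(src, tgt, ep) for src, tgt in proc_trans
            for ep in can_exec.get(src, set()) & entry.get(tgt, set())}

def forward_analysis(rules, source):
    """Forward analysis: all (target, entrypoint) pairs reachable from source."""
    return sorted((t, e) for s, t, e in domain_transitions(rules) if s == source)

def reverse_analysis(rules, target):
    """Reverse analysis: all (source, entrypoint) pairs that may enter target."""
    return sorted((s, e) for s, t, e in domain_transitions(rules) if t == target)
```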



