46 customizing se linux policy


Published on

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

46 customizing se linux policy

  1. 1. 777 Customizing SELinux Policy 46.1. Introduction In earlier releases of Red Hat Enterprise Linux it was necessary to install the selinux-policy- targeted-sources packages and then to create a local.te file in the /etc/selinux/ targeted/src/policy/domains/misc directory. You could use the audit2allow utility to translate the AVC messages into allow rules, and then rebuild and reload the policy. The problem with this was that every time a new policy package was released it would have to execute the Makefile in order to try to keep the local policy. In Red Hat Enterprise Linux 5, this process has been completely revised. The "sources" rpm packages have been completely removed, and policy packages are treated more like the kernel. To look at the sources used to build the policy, you need to install the source rpm, selinux-policy- XYZ.src.rpm. A further package, selinux-policy-devel, has also been added, which provides further customization functionality. 46.1.1. Modular Policy Red Hat Enterprise Linux introduces the concept of modular policy. This allows vendors to ship SELinux policy separately from the operating system policy. It also allows administrators to make local changes to policy without worrying about the next policy install. The most important command that was added was semodule. semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. You can also use semodule to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way. Listing Policy Modules To list the policy modules on a system, use the semodule -l command: [root@host2a ~]# semodule -l amavis 1.1.0 ccs 1.0.0 clamav 1.1.0 dcc 1.1.0 evolution 1.1.0 iscsid 1.0.0 mozilla 1.1.0 mplayer 1.1.0 nagios 1.1.0 oddjob 1.0.1 pcscd 1.0.0 pyzor 1.1.0 razor 1.1.0 ricci 1.0.0 smart mon 1.1.0
  2. 2. 778 Capítulo 46. Customizing SELinux Policy Note This command does not list the base policy module, which is also installed. The /usr/share/selinux/targeted/ directory contains a number of policy package (*.pp) files. These files are included in the selinux-policy rpm and are used to build the policy file. 46.2. Building a Local Policy Module The following section uses an actual example to demonstrate building a local policy module to address an issue with the current policy. This issue involves the ypbind init script, which executes the setsebool command, which in turn tries to use the terminal. This is generating the following denial: type=AVC msg=audit(1164222416.269:22): avc: denied { use } for pid=1940 comm="setsebool" name="0" dev=devpts ino=2 scontext=system_u:system_r:semanage_t:s0 tc onte xt=syste m_u:syste m_r:init_t:s0 tc lass=fd Even though everything still works correctly (that is, it is not preventing any applications form running as intended), it does interrupt the normal work flow of the user. Creating a local policy module addresses this issue. 46.2.1. Using audit2allow to Build a Local Policy Module The audit2allow utility now has the ability to build policy modules. Use the following command to build a policy module based on specific contents of the audit.log file: ausearch -m AVC --comm setsebool | audit2allow -M mysemanage The audit2allow utility has built a type enforcement file (mysemanage.te). It then executed the check module command to compile a module file (mysemanage.mod). Lastly, it uses the semodule_package command to create a policy package (mysemanage.pp). The semodule_package command combines different policy files (usually just the module and potentially a file context file) into a policy package. 46.2.2. Analyzing the Type Enforcement (TE) File Use the cat command to inspect the contents of the TE file: [root@host2a ~]# cat mysemanag.te module mysemanage 1.0; require { cla ss fd use ; type init_t; type semanage_t; role syste m_r; }; allow semanage_t init_t:fd use;
  3. 3. 779 Loading the Policy Package The TE file is comprised of three sections. The first section is the module command, which identifies the module name and version. The module name must be unique. If you create an semanage module using the name of a pre-existing module, the system would try to replace the existing module package with the newly-created version. The last part of the module line is the version. semodule can update module packages and checks the update version against the currently installed version. The next block of the TE file is the require block. This informs the policy loader which types, classes and roles are required in the system policy before this module can be installed. If any of these fields are undefined, the semodule command will fail. Lastly are the allow rules. In this example, you could modify this line to dontaudit, because semodule does not need to access the file descriptor. 46.2.3. Loading the Policy Package The last step in the process of creating a local policy module is to load the policy package into the kernel. Use the semodule command to load the policy package: [root@host2a ~]# semodule -i mysemana ge.pp This command recompiles the policy file and regenerates the file context file. The changes are permanent and will survive a reboot. You can also copy the policy package file (mysemanage.pp) to other machines and install it using semodule. The audit2allow command outputs the commands it executed to create the policy package so that you can edit the TE file. This means you can add new rules as required or change the allow rule to dontaudit. You could then recompile and repackage the policy package to be installed again. There is no limit to the number of policy packages, so you could create one for each local modification you want to make. Alternatively, you could continue to edit a single package, but you need to ensure that the "require" statements match all of the allow rules.
  4. 4. 780
  5. 5. 781 Referencias Las siguientes referencias apuntan a información adicional que es relevante a SELinux y Red Hat Enterprise Linux pero que va más allá del propósito de este manual. Tenga en cuenta que debido al rápido desarrollo de SELinux, este material podría ser aplicable únicamente a un lanzamiento específico de Red Hat Enterprise Linux. Libros SELinux by Example Mayer, MacMillan, and Caplan Prentice Hall, 2007 Tutoriales y ayuda Understanding and Customizing the Apache HTTP SELinux Policy http://docs.fedoraproject.org/selinux-apache-fc3/ Tutorials and talks from Russell Coker http://www.coker.com.au/selinux/talks/ibmtu-2004/ Generic Writing SELinux policy HOWTO https://sourceforge.net/docman/display_doc.php?docid=21959[amp ]group_id=21266 1 Red Hat Knowledgebase http://kbase.redhat.com/ Información general Sitio web principal de NSA SELinux http://www.nsa.gov/research/selinux/index.shtml NSA SELinux, Preguntas frecuentes http://www.nsa.gov/research/selinux/faqs.shtml Fedora SELinux, Preguntas frecuentes http://docs.fedoraproject.org/selinux-faq/ SELinux NSA's Open Source Security Enhanced Linux http://www.oreilly.com/catalog/selinux/ Tecnologías An Overview of Object Classes and Permissions http://www.tresys.com/selinux/obj_perms_help.html Integrating Flexible Support for Security Policies into the Linux Operating System (una historia de la implementación de Flask en Linux, artículo en inglés) http://www.nsa.gov/research/_files/selinux/papers/freenix01/freenix01.shtml 1 https://sourceforge.net/docman/display_doc.php?docid=21959[amp ]group_id=21266
  6. 6. Capítulo 47. Referencias 782 Implementing SELinux as a Linux Security Module http://www.nsa.gov/research/selinux/index.shtmlpapers/module-abs.cfm A Security Policy Configuration for the Security-Enhanced Linux http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml Comunidad Página de la comunidad SELinux http://selinux.sourceforge.net IRC irc.freenode.net, #rhel-selinux
  7. 7. Capítulo 47. Referencias 783 Historia Quick history of Flask http://www.cs.utah.edu/flux/fluke/html/flask.html Full background on Fluke http://www.cs.utah.edu/flux/fluke/html/index.html