
Chapter 46. Customizing SELinux Policy

46.1. Introduction

In earlier releases of Red Hat Enterprise Linux it was necessary to install the selinux-policy-targeted-sources packages and then to create a local.te file in the /etc/selinux/targeted/src/policy/domains/misc directory. You could use the audit2allow utility to translate the AVC messages into allow rules, and then rebuild and reload the policy. The problem with this was that every time a new policy package was released it would have to execute the Makefile in order to try to keep the local policy.

In Red Hat Enterprise Linux 5, this process has been completely revised. The "sources" rpm packages have been completely removed, and policy packages are treated more like the kernel. To look at the sources used to build the policy, you need to install the source rpm, selinux-policy-XYZ.src.rpm. A further package, selinux-policy-devel, has also been added, which provides further customization functionality.

46.1.1. Modular Policy

Red Hat Enterprise Linux introduces the concept of modular policy. This allows vendors to ship SELinux policy separately from the operating system policy. It also allows administrators to make local changes to policy without worrying about the next policy install. The most important command that was added was semodule.

semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. You can also use semodule to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.

Listing Policy Modules

To list the policy modules on a system, use the semodule -l command:

    [root@host2a ~]# semodule -l
    amavis      1.1.0
    ccs         1.0.0
    clamav      1.1.0
    dcc         1.1.0
    evolution   1.1.0
    iscsid      1.0.0
    mozilla     1.1.0
    mplayer     1.1.0
    nagios      1.1.0
    oddjob      1.0.1
    pcscd       1.0.0
    pyzor       1.1.0
    razor       1.1.0
    ricci       1.0.0
    smartmon    1.1.0
Note: This command does not list the base policy module, which is also installed.

The /usr/share/selinux/targeted/ directory contains a number of policy package (*.pp) files. These files are included in the selinux-policy rpm and are used to build the policy file.

46.2. Building a Local Policy Module

The following section uses an actual example to demonstrate building a local policy module to address an issue with the current policy. This issue involves the ypbind init script, which executes the setsebool command, which in turn tries to use the terminal. This is generating the following denial:

    type=AVC msg=audit(1164222416.269:22): avc: denied { use } for pid=1940 comm="setsebool" name="0" dev=devpts ino=2 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd

Even though everything still works correctly (that is, it is not preventing any applications from running as intended), it does interrupt the normal work flow of the user. Creating a local policy module addresses this issue.

46.2.1. Using audit2allow to Build a Local Policy Module

The audit2allow utility now has the ability to build policy modules. Use the following command to build a policy module based on specific contents of the audit.log file:

    ausearch -m AVC --comm setsebool | audit2allow -M mysemanage

The audit2allow utility has built a type enforcement file (mysemanage.te). It then executed the checkmodule command to compile a module file (mysemanage.mod). Lastly, it uses the semodule_package command to create a policy package (mysemanage.pp). The semodule_package command combines different policy files (usually just the module and potentially a file context file) into a policy package.

46.2.2. Analyzing the Type Enforcement (TE) File

Use the cat command to inspect the contents of the TE file:

    [root@host2a ~]# cat mysemanage.te
    module mysemanage 1.0;

    require {
            class fd use;
            type init_t;
            type semanage_t;
            role system_r;
    };

    allow semanage_t init_t:fd use;
The TE file is comprised of three sections. The first section is the module command, which identifies the module name and version. The module name must be unique. If you create a semanage module using the name of a pre-existing module, the system would try to replace the existing module package with the newly-created version. The last part of the module line is the version. semodule can update module packages and checks the update version against the currently installed version.

The next block of the TE file is the require block. This informs the policy loader which types, classes and roles are required in the system policy before this module can be installed. If any of these fields are undefined, the semodule command will fail.

Lastly are the allow rules. In this example, you could modify this line to dontaudit, because semodule does not need to access the file descriptor.

46.2.3. Loading the Policy Package

The last step in the process of creating a local policy module is to load the policy package into the kernel. Use the semodule command to load the policy package:

    [root@host2a ~]# semodule -i mysemanage.pp

This command recompiles the policy file and regenerates the file context file. The changes are permanent and will survive a reboot. You can also copy the policy package file (mysemanage.pp) to other machines and install it using semodule.

The audit2allow command outputs the commands it executed to create the policy package so that you can edit the TE file. This means you can add new rules as required or change the allow rule to dontaudit. You could then recompile and repackage the policy package to be installed again. There is no limit to the number of policy packages, so you could create one for each local modification you want to make. Alternatively, you could continue to edit a single package, but you need to ensure that the "require" statements match all of the allow rules.
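To make the audit2allow step of this procedure concrete, the following is an added example (not from the guide and not audit2allow's own code) that parses AVC denial records of the form shown in 46.2 and renders the same module/require/rule layout as mysemanage.te, including the dontaudit variant discussed in 46.2.2. The sample records are constructed (only the first AVC line is the one from the guide), and the parser is a simplified stand-in that merges permissions per source type, target type and class the way the require block needs them.

```python
import re
from collections import defaultdict

# Constructed sample: the setsebool denial quoted in 46.2 plus two made-up records
# (a second fd permission and a chr_file denial) to exercise permission merging.
SAMPLE_AVC = """\
type=SYSCALL msg=audit(1164222416.269:22): arch=40000003 syscall=11 success=yes exit=0
type=AVC msg=audit(1164222416.269:22): avc: denied { use } for pid=1940 comm="setsebool" name="0" dev=devpts ino=2 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
type=AVC msg=audit(1164222416.269:23): avc: denied { read } for pid=1940 comm="setsebool" name="0" dev=devpts ino=2 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
type=AVC msg=audit(1164222500.100:31): avc: denied { read write } for pid=1940 comm="setsebool" name="0" dev=devpts ino=2 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Return ({(source type, target type, class): set(perms)}, {source roles})."""
    rules, roles = defaultdict(set), set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH and other non-AVC records carry no denial
        _user, srole, stype = m.group("scon").split(":")[:3]  # user:role:type:level
        ttype = m.group("tcon").split(":")[2]
        roles.add(srole)
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules), roles

def _perms(ps):
    ps = sorted(ps)  # TE syntax: one permission is bare, several are brace-grouped
    return ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"

def build_te(name, rules, roles, version="1.0", dontaudit=False):
    """Render module/require/rule sections as in 46.2.2; dontaudit silences, allow grants."""
    keyword = "dontaudit" if dontaudit else "allow"
    classes, types = defaultdict(set), set()
    for (stype, ttype, tclass), perms in rules.items():
        classes[tclass] |= perms  # the require block must name every class/permission used
        types.update((stype, ttype))
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\tclass %s %s;" % (c, _perms(p)) for c, p in sorted(classes.items())]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\trole %s;" % r for r in sorted(roles)]
    out += ["};", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append("%s %s %s:%s %s;" % (keyword, stype, ttype, tclass, _perms(perms)))
    return "\n".join(out) + "\n"
```

Feeding the output of `ausearch -m AVC --comm setsebool` to parse_avc and passing the result to build_te("mysemanage", ...) yields the TE text shown in 46.2.2; passing dontaudit=True yields the silenced variant without granting the access.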
Chapter 47. References

The following references point to additional information that is relevant to SELinux and Red Hat Enterprise Linux but that goes beyond the scope of this manual. Note that, because of the rapid development of SELinux, this material may apply only to a specific release of Red Hat Enterprise Linux.

Books

SELinux by Example
Mayer, MacMillan, and Caplan
Prentice Hall, 2007

Tutorials and Help

Understanding and Customizing the Apache HTTP SELinux Policy
http://docs.fedoraproject.org/selinux-apache-fc3/

Tutorials and talks from Russell Coker
http://www.coker.com.au/selinux/talks/ibmtu-2004/

Generic Writing SELinux policy HOWTO
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

Red Hat Knowledgebase
http://kbase.redhat.com/

General Information

NSA SELinux main website
http://www.nsa.gov/research/selinux/index.shtml

NSA SELinux FAQ
http://www.nsa.gov/research/selinux/faqs.shtml

Fedora SELinux FAQ
http://docs.fedoraproject.org/selinux-faq/

SELinux NSA's Open Source Security Enhanced Linux
http://www.oreilly.com/catalog/selinux/

Technology

An Overview of Object Classes and Permissions
http://www.tresys.com/selinux/obj_perms_help.html

Integrating Flexible Support for Security Policies into the Linux Operating System (a history of the Flask implementation in Linux; paper in English)
http://www.nsa.gov/research/_files/selinux/papers/freenix01/freenix01.shtml

Implementing SELinux as a Linux Security Module
http://www.nsa.gov/research/selinux/index.shtmlpapers/module-abs.cfm

A Security Policy Configuration for the Security-Enhanced Linux
http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml

Community

SELinux community page
http://selinux.sourceforge.net

IRC
irc.freenode.net, #rhel-selinux

History

Quick history of Flask
http://www.cs.utah.edu/flux/fluke/html/flask.html

Full background on Fluke
http://www.cs.utah.edu/flux/fluke/html/index.html