The document discusses customizing SELinux policy in Red Hat Enterprise Linux 5. It introduces the concept of modular policy and the new semodule tool for managing policy modules. It then provides an example of using audit2allow to build a local policy module to address a denial involving the ypbind init script. The steps shown are using audit2allow to generate the module files, analyzing the generated type enforcement file, and loading the policy package.

1. 777
Customizing SELinux Policy
46.1. Introduction
In earlier releases of Red Hat Enterprise Linux it was necessary to install the selinux-policy-
targeted-sources packages and then to create a local.te file in the /etc/selinux/
targeted/src/policy/domains/misc directory. You could use the audit2allow utility to
translate the AVC messages into allow rules, and then rebuild and reload the policy.
The problem with this was that every time a new policy package was released it would have to
execute the Makefile in order to try to keep the local policy.
In Red Hat Enterprise Linux 5, this process has been completely revised. The "sources" rpm packages
have been completely removed, and policy packages are treated more like the kernel. To look
at the sources used to build the policy, you need to install the source rpm, selinux-policy-
XYZ.src.rpm. A further package, selinux-policy-devel, has also been added, which provides
further customization functionality.
46.1.1. Modular Policy
Red Hat Enterprise Linux introduces the concept of modular policy. This allows vendors to ship
SELinux policy separately from the operating system policy. It also allows administrators to make local
changes to policy without worrying about the next policy install. The most important command that was
added was semodule.
semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing
and removing modules. You can also use semodule to force a rebuild of policy from the module
store and/or to force a reload of policy without performing any other transaction. semodule acts
on module packages created by semodule_package. Conventionally, these files have a .pp suffix
(policy package), although this is not mandated in any way.
46.1.1.1. Listing Policy Modules
To list the policy modules on a system, use the semodule -l command:
[root@host2a ~]# semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smart mon 1.1.0

2. 778
Capítulo 46. Customizing SELinux Policy
Note
This command does not list the base policy module, which is also installed.
The /usr/share/selinux/targeted/ directory contains a number of policy
package (*.pp) files. These files are included in the selinux-policy rpm and are
used to build the policy file.
46.2. Building a Local Policy Module
The following section uses an actual example to demonstrate building a local policy module to address
an issue with the current policy. This issue involves the ypbind init script, which executes the
setsebool command, which in turn tries to use the terminal. This is generating the following denial:
type=AVC msg=audit(1164222416.269:22): avc: denied { use } for pid=1940 comm="setsebool"
name="0" dev=devpts ino=2
scontext=system_u:system_r:semanage_t:s0 tc onte xt=syste m_u:syste m_r:init_t:s0 tc lass=fd
Even though everything still works correctly (that is, it is not preventing any applications form running
as intended), it does interrupt the normal work flow of the user. Creating a local policy module
addresses this issue.
46.2.1. Using audit2allow to Build a Local Policy Module
The audit2allow utility now has the ability to build policy modules. Use the following command to
build a policy module based on specific contents of the audit.log file:
ausearch -m AVC --comm setsebool | audit2allow -M mysemanage
The audit2allow utility has built a type enforcement file (mysemanage.te). It then executed
the check module command to compile a module file (mysemanage.mod). Lastly, it uses
the semodule_package command to create a policy package (mysemanage.pp). The
semodule_package command combines different policy files (usually just the module and potentially
a file context file) into a policy package.
46.2.2. Analyzing the Type Enforcement (TE) File
Use the cat command to inspect the contents of the TE file:
[root@host2a ~]# cat mysemanag.te
module mysemanage 1.0;
require {
cla ss fd use ;
type init_t;
type semanage_t;
role syste m_r;
};
allow semanage_t init_t:fd use;

3. 779
Loading the Policy Package
The TE file is comprised of three sections. The first section is the module command, which identifies
the module name and version. The module name must be unique. If you create an semanage module
using the name of a pre-existing module, the system would try to replace the existing module package
with the newly-created version. The last part of the module line is the version. semodule can update
module packages and checks the update version against the currently installed version.
The next block of the TE file is the require block. This informs the policy loader which types, classes
and roles are required in the system policy before this module can be installed. If any of these fields
are undefined, the semodule command will fail.
Lastly are the allow rules. In this example, you could modify this line to dontaudit, because
semodule does not need to access the file descriptor.
46.2.3. Loading the Policy Package
The last step in the process of creating a local policy module is to load the policy package into the
kernel.
Use the semodule command to load the policy package:
[root@host2a ~]# semodule -i mysemana ge.pp
This command recompiles the policy file and regenerates the file context file. The changes are
permanent and will survive a reboot. You can also copy the policy package file (mysemanage.pp) to
other machines and install it using semodule.
The audit2allow command outputs the commands it executed to create the policy package so that
you can edit the TE file. This means you can add new rules as required or change the allow rule to
dontaudit. You could then recompile and repackage the policy package to be installed again.
There is no limit to the number of policy packages, so you could create one for each local modification
you want to make. Alternatively, you could continue to edit a single package, but you need to ensure
that the "require" statements match all of the allow rules.

4. 780

5. 781
Referencias
Las siguientes referencias apuntan a información adicional que es relevante a SELinux y Red Hat
Enterprise Linux pero que va más allá del propósito de este manual. Tenga en cuenta que debido
al rápido desarrollo de SELinux, este material podría ser aplicable únicamente a un lanzamiento
específico de Red Hat Enterprise Linux.
Libros
SELinux by Example
Mayer, MacMillan, and Caplan
Prentice Hall, 2007
Tutoriales y ayuda
Understanding and Customizing the Apache HTTP SELinux Policy
http://docs.fedoraproject.org/selinux-apache-fc3/
Tutorials and talks from Russell Coker
http://www.coker.com.au/selinux/talks/ibmtu-2004/
Generic Writing SELinux policy HOWTO
https://sourceforge.net/docman/display_doc.php?docid=21959[amp ]group_id=21266
1
Red Hat Knowledgebase
http://kbase.redhat.com/
Información general
Sitio web principal de NSA SELinux
http://www.nsa.gov/research/selinux/index.shtml
NSA SELinux, Preguntas frecuentes
http://www.nsa.gov/research/selinux/faqs.shtml
Fedora SELinux, Preguntas frecuentes
http://docs.fedoraproject.org/selinux-faq/
SELinux NSA's Open Source Security Enhanced Linux
http://www.oreilly.com/catalog/selinux/
Tecnologías
An Overview of Object Classes and Permissions
http://www.tresys.com/selinux/obj_perms_help.html
Integrating Flexible Support for Security Policies into the Linux Operating System (una historia de la
implementación de Flask en Linux, artículo en inglés)
http://www.nsa.gov/research/_files/selinux/papers/freenix01/freenix01.shtml
1
https://sourceforge.net/docman/display_doc.php?docid=21959[amp ]group_id=21266

6. Capítulo 47. Referencias
782
Implementing SELinux as a Linux Security Module
http://www.nsa.gov/research/selinux/index.shtmlpapers/module-abs.cfm
A Security Policy Configuration for the Security-Enhanced Linux
http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml
Comunidad
Página de la comunidad SELinux
http://selinux.sourceforge.net
IRC
irc.freenode.net, #rhel-selinux

7. Capítulo 47. Referencias
783
Historia
Quick history of Flask
http://www.cs.utah.edu/flux/fluke/html/flask.html
Full background on Fluke
http://www.cs.utah.edu/flux/fluke/html/index.html