Monday, April 19, 2010

Changing the policies on SELinux

Extension   File type           Notes
.te         Type enforcement    Human-readable policy source: module declaration, require block, allow rules
.fc         File contexts       Default file contexts (labels) for the paths the module covers
.mod        Policy module       Binary of the compiled type enforcement policy
.pp         Policy package      The module plus optional additional files (file contexts, users, etc.)

To customise the running policy you can either:

  1. (Recommended) Generate a policy module and load it. The SELinux policy sources are not required; newer versions of audit2allow can do the whole thing with -M:
    $ cat /var/log/audit/audit.log | audit2allow -M local
    Generating type enforcement file: local.te
    Compiling policy: checkmodule -M -m -o local.mod local.te
    Building package: semodule_package -o local.pp -m local.mod
    
    ******************** IMPORTANT ***********************
    
    In order to load this newly created policy package into the kernel,
    you are required to execute
    
    semodule -i local.pp
    $ semodule -i local.pp
    The module is stored under /etc/selinux/targeted/modules/active/modules and survives reboots; semodule -l lists the loaded modules and semodule -r local removes it again. Read local.te before loading it: audit2allow turns every denial in its input into an allow rule, so feed it only the denials you actually want to allow. The same steps can also be done manually:
    $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
    $ cat local.te
    module local 1.0;
    
    require {
    role system_r;
    
    class fifo_file {  getattr ioctl };
    
    type cupsd_config_t;
    type unconfined_t;
    };
    
    allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
    
    
    Building module policy manually
    
    # Compile the module
    $ checkmodule -M -m -o local.mod local.te
    # Create the package
    $ semodule_package -o local.pp -m local.mod
    # Load the module into the kernel
    $ semodule -i local.pp

  2. Generate a new monolithic policy. You will need to install the SELinux policy sources, e.g. selinux-policy-targeted-sources (or selinux-policy-devel), which are unpacked under /etc/selinux/targeted/src. This lets you edit the policy, rebuild it and activate it straight away. audit2allow reads avc: denied messages (older versions can also take them from dmesg output) and creates an allow rule for each one it finds. It can be run without any parameters, but it is better to copy the handful of relevant entries into a temporary file and run audit2allow over just that, so that you do not generate rules for every unrelated denial in the log:
    cd /etc/selinux/targeted/src/policy/domains/misc/
    less /var/log/messages
    vi temp
    audit2allow -i temp -o local.te
    The local.te file will be integrated into the policy when you build it:
    cd /etc/selinux/targeted/src/policy
    make
    make load
The new customised policy is now active. Start the daemon again and iterate until no denials remain. Customising the running policy should be a last resort: every allow rule you add widens what the confined domain may do. Before writing a rule, check whether an existing boolean (getsebool -a, setsebool -P) or a relabel (restorecon) resolves the denial, read every generated rule before loading it (a denial can also mean the program is genuinely misbehaving), and keep the number of exceptions small.
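A stripped-down version of what audit2allow does in step 1, as an added example (my own Python, not audit2allow's source): it parses AVC denial records, merges them per (source type, target type, object class), emits a .te module in the same shape as local.te above, and flags rules that deserve a second look before semodule -i. The audit.log lines are constructed for the example, and the review heuristics (RISKY_PERMS, RISKY_TYPES) are my own, not anything audit2allow does.

```python
"""Minimal audit2allow-style generator plus a reviewer pass.

Added example, not audit2allow's own source.  The log lines below are
constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# Constructed sample audit.log records (the SYSCALL line is noise that a
# real log would also contain and that must be ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1271700000.123:45): avc:  denied  { getattr ioctl } for  pid=1234 comm="cupsd-config" path="pipe:[9876]" dev=pipefs ino=9876 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1271700001.456:46): avc:  denied  { read } for  pid=1234 comm="cupsd-config" name="printers.conf" dev=sda1 ino=1111 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1271700002.789:47): avc:  denied  { write } for  pid=1234 comm="cupsd-config" name="printers.conf" dev=sda1 ino=1111 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1271700002.789:47): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)")


def context_type(ctx):
    """user:role:type[:level] -> the type (third field)."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)}, merging
    repeated denials of the same triple into one rule."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other non-AVC lines
        key = (context_type(m["scontext"]),
               context_type(m["tcontext"]),
               m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def emit_module(rules, name="local", version="1.0"):
    """Render the rules as a .te module: declaration, require block with
    every class/permission and type used, then the allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    for tclass in sorted(classes):
        lines.append(f"\tclass {tclass} {{ {' '.join(sorted(classes[tclass]))} }};")
    for t in types:
        lines.append(f"\ttype {t};")
    lines += ["};", ""]
    for stype, ttype, tclass in sorted(rules):
        perms = " ".join(sorted(rules[(stype, ttype, tclass)]))
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return "\n".join(lines) + "\n"


# Reviewer heuristics (assumptions of this example): permissions that widen
# confinement considerably, and target types that should rarely appear in a
# generated rule for a confined daemon.
RISKY_PERMS = {"write", "append", "execute", "execute_no_trans", "entrypoint",
               "relabelfrom", "relabelto", "setattr", "unlink", "create"}
RISKY_TYPES = {"unconfined_t", "shadow_t"}


def review(rules):
    """Return warnings for rules to inspect by hand before `semodule -i`."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            warnings.append(f"{stype} -> {ttype}:{tclass} grants {' '.join(risky)}")
        if ttype in RISKY_TYPES:
            warnings.append(f"{stype} -> {ttype}:{tclass} targets sensitive type {ttype}")
    return warnings


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(emit_module(found), end="")
    for warning in review(found):
        print("REVIEW:", warning)
```

Run it and the output is a local.te you could hand to checkmodule -M -m, followed by two REVIEW lines: the file rule grants write to the daemon's own config type, and the fifo_file rule targets unconfined_t, which is exactly the kind of rule the text says to treat as a last resort rather than load blindly.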
