SELinux Policy Writing

From Linux User Group at WUR

In order to convince SELinux that what you're already doing is right, you need to feed it packaged policy (.pp) files. To generate these, you have to compile them from type enforcement (.te) files, plus any other definition files the policy requires, e.g. files (.fc) or sockets (.nc). This guide covers writing custom TE definitions.

First, to construct the .te file, you must work out which rules need to be defined. You can have the system construct it for you using audit2allow, e.g.:

# grep 'rstudio' /var/log/audit/audit.log | audit2allow -m rstudio

A more modern technique is to use ausearch for this. ausearch has many options for finding relevant logs:

# ausearch -m avc -c rstudio --raw | audit2allow -m rstudio

or, for example:

# ausearch -m avc -se var_log_t --raw | audit2allow -m policy

By using -m rather than -M, we get an example .te file as a result, rather than a compiled module. Be advised that audit2allow simply generates a policy that allows whatever denial is present in your log file; it does not check whether granting the access the program requested is wise. You will need to verify that the policy is sane yourself.

Here's an example for allowing logrotate access to everything in /var/log/:

module logrotatepol 1.0;
# Types, classes and permissions the rules below refer to
require {
    type var_t;
    type logrotate_t;
    class file { rename setattr read create ioctl write getattr unlink open };
    class dir { read write add_name remove_name };
}
#============= logrotate_t ==============
allow logrotate_t var_t:dir { read write add_name remove_name };
allow logrotate_t var_t:file { rename setattr read create getattr write ioctl unlink open };

The Puppet module selinux will automatically compile and install SELinux modules when the .te files are supplied. It is best to keep the .te files in the Puppet file directory for documentation purposes.

Otherwise, the .te file must be converted into a binary format (.mod), which is then compiled into the final policy file (.pp). If you don't like keeping intermediates around, these two steps can be chained, but be aware that the file name must match the module name defined in the module file. So, with the line:

module logrotatepol 1.0;

You must call the file logrotatepol.te, and execute:

# checkmodule -M -m -o - logrotatepol.te | semodule_package -o logrotatepol.pp -m -

To produce the packaged policy file.

Then all that is required is:

# semodule -i logrotatepol.pp

To inject it.
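
The two manual checks described above (reviewing what audit2allow generated, and keeping the file name equal to the module name) can be scripted before building. The following is an added example, not part of the original page: the function names, the BROAD_TYPES and MODIFYING lists and the extra var_log_t rule in the sample are assumptions made for illustration.

```shell
# Added example: review a .te file before building it. Not from the original page.
# BROAD_TYPES and MODIFYING are assumptions chosen for illustration; tune them.
BROAD_TYPES="var_t usr_t etc_t tmp_t"
MODIFYING="write create unlink rename setattr append add_name remove_name"

# Print the name declared on the "module NAME VERSION;" line.
te_module_name() {
    awk '$1 == "module" { print $2; exit }' "$1"
}

# Succeed only if the file is named <module>.te (the naming rule described above).
te_name_matches() {
    [ "$(basename "$1" .te)" = "$(te_module_name "$1")" ]
}

# List single-line allow rules that grant modifying permissions on a broad
# target type, printed as "source -> target:class: perms".
te_broad_rules() {
    awk -v broad="$BROAD_TYPES" -v mod="$MODIFYING" '
        BEGIN { n = split(broad, b, " "); for (i = 1; i <= n; i++) is_broad[b[i]] = 1
                n = split(mod, m, " ");   for (i = 1; i <= n; i++) is_mod[m[i]] = 1 }
        $1 == "allow" {
            split($3, tc, ":")                 # $3 is "target_type:class"
            if (!(tc[1] in is_broad)) next
            hits = ""
            for (i = 4; i <= NF; i++) {
                p = $i; gsub(/[{};]/, "", p)   # strip set braces and semicolon
                if (p in is_mod) hits = hits " " p
            }
            if (hits != "") print $2 " -> " $3 ":" hits
        }' "$1"
}

# Constructed sample: the logrotatepol rules from this page, plus one narrow rule.
write_sample_te() {
    cat > "$1" <<'EOF'
module logrotatepol 1.0;
require {
    type var_t;
    type var_log_t;
    type logrotate_t;
    class file { rename setattr read create ioctl write getattr unlink open };
    class dir { read write add_name remove_name };
}
allow logrotate_t var_t:dir { read write add_name remove_name };
allow logrotate_t var_t:file { rename setattr read create getattr write ioctl unlink open };
allow logrotate_t var_log_t:file { read getattr open };
EOF
}
```

Run te_name_matches and te_broad_rules on the .te file before checkmodule; any line printed by te_broad_rules is a rule to reconsider, for example by targeting a narrower type.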