danwalsh


Dan Walsh's Blog

Got SELinux?


Writing SELinux policy just got easier.
danwalsh
Fedora 12 adds a command line interface to polgengui.

I wrote up polgengui a couple of years ago to make writing SELinux policy a little easier. polgengui is a template-based policy framework that asks the user a few questions and then generates initial policy files to allow the policy writer to get started.

Polgengui is not a policy editor; slide is available for that.

polgengui asks questions like:

What is the name of the application? What kind of application is it? What files/directories does your app need write access to? Does your app use syslog? Etc.

polgengui takes these answers and applies templates from /usr/share/system-config-selinux/templates to generate policy. These templates write policy that generates the types necessary to use with SELinux, and the common rules for interaction with these types. These templates allow you to write policy that can easily be massaged into something acceptable to upstream.

When I start writing policy, I usually don't know that much about how the application runs or what files/directories it needs to write. I install the tool and run rpm -ql package on it to see what directories the package maintainer includes with the tool. I run the tool and look for files it created, for example in /var/run if it is a daemon, or in /tmp. If the package has a directory like /var/run/package or /var/lib/package, I add these directories as writing directories. Similarly, if the rpm includes an initscript, I add that to the policy. I also use tools like nm to see which functions the application calls. I look for common functions like syslog, and then I know to check the syslog button.

Being lazy, I did not like all the button clicking; I figured I could script all of this. So I have added sepolgen to Fedora 12.

It is simply a command line tool used to generate the same policy as polgengui, but the policy writer does not need to answer any questions.

sepolgen /usr/sbin/mydaemon

Sepolgen does the following:
  • rpm -qlf /usr/sbin/mydaemon
    • sepolgen scans for paths like /var/lib, /var/run, /etc/init.d/rc.d/mydaemon and selects the appropriate templates.
  • nm -D /usr/sbin/mydaemon
    • sepolgen scans for syslog, setuid, setgid, ... and adds the appropriate access.
  • generate 4 files
    • mydaemon.te                       # All types and allow rules discovered for this daemon
    • mydaemon.if                        # Interfaces to be used with the types generated for this daemon
    • mydaemon.fc                       # File context mapping between types and paths on disk 
    • mydaemon.sh                      # Helper shell script used to compile/install policy and then label the paths correctly
The policy writer then only needs to execute mydaemon.sh; the policy will be compiled and installed, and the daemon will be ready for testing.

begin:
service mydaemon start
run tests against mydaemon
check for AVCs
if none
    break
audit2allow -R >> mydaemon.te
Verify the policy is good or fix it.                # This is the hard part :^(
./mydaemon.sh
goto begin
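
One way to do the "check for AVCs" step of the loop above so that the denials can be reviewed before audit2allow -R output is appended to mydaemon.te (an added example, not part of the original post or of sepolgen). It assumes the generated domain type is named mydaemon_t and that records are in the usual audit.log text format; the sample records are constructed.

```shell
#!/bin/sh
# Added example: group AVC denials for one domain so they can be reviewed
# before "audit2allow -R >> mydaemon.te". Not part of sepolgen.

# Usage: summarize_avcs DOMAIN_TYPE < audit-log-text
# Prints "COUNT target_type:class { perms }" for each distinct denial.
summarize_avcs() {
    awk -v dom="$1" '
    /avc: +denied/ {
        perms = ""; stype = ""; ttype = ""; tclass = ""
        # The denied permissions sit between the first "{" and "}".
        o = index($0, "{"); e = index($0, "}")
        if (o && e > o) perms = substr($0, o + 1, e - o - 1)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is part 3.
            if ($i ~ /^scontext=/) { split($i, p, ":"); stype = p[3] }
            else if ($i ~ /^tcontext=/) { split($i, p, ":"); ttype = p[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        # Keep only complete records whose source domain is the one asked for.
        if (stype != dom || ttype == "" || tclass == "") next
        count[ttype ":" tclass " { " perms " }"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -k2
}

# Constructed sample audit records (not captured from a real system).
# mydaemon_t is an assumed type name for the generated domain.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1254000001.101:201): avc:  denied  { write } for  pid=1234 comm="mydaemon" name="mydaemon.pid" dev=dm-0 ino=4001 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1254000001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="mydaemon" exe="/usr/sbin/mydaemon"
type=AVC msg=audit(1254000002.202:202): avc:  denied  { write } for  pid=1234 comm="mydaemon" name="mydaemon.pid" dev=dm-0 ino=4001 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1254000003.303:203): avc:  denied  { read open } for  pid=1234 comm="mydaemon" name="shadow" dev=dm-0 ino=4002 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1254000004.404:204): avc:  denied  { append } for  pid=2222 comm="httpd" name="error_log" dev=dm-0 ino=4003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

sample_log | summarize_avcs mydaemon_t
```

On a real system, feed it the audit log instead of the sample, for example `summarize_avcs mydaemon_t < /var/log/audit/audit.log`.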

Try it out.


Re: How to get sepolgen on CentOS 5?

danwalsh

2013-05-09 06:05 pm (UTC)

Well sadly you can't. It was first built for RHEL 6. You could use it to build a policy framework on RHEL 6 and then attempt to compile the policy on RHEL5. It would probably work with minor adjustments.

Re: How to get sepolgen on CentOS 5?

Artem Blagodarenko

2013-09-27 10:54 am (UTC)

Thanks for this software. Dan, where can I find sepolgen for RHEL6? I can't find rpm for this OS.

Re: How to get sepolgen on CentOS 5?

danwalsh

2013-09-27 12:50 pm (UTC)

Does not exist on RHEL5 or CentOS 5.

