danwalsh


Dan Walsh's Blog

Got SELinux?


New Security Feature in Fedora 18 Part 8: Introducing sepolicy generate
sepolgen

sepolgen is the tool that I recommend people use to start generating policy. We have decided to merge this tool into the sepolicy suite.

sepolicy generate

man sepolicy-generate

sepolicy-generate(8)                                                                                                                                            sepolicy-generate(8)

NAME
       sepolicy-generate - Generate an initial SELinux policy module template.

SYNOPSIS
       sepolicy generate [-h] [-t TYPE] [-n NAME] [-T TEST] [ command | confineduser ]

DESCRIPTION
       Use sepolicy generate to generate an SELinux policy Module.  sepolicy generate will generate 4 files.

       Type Enforcing File NAME.te
       This file can be used to define all the types rules for a particular domain.

       Interface File NAME.if
       This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.

       File Context NAME.fc
       This  file defines the default file context for the system, it takes the file types created in the te file and associates file paths to the types.  Tools like restorecon and RPM will use these paths to put down labels.

       RPM Spec File NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labelling. The spec file also installs the interface file  and  a  man page describing the policy.  You can use sepolicy manpage -d NAME to generate the man page.

       Shell File NAME.sh
       This  is a helper shell script to compile, install and fix the labelling on your test system.  It will also generate a man page based on the installed policy, and compile and
       build an RPM suitable to be installed on other machines

       If a generate is possible, this tool will print out all generate paths from the source domain to the target domain

OPTIONS
       -h, --help
              Display help message

       -t, --type
              Specify the type of policy you want to create.
              Valid Options:
              0 : Standard Init Daemon (Default)
              1 : DBUS System Daemon
              2 : Internet Services Daemon
              3 : Web Application/Script (CGI)
              4 : User Application
              5 : Sandbox
              6 : Minimal Terminal User Role
              7 : Minimal X Windows User Role
              8 : User Role
              9 : Admin User Role
              10 : Root Admin User Role
       -n, --name
              Specify alternate name of policy. The policy will default to the executable or name specified.

EXAMPLE
       sepolicy generate /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files in:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script


sepolicy generate has some nice new features over sepolgen.
  1. sepolicy generate does not need to be run as root.
  2. sepolicy generate now generates an RPM spec file. This spec file can be used to build an RPM package that will install the policy package file (pp) and interface file (if) in the correct location, install the policy into the kernel and fix the labelling.
  3. The setup script generated by sepolicy continues to install the policy and set up the labelling, and also generates a man page based on the installed policy using sepolicy manpage. Finally, it compiles and builds the policy and man page into an RPM ready to be installed on other machines.
selinux-polgengui no longer needs to be run as root either, since it uses the sepolicy generate python bindings to generate the policy files. The sepolgen command will now just execute sepolicy generate as a shell script.
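
The man page above says NAME.fc takes the file types created in NAME.te and associates paths with them, so a useful check before building is that every type named in the .fc is actually declared in the .te. The following is an added example, not part of the original post or of sepolicy; the sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample of a NAME.te file (not real sepolicy generate output).
SAMPLE_TE = """\
policy_module(rwhod, 1.0.0)
type rwhod_t;
type rwhod_exec_t;
init_daemon_domain(rwhod_t, rwhod_exec_t)
type rwhod_log_t;
logging_log_file(rwhod_log_t)
"""

# Constructed sample of a NAME.fc file; the last entry names a type that
# the .te above never declares.
SAMPLE_FC = """\
/usr/sbin/rwhod          --  gen_context(system_u:object_r:rwhod_exec_t,s0)
/var/log/rwhod(/.*)?         gen_context(system_u:object_r:rwhod_log_t,s0)
/var/spool/rwho(/.*)?        gen_context(system_u:object_r:rwhod_spool_t,s0)
"""

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)", re.M)
# path regex, optional file kind (-- regular, -d directory, ...), gen_context()
FC_ENTRY = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<kind>-[-dbcslp])\s+)?"
    r"gen_context\(\s*[^:\s]+:[^:\s]+:(?P<type>\w+)\s*(?:,[^)]*)?\)$"
)

def declared_types(te_text):
    """Return the set of types declared by 'type NAME ...' statements."""
    return set(TYPE_DECL.findall(re.sub(r"#.*", "", te_text)))

def parse_fc(fc_text):
    """Return (path_regex, file_kind, type) for every gen_context entry."""
    entries = []
    for lineno, raw in enumerate(fc_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_ENTRY.match(line)
        if m is None:  # fail closed: never silently skip a labelling rule
            raise ValueError(f"line {lineno}: unparsed entry: {line!r}")
        entries.append((m["path"], m["kind"], m["type"]))
    return entries

def undeclared_fc_types(te_text, fc_text):
    """List (path, type) pairs whose type this module's .te does not declare.
    A hit is either a typo or a type owned by another module: review it."""
    known = declared_types(te_text)
    return [(p, t) for p, _k, t in parse_fc(fc_text) if t not in known]

if __name__ == "__main__":
    for path, setype in undeclared_fc_types(SAMPLE_TE, SAMPLE_FC):
        print(f"{path}: {setype} is not declared in the .te file")
```

To use it on real output, read the generated NAME.te and NAME.fc into strings and pass them to `undeclared_fc_types` before running the setup script.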

It's a nice tool and makes it easy to customise one's policies. However, there is a minor issue: the generated shell script that compiles the policy module and then packages it into an RPM package has a block of code that demands root powers. It's kind of strange to see such a block in a tool designed to support a system that avoids going superuser as much as possible. Moreover, there is no reason to require root: the module can be compiled as a non-privileged account and rpmbuild is supposed to be executed under non-root also.
