danwalsh (danwalsh) wrote,

Writing SELinux policy just got easier.

Fedora 12 adds a command line interface to polgengui.

I wrote up polgengui a couple of years ago to make writing SELinux policy a little easier. polgengui is a template-based policy framework that asks the user a few questions and then generates initial policy files so the policy writer has something to start from.

Polgengui is not a policy editor; SLIDE is available for that.

polgengui asks questions like:

What is the name of the application? What kind of application is it? Which files/directories does your app need write access to? Does your app use syslog? Etc.

polgengui takes these answers and applies templates from /usr/share/system-config-selinux/templates to generate policy. The templates generate the types the application needs under SELinux, together with the common rules governing interaction with those types. Policy written from these templates can easily be massaged into something acceptable to upstream.

When I start writing policy, usually I don't know that much about how the application runs or which files/directories it needs to write. I install the tool and run rpm -ql package on it to see what directories the package maintainer ships with the tool. I run the tool and look for files it creates, for example in /var/run if it is a daemon, or in /tmp. If the package has a directory like /var/run/package or /var/lib/package, I add those directories as writable directories. Similarly, if the rpm includes an initscript, I add that to the policy. I also use tools like nm to see which functions the application calls; if I see common functions like syslog, I know to check the syslog button.

Being lazy, I did not like all the button clicking and figured I could script all of this. So I have added sepolgen to Fedora 12.

It is simply a command line tool used to generate the same policy as polgengui, but the policy writer does not need to answer any questions.

sepolgen /usr/sbin/mydaemon

Sepolgen does the following:
  • rpm -qlf /usr/sbin/mydaemon
    • sepolgen scans for paths like /var/lib, /var/run, /etc/init.d/rc.d/mydaemon and selects the appropriate templates.
  • nm -D /usr/sbin/mydaemon
    • sepolgen scans for syslog, setuid, setgid, ... and adds the appropriate access.
  • generate 4 files
    • mydaemon.te                       # All types and allow rules discovered for this daemon
    • mydaemon.if                        # Interfaces to be used with the types generated for this daemon
    • mydaemon.fc                       # File context mapping between types and paths on disk 
    • mydaemon.sh                      # Helper shell script used to compile/install policy and then label the paths correctly
The policy writer then only needs to execute mydaemon.sh; the policy will be compiled and installed and the daemon will be ready to start testing.
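The path and symbol scans listed above, as an added example that is not sepolgen's own code: a small POSIX shell sketch that applies the same heuristics to constructed rpm -qlf and nm -D output and turns the hits into the kind of .te lines the templates would add. The tag names, the helper functions and the exact rules emitted are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers mirroring sepolgen's two scans (not the real tool).

# classify_paths: rpm -qlf output on stdin -> "<tag> <path>" for paths
# the templates care about (writable dirs and the initscript).
classify_paths() {
    while IFS= read -r path; do
        case "$path" in
            /var/lib/*) printf 'var_lib %s\n' "$path" ;;
            /var/run/*) printf 'var_run %s\n' "$path" ;;
            /etc/rc.d/init.d/*|/etc/init.d/*) printf 'initscript %s\n' "$path" ;;
        esac
    done
}

# classify_symbols: nm -D output on stdin -> one tag per interesting
# imported (undefined, "U") function, e.g. syslog@@GLIBC_2.2.5 -> syslog.
classify_symbols() {
    while IFS= read -r line; do
        case "$line" in *' U '*) ;; *) continue ;; esac
        sym=${line##* }          # last field is the symbol name
        sym=${sym%%@*}           # drop the glibc version suffix
        case "$sym" in
            syslog|vsyslog|openlog)   echo syslog ;;
            setuid|seteuid|setresuid) echo setuid ;;
            setgid|setegid|setresgid) echo setgid ;;
        esac
    done | sort -u
}

# emit_te: tags on stdin, domain prefix in $1 -> illustrative .te lines
# (refpolicy interface and capability rules the template would add).
emit_te() {
    while read -r tag _; do
        case "$tag" in
            syslog) printf 'logging_send_syslog_msg(%s_t)\n' "$1" ;;
            setuid) printf 'allow %s_t self:capability setuid;\n' "$1" ;;
            setgid) printf 'allow %s_t self:capability setgid;\n' "$1" ;;
        esac
    done
}

# Constructed sample input standing in for the real rpm -qlf / nm -D output.
printf '/usr/sbin/mydaemon\n/var/lib/mydaemon\n/var/run/mydaemon.pid\n/etc/rc.d/init.d/mydaemon\n' | classify_paths
printf '                 U syslog@@GLIBC_2.2.5\n                 U setuid@@GLIBC_2.2.5\n0000000000001234 T main\n' | classify_symbols | emit_te mydaemon
```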

service mydaemon start
run tests against mydaemon
check for avc's
if None
audit2allow -R >> mydaemon.te
Verify the policy is good or fix it.                # This is the hard part :^(
goto begin

Try it out.
