I wrote up polgengui a couple of years ago to make writing SELinux policy a little easier. polgengui is a template-based policy framework that asks the user a few questions and then generates initial policy files to let the policy writer get started.
Polgengui is not a policy editor; slide is available for that.
polgengui asks questions like:
What is the name of the application? What kind of application is it? What files/directories does your app need write access to? Does your app use syslog? Etc.
polgengui takes these answers and applies templates from /usr/share/system-config-selinux/templat
When I start writing policy, usually I don't know that much about how the application runs or what files/directories it needs to write. I install the tool and run rpm -ql package on it to see what directories the package maintainer includes with the tool. I run the tool and look for files it created, for example in /var/run if it is a daemon, or in /tmp. If the package has a directory like /var/run/package or /var/lib/package, I add these directories as writable directories. Similarly, if the rpm includes an initscript, I add that to the policy. I also use tools like nm to see which functions the application calls. I look for common functions like syslog, and then I know to check the syslog button.
Being lazy, I did not like all the button clicking, and I figured I could script all of this. So I have added sepolgen to Fedora 12.
It is simply a command line tool used to generate the same policy as polgengui, but the policy writer does not need to answer any questions.
sepolgen /usr/sbin/mydaemon
Sepolgen does the following:
- rpm -qlf /usr/sbin/mydaemon
- sepolgen scans for paths like /var/lib, /var/run, /etc/init.d/rc.d/mydaemon and selects the appropriate templates.
- nm -D /usr/sbin/mydaemon
- sepolgen scans for syslog, setuid, setgid, ... and adds the appropriate access.
- generate 4 files
    - mydaemon.te # All types and allow rules discovered for this daemon
    - mydaemon.if # Interfaces to be used with the types generated for this daemon
    - mydaemon.fc # File context mapping between types and paths on disk
    - mydaemon.sh # Helper shell script used to compile/install policy and then label the paths correctly
begin:
    service mydaemon start
    run tests against mydaemon
    check for avc's
    if None
        break;
    audit2allow -R >> mydaemon.te
    Verify the policy is good or fix it. # This is the hard part :^(
    ./mydaemon.sh
    goto begin
Try it out.
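Here is the start/test/audit2allow/rebuild loop above written out as a shell script. This is an added example, not part of the original post or of sepolgen itself; it assumes the sepolgen output for mydaemon sits in the current directory, that the generated domain is mydaemon_t, that the daemon's test suite is run by $TEST_CMD, and that ausearch and audit2allow are installed. The denials are harvested per round with ausearch, appended as reference-policy rules, and the loop stops for a human review before each rebuild, since that is the part that cannot be scripted.

```shell
#!/bin/sh
# Scripted form of the start/test/audit2allow/rebuild loop.
# Assumptions (mine, not from the post): sepolgen output for $DAEMON is in
# the current directory, the generated domain is ${DAEMON}_t, the test suite
# is run by $TEST_CMD, and ausearch/audit2allow are installed.
set -u

DAEMON=${DAEMON:-mydaemon}
DOMAIN=${DOMAIN:-${DAEMON}_t}
TEST_CMD=${TEST_CMD:-"make check"}
MAX_ROUNDS=${MAX_ROUNDS:-5}

# Count AVC denials whose source context is the given domain. Reads raw
# audit records on stdin, so it works on live ausearch output or a saved sample.
count_avcs_for_domain() {
    grep -c "type=AVC .*denied .*scontext=[^ ]*:$1:" || true
}

# Raw AVC records produced by this daemon since the given clock time.
harvest_avcs() {
    ausearch -m avc -ts "$1" -c "$DAEMON" --raw 2>/dev/null || true
}

iterate_policy() {
    round=1
    while [ "$round" -le "$MAX_ROUNDS" ]; do
        start=$(date +%H:%M:%S)
        service "$DAEMON" start
        sh -c "$TEST_CMD"
        avcs=$(harvest_avcs "$start")
        if [ "$(printf '%s\n' "$avcs" | count_avcs_for_domain "$DOMAIN")" -eq 0 ]; then
            echo "round $round: no denials for $DOMAIN, policy covers the tests"
            return 0
        fi
        # Turn the denials into reference-policy rules, append them to the .te,
        # then stop for the hard part: a human reviews what was added.
        printf '%s\n' "$avcs" | audit2allow -R >> "$DAEMON.te"
        printf 'Review %s.te, then press Enter to rebuild and relabel: ' "$DAEMON"
        read -r _
        ./"$DAEMON.sh"
        round=$((round + 1))
    done
    echo "still seeing denials after $MAX_ROUNDS rounds; inspect $DAEMON.te by hand" >&2
    return 1
}

# Only run the loop when invoked as: sh iterate.sh run
case "${1:-}" in
    run) iterate_policy ;;
esac
```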