danwalsh (danwalsh) wrote,


I am working on preparing a course on Writing Policy with SELinux for the Red Hat Summit.  I gave the first version of the talk at FUDCon 2011 in Tempe.  I noticed that selinux-polgengui was starting to look a little old.  This is the tool I advise people to use to start writing policy: it generates a set of policy files for you based on your answers to a series of questions.  Once you have your initial policy, you can use audit2allow or SLIDE to continue developing it.

Anyway, here is what the latest tool looks like in Fedora 15.  I will demonstrate writing a policy for sandbox; I decided to write policy to run Thunderbird within a sandbox.

# selinux-polgengui

Select Sandbox and hit Forward.

You need to name the policy; in this case I called it sandbox_mail.  Click Forward.

Since the sandbox_mail app will not be binding to any network ports, I click Forward again.

I add ports 25, 143 and 993 as ports the sandbox will be allowed to connect to.  Forward.

I decide I want to create a boolean called sandbox_mail_connect_all, with the goal of allowing the domain to connect to the entire network.

Click Forward.

I tell the tool to create the policy files in the /tmp directory and click Apply.

The selinux-polgengui tool creates the policy files and a script to install them.

Now execute the sandbox_mail.sh install script:

# sh sandbox_mail.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted sandbox_mail module
/usr/bin/checkmodule:  loading policy configuration from tmp/sandbox_mail.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/sandbox_mail.mod
Creating targeted sandbox_mail.pp policy package
rm tmp/sandbox_mail.mod tmp/sandbox_mail.mod.fc
+ /usr/sbin/semodule -i sandbox_mail.pp

Now you can test your policy in a different terminal:

> sandbox -X -t sandbox_mail_t thunderbird

Thunderbird should run fine, since selinux-polgengui defines the SELinux types as permissive.  You will probably want to use a permanent home and tmp directory, since you will need to configure Thunderbird.

After running some tests with Thunderbird, you can use the audit2allow tool to generate more rules for your sandbox_mail sandbox:

# grep sandbox_mail_t /var/log/audit/audit.log | audit2allow -R >> sandbox_mail.te

Examine the generated rules to see if they make sense, then rebuild and reload the policy:

# sh sandbox_mail.sh

Try the sandbox again and see if you eliminated all of the AVCs.  When you are satisfied that the policy works the way you want, you can remove the permissive lines from the .te file.
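The step that matters most in the loop above is "examine the generated rules", because audit2allow will happily turn every denial into an allow rule, including the ones the sandbox exists to produce.  As an added example (not part of the original post or of selinux-polgengui), here is a small Python review pass over AVC records for the sandbox_mail_t domain: it parses the denials, collapses them into the allow rules audit2allow would propose, and sorts each one into "allow", "gate behind the sandbox_mail_connect_all boolean" (a connect to a port outside the 25/143/993 set entered in the GUI) or "reject" (a denial against a type the mail client should never reach).  The audit records, the SENSITIVE_TYPES list and the review verdicts are constructed for this example; the type names used are the usual reference-policy names.

```python
"""Review AVC denials for a sandbox domain before appending them to the .te file.

Added example, not from the original post.  The audit records below are
constructed; pop_port_t, cert_t, http_cache_port_t and shadow_t are the usual
reference-policy type names, but these particular denials never happened.
"""
import re
from collections import defaultdict

DOMAIN = "sandbox_mail_t"
BOOLEAN = "sandbox_mail_connect_all"
ALLOWED_PORTS = {25, 143, 993}          # the ports entered in selinux-polgengui
# Types a mail sandbox has no business touching.  A denial here is the sandbox
# doing its job, not a policy gap to fix.  Hypothetical review list.
SENSITIVE_TYPES = {"shadow_t", "security_t", "selinux_config_t"}

# Constructed sample records in audit.log format (not from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000000.101:201): avc:  denied  { name_connect } for  pid=4242 comm="thunderbird" dest=993 scontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c12,c34 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.102:202): avc:  denied  { read open } for  pid=4242 comm="thunderbird" path="/etc/pki/tls/cert.pem" dev=sda1 ino=1234 scontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c12,c34 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1300000000.103:203): avc:  denied  { name_connect } for  pid=4242 comm="thunderbird" dest=8080 scontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c12,c34 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.104:204): avc:  denied  { write } for  pid=4242 comm="thunderbird" name="shadow" dev=sda1 ino=99 scontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c12,c34 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1300000000.105:205): avc:  denied  { read } for  pid=5000 comm="firefox" name="bookmarks" dev=sda1 ino=77 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c5,c6 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c5,c6 tclass=file
"""

# One AVC record: the permission set, the free-form "for ..." fields, and the
# source/target contexts plus object class that an allow rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:mls] -> type"""
    return ctx.split(":")[2]


def parse_avcs(log_text):
    """Return one dict per AVC denial found in the text."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": fields.get("comm", "").strip('"'),
            "dest": int(fields["dest"]) if "dest" in fields else None,
        })
    return records


def summarize_denials(log_text, domain=DOMAIN):
    """Collapse every denial for one source domain into {(target type, class): perms}."""
    summary = defaultdict(set)
    for r in parse_avcs(log_text):
        if r["stype"] == domain:
            summary[(r["ttype"], r["tclass"])] |= r["perms"]
    return dict(summary)


def rule_for(domain, ttype, tclass, perms):
    """Format an allow rule the way audit2allow prints it (braces only for >1 perm)."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {domain} {ttype}:{tclass} {body};"


def proposed_rules(log_text, domain=DOMAIN):
    """The plain allow rules audit2allow (without -R interface lookup) would emit."""
    return [rule_for(domain, t, c, p)
            for (t, c), p in sorted(summarize_denials(log_text, domain).items())]


def review(log_text, domain=DOMAIN, allowed_ports=ALLOWED_PORTS, sensitive=SENSITIVE_TYPES):
    """Attach a verdict to each denial so nothing is appended to the .te file unread."""
    findings = []
    for r in parse_avcs(log_text):
        if r["stype"] != domain:
            continue
        rule = rule_for(domain, r["ttype"], r["tclass"], r["perms"])
        if r["ttype"] in sensitive:
            verdict, why = "reject", f"{r['comm']} touched {r['ttype']}; keep this denied"
        elif r["tclass"] == "tcp_socket" and r["dest"] is not None and r["dest"] not in allowed_ports:
            verdict, why = "boolean", f"port {r['dest']} is not a mail port; gate it behind {BOOLEAN}"
        else:
            verdict, why = "allow", "consistent with what a mail client needs"
        findings.append({"rule": rule, "verdict": verdict, "reason": why})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_AUDIT_LOG):
        print(f"[{f['verdict']:7}] {f['rule']}  # {f['reason']}")
```

Run it against a real log with `review(open("/var/log/audit/audit.log").read())` in place of the sample text.  The "reject" and "boolean" lines are exactly the ones a blind `audit2allow -R >> sandbox_mail.te` would have turned into unconditional allows; the "boolean" ones belong inside the `if (sandbox_mail_connect_all)` block the GUI generated rather than next to the fixed mail-port rules.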

Please send me any ideas for improving the GUI.
