Gentoo Forums
[HowTo] Creating SELinux policies for lazy people
Author: dad0n
Posted: Fri Dec 25, 2009 6:55 pm

WARNING: Using SELinux without knowing what you are doing may render your system inoperable. So please do yourself a big favor and test everything on a non-production system.

I assume that you already have SELinux up and running. There is plenty of good documentation out there on how to get that far. This How To just explains how you can easily use SELinux in the so-called "strict mode". This means that every operation is forbidden by default; you have to allow everything through policies. I will show you how to create such policies quite fast. I think this isn't the way it was meant to be used, but for me it worked perfectly. So let's start.

Step 1: Running SELinux in permissive mode
Running SELinux in this mode lets your system work normally. No action will be forbidden by SELinux, but policy violations will be logged in several places. We will use these logs later to create our policies.

To check whether SELinux is already running in permissive mode, type this command:

Code:
getenforce


This should reply with:

Code:
Permissive


If this is the case you can jump to Step 2. If it is not, you have to edit
Code:
/etc/selinux/config

and edit this section to look like this:
Code:
SELINUX=permissive


If you had to change your config, make sure to restart your system so that the change takes effect.

After the reboot, getenforce should print Permissive.


Step 2: Let your SELinux learn!

Now you have to let SELinux learn how your system behaves in different situations. The machine on which I installed SELinux was planned to become an FTP server soon. So I connected to it with Filezilla and tested everything I expected my users to do: I created directories, renamed them, etc. Every action you perform, like renaming, is logged in the background by SELinux as a policy violation. Like I said before, we will use these violations later to create our policies. This step took me about one week. But be careful! If an attacker breaks into your system through an exploit during this period, we would later permit those actions as well! So be sure to check your /var/log/messages etc. for suspicious entries.

Step 3: Creating our policies

Now we are ready to create our first policy. Policies tell SELinux which actions should be allowed. We will use the tool audit2allow to create our policies. Like I said, SELinux logs everything that happens in several places. In my case SELinux didn't save these messages in any logfile. So I had to grab everything directly from dmesg. This is done with the following command:

Code:
audit2allow -d -l >> ~/a2a


This creates a file called a2a in your home directory. This file can be viewed or edited with an editor like vi or nano.

Code:
nano ~/a2a


Now you will see several entries which look like this one. We will create a policy for dmesg. Creating rules for other daemons or tools isn't any harder :-)


Code:
#============= dmesg_t ==============

allow dmesg_t etc_t:file { read getattr };
allow dmesg_t file_t:file { write getattr };


I personally preferred to create a directory under / called selinux-policies. For every daemon or tool I created a subfolder called, for example, "dmesg_t". This will help you later not to get confused. Just copy/paste the section above into a file called dmesg_t.te in the directory dmesg_t you just created, and add the header shown here. Note that every type used in the allow rules (including etc_t) must be listed in the require block, or the policy will not compile. I'm sure you now see what a policy looks like. Here you go:

Code:
policy_module(dmesg,1.0.0)

require {
type dmesg_t;
type etc_t;
type file_t;
}

#============= dmesg_t ==============
allow dmesg_t etc_t:file { read getattr };
allow dmesg_t file_t:file { write getattr };


Now I will explain the most important parts to you.

dmesg
This is the name of your new policy. You should give it a meaningful name to make administration easier.

1.0.0
This is the version of your policy. Every time I change something in my policy I increase the number by 1 (for example 1.0.1).

Code:
require {
type dmesg_t;
type etc_t;
type file_t;
}


In this section you tell SELinux which types are used in this policy. It's not that hard to figure out which types are used. Just look down at the "#========" section. There you see, for example, dmesg_t, etc_t and file_t. Guess what... These are your types :-)

Code:
#============= dmesg_t ==============
allow dmesg_t etc_t:file { read getattr };
allow dmesg_t file_t:file { write getattr };


This is your actual policy. Here you tell SELinux that it has to allow a process running with the type dmesg_t to read, or get the attributes (getattr) of, files of the type etc_t. Most files in /etc are of this type.

Congratulations! You just created your first SELinux policy! Save it. Now it is time to compile it so that SELinux can use it.

Step 4: Compiling your policy

I assume that you are in the dmesg_t directory we created earlier in this How To, where your dmesg_t.te should be located. So let's compile it with the following command:

Code:
make -f /usr/share/selinux/strict/include/Makefile


If everything worked well, there should now be a file called "dmesg.pp" in this directory. If the compiler threw some errors, just read them: mostly you just forgot a ";" or something like that. Now we can load our newly created policy with this command:

Code:
semodule -i dmesg.pp


Repeat Steps 3 and 4 for every section in the a2a file we created.
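To make Steps 3 and 4 less error-prone, here is an added example (my own script, not part of the original post) that turns one audit2allow section into a complete .te file. Instead of typing the require block by hand, it collects the types from the allow rules themselves, so a type that was only used as a target (etc_t in the dmesg example) cannot be forgotten. The function name gen_te and the sample section are my own choices; the sample is constructed to look like audit2allow -d -l output.

```shell
#!/bin/sh
# Added example, not from the original post: build a complete .te module
# from an audit2allow section (one "#==== foo_t ====" block from ~/a2a).
# The require block is derived from the types that actually appear in the
# allow rules, so none can be left out.
#
# Usage: gen_te MODULE VERSION < section.txt > MODULE.te

gen_te() {
    awk -v mod="$1" -v ver="$2" '
        # allow SRC TGT:CLASS { perms };  -> remember SRC and TGT
        /^[[:space:]]*allow[[:space:]]/ {
            src = $2
            split($3, parts, ":")
            tgt = parts[1]
            if (!(src in seen)) { seen[src] = 1; order[++n] = src }
            # "self" is a keyword, not a type, so it needs no require entry
            if (tgt != "self" && !(tgt in seen)) { seen[tgt] = 1; order[++n] = tgt }
            body[++r] = $0
        }
        # keep the audit2allow section headers as comments
        /^[[:space:]]*#/ { body[++r] = $0 }
        END {
            printf "policy_module(%s, %s)\n\n", mod, ver
            print "require {"
            for (i = 1; i <= n; i++) printf "\ttype %s;\n", order[i]
            print "}\n"
            for (i = 1; i <= r; i++) print body[i]
        }'
}

# Constructed sample section in the shape that audit2allow -d -l prints.
sample='#============= dmesg_t ==============
allow dmesg_t etc_t:file { read getattr };
allow dmesg_t file_t:file { write getattr };'

# Produce the module source the way Step 3 describes; redirect to dmesg.te
# and continue with Step 4 (make / semodule -i).
printf '%s\n' "$sample" | gen_te dmesg 1.0.0
```

Read the generated rules before you compile and load them: audit2allow writes down whatever happened during the learning phase, so a rule like the write access to file_t above (file_t is the type of files that carry no label at all) is worth a second look before it becomes part of your enforced policy.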

Step 5: Test everything

Now that you have compiled all of your policies, it is time for the ultimate test. We will now put SELinux into enforcing mode. This means that everything which wasn't allowed is no longer just logged but really forbidden. THIS MAY TEMPORARILY RENDER YOUR SYSTEM INOPERABLE!
To switch SELinux to enforcing mode, just type:

Code:
setenforce 1


Step 6: Troubleshooting

Hopefully everything will still work. If not, don't get frustrated; you can still switch back to permissive mode.
To do this we first have to switch our role to sysadm_r:

Code:
newrole -r sysadm_r


You will now be asked for your root password. After that you can either unload one of your policies or switch back to permissive mode completely.

Remove a policy:

Code:
semodule -r dmesg


This removes the policy named "dmesg" from SELinux.

Switch back to permissive mode:

Code:
setenforce 0


If neither of these helps, you will have to reboot your system. You may have to power the machine off and on again to do so, because it is possible that rebooting is not allowed yet.

I hope this guide helped you. I can't stress enough that you must not test all this on a production system! The author of this How To cannot be held responsible for malfunction of your system. You do everything at your own risk!

If you are looking for a German version of this How To, visit my blog at

http://dad0n.blogspot.com/