4. Creating a Desktop Application Policy | SELinux Cookbook

Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

SELinux Cookbook

By : Sven Vermeulen

4.3 (7)

SELinux Cookbook

4.3 (7)

By: Sven Vermeulen

Overview of this book

If you are a Linux system administrator or a Linux-based service administrator and want to fine-tune SELinux to implement a supported, mature, and proven access control system, then this book is for you. Basic experience with SELinux enabled distributions is expected.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Free Chapter

1. The SELinux Development Environment

1. The SELinux Development Environment

Introduction

Creating the development environment

Building a simple SELinux module

Calling refpolicy interfaces

Creating our own interface

Using the refpolicy naming convention

Distributing SELinux policy modules

2. Dealing with File Labels

2. Dealing with File Labels

Introduction

Defining file contexts through patterns

Using substitution definitions

Enhancing an SELinux policy with file transitions

Setting resource-sensitivity labels

Configuring sensitivity categories

3. Confining Web Applications

3. Confining Web Applications

Introduction

Listing conditional policy support

Enabling user directory support

Assigning web content types

Using different web server ports

Using custom content types

Creating a custom CGI domain

Setting up mod_selinux

Starting Apache with limited clearance

Mapping HTTP users to contexts

Using source address mapping to decide on contexts

Separating virtual hosts with mod_selinux

4. Creating a Desktop Application Policy

4. Creating a Desktop Application Policy

Introduction

Researching the application's logical design

Creating a skeleton policy

Setting context definitions

Defining application role interfaces

Testing and enhancing the policy

Ignoring permissions we don't need

Creating application resource interfaces

Adding conditional policy rules

Adding build-time policy decisions

5. Creating a Server Policy

5. Creating a Server Policy

Introduction

Understanding the service

Choosing resource types wisely

Differentiating policies based on use cases

Creating resource-access interfaces

Creating exec, run, and transition interfaces

Creating a stream-connect interface

Creating the administrative interface

6. Setting Up Separate Roles

6. Setting Up Separate Roles

Introduction

Managing SELinux users

Mapping Linux users to SELinux users

Running commands in a specified role with sudo

Running commands in a specified role with runcon

Switching roles

Creating a new role

Initial role based on entry

Defining role transitions

Looking into access privileges

7. Choosing the Confinement Level

7. Choosing the Confinement Level

Introduction

Finding common resources

Defining common helper domains

Documenting common privileges

Granting privileges to all clients

Creating a generic application domain

Building application-specific domains using templates

Using fine-grained application domain definitions

8. Debugging SELinux

8. Debugging SELinux

Introduction

Identifying whether SELinux is to blame

Analyzing SELINUX_ERR messages

Logging positive policy decisions

Looking through SELinux constraints

Ensuring an SELinux rule is never allowed

Using strace to clarify permission issues

Using strace against daemons

Auditing system behavior

9. Aligning SELinux with DAC

9. Aligning SELinux with DAC

Introduction

Assigning a different root location to regular services

Using a different root location for SELinux-aware applications

Sharing user content with file ACLs

Enabling polyinstantiated directories

Configuring capabilities instead of setuid binaries

Using group membership for role-based access

Backing up and restoring files

Governing application network access

10. Handling SELinux-aware Applications

10. Handling SELinux-aware Applications

Introduction

Controlling D-Bus message flows

Restricting service ownership

Understanding udev's SELinux integration

Using cron with SELinux

Checking the SELinux state programmatically

Querying SELinux userland configuration in C

Interrogating the SELinux subsystem code-wise

Running new processes in a new context

Reading the context of a resource

Index

Index

Ignoring permissions we don't need

After repeated testing, we will have a policy that works, even though denials might still show up in the audit logs. In order not to alarm any administrator, we might want to disable auditing of those specific denials (while, of course, ensuring that critical access vectors are still logged by the audit daemon).

How to do it…

In order to disable logging of certain denials that do not influence an application's behavior, trigger the denial and then register the dontaudit statements as explained in the following steps:

For each denial shown in the audit logs, we need to find the corresponding dontaudit rule set. Consider the following instance:

type=AVC msg=audit(1398936489.877:2464): avc: denied { search } for pid=8241 comm="skype" name="modules" dev="dm-0" ino=1322041 scontext=user_u:user_r:skype_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir

Search through the SELinux policies for dontaudit statements on this matter:
```
~$ sefindif dontaudit.*user_home_t...
```

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

SELinux Cookbook

Search

Your notes and bookmarks