Book Image

SELinux Cookbook

By : Sven Vermeulen
Book Image

SELinux Cookbook

By: Sven Vermeulen

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
SELinux Cookbook
Sven Vermeulen
Sep, 2014 | 240 pages
No titles found
Table of Contents (17 chapters)
SELinux Cookbook
SELinux Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The SELinux Development Environment
The SELinux Development Environment
Introduction
Creating the development environment
Building a simple SELinux module
Calling refpolicy interfaces
Creating our own interface
Using the refpolicy naming convention
Distributing SELinux policy modules
2
Dealing with File Labels
Dealing with File Labels
Introduction
Defining file contexts through patterns
Using substitution definitions
Enhancing an SELinux policy with file transitions
Setting resource-sensitivity labels
Configuring sensitivity categories
3
Confining Web Applications
Confining Web Applications
Introduction
Listing conditional policy support
Enabling user directory support
Assigning web content types
Using different web server ports
Using custom content types
Creating a custom CGI domain
Setting up mod_selinux
Starting Apache with limited clearance
Mapping HTTP users to contexts
Using source address mapping to decide on contexts
Separating virtual hosts with mod_selinux
4
Creating a Desktop Application Policy
Creating a Desktop Application Policy
Introduction
Researching the application's logical design
Creating a skeleton policy
Setting context definitions
Defining application role interfaces
Testing and enhancing the policy
Ignoring permissions we don't need
Creating application resource interfaces
Adding conditional policy rules
Adding build-time policy decisions
5
Creating a Server Policy
Creating a Server Policy
Introduction
Understanding the service
Choosing resource types wisely
Differentiating policies based on use cases
Creating resource-access interfaces
Creating exec, run, and transition interfaces
Creating a stream-connect interface
Creating the administrative interface
6
Setting Up Separate Roles
Setting Up Separate Roles
Introduction
Managing SELinux users
Mapping Linux users to SELinux users
Running commands in a specified role with sudo
Running commands in a specified role with runcon
Switching roles
Creating a new role
Initial role based on entry
Defining role transitions
Looking into access privileges
7
Choosing the Confinement Level
Choosing the Confinement Level
Introduction
Finding common resources
Defining common helper domains
Documenting common privileges
Granting privileges to all clients
Creating a generic application domain
Building application-specific domains using templates
Using fine-grained application domain definitions
8
Debugging SELinux
Debugging SELinux
Introduction
Identifying whether SELinux is to blame
Analyzing SELINUX_ERR messages
Logging positive policy decisions
Looking through SELinux constraints
Ensuring an SELinux rule is never allowed
Using strace to clarify permission issues
Using strace against daemons
Auditing system behavior
9
Aligning SELinux with DAC
Aligning SELinux with DAC
Introduction
Assigning a different root location to regular services
Using a different root location for SELinux-aware applications
Sharing user content with file ACLs
Enabling polyinstantiated directories
Configuring capabilities instead of setuid binaries
Using group membership for role-based access
Backing up and restoring files
Governing application network access
10
Handling SELinux-aware Applications
Handling SELinux-aware Applications
Introduction
Controlling D-Bus message flows
Restricting service ownership
Understanding udev's SELinux integration
Using cron with SELinux
Checking the SELinux state programmatically
Querying SELinux userland configuration in C
Interrogating the SELinux subsystem code-wise
Running new processes in a new context
Reading the context of a resource
Index
Index

Distributing SELinux policy modules

We finish this chapter by explaining how SELinux policy modules can be distributed across multiple systems.

How to do it…

To distribute SELinux policies, complete the following steps:

  1. Take into account the different system configurations to which the SELinux policies need to be distributed:

    • If multiple systems have different SELinux policy releases to be active, then build the SELinux policy module against each of these implementations. This is heavily distribution specific. For instance, on Gentoo, this is the version of the sec-policy/selinux-base package. On Red Hat and derived distributions, this is the version of the selinux-policy package.

    • If multiple SELinux policy types are active (such as mcs, targeted, and strict) and there are both MLS-enabled as well as MLS-disabled policies, then the SELinux policy module will need to be built against both an MLS-enabled policy as well as an MLS-disabled policy. The output of sestatus will tell us whether MLS is enabled on an active policy or not:

      ~$ sestatus | grep MLS
Policy MLS status:    enabled

  2. Package the resulting .pp files and distribute them to the various systems. It is a common best practice to place the .pp files inside /usr/share/selinux/mcs/ (this is for an SELinux policy store named mcs, you can adjust it where needed).

  3. On each system, make sure that the .pp file is loaded through semodule –I policyfile.pp.

How it works…

SELinux policy modules (the files ending with .pp) contain everything SELinux needs to activate the policy. By distributing these files across many systems (and loading it through the semodule command), these systems receive the wanted updates against their current SELinux policy.

Once loaded (and this only needs to happen once, as a loaded module is retained even after the system reboots), one does not really need the .pp files anymore (loaded modules are copied inside /etc/selinux). However, it is recommended that you keep the policies there so that administrators can reload policies as needed; this might help in troubleshooting the SELinux policy and system permission issues.

There are a few caveats to take into account though:

  • Changes in interfaces

  • Kernel version changes

  • MLS-enabled or MLS-disabled policies

Changes in interfaces

The .pp files contain all rules that SELinux needs to enforce the additional policy rules. This includes the (expanded) rules that were part of the interface definition files (the .if files) of the module itself as well as the interfaces referred to by the policy module.

When an update against an interface occurs, then all SELinux policy modules that might be affected by the change need to be rebuilt. As there is no simple way to know if a module needs to be rebuilt or not, it is recommended that you rebuild all policy modules every time a change has occurred to at least one interface.

Distributions will handle the rebuilding of the policies and the distribution of the rebuilt policies themselves, but for custom policy modules, we need to do this ourselves.

Kernel version changes

New kernel releases might include updates against the SELinux subsystem. When these updates provide additional features, the binary representation of a policy might be updated. This is then reflected in the binary version of the policy that the kernel supports.

Binary versions are backward compatible, so a system that supports a maximum version of 28 (SELinux's binary versions are integers that are incremented with every change) will also support loading policy modules of a lower binary version:

~# sestatus
SELinux status:      enabled
SELinuxfs mount:      /sys/fs/selinux
SELinux root directory:    /etc/selinux
Loaded policy name:    mcs
Current mode:      enforcing
Mode from config file:    enforcing
Policy MLS status:      enabled
Policy deny_unknown status:  denied
Max kernel policy version:  28

Note

When the binary version of an SELinux policy module is higher than the maximum kernel policy version, this SELinux policy module will not load on the target system. A higher version means that the policy uses features that are only available in kernels that support this version, so the administrator will need to update the kernels on those systems to support the higher version or update the SELinux policy module to not use these features so that a rebuild creates a lower-versioned binary SELinux policy module.

MLS or not

SELinux policy modules might contain sensitivity-related information. When a policy module is built, information is added to reflect whether it is built against an MLS-enabled system or not.

Therefore, if we have hosts that have diverse policy usages (some policy stores are MLS-enabled and some are MLS-disabled), then the SELinux policy module will need to be built against both and distributed separately.

Usually, this is done by providing SELinux policy modules for each particular SELinux policy type (be it mcs, strict, or targeted).

Previous Section
End of Chapter 1
Next Chapter