Book Image

SELinux Cookbook

By : Sven Vermeulen
Book Image

SELinux Cookbook

By: Sven Vermeulen

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
SELinux Cookbook
Sven Vermeulen
Sep, 2014 | 240 pages
No titles found
Table of Contents (17 chapters)
SELinux Cookbook
SELinux Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The SELinux Development Environment
The SELinux Development Environment
Introduction
Creating the development environment
Building a simple SELinux module
Calling refpolicy interfaces
Creating our own interface
Using the refpolicy naming convention
Distributing SELinux policy modules
2
Dealing with File Labels
Dealing with File Labels
Introduction
Defining file contexts through patterns
Using substitution definitions
Enhancing an SELinux policy with file transitions
Setting resource-sensitivity labels
Configuring sensitivity categories
3
Confining Web Applications
Confining Web Applications
Introduction
Listing conditional policy support
Enabling user directory support
Assigning web content types
Using different web server ports
Using custom content types
Creating a custom CGI domain
Setting up mod_selinux
Starting Apache with limited clearance
Mapping HTTP users to contexts
Using source address mapping to decide on contexts
Separating virtual hosts with mod_selinux
4
Creating a Desktop Application Policy
Creating a Desktop Application Policy
Introduction
Researching the application's logical design
Creating a skeleton policy
Setting context definitions
Defining application role interfaces
Testing and enhancing the policy
Ignoring permissions we don't need
Creating application resource interfaces
Adding conditional policy rules
Adding build-time policy decisions
5
Creating a Server Policy
Creating a Server Policy
Introduction
Understanding the service
Choosing resource types wisely
Differentiating policies based on use cases
Creating resource-access interfaces
Creating exec, run, and transition interfaces
Creating a stream-connect interface
Creating the administrative interface
6
Setting Up Separate Roles
Setting Up Separate Roles
Introduction
Managing SELinux users
Mapping Linux users to SELinux users
Running commands in a specified role with sudo
Running commands in a specified role with runcon
Switching roles
Creating a new role
Initial role based on entry
Defining role transitions
Looking into access privileges
7
Choosing the Confinement Level
Choosing the Confinement Level
Introduction
Finding common resources
Defining common helper domains
Documenting common privileges
Granting privileges to all clients
Creating a generic application domain
Building application-specific domains using templates
Using fine-grained application domain definitions
8
Debugging SELinux
Debugging SELinux
Introduction
Identifying whether SELinux is to blame
Analyzing SELINUX_ERR messages
Logging positive policy decisions
Looking through SELinux constraints
Ensuring an SELinux rule is never allowed
Using strace to clarify permission issues
Using strace against daemons
Auditing system behavior
9
Aligning SELinux with DAC
Aligning SELinux with DAC
Introduction
Assigning a different root location to regular services
Using a different root location for SELinux-aware applications
Sharing user content with file ACLs
Enabling polyinstantiated directories
Configuring capabilities instead of setuid binaries
Using group membership for role-based access
Backing up and restoring files
Governing application network access
10
Handling SELinux-aware Applications
Handling SELinux-aware Applications
Introduction
Controlling D-Bus message flows
Restricting service ownership
Understanding udev's SELinux integration
Using cron with SELinux
Checking the SELinux state programmatically
Querying SELinux userland configuration in C
Interrogating the SELinux subsystem code-wise
Running new processes in a new context
Reading the context of a resource
Index
Index

Creating our own interface

Being able to call interfaces is nice, but when we develop SELinux policies, we will run into situations where we need to create our own interface for the SELinux module we are developing. This is done through a file with an .if extension.

In this recipe, we are going to extend the mylogging policy with an interface that allows other domains to execute the system log daemon binary (but without running this binary with the privileges of the system logger itself; this would be called a domain transition in SELinux).

How to do it…

  1. If our current context is an unprivileged user domain (as unconfined domains are highly privileged and can do almost everything), we can try executing the system logger daemon (syslog-ng or rsyslog) directly and have it fail as follows:

    ~$ /usr/sbin/syslog-ng --help
bash: /usr/sbin/syslog-ng: Permission denied

  2. Now, create the mylogging.if file (in the same location where mylogging.te is) with the following content, granting all permissions needed to execute the binary:

    ## <summary>Local adaptation to the system logging SELinux policy</summary>
 
##########################################
## <summary>
##    Execute the system logging daemon in the caller domain
## </summary>
## <desc>
##   <p>
##     This does not include a transition.
##   </p>
## </desc>
## <param name="domain">
##    <summary>
##      Domain allowed access.
##    </summary>
## </param>
#
interface(`logging_exec_syslog',`
  gen_require(`
    type syslogd_exec_t;
  ')
  can_exec($1, syslogd_exec_t)
')

  3. Create a new SELinux policy module for the user domain; this policy should be able to execute the system logger directly. For instance, for the sysadm_t domain, we would create a mysysadm.te file with the following content:

    policy_module(mysysadm, 0.1)
gen_require(`
  type sysadm_t;
')
logging_exec_syslog(sysadm_t)

  4. Build the mysysadm policy module and load it. Then, test to see if the daemon binary can now be executed directly:

    ~$ /usr/sbin/syslog-ng --help

How it works…

Let's first look at how the build system knows where the interface definitions are. Then, we'll cover the in-line comment system used in the example.

The location of the interface definitions

Whenever an SELinux policy module is built, the build system sources all interface files it finds at the following locations:

  • /usr/share/selinux/mcs/include/* or /usr/share/selinux/devel/include/* (depending on the Linux distribution)

  • The current working directory

The first location is where the interface files of all the SELinux modules provided by the Linux distribution are stored. The files are inside subdirectories named after particular categories (the reference policy calls these layers, but this is only used to make some structure amongst the definitions, nothing else) such as contrib/, system/, and roles/.

For local development of SELinux policies, this location is usually not writable. If we develop our own policy modules, then this would mean that none of the locally managed SELinux policy files can use interfaces of the other local interface files. The Makefile file, therefore, also sources all interface files it finds in the current working directory.

The in-line documentation

Inside the interface file created, we notice a few XML-like structures as comments. These comments are prefixed by a double hash sign (##) and are used by the reference policy build system to generate the API documentation (which can be found at /usr/share/doc/selinux-*).

For local policies, this in-line documentation is not used and, thus, not mandatory. However, writing the documentation even for local policies helps us in documenting the rules better. Also, if we ever want to push our changes upstream, this in-line documentation will be requested anyway.

The comment system uses the following constructs:

  • Right before an interface definition, we encounter a <summary> element, which provides a one-sentence description of the interface

  • Additional information can then be provided through a <desc> element under which the HTML code can be placed for documenting the interface further

  • Every parameter to an interface is documented through a <param> entity, which again contains a <summary> line

See also

Previous Section
End of Section 6
Next Section