SELinux Operations: Difference between revisions

From NovaOrdis Knowledge Base
Revision as of 09:24, 9 January 2016

Internal

Get the SELinux Security Context for a Directory

ls -lZ <dir>

Diagnosing and Fixing SELinux Problems

If you have a suspicion that SELinux may be at the root of your problems, run:

sealert -a /var/log/audit/audit.log

The output may look similar to the following, which points at the cause of the problem:

[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]

Then use audit2allow to parse the audit log and generate the SELinux policy rules that would allow the denied operation:

grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;

Once you have reviewed the generated rules, write the policy module to a file:

grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy

This will generate two files: a binary .pp file and a text .te file. The binary file thus generated can be installed as follows:

semodule -i mysepolicy.pp

A policy installed this way survives a reboot.

The text (.te) file can be manually modified, compiled and installed, as follows. Assuming the text file is similar to:


module mysepolicy 1.0;

require {
        type httpd_log_t;
        type httpd_t;
        type unreserved_port_t;
        class tcp_socket name_bind;
        class dir remove_name;
        class file { write unlink };
        class udp_socket name_bind;
}

#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file unlink;
allow httpd_t httpd_log_t:file write;
allow httpd_t unreserved_port_t:udp_socket name_bind;
allow httpd_t unreserved_port_t:tcp_socket name_bind;

The policy can be compiled:

checkmodule -M -m -o mysepolicy.mod mysepolicy.te

Create the module package:

semodule_package -o mysepolicy.pp -m mysepolicy.mod

Install the policy:

semodule -i mysepolicy.pp

Verify that the policy was installed:

semodule -l | grep mysepolicy
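The workflow above (sealert, audit2allow, .te file) turns AVC denial records into allow rules. The following added example, which is not part of the original page and not the audit2allow tool itself, shows what that translation actually does: it parses constructed audit.log records (not from a real system) for the scontext/tcontext/tclass/permission fields and renders a .te module in the same shape as the one shown above, so the rules can be reviewed before being compiled with checkmodule. Unlike the page's output it merges permissions per rule (for example `file { unlink write }`), which is equally valid policy syntax.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from a real system); the SYSCALL record shows non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1452332666.101:401): avc:  denied  { write } for  pid=2001 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=5150 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452332666.102:402): avc:  denied  { unlink } for  pid=2001 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=5150 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452332666.103:403): avc:  denied  { name_bind } for  pid=2001 comm="httpd" src=8009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1452332666.103:403): arch=c000003e syscall=49 success=no exit=-13
"""

# Fields of an AVC denial record needed to build an allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\w+)')

def parse_avc_denials(lines):
    """Yield (source_type, target_type, class, perms) for each AVC denial record."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group('sctx').split(':')[2]
        ttype = m.group('tctx').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())

def fmt(perms):
    """Render a permission set in policy syntax: one bare name or a braced list."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'

def generate_te(lines, module_name, version='1.0', domain=None):
    """Render a .te module allowing every denial; domain keeps only that source type
    (the page's `grep httpd` filter expressed as a type match)."""
    rules = defaultdict(set)    # (stype, ttype, tclass) -> permissions
    for stype, ttype, tclass, perms in parse_avc_denials(lines):
        if domain is None or stype == domain:
            rules[(stype, ttype, tclass)] |= perms
    classes = defaultdict(set)  # tclass -> union of permissions, for the require block
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f'module {module_name} {version};', '', 'require {']
    out += [f'        type {t};' for t in sorted({t for k in rules for t in k[:2]})]
    out += [f'        class {c} {fmt(classes[c])};' for c in sorted(classes)]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f'allow {stype} {ttype}:{tclass} {fmt(perms)};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(generate_te(SAMPLE_AUDIT_LOG.splitlines(), 'mysepolicy', domain='httpd_t'))
```

The printed module can be saved as mysepolicy.te and fed to the checkmodule / semodule_package / semodule steps above; a denial that should not be allowed (for example a web server unlinking its own log) is the reason to read the rules before installing them rather than a reason to fix the label or the application.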

Compile and Apply a Policy

Start from the text policy file, in this case mypolicy.te:


module mypolicy 1.0;

require {
        type httpd_log_t;
        type httpd_t;
        class file write;
}

#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;

Compile the policy:

checkmodule -M -m -o mypolicy.mod mypolicy.te

Create the SELinux policy module package:

semodule_package -o mypolicy.pp -m mypolicy.mod

Install the policy module package:

semodule -i mypolicy.pp