-
Work with a proper daemon under Red Hat Enterprise Linux. This
means it has an initscript in /etc/init.d/ and can be managed using chkconfig. For example, this procedure assumes you
are going to use the service command to
control starting and stopping the daemon.
For this procedure, you are writing policy for the fictional
foo package and it's associated
foo daemon. Use a real daemon name in this
place when developing your own policy.
-
Create a file at $SELINUX_SRC/domains/program/foo.te.
-
Put the daemon domain macro call in the file:
-
Create the file contexts file, $SELINUX_SRC/file_contexts/program/foo.fc.
-
Put the first list of file contexts in file.fc. You may need to add to this later,
depending on the needs of the foo
daemon.
/usr/bin/foo -- system_u:object_r:foo_exec_t
/var/run/foo.pid -- system_u:object_r:foo_var_run_t
/etc/foo.conf -- system_u:object_r:foo_conf_t
|
-
Load the new policy with make load.
-
Label the foo files:
restorecon /usr/bin/foo /var/run/foo.pid /etc/foo.conf
|
-
Start the daemon, service foo
start.
-
Examine your audit log for denial messages:
grep "avc: denied" /var/log/messages > /tmp/avc_denials
cat /tmp/avc_denials
|
Familiarize yourself with the errors the daemon is generating.
You are writing policy with the help of audit2allow, but you need to understand the nature
of the denials. You can also use seaudit
for viewing the log messages, as explained in Section 6.2 Using seaudit for Audit Log Analysis.
-
Use audit2allow to start the first
round of policy rules.
audit2allow -l -i /var/log/messages -o \
/etc/selinux/targeted/src/policy/domains/program/foo.te
|
When looking at the generated rules, if you see a rule that
gives the foo_t domain
read access to a file or
directory, change the permission to read { read gettatr }. The domain is likely to
need that permission if it already wants to read a file.
-
Look to see if the foo_t
domain tries to create a network socket, that is, udp_socket or tcp_socket as the object class in the AVC
denial:
avc: denied { create } for pid=7279 exe=/usr/bin/foo \
scontext=root:system_r:foo_t tcontext=root:system_r:foo_t\
tclass=udp_socket
|
If this is the case, then add the can_network() macro to foo.te:
-
Continue to iterate through the basic steps to generate all the
rules you need. Each set of rules added to the policy may reveal
additional permission needs from the foo_t domain.
-
Start the daemon.
-
Read the AVC messages.
-
Write policy from the AVC messages, using audit2allow and your own knowledge, looking for
chances to use macros.
-
Load new policy.
-
Go back to beginning, starting the daemon ...
-
If the domain tries to access port_t, which relates to tclass=tcp_socket or tclass=udp_socket in the AVC log message,
you need to determine what port number foo
needs to use. To diagnose, put these rules in foo.te:
allow foo_t port_t:tcp_socket name_bind;
auditallow foo_t port_t:tcp_socket name_bind;
|
The auditallow rule helps
you determine the nature of the port connection attempt.
-
Iterate through the remaining AVC denials. When they are
resolved with new policy, you can configure the unique port
requirements for the foo_t domain.
-
With the daemon started, determine which port foo is using. Look at the AVC allowed message and
see what port the daemon is connected to:
lsof | grep foo.*TCP
foo 2283 root 3u IPv6 3192 TCP *:4242 (LISTEN)
|
The foo daemon is listening on port
4242.
-
Remove the generic port_t
rule, replacing it with a specific rule for a new port type based
on the foo_t domain.
type foo_port_t, port_type;
allow foo_t foo_port_t:tcp_socket name_bind;
|
Add this line to $SELINUX_SRC/file_contexts. This reserves the port
4242 for the domain foo_t:
ifdef(`foo.te', `portcon tcp 4242 system_u:object_r:foo_port_t')
|
