
How to confine a new service using an available policy

March 8, 2012

Sometimes new services which are part of a project are added; cluster, cloudform or MRG services, for example. Yesterday I got a new bug with the following description:

“matahari-qmf-rpcd runs as initrc_t”

It means that our policy does not cover the matahari-qmf-rpcd service, which has probably been shipped recently. I know nothing about this service and I want to confine it. I am not sure whether we have a policy for the Matahari project, so I use the selinux-policy-doc package to check.

$ rpm -q selinux-policy-doc
selinux-policy-doc-3.10.0-96.fc17.noarch

The package is installed, so I can find out whether a policy exists.

$ grep -r matahari /usr/share/selinux/devel/include/ |wc -l
256

There is a policy which I can use. We are interested in the /usr/share/selinux/devel/include/services/matahari.if policy file and its matahari_domain_template() interface. A template interface is a special interface that creates a basic set of rules for a service – template interfaces generate the domain, executable and file types for it.

In our case I declare the following local policy.

$ cat mymatahari.te
policy_module(mymatahari,1.0)

matahari_domain_template(rpcd)

Then I load and install it.

$ make -f /usr/share/selinux/devel/Makefile mymatahari.pp
$ semodule -i mymatahari.pp

You can see what types were added.

$ seinfo -t |grep matahari_rpc
matahari_rpcd_unit_file_t
matahari_rpcd_exec_t
matahari_rpcd_t

These three types were created by the matahari_domain_template() interface and we use them for the initial confinement. Now we need to tell SELinux that the matahari-qmf-rpcd service started by systemd should end up in the matahari_rpcd_t domain.

$ chcon -t matahari_rpcd_exec_t `which matahari-qmf-rpcd`
$ systemctl restart matahari-rpc.service
$ ps -eZ |grep matahari
system_u:system_r:matahari_rpcd_t:s0 3338 ? 00:00:00 matahari-qmf-rp

You are done: the new service is running in the proper domain. Now you can use the ausearch/audit2allow tools to check for AVC messages.

$ ausearch -m avc -ts recent |audit2allow
#============= matahari_rpcd_t ==============
allow matahari_rpcd_t bin_t:file getattr;
allow matahari_rpcd_t passwd_file_t:file { read getattr open };
allow matahari_rpcd_t usr_t:file { read getattr open };

The next step is either to file a new bug with these AVC messages and the local policy, or to use audit2allow to generate rules for the mymatahari.te policy file.

$ ausearch -m avc -ts recent |audit2allow -R |grep \(matahari >> mymatahari.te
$ make -f /usr/share/selinux/devel/Makefile mymatahari.pp
$ semodule -i mymatahari.pp
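The whole procedure above, wrapped into reusable shell functions so it can be repeated for another service. This is an added example, not code from the original post or from the selinux-policy project: the template lookup, the .te module, the `ps -eZ` check and the audit2allow filter follow the commands shown above, while the .fc file-context line and the binary path /usr/sbin/matahari-qmf-rpcd used in it are my assumptions. The demo at the end runs on constructed inputs (a stand-in .if file, a `ps -eZ` row and audit2allow -R output shaped like the post's), so it works without an SELinux host; the real build is only attempted where semodule exists.

```shell
#!/bin/sh
# Added example, not code from the original post. The matahari names are
# only defaults; the executable path in the .fc line is an assumed placeholder.

INCLUDE_DIR="${INCLUDE_DIR:-/usr/share/selinux/devel/include}"

# find_template PREFIX [DIR]: list the domain templates the shipped policy
# offers for PREFIX (e.g. matahari_domain_template), one per line.
# Fails when there is none, i.e. there is no template to build on.
find_template() {
    found=$(grep -rh '^template(' "${2:-$INCLUDE_DIR}" 2>/dev/null \
        | grep -o "${1}_[a-z_]*template" | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# write_te MODULE PREFIX SUFFIX: the minimal local module from the post,
# which only calls PREFIX_domain_template(SUFFIX).
write_te() {
    printf 'policy_module(%s,1.0)\n\n%s_domain_template(%s)\n' "$1" "$2" "$3"
}

# write_fc EXEC_PATH TYPE: a file-context line for the service binary.
# chcon alone is lost on the next relabel (restorecon); an .fc entry in the
# local module makes the label persistent. Dots are regex metacharacters.
write_fc() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s -- gen_context(system_u:object_r:%s,s0)\n' "$esc" "$2"
}

# domain_of PS_LINE: the SELinux type of a `ps -eZ` row, i.e. the third
# colon-separated field of its context column.
domain_of() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# filter_rules DOMAIN: from audit2allow -R output on stdin keep only the
# interface calls for DOMAIN (the post's `grep \(matahari`); comments and
# the require block do not belong in the .te file. No match is not an error.
filter_rules() {
    grep "(${1}" || :
}

# build_and_install MODULE: the make/semodule pair from the post, run only
# where the policy development tools are present.
build_and_install() {
    command -v semodule >/dev/null 2>&1 || { echo "semodule not available, skipping" >&2; return 0; }
    make -f /usr/share/selinux/devel/Makefile "$1.pp" && semodule -i "$1.pp"
}

# demo: the flow on constructed inputs, so it runs without SELinux.
demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for services/matahari.if (shape of a refpolicy .if)
    cat > "$tmp/matahari.if" <<'EOF'
template(`matahari_domain_template',`
	gen_require(`
		attribute matahari_domain;
	')
')
EOF
    find_template matahari "$tmp"
    write_te mymatahari matahari rpcd > "$tmp/mymatahari.te"
    write_fc /usr/sbin/matahari-qmf-rpcd matahari_rpcd_t > "$tmp/mymatahari.fc"  # path assumed
    cat "$tmp/mymatahari.te" "$tmp/mymatahari.fc"
    # Constructed `ps -eZ` row, as quoted in the post
    domain_of 'system_u:system_r:matahari_rpcd_t:s0 3338 ? 00:00:00 matahari-qmf-rp'
    # Constructed audit2allow -R output: require block, comment, interface calls
    printf '%s\n' 'require {' '	type matahari_rpcd_t;' '}' \
        '#============= matahari_rpcd_t ==============' \
        'corecmd_getattr_bin_files(matahari_rpcd_t)' \
        'auth_read_passwd(matahari_rpcd_t)' \
        'files_read_usr_files(matahari_rpcd_t)' \
        | filter_rules matahari_rpcd_t
    rm -rf "$tmp"
}

demo
```

Two points the post's one-off commands do not show: the .fc line replaces the manual chcon, which would otherwise be undone by a relabel, and filter_rules keeps only interface calls, which carry their own gen_require; any raw allow rules audit2allow leaves in its output need the accompanying require block if you decide to keep them.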
