How to create a new initial policy using sepolicy-generate tool?
I have a service running without own SELinux domain and I would like to create a new initial policy for it.
How can I create a new initial policy? Is there a tool for it?
We get these questions very often. And my answer is pretty easy. Yes, there is a tool which can help you with this task.
Let’s use a real example to demonstrate how to create own initial policy for the running lttng-sessiond service on my system.
I see
$ ps -efZ |grep lttng-sessiond
system_u:system_r:unconfined_service_t:s0 root 29186 1 0 12:31 ? 00:00:00 /usr/bin/lttng-sessiond -d
unconfined_service_t tells us the lttng-sessiond service runs without SELinux confinement.
Basically there is no problem with a service running as unconfined_service_t if this service does “everything” or this service is a third party software. A problem occurs if there are another services with own SELinux domains and they want to access objects created by your service.
Then you can see AVCs like
type=AVC msg=audit(1431724248.950:1003): avc: denied { getattr } for pid=768 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=25832 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
In that case, you want to create SELinux policy from the scratch to get objects created by your service with the specific SELinux labeling to see if you can get a proper SELinux confinement.
Let’s start.
1. You need to identify an executable file which is used to start a service. From
system_u:system_r:unconfined_service_t
$:s0 root 29186 1 0 12:31 ? 00:00:00 /usr/bin/lttng-sessiond -d
you can see /usr/bin/lttng-sessiond is used. Also
$ grep ExecStart /usr/lib/systemd/system/lttng-sessiond.service
ExecStart=/usr/bin/lttng-sessiond -d
is useful.
2. Run sepolicy-generate to create initial policy files.
sepolicy generate --init -n lttng /usr/bin/lttng-sessiond
Created the following files:
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.te # Type Enforcement file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.if # Interface file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.fc # File Contexts file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng_selinux.spec # Spec file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.sh # Setup Script
3. Run
# sh lttng.sh
4. YOU ARE DONE. CHECK YOUR RESULTS.
# ls -Z /usr/bin/lttng-sessiond
system_u:object_r:lttng_exec_t:s0 /usr/bin/lttng-sessiond
# systemctl restart lttng-sessiond
# ps -eZ |grep lttng-sessiond
system_u:system_r:lttng_t:s0 root 29850 1 0 12:50 ? 00:00:00 /usr/bin/lttng-sessiond -d
# auseaarch -m avc -ts recent
... probably you see a lot of AVCs ...
Now you have created/loaded own initial policy for your service. In this point, you can work on AVCs, you can ask us to help you with these AVCs.
These steps above are valid for the latest Fedoras and RHEL7. Let’s show a reminder how it looks on RHEL6.
# ps -eZ |grep certmongerunconfined_u:system_r:initrc_t:s0 8560 ? 00:00:00 certmonger
where initrc_t means you have a running service without SELinux confinement.
# yum install policycoreutils-gui# sepolgen -n certmonger -t 0 /usr/sbin/certmonger
Created the following files in:
./
certmonger.te # Type Enforcement file
certmonger.if # Interface file
certmonger.fc # File Contexts file
certmonger.sh # Setup Script
# sh certmonger.sh# ls -lZ /usr/sbin/certmonger
-rwxr-xr-x. root root system_u:object_r:certmonger_exec_t:s0 /usr/sbin/certmonger
# service certmonger restart
# ps -eZ |grep certmonger
unconfined_u:system_r:certmonger_t:s0 8695 ? 00:00:00 certmonger
and YOU ARE DONE on RHEL6.
Now just catch AVCs
# ausearch -m avc -ts recent, add additional labeling for state, pid, config files if needed and repeat testing steps to finish your initial SELinux policy.