Skip to content

How to create a new initial policy using sepolicy-generate tool?

May 20, 2015

I have a service running without own SELinux domain and I would like to create a new initial policy for it.

How can I create a new initial policy? Is there a tool for it?

We get these questions very often. And my answer is pretty easy. Yes, there is a tool which can help you with this task.

Let’s use a real example to demonstrate how to create own initial policy for the running lttng-sessiond service on my system.

I see

$ ps -efZ |grep lttng-sessiond
system_u:system_r:unconfined_service_t:s0 root 29186 1 0 12:31 ? 00:00:00 /usr/bin/lttng-sessiond -d

unconfined_service_t tells us the lttng-sessiond service runs without SELinux confinement.

Basically there is no problem with a service running as unconfined_service_t if this service does “everything” or this service is a third party software. A problem occurs if there are another services with own SELinux domains and they want to access objects created by your service.

Then you can see AVCs like

type=AVC msg=audit(1431724248.950:1003): avc: denied { getattr } for pid=768 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=25832 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

In that case, you want to create  SELinux policy from the scratch to get objects created by your service with the specific SELinux labeling to see if you can get a proper SELinux confinement.

Let’s start.

1. You need to identify an executable file which is used to start a service. From

system_u:system_r:unconfined_service_t
$:s0 root 29186 1 0 12:31 ? 00:00:00 /usr/bin/lttng-sessiond -d

you can see /usr/bin/lttng-sessiond is used. Also

$ grep ExecStart /usr/lib/systemd/system/lttng-sessiond.service
ExecStart=/usr/bin/lttng-sessiond -d

is useful.

2. Run sepolicy-generate to create initial policy files.

sepolicy generate --init -n lttng /usr/bin/lttng-sessiond
Created the following files:
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.te # Type Enforcement file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.if # Interface file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.fc # File Contexts file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng_selinux.spec # Spec file
/home/mgrepl/Devel/RHEL/selinux-policy/lttng.sh # Setup Script

3. Run

# sh lttng.sh

4. YOU ARE DONE. CHECK YOUR RESULTS.

# ls -Z /usr/bin/lttng-sessiond
system_u:object_r:lttng_exec_t:s0 /usr/bin/lttng-sessiond
# systemctl restart lttng-sessiond
# ps -eZ |grep lttng-sessiond
system_u:system_r:lttng_t:s0 root 29850 1 0 12:50 ? 00:00:00 /usr/bin/lttng-sessiond -d
# auseaarch -m avc -ts recent
... probably you see a lot of AVCs ...

Now you have created/loaded own initial policy for your service. In this point, you can work on AVCs, you can ask us to help you with these AVCs.

Advertisements

From → Uncategorized

2 Comments
  1. These steps above are valid for the latest Fedoras and RHEL7. Let’s show a reminder how it looks on RHEL6.

    # ps -eZ |grep certmonger
    unconfined_u:system_r:initrc_t:s0 8560 ? 00:00:00 certmonger

    where initrc_t means you have a running service without SELinux confinement.

    # yum install policycoreutils-gui
    # sepolgen -n certmonger -t 0 /usr/sbin/certmonger
    Created the following files in:
    ./
    certmonger.te # Type Enforcement file
    certmonger.if # Interface file
    certmonger.fc # File Contexts file
    certmonger.sh # Setup Script

    # sh certmonger.sh
    # ls -lZ /usr/sbin/certmonger
    -rwxr-xr-x. root root system_u:object_r:certmonger_exec_t:s0 /usr/sbin/certmonger
    # service certmonger restart
    # ps -eZ |grep certmonger
    unconfined_u:system_r:certmonger_t:s0 8695 ? 00:00:00 certmonger

    and YOU ARE DONE on RHEL6.

    Now just catch AVCs

    # ausearch -m avc -ts recent

    , add additional labeling for state, pid, config files if needed and repeat testing steps to finish your initial SELinux policy.

Trackbacks & Pingbacks

  1. SELinux insides – Part1: Policy module store, policy modules and kernel policy. | mgrepl

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: