SELinux insides – Part 1: Policy module store, policy modules and kernel policy.
As you probably know, we are working to get the latest SELinux userspace, which supports a new location for the policy store together with CIL support, into Fedora 23.
There is a Fedora feature page about this change. It talks about a policy store, policy modules and a binary policy (or kernel policy):
“SELinux security policy is located in the /etc/selinux directory together with configuration files. In Fedora, we use a modular policy. It means the policy is not one large source policy but it can be built from modules. These modules together with a base policy (which contains the mandatory information) are compiled, linked and located in a policy store, where they can be built into a binary format and then loaded into the security server. This binary policy is located in /etc/selinux/<SELINUXTYPE>/policy/policy.29, for example.”
But how are these compiled policy modules created?
If a policy writer starts a new policy, he creates source policy files (.te, .if, .fc). These files are compiled with checkmodule into an intermediate format, .mod. This policy object file contains the Type Enforcement (TE) rules together with the rules expanded from the interface files (*.if). Then semodule_package is called (with a file context file) to create a SELinux policy module, .pp.
In this phase, semodule is used to manage the policy store (installing, loading, updating and removing modules); it also builds the binary policy file, policy.29 for example.
How does CIL come into the game?
With the 2.4 userspace, the compiled *.pp policy modules are converted to CIL code by the /usr/libexec/selinux/hll/pp binary, and all these CIL files are compiled into one binary policy file, policy.29 for example. In 2.4 terminology, a .pp file is a High Level Language (HLL) file, so we could define our own HLLs and convert such files to CIL format.
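The pipeline above (.te/.fc sources, checkmodule, semodule_package, semodule, and the pp HLL converter) as an added shell example; it is not code from the original post or from the SELinux project. The module name myapp_demo, its type myapp_demo_conf_t and the /etc/myapp_demo path are constructed for the example; the .te is written in the raw module language that checkmodule accepts directly, so no refpolicy m4 macros or development Makefile are needed. The install step requires root and a 2.4 userspace; the script skips the steps whose tools are missing.

```shell
#!/bin/sh
# Added example (not from the original post): take a small policy module
# through  .te/.fc -> checkmodule -> .mod -> semodule_package -> .pp -> semodule
# and show the same .pp converted to CIL by the pp HLL compiler.
# Module name, type name and paths below are constructed for this example.
set -eu

# write_sources DIR: create minimal .te and .fc sources in DIR.
write_sources() {
    dir=$1
    cat > "$dir/myapp_demo.te" <<'EOF'
module myapp_demo 1.0;

require {
    type unconfined_t;
    class file { getattr open read };
}

# A new type for the application's configuration files (constructed name)
type myapp_demo_conf_t;

# The one TE rule this module carries: unconfined domains may read the files
allow unconfined_t myapp_demo_conf_t : file { getattr open read };
EOF
    # File contexts in raw form (no gen_context macro); ":s0" because Fedora
    # policies are built MLS/MCS-aware.
    cat > "$dir/myapp_demo.fc" <<'EOF'
/etc/myapp_demo(/.*)?    system_u:object_r:myapp_demo_conf_t:s0
EOF
}

# tools_available: succeed only if the whole toolchain is installed.
tools_available() {
    command -v checkmodule >/dev/null 2>&1 &&
    command -v semodule_package >/dev/null 2>&1 &&
    command -v semodule >/dev/null 2>&1
}

# build_module DIR: compile (.te -> .mod) and package (.mod + .fc -> .pp).
build_module() {
    dir=$1
    # -M: MLS/MCS-aware policy, -m: build a policy module rather than a base policy
    checkmodule -M -m -o "$dir/myapp_demo.mod" "$dir/myapp_demo.te"
    # -f attaches the file contexts so the store can regenerate file_contexts
    semodule_package -o "$dir/myapp_demo.pp" -m "$dir/myapp_demo.mod" -f "$dir/myapp_demo.fc"
}

# to_cil DIR: run the HLL compiler mentioned above; the CIL text goes to stdout.
to_cil() {
    dir=$1
    /usr/libexec/selinux/hll/pp < "$dir/myapp_demo.pp" > "$dir/myapp_demo.cil"
    cat "$dir/myapp_demo.cil"
}

# install_module DIR: load the .pp into the store and rebuild the kernel
# policy (requires root); then confirm the module is listed.
install_module() {
    semodule -i "$1/myapp_demo.pp"
    semodule -l | grep -F myapp_demo
}

main() {
    dir=$(mktemp -d)
    write_sources "$dir"
    if ! tools_available; then
        echo "SELinux userspace tools not installed; sources written to $dir" >&2
        return 0
    fi
    build_module "$dir"
    if [ -x /usr/libexec/selinux/hll/pp ]; then
        to_cil "$dir"
    fi
    if [ "$(id -u)" -eq 0 ]; then
        install_module "$dir"
    fi
}

main
```

After installation, the store keeps both the original .pp (as the module's hll file) and the CIL produced from it, which is what semodule links into policy.29.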
Where are these policy modules located?
With SELinux installed, the following directory locations are relevant:
| Location | Description |
|---|---|
| /sys/fs/selinux | The SELinux filesystem. |
| /etc/selinux | Location for SELinux configuration files and policies. |
| /etc/selinux/<SELINUXTYPE>/module | Location for the policy module store and additional configuration files. |
With the 2.4 userspace, the default location for policy modules changes from /etc/selinux/<SELINUXTYPE>/module to /var/lib/selinux/<SELINUXTYPE>/module. The following options are also added to semanage.conf by libsepol (v2.4) with CIL support:
store-root = <path>
compiler-directory = <path>
ignore-module-cache = true|false
target-platform = selinux | xen
The “store-root” option changes the store root from the default /var/lib/selinux to a custom location, according to distribution requirements.
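To make the new layout concrete, here is an added shell example (not code from the original post or from the SELinux project) that resolves the module store the way the 2.4 layout implies: the root from store-root in semanage.conf (falling back to /var/lib/selinux), the store name from SELINUXTYPE in /etc/selinux/config, and the installed modules under <store-root>/<SELINUXTYPE>/active/modules/<priority>/<name>/. The semanage.conf and config fragments and the directory tree it creates are constructed so the script runs offline; it also lists the real store on the host if one exists.

```shell
#!/bin/sh
# Added example (not from the original post): locate and list the 2.4
# policy module store from semanage.conf and /etc/selinux/config.
# The sample configuration files and store tree below are constructed.
set -eu

# conf_value FILE KEY DEFAULT: read "key = value" from a semanage.conf-style
# file, ignoring comment lines and surrounding whitespace; last match wins.
conf_value() {
    file=$1 key=$2 default=$3
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$file" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

# selinux_type FILE: SELINUXTYPE=... from /etc/selinux/config (default targeted)
selinux_type() {
    val=$(sed -n 's/^SELINUXTYPE=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-targeted}"
}

# module_store_dir SEMANAGE_CONF SELINUX_CONFIG: directory holding the
# installed modules, one subdirectory per priority, one per module below it.
module_store_dir() {
    root=$(conf_value "$1" store-root /var/lib/selinux)
    type=$(selinux_type "$2")
    printf '%s/%s/active/modules\n' "$root" "$type"
}

# list_modules DIR: print "priority name" for every module in the store.
list_modules() {
    [ -d "$1" ] || return 0
    for p in "$1"/*/; do
        [ -d "$p" ] || continue
        for m in "$p"*/; do
            [ -d "$m" ] || continue
            printf '%s %s\n' "$(basename "$p")" "$(basename "$m")"
        done
    done
}

demo() {
    tmp=$(mktemp -d)
    # constructed semanage.conf: a commented-out store-root must be ignored
    cat > "$tmp/semanage.conf" <<'EOF'
module-store = direct
# store-root = /not/this/one
store-root = /srv/selinux
compiler-directory = /usr/libexec/selinux/hll
ignore-module-cache = false
target-platform = selinux
EOF
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/config"
    store=$(module_store_dir "$tmp/semanage.conf" "$tmp/config")
    echo "module store from constructed config: $store"
    # constructed store tree: one distribution module, one local module
    mkdir -p "$tmp$store/100/apache" "$tmp$store/400/myapp_demo"
    list_modules "$tmp$store"
    # the real store on this host, if the 2.4 layout is present
    real=$(module_store_dir /etc/selinux/semanage.conf /etc/selinux/config)
    echo "module store on this host: $real"
    list_modules "$real"
}

demo
```

The priority directory is what lets a locally installed module (semodule installs at priority 400 by default) shadow a distribution module of the same name at a lower priority without overwriting it, which is one of the reasons the store moved out of /etc/selinux.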