
1 Writing SELinux Policy
Daniel Walsh, Red Hat

2 Language
M4 Macros
Name
● module rwhod 1.0;
● policy_module(rwhod,1.0)

3 Type Field
● type rwhod_t; # Process Type (Domain)
● type rwhod_exec_t; # File Type
gen_require(`
    type shadow_t;
')

4 Policy Rules
COMMAND SOURCETYPE TARGETTYPE:CLASS PERMS;
COMMANDS
● allow – Most common
● dontaudit – Deny access, but do not log
● auditallow – Allow access, but log a message
● neverallow – Stop the policy from building if a matching allow rule is added
allow user_t etc_t:file { open read getattr ioctl lock };
allow sudo_t self:process setuid;
dontaudit httpd_t krb5_conf_t:file write;
auditallow user_t shadow_t:file write;

5 Policy Rules
➔ class
  ➔ file, dir, sock_file, tcp_socket, process, capability
➔ Permissions – Per Class
  ➔ read write ioctl
  ➔ setuid chown
➔ Macro definitions
  ➔ read_file_perms, manage_sock_file_perms;
  ➔ /usr/share/selinux/devel/include/support/obj_perm_sets.spt

6 Policy Rules
➔ attribute
  ➔ group types
  ➔ attribute file_type;
  ➔ type etc_t, file_type;
  ➔ typeattribute etc_t file_type;
  ➔ allow rpm_t file_type:file manage_file_perms;

7 Interfaces
➔ Policy Function Calls
➔ Stored in .if files: /usr/share/selinux/devel/include/kernel/files.if
➔ files_type(shadow_t)
➔ init_system_domain(rwhod_t, rwhod_exec_t)
➔ corenet_tcp_connect_mssql_port(httpd_php_t)

8 SELinux Policy Modules
Allows users to easily customize policy
Allows third parties to ship policy with their rpms
Similar to kernel modules
● Recompile and reload

9 Policy Modules
Three Components
● Type Enforcement (TE) File
  ● Contains all the rules used to confine your application
● File Context (FC) File
  ● Contains the regular expression mappings for on-disk file contexts
● Interface (if) File
  ● Contains the interfaces defined so that other confined applications can interact with your confined application
Policy Package (pp)
● The compiler/packager generates the policy package that is installed on systems.

10 Building Policy Packages
Makefile
● # make -f /usr/share/selinux/devel/Makefile
Install
● # semodule -i rwhod.pp
Setup file context
● # restorecon -R /var/run/rwhod

11 Building Policy Packages
Lather, Rinse, Repeat
● Test the application
● Generate AVC messages
audit2allow
● Examines /var/log/audit/audit.log and /var/log/messages for AVC messages
● Searches the interface files for the correct interface
● If no interface is found, generates raw allow rules

12 audit2allow
time->Thu Apr 12 05:12:01 2007
type=PATH msg=audit(1176369121.794:1514): item=0 name="/usr/games/vultureseye/vultureseye.#prelink#.m8SXxq" inode=11960540 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1176369121.794:1514): cwd="/"
type=SYSCALL msg=audit(1176369121.794:1514): arch=40000003 syscall=5 success=no exit=-13 a0=bfe58b40 a1=80c2 a2=180 a3=180 items=1 ppid=1443 pid=1452 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=user_u:system_r:prelink_t:s0 key=(null)
type=AVC msg=audit(1176369121.794:1514): avc: denied { add_name } for pid=1452 comm="prelink" name="vultureseye.#prelink#.m8SXxq" scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

# audit2allow -i /var/log/audit/audit.log
allow prelink_t usr_t:dir add_name;

# audit2allow -R -i /var/log/audit/audit.log
require {
    type prelink_t;
}
files_rw_usr_dirs(prelink_t)

13 MOST IMPORTANT THING TO LEARN TODAY
audit2allow – Just MAKE IT WORK?????
# audit2allow -M myprelink -R -i /var/log/audit/audit.log
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i myprelink.pp
# ls myprelink*
myprelink.fc myprelink.if myprelink.pp myprelink.te
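To show what audit2allow does with the denial on the previous slide before it is handed a -M module name, here is an added example (not the presentation's or the audit2allow project's code) that parses AVC records, merges denials that share source type, target type and object class, and prints allow rules in the form shown on slide 12. The audit log is constructed inline: the first two records are the slide's, the last two are made up to exercise the merging; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample log: the PATH and AVC records from the slide, plus two
# made-up AVC records for the same prelink_t domain so merging is visible.
SAMPLE_AUDIT_LOG = """\
type=PATH msg=audit(1176369121.794:1514): item=0 name="/usr/games/vultureseye/vultureseye.#prelink#.m8SXxq" obj=system_u:object_r:usr_t:s0
type=AVC msg=audit(1176369121.794:1514): avc: denied { add_name } for pid=1452 comm="prelink" name="vultureseye.#prelink#.m8SXxq" scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1176369121.801:1515): avc: denied { write } for pid=1452 comm="prelink" name="vultureseye" dev=fd:00 ino=11960540 scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1176369121.900:1516): avc: denied { read } for pid=1460 comm="prelink" path="/usr/bin/example" scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# Only AVC records carry a denial; PATH, CWD and SYSCALL records do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, {perms}) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def generate_allow_rules(log_text):
    """Merge denials per (source, target, class) and emit allow rules, as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(generate_allow_rules(SAMPLE_AUDIT_LOG)))
```

Unlike audit2allow -R it does not search the interface files, so the output is the raw allow form, which is exactly the output a policy author still has to read and replace with an interface such as files_rw_usr_dirs where one exists.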

14 selinux-polgengui

15 Generates 4 files
● te, fc, if files
● sh file used to compile/load/set file context
selinux-polgengui is not an editor.
Required Fields
● Name
● Executable
● Application Type
Important Fields
● What files/directories does the application modify?

16 sepolgen
> sepolgen /usr/sbin/rwhod
Created the following files:
Type Enforcement file ./rwhod.te
Interface file ./rwhod.if
File Contexts file ./rwhod.fc
Setup Script ./rwhod.sh
# sh rwhod.sh

17 TreSys Slide – Eclipse Policy Editor

18 Let's Start Generating Policy
