Selinux basic guide


alpha645
2007-02-07, 07:48 AM CST
Selinux howto

In this howto we are doing the following:
- Learning how to use Selinux
- Creating our own targeted policy
- Editing our own policy by adding self-made modules
- Creating our own modules for daemons

This guide allows you to use selinux policies without knowing all about contexts, modules (a little about modules) and all that. That is handled by a program called audit2allow. It will translate the denied errors to a rule that would allow the same code that was blocked before. Then you put these 'translated' rules into a separate module and insert that into selinux. So, things that were denied by the standard policy are now allowed by the extra module you added. In that way, you don't directly edit the policy, which allows you to quickly change the rules by simply adding and removing modules instead of editing the policy.

Note that this howto only works for Fedora Core 5 and higher. Fedora Core 4 and lower have no support for modules (Selinux is monolithic (google that)).

Selinux can be seen as some sort of extra security layer that provides flexible access control for programs inside Linux. Since we are using the 'targeted' policy, only certain daemons (programs that nearly always run in the background and other vulnerable programs) are monitored. Selinux uses so called labels and rights and stuff. Learning this is a good thing, but one hell of a job.

First, we are going to recompile the entire selinux policy. Why? The standard policy has most modules included in the base, so they cannot be modified or removed. If you read correctly you should notice that we are not editing the policy directly, but we are still going to put them in modules. That is because you can remove these modules after the compilation. This has the advantage that it can save you a lot of memory. First, we are starting the compilation of the new policy.

su -

yum -y install checkpolicy m4 policycoreutils fedora-rpmdevtools gcc make rpmdevtools
wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/SRPMS/selinux-policy-2.4.6-35.fc6.src.rpm
cp -a /usr/src/redhat/ rpmbuild
fedora-buildrpmtree
rpm -Uvh selinux-policy-2.4.6-35.fc6.src.rpm
gedit /root/rpmbuild/SOURCES/modules-targeted.conf

Important note: The policy I download here is the most recent for now. The link could get outdated and is meant for FC6 users.

With the commands above, wget downloads the source, then some stuff prepares the build. And finally I open up a file in gedit (use another editor if you don't have one). This file specifies which modules need to be built in (not editable and not removable) and which ones need to be used as a module. I suggest you use the one I attached. This one builds everything as a module, except for the ones that can only be built as base. It also sets setrans = off, because it gave me problems.

gedit /root/rpmbuild/SPECS/selinux-policy.spec

You should see something like (edit it according to the instructions and the current policy):

%define distro redhat
%define polyinstatiate n
%define monolithic n
%if %{?BUILD_STRICT:0}%{!?BUILD_STRICT:1}
%define BUILD_STRICT 1 # set this to 0 if you don't need it (recommended)
%endif
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
%define BUILD_TARGETED 1
%endif
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
%define BUILD_MLS 1 # set this to 0 if you don't need it (recommended)
%endif
%define POLICYVER 21
%define libsepolver 1.12.26-1
%define POLICYCOREUTILSVER 1.33.6-3
%define CHECKPOLICYVER 1.30.11-1
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
Release: 36%{?dist} # Make this '36.fc6'. Do this so that yum won't overwrite your policy with the current version (always +1) (recommended)
<<<other non-relevant stuff>>>

>>>If your policy is still on yum's update list (which means you did something wrong above), simply update but exclude these packages with this:

yum update -x selinux-policy-targeted -x selinux-policy -x selinux-policy-devel<<<

Now, let's build the package with your customisations.

rpmbuild -bb /root/rpmbuild/SPECS/selinux-policy.spec

This process ends with something like
Wrote: /root/rpmbuild/RPMS/noarch/selinux-policy-2.4.6-36.fc6.noarch.rpm
Wrote: /root/rpmbuild/RPMS/noarch/selinux-policy-devel-2.4.6-36.fc6.noarch.rpm
Wrote: /root/rpmbuild/RPMS/noarch/selinux-policy-targeted-2.4.6-36.fc6.noarch.rpm

Then you just have to remove the older packages, set selinux to permissive and install the new packages:

yum -y remove selinux-policy selinux-policy-targeted selinux-policy-devel
setenforce 0
cd /root/rpmbuild/RPMS/noarch/
rpm -i *.*
gedit /etc/selinux/config

In the file that opens make sure that:

SELINUX=permissive

and NOT

SELINUX=enforcing. Because you changed the policy your way, you might get some violations during boot. But these violations would only be blocked if selinux=enforcing. That could cause your machine not to boot. If your machine doesn't boot anymore because of this, add selinux=0 as a boot parameter.

Reboot.

Once you are back in:

dmesg -c

Now, 'misbehave', do everything Selinux would block or deny. Everything that selinux blocked should work now. After you are done, do this:

dmesg; audit2allow -d -M dummy; semodule -i dummy.pp; setenforce 1

This will load all the denied messages from dmesg, translate them to the rules that would allow them, and put those rules into a module called 'dummy'. Then semodule inserts that module into Selinux. And finally, we enable selinux to block everything that would violate its policy. That's basically it; do this per program so you can edit things a lot faster. Down below, I'll give some more info.

To enable 'setenforce 1' at boot, simply run system-config-securitylevel, go to the selinux tab and, in the dropdown menu, click 'enforcing'. This will determine in what state Selinux will boot at start. Enforcing means blocking when violating the policy. 'Permissive' will allow everything and only prints AVC (the denied) messages.
Semodule is the manager for the modules. 'semodule -l' lists all loaded modules. 'semodule -r <modulename>' removes a module. 'semodule -i <path to .pp file>' installs a module.
You can also create your own policies for a daemon:
Policies

1. Use the policygentool command to generate your own te, fc and if files. The policygentool command takes two parameters: the name of the policy module and the full path to the executable. The following command gives a usage example:

/usr/share/selinux/devel/policygentool <modulename.pp (bittorrent.pp)> <path to daemon (/usr/bin/bittorrent)>

It will prompt you for a few common domain characteristics, and will create three files: mydaemon.te, mydaemon.fc and mydaemon.if.
2. After you generate the policy files, use the supplied Makefile, /usr/share/selinux/devel/Makefile, to build a policy package (mydaemon.pp):

make -f /usr/share/selinux/devel/Makefile

3. Now you can load the policy module, using semodule, and relabel the executable using restorecon:

semodule -i modulename.pp (bittorrent.pp)
restorecon -v <again the same path to module (/usr/bin/bittorrent)>

4. Since you have very limited policy for your executable, SELinux will prevent it from doing much. Turn on permissive mode and then use the init script to start your daemon:

setenforce 0

Now, start the daemon, collect any AVC messages and insert those as a separate module. After you did that, re-enable Selinux (setenforce 1). You are done :) .

Note: system-config-securitylevel contains some extra options (below, like admin, samba, ppp etc). These are booleans; use those too. Allowing the process with these booleans is a lot easier, so you better try that before (plus, they can also 'override' custom rules). Well, that's all I know for now :) .
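The audit2allow step above (dmesg denials to a 'dummy' module, and the same collect-and-insert step at the end of the policygentool procedure), as an added example that is not part of the original post: a small POSIX shell version of the translation, the module wrapping that -M does, and a review pass the howto leaves out before semodule -i. The AVC lines, the bittorrent_t type and the watch list are constructed for this example.

```shell
#!/bin/sh
# Constructed AVC denials as they appear in dmesg / audit.log on FC6
# (sample data written for this example, not captured from a real host).
SAMPLE_AVCS='audit(1170800000.123:45): avc:  denied  { read write } for  pid=1234 comm="bittorrent" name="resolv.conf" dev=sda1 ino=12345 scontext=user_u:system_r:bittorrent_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
audit(1170800000.456:46): avc:  denied  { name_connect } for  pid=1234 comm="bittorrent" dest=6881 scontext=user_u:system_r:bittorrent_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1170800000.789:47): avc:  denied  { read } for  pid=1234 comm="bittorrent" name="shadow" dev=sda1 ino=4242 scontext=user_u:system_r:bittorrent_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Step 1 (what audit2allow does): one allow rule per denial, built from the
# source type, target type, object class and the denied permissions.
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1};/p' |
        sort -u
}

# Step 2 (what audit2allow -M adds): wrap the rules in module source with a
# require {} block; checkmodule rejects types and classes not declared there.
rules_to_te() {
    awk -v name="$1" '
        { rules[NR] = $0; split($3, tc, ":"); types[$2] = 1; types[tc[1]] = 1
          perms = $0; sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
          n = split(perms, p, " ")
          for (i = 1; i <= n; i++)
              if (!((tc[2], p[i]) in seen)) { seen[tc[2], p[i]] = 1; cls[tc[2]] = cls[tc[2]] " " p[i] } }
        END { printf "module %s 1.0;\n\nrequire {\n", name
              for (t in types) printf "\ttype %s;\n", t
              for (c in cls) printf "\tclass %s {%s };\n", c, cls[c]
              print "}\n"
              for (i = 1; i <= NR; i++) print rules[i] }'
}

# Step 3 (the part the howto skips): read the generated rules before
# semodule -i. A denial is not noise to be silenced; a daemon that reads
# shadow_t or wants execmem needs fixing, not an allow rule. The watch
# list here is a constructed example, not an exhaustive audit.
review_rules() {
    awk '/shadow_t|security_t|selinux_config_t|execmem|execmod|sys_module|setenforce/ { print "REVIEW: " $0; next }
         { print "ok:     " $0 }'
}

printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow | review_rules
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow | rules_to_te dummy
```

The real tool also folds rules into policy interfaces and merges permission sets per type pair; this version only shows the shape of what ends up in dummy.te so you know what you are inserting.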

Peter_APIIT
2007-02-08, 06:00 AM CST
What is seLinux ?

Mat
2007-02-08, 07:26 AM CST
http://en.wikipedia.org/wiki/Selinux

Mat

nick.stumpos
2007-02-08, 07:32 AM CST
Decent guide. I'm actually writing a how-to for selinux myself, should be in analog5 later this month, I'll post a link if I ever finish. SElinux is a concept I find quite interesting.

funtomas
2007-03-17, 01:18 AM CDT
Good guide. I learned something from this guide.

So did you try <SELinux Troubleshooter>? Sometimes I have a problem when it can't connect to the server.

alpha645
2007-03-17, 10:37 AM CDT
Good guide. I learned something from this guide.

So did you try <SELinux Troubleshooter>? Sometimes I have a problem when it can't connect to the server.

Well, I saw the Selinux Troubleshooter shoot by sometimes. But I don't use it, I create the rules with audit2allow, no trouble so far :D