Red Hat SummitChapter 8. Writing a custom SELinux policy
To run your applications confined by SELinux, you must write and use a custom policy.
8.2. Creating and enforcing an SELinux policy for a custom application
You can confine applications by SELinux to increase the security of host systems and users' data. Because each application has specific requirements, modify this example procedure for creating an SELinux policy that confines a simple daemon according to your use case.
Prerequisites
-
The
selinux-policy-develpackage and its dependencies are installed on your system.
Procedure
For this example procedure, prepare a simple daemon that opens the
/var/log/messagesfile for writing:Create a new file, and open it in a text editor of your choice:
vi mydaemon.c
$ vi mydaemon.cCopy to Clipboard Copied! Insert the following code:
#include <unistd.h> #include <stdio.h> FILE *f; int main(void) { while(1) { f = fopen("/var/log/messages","w"); sleep(5); fclose(f); } }#include <unistd.h> #include <stdio.h> FILE *f; int main(void) { while(1) { f = fopen("/var/log/messages","w"); sleep(5); fclose(f); } }Copy to Clipboard Copied! Compile the file:
gcc -o mydaemon mydaemon.c
$ gcc -o mydaemon mydaemon.cCopy to Clipboard Copied! Create a
systemdunit file for your daemon:vi mydaemon.service
$ vi mydaemon.service [Unit] Description=Simple testing daemon [Service] Type=simple ExecStart=/usr/local/bin/mydaemon [Install] WantedBy=multi-user.targetCopy to Clipboard Copied! Install and start the daemon:
cp mydaemon /usr/local/bin/ cp mydaemon.service /usr/lib/systemd/system systemctl start mydaemon systemctl status mydaemon
# cp mydaemon /usr/local/bin/ # cp mydaemon.service /usr/lib/systemd/system # systemctl start mydaemon # systemctl status mydaemon ● mydaemon.service - Simple testing daemon Loaded: loaded (/usr/lib/systemd/system/mydaemon.service; disabled; vendor preset: disabled) Active: active (running) since Sat 2020-05-23 16:56:01 CEST; 19s ago Main PID: 4117 (mydaemon) Tasks: 1 Memory: 148.0K CGroup: /system.slice/mydaemon.service └─4117 /usr/local/bin/mydaemon May 23 16:56:01 localhost.localdomain systemd[1]: Started Simple testing daemon.Copy to Clipboard Copied! Check that the new daemon is not confined by SELinux:
ps -efZ | grep mydaemon
$ ps -efZ | grep mydaemon system_u:system_r:unconfined_service_t:s0 root 4117 1 0 16:56 ? 00:00:00 /usr/local/bin/mydaemonCopy to Clipboard Copied!
Generate a custom policy for the daemon:
sepolicy generate --init /usr/local/bin/mydaemon
$ sepolicy generate --init /usr/local/bin/mydaemon Created the following files: /home/example.user/mysepol/mydaemon.te # Type Enforcement file /home/example.user/mysepol/mydaemon.if # Interface file /home/example.user/mysepol/mydaemon.fc # File Contexts file /home/example.user/mysepol/mydaemon_selinux.spec # Spec file /home/example.user/mysepol/mydaemon.sh # Setup ScriptCopy to Clipboard Copied! Rebuild the system policy with the new policy module using the setup script created by the previous command:
./mydaemon.sh
# ./mydaemon.sh Building and Loading Policy + make -f /usr/share/selinux/devel/Makefile mydaemon.pp Compiling targeted mydaemon module Creating targeted mydaemon.pp policy package rm tmp/mydaemon.mod.fc tmp/mydaemon.mod + /usr/sbin/semodule -i mydaemon.pp ...Copy to Clipboard Copied! Note that the setup script relabels the corresponding part of the file system using the
restoreconcommand:restorecon -v /usr/local/bin/mydaemon /usr/lib/systemd/system
restorecon -v /usr/local/bin/mydaemon /usr/lib/systemd/systemCopy to Clipboard Copied! Restart the daemon, and check that it now runs confined by SELinux:
systemctl restart mydaemon ps -efZ | grep mydaemon
# systemctl restart mydaemon $ ps -efZ | grep mydaemon system_u:system_r:mydaemon_t:s0 root 8150 1 0 17:18 ? 00:00:00 /usr/local/bin/mydaemonCopy to Clipboard Copied! Because the daemon is now confined by SELinux, SELinux also prevents it from accessing
/var/log/messages. Display the corresponding denial message:ausearch -m AVC -ts recent
# ausearch -m AVC -ts recent ... type=AVC msg=audit(1590247112.719:5935): avc: denied { open } for pid=8150 comm="mydaemon" path="/var/log/messages" dev="dm-0" ino=2430831 scontext=system_u:system_r:mydaemon_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1 ...Copy to Clipboard Copied! You can get additional information also using the
sealerttool:sealert -l "*" ausearch -c 'mydaemon' --raw | audit2allow -M my-mydaemon semodule -X 300 -i my-mydaemon.pp
$ sealert -l "*" SELinux is preventing mydaemon from open access on the file /var/log/messages. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mydaemon should be allowed open access on the messages file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mydaemon' --raw | audit2allow -M my-mydaemon # semodule -X 300 -i my-mydaemon.pp Additional Information: Source Context system_u:system_r:mydaemon_t:s0 Target Context unconfined_u:object_r:var_log_t:s0 Target Objects /var/log/messages [ file ] Source mydaemon …Copy to Clipboard Copied! Use the
audit2allowtool to suggest changes:ausearch -m AVC -ts recent | audit2allow -R
$ ausearch -m AVC -ts recent | audit2allow -R require { type mydaemon_t; } #============= mydaemon_t ============== logging_write_generic_logs(mydaemon_t)Copy to Clipboard Copied! Because rules suggested by
audit2allowcan be incorrect for certain cases, use only a part of its output to find the corresponding policy interface. Inspect thelogging_write_generic_logs(mydaemon_t)macro with themacro-expandertool, to see all allow rules the macro provides:macro-expander "logging_write_generic_logs(mydaemon_t)"
$ macro-expander "logging_write_generic_logs(mydaemon_t)" allow mydaemon_t var_t:dir { getattr search open }; allow mydaemon_t var_log_t:dir { getattr search open read lock ioctl }; allow mydaemon_t var_log_t:dir { getattr search open }; allow mydaemon_t var_log_t:file { open { getattr write append lock ioctl } }; allow mydaemon_t var_log_t:dir { getattr search open }; allow mydaemon_t var_log_t:lnk_file { getattr read };Copy to Clipboard Copied! In this case, you can use the suggested interface, because it only provides read and write access to log files and their parent directories. Add the corresponding rule to your type enforcement file:
echo "logging_write_generic_logs(mydaemon_t)" >> mydaemon.te
$ echo "logging_write_generic_logs(mydaemon_t)" >> mydaemon.teCopy to Clipboard Copied! Alternatively, you can add this rule instead of using the interface:
echo "allow mydaemon_t var_log_t:file { open write getattr };" >> mydaemon.te$ echo "allow mydaemon_t var_log_t:file { open write getattr };" >> mydaemon.teCopy to Clipboard Copied! Reinstall the policy:
./mydaemon.sh
# ./mydaemon.sh Building and Loading Policy + make -f /usr/share/selinux/devel/Makefile mydaemon.pp Compiling targeted mydaemon module Creating targeted mydaemon.pp policy package rm tmp/mydaemon.mod.fc tmp/mydaemon.mod + /usr/sbin/semodule -i mydaemon.pp ...Copy to Clipboard Copied!
Verification
Check that your application runs confined by SELinux, for example:
ps -efZ | grep mydaemon
$ ps -efZ | grep mydaemon system_u:system_r:mydaemon_t:s0 root 8150 1 0 17:18 ? 00:00:00 /usr/local/bin/mydaemonCopy to Clipboard Copied! Verify that your custom application does not cause any SELinux denials:
ausearch -m AVC -ts recent
# ausearch -m AVC -ts recent <no matches>Copy to Clipboard Copied!
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}