Understanding SELinux, Part 5

For those of us inclined to use the GUI, sealert can be started in GUI mode by giving the following command:

[root@vbg selinux]# sealert -b &

Please refer to Figure 2 below, which shows the output for the same error graphically in the browser.

Figure 2: sealert can also show errors in a graphical window

The setroubleshoot RPM also includes an init script called setroubleshoot. If you enable this script at startup using the chkconfig utility, setroubleshoot runs as a daemon in the background.

Every time an AVC denial occurs, a pop-up appears in the system tray (assuming you are working in GUI mode). This helps systems administrators troubleshoot SELinux errors on the fly.

At times, you might not want to accept the solution suggested by the sealert tool and would rather create your own allow rules in the SELinux policy. For example, I might want my Web server, httpd, to be able to read files of type tmp_t, rather than restrict it to reading only files of type httpd_sys_content_t.

In such situations, a new allow rule will have to be added to the security policy. This allow rule will permit a subject of type httpd_t to read object files of type tmp_t.

This gives you great flexibility in creating your own security environment, rather than just following the standard policies that came with the system. At other times, you will need to create security policies for other applications that you may have installed on your system, for example, an Oracle database.

Do you need to build the entire SELinux policy for this?

That would appear to be an uphill task for most systems administrators. Therefore, SELinux allows sysadmins to create their own modules.

Instead of modifying the core policy, you can build modules of your own that can be loaded on top of the core policy. In these modules, you can declare your own types and rules.
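As an added example (not part of the original article), the following script puts the allow rule discussed above into a small policy module and loads it on top of the core policy. The module name httpd_read_tmp is an assumption; the checkmodule, semodule_package and semodule commands are the standard policy tools, and directory search permission on tmp_t is included because reading a file also requires traversing its directory.

```shell
#!/bin/sh
# Added example: a minimal SELinux policy module that lets the httpd_t
# subject read files of type tmp_t. Module name is made up for this example.
# Requires checkmodule, semodule_package and semodule (policycoreutils/
# checkpolicy packages) and must be run as root on an SELinux host.

MODULE_NAME="httpd_read_tmp"

# Write the type-enforcement (.te) source of the module to the given path.
write_te_module() {
    out="$1"
    cat > "$out" <<EOF
module ${MODULE_NAME} 1.0;

require {
    type httpd_t;
    type tmp_t;
    class dir { read search getattr open };
    class file { read getattr open };
}

# Subject httpd_t may traverse directories and read files of type tmp_t.
# The permission set is deliberately read-only: no write, create or unlink,
# so the rule widens what the Web server can see as little as possible.
allow httpd_t tmp_t:dir { read search getattr open };
allow httpd_t tmp_t:file { read getattr open };
EOF
}

# Compile the .te source into a binary module (-M enables MLS/MCS support,
# which the targeted policy uses), package it and load it with semodule.
build_and_load_module() {
    te="$1"
    base="${te%.te}"
    checkmodule -M -m -o "${base}.mod" "$te" || return 1
    semodule_package -o "${base}.pp" -m "${base}.mod" || return 1
    semodule -i "${base}.pp" || return 1
    # Confirm the module now appears in the list of loaded modules.
    semodule -l | grep -q "^${MODULE_NAME}"
}

# Usage on an SELinux host (uncomment to run):
# write_te_module "/tmp/${MODULE_NAME}.te"
# build_and_load_module "/tmp/${MODULE_NAME}.te"
```

After loading, a denial for httpd_t reading a tmp_t file should no longer appear in the audit log; `semodule -r httpd_read_tmp` removes the module again.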

In the next article in the series, we will look at creating SELinux modules, compiling them and loading them.
