Understanding SELinux, Part 7

This has successfully created our upgraded policy package. Thus the important points to remember while creating the code for a policy module are:

  1. Declare every type that already exists in the loaded policy inside a require block in the source file.
  2. Declare every new type the module introduces outside the require block.

Let us now upgrade the version in the policy and check:

[root@vbg test-selinux]# semodule -u test.pp
[root@vbg test-selinux]# semodule -u test.pp
[root@vbg test-selinux]# semodule -l | grep test
test	1.1

That shows that our latest version is now loaded.

Let us now try to re-label /var/www/html/index.html from httpd_sys_content_t to lfy_t:

[root@vbg test-selinux]# setenforce 1
[root@vbg test-selinux]# chcon -t lfy_t /var/www/html/index.html
chcon: cannot access `/var/www/html/index.html': Permission denied

Again, there are more errors! Is SELinux simply too cumbersome to troubleshoot? How long must we keep reading these denials and writing rules for them by hand? That would be a demotivating and time-consuming task. Fortunately, a splendid tool called audit2allow comes to our rescue.

audit2allow generates SELinux policy allow rules from the audit log entries of denied operations (the AVC denials). It parses the log file and emits one allow rule for each source type, target type and object class that was denied, listing the permissions that were refused.

Let us repeat the above steps to generate AVC denial records in the audit log file.

[root@vbg test-selinux]# setenforce 0
[root@vbg test-selinux]# > /var/log/audit/audit.log
[root@vbg test-selinux]# cat /var/log/audit/audit.log | audit2allow

#============= unconfined_t ==============
allow unconfined_t lfy_t:file getattr;

audit2allow has many helpful options; do go through its man page in detail. To generate the require block for the types and classes that already exist in the loaded policy, use the -r option of audit2allow:

[root@vbg test-selinux]# cat /var/log/audit/audit.log | audit2allow -r

require {
	type unconfined_t;
	type lfy_t;
	class file getattr;
}

#============= unconfined_t ==============
allow unconfined_t lfy_t:file getattr;

We can append these require statements and allow rules to our policy module source file:

[root@vbg test-selinux]# cat /var/log/audit/audit.log | audit2allow -r >> /home/vbg/test-selinux/test.te

All we need to do now is edit the resulting test.te file: remove type lfy_t from the require block (our module declares that type itself, so it must not also be listed as required) and merge everything into a single require block. Finally, our test.te should look like the one below:

[vbg@vbg test-selinux]$ cat test.te
policy_module(test, 1.1.1)

require {
	type unconfined_t;
	type fs_t;
	class file getattr;
}

type lfy_t;

allow unconfined_t lfy_t : file { relabelto };
allow lfy_t fs_t : filesystem { associate };
allow unconfined_t lfy_t:file getattr;
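To make concrete what audit2allow does when it turns AVC denials into a require block and allow rules, and what the hand edit above achieves by dropping lfy_t from the require block, here is an added example in POSIX sh and awk. It is not part of the original article and it is not the audit2allow tool; the function name avc_to_policy and the sample audit records are constructed for this example. It reads records in audit.log format from standard input, groups the denied permissions by source type, target type and object class, and prints a require block followed by allow rules. Any types passed as arguments are treated as declared by the module itself and left out of the require block, which is exactly the edit made to test.te above.

```shell
#!/bin/sh
# Added example (not from the article, not the audit2allow tool): a minimal
# AVC-denial-to-policy generator in POSIX sh + awk.

# Constructed sample audit records in the format written to
# /var/log/audit/audit.log; pids, inodes and timestamps are made up.
SAMPLE_AVC='type=AVC msg=audit(1262304000.100:101): avc:  denied  { getattr } for  pid=1234 comm="chcon" path="/var/www/html/index.html" dev=sda1 ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lfy_t:s0 tclass=file
type=AVC msg=audit(1262304000.200:102): avc:  denied  { relabelto } for  pid=1234 comm="chcon" path="/var/www/html/index.html" dev=sda1 ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lfy_t:s0 tclass=file
type=AVC msg=audit(1262304000.300:103): avc:  denied  { associate } for  pid=1234 comm="chcon" name="index.html" dev=sda1 ino=5678 scontext=system_u:object_r:lfy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1262304000.300:103): arch=c000003e syscall=188 success=no exit=-13 comm="chcon"'

# avc_to_policy [TYPE ...]
# Reads audit records on stdin, writes a require block and allow rules.
# Every TYPE argument is a type the module declares itself ("type lfy_t;"),
# so it is omitted from the require block, exactly the hand edit the article
# makes after appending audit2allow -r output.
avc_to_policy() {
    awk -v declared="$*" '
    BEGIN {
        n = split(declared, d, " ")
        for (i = 1; i <= n; i++) own[d[i]] = 1
    }
    /^type=AVC / && / denied / {
        # the denied permissions sit between the braces
        b = index($0, "{"); e = index($0, "}")
        if (b == 0 || e <= b) next
        perms = substr($0, b + 1, e - b - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/)      { split(substr($i, 10), p, ":"); src = p[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        # one allow rule per (source type, target type, class), in first-seen order
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in allowed)) { keys[++nkeys] = key; allowed[key] = "" }
        m = split(perms, pl, " ")
        for (j = 1; j <= m; j++) {
            if (!((key, pl[j]) in seen)) {
                seen[key, pl[j]] = 1
                allowed[key] = allowed[key] (allowed[key] == "" ? "" : " ") pl[j]
            }
            # the require block must name every class and permission we use
            if (!((cls, pl[j]) in cseen)) {
                cseen[cls, pl[j]] = 1
                cperms[cls] = cperms[cls] (cperms[cls] == "" ? "" : " ") pl[j]
            }
        }
        # types the module declares itself are never "required"
        if (!(src in types) && !(src in own)) { types[src] = 1; tlist[++nt] = src }
        if (!(tgt in types) && !(tgt in own)) { types[tgt] = 1; tlist[++nt] = tgt }
        if (!(cls in classes)) { classes[cls] = 1; clist[++nc] = cls }
    }
    END {
        print "require {"
        for (i = 1; i <= nt; i++) print "\ttype " tlist[i] ";"
        for (i = 1; i <= nc; i++) print "\tclass " clist[i] " { " cperms[clist[i]] " };"
        print "}"
        print ""
        for (i = 1; i <= nkeys; i++) {
            split(keys[i], f, SUBSEP)
            print "allow " f[1] " " f[2] ":" f[3] " { " allowed[keys[i]] " };"
        }
    }'
}

# Stand-alone run: lfy_t is the type our module declares, so it is excluded
# from the require block.
printf '%s\n' "$SAMPLE_AVC" | avc_to_policy lfy_t
```

With the sample records this prints a require block naming unconfined_t and fs_t, the classes file and filesystem with their permissions, and then the two allow rules, matching the rules in the test.te listing above. Feeding it a real log works the same way (grep AVC /var/log/audit/audit.log | avc_to_policy lfy_t), but unlike audit2allow it knows nothing about the loaded policy, so it cannot tell you which of the generated rules are already granted by the reference-policy interfaces that policy_module() pulls in.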

All we need to do now is compile and load this policy module:

[vbg@vbg test-selinux]$ make test.pp
Compiling targeted test module
/usr/bin/checkmodule:  loading policy configuration from tmp/test.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/test.mod
Creating targeted test.pp policy package
rm tmp/test.mod.fc tmp/test.mod

[root@vbg test-selinux]# semodule -u test.pp
[root@vbg test-selinux]# semodule -l | grep test
test	1.1.1

[root@vbg test-selinux]# setenforce 1
[root@vbg test-selinux]# chcon -t lfy_t /var/www/html/index.html
[root@vbg test-selinux]# ls -lZ /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:lfy_t:s0       /var/www/html/index.html

Finally, with the help of the wonderful audit2allow tool, we have been able to re-label /var/www/html/index.html to the type lfy_t. Can we now view this file through Apache?

[root@vbg ~]# elinks --dump http://localhost
                                   Forbidden

   You don't have permission to access / on this server.

   --------------------------------------------------------------------------

    Apache/2.2.13 (Fedora) Server at localhost Port 80

Changing the security context type from httpd_sys_content_t to lfy_t has caused this SELinux denial: the httpd policy allows Apache to read files of type httpd_sys_content_t, but nothing yet allows the httpd domain to read files of type lfy_t. The setroubleshoot daemon popped up and recommended running restorecon on /var/www/html/index.html to restore its original context.

As a simple exercise, it is left to you to modify the policy module to permit the httpd service read access to files of type lfy_t. Remember the rules covered above, and use audit2allow to generate the required source.

In the next article of this series, we will look at how to set default security contexts for files using policy modules. We will also use policy modules to set rules that will automatically assign the type lfy_t to all files created in the Apache DocumentRoot folder.
