
SE Linux in Action

PCQ Bureau

Last month's article on SE Linux (Enhancing Security in Linux, page 102) gave you a basic idea of it. In this article we will see how you can create and implement your own SE Linux policies.


As the name suggests, a policy is a set of rules that defines which user can enter which role and access which applications. A policy can also define how an application interacts with other applications and users. The default policy in SE Linux is 'deny all', which means you have to explicitly give permission for each operation.

How policies are created

In last month's article, you would have noticed that to add a role to a newly created user, we first edited the '/etc/security/selinux/src/policies/users' file and then ran the 'make' command to compile the policy.

Direct Hit!
Applies to: Linux administrators
USP: Use SE Linux to create security policies for your Linux system
Links: www.nsa.gov/selinux/info/docs.cfm

The different files in '/etc/security/selinux/src/policies' are the components of the SE Linux policy. When we passed some values to them and started compiling, the m4 macro processor was applied first and the policy.conf file was created; then the checkpolicy compiler compiled it into a binary file named policy.version ('.version' is the auto-generated version number of the policy file). These policy files were loaded at the next reboot to enforce the policy.



Understanding and creating new policies is quite complicated and needs in-depth knowledge of SE Linux. But we will go through some simple examples that give an idea of how to modify an SE Linux policy.

Let's do it



We assume that you have a thorough understanding of SE Linux terminology. Now let's start by changing the access rights on some directories. For example, take the /boot folder. By default this folder should not be accessible to a user who is a member of the user_t domain.

So, check the type of the /boot folder by running the following command.


#ls -Z /

This command shows the context of every file and folder in the / directory. The last part of the context is the type of the file or folder, so the /boot folder will show a context like

system_u:object_r:boot_t
This means the type of the /boot folder is 'boot_t'. Now create a new domain file under the folder /etc/security/selinux/src/policy/domains/misc, give it any custom name, say test.te, and add the following lines to the file.


#My first policy rule (any comment you want)
r_dir_file(user_t,boot_t)

The rule line has three parts: 'r_dir_file' is the macro saying that the folder should be read-only and browsable, 'user_t' is the type (domain) of the user for which the rule takes effect, and 'boot_t' is the type of the folder.

To test this single-line configuration, compile and load the policy by running the following commands.


#cd /etc/security/selinux/src/policy/
#make load

Then su to any user who is a member of the user_t domain. If you remember, we created such a user in our last article and called it seuser. So, su to seuser and try to run the ls command on the /boot folder, and see the magic of that single line. You can also give write access to any directory by just changing r_dir_file to rw_dir_file.
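As an added example (not from the article), the shell functions below take an AVC denial line from the audit log, pull the source and target types out of their contexts, and produce the r_dir_file or rw_dir_file macro line used above; the audit line and the permission-to-macro mapping are constructed for illustration. A rule produced this way is a starting point for review, not something to load unread, since it grants exactly what was denied.

```shell
#!/bin/sh
# Added example: map an AVC denial to the r_dir_file / rw_dir_file macro.
# Not part of the PCQuest article; the sample audit line is constructed.

# Type field of a security context: "boot_t" from "system_u:object_r:boot_t"
# and also from the newer four-field form "system_u:object_r:boot_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of a "key=value" pair (e.g. scontext, tcontext, tclass) in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Permissions listed inside the braces: "{ read search }" -> "read search".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Print the macro line for a denial on a dir or file object.
# Any write-type permission selects rw_dir_file, otherwise r_dir_file.
# Returns 1 and prints nothing for other object classes, because these
# macros only cover directories and the files inside them.
rule_for_denial() {
    line=$1
    class=$(avc_field "$line" tclass)
    case $class in dir|file) ;; *) return 1 ;; esac
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    macro=r_dir_file
    for p in $(avc_perms "$line"); do
        case $p in
            write|append|create|unlink|add_name|remove_name|rename|rmdir)
                macro=rw_dir_file ;;
        esac
    done
    printf '%s(%s,%s)\n' "$macro" "$src" "$tgt"
}

# Constructed denial, as seuser (user_t) listing /boot (boot_t) would log it.
SAMPLE_DENIAL='avc:  denied  { read } for  pid=1234 exe=/bin/ls name=boot dev=hda1 ino=2 scontext=user_u:user_r:user_t tcontext=system_u:object_r:boot_t tclass=dir'

rule_for_denial "$SAMPLE_DENIAL"
```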


But remember that if standard Linux security (the ordinary file permissions) does not allow an access you have granted with SE Linux, you will still not be able to perform it: in every case the user ends up with the lesser of the two sets of rights.

This was a small example of creating your own rule in SE Linux. For more details you can refer to www.nsa.gov/selinux/info/docs.cfm.

Anindya Roy


Some third-party tools

As SE Linux gains popularity in the Linux developer community, new tools are being added to the SE Linux toolset. So, we decided to carry some GUI and command-line tools on this month's PCQEssential CD. You will find a source tarball containing a set of SE Linux utilities for graphically creating SE Linux users, auditing logs, and analyzing and compiling policies. The tarball contains the following tools:

  • Apol: Analyze an SE Linux policy (GUI)
  • SeAudit: Analyze audit messages from SE Linux (GUI)
  • SeCmds: Analyze an SE Linux policy and search/replace file contexts
  • SeUser: GUI and command-line 'user manager' for SE Linux
  • SePCuT: Customize an SE Linux policy (GUI)