Chapter 8. Customizing and Writing Policy
New Policy Writing Procedure
1. Work with a proper daemon under Red Hat Enterprise Linux. This means it has an initscript in /etc/init.d/ and can be managed using chkconfig. For example, this procedure assumes you are going to use the service command to control starting and stopping the daemon.

   For this procedure, you are writing policy for the fictional foo package and its associated foo daemon. Use a real daemon name in this place when developing your own policy.

2. Create a file at $SELINUX_SRC/domains/program/foo.te.

3. Put the daemon domain macro call in the file:

       daemon_domain(foo)

4. Create the file contexts file, $SELINUX_SRC/file_contexts/program/foo.fc.

5. Put the first list of file contexts in foo.fc. You may need to add to this later, depending on the needs of the foo daemon.

       /usr/bin/foo        system_u:object_r:foo_exec_t
       /var/run/foo.pid    system_u:object_r:foo_var_run_t
       /etc/foo.conf       system_u:object_r:foo_conf_t

6. Load the new policy with make load.

7. Label the foo files:

       restorecon /usr/bin/foo /var/run/foo.pid /etc/foo.conf

8. Start the daemon, service foo start.
9. Examine your audit log for denial messages:

       grep "avc: denied" /var/log/messages > /tmp/avc_denials
       cat /tmp/avc_denials

   Familiarize yourself with the errors the daemon is generating. You are writing policy with the help of audit2allow, but you need to understand the nature of the denials. You can also use seaudit for viewing the log messages, as explained in Section 6.2 Using seaudit for Audit Log Analysis.

10. Use audit2allow to start the first round of policy rules.

       audit2allow -l -i /var/log/messages -o \
       /etc/selinux/targeted/src/policy/domains/program/foo.te

   When looking at the generated rules, if you see a rule that gives the foo_t domain read access to a file or directory, change the permission to { read getattr }. The domain is likely to need that permission if it already wants to read a file.
11. Look to see if the foo_t domain tries to create a network socket, that is, udp_socket or tcp_socket as the object class in the AVC denial:

       avc: denied { create } for pid=7279 exe=/usr/bin/foo \
       scontext=root:system_r:foo_t tcontext=root:system_r:foo_t \
       tclass=udp_socket

   If this is the case, then add the can_network() macro to foo.te:

       can_network(foo_t)

12. Continue to iterate through the basic steps to generate all the rules you need. Each set of rules added to the policy may reveal additional permission needs from the foo_t domain.

   a. Start the daemon.
   b. Read the AVC messages.
   c. Write policy from the AVC messages, using audit2allow and your own knowledge, looking for chances to use macros.
   d. Load new policy.
   e. Go back to beginning, starting the daemon ...
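The loop in steps 9 through 12 is mechanical enough to be worth seeing as code. The following is an added example, not part of the guide and not the code of audit2allow itself: it parses AVC denial lines in the format shown in step 11, merges the denied permissions per (source type, target type, object class), and applies the two rules of thumb from steps 10 and 11, namely widening a file or directory read to { read getattr } and replacing a raw udp_socket/tcp_socket create rule with the can_network() macro. The log lines are constructed for the fictional foo daemon; the function names parse_denials and generate_rules are this example's own. Reviewing the output before pasting it into foo.te is still the point of the procedure: the script only makes the denials easier to read, it does not decide whether each access is legitimate.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines for the fictional foo daemon,
# in the AVC format shown in step 11. These are not real log entries.
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: audit(1105358401.123:1): avc:  denied  { read } for  pid=7279 exe=/usr/bin/foo name=foo.conf dev=hda2 ino=12345 scontext=root:system_r:foo_t tcontext=system_u:object_r:foo_conf_t tclass=file
Jan 10 12:00:01 host kernel: audit(1105358401.124:2): avc:  denied  { create } for  pid=7279 exe=/usr/bin/foo scontext=root:system_r:foo_t tcontext=root:system_r:foo_t tclass=udp_socket
Jan 10 12:00:02 host kernel: audit(1105358402.100:3): avc:  denied  { write } for  pid=7279 exe=/usr/bin/foo name=foo.pid dev=hda2 ino=54321 scontext=root:system_r:foo_t tcontext=system_u:object_r:foo_var_run_t tclass=file
Jan 10 12:00:02 host kernel: audit(1105358402.101:4): avc:  denied  { read } for  pid=7279 exe=/usr/bin/foo name=foo.conf dev=hda2 ino=12345 scontext=root:system_r:foo_t tcontext=system_u:object_r:foo_conf_t tclass=file
Jan 10 12:00:03 host kernel: unrelated message, not an AVC denial
"""

# Matches the permission set, the contexts and the object class; tolerates the
# single or double spacing the kernel uses around "denied".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Return a list of (perms, source_type, target_type, tclass) tuples,
    one per AVC denial line; non-AVC lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m.group("perms").split())
        # A context is user:role:type; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        denials.append((perms, stype, ttype, m.group("tclass")))
    return denials


def generate_rules(denials):
    """Turn parsed denials into policy lines for foo.te.

    Heuristics from the procedure:
      - read on a file or directory also gets getattr (step 10);
      - create on udp_socket/tcp_socket is expressed with can_network()
        instead of a raw allow rule (step 11).
    """
    merged = defaultdict(set)
    macros = set()
    for perms, stype, ttype, tclass in denials:
        if tclass in ("udp_socket", "tcp_socket") and "create" in perms:
            macros.add("can_network(%s)" % stype)
            continue
        perms = set(perms)
        if tclass in ("file", "dir") and "read" in perms:
            perms.add("getattr")
        merged[(stype, ttype, tclass)] |= perms

    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # Policy uses "self" when a domain accesses objects of its own type.
        target = "self" if stype == ttype else ttype
        rules.append("allow %s %s:%s { %s };"
                     % (stype, target, tclass, " ".join(sorted(perms))))
    return sorted(macros) + rules


if __name__ == "__main__":
    for line in generate_rules(parse_denials(SAMPLE_LOG)):
        print(line)
```

Run against the sample it prints one can_network(foo_t) line followed by two allow rules, the read on foo_conf_t having been widened to { getattr read }. To use it in the real loop, replace SAMPLE_LOG with the contents of /tmp/avc_denials from step 9 and compare the output with what audit2allow produced.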