Chapter 8. Customizing and Writing Policy
101
13. If the domain tries to access
port_t
, which relates to
tclass=tcp_socket
or
tclass=udp_socket
in the AVC log message, you need to determine what port number
foo
needs to use. To diagnose, put these rules in
foo.te
:
allow foo_t port_t:tcp_socket name_bind;
auditallow foo_t port_t:tcp_socket name_bind;
The
auditallow
rule helps you determine the nature of the port connection attempt.
14. Iterate through the remaining AVC denials. When they are resolved with new policy, you can
configure the unique port requirements for the
foo_t
domain.
15. With the daemon started, determine which port
foo
is using. Look at the AVC allowed message
and see what port the daemon is connected to:
lsof | grep foo.*TCP
foo
2283
root
3u
IPv6
3192
TCP *:4242 (LISTEN)
The
foo
daemon is listening on port 4242.
16. Remove the generic
port_t
rule, replacing it with a specific rule for a new port type based on the
foo_t
domain.
type foo_port_t, port_type;
allow foo_t foo_port_t:tcp_socket name_bind;
Add this line to
$SELINUX_SRC/file_contexts
. This reserves the port 4242 for the domain
foo_t
:
ifdef(`foo.te', `portcon tcp 4242 system_u:object_r:foo_port_t')
8.4. Deploying Customized Binary Policy
Building custom binary policy requires the policy source, but there are security risks to having the
full policy source on a production server. Should an attacker gain root control, they could rebuild
the policy to weaken or neutralize SELinux. For this reason, you want to use only binary policy on
production servers.
If you are using binary policy provided by Red Hat, this is not an issue. You can manage the policy
packages as you do any other software packages, such as through Red Hat Network. If you do cus 
tomize your policy, you may want to manage it using RPM packages, either manually or as part of
custom channels in Red Hat Network. Even if you manage the policy files by hand, as this procedure
demonstrates, the underlying principles are the same.
Unlike software source code, SELinux policy is independent of the architecture of the system it is
built on. You can have multiple development trees with vastly different policy needs expressed, all
residing and built in a single development environment. In fact, it is recommended to use software
version control, such as CVS, if you are going to be doing any measurable level of customization.
This short procedure demonstrates how to build and deploy policy from a development environment
into a production environment.
Building and Deploying Policy
1. In your development environment, make a copy of the source tree for the policy you are work 
ing from. If you want to add a single daemon to confinement under the targeted policy, use
/etc/selinux/targeted/src/policy/
. If you want to work from a fully confined SELinux
environment, obtain and use the strict source, which is usually at
/etc/selinux/strict/
.
# Copy the entire tree to a custom/ directory:
cp  r /etc/selinux/targeted/ /etc/selinux/custom/






footer




 

 

 

 

 Home | About Us | Network | Services | Support | FAQ | Control Panel | Order Online | Sitemap | Contact

adult web hosting

 

Our partners: PHP: Hypertext Preprocessor Best Web Hosting Java Web Hosting Inexpensive Web Hosting  Jsp Web Hosting

Cheapest Web Hosting Jsp Hosting Cheap Hosting

Visionwebhosting.net Business web hosting division of Web Design Plus. All rights reserved