How to manually create SElinux modules


I’ve shown you in a previous article how to create and install SElinux modules automatically using audit2allow -a. Usually, any needed policy can be configured with the audit2allow command or by enabling an SElinux boolean. You can list the current state of all booleans by typing:

getsebool -a


Configure new SElinux module

You can generate an SElinux module with audit2allow -a -M module_name. This command parses the /var/log/audit/audit.log file and determines which actions SElinux has denied. Running audit2allow -a -M zabbixdiamond, for example, automatically creates a compiled SElinux module (zabbixdiamond.pp) and its policy source file (zabbixdiamond.te). Note that I’ve encountered situations in which this method was insufficient because not all of the needed permissions were added to the generated module.

I’ve seen situations in which, after importing an SElinux module that was generated with the audit2allow command, the following message would be reported when checking the audit log file:

"Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones"

This error occurs because the generated module does not contain all the needed permissions.
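To show where the allow rules and the require block of such a .te file come from, here is an added example (my own code, not part of the article and not the audit2allow source) that derives them from AVC denial records. It merges the permissions of every denial that shares the same source type, target type and object class into one rule, which is exactly the merge you have to make by hand when, say, the ioctl permission on proc_net_t arrives in a separate denial from read, getattr and open. The audit lines embedded in SAMPLE_AUDIT_LOG are constructed for this example; only their field layout follows the real audit.log format.

```python
import re
from collections import defaultdict

# Constructed AVC records for this example (not taken from the article's system).
# The field layout follows /var/log/audit/audit.log; only type=AVC lines matter here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1399030127.105:2241): avc:  denied  { read } for  pid=2891 comm="zabbix_agentd" name="status" dev=proc ino=8754 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=file
type=AVC msg=audit(1399030127.105:2242): avc:  denied  { open } for  pid=2891 comm="zabbix_agentd" path="/proc/1234/status" dev=proc ino=8754 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=file
type=AVC msg=audit(1399030131.882:2250): avc:  denied  { read getattr open } for  pid=2891 comm="zabbix_agentd" path="/proc/net/dev" dev=proc ino=4026531978 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1399030131.890:2251): avc:  denied  { ioctl } for  pid=2891 comm="zabbix_agentd" path="/proc/net/dev" dev=proc ino=4026531978 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1399030140.004:2263): avc:  denied  { name_connect } for  pid=2891 comm="zabbix_agentd" dest=80 scontext=unconfined_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1399030140.004:2263): arch=c000003e syscall=42 success=no exit=-13 comm="zabbix_agentd"
"""

# Pull the denied permission set, both security contexts and the object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\w+)"
)


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, object_class, perms) for each AVC denial."""
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is always the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def build_te(module_name, log_text, version="1.0"):
    """Render a .te policy source: one allow rule per (source, target, class) with
    the permissions of all matching denials merged, and a require block that
    declares every type and every class/permission those rules reference."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        rules[(stype, ttype, tclass)] |= perms

    types = set()
    class_perms = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        class_perms[tclass] |= perms

    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    for tclass, perms in sorted(class_perms.items()):
        plist = " ".join(sorted(perms))
        lines.append(f"\tclass {tclass} {{ {plist} }};")
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        perm_expr = f"{{ {plist} }}" if len(perms) > 1 else plist
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_expr};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_te("zabbixdiamond", SAMPLE_AUDIT_LOG), end="")
```

Running the script prints a complete .te file in which proc_net_t gets a single rule with all four permissions, which is the form checkmodule expects; when a later denial for the same type shows up, only the permission list of that one rule and the matching class line in the require block need to grow.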

If you receive this error, you’ll need to edit the .te file and add the missing permissions:

Edit the .te file (zabbixdiamond.te) using vim:

module zabbixdiamond 1.0;

require {
type unconfined_t;
type semanage_t;
type init_t;
type system_cronjob_t;
type syslogd_t;
type rpm_t;
type postfix_smtpd_t;
type system_dbusd_t;
type snmpd_t;
type smtp_port_t;
type proc_net_t;
type http_port_t;
type ntpd_t;
type kernel_t;
type postfix_master_t;
type auditd_t;
type httpd_t;
type audisp_t;
type irqbalance_t;
type inetd_t;
type udev_t;
type postfix_pickup_t;
type sshd_t;
type crond_t;
type getty_t;
type nrpe_t;
type postfix_qmgr_t;
type zabbix_agent_t;
class tcp_socket name_connect;
class file { read getattr open ioctl };
}

#============= zabbix_agent_t ======================
allow zabbix_agent_t audisp_t:file { read getattr open };
allow zabbix_agent_t auditd_t:file { read getattr open };
allow zabbix_agent_t crond_t:file { read getattr open };
allow zabbix_agent_t getty_t:file { read getattr open };
allow zabbix_agent_t http_port_t:tcp_socket name_connect;
allow zabbix_agent_t httpd_t:file { read getattr open };
allow zabbix_agent_t inetd_t:file { read getattr open };
allow zabbix_agent_t init_t:file { read getattr open };
allow zabbix_agent_t irqbalance_t:file { read getattr open };
allow zabbix_agent_t kernel_t:file { read getattr open };
allow zabbix_agent_t nrpe_t:file { read getattr open };
allow zabbix_agent_t ntpd_t:file { read getattr open };
allow zabbix_agent_t postfix_master_t:file { read getattr open };
allow zabbix_agent_t postfix_pickup_t:file { read getattr open };
allow zabbix_agent_t postfix_qmgr_t:file { read getattr open };
allow zabbix_agent_t postfix_smtpd_t:file { read getattr open };
allow zabbix_agent_t proc_net_t:file { read getattr open ioctl };
allow zabbix_agent_t rpm_t:file { read getattr open };
allow zabbix_agent_t semanage_t:file { read getattr open };
allow zabbix_agent_t smtp_port_t:tcp_socket name_connect;
allow zabbix_agent_t snmpd_t:file { read getattr open };
allow zabbix_agent_t sshd_t:file { read getattr open };
allow zabbix_agent_t syslogd_t:file { read getattr open };
allow zabbix_agent_t system_cronjob_t:file { getattr open };
allow zabbix_agent_t system_dbusd_t:file { read getattr open };
allow zabbix_agent_t udev_t:file { read getattr open };
allow zabbix_agent_t unconfined_t:file { read getattr open };

#==================================================

Once all permissions have been added, save and close the file.

Use the following command to verify that the module syntax is correct:

checkmodule -M -m -o zabbixdiamond.mod zabbixdiamond.te

Any syntax error will be reported by the checkmodule command, just like in the following example:

checkmodule: loading policy configuration from zabbixdiamond.te
zabbixdiamond.te:55:ERROR 'syntax error' at token '{' on line 55:
allow zabbix_agent_t proc_net_t:file { read getattr open ioctl};
allow zabbix_agent_t rpm_t:file getattr { read getattr open };

Note that every permission used in an allow rule must also be declared in the require block, in the class file { read getattr open ioctl }; line; otherwise you will receive an error similar to the following:

checkmodule: loading policy configuration from zabbixdiamond.te
zabbixdiamond.te:54:ERROR 'permission ioctl is not defined for class file' at token ';' on line 54:
allow zabbix_agent_t proc_net_t:file { read getattr open ioctl};
allow zabbix_agent_t postfix_smtpd_t:file { read getattr open };

If the module verification has been successfully completed, you will be informed that the policy configuration has been loaded:

checkmodule: loading policy configuration from zabbixdiamond.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 10) to zabbixdiamond.mod

The compiled zabbixdiamond.mod file will be created in the directory where the checkmodule command was executed.

Now it’s time to package the module file using the following command:

semodule_package -o zabbixdiamond.pp -m zabbixdiamond.mod

Finally, execute semodule -i zabbixdiamond.pp to install the newly created SElinux module.

Once the module has been installed, run audit2allow -a again to confirm that all the previously missing policies are now allowed by SElinux. The semodule -l command lists all installed SElinux modules; check that the newly created module appears there. You can also inspect the audit log file to see whether any other denials are being recorded.
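The second checkmodule error shown above (a permission that is used in an allow rule but not declared in the require block) is easy to cause when hand-editing a long .te file, and the same goes for referencing a type without its type line. Here is an added example (my own code, not part of the article) that finds both kinds of mistake offline, before checkmodule is run, and then drives the three build steps in order. SAMPLE_TE is a constructed .te fragment carrying both defects, and build_module is an assumed helper that wraps the checkmodule, semodule_package and semodule commands exactly as the article runs them, so it needs those tools on PATH and root privileges for the install step. The linter checks declarations only; genuine syntax errors such as a stray token are still left to checkmodule.

```python
import re
import subprocess
from pathlib import Path

# Constructed .te source for this example (not the article's file). It contains the two
# defects checkmodule rejects: `ioctl` is used by an allow rule but missing from the
# `class file { ... }` declaration, and `rpm_t` is used without a `type rpm_t;` line.
SAMPLE_TE = """\
module zabbixdiamond 1.0;

require {
\ttype zabbix_agent_t;
\ttype proc_net_t;
\tclass file { read getattr open };
}

allow zabbix_agent_t proc_net_t:file { read getattr open ioctl };
allow zabbix_agent_t rpm_t:file { read getattr open };
"""

# The require block ends at the first `}` that starts a line, so the `}` closing a
# `class file { ... };` declaration inside it does not terminate the match early.
REQUIRE_RE = re.compile(r"require\s*\{(.*?)^\}", re.S | re.M)
TYPE_RE = re.compile(r"^\s*type\s+(\w+);", re.M)
CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+));", re.M)
# allow <source> <target>:<class> { perm ... };   or   allow <source> <target>:<class> perm;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+));")


def lint_te(te_text):
    """Return [(line_no, message), ...] for every type or permission an allow rule
    uses without a matching declaration in the require block; [] means clean."""
    m = REQUIRE_RE.search(te_text)
    body = m.group(1) if m else ""
    declared_types = set(TYPE_RE.findall(body))
    declared_perms = {}
    for cls, braced, single in CLASS_RE.findall(body):
        declared_perms.setdefault(cls, set()).update((braced or single).split())

    problems = []
    for lineno, line in enumerate(te_text.splitlines(), 1):
        rule = ALLOW_RE.match(line)
        if not rule:
            continue
        stype, ttype, cls, braced, single = rule.groups()
        for t in (stype, ttype):
            if t not in declared_types:
                problems.append((lineno, f"type {t} is not declared in the require block"))
        for perm in (braced or single).split():
            if perm not in declared_perms.get(cls, set()):
                problems.append((lineno, f"permission {perm} is not defined for class {cls}"))
    return problems


def build_module(te_path, install=False):
    """Assumed helper: run the article's three steps in order,
    checkmodule -> semodule_package -> semodule -i. Requires the SELinux policy
    tools on PATH and, for install=True, root privileges. A failing step raises
    CalledProcessError, so a broken module is never packaged or installed."""
    te = Path(te_path)
    mod, pp = te.with_suffix(".mod"), te.with_suffix(".pp")
    subprocess.run(["checkmodule", "-M", "-m", "-o", str(mod), str(te)], check=True)
    subprocess.run(["semodule_package", "-o", str(pp), "-m", str(mod)], check=True)
    if install:
        subprocess.run(["semodule", "-i", str(pp)], check=True)
    return pp


if __name__ == "__main__":
    for lineno, message in lint_te(SAMPLE_TE):
        print(f"line {lineno}: {message}")
    # Once lint_te() reports nothing, write the text to zabbixdiamond.te and run:
    #   build_module("zabbixdiamond.te", install=True)
```

For the sample above the linter reports line 9 (ioctl is not defined for class file) and line 10 (rpm_t is not declared), the same two conditions checkmodule would stop on one at a time; fixing both in the require block makes lint_te() return an empty list, and only then is build_module() worth running.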
