How to create SElinux policy


SElinux is a security mechanism introduced in Linux OS as an extra security layer. There are probably many things to be mentioned about selinux so I’m not going to discuss about the main concepts that make up selinux such as labeling and targeting. I’ll show you in this article how to create a new selinux policy (also known as module) and install it on a machine.

You can check the selinux status by typing getenforce without any parameters. You can then use setenforce 0 command to change it to permissive or setenforce 1 again to enforce it:

selinux

selinux status

All SElinux messages are logged in /var/log/audit/audit.log, you can inspect this file to determine what applications are blocked from interacting with the Operating System. /var/log/messages is another location in which you can find useful information about selinux logs. As you will probably see, the log file contains a bunch of information that is hard to read, you can use the audit2allow -w -a command to display a more friendlier output. This command will parse the audit.log file ( -a parameter) and then will create a friendlier output (-w parameter) that looks something like:

SElinux

selinux policy

In SElinux context all log messages are named AVC so you will see them everywhere in the audit log file.

You can view all SElinux  rejected accesses using the audit2allow -a command:

SElinux

How to create SElinux policy

This command can also be used to parse the log file then create a module that can be imported by SElinux to allow access. Execute audit2allow -a -M module_name to create a new SElinux module. I’ve named mine zabbixdiamond and placed it in my home directory. The command will create two files, one with .pp and another one with .te extension:

audit2allow -a -M zabbixdiamond

SElinux module

selinux policy files

You can view the content of the selinux module by executing cat zabbixdiamond.te command. As you can see from the image below, the module contains all the rules that are needed by SElinux to allow this particular AVC :

How to create SElinux policy

how to create selinux module

All that’s left now is to install the module using the following command: semodule -i zabbixdiamond.pp. If you encounter an error saying something that “global requirements are not met” it means that SElinux already has a module with a similar name installed on the machine so you’ll need to change its name:

How to create SElinux policy

how to install selinux module

In this case you will have to restart the procedure and create a new SElinux module with a different name. To check what modules are installed on the server use semodule -l. You can expand this command and search for a particular SElinux module with semodule -l | grep zabbixdiamond . In this way you also verify if a SElinux module has been successfully loaded in the OS.

Execute again audit2allow -a and see if the AVCs are now allowed in SElinux:

How to create SElinux policy

audit2allow command with selinux

That’s about it for this article folks, hope it will serve you well in creating SElinux policies. Wish you all the best!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s