creating a new SE Linux policy module
Creating a simple SE Linux policy module is not difficult.
audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="spf-policy.pl" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
For example, I had a server with the above messages in the kernel message log from the spf-policy program (run from Postfix) trying to run the "hostname" program. So I ran the following command to generate a .te file (SE Linux policy source):
dmesg|grep spf.policy|audit2allow -m local > local.te
The -m option to audit2allow instructs it to create a policy module. The local.te file is below:
module local 1.0;
require {
class file execute;
type hostname_exec_t;
type postfix_master_t;
role system_r;
};
allow postfix_master_t hostname_exec_t:file execute;
Then I used the following commands to create a policy module and package it:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
The result was the object file local.pp and an intermediate file local.mod (which incidentally can be removed once the build is finished).
After creating the module I used the following command to link it with the running policy and load it into the kernel:
semodule -i ./local.pp
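To show what audit2allow -m actually derives from a denial message, here is a small Python script added to this post (it is not the post's own code and not audit2allow itself) that parses AVC denial lines, groups them by source type, target type and object class, and renders a .te module in the same shape as the local.te above. The first sample line is the denial quoted in the post; the two syslog-ng lines are constructed to resemble the case in the comment. Grouping the denials this way lets you read each proposed allow rule (and any permission you did not expect, such as unlink) before loading the module.

```python
import re
from collections import defaultdict

# Constructed input: the first line is the denial quoted in the post, the other
# two are made-up syslog-ng denials shaped like the commenter's case.
SAMPLE_DENIALS = """\
audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="spf-policy.pl" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
audit(1173571341.000:12856): avc: denied { getattr } for pid=2222 comm="syslog-ng" name="log" dev=tmpfs ino=99 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit(1173571341.001:12857): avc: denied { unlink } for pid=2222 comm="syslog-ng" name="log" dev=tmpfs ino=99 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_denials(text):
    """Group AVC denials as {(source_type, target_type, class): {perms}} plus the roles seen.
    A security context is user:role:type[:range]; the allow rule only needs the type."""
    rules, roles = defaultdict(set), set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        _, srole, stype = m["sctx"].split(":")[:3]
        ttype = m["tctx"].split(":")[2]
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
        roles.add(srole)
    return dict(rules), roles

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_te(rules, roles, name="local", version="1.0"):
    """Render a .te source in the shape audit2allow -m produces: one module line,
    a require block declaring every class, type and role used, then the allow rules."""
    classes, types = defaultdict(set), set()
    for (stype, ttype, tclass), perms in rules.items():
        classes[tclass].update(perms)
        types.update((stype, ttype))
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\trole {r};" for r in sorted(roles)]
    out += ["};", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_te(*parse_denials(SAMPLE_DENIALS)), end="")
```

Feed it real output with something like dmesg | grep avc, then review the printed rules and only run them through checkmodule and semodule_package once each allow line is one you actually intend.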
1 comment:
Thanks for this short howto. I was struggling with getting syslog-ng running on RHEL5, and with the help of your short howto, I fixed it with this small module:
###################################
module local 1.0;
require {
class sock_file { getattr unlink };
type device_t;
type syslogd_t;
role system_r;
};
allow syslogd_t device_t:sock_file { getattr unlink };
#############################
I don't understand why it wants to unlink, but I guess I can live with it...