Sunday, March 11, 2007

creating a new SE Linux policy module

Creating a simple SE Linux policy module is not difficult.

audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="spf-policy.pl" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

For example, I had a server with the above message in the kernel message log, from the spf-policy program (run from Postfix) trying to run the "hostname" program. So I ran the following command to generate a .te file (SE Linux policy source):

dmesg|grep spf.policy|audit2allow -m local > local.te

The -m option to audit2allow instructs it to create a policy module. The local.te file is below:
module local 1.0;

require {
class file execute;
type hostname_exec_t;
type postfix_master_t;
role system_r;
};

allow postfix_master_t hostname_exec_t:file execute;

Then I used the following commands to create a policy module and package it:

checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod

The result was the object file local.pp and an intermediate file local.mod (which incidentally can be removed once the build is finished).

After creating the module I used the following command to link it with the running policy and load it into the kernel:

semodule -i ./local.pp

1 comment:

janfrode said...

Thanks for this short howto. I was struggling with getting syslog-ng running on RHEL5, and with the help of your short howto, I fixed it by this small module:

###################################
module local 1.0;

require {
class sock_file { getattr unlink };
type device_t;
type syslogd_t;
role system_r;
};

allow syslogd_t device_t:sock_file { getattr unlink };
#############################

I don't understand why it wants to unlink, but I guess I can live with it...