File Alan_Rouse-Policy_Development_Process.txt of Package selinux-policy

Policy Development Process
(At least, the way I do it!)

1. Build an openSUSE environment according to openSUSE_with_SELinux.txt

2. Create a git repository for policy source development

3. Boot that system to runlevel 3 and login as root
   (you should be in the /root home directory).
   * tar xzvf /usr/src/packages/SOURCES/serefpolicy-05042010-1.tgz
   * cd serefpolicy-05042010
   * git init
   * git add .
   * git commit
   * git config --global user.name "<your name>"
   * git config --global user.email "<your email>"
   * git branch opensuse
   * git checkout opensuse
   * cp -R /usr/src/packages/BUILD/serefpolicy-05042010/. .
   * rm *.pp
   * git add .
   * git commit
   * git status <should be no outstanding commits>
   * git checkout master
   * git status <should be no outstanding commits>
   * git branch <should be master>
   * git diff fedora
   * git checkout opensuse
   * make sure there is no .git folder in /usr/src/packages/BUILD/serefpolicy-3.6.32
   * if there is, delete it (and all its contents)
   * cp -R /usr/src/packages/BUILD/serefpolicy-3.6.32/. .
   * git add .
   * git commit
   * git status <should be in opensuse, with no outstanding commits>
   * cd ..
   * mv serefpolicy-05042010 git
   * tar czvf git-refpolicy-opensuse.tgz git
   * This is the initial backup of the git repository. Copy it to a safe place.

4. Working with the policy source

   The most interesting part of the source code is under git/policy/modules.
   You will see seven folders under modules, including one named "suse"
   which was created for this project. Each of these folders contains
   a collection of m4 source files containing selinux policy source code.
   Each policy module has three source files:
   * <module>.te - Type enforcement rules (mainly, allow rules)
   * <module>.fc - File context declarations (for labeling the filesystem)
   * <module>.if - Interface definitions for access to the module from other modules

   Strategy: First, get the file labels right (.fc). I compared the labeling
   on an openSUSE system with a Fedora 12 system, paying particular attention
   to the files that are located in different directories on the two systems.
   I would grep the .fc source files for the label found on Fedora 12, and make
   an entry applying that label to the file in its location on openSUSE.
   Wrap each openSUSE-specific entry in "ifdef(`distro_suse',`...')"
   (m4 quoting: opening backtick, closing single quote).
   For an example, see services/apm.fc

   Once the filesystem is labeled correctly, I iterated the following process,
   identifying AVCs and seeking a proper solution to each of them:

   * rm /var/log/messages
   * rm /var/log/audit/audit.log
   * reboot and login as root
   * grep avc /var/log/messages > avc.txt
   * audit2allow -i avc.txt -M <module>
     - I used "a2a" as the prefix for modules generated from audit2allow
     - Examine the resulting <module>.te and the corresponding AVC in avc.txt
     - Decide whether that access is appropriate, and remove from .te if not
     - Ignore the message instructing you to run "semodule -i <module>.pp"
     - We want to build and manage all the changes from source code
   * copy the .te to git/policy/src/suse/. Create a stub .if and .te
     (see existing stubs in the suse directory for examples. Do it exactly
      like the examples)
   * Note: you could either add the new module in the suse folder, or edit
     an existing .te file and add the allow rules (and "requires" declaration)
     to the existing file. If you add a new module, you also need to edit
     /usr/src/packages/SOURCES/modules-targeted.conf and add the new module
     *exactly* like the existing ones (including the associated comments.)
   * Now cd into the git folder and execute
   * git commit -a
   * git diff master opensuse > /usr/src/packages/SOURCES/policy-opensuse-11.3.patch
   * cd /usr/src/packages/SPECS
   * rpmbuild -ba selinux-policy.spec
   * When the build completes successfully, you'll have a SRPM and two new RPMS
     (not counting the .doc rpm)
     SRPMS/selinux-policy-05042010-1.src.rpm
     RPMS/noarch/selinux-policy-05042010-1.noarch.rpm
     RPMS/noarch/selinux-policy-targeted-05042010-1.noarch.rpm
   * Do this:
     cd /usr/src/packages/RPMS/noarch/
     rpm -e selinux-policy-targeted
     rpm -i selinux-policy-targeted-05042010-1.noarch.rpm
   * When that finishes
     * rm /var/log/messages
     * rm /var/log/audit/audit.log
   * Reboot and repeat
     Note: Be careful that you do not accidentally create allow rules for the steps
           you are using in this development process, since those actions probably
           are not appropriate in a production environment.
   * To avoid that, try this process:
     * remove /var/log/messages and /var/log/audit/audit.log
     * boot to desktop
     * login and execute the processes you are trying to allow
     * reboot to runlevel 3 and login as root
     * do all your examination of AVC's, audit2allow etc in runlevel 3 as root
   * Periodically, at interesting milestones, tar up your git folder and back
     it up to a safe place. Copy your binary and source rpm's to the same place

Making decisions about policy

When an AVC tells you that a certain access was denied from a "scontext"
(source context) to a "tcontext" (target context), there are several ways
to resolve that situation.

* Do nothing. It may be appropriate to deny that access. After all, the whole point of selinux is to deny things.
* Add the "allow" rule generated by audit2allow. But before you do that, consider all the other options.
* Change the target context (for example, relabel a file).
* Change the source context (for example, add a domain transition, or relabel an executable file and possibly add a domain transition)

It can be tempting to allow whatever audit2allow generates. But that may not be appropriate.
For example, a user trying to execute a file labeled sbin_exec_t may be denied.
audit2allow might suggest that you just allow that user to execute files labeled sbin_exec_t.
But that means he can execute every file on the system which is labeled sbin_exec_t --
probably not what you want! Instead you might consider creating a new label,
labeling only that executable, and granting the user the right to execute files of the new label.
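
Before running audit2allow in the loop above, it helps to summarise the denials so that each one can be weighed against the options in this section. The script below is an added example, not part of the original process document; the DEV_COMMS list, the DEV-STEP and BROAD-EXEC notes, and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials for review before audit2allow is run.
# DEV_COMMS is an assumed list of commands that belong to the development loop only.
DEV_COMMS="${DEV_COMMS:-rpm rpmbuild git tar make audit2allow}"

# Read log lines on stdin; print "count source_type target_type class perms comm [note]".
avc_summary() {
    awk -v dev="$DEV_COMMS" '
    BEGIN { n = split(dev, d, " "); for (i = 1; i <= n; i++) isdev[d[i]] = 1 }
    /avc: +denied/ {
        perms = src = tgt = cls = comm = ""
        if (match($0, /[{][^}]*[}]/)) {             # permissions sit between the braces
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {                 # the type is the third part of a context
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
            else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        if (src != "" && tgt != "" && cls != "") { count[src " " tgt " " cls " " perms " " comm]++ }
    }
    END {
        for (k in count) {
            split(k, f, " "); note = ""
            if (f[5] in isdev) { note = " DEV-STEP" }   # probably caused by the build loop itself
            else if (f[4] ~ /execute/ && f[2] ~ /_exec_t$/) { note = " BROAD-EXEC" }
            print count[k] " " k note
        }
    }' | sort -k2
}

# Constructed sample lines in the kernel-log AVC format (host, pids and names are made up).
sample_avc() {
    cat <<'EOF'
May  4 10:01:02 host kernel: type=1400 audit(1272967262.101:11): avc:  denied  { execute } for  pid=2101 comm="bash" name="example-tool" dev=sda2 ino=4101 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sbin_exec_t:s0 tclass=file
May  4 10:01:09 host kernel: type=1400 audit(1272967269.412:12): avc:  denied  { execute } for  pid=2107 comm="bash" name="example-tool" dev=sda2 ino=4101 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sbin_exec_t:s0 tclass=file
May  4 10:02:30 host kernel: type=1400 audit(1272967350.007:13): avc:  denied  { read write } for  pid=2210 comm="rpm" name="Packages" dev=sda2 ino=5100 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
May  4 10:03:44 host kernel: type=1400 audit(1272967424.650:14): avc:  denied  { write } for  pid=1480 comm="apmd" name="example.pid" dev=sda2 ino=6200 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
EOF
}

sample_avc | avc_summary
```

Rows marked DEV-STEP match the caution about not writing allow rules for the development steps themselves. BROAD-EXEC rows are the sbin_exec_t case described above, where a dedicated label for the one executable is the narrower fix.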


Good resource for learning more about selinux:

http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

In the opensuse branch, iterate the following until all desired label changes are made

------------------------------------------------------------------------

Identify files that are mislabeled

Find corresponding .fc file in policy/modules/<dir> and change label

------------------------------------------------------------------------

git commit
git diff fedora > policy-opensuse.patch

Place the patch file in the SOURCES dir and proceed to the next step to build the RPM.

Creating a selinux-policy-targeted RPM including the modules created by audit2allow:

cd /usr/src/packages/SOURCES/
tar xzvf serefpolicy-3.6.32.tgz
mv serefpolicy-3.6.32 serefpolicy-3.6.32.suse.a2a
cd serefpolicy-3.6.32.suse.a2a/policy/modules/
mkdir a2a
cd a2a

--copy all the .pp modules you created via audit2allow into the current directory

cd /usr/src/packages/SOURCES
tar -czvf serefpolicy-3.6.32.suse.a2a.tgz serefpolicy-3.6.32.suse.a2a
cd /usr/src/packages/SOURCES
vi modules-targeted.conf

-- for all the modules you copied into the a2a directory, add an entry at the end of this file.

cd /usr/src/packages/SPECS

-- edit selinux-policy.spec and change Version: to "3.6.32.suse.a2a"

In the SPECS directory:
rpmbuild -bb selinux-policy.spec

-- your RPMs will be in /usr/src/packages/RPMS/noarch/*

-- You'll need to install these two:

selinux-policy-3.6.32.suse.a2a-106.noarch.rpm
selinux-policy-targeted-3.6.32.suse.a2a-106.noarch.rpm

Note, the minimal and mls packages have not been modified to contain the a2a modules.

These are the RPM versions which were installed in the above process:

checkpolicy-2.0.21-16.4.i586.rpm
eclipse-setools-3.3.5.1-1.2.i586.rpm
findutils-4.4.2-9.2.i586.rpm
libcap-ng0-0.6.3-3.3.i586.rpm
libcap-ng-devel-0.6.3-3.3.i586.rpm
libcap-ng-utils-0.6.3-3.3.i586.rpm
libselinux1-2.0.91-32.3.i586.rpm
libselinux-devel-2.0.91-32.3.i586.rpm
libselinux-devel-static-2.0.91-32.3.i586.rpm
libsemanage1-2.0.43-14.4.i586.rpm
libsemanage-devel-2.0.43-14.4.i586.rpm
libsemanage-devel-static-2.0.43-14.4.i586.rpm
libsepol1-2.0.41-22.3.i586.rpm
libsepol-devel-2.0.41-22.3.i586.rpm
libsepol-devel-static-2.0.41-22.3.i586.rpm
libuser-0.56.14-1.5.i586.rpm
libuser-devel-0.56.14-1.5.i586.rpm
libuser-python-0.56.14-1.5.i586.rpm
libustr-1_0-1-1.0.4-16.2.i586.rpm
libustr-devel-1.0.4-16.2.i586.rpm
libustr-devel-static-1.0.4-16.2.i586.rpm
mcstrans-0.3.1-8.2.i586.rpm
policycoreutils-2.0.79-30.1.i586.rpm
policycoreutils-gui-2.0.79-30.1.i586.rpm
policycoreutils-newrole-2.0.79-30.1.i586.rpm
policycoreutils-python-2.0.79-30.1.i586.rpm
policycoreutils-sandbox-2.0.79-30.1.i586.rpm
python-capng-0.6.3-3.3.i586.rpm
python-selinux-2.0.91-40.3.i586.rpm
python-semanage-2.0.43-14.4.i586.rpm
python-setools-3.3.6-5.3.i586.rpm
ruby-selinux-2.0.91-40.3.i586.rpm
selinux-policy-3.6.32.suse.a2a-106.noarch.rpm
selinux-policy-targeted-3.6.32.suse.a2a-106.noarch.rpm
selinux-tools-2.0.91-32.3.i586.rpm
setools-console-3.3.6-5.3.i586.rpm
setools-devel-3.3.6-5.3.i586.rpm
setools-gui-3.3.6-5.3.i586.rpm
setools-java-3.3.6-5.3.i586.rpm
setools-libs-3.3.6-5.3.i586.rpm
setools-tcl-3.3.6-5.3.i586.rpm
setroubleshoot-2.2.64-11.1.i586.rpm
setroubleshoot-doc-2.2.64-11.1.i586.rpm
setroubleshoot-server-2.2.64-11.1.i586.rpm
usermode-1.103-2.5.i586.rpm
usermode-gtk-1.103-2.5.i586.rpm