File Alan_Rouse-Policy_Development_Process.txt of Package selinux-policy (project openSUSE:13.1)
Policy Development Process
(At least, the way I do it!)

1. Build an openSUSE environment according to openSUSE_with_SELinux.txt

2. Create a git repository for policy source development

3. Boot that system to runlevel 3 and log in as root (you should be in the /root home directory).
   * tar xzvf /usr/src/packages/SOURCES/serefpolicy-05042010-1.tgz
   * cd serefpolicy-05042010
   * git init
   * git add .
   * git commit
   * git config --global user.name "<your name>"
   * git config --global user.email "<your email>"
   * git branch opensuse
   * git checkout opensuse
   * cp -R /usr/src/packages/BUILD/serefpolicy-05042010/. .
   * rm *.pp
   * git add .
   * git commit
   * git status          <should be no outstanding commits>
   * git checkout master
   * git status          <should be no outstanding commits>
   * git branch          <should be master>
   * git diff fedora
   * git checkout opensuse
   * make sure there is no .git folder in /usr/src/packages/BUILD/serefpolicy-3.6.32
   * if there is, delete it (and all its contents)
   * cp -R /usr/src/packages/BUILD/serefpolicy-3.6.32/. .
   * git add .
   * git commit
   * git status          <should be in opensuse, with no outstanding commits>
   * cd ..
   * mv serefpolicy-05042010 git
   * tar czvf git-refpolicy-opensuse.tgz git
   * This is the initial backup of the git repository. Back it up to a safe place.

4. Working with the policy source

The most interesting part of the source code is under git/policy/modules. You will see seven folders under modules, including one named "suse" which was created for this project. Each of these folders contains a collection of m4 source files containing SELinux policy source code. Each policy module has three source files:
   * <module>.te - Type enforcement rules (mainly, allow rules)
   * <module>.fc - File context declarations (for labeling the filesystem)
   * <module>.if - Interface definitions for access to the module from other modules

Strategy: First, get the file labels right (.fc).

I compared the labeling on the openSUSE system with a Fedora 12 system, paying particular attention to the files that are located in different directories on the two systems. I would grep the .fc source files for the label found on FC 12, and make an entry applying that label to the file in its location on openSUSE. Wrap each openSUSE-specific entry in ifdef(`distro_suse', `...'). For an example, see services/apm.fc

Once the filesystem is labeled correctly, I iterated the following process, identifying AVCs and seeking a proper solution to them:
   * rm /var/log/messages
   * rm /var/log/audit/audit.log
   * reboot, log in as root
   * grep avc /var/log/messages > avc.txt
   * audit2allow -i avc.txt -M <module>
     - I used "a2a" as the prefix for modules generated from audit2allow
     - Examine the resulting <module>.te and the corresponding AVC in avc.txt
     - Decide whether that access is appropriate, and remove it from the .te if not
     - Ignore the message instructing you to run "semodule -i <module>.pp"; we want to build and manage all the changes from source code
   * Copy the .te to git/policy/src/suse/. Create a stub .if and .te (see existing stubs in the suse directory for examples. Do it exactly like the examples)
   * Note: you could either add the new module in the suse folder, or edit an existing .te file and add the allow rules (and "requires" declaration) to the existing file. If you add a new module, you also need to edit /usr/src/packages/SOURCES/modules-targeted.conf and add the new module *exactly* like the existing ones (including the associated comments).
   * Now cd into the git folder and execute
   * git commit -a
   * git diff master opensuse > /usr/src/packages/SOURCES/policy-opensuse-11.3.patch
   * cd /usr/src/packages/SPECS
   * rpmbuild -ba selinux-policy.spec
   * When the build completes successfully, you'll have a SRPM and two new RPMs (not counting the .doc rpm):
       SRPMS/selinux-policy-05042010-1.src.rpm
       RPMS/noarch/selinux-policy-05042010-1.noarch.rpm
       RPMS/noarch/selinux-policy-targeted-05042010-1.noarch.rpm
   * Do this:
       cd /usr/src/packages/RPMS/noarch/
       rpm -e selinux-policy-targeted
       rpm -i selinux-policy-targeted-05042010-1.noarch.rpm
   * When that finishes:
     - rm /var/log/messages
     - rm /var/log/audit/audit.log
     - Reboot and repeat

Note: Be careful that you do not accidentally create allow rules for the steps you are using in this development process, since those actions probably are not appropriate in a production environment.
   * To avoid that, try this process:
     - remove /var/log/messages and /var/log/audit/audit.log
     - boot to desktop
     - log in and execute the processes you are trying to allow
     - reboot to runlevel 3 and log in as root
     - do all your examination of AVCs, audit2allow etc. in runlevel 3 as root
   * Periodically, at interesting milestones, tar up your git folder and back it up to a safe place. Copy your binary and source RPMs to the same place.

Making decisions about policy

When an AVC tells you that a certain access was denied from a "scontext" (source context) to a "tcontext" (target context), there are several ways to resolve that situation.
   * Do nothing. It may be appropriate to deny that access. After all, the whole point of SELinux is to deny things.
   * Add the "allow" rule generated by audit2allow. But before you do that, consider all the other options.
   * Change the target context (for example, relabel a file).
   * Change the source context (for example, add a domain transition, or relabel an executable file and possibly add a domain transition).

It can be tempting to allow whatever audit2allow generates. But that may not be appropriate. For example, a user trying to execute a file labeled sbin_exec_t may be denied. audit2allow might suggest that you just allow that user to execute files labeled sbin_exec_t. But that means the user can execute every file on the system which is labeled sbin_exec_t - probably not what you want! Instead you might consider creating a new label, labeling only that executable, and granting the user the right to execute files of the new label.

Good resource for learning more about SELinux:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

In the opensuse branch, iterate the following until all desired label changes are made
------------------------------------------------------------------------
Identify files that are mislabeled
Find the corresponding .fc file in policy/modules/<dir> and change the label
------------------------------------------------------------------------
git commit
git diff fedora > policy-opensuse.patch
place the patchfile in the SOURCES dir and proceed to the next step to build the rpm

Creating a selinux-policy-targeted RPM including the modules created by audit2allow:

cd /usr/src/packages/SOURCES/
tar xzvf serefpolicy-3.6.32.tgz
mv serefpolicy-3.6.32 serefpolicy-3.6.32.suse.a2a
cd serefpolicy-3.6.32.suse.a2a/policy/modules/
mkdir a2a
cd a2a
-- copy all the .pp modules you created via audit2allow into the current directory
cd /usr/src/packages/SOURCES
tar -czvf serefpolicy-3.6.32.suse.a2a.tgz serefpolicy-3.6.32.suse.a2a
cd /usr/src/packages/SOURCES
vi modules-targeted.conf
-- for all the modules you copied into the a2a directory, add an entry at the end of this file.
cd /usr/src/packages/SPECS
-- edit selinux-policy.spec and change Version: to "3.6.32.suse.a2a"
In the SPECS directory:
rpmbuild -bb selinux-policy.spec
-- your RPMs will be in /usr/src/packages/RPMS/noarch/*
-- You'll need to install these two:
selinux-policy-3.6.32.suse.a2a-106.noarch.rpm
selinux-policy-targeted-3.6.32.suse.a2a-106.noarch.rpm
Note, the minimal and mls packages have not been modified to contain the a2a modules.

These are the RPM versions which were installed in the above process:
checkpolicy-2.0.21-16.4.i586.rpm
eclipse-setools-3.3.5.1-1.2.i586.rpm
findutils-4.4.2-9.2.i586.rpm
libcap-ng0-0.6.3-3.3.i586.rpm
libcap-ng-devel-0.6.3-3.3.i586.rpm
libcap-ng-utils-0.6.3-3.3.i586.rpm
libselinux1-2.0.91-32.3.i586.rpm
libselinux-devel-2.0.91-32.3.i586.rpm
libselinux-devel-static-2.0.91-32.3.i586.rpm
libsemanage1-2.0.43-14.4.i586.rpm
libsemanage-devel-2.0.43-14.4.i586.rpm
libsemanage-devel-static-2.0.43-14.4.i586.rpm
libsepol1-2.0.41-22.3.i586.rpm
libsepol-devel-2.0.41-22.3.i586.rpm
libsepol-devel-static-2.0.41-22.3.i586.rpm
libuser-0.56.14-1.5.i586.rpm
libuser-devel-0.56.14-1.5.i586.rpm
libuser-python-0.56.14-1.5.i586.rpm
libustr-1_0-1-1.0.4-16.2.i586.rpm
libustr-devel-1.0.4-16.2.i586.rpm
libustr-devel-static-1.0.4-16.2.i586.rpm
mcstrans-0.3.1-8.2.i586.rpm
policycoreutils-2.0.79-30.1.i586.rpm
policycoreutils-gui-2.0.79-30.1.i586.rpm
policycoreutils-newrole-2.0.79-30.1.i586.rpm
policycoreutils-python-2.0.79-30.1.i586.rpm
policycoreutils-sandbox-2.0.79-30.1.i586.rpm
python-capng-0.6.3-3.3.i586.rpm
python-selinux-2.0.91-40.3.i586.rpm
python-semanage-2.0.43-14.4.i586.rpm
python-setools-3.3.6-5.3.i586.rpm
ruby-selinux-2.0.91-40.3.i586.rpm
selinux-policy-3.6.32.suse.a2a-106.noarch.rpm
selinux-policy-targeted-3.6.32.suse.a2a-106.noarch.rpm
selinux-tools-2.0.91-32.3.i586.rpm
setools-console-3.3.6-5.3.i586.rpm
setools-devel-3.3.6-5.3.i586.rpm
setools-gui-3.3.6-5.3.i586.rpm
setools-java-3.3.6-5.3.i586.rpm
setools-libs-3.3.6-5.3.i586.rpm
setools-tcl-3.3.6-5.3.i586.rpm
setroubleshoot-2.2.64-11.1.i586.rpm
setroubleshoot-doc-2.2.64-11.1.i586.rpm
setroubleshoot-server-2.2.64-11.1.i586.rpm
usermode-1.103-2.5.i586.rpm
usermode-gtk-1.103-2.5.i586.rpm
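The .fc step from section 4 (find the label a file gets on Fedora, apply it to the openSUSE location, wrap the entry in ifdef(`distro_suse')) as an added Python example; this is not code from the page or from refpolicy. The sample entries are constructed in the services/apm.fc layout, and the "most specific entry wins, later entries win ties" rule in find_entry is my reading of how setfiles picks an entry.

```python
import re

# Constructed sample in the refpolicy .fc layout (not the real services/apm.fc):
# <path regex>   <file type>   gen_context(<user>:<role>:<type>,<mls>)
SAMPLE_FC = """\
/usr/bin/apm\t\t--\tgen_context(system_u:object_r:apm_exec_t,s0)
/usr/sbin/apmd\t\t--\tgen_context(system_u:object_r:apmd_exec_t,s0)
/var/run/apmd\\.pid\t--\tgen_context(system_u:object_r:apmd_var_run_t,s0)
/var/run/apm(/.*)?\tgen_context(system_u:object_r:apmd_var_run_t,s0)
"""

# One labeling entry: path regex, optional file-type flag (--, -d, -l, ...), gen_context(...)
FC_ENTRY = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>gen_context\([^)]*\))\s*$")

def parse_fc(text):
    """Yield (path_regex, file_type, gen_context) per entry; comments, blanks and ifdef wrapper lines are skipped."""
    for line in text.splitlines():
        m = FC_ENTRY.match(line)
        if m:
            yield m.group("regex"), m.group("ftype") or "", m.group("ctx")

def find_entry(text, path):
    """Which entry labels this concrete path? Longest literal prefix wins; later entries win ties (assumed setfiles rule)."""
    best = None
    for regex, ftype, ctx in parse_fc(text):
        if re.fullmatch(regex, path):
            literal = re.match(r"[^.^$*+?()\[\]{}|\\]*", regex).group(0)
            if best is None or len(literal) >= best[0]:
                best = (len(literal), regex, ftype, ctx)
    return best[1:] if best else None

def escape_path(path):
    """Escape regex metacharacters so a literal path can be written as an .fc entry."""
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", path)

def suse_entry(text, fedora_path, suse_path):
    """The page's step: take the label fedora_path gets and apply it to the openSUSE location, wrapped in ifdef(`distro_suse')."""
    hit = find_entry(text, fedora_path)
    if hit is None:
        raise LookupError("no .fc entry labels " + fedora_path)
    _, ftype, ctx = hit
    body = "\t".join(x for x in (escape_path(suse_path), ftype, ctx) if x)
    return "ifdef(`distro_suse',`\n%s\n')\n" % body
```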
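The "Making decisions about policy" section as an added Python example (not from the page or from any SELinux tool): it groups AVC denials the way audit2allow does, but keeps the object names, so the sbin_exec_t case (one rule opens every file with that label) and the "relabel instead of allow" case stand out before a rule is accepted. The log lines are constructed, and GENERIC_TYPES is an assumed short list of generic refpolicy types.

```python
import re
from collections import defaultdict

# Constructed /var/log/messages lines (not real captures); type names follow the page's sbin_exec_t example.
SAMPLE_AVC = """\
May  4 10:01:02 suse kernel: type=1400 audit(1273000000.123:45): avc:  denied  { execute } for  pid=2101 comm="bash" name="hwclock" dev=sda2 ino=41523 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sbin_exec_t:s0 tclass=file
May  4 10:01:03 suse kernel: type=1400 audit(1273000000.456:46): avc:  denied  { execute } for  pid=2107 comm="bash" name="fdisk" dev=sda2 ino=41580 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sbin_exec_t:s0 tclass=file
May  4 10:01:09 suse kernel: type=1400 audit(1273000001.001:47): avc:  denied  { read } for  pid=1830 comm="apmd" name="apmd.pid" dev=sda2 ino=9102 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
May  4 10:01:09 suse kernel: type=1400 audit(1273000001.002:48): avc:  denied  { write } for  pid=1830 comm="apmd" name="apmd.pid" dev=sda2 ino=9102 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

# Generic refpolicy types: a denial against these usually means the file is mislabeled (assumed list).
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "etc_t", "tmp_t", "usr_t", "bin_t", "sbin_t"}

def parse_avc(line):
    """Pull perms, object name, source/target types and class out of one AVC line; None if it is not a denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {"perms": set(m.group(1).split()), "name": fields.get("name"), "tclass": fields["tclass"],
            "stype": fields["scontext"].split(":")[2], "ttype": fields["tcontext"].split(":")[2]}

def triage(log_text):
    """Group denials like audit2allow (source type, target type, class) and remember which named objects caused them."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            g = groups[(d["stype"], d["ttype"], d["tclass"])]
            g["perms"] |= d["perms"]
            if d["name"]:
                g["names"].add(d["name"])
    return groups

def review(log_text):
    """Return (candidate allow rule, review advice) pairs, ordered by source type, for the developer to decide on."""
    out = []
    for (stype, ttype, tclass), g in sorted(triage(log_text).items()):
        rule = "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(g["perms"])))
        names = ", ".join(sorted(g["names"]))
        if "execute" in g["perms"]:
            advice = "broad: allowing execute on %s lets %s run every file with that label, not just %s; consider a new type for that executable" % (ttype, stype, names)
        elif ttype in GENERIC_TYPES:
            advice = "generic target %s: check the .fc labeling of %s before allowing this" % (ttype, names)
        else:
            advice = "review: decide whether %s really needs this; if so, add the rule to the module's .te" % stype
        out.append((rule, advice))
    return out
```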