Understanding SELinux policies


  • Check the active policy on the system using sestatus:

# sestatus | grep "Loaded policy name"

  • Get an overview of SELinux booleans using the semanage command with the boolean option:

# semanage boolean -l | grep policyload
secure_mode_policyload   (off, off)

  • Use getsebool for the same purpose:

# getsebool secure_mode_policyload
secure_mode_policyload --> off

  • If the exact name of the boolean is not known, list all booleans and filter the output:

# getsebool -a | grep policy
secure_mode_policyload --> off

  • Use the sepolicy booleans command:

# sepolicy booleans -b secure_mode_policyload

This command does not show the current value of the boolean.

  • Read the value of a boolean directly from the /sys/fs/selinux file system:

# cat /sys/fs/selinux/booleans/secure_mode_policyload
0

  • Change the value of a boolean using the setsebool command:

# setsebool httpd_can_sendmail on

  • To keep the change permanently, add the -P option to setsebool:

# setsebool -P httpd_can_sendmail on

  • Another way to change and persist a boolean setting is to use semanage boolean:

# semanage boolean -m --on httpd_can_sendmail


Inspecting the impact of a boolean


  • To show the rules a boolean controls in detail, use the -b option (the boolean), the -A option (show allow rules) and the -C option (show conditional rules):

[root@localhost ~]# sesearch -b httpd_can_sendmail -AC
Found 50 semantic av rules:
DT allow httpd_sys_script_t bin_t : lnk_file { read getattr } ; [ httpd_can_sendmail ]
DT allow mta_user_agent httpd_suexec_t : fd use ; [ httpd_can_sendmail ]
...

DT: the first character reflects the state of the boolean in the policy, i.e. whether the rule is currently enabled (D = disabled, E = enabled); the second character shows when the rule is enabled (T = in the true branch of the boolean, F = in the false branch).



  • Check the rules applicable between the web server domain (httpd_t) and the user content type (user_home_t):

[root@localhost ~]# sesearch -s httpd_t -t user_home_t -AC
Found 9 semantic av rules:
allow daemon user_home_t : file { getattr append } ;
allow httpd_t file_type : filesystem getattr ;
DT allow httpd_t user_home_type : dir { getattr search open } ; [ httpd_read_user_content ]
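The two sesearch listings above only make sense once the flag pair in front of each conditional rule is decoded. The following Python script is an added example, not code from the original page or from the setools project: it parses lines in the setools-3 "sesearch -AC" output format, turns the DT/ET/DF/EF prefix into "enabled or disabled" plus "which branch of the boolean", and then reports which permissions a source domain effectively has on a target type under the current boolean values. The sample listing embedded in it is constructed to cover every flag combination; the rule set, and the helper names parse_rule, explain and effective_access, are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the setools-3 "sesearch -AC" output format seen in the
# listings above. Not captured from a real system: the rule set is made up so
# that every flag combination (DT, ET, DF, EF) appears once.
SAMPLE_SESEARCH = """\
Found 5 semantic av rules:
allow httpd_t file_type : filesystem getattr ;
DT allow httpd_t user_home_type : dir { getattr search open } ; [ httpd_read_user_content ]
EF allow httpd_t user_home_type : dir { getattr } ; [ httpd_read_user_content ]
ET allow httpd_sys_script_t bin_t : lnk_file { read getattr } ; [ httpd_can_sendmail ]
DF allow httpd_t mail_spool_t : dir { search } ; [ httpd_can_sendmail ]
"""

# Optional two-letter flag, then "allow SRC TGT : CLASS { perms } ; [ cond ]"
RULE_RE = re.compile(
    r"^(?:(?P<flags>[ED][TF]) )?"
    r"allow (?P<source>\S+) (?P<target>\S+) : (?P<tclass>\S+) "
    r"(?:\{ (?P<permset>[^}]*) \}|(?P<perm>\S+)) ;"
    r"(?: \[ (?P<cond>.+?) \])?$"
)


@dataclass(frozen=True)
class AVRule:
    source: str
    target: str
    tclass: str
    perms: frozenset
    cond: Optional[str] = None          # boolean expression; None if unconditional
    enabled: bool = True                # first flag char: E = enabled, D = disabled
    true_branch: Optional[bool] = None  # second flag char: T/F branch; None if unconditional


def parse_rule(line: str) -> Optional[AVRule]:
    """Parse one sesearch output line; returns None for headers and noise."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    perms = (m["permset"] or m["perm"]).split()
    flags = m["flags"]
    return AVRule(
        source=m["source"],
        target=m["target"],
        tclass=m["tclass"],
        perms=frozenset(perms),
        cond=m["cond"],
        enabled=(flags is None or flags[0] == "E"),
        true_branch=None if flags is None else flags[1] == "T",
    )


def parse_sesearch(text: str) -> list:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def explain(rule: AVRule) -> str:
    """Render the flag pair as a sentence, mirroring the DT note above."""
    if rule.cond is None:
        return "unconditional rule, always enabled"
    branch = "true" if rule.true_branch else "false"
    state = "enabled" if rule.enabled else "disabled"
    return f"currently {state}; applies when {rule.cond} is {branch}"


def effective_access(rules, source: str, target: str) -> dict:
    """Permissions `source` actually has on `target` right now, per object class,
    counting only rules that are enabled under the current boolean values."""
    access = {}
    for r in rules:
        if r.source == source and r.target == target and r.enabled:
            access.setdefault(r.tclass, set()).update(r.perms)
    return {cls: frozenset(p) for cls, p in access.items()}


if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE_SESEARCH)
    for r in rules:
        print(f"{r.source} -> {r.target} ({r.tclass}): {explain(r)}")
    print(effective_access(rules, "httpd_t", "user_home_type"))
```

With the constructed sample, httpd_t is left with only getattr on user_home_type directories, because the broader DT rule is in the true branch of httpd_read_user_content and that boolean is currently off; the EF rule in the false branch is the one in force. Feeding real "sesearch -s DOMAIN -t TYPE -AC" output into parse_sesearch gives the same picture for a live system.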


  • List the currently loaded SELinux policy modules:

# semodule -l
abrt       1.4.1
accountsd  1.1.0
...

  • Modules can be loaded with a higher priority, overriding previously loaded modules, or with a lower priority:

# semodule --list-modules=full
400 also        pp
400 android     pp
...

  • Generate SELinux policy allow rules by piping the denials through the audit2allow application (inspect audit.log and find a policy denial before running this command; the output below is a sample):

# grep setkey /var/log/audit/audit.log | audit2allow

#============= setkey_t ==============
allow setkey_t newrole_t:fd use;
allow setkey_t var_t:dir search;

  • Based on the denials, two allow rules are prepared. audit2allow can also be asked to build a SELinux policy module:

# grep setkey /var/log/audit/audit.log | audit2allow -M localpolicy

********** IMPORTANT **********
To make this policy package active, execute:
semodule -i localpolicy.pp
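To see what audit2allow does with the grepped denials before a generated module is loaded, here is an added Python example (not code from the original page and not audit2allow's own implementation) that performs the same first step: it extracts the source type, target type, object class and denied permissions from AVC records in audit.log format, merges all denials for the same (source, target, class) into one allow rule, and prints them under the per-domain header used in the listing above. The audit records embedded in it are constructed (timestamps, pids, inode numbers and the extra httpd denial are made up); the function names parse_denials, allow_rules and render, and the optional comm filter that stands in for "grep setkey", are assumptions of this example. Reviewing the merged rules this way shows exactly what a module would grant, which is the check worth doing before "semodule -i".

```python
import re
from collections import defaultdict

# Constructed AVC denial records in audit.log format. Not captured from a real
# system: timestamps, pids and inode numbers are made up, but the setkey_t
# contexts correspond to the two rules in the audit2allow listing above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1364475353.808:14676): avc:  denied  { use } for  pid=2345 comm="setkey" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:setkey_t:s0 tcontext=unconfined_u:unconfined_r:newrole_t:s0-s0:c0.c1023 tclass=fd permissive=0
type=SYSCALL msg=audit(1364475353.808:14676): arch=c000003e syscall=59 success=no exit=-13 comm="setkey" exe="/usr/sbin/setkey" subj=system_u:system_r:setkey_t:s0 key=(null)
type=AVC msg=audit(1364475354.001:14677): avc:  denied  { search } for  pid=2345 comm="setkey" name="var" dev="dm-0" ino=128 scontext=system_u:system_r:setkey_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1364475360.120:14690): avc:  denied  { read } for  pid=2345 comm="setkey" name="var" dev="dm-0" ino=128 scontext=system_u:system_r:setkey_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1364475370.500:14702): avc:  denied  { getattr } for  pid=2611 comm="httpd" path="/home/alice/public_html" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
"""

# Denied permission set plus the three fields a rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_denials(text: str, comm: str = None) -> list:
    """Return (source_type, target_type, tclass, perms) for each AVC denial.
    `comm` restricts the result to one process name, like grepping audit.log."""
    out = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL, CWD, PATH ... records carry no denial
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                    m["tclass"], set(m["perms"].split())))
    return out


def allow_rules(denials) -> list:
    """Merge denials into one allow rule per (source, target, class), the way
    the audit2allow output above groups them."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules


def render(rules) -> str:
    """Group rules under a per-source-domain header like audit2allow prints."""
    by_src = defaultdict(list)
    for r in rules:
        by_src[r.split()[1]].append(r)
    blocks = [f"#============= {src} ==============\n" + "\n".join(by_src[src])
              for src in sorted(by_src)]
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(render(allow_rules(parse_denials(SAMPLE_AUDIT_LOG, comm="setkey"))))
```

Run against the constructed log with comm="setkey", the script yields the fd rule from the listing plus a merged "allow setkey_t var_t:dir { read search };", since two separate denials on the same directory type collapse into one rule; dropping the comm filter pulls in the unrelated httpd_t denial as well, which is why the page greps for the process of interest first.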