Understanding SELinux policies

  • Check the active policy on the system using sestatus:

# sestatus | grep "Loaded policy name"

  • Get an overview of SELinux booleans using the semanage command with the boolean option:

# semanage boolean -l | grep policyload
secure_mode_policyload   (off, off)

  • Use getsebool for the same purpose:

# getsebool secure_mode_policyload
secure_mode_policyload --> off

  • If the exact name of the boolean is not known, list all booleans and filter the output:

# getsebool -a | grep policy
secure_mode_policyload --> off

  • Use the sepolicy booleans command:

# sepolicy booleans -b secure_mode_policyload

This command does not show the current value of the boolean.

  • Read the value of a boolean directly from the /sys/fs/selinux file system:

# cat /sys/fs/selinux/booleans/secure_mode_policyload
0

  • Change the value of a boolean using the setsebool command:

# setsebool httpd_can_sendmail on

  • To make the change persistent across reboots, add the -P option to setsebool:

# setsebool -P httpd_can_sendmail on

  • Another way to change and persist a boolean is semanage boolean:

# semanage boolean -m --on httpd_can_sendmail
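The commands above read and set booleans one at a time. The following script is an added example, not part of the original article: it parses the "name --> value" lines that getsebool -a prints and compares them against a small baseline of expected values, so drift (for instance httpd_can_sendmail turned on) can be spotted in a routine check. The getsebool output and the baseline are constructed sample data; on a real host the sample is replaced by the live output of getsebool -a.

```shell
#!/bin/sh
# Added example (not from the original article): compare booleans reported by
# "getsebool -a" against an expected baseline and report any drift.
# On a real host use:  current=$(getsebool -a)  instead of SAMPLE_GETSEBOOL.

# Constructed sample of getsebool -a output in its "name --> value" format.
SAMPLE_GETSEBOOL='httpd_can_sendmail --> on
httpd_read_user_content --> off
secure_mode_policyload --> off
ssh_sysadm_login --> on'

# Hypothetical baseline: "name expected_value" pairs this site considers safe.
BASELINE='httpd_can_sendmail off
httpd_read_user_content off
secure_mode_policyload off
ssh_sysadm_login off'

# boolean_value NAME OUTPUT: print the current value of NAME from getsebool
# output, or "unknown" if the boolean is not listed at all.
boolean_value() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# check_booleans OUTPUT BASELINE: print "name expected actual" for every
# boolean that deviates from the baseline; return 1 if any deviation exists.
check_booleans() {
    current=$1
    rc=0
    while read -r name expected; do
        [ -n "$name" ] || continue
        actual=$(boolean_value "$name" "$current")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$expected" "$actual"
            rc=1
        fi
    done <<EOF
$2
EOF
    return $rc
}

# Run the check on the constructed sample; a non-zero status flags drift.
if ! check_booleans "$SAMPLE_GETSEBOOL" "$BASELINE"; then
    echo "boolean drift detected"
fi
```

A boolean missing from the output is reported as "unknown" rather than silently passing, so a baseline entry for a boolean that does not exist in the loaded policy shows up as a deviation too.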

Inspecting the impact of a boolean

  • To show in detail which rules a boolean controls, use sesearch with the -b option (the boolean), the -A option (show allow rules) and the -C option (show conditional rules):

[root@localhost ~]# sesearch -b httpd_can_sendmail -AC

Found 50 semantic av rules:

DT allow httpd_sys_script_t bin_t : lnk_file { read getattr } ; [ httpd_can_sendmail ]

DT allow mta_user_agent httpd_suexec_t : fd use ; [ httpd_can_sendmail ]

...

DT - the two-letter prefix of a conditional rule. The first character gives the current state of the rule in the loaded policy (D = disabled, E = enabled), which follows from the boolean's value; the second character gives the boolean value for which the rule is enabled (T = true, F = false).


  • Check the rules applicable between the web server domain (httpd_t) and user content type (user_home_t):

[root@localhost ~]# sesearch -s httpd_t -t user_home_t -AC

Found 9 semantic av rules:

allow daemon user_home_t : file { getattr append } ;

allow httpd_t file_type : filesystem getattr ;

DT allow httpd_t user_home_type : dir { getattr search open } ; [ httpd_read_user_content ]

  • List currently loaded SELinux policy modules:

# semodule -l
abrt       1.4.1
accountsd  1.1.0
...

  • Modules are installed at a priority; a module installed at a higher priority overrides a module of the same name at a lower priority. List modules together with their priorities:

# semodule --list-modules=full
400 also        pp
400 android     pp
...

  • Generate SELinux allow rules by piping denials through the audit2allow application (inspect audit.log and find an actual policy denial before running this command; the output below is a sample):

# grep setkey /var/log/audit/audit.log | audit2allow
 
#============= setkey_t ==============
allow setkey_t newrole_t:fd use;
allow setkey_t var_t:dir search;

  • Based on the denials, two allow rules are produced. audit2allow can also package them as a SELinux policy module:

# grep setkey /var/log/audit/audit.log | audit2allow -M localpolicy
 
********** IMPORTANT **********
To make this policy package active, execute:
semodule -i localpolicy.pp
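audit2allow turns every denial it is given into an allow rule, so the denials should be reviewed before the module is built. The script below is an added example, not part of the original article: it selects AVC records by their source type instead of a bare grep for the string "setkey", and summarises the distinct (source type, target type, class, permissions) tuples with a count, which is exactly the set of rules audit2allow would emit. The audit log lines are constructed samples, not captured data; on a real host /var/log/audit/audit.log is fed in instead.

```shell
#!/bin/sh
# Added example (not from the original article): triage AVC denials before
# turning them into allow rules with audit2allow.
# On a real host:  avc_for_source_type setkey_t < /var/log/audit/audit.log | summarize_avc

# Constructed sample audit.log records (not real captured data).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1364474681.133:187): avc:  denied  { search } for  pid=3084 comm="setkey" name="var" dev="dm-0" ino=130 scontext=system_u:system_r:setkey_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1364474681.134:188): avc:  denied  { use } for  pid=3084 comm="setkey" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:setkey_t:s0 tcontext=unconfined_u:unconfined_r:newrole_t:s0 tclass=fd
type=AVC msg=audit(1364474701.500:190): avc:  denied  { search } for  pid=3090 comm="setkey" name="var" dev="dm-0" ino=130 scontext=system_u:system_r:setkey_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1364474702.001:191): avc:  denied  { read } for  pid=4100 comm="httpd" name="index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1364474702.001:191): arch=c000003e syscall=2 success=no exit=-13 comm="setkey"'

# avc_for_source_type TYPE: keep only AVC records whose scontext type is TYPE.
# Anchoring on scontext= is stricter than "grep setkey", which also matches
# non-AVC records (the SYSCALL line above) and any tcontext mentioning setkey.
avc_for_source_type() {
    grep -E "^type=AVC .*scontext=[^ ]*:$1:"
}

# summarize_avc: read AVC records on stdin and print one line per distinct
# "source target class {perms}" tuple, prefixed with how often it was denied.
summarize_avc() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        count[s[3] " " t[3] " " cls " {" perms "}"]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Summarise the setkey_t denials in the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_for_source_type setkey_t | summarize_avc
```

Each summary line corresponds to one rule audit2allow would generate; the count shows how often it fired, and an unexpected target type (here, for instance, newrole_t) is the cue to fix a label or a configuration rather than to allow the access.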