SELinux Policies

Understanding SELinux policies

  • Check the active policy on the system using sestatus:
    # sestatus | grep "Loaded policy name"
  • Get an overview of SELinux booleans using the semanage command with the boolean option:
    # semanage boolean -l | grep policyload
    secure_mode_policyload   (off, off)
  • Use getsebool for the same purpose:
    # getsebool secure_mode_policyload
    secure_mode_policyload --> off
  • If the exact name of the boolean is not known, list all booleans and filter the output:
    # getsebool -a | grep policy
    secure_mode_policyload --> off
  • Use the sepolicy booleans command:
    # sepolicy booleans -b secure_mode_policyload

    This command does not show the current value of the boolean.

  • Read the /sys/fs/selinux file system to fetch the value of a boolean:
    # cat /sys/fs/selinux/booleans/secure_mode_policyload
    0
  • Change the value of a boolean using the setsebool command:
    # setsebool httpd_can_sendmail on
  • To make the change persistent, add the -P option to setsebool:
    # setsebool -P httpd_can_sendmail on
  • Another way to change and persist a boolean setting is semanage boolean:
    # semanage boolean -m --on httpd_can_sendmail

Inspecting the impact of a boolean

  • To show detailed information about a boolean, use sesearch with the -b option (the boolean), the -A option (show allow rules), and the -C option (show conditional rules):
    [root@localhost ~]# sesearch -b httpd_can_sendmail -AC
    Found 50 semantic av rules:
    DT allow httpd_sys_script_t bin_t : lnk_file { read getattr } ; [ httpd_can_sendmail ]
    DT allow mta_user_agent httpd_suexec_t : fd use ; [ httpd_can_sendmail ]
    ...

    The DT prefix shows the state of the boolean in the policy (first character) and the boolean state under which the rule is enabled (second character).

  • Check the rules applicable between the web server domain (httpd_t) and the user content type (user_home_t):
    [root@localhost ~]# sesearch -s httpd_t -t user_home_t -AC
    Found 9 semantic av rules:
    allow daemon user_home_t : file { getattr append } ;
    allow httpd_t file_type : filesystem getattr ;
    DT allow httpd_t user_home_type : dir { getattr search open } ; [ httpd_read_user_content ]

  • List the currently loaded SELinux policy modules:
    # semodule -l
    abrt       1.4.1
    accountsd  1.1.0
    ...
  • Modules can be loaded with a higher priority, overriding previously loaded modules of the same name, or with a lower priority; the full listing shows each module's priority:
    # semodule --list-modules=full
    400 also        pp
    400 android     pp
    ...
  • Generate SELinux allow rules by piping the denials through audit2allow (inspect audit.log and understand the policy denial before running this command; the output below is sample output):
    # grep setkey /var/log/audit/audit.log | audit2allow

    #============= setkey_t ==============
    allow setkey_t newrole_t:fd use;
    allow setkey_t var_t:dir search;
  • Based on the denials, two allow rules are prepared. audit2allow can also build a SELinux policy module from them:
    # grep setkey /var/log/audit/audit.log | audit2allow -M localpolicy

    ********** IMPORTANT **********
    To make this policy package active, execute:
    semodule -i localpolicy.pp
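The review step above (reading the denials before letting audit2allow turn them into rules) can be scripted. The following is an added example, not code from the original page or from audit2allow: it reduces raw AVC lines to the "allow src tgt:class perms;" shape audit2allow emits, with a hit count per distinct rule. The audit lines embedded in it are constructed for the example, not a real capture.

```sh
#!/bin/sh
# Added example, not from the original page: summarise AVC denials from
# audit.log in the "allow <src> <tgt>:<class> <perms>;" shape audit2allow
# produces, with a hit count per distinct rule, so each candidate rule
# can be reviewed before any module is generated.

# Constructed sample of four audit.log lines (not a real capture). Lines 1
# and 3 describe the same denial and should collapse into one rule.
SAMPLE_AUDIT='type=AVC msg=audit(1569067200.101:301): avc:  denied  { search } for  pid=2210 comm="setkey" name="lib" dev="dm-0" ino=128 scontext=system_u:system_r:setkey_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1569067200.102:302): avc:  denied  { use } for  pid=2210 comm="setkey" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:setkey_t:s0 tcontext=unconfined_u:unconfined_r:newrole_t:s0 tclass=fd permissive=0
type=AVC msg=audit(1569067200.103:303): avc:  denied  { search } for  pid=2210 comm="setkey" name="lib" dev="dm-0" ino=128 scontext=system_u:system_r:setkey_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1569067200.104:304): avc:  denied  { read open } for  pid=3112 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: read raw audit lines on stdin and print one line per
# distinct (source type, target type, class, permissions) tuple:
#   <count> allow <source type> <target type>:<class> <perms>;
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] /, "", perms)   # keep the text after "{ "
        sub(/ [}].*/, "", perms)           # drop everything from " }" on
        if (perms ~ / /) perms = "{ " perms " }"   # several permissions
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            # The type is the third colon-separated field of a context.
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt ":" cls " " perms]++
    }
    END { for (k in count) printf "%d allow %s;\n", count[k], k }' | sort
}

# sample_summary: run the summary over the constructed sample above.
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}

sample_summary
```

The httpd_t line in the sample maps onto the httpd_read_user_content boolean shown in the sesearch output earlier, so that denial is answered by enabling the boolean rather than by a custom allow rule.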
September 21, 2019
