Monthly Archives: February 2011

Create a non-base policy template for SELinux

Posted on by

Those who use SELinux sometimes come across with application with a specific security context type, try to access a resource that belongs to another security context type, this will result in SELinux denying access to the resource even if permissions are set to 777 and you change the owner:group of the resource.

Lets have the following example, the vsftd daemon needs to read index.html that belongs to httpd daemon and is marked as httpd_sys_content_t security context.

root# ls -Z
-rw-r--r-- userA userA user_u:object_r:httpd_sys_content_t index.html

Doing if you look into the audit log you will find something similar to the following:

root# tail audit.log
type=AVC msg=audit(1297255596.902:49856): avc: denied { search } for pid=4830 comm="vsftpd" name="html" dev=dm-0 ino=13668059 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir

At this stage you can use audit2allow to help you creating the vsftpd.te file

root# audit2allow > audit.log
#============= ftpd_t ==============
allow ftpd_t httpd_sys_content_t:dir search;

Below is a more complete vsftd.te file, to allow ftpd read, write etc on files and directories, system wide, that belong to the httpd_sys_content_t type.

module vsftpd 1.0;

require {
type ftpd_t;
type httpd_sys_content_t;
class dir { read write search getattr add_name remove_name create rmdir};
class file { lock read write getattr create append unlink rename};
}

#============= ftpd_t ==============
allow ftpd_t httpd_sys_content_t:dir { read write search getattr add_name remove_name create rmdir};
allow ftpd_t httpd_sys_content_t:file { lock read write getattr create append unlink rename};

now that we have our vsftpd.te file we need to transform it into a module(.mod) then into a policy packet(.pp) and finaly load it

root# checkmodule -M -m -o vsftpd.mod vsftpd.te
checkmodule: loading policy configuration from vsftpd.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to vsftpd.mod
root# semodule_package -o vsftpd.pp -m vsftpd.mod
root# semodule -i vsftpd.pp

Or if you’re a lazy admin as myself you can use the follwing script, you just need to create the vsftpd.te file and run it passing the name of the module

#!/bin/bash
MODNAME= $1
if [ ! -f ${MODNAME}.te ];
then
        echo Couldn't find the ${MODNAME}.te, non-base policy module
        exit 1
fi
checkmodule -M -m -o ${MODNAME}.mod ${MODNAME}.te
if [ $? -gt 0 ];
then
        echo Error processing ${MODNAME}.te
        exit 1
fi
semodule_package -o ${MODNAME}.pp -m ${MODNAME}.mod
if [ $? -gt 0 ];
then
        echo Error creating policy module packet ${MODNAME}.pp
        exit 1
fi
semodule -i ${MODNAME}.pp
if [ $? -gt 0 ];
then
        echo Error installing policy module ${MODNAME}.pp
        exit 1
fi