From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1RF8Ii-0002fr-8L for garchives@archives.gentoo.org; Sat, 15 Oct 2011 17:45:36 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 416EC21C206; Sat, 15 Oct 2011 17:43:14 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 0300921C203 for ; Sat, 15 Oct 2011 17:43:13 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 645461B4015 for ; Sat, 15 Oct 2011 17:43:13 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id 7C48B80042 for ; Sat, 15 Oct 2011 17:43:12 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <77a5cb36d533f0b6d1d34563bc59b5d523ad1c41.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-using-policies.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 77a5cb36d533f0b6d1d34563bc59b5d523ad1c41 Date: Sat, 15 Oct 2011 17:43:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: bcc2edfec4f1f84f4ec3137c0b81a9b7 commit: 77a5cb36d533f0b6d1d34563bc59b5d523ad1c41 Author: Sven Vermeulen siphos be> AuthorDate: Sat Oct 15 17:42:58 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 15 17:42:58 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D77a5cb36 Finishing on policy chapter --- xml/selinux/hb-using-policies.xml | 159 +++++++++++++++++++++++++++++++= +++++- 1 files changed, 157 insertions(+), 2 deletions(-) diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-pol= icies.xml index 44d7b1f..5d5f008 100644 --- a/xml/selinux/hb-using-policies.xml +++ b/xml/selinux/hb-using-policies.xml @@ -177,11 +177,166 @@ Needless to say, we do not recommend to grant this= to a regular user ;-) =20
-Building a SELinux Policy Module +Full SELinux Policy Modules -Creating an Isolated Module +Checking Out an Isolated Module =20 +

+With the above in mind, we can now go one step further and investigate a= full +policy module, with both the type enforcement rules (.te fi= le), +file contexts (.fc) and interfaces (.if). +

+ +

+You should know that writing a module requires you to get intimate with = the +application. It isn't a matter of just hoping for the best: as a securit= y +administrator, you will be responsible for defining what accesses are al= lowed +and which not. If you forget one, the application might break under the = users' +hands. But if you add too much, you might grant privileges that can be a= bused +later on. And it will be a lot more difficult to track and remove privil= eges +later as you will be hesitating if the privilege is needed or not. +

+ +

+In this section, we will not divulge in how to write one. We have an exc= ellent +Gentoo Hardened = SELinux +Development resource that guides you in that. However, we will loo= k into +such a full module to explain the other aspects of policy development. +

+ + + + +Type Enforcement File + + +

+The .te file we wrote earlier is a type enforcement file= . +Its purpose is to define the access rules related to the module that you= are +building, but also - and more importantly - define new types (or even ro= les). +

+ +

+The example below is a snippet from a module for the skype application. +

+ +
+policy_module(skype, 1.0.0)
+
+type skype_t;
+type skype_exec_t;
+application_domain(skype_t, skype_exec_t)
+
+type skype_home_t;
+userdom_user_home_content(skype_home_t)
+
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
+manage_files_pattern(skype_t, skype_home_t, skype_home_t)
+
+ +

+In the above example, three new types are declared: skype_t (whic= h will +be used for the application), skype_exec_t (which is the label gi= ven to +the application binary) and skype_home_t (which will be used for = the +users' ~/.Skype location). Also, the skype_t domain = is given +some privileges with respect to the skype_home_t label (manage +directories and files). +

+ + + + +File Context File + + +

+In the .fc file (which stands for file context file)= the +module's resources (files, directories, sockets, ...) are defined. Once = the +module is loaded, these rules are added so that file system relabeling w= ill put +the correct context on the files. +

+ +

+The example below is a snippet from the skype modules' file context file= . +

+ +
+HOME_DIR/\.Skype(/.*)?    gen_context(system_u:object_r:skype_home_t,s0)
+/opt/skype/skype       -- gen_context(system_u:object_r:skype_exec_t,s0)
+/usr/bin/skype         -- gen_context(system_u:object_r:skype_exec_t,s0)
+
+ +

+The format of the file context file has the following syntax: +

+ +
    +
  1. + The regular expression that matches the file(s) and directorie(s) af= fected + by that line +
    2. +
  2. + An optional identifier to differentiate the type of files (file, dir= ectory, + socket, symbolic link, ...) +
    3. +
  3. + A gen_context line that contains the context to assign to the= file(s) + and directorie(s) +
    4. +
+ + + + +Interface File + + +

+In the .if file (for interface file) interfaces are = declared +which can be used by other modules. It is through interfaces that a nice= ly +defined policy can be built on top of other, existing policy modules. +

+ +

+One interface could be to allow users to call and execute an application= . For +instance, the following interface can be found in the skype module. +

+ +
+interface(`skype_role',`
+        gen_require(`
+                type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
+        ')
+
+        role $1 types skype_t;
+
+        domtrans_pattern($2, skype_exec_t, skype_t)
+
+        allow $2 skype_t:process { ptrace signal_perms };
+
+        manage_dirs_pattern($2, skype_home_t, skype_home_t)
+        manage_files_pattern($2, skype_home_t, skype_home_t)
+        manage_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+        relabel_dirs_pattern($2, skype_home_t, skype_home_t)
+        relabel_files_pattern($2, skype_home_t, skype_home_t)
+        relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+        ps_process_pattern($2, skype_t)
+')
+
+ +

+Through this skype_role, we can then allow users to call skype, a= s can be +found in the unprivuser.te file (which defines the user_t d= omain): +

+ +
+optional_policy(`
+	skype_role(user_r, user_t)
+')
+
=20