public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Sat, 15 Oct 2011 17:12:54 +0000 (UTC)	[thread overview]
Message-ID: <8ef9da11964e1f4bf473695e1852882f7179f8d2.SwifT@gentoo> (raw)

commit:     8ef9da11964e1f4bf473695e1852882f7179f8d2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 17:12:40 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 17:12:40 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8ef9da11

Update on policy documentation

---
 xml/selinux/hb-using-policies.xml |  189 +++++++++++++++++++++++++++++++++++++
 1 files changed, 189 insertions(+), 0 deletions(-)

diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
new file mode 100644
index 0000000..44d7b1f
--- /dev/null
+++ b/xml/selinux/hb-using-policies.xml
@@ -0,0 +1,189 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
+
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
+
+<sections>
+<version>1</version>
+<date>2011-10-15</date>
+
+<section>
+<title>SELinux Policy Language</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+By default, Gentoo provides a generic, yet tightly controlled policy which is
+deemed a good start policy for the majority of users. However, the purpose
+behind a Mandatory Access Control system is to put the security administrator in
+control. As such, a handbook on SELinux without information on how to write
+policies wouldn't be complete.
+</p>
+
+<p>
+In this chapter, we'll talk a bit about the language behind SELinux policies and
+give some pointers on how to create your own policies, roles, etc.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Building a SELinux Module</title>
+<body>
+
+<p>
+First, before we go into the art of SELinux policy writing, let's first make a
+small SELinux module with a rule we can test, build the module and see if things
+work. Although these steps are fairly easy, they are important nonetheless.
+Modifying the SELinux policy as offered by Gentoo is best done through
+additional SELinux policy modules. Only when the core policy (the base policy)
+is not to your liking should you see on using a totally different policy.
+</p>
+
+<p>
+Let's start with a skeleton for a policy module we'll call <e>testmod</e>.
+</p>
+
+<pre caption="Policy module skeleton">
+policy_module(testmod, 1.0.0)
+</pre>
+
+<p>
+Yes, that's it. But as you can see, it is fairly empty. So let's add a rule that
+allows a regular user (in the user_t domain) to read ebuild files (of type
+portage_ebuild_t).
+</p>
+
+<pre caption="Policy module testmod">
+policy_module(testmod, 1.0.0)
+
+require {
+  type user_t;
+  type portage_ebuild_t;
+  class file { read open getattr };
+  class dir { read search open getattr };
+}
+
+allow user_t portage_ebuild_t:file { read open getattr };
+allow user_t portage_ebuild_t:dir { read search open getattr };
+</pre>
+
+<p>
+As you can see, something as simple as allowing a user to read a file requires
+quite a few privileges. The directory privileges are needed to allow a user to
+navigate through the Portage tree structure whereas the file privileges are
+needed for a user to be able to access and open the ebuilds. Save this file as
+<path>testmod.te</path>.
+</p>
+
+<p>
+To build the policy and convert it into the binary module that we can load into
+the SELinux policy store, we can use the <path>Makefile</path> available in
+<path>/usr/share/selinux/strict/include</path> (substitute strict with the
+SELinux policy type you are using).
+</p>
+
+<pre caption="Building a binary policy module">
+$ <i>make -f /usr/share/selinux/struct/include/Makefile testmod.pp</i>
+</pre>
+
+<p>
+The filename (<path>testmod.pp</path>) is the destination binary SELinux module
+name. The <path>Makefile</path> will automatically look for the
+<path>testmod.te</path> file you have in the working directory.
+</p>
+
+<p>
+As a result, you should now have a file called <path>testmod.pp</path>. This
+module file can now be loaded in the SELinux policy store as follows:
+</p>
+
+<pre caption="Loading a binary module">
+# <i>semodule -i /path/to/testmod.pp</i>
+</pre>
+
+<p>
+Congratulations! You have now build your first SELinux policy module. If you
+want to disable it, remove it through <c>semodule -r testmod</c>.
+</p>
+
+<p>
+This method of building a policy (using the <path>Makefile</path> and
+<c>semodule</c>) is something that you will need to do every time you want to
+update the SELinux policy on your system. The contents of the policy however
+does change as we will see in the rest of this document.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Getting the SELinux Policy Interfaces</title>
+<body>
+
+<p>
+To streamline policy development, the SELinux policy based on the reference
+policy uses interfaces to access privileges within a module. If you have built
+<path>selinux-base-policy</path> with <c>USE="doc"</c> then this information is
+available at
+<path>/usr/share/doc/selinux-base-policy-&lt;version&gt;/html</path>. It is
+recommended to have this information at hand, since most policy
+development/updates will be done through the interfaces offered by the policy.
+</p>
+
+<p>
+If you are just interested, you can also find these interface definitions <uri
+link="http://oss.tresys.com/docs/refpolicy/api/">online</uri>. Mind you though,
+the online resource is only the reference policy and might differ a bit from the
+policy available within Gentoo.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Using Policy Interfaces</title>
+<body>
+
+<p>
+Using the policy interfaces allows you to update the policy with more readable
+functions. For instance, to allow the user_t domain to call and use Portage
+applications, the module could look like so:
+</p>
+
+<pre caption="Example policy to allow user_t to use portage">
+policy_module(testmod, 1.0.0)
+
+require {
+  type user_t;
+  role user_r;
+}
+
+portage_run(user_t, user_r)
+</pre>
+
+<p>
+Of course, this makes the user_t domain much more privileged than the previously
+defined rules to read ebuild files: it allows the user to call portage, update
+the system, etc. Of course, the user still requires the proper regular Linux
+permissions (so he needs to be part of the portage group or become root).
+Needless to say, we do not recommend to grant this to a regular user ;-)
+</p>
+
+</body>
+</subsection>
+</section>
+
+<section>
+<title>Building a SELinux Policy Module</title>
+<subsection>
+<title>Creating an Isolated Module</title>
+<body>
+
+
+</body>
+</subsection>
+</section>
+</sections>
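Review bot: the build command in the "Building a binary policy module" block is wrong: it reads `make -f /usr/share/selinux/struct/include/Makefile testmod.pp`, but the paragraph directly above it names the directory as /usr/share/selinux/strict/include, so "struct" is a typo and anyone copying the command will get a "No such file" failure; it should be `make -f /usr/share/selinux/strict/include/Makefile testmod.pp`. The new "Building a SELinux Policy Module" section ships with an empty "Creating an Isolated Module" body, which will render as a blank subsection and also duplicates the title of the earlier "Building a SELinux Module" subsection; either land the content with it or leave the section out until it is written. The $Header comment still points at hb-using-commands.xml rather than this file. Wording nits: "should you see on using a totally different policy" should be "look into using", "You have now build your first" should be "built", and "The contents of the policy however does change" should be "do change".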


