From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1RF7nN-00033D-2F for garchives@archives.gentoo.org; Sat, 15 Oct 2011 17:13:13 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3800E21C10D; Sat, 15 Oct 2011 17:12:56 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id DDA2121C10D for ; Sat, 15 Oct 2011 17:12:55 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 41E4C1B400A for ; Sat, 15 Oct 2011 17:12:55 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id 6D3C680042 for ; Sat, 15 Oct 2011 17:12:54 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <8ef9da11964e1f4bf473695e1852882f7179f8d2.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-using-policies.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 8ef9da11964e1f4bf473695e1852882f7179f8d2 Date: Sat, 15 Oct 2011 17:12:54 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: f3b68bc2649f45e5dc73c768e6ece695 commit: 8ef9da11964e1f4bf473695e1852882f7179f8d2 Author: Sven Vermeulen siphos be> AuthorDate: Sat Oct 15 17:12:40 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 15 17:12:40 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D8ef9da11 Update on policy documentation --- xml/selinux/hb-using-policies.xml | 189 +++++++++++++++++++++++++++++++= ++++++ 1 files changed, 189 insertions(+), 0 deletions(-) diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-pol= icies.xml new file mode 100644 index 0000000..44d7b1f --- /dev/null +++ b/xml/selinux/hb-using-policies.xml @@ -0,0 +1,189 @@ + + + + + + + + + +1 +2011-10-15 + +
+SELinux Policy Language + +Introduction + + +

+By default, Gentoo provides a generic, yet tightly controlled policy whi= ch is +deemed a good start policy for the majority of users. However, the purpo= se +behind a Mandatory Access Control system is to put the security administ= rator in +control. As such, a handbook on SELinux without information on how to wr= ite +policies wouldn't be complete. +

+ +

+In this chapter, we'll talk a bit about the language behind SELinux poli= cies and +give some pointers on how to create your own policies, roles, etc. +

+ + +
+ +Building a SELinux Module + + +

+First, before we go into the art of SELinux policy writing, let's first = make a +small SELinux module with a rule we can test, build the module and see i= f things +work. Although these steps are fairly easy, they are important nonethele= ss. +Modifying the SELinux policy as offered by Gentoo is best done through +additional SELinux policy modules. Only when the core policy (the base p= olicy) +is not to your liking should you see on using a totally different policy= . +

+ +

+Let's start with a skeleton for a policy module we'll call testmod. +

+ +
+policy_module(testmod, 1.0.0)
+
+ +

+Yes, that's it. But as you can see, it is fairly empty. So let's add a r= ule that +allows a regular user (in the user_t domain) to read ebuild files (of ty= pe +portage_ebuild_t). +

+ +
+policy_module(testmod, 1.0.0)
+
+require {
+  type user_t;
+  type portage_ebuild_t;
+  class file { read open getattr };
+  class dir { read search open getattr };
+}
+
+allow user_t portage_ebuild_t:file { read open getattr };
+allow user_t portage_ebuild_t:dir { read search open getattr };
+
+ +

+As you can see, something as simple as allowing a user to read a file re= quires +quite a few privileges. The directory privileges are needed to allow a u= ser to +navigate through the Portage tree structure whereas the file privileges = are +needed for a user to be able to access and open the ebuilds. Save this f= ile as +testmod.te. +

+ +

+To build the policy and convert it into the binary module that we can lo= ad into +the SELinux policy store, we can use the Makefile available= in +/usr/share/selinux/strict/include (substitute strict with t= he +SELinux policy type you are using). +

+ +
+$ make -f /usr/share/selinux/struct/include/Makefile testmod.pp
+
+ +

+The filename (testmod.pp) is the destination binary SELinux= module +name. The Makefile will automatically look for the +testmod.te file you have in the working directory. +

+ +

+As a result, you should now have a file called testmod.pp. = This +module file can now be loaded in the SELinux policy store as follows: +

+ +
+# semodule -i /path/to/testmod.pp
+
+ +

+Congratulations! You have now build your first SELinux policy module. If= you +want to disable it, remove it through semodule -r testmod. +

+ +

+This method of building a policy (using the Makefile and +semodule) is something that you will need to do every time you wa= nt to +update the SELinux policy on your system. The contents of the policy how= ever +does change as we will see in the rest of this document. +

+ + +
+ +Getting the SELinux Policy Interfaces + + +

+To streamline policy development, the SELinux policy based on the refere= nce +policy uses interfaces to access privileges within a module. If you have= built +selinux-base-policy with USE=3D"doc" then this infor= mation is +available at +/usr/share/doc/selinux-base-policy-<version>/html. It= is +recommended to have this information at hand, since most policy +development/updates will be done through the interfaces offered by the p= olicy. +

+ +

+If you are just interested, you can also find these interface definition= s online. Mind yo= u though, +the online resource is only the reference policy and might differ a bit = from the +policy available within Gentoo. +

+ + +
+ +Using Policy Interfaces + + +

+Using the policy interfaces allows you to update the policy with more re= adable +functions. For instance, to allow the user_t domain to call and use Port= age +applications, the module could look like so: +

+ +
+policy_module(testmod, 1.0.0)
+
+require {
+  type user_t;
+  role user_r;
+}
+
+portage_run(user_t, user_r)
+
+ +

+Of course, this makes the user_t domain much more privileged than the pr= eviously +defined rules to read ebuild files: it allows the user to call portage, = update +the system, etc. Of course, the user still requires the proper regular L= inux +permissions (so he needs to be part of the portage group or become root)= . +Needless to say, we do not recommend to grant this to a regular user ;-) +

+ + +
+
+ +
+Building a SELinux Policy Module + +Creating an Isolated Module + + + + + +
+
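Review bot: the build command in the "Building a SELinux Module" section uses the path `/usr/share/selinux/struct/include/Makefile` ("struct"), while the paragraph just before it and the rest of the chapter refer to `/usr/share/selinux/strict/include`; a reader copying the command as written will get a missing-Makefile error, so it should read `$ make -f /usr/share/selinux/strict/include/Makefile testmod.pp`. A few wording fixes in the same file while you are at it: "should you see on using a totally different policy" reads better as "should you consider using a totally different policy"; "You have now build your first SELinux policy module" should be "You have now built"; "The contents of the policy however does change" should be "do change"; and "we do not recommend to grant this to a regular user" should be "we do not recommend granting this to a regular user".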