Author: Benjamin D. Thomas
Openswan, Xmail, Ethereal, perl, openvpn, thunderbird, xmovie, mplayer, and
ffmpeg. The distributors include Debian, Gentoo, Mandriva.

SELinux Policy Development: Modifying Policy
By: Pax Dickenson
Once you have your list of all your allow statements, examine them carefully
and try to understand what you are allowing before adding them to policy. One
weakness of audit2allow is that it is unaware of macros contained in the policy,
so grep through your policy sources for allow statements close to the ones you'd
like to add and try to find appropriate macros to use instead. If you're planning
on doing a lot of policy customization it's a good idea to familiarize yourself
with the existing policy sources so you're aware of what macros are available.
$policy/policy/support/obj_perm_sets.spt is one good place to start: it
contains macros that expand to useful permission groupings. For example,
rather than allowing a domain the ioctl, read, getattr, lock, write, and append
permissions on a given type, you can simply use the rw_file_perms macro
instead. This keeps the policy readable later on. Do check the macro's expansion
before using it, though: a macro usually grants more than the minimal set
audit2allow emitted, so make sure every extra permission is one you actually
intend the domain to have.
Once you have generated your needed allow statements, add them to the $policy/policy/modules/admin/local.te
file and recompile the policy. If your application still won’t work in enforcing
mode, just repeat the process until you can run it with no SELinux audit errors.
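The folding step described above, as an added example that is not part of the article and is not the audit2allow tool itself. The script parses a few constructed AVC denial lines (the type names myapp_t, myapp_conf_t, myapp_log_t and the audit lines are made up for illustration), aggregates them into allow rules the way audit2allow does, and then looks for an obj_perm_sets.spt macro that covers each rule. The macro definitions are a hand-copied subset and are an assumption: verify them against the obj_perm_sets.spt in your own policy tree, since later policies added permissions (such as open) to these sets. Each folded rule is annotated with the permissions the macro grants beyond what was actually denied, which is exactly the check the article asks you to make before pasting rules into local.te.

```python
"""Fold audit2allow-style rules into obj_perm_sets.spt macros (added example)."""
import re
from collections import defaultdict

# ASSUMPTION: hand-copied subset of $policy/policy/support/obj_perm_sets.spt.
# rw_file_perms matches the article's own listing; check the rest against
# your tree, later policies added permissions such as "open" to these sets.
PERM_MACROS = {
    "file": {
        "r_file_perms": {"ioctl", "read", "getattr", "lock"},
        "rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"},
    },
    "dir": {
        "r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"},
    },
}

# Constructed AVC denial lines in the 2005-era audit format; not real log data.
SAMPLE_AUDIT = [
    'audit(1134567890.123:45): avc:  denied  { read } for  pid=1234 comm="myapp" name="myapp.conf" dev=hda1 ino=5678 scontext=system_u:system_r:myapp_t tcontext=system_u:object_r:myapp_conf_t tclass=file',
    'audit(1134567890.124:46): avc:  denied  { getattr } for  pid=1234 comm="myapp" path="/etc/myapp/myapp.conf" dev=hda1 ino=5678 scontext=system_u:system_r:myapp_t tcontext=system_u:object_r:myapp_conf_t tclass=file',
    'audit(1134567890.125:47): avc:  denied  { write append } for  pid=1234 comm="myapp" name="myapp.log" dev=hda1 ino=9012 scontext=system_u:system_r:myapp_t tcontext=system_u:object_r:myapp_log_t tclass=file',
    'audit(1134567890.126:48): avc:  denied  { search } for  pid=1234 comm="myapp" name="myapp" dev=hda1 ino=3456 scontext=system_u:system_r:myapp_t tcontext=system_u:object_r:myapp_conf_t tclass=dir',
    'audit(1134567890.127:49): avc:  denied  { name_connect } for  pid=1234 comm="myapp" dest=80 scontext=system_u:system_r:myapp_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(lines):
    """Aggregate AVC denials into {(src_type, tgt_type, tclass): set(perms)}.

    This mirrors what audit2allow does before printing allow statements:
    one rule per (source type, target type, object class), permissions merged.
    """
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial, or a line in a format we don't handle
        src = m.group("scon").split(":")[2]  # user:role:type[:mls]
        tgt = m.group("tcon").split(":")[2]
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def choose_macro(tclass, perms):
    """Pick the smallest macro for tclass that covers perms.

    Returns (macro_name, extra_perms) where extra_perms is what the macro
    grants beyond the denied set, or (None, set()) if no macro covers it.
    """
    candidates = [
        (len(mp), name)
        for name, mp in PERM_MACROS.get(tclass, {}).items()
        if perms <= mp
    ]
    if not candidates:
        return None, set()
    _, best = min(candidates)
    return best, PERM_MACROS[tclass][best] - perms


def render_rules(rules):
    """Emit local.te allow statements, folded into macros where one applies."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        macro, extra = choose_macro(tclass, perms)
        if macro is None:
            out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
        else:
            note = f"  # macro also grants: {' '.join(sorted(extra))}" if extra else ""
            out.append(f"allow {src} {tgt}:{tclass} {macro};{note}")
    return out


if __name__ == "__main__":
    for rule in render_rules(parse_avc(SAMPLE_AUDIT)):
        print(rule)
```

Run against the constructed denials, the log-file rule folds to rw_file_perms but the annotation shows that doing so also grants read and getattr on the log, which is the kind of over-grant you decide on deliberately rather than inherit from a macro. The name_connect denial has no macro in the subset above and stays as a raw permission list.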
Always keep your policy changes in the $policy/policy/modules/admin/local.*
files. These files are shipped empty in the package and are intended for local
policy customization. If you change a file that belongs to a service and
already contains rules, your changes will be lost when the policy is upgraded,
so keep local changes in the local.te and local.fc files where they belong.
If you find a problem in existing policy, add your changes to local.* but
provide a patch to the policy maintainers so they can include it in a later
build. Most SELinux policies are being constantly developed and revised since
the technology is still fairly new, and your upstream maintainers will thank
you for your help.
Policy development can be difficult at the beginning, but I think you’ll find
that as you make progress you’ll be learning not only about SELinux but about
the details of what your applications are really doing under the hood. You’ll
not only be making your system more secure, you’ll be learning about the low
level details of your system and its services. SELinux development has already
resulted in upstream patches to many applications that had hidden bugs that
were only found because SELinux alerted policy developers to the kernel level
actions the applications were attempting.
I hope you enjoyed reading this SELinux series as much as I enjoyed writing
it. Until next time, stay secure and keep your policy locked down tight.
Read Entire Article:
http://www.linuxsecurity.com/content/view/120837/49/
Debian
8th December 2005: New courier packages fix unauthorised access
9th December 2005: New osh packages fix privilege escalation
12th December 2005: New curl packages fix potential security problem
13th December 2005: New ethereal packages fix arbitrary code execution
14th December 2005: New Linux 2.4.27 packages fix several vulnerabilities
14th December 2005: New Linux 2.6.8 packages fix several vulnerabilities

Gentoo
11th December 2005: phpMyAdmin Multiple vulnerabilities
12th December 2005: Openswan, IPsec-Tools Vulnerabilities in ISAKMP
14th December 2005: Xmail Privilege escalation through sendmail
14th December 2005: Ethereal Buffer overflow in OSPF protocol dissector

Mandriva
8th December 2005: Updated curl package fixes format string vulnerability
8th December 2005: Updated perl package fixes format string vulnerability
10th December 2005: Updated openvpn packages fix multiple vulnerabilities
13th December 2005: Updated mozilla-thunderbird package fix vulnerability in enigmail
14th December 2005: Updated ethereal packages fix vulnerability
14th December 2005: Updated xine-lib packages fix buffer overflow vulnerability
14th December 2005: Updated xmovie packages fix buffer overflow vulnerability
14th December 2005: Updated gstreamer-ffmpeg packages fix buffer overflow vulnerability
14th December 2005: Updated mplayer packages fix buffer overflow vulnerability
14th December 2005: Updated ffmpeg packages fix buffer overflow vulnerability