
SE Linux in Action

How to create your own security policies

Anindya Roy

Friday, September 03, 2004


Last month's article on SE Linux (Enhancing Security in Linux, page 102) gave you a basic idea of it. In this article we will see how you can create and implement your own SE Linux policies. 

As the name suggests, a policy is a set of rules that defines which user can enter which role and access which applications. A policy can also define how an application may interact with other applications and users. The default stance of SE Linux is 'deny all', which means you have to explicitly give permission for each operation. 

How policies are created
In last month's article, you would have noticed that to add a role to a newly created user, we first edited the '/etc/security/selinux/src/policies/users' file and then ran the 'make' command to compile the policy. 

Direct Hit!
Applies to: Linux administrators
USP: Use SE Linux to create security policies for your Linux system
Links: www.nsa.gov/selinux/info/docs.cfm

The different files in '/etc/security/selinux/src/policies' are the components of the SE Linux policy. When we edited them and started compiling, the m4 macro processor was applied first and the policy.conf file was created; then the checkpolicy compiler compiled that into a binary file named policy.version (.version is the auto-generated version number of the policy file). These policy files got loaded at the next reboot to enforce the policy rules. 
Understanding and creating new policies is quite complicated and needs an in-depth knowledge of SE Linux. But we will go through a simple example that gives an idea of how an SE Linux policy is modified.

Let's do it
We assume that you have a thorough understanding of SE Linux terminology. Now, let's start by changing the access rights on a directory. For example, take the /boot folder. By default, a user who is a member of the user_t domain should not be able to access this folder. 

So, check the type of the folder /boot by running the following command.

# ls -Z /

This command shows you the security context of every file and folder in the / directory. The last part of the context is the type of the file or folder. So the /boot folder will show a context like

system_u:object_r:boot_t 

This means the type of the /boot folder is 'boot_t'. Now create a new domain file under the folder /etc/security/selinux/src/policy/domains/misc, give it any custom name, let's say test.te, and add the following lines to the file.

#My first policy rule (any comment you want)
r_dir_file(user_t,boot_t)

The rule line above has three parts. 'r_dir_file' is the macro that says the folder should be readable and browsable but not writable; 'user_t' is the domain (type) of the users for which the rule will take effect; and 'boot_t' is the type of the folder. 

To test this single-line rule, compile and load the policy by running the following commands.

# cd /etc/security/selinux/src/policy/
# make load

Then su to any user who is a member of the user_t domain. 

If you remember, we created such a user in our last article and called it seuser. So, su in as seuser and try to run the ls command on the /boot folder, and see the magic of that single line. You can also give write access to any directory by simply changing r_dir_file to rw_dir_file. 

But remember that if standard Linux permissions do not allow the access you have granted with SE Linux, you will still not be able to access the directory: both checks must pass, so a user only ever gets the lesser of the two sets of rights.
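The steps above (read the type out of 'ls -Z' output, write a one-line rule into a .te file under domains/misc, then compile and load) can be scripted. The following is an added example written for this article, not the author's own script or part of any SE Linux distribution. It assumes the 2004-era source-policy layout the article uses (/etc/security/selinux/src/policy, overridable through POLICY_SRC) and that only the r_dir_file and rw_dir_file macros are wanted; the 'ls -Z' listing embedded in it is constructed sample data, not captured output.

```shell
#!/bin/sh
# Added example: helper functions for the article's procedure.
# Assumptions: old source-policy tree under $POLICY_SRC and the
# r_dir_file/rw_dir_file macros from macros/core_macros.te.
POLICY_SRC=${POLICY_SRC:-/etc/security/selinux/src/policy}

# Constructed sample of 'ls -Z /' output in the old format (context before name).
SAMPLE_LS_Z='drwxr-xr-x  root root system_u:object_r:boot_t boot
drwxr-xr-x  root root system_u:object_r:etc_t  etc
drwxr-xr-x  root root system_u:object_r:home_root_t home'

# context_type: print the type, i.e. the last colon-separated field of a context.
#   context_type system_u:object_r:boot_t  ->  boot_t
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $NF }'
}

# type_of_dir: given an 'ls -Z' listing ($1) and a directory name ($2),
# find the line for that name and print the type part of its context.
type_of_dir() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $NF == name {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+$/) { n = split($i, c, ":"); print c[n]; exit }
        }'
}

# make_rule: emit "macro(domain,type)" after checking the inputs, so a typo
# is caught here rather than by checkpolicy during 'make load'.
make_rule() {
    macro=$1 domain=$2 ftype=$3
    case "$macro" in
        r_dir_file|rw_dir_file) ;;
        *) echo "make_rule: unsupported access macro '$macro'" >&2; return 1 ;;
    esac
    for t in "$domain" "$ftype"; do
        case "$t" in
            *_t) ;;
            *) echo "make_rule: '$t' does not look like an SE Linux type" >&2; return 1 ;;
        esac
    done
    printf '%s(%s,%s)\n' "$macro" "$domain" "$ftype"
}

# write_te: write a commented .te file ($1) containing one rule built
# from the remaining arguments (macro, domain, type).
write_te() {
    out=$1; shift
    rule=$(make_rule "$@") || return 1
    mkdir -p "$(dirname "$out")" || return 1
    {
        printf '# rule generated by write_te; review before running make load\n'
        printf '%s\n' "$rule"
    } > "$out"
}

# load_policy: the article's compile-and-load step (m4 -> policy.conf ->
# checkpolicy -> policy.version). Not called here; run it as root.
load_policy() {
    make -C "$POLICY_SRC" load
}

# Demo on the constructed listing: this prints the rule the article writes by hand.
boot_type=$(type_of_dir "$SAMPLE_LS_Z" boot)
make_rule r_dir_file user_t "$boot_type"
```

To reproduce the article's steps on a real system, replace the constructed listing with the output of 'ls -Z /', call write_te "$POLICY_SRC/domains/misc/test.te" r_dir_file user_t boot_t, and then run load_policy as root before testing as seuser.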

This was a small example of creating your own rule in SE Linux. For more details you can refer to www.nsa.gov/selinux/info/docs.cfm.
