Diskussion:Linux/SELinux/05 SEPolicy
The sepolicy Suite
The sepolicy utility provides a suite of features to query the installed SELinux policy
- These features are either new or were previously provided by separate utilities, such as sepolgen or setrans
- The suite allows you to generate transition reports, man pages, or even new policy modules, thus giving users easier access and better understanding of the SELinux policy
The policycoreutils-devel package provides sepolicy
Enter the following command as the root user to install sepolicy
```
~]# yum install policycoreutils-devel
```
The sepolicy Features
The sepolicy suite provides the following features that are invoked as command-line parameters:
| Feature | Description |
|---|---|
| booleans | Query the SELinux Policy to see description of Booleans |
| communicate | Query the SELinux policy to see if domains can communicate with each other |
| generate | Generate an SELinux policy module template |
| gui | Graphical User Interface for SELinux Policy |
| interface | List SELinux Policy interfaces |
| manpage | Generate SELinux man pages |
| network | Query SELinux policy network information |
| transition | Query SELinux policy and generate a process transition report |
The sepolicy Python Bindings
Previously, the setools package included the sesearch and seinfo utilities
- The sesearch utility is used for searching rules in an SELinux policy, while the seinfo utility allows you to query various other components in the policy
Python bindings for sesearch and seinfo have been added so that you can use the functionality of these utilities through the sepolicy suite
See the example below:

```
$ python
>>> import sepolicy
>>> sepolicy.info(sepolicy.ATTRIBUTE)
# returns a list of dictionaries, one per SELinux attribute
>>> sepolicy.search([sepolicy.ALLOW])
# returns a list of dictionaries, one per allow rule in the policy
```
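As an added example (not code from the original page or from the sepolicy project), the script below shows the kind of question a reviewer asks of `sepolicy.search()` output: which file types a confined domain can actually write, and which of its write rules are only switched on by a Boolean. The dictionary keys used (`source`, `target`, `class`, `permlist`, `boolean`, `enabled`) are the ones the sepolicy bindings produce; the rule list itself is constructed sample data modelled loosely on the httpd policy so that the script runs without a loaded policy, and the live query in `load_rules()` (filtering on `sepolicy.SOURCE`) is an assumption about the bindings' search arguments.

```python
# Added example: audit allow rules in the shape returned by sepolicy.search().
# SAMPLE_RULES is constructed sample data, not a dump of any real policy.
SAMPLE_RULES = [
    {"source": "httpd_t", "target": "httpd_sys_content_t", "class": "file",
     "permlist": ["getattr", "open", "read"]},
    {"source": "httpd_t", "target": "httpd_sys_rw_content_t", "class": "file",
     "permlist": ["create", "getattr", "open", "read", "write", "unlink"]},
    # Conditional rule: only active while the Boolean httpd_unified is on.
    {"source": "httpd_t", "target": "httpd_sys_content_t", "class": "file",
     "permlist": ["write", "create"], "boolean": "httpd_unified", "enabled": False},
    {"source": "httpd_t", "target": "httpd_t", "class": "tcp_socket",
     "permlist": ["create", "connect"]},
    {"source": "sshd_t", "target": "etc_t", "class": "file", "permlist": ["read"]},
]

# Permissions that let a domain change file content or directory entries.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def is_effective(rule):
    """Unconditional rules always apply; a rule tied to a Boolean applies only
    while that Boolean is currently enabled."""
    return "boolean" not in rule or rule.get("enabled", False)


def write_rules(rules, source, tclass="file"):
    """Allow rules granting `source` a write-like permission on class `tclass`."""
    return [r for r in rules
            if r["source"] == source and r["class"] == tclass
            and WRITE_PERMS & set(r.get("permlist", []))]


def writable_types(rules, source, tclass="file", include_disabled=False):
    """Target types `source` can write now; with include_disabled=True also
    those it could write if a currently-off Boolean were turned on."""
    return sorted({r["target"] for r in write_rules(rules, source, tclass)
                   if include_disabled or is_effective(r)})


def booleans_gating_writes(rules, source, tclass="file"):
    """Booleans that, if enabled, would widen the domain's write access:
    the ones to look at when someone proposes a setsebool on a web server."""
    return sorted({r["boolean"] for r in write_rules(rules, source, tclass)
                   if "boolean" in r and not r.get("enabled", False)})


def load_rules(source="httpd_t"):
    """Query the loaded policy through the sepolicy bindings when available;
    fall back to the constructed sample so the audit runs anywhere.
    (Assumption: search() accepts a seinfo dict keyed by sepolicy.SOURCE.)"""
    try:
        import sepolicy  # from policycoreutils-devel / python3-policycoreutils
        return sepolicy.search([sepolicy.ALLOW], {sepolicy.SOURCE: source})
    except Exception:  # no bindings, or no policy loaded on this host
        return SAMPLE_RULES


if __name__ == "__main__":
    rules = load_rules()
    print("writable now:", writable_types(rules, "httpd_t"))
    print("writable if toggled:", writable_types(rules, "httpd_t", include_disabled=True))
    print("gating booleans:", booleans_gating_writes(rules, "httpd_t"))
```

The split between "writable now" and "writable if toggled" is the point: a rule hidden behind a disabled Boolean is one `setsebool` away from being live, so a review of a domain's write surface should report both sets rather than only what `sesearch -A` shows as currently enabled.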
Generating SELinux Policy Modules: sepolicy generate
Previously, the sepolgen or selinux-polgengui utilities were used for generating an SELinux policy
- These tools have been merged into the sepolicy suite
- The sepolicy generate command is now used to generate an initial SELinux policy module template
Unlike sepolgen, it is not necessary to run sepolicy generate as the root user
- This utility also creates an RPM spec file, which can be used to build an RPM package that installs the policy package file (NAME.pp) and the interface file (NAME.if) to the correct location, loads the SELinux policy into the kernel, and fixes the labeling
- The generated helper script (NAME.sh) compiles and installs the SELinux policy and sets up the labeling
- In addition, the script generates a manual page based on the installed policy using the sepolicy manpage command. [7] Finally, it builds the SELinux policy and the manual page into an RPM package, ready to be installed on other systems
When sepolicy generate is executed, the following files are produced:
- NAME.te – type enforcement file
  - This file defines all the types and rules for a particular domain
- NAME.if – interface file
  - This file defines the interfaces that other policy modules call to interact with the types of this domain
- NAME.fc – file contexts file
  - This file defines the default file contexts for the system
  - It takes the file types created in the NAME.te file and associates file paths with the types
  - Utilities, such as restorecon and rpm, use these paths to write labels
- NAME_selinux.spec – RPM spec file
  - This file is an RPM spec file that installs the SELinux policy and sets up the labeling
  - It also installs the interface file and a man page describing the policy
  - You can use the sepolicy manpage -d NAME command to generate the man page
- NAME.sh – helper shell script
  - This script helps to compile, install, and fix the labeling on the system
  - It also generates a man page based on the installed policy and builds an RPM package suitable to be installed on other systems
On success, sepolicy generate prints the paths of all the files it created
- See the sepolicy-generate(8) manual page for further information about sepolicy generate
Understanding Domain Transitions: sepolicy transition
Previously, the setrans utility was used to examine whether a transition between two domains or process types is possible, and it printed out all intermediary types used to transition between these domains or processes
- setrans is now provided as part of the sepolicy suite, and the sepolicy transition command is used instead
The sepolicy transition command queries an SELinux policy and creates a process transition report
- The sepolicy transition command takes a source domain (specified by the -s option) and, optionally, a target domain (specified by the -t option)
- If only the source domain is entered, sepolicy transition lists all domains that the source domain can transition to
- The following output does not contain all entries
- The "@" character means "execute": the source domain executes a file of the given entrypoint type and ends up in the target domain

```
~]$ sepolicy transition -s httpd_t
httpd_t @ httpd_suexec_exec_t --> httpd_suexec_t
httpd_t @ mailman_cgi_exec_t --> mailman_cgi_t
httpd_t @ abrt_retrace_worker_exec_t --> abrt_retrace_worker_t
httpd_t @ dirsrvadmin_unconfined_script_exec_t --> dirsrvadmin_unconfined_script_t
httpd_t @ httpd_unconfined_script_exec_t --> httpd_unconfined_script_t
```

Note that two of the entries above end in unconfined domains (dirsrvadmin_unconfined_script_t and httpd_unconfined_script_t): the report lists what the loaded policy allows, so when reviewing a network-facing domain such as httpd_t, examine those paths first and confirm whether any file on the system actually carries the corresponding entrypoint label, since the transition cannot happen without one
If the target domain is specified, sepolicy transition examines the SELinux policy for all transition paths from the source domain to the target domain and lists these paths
- The output below is not complete
- Each "..." marks an intermediate domain: in the last line, httpd_t first transitions to httpd_suexec_t, then to httpd_mojomojo_script_t, which executes sendmail_exec_t to reach system_mail_t:

```
~]$ sepolicy transition -s httpd_t -t system_mail_t
httpd_t @ exim_exec_t --> system_mail_t
httpd_t @ courier_exec_t --> system_mail_t
httpd_t @ sendmail_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t @ sendmail_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t @ exim_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t @ courier_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t ... httpd_mojomojo_script_t @ sendmail_exec_t --> system_mail_t
```
See the sepolicy-transition(8) manual page for further information about sepolicy transition
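As an added example (not code from the original page or the sepolicy project), the parser below reads the text report that sepolicy transition prints and answers the two questions a reviewer usually has about it: which paths end in an unconfined domain, and which entrypoint types (executable labels) a given path depends on. The report lines are a constructed sample in the same "source ... intermediate @ entrypoint --> target" layout shown above; the parser assumes that exact layout and nothing else about the policy.

```python
from dataclasses import dataclass

# Constructed sample in the format `sepolicy transition` prints (not a real
# report): "source [... intermediate]* @ entrypoint_exec_t --> target".
SAMPLE_REPORT = """\
httpd_t @ httpd_suexec_exec_t --> httpd_suexec_t
httpd_t @ mailman_cgi_exec_t --> mailman_cgi_t
httpd_t @ dirsrvadmin_unconfined_script_exec_t --> dirsrvadmin_unconfined_script_t
httpd_t @ httpd_unconfined_script_exec_t --> httpd_unconfined_script_t
httpd_t @ sendmail_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t @ sendmail_exec_t --> system_mail_t
httpd_t ... httpd_suexec_t ... httpd_mojomojo_script_t @ sendmail_exec_t --> system_mail_t
"""


@dataclass(frozen=True)
class TransitionPath:
    source: str
    intermediates: tuple  # domains passed through before the final exec
    entrypoint: str       # *_exec_t type executed for the final transition
    target: str

    @property
    def hops(self):
        """Number of domain transitions along the path."""
        return len(self.intermediates) + 1


def parse_line(line):
    """'a ... b @ c_exec_t --> d' -> TransitionPath('a', ('b',), 'c_exec_t', 'd')."""
    left, target = line.split(" --> ")
    chain, entrypoint = left.split(" @ ")
    domains = chain.split(" ... ")
    return TransitionPath(domains[0], tuple(domains[1:]),
                          entrypoint.strip(), target.strip())


def parse_report(text):
    """Parse every report line; the command line and blank lines are skipped."""
    return [parse_line(line) for line in text.splitlines() if " --> " in line]


def unconfined_targets(paths):
    """Targets that are unconfined domains. From a network-facing source such
    as httpd_t these paths are reviewed first: a script that reaches one has
    effectively left SELinux confinement."""
    return sorted({p.target for p in paths if "unconfined" in p.target})


def shortest_path(paths, source, target):
    """The path with the fewest transitions, or None if target is unreachable."""
    candidates = [p for p in paths if p.source == source and p.target == target]
    return min(candidates, key=lambda p: p.hops) if candidates else None


def entrypoints_to(paths, target):
    """Entrypoint types that lead into `target`. A transition needs a file
    carrying one of these labels, so confirming that none exists on the host
    (GNU find's -context test can search for '*:TYPE:*') rules the path out
    in practice without touching policy."""
    return sorted({p.entrypoint for p in paths if p.target == target})


if __name__ == "__main__":
    paths = parse_report(SAMPLE_REPORT)
    print("unconfined targets:", unconfined_targets(paths))
    print("shortest httpd_t -> system_mail_t:",
          shortest_path(paths, "httpd_t", "system_mail_t"))
    print("entrypoints into system_mail_t:", entrypoints_to(paths, "system_mail_t"))
```

Feed it the real report with `parse_report(subprocess.check_output(["sepolicy", "transition", "-s", "httpd_t"], text=True))` on a host that has the policy loaded; the sample keeps it runnable elsewhere.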
Generating Manual Pages: sepolicy manpage
The sepolicy manpage command generates manual pages based on the SELinux policy that document process domains
- As a result, such documentation is always up-to-date
- Each name of automatically generated manual pages consists of the process domain name and the _selinux suffix, for example httpd_selinux
The manual pages include several sections that provide information about various parts of the SELinux policy for confined domains:
- The Entrypoints section lists the entrypoint types, that is, the executable file types that must be executed to transition into the domain
- The Process Types section lists all process types that begin with the same prefix as the target domain
- The Booleans section lists Booleans associated with the domain
- The Port Types section contains the port types matching the same prefix as the domain and describes the default port numbers assigned to these port types
- The Managed Files section describes the types that the domain is allowed to write to and the default paths associated with these types
- The File Contexts section contains all file types associated with the domain and describes how to use these file types along with the default path labeling on a system
- The Sharing Files section explains how to use the domain sharing types, such as public_content_t
See the sepolicy-manpage(8) manual page for further information about sepolicy manpage
[7] See "Generating Manual Pages: sepolicy manpage" above for more information about sepolicy manpage