My public notes, by Dominick "domg472" Grift

foo1 (2010-06-18): command line posting 1

foo (2010-06-18): command line posting

SELinux lockdown (2009-06-18)

Summary of things that can be done to lock down SELinux in Fedora 11.

1. Use confined users.

By default Fedora maps users to the unconfined user domain. This unconfined user domain was designed to exempt users from most SELinux policy.

Using the unconfined user domain as the primary user environment is not a good idea for security, in the same way that root logins are not a good idea.

So use the semanage login command to map new users to a confined user domain of your choosing instead of unconfined_t. Which confined user domain to use depends on the properties of the user.

There are a few profiles to choose from. I map my new users to the guest_u SELinux user.

guest_u is an unprivileged user that can only log in via SSH. This user has no access to network resources and no access to setuid/setgid programs. This user can be denied execution of files in its home directory.

xguest_u is similar to guest_u except that xguest_u cannot log in via SSH but only via X Windows.

user_u is similar to xguest_u except that user_u can log in both via SSH and via X Windows.
user_u also has access to network resources.

staff_u is similar to user_u except that staff_u can use setuid and setgid programs. staff_u can also stat all processes on the system and has some other minor privileges.

sysadm_u is a confined root login. Root logins are not recommended, so I will skip this user.

unconfined_u login is bad ;)

You can override the default mapping for new users with useradd -Z <seuser> <user>.

So if you configured SELinux to map new users to the guest_u seuser but want to add a specific user to another SELinux user (for example, add user joe to user_u): useradd -Z user_u joe

You can also change mappings later with the semanage login -m (modify) command.

Refer to: man useradd and man semanage

2. Configure pam_sepermit

So now we are using a confined user environment for all our users (except root, which should not log in anyway, except maybe via a TTY in emergencies).

What if the system happens to be in permissive mode? If you run setenforce 0 then all SELinux AVC denials will be allowed (but logged). That means your confined users are no longer restricted by SELinux.

We can mitigate this with /etc/security/sepermit.conf. You can add users and seusers there, and login will then be denied to them while SELinux is in permissive mode.

For example: putting %user_u in sepermit.conf will deny login to user_u seusers if getenforce returns permissive. (Try it out.)

It should be noted that setenforce 0 (permissive mode) is not recommended or even required anymore on Fedora 11. Fedora 10 instead introduced "permissive domains".
The difference between permissive mode and permissive domains is that with permissive domains we can switch single processes (domains) to permissive instead of having to put the whole system into a permissive state.

So preferably use permissive domains if you need to troubleshoot an issue. The command semanage permissive -a <domain type> enables permissive mode for a domain type, and semanage permissive -d <domain type> removes the permissive setting for that domain type again.

Refer to: man semanage

3. You can still use the unconfined user domain as a secondary user role for privileged users.

I will admit that sometimes, if you want to do some generic sysadmin task, you just do not want to be restricted. That is fine. You can still use the unconfined user environment as a secondary role.

For example: my primary user domain is staff_u, and as you know this seuser has access to setuid/setgid programs like sudo. I used the semanage user command to map the unconfined user domain along with the system domain to the staff_u seuser. Now staff_u can role-transition to the unconfined user space when it wants to do generic administration.

Just set up /etc/sudoers and off you go:

semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r unconfined_r" -P user staff_u
echo "joe ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL" >> /etc/sudoers

You do not have to explicitly define your default secondary role in /etc/sudoers like the example above. You can also specify the target role when you run the sudo command, like so: sudo -t unconfined_t -r unconfined_r service httpd restart

Note that only sudo supports role transitions; su does not.
If you use su (not recommended) then you also need the newrole program (yum list *newrole*).

Also note that besides the unconfined user domain there are other confined user domains designed to be secondary privileged roles (roles specific to a task), for example the webadm_r role, which lets root manage only the web server. Try it out: add the webadm_r role to staff_u with semanage and use sudo to transition to the webadm environment.

Refer to: man sudo, man semanage, man su, man newrole

4. More about unconfined

Before F11, unconfined was a space for any process that needed to be unrestricted, be it a program or a user. Both programs and users could run in this unconfined space. During F11 the unconfined domain was split into an unconfined and an unconfineduser domain.

What this means to us is that we can now uninstall the unconfined domain but still use the unconfineduser functionality (the unconfined user domain), or vice versa.

So how can this help us lock down SELinux? We can now uninstall the unconfined module with semodule -r unconfined so that no system services can run unconfined.

Just like users are by default mapped to an unconfined user environment in Fedora, system services that have no SELinux policy defined are also automatically executed in an unconfined environment. That means you might install a system service that has no policy and it will run unrestricted. This presents another gaping hole in your security, because that service can potentially be used to get around SELinux.

By uninstalling the unconfined module this can no longer happen. If you install a system service that does not have policy then it just will not run. You would need to write policy for it first.

5. Lock down your booleans

In Fedora some booleans are activated by default. Booleans are "tunable policy": rules that can be enabled on the fly by the admin.
The more rules are enabled, the less fine-grained your security becomes. So you need to remove as much policy as possible by toggling booleans on or off.

I say on or off because some booleans add policy if you turn them on and others when you turn them off.

I cannot explain all booleans here, but I will talk about some.

- The secure mode booleans govern whether the admin can (off is the default; to lock down, set them to on):
  -- put the system into permissive mode
  -- insert kernel modules
  -- load policy

- The xserver object manager boolean has policy that enables the X server SELinux extension (off by default; to lock down, set to on).
  This is a very powerful feature which lets the admin define SELinux policy for the X server. This feature (its policy) still has rough edges. If you are not afraid of SELinux, feel free to experiment and improve the XACE policy like I did.

- The nsplugin booleans have policy that defines what access nsplugin has.
  nsplugin runs your browser plugins. These browser plugins are vulnerable to all kinds of threats.
  You can disable network access for nsplugin and you can disable memory execution (execmem) for nsplugin.
  If you decide to use unconfined user logins anyway (not recommended) then you can still configure nsplugin SELinux security by setting an nsplugin boolean. Needless to say, confined users are subject to a confined nsplugin by default.

- The unconfined login boolean has policy that allows unconfined logins (enabled by default; to lock down, set to off).
  Disable unconfined logins. If you use confined users like this guide encourages, then disallow unconfined logins.

There are many other booleans. Disable as many as possible. Keep your configuration as least-privilege as possible. More rules means less security in general.
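As an added example (not part of the original post), here is a shell audit of the checklist from sections 1, 2 and 5 run against captured command output. It parses constructed samples of semanage login -l, getsebool -a, sepermit.conf and getenforce instead of calling those tools, so it runs anywhere; the boolean names are taken from the post's descriptions and are assumed, so check semanage boolean -l on your release before relying on them.

```shell
#!/bin/bash
# Added example: audit the lockdown checklist against captured output.
# The four SAMPLE_* values below are constructed stand-ins for the real
# command output; on a live system you would feed in the real output.

# Constructed sample of 'semanage login -l' (login, seuser, range).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range
__default__          guest_u              s0
joe                  user_u               s0
bob                  unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023'

# Constructed sample of 'getsebool -a', trimmed to the booleans the post
# talks about (names assumed; verify with semanage boolean -l).
SAMPLE_BOOLS='unconfined_login --> on
secure_mode --> off
secure_mode_insmod --> on
secure_mode_policyload --> off
xserver_object_manager --> off
allow_nsplugin_execmem --> off
nsplugin_can_network --> on'

# Constructed /etc/security/sepermit.conf
SAMPLE_SEPERMIT='# sepermit.conf (constructed)
%user_u
%staff_u'

# Constructed output of 'getenforce'
SAMPLE_ENFORCE='Permissive'

# One "login seuser" pair per line for every login mapped to
# unconfined_u; root is expected, everything else is a finding.
unconfined_logins() {
    printf '%s\n' "$1" |
    awk 'NR > 1 && $2 == "unconfined_u" && $1 != "root" { print $1, $2 }'
}

# Booleans whose current value differs from the locked-down value the
# post recommends. Output: "name current wanted" per line.
boolean_findings() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            want["secure_mode"] = "on"
            want["secure_mode_insmod"] = "on"
            want["secure_mode_policyload"] = "on"
            want["xserver_object_manager"] = "on"
            want["unconfined_login"] = "off"
            want["allow_nsplugin_execmem"] = "off"
            want["nsplugin_can_network"] = "off"
        }
        ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# Confined seusers from the login map that sepermit.conf does not name,
# i.e. users who could still log in while the system is permissive.
sepermit_gaps() {
    logins="$1"; sepermit="$2"
    printf '%s\n' "$logins" |
    awk 'NR > 1 && $2 != "unconfined_u" { print $2 }' | sort -u |
    while read -r seuser; do
        printf '%s\n' "$sepermit" | grep -qx "%$seuser" || printf '%s\n' "$seuser"
    done
}

# Succeeds only when getenforce reported Enforcing.
is_enforcing() {
    [ "$1" = "Enforcing" ]
}

audit_report() {
    echo "== logins mapped to unconfined_u =="
    unconfined_logins "$SAMPLE_LOGINS"
    echo "== booleans not locked down (name current wanted) =="
    boolean_findings "$SAMPLE_BOOLS"
    echo "== confined seusers missing from sepermit.conf =="
    sepermit_gaps "$SAMPLE_LOGINS" "$SAMPLE_SEPERMIT"
    is_enforcing "$SAMPLE_ENFORCE" ||
        echo "WARNING: SELinux is $SAMPLE_ENFORCE; use semanage permissive -a <type> instead"
}

audit_report
```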
So play with it and disable as many as possible without losing basic functionality.

Refer to: man semanage, man setsebool, man getsebool

6. sandbox

If you decide you do not want to operate in a restricted space by default, for example if you think your environment does not call for it, then you can still use SELinux in a discretionary way with the sandbox script.

sandbox lets unconfined users run commands/programs in a confined space (a sandbox). So it is at the discretion of an unconfined user to run a program restricted or unrestricted, unlike confined domains, which are mandatory for users (they are mapped to users by the admin).

Refer to: sandbox --help

7. Conclusion

Map your users to confined users.
Use the unconfined user domain as a secondary environment for superusers.
Remove the unconfined module (or unconfineduser, or both, depending on your security requirements).
Lock down your booleans as tight as possible.
Use permissive domains instead of permissive mode.
Use pam_sepermit if you have confined users.

Besides these ways to lock down your SELinux-enabled system there are the basic things you can do to keep security tight:

http://docs.fedoraproject.org/security-guide/f11/en-US/
http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/

git and refpolicy (2008-07-25)

The refpolicy repository is still svn. Here is how to use git together with svn.

1. Use git svn to clone the refpolicy svn repository:

mkdir ~/git
cd ~/git
git svn clone http://oss.tresys.com/repos/refpolicy/trunk refpolicy
cd ~/git/refpolicy
git branch (to see if master is there)
git branch -r (to see if the remote branch (git-svn) is there)

2. Create a branch to work on:

git checkout -b mybranch git-svn

3. Add changes and commit them:

git commit

4. Create a patch with your modifications (your changes from master in this case):

git format-patch master

5. Update master and git-svn (the remote branch):

git svn fetch

Note: eclipse-egit is an Eclipse plugin that allows you to load and work on a git branch in Eclipse and commit.

rbac f9 (2008-07-22)

Let us assume we want to make user "joe" our website operator. "joe" should only be able to operate apache. To operate apache one traditionally would need the root password.

In Fedora 9 root can be confined to specific roles. Also, in Fedora 9 users no longer need the root password to gain root privileges, due to the SELinux support built into sudo. Pre-Fedora 9, a combination of su and newrole was used to gain root privileges. This required a user to enter his own password for newrole and then also the root password for su.

Here is how you do it:

1. useradd joe
2. passwd joe
3. /usr/sbin/semanage user -a -L s0 -r s0-s0 -R "staff_r webadm_r" -P user webadmin
4. /usr/sbin/semanage login -a -s webadmin -r s0-s0 joe
5. echo "joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL" >> /etc/sudoers

When joe logs into the system, he will find himself in the staff_t user domain (id -Z). This is a restricted user domain. The staff_r role is similar to user_r, with the important exception that staff_r may transition to other, maybe more privileged, domains,
unlike user_r.
user_r is confined to the user_t user domain and may not transition.

If joe wants to, for example, restart the web server, he can just type sudo service httpd restart. Similarly, if joe wanted to edit a file that is owned by apache, joe can edit the file in the webadm_t user domain by just typing sudo vi /etc/httpd/conf.d/httpd.conf.

Joe can also open a terminal session in the webadm_t domain by running: sudo sh. If you had even more roles, then joe would be able to define in which user domain he wants to start a new terminal session: sudo -t webadm_t -r webadm_r sh

Joe can even log in to the system directly in the webadm_t domain by using: ssh joe/webadm_r@localhost

You can delegate very specific administration tasks without having to share the root password!

a script (2008-07-22)

#!/bin/bash
# -xv
#
# Name: loginaccounts.sh
# Description: automate login account management
#
# Author: Dominick Grift <domg472>
# Version: 0.0.3

# Copyright (C) 2008 Dominick Grift

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Report undefined variables
# shopt -s -o nounset

# Global declarations
declare -rx SCRIPT=${0##*/}
declare -rx EXITSTATUS=$?

# My global declarations
# getopt option strings: a trailing colon marks an option that takes an
# argument (the original string had -c twice and lacked -r)
declare -r OPTSTRING="hLPACfai:p:c:g:l:n:r:q:e:"
declare -r LONGOPTS="help,local,poly,cron,at,chage,forward,identity:,password:,comment:,groups:,logins:,nproc:,range:,quota:,expire:"
declare UCOMMNT=0 # Optional
declare UGRP="realusers,sshusers" # Tunable
declare USERID # Mandatory
declare RESULT # System
declare UPASSWD # Mandatory
declare ULOGNS=3 # Tunable
declare UNPROC=15 # Tunable
declare ULOCL=0 # Optional
declare UCATGR=0 # Optional
declare UFORWRD=0 # Optional
declare UQUOT="10000" # Tunable
declare UEXPR=0 # Optional
declare UPOLY=1 # Optional
declare UCRON=0 # Optional
declare UAT=0 # Optional
declare UAGE=1 # Optional

# Sanity checks

# Requires BASH
if test -z "$BASH" ; then
    printf "$SCRIPT:$LINENO: %s\n" "Please run this script with the BASH shell" >&2
    exit 192
fi

# Test for input
if test -z "$1" ; then
    printf "$SCRIPT:$LINENO: %s\n" "Copyright (C) 2008 Dominick Grift"
    printf "$SCRIPT:$LINENO: %s\n" ""
    printf "$SCRIPT:$LINENO: %s\n" "This program is free software: you can redistribute it and/or modify"
    printf "$SCRIPT:$LINENO: %s\n" "it under the terms of the GNU Affero General Public License as"
    printf "$SCRIPT:$LINENO: %s\n" "published by the Free Software Foundation, either version 3 of the"
    printf "$SCRIPT:$LINENO: %s\n" "License, or (at your option) any later version."
    printf "$SCRIPT:$LINENO: %s\n" ""
    printf "$SCRIPT:$LINENO: %s\n" "This program is distributed in the hope that it will be useful,"
    printf "$SCRIPT:$LINENO: %s\n" "but WITHOUT ANY WARRANTY; without even the implied warranty of"
    printf "$SCRIPT:$LINENO: %s\n" "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the"
    printf "$SCRIPT:$LINENO: %s\n" "GNU Affero General Public License for more details."
    printf "$SCRIPT:$LINENO: %s\n" ""
    printf "$SCRIPT:$LINENO: %s\n" "You should have received a copy of the GNU Affero General Public License"
    printf "$SCRIPT:$LINENO: %s\n" "along with this program. If not, see <http://www.gnu.org/licenses/>."
    exit 0
fi

# Test for root
if [ "$(whoami)" != "root" ] ; then
    printf "$SCRIPT:$LINENO: %s\n" "DAC: Must be root" >&2
    exit 192
fi

# Test for unconfined
if [ "$(id -Z | awk 'BEGIN { FS=":" } { print $3 }')" != unconfined_t ] ; then
    printf "$SCRIPT:$LINENO: %s\n" "MAC: Must be unconfined domain" >&2
    exit 192
fi

# Check getopt mode
getopt -T
if [ $? -ne 4 ] ; then
    printf "$SCRIPT: %s\n" "Getopt is in compatibility mode" >&2
    exit 192
fi

# Test parameters (command substitution; the original assigned the
# command line as a literal string instead of running getopt)
RESULT=$(getopt --name "$SCRIPT" --options "$OPTSTRING" --longoptions "$LONGOPTS" -- "$@")
if [ $? -gt 0 ] ; then
    exit 192
fi

# Functions

add_user() {
    /usr/sbin/useradd "$USERID" >/dev/null
}

add_user_passwd() {
    /bin/echo "$UPASSWD" | /usr/bin/passwd "$USERID" --stdin >/dev/null
}

add_comment() {
    /usr/sbin/usermod -c "$UCOMMNT" "$USERID" >/dev/null
}

add_expire() {
    /usr/sbin/usermod -e "$UEXPR" "$USERID" >/dev/null
}

# Instance parent directory for pam_namespace polyinstantiation
add_poly() {
    /bin/mkdir /home/"$USERID"/"$USERID".inst && chmod -R 000 /home/"$USERID"/"$USERID".inst >/dev/null
}

# Exclude the user from polyinstantiation by appending the name to the
# user list of the /tmp, /var and $HOME entries in namespace.conf
# (double quotes so $USERID expands; \$ keeps the sed end-of-line anchor)
no_poly() {
    /bin/sed -i -e "/^\/tmp/s/\$/,$USERID/" \
                -e "/^\/var/s/\$/,$USERID/" \
                -e "/^\\\$HOME/s/\$/,$USERID/" /etc/security/namespace.conf
}

# Deny X11 and TCP forwarding over SSH for this user
add_forward() {
    printf '\nMatch User %s\n    X11Forwarding no\n    AllowTcpForwarding no\n' "$USERID" >> /etc/ssh/sshd_config
}

add_quota() {
    /usr/sbin/setquota -u "$USERID" 0 "$UQUOT" 7500 10000 -a >/dev/null
}

add_nproc() {
    /bin/echo "$USERID hard nproc $UNPROC" >> /etc/security/limits.conf
}

add_logins() {
    /bin/echo "$USERID - maxlogins $ULOGNS" >> /etc/security/limits.conf
}

# Deny local (console) logins, see access.conf(5)
add_local() {
    /bin/echo "- : $USERID : LOCAL" >> /etc/security/access.conf
}

add_cron() {
    /bin/echo "$USERID" >> /etc/cron.allow
}

add_at() {
    /bin/echo "$USERID" >> /etc/at.allow
}

add_groups() {
    /usr/sbin/usermod -G "$UGRP" "$USERID" >/dev/null
}

# Dedicated SELinux user for the login, with an MCS category set
add_cat() {
    NEWCAT=:$UCATGR
    /usr/sbin/semanage user -a -L s0 -r "s0-s0$NEWCAT" -R user_r -P user "$USERID" >/dev/null
    /usr/sbin/semanage login -a -s "$USERID" -r "s0-s0$NEWCAT" "$USERID" >/dev/null
}

# Dedicated SELinux user for the login, without categories
add_seuser() {
    /usr/sbin/semanage user -a -L s0 -r "s0-s0" -R user_r -P user "$USERID" >/dev/null
    /usr/sbin/semanage login -a -s "$USERID" -r "s0-s0" "$USERID" >/dev/null
}

add_chage() {
    /usr/bin/chage -m 7 -M 180 -W 7 "$USERID" >/dev/null
}

# Main loop

# Replace the parameters with the results of getopt
eval set -- "$RESULT"

# Process the parameters. Options with an argument shift once here to
# reach the argument; the shift after esac consumes the last word, so
# flag options must not shift inside their case (the original did,
# which skipped the option that followed a flag).
while [ $# -gt 0 ] ; do
    case "$1" in
    -h | --help) # Show help
        printf "$SCRIPT:$LINENO: %s\n" "Usage: $SCRIPT [options]"
        printf "$SCRIPT:$LINENO: %s\n" ""
        printf "$SCRIPT:$LINENO: %s\n" " Options:"
        printf "$SCRIPT:$LINENO: %s\n" " [-h][--help] | View this help"
        printf "$SCRIPT:$LINENO: %s\n" " [-L][--local] | Optional: Disabled by default"
        printf "$SCRIPT:$LINENO: %s\n" " [-f][--forward] | Optional: Disabled by default"
        printf "$SCRIPT:$LINENO: %s\n" " [-P][--poly] | Optional: Enabled by default"
        printf "$SCRIPT:$LINENO: %s\n" " [-C][--cron] | Optional: Disabled by default"
        printf "$SCRIPT:$LINENO: %s\n" " [-A][--at] | Optional: Disabled by default"
        printf "$SCRIPT:$LINENO: %s\n" " [-a][--chage] | Optional: Enabled by default"
        printf "$SCRIPT:$LINENO: %s\n" " [-i][--identity] identity | Mandatory: User name"
        printf "$SCRIPT:$LINENO: %s\n" " [-p][--password] password | Mandatory: Strong password"
        printf "$SCRIPT:$LINENO: %s\n" " [-c][--comment] comment | Tunable: Defaults to none"
        printf "$SCRIPT:$LINENO: %s\n" " [-g][--groups] groups | Tunable: Defaults to realusers,sshusers"
        printf "$SCRIPT:$LINENO: %s\n" " [-l][--logins] number of logins | Tunable: Defaults to 3"
        printf "$SCRIPT:$LINENO: %s\n" " [-n][--nproc] number of processes | Tunable: Defaults to 15"
        printf "$SCRIPT:$LINENO: %s\n" " [-r][--range] range | Optional: Disabled by default"
        printf "$SCRIPT:$LINENO: %s\n" " [-q][--quota] number of blocks | Tunable: Defaults to 10000 blocks"
        printf "$SCRIPT:$LINENO: %s\n" " [-e][--expire] date | Optional: Disabled by default"
        printf "$SCRIPT:$LINENO: %s\n" ""
        printf "$SCRIPT:$LINENO: %s\n" " Examples:"
        printf "$SCRIPT:$LINENO: %s\n" " $SCRIPT -i john -c \"John Doe\" -p F000_Bar!!1 -r c2,c4 -e 2010-12-15 -C"
        exit 0
        ;;
    -i | --identity) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Identity for [-i][--identity] is missing" >&2
            exit 192
        fi
        USERID="$1"
        ;;
    -p | --password) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Password for [-p][--password] is missing" >&2
            exit 192
        fi
        UPASSWD="$1"
        ;;
    -c | --comment) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Comment for [-c][--comment] is missing" >&2
            exit 192
        fi
        UCOMMNT="$1"
        ;;
    -g | --groups) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Groups for [-g][--groups] are missing" >&2
            exit 192
        fi
        UGRP="$1"
        ;;
    -l | --logins) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Number of logins for [-l][--logins] is missing" >&2
            exit 192
        fi
        ULOGNS="$1"
        ;;
    -n | --nproc) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Number of processes for [-n][--nproc] is missing" >&2
            exit 192
        fi
        UNPROC="$1"
        ;;
    -L | --local)
        ULOCL=1
        ;;
    -P | --poly)
        UPOLY=0
        ;;
    -r | --range) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Range for [-r][--range] is missing" >&2
            exit 192
        fi
        UCATGR="$1"
        ;;
    -f | --forward)
        UFORWRD=1
        ;;
    -C | --cron)
        UCRON=1
        ;;
    -A | --at)
        UAT=1
        ;;
    -a | --chage)
        UAGE=0
        ;;
    -q | --quota) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Quota for [-q][--quota] is missing" >&2
            exit 192
        fi
        UQUOT="$1"
        ;;
    -e | --expire) shift
        if [ $# -eq 0 ] ; then
            printf "$SCRIPT:$LINENO: %s\n" "Expiration date for [-e][--expire] is missing" >&2
            exit 192
        fi
        UEXPR="$1"
        ;;
    --) # End of options, as emitted by getopt
        ;;
    esac
    shift
done

if [ -z "$USERID" ] ; then
    printf "$SCRIPT:$LINENO: %s\n" "Identity missing" >&2
    exit 192
fi

if [ -z "$UPASSWD" ] ; then
    printf "$SCRIPT:$LINENO: %s\n" "Password missing" >&2
    exit 192
fi

# Processing
if test -n "$USERID" ; then
    add_user
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_user: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "added user: $USERID"
else
    printf "$SCRIPT:$LINENO: %s\n" "no identity specified: should not be here"
    exit 192
fi

sleep 1

if test -n "$UPASSWD" ; then
    add_user_passwd
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_passwd: FAIL"
        exit 192
    fi
    # Do not echo the password itself; it would end up in terminal logs
    printf "$SCRIPT:$LINENO: %s\n" "added passwd for: $USERID"
else
    printf "$SCRIPT:$LINENO: %s\n" "no password specified: should not be here"
    exit 192
fi

sleep 1

# The comment is a string, so compare it as one (-ne would fail on text)
if [ "$UCOMMNT" != "0" ] ; then
    add_comment
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_comment: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "added comment: $UCOMMNT"
else
    printf "$SCRIPT:$LINENO: %s\n" "no comment specified: skipping"
fi

sleep 1

# Groups are always applied; only the message differs
add_groups
if [ $? -gt 0 ] ; then
    printf "$SCRIPT:$LINENO: %s\n" "add_groups: FAIL"
    exit 192
fi
if [ "$UGRP" != "realusers,sshusers" ] ; then
    printf "$SCRIPT:$LINENO: %s\n" "added groups: $UGRP"
else
    printf "$SCRIPT:$LINENO: %s\n" "no groups specified: realusers,sshusers"
fi

sleep 1

if [ "$UEXPR" != "0" ] ; then
    add_expire
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_expire: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "added expire: $UEXPR"
else
    printf "$SCRIPT:$LINENO: %s\n" "no expire specified: skipping"
fi

sleep 1

if [ "$UPOLY" -eq 1 ] ; then
    add_poly
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_poly: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "poly not specified: enabled poly"
else
    no_poly
    printf "$SCRIPT:$LINENO: %s\n" "poly specified: disabled poly"
fi

sleep 1

if [ "$UFORWRD" -lt 1 ] ; then
    add_forward
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add forward: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "forward not specified: added forward"
else
    printf "$SCRIPT:$LINENO: %s\n" "forward specified: skipping"
fi

sleep 1

if test "$UQUOT" -ne 10000 && test "$UQUOT" -ne 0 ; then
    add_quota
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_quota: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "added quota: $UQUOT"
elif [ "$UQUOT" -ne 0 ] ; then
    add_quota
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_quota: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "quota not specified: 10000"
else
    printf "$SCRIPT:$LINENO: %s\n" "quota disabled: skipping"
fi

sleep 1

if test "$UNPROC" -ne 15 && test "$UNPROC" -ne 0 ; then
    add_nproc
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_nproc: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "nproc specified: added $UNPROC"
elif [ "$UNPROC" -ne 0 ] ; then
    add_nproc
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_nproc: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "nproc not specified: 15"
else
    printf "$SCRIPT:$LINENO: %s\n" "nproc disabled: skipping"
fi

sleep 1

if test "$ULOGNS" -ne 3 && test "$ULOGNS" -ne 0 ; then
    add_logins
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_logins: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "logins specified: added $ULOGNS"
elif [ "$ULOGNS" -ne 0 ] ; then
    add_logins
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_logins: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "logins not specified: 3"
else
    printf "$SCRIPT:$LINENO: %s\n" "logins disabled: skipping"
fi

sleep 1

if [ "$ULOCL" -eq 0 ] ; then
    add_local
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_local: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "local not specified: added local"
else
    printf "$SCRIPT:$LINENO: %s\n" "local specified: skipping"
fi

sleep 1

if [ "$UCRON" -eq 1 ] ; then
    add_cron
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_cron: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "cron specified: adding cron"
else
    printf "$SCRIPT:$LINENO: %s\n" "cron not specified: skipping"
fi

sleep 1

if [ "$UAT" -gt 0 ] ; then
    add_at
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_at: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "at specified: adding $UAT"
else
    printf "$SCRIPT:$LINENO: %s\n" "at not specified: skipping"
fi

sleep 1

if [ "$UAGE" -eq 1 ] ; then
    add_chage
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_chage: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "chage specified: adding $UAGE"
else
    printf "$SCRIPT:$LINENO: %s\n" "chage not specified: skipping"
fi

sleep 1

if [ "$UCATGR" != "0" ] ; then
    add_cat
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_cat: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "added cat: $UCATGR"
else
    add_seuser
    if [ $? -gt 0 ] ; then
        printf "$SCRIPT:$LINENO: %s\n" "add_seuser: FAIL"
        exit 192
    fi
    printf "$SCRIPT:$LINENO: %s\n" "added seuser"
fi

# Clean up
exit $EXITSTATUS

#EOF
#TODO: list, remove, modify, loglevels, interactive

notes (2008-07-21)

Explain newrole versus sudo for transitioning the user domain.

In F10 selinux-policy-targeted, newrole is no longer encouraged to be used for domain transitions.
In policy mls it is still used (but mls is not common).

sudo allows root privileges without actually knowing the root password.

su with newrole still requires a user to enter the root password to gain root privileges.

Not needing a root password anymore is a big advantage!

---

From the wiki:
SELinux and virtualization (relabeling images if images are not in /etc/xen/).

This is not a domain-specific issue; it is about customized types. The solution should be a man virt_selinux or man xen_selinux, like man httpd_selinux. However, there is no man xen_selinux yet, etc.
This may no longer be an issue in Fedora 10; virt is working on a solution to be implemented in F10.

---

Make sure to use proper SELinux terminology consistently, in an effort to keep it simple.

subject, object, security context, domain types, file types, port types, security level, categories, domain transition, executable file types, domain, application domain, user domain, init daemon, classes, attributes, scontext, tcontext, access vector cache, type enforcement, multi level security, multi category security.

---

From the wiki:
Mounting:

• Do mount points need to be mnt_t?

Boolean mount_any_file. This is also kind of a customized type issue. Use semanage boolean -l to list all booleans and their explanation. For example:

/usr/sbin/semanage boolean -l | grep mount

sh-3.2# /usr/sbin/semanage boolean -l | grep mount
allow_mount_anyfile -> off Allow the mount command to mount any directory or file.
xguest_mount_media -> off Allow xguest users to mount removable media

Consideration: you should consider not mentioning getsebool/setsebool; semanage also provides this functionality.
Keep it simple.

---

From the wiki:
Mislabeled files, relabeled but still problems, touch /.autorelabel (Dan's journal).
Explain how touch /.autorelabel && reboot relates to fixfiles relabel.

---

Different policies:
First there was strict and optional mls (for DoD). Strict was in Fedora 2. It was introduced too soon: users were too restricted. Targeted was introduced to avoid restriction on users. The unconfined domain is a domain exempted from most SELinux policy. Unconfined is a property of targeted policy. Targeted policy only targets a select group; strict targets everything on a system. Targeted plus multi category security (MCS), which is a (poor) implementation of confidentiality (it is discretionary: users can chcat as long as they are a member of the category). MCS in policy mls is part of the security level; in policy mls, MCS is mandatory. mls is strict plus BLP, plus MCS, plus MLS. Strict is no longer maintained; it was merged with targeted (strict plus unconfined domain). If you remove the unconfined domain then you use what used to be strict. At the moment there are two SELinux policy models maintained: policy targeted and policy-mls. mls aims to enforce confidentiality (BLP).

SELinux policy and dependencies.

A policy module has 3 files. Here is the explanation of the 3 files.

mydomain.te (.te) (type enforcement file): it has PRIVATE policy for the "mydomain" policy module.

mydomain.if (.if) (interface file): it has PUBLIC policy for the "mydomain" policy module.

mydomain.fc (.fc) (file context file): it has file contexts for the "mydomain" policy module.

The type enforcement file.

This file has private policy: policy that is, in my example, related to "mydomain".

For example, you might find a rule like this in the mydomain.te file:
apache_read_user_content(mydomain_t)

This policy was provided by apache.if to "mydomain".
You can look it up in the apache.if file. It is really a template or interface with rules for how to read apache's user content. We are using (instantiating) that interface, which the apache policy module provides in its apache.if file, in our mydomain.te file.

Let us refer to interfaces and templates as blocks of public policy. Public policy blocks should be prefixed by the policy module name of the domain that facilitates it in its .if (interface file).

For example, just by looking at the following interface call in mydomain.te I know: 1. which module provided the interface; 2. where to roughly find it; 3. where to find what policy the interface provides; 4. which domain instantiates the block of public policy:

alsa_read_rw_config(mydomain_t)

1. Provided by the alsa policy module.
2. Can be found in alsa.if.
3. Summary: Read alsa writable config files

allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)

4. This policy is instantiated by the mydomain_t domain.

So, just by looking at a .te file, you can easily know the module's dependencies by parsing the prefix of each called interface, as each called interface is prefixed by the name of the module that made it available in its interface file.

Important note regarding public policy.

Creating a quick policy module package (.pp) can be very handy for implementing quick policy, but it is also limited.

To compile policy one needs selinux-policy-devel. It has development files for each module that are used by the compiler to see if the policy that we want to compile is valid.

When you compile and install a separate policy package, with semodule -i mydomain.pp for example, there will not be a devel package installed.

Interface files are therefore rendered useless for separate policy module packages,
for the reason that other modules will not be able to instantiate any public policy for that module.

The reason is that when you try to compile your module that has a call to a public policy block of a module that was installed with semodule, the compiler will not find that interface/template in its devel files, because none were installed!

This is important to know!
Do you want to develop and implement much policy? Then do not use policy module packages with semodule but instead integrate your module into the selinux-policy source provided upstream, rebuild it and reinstall it.

By rebuilding selinux-policy, a new selinux-policy-devel package is created. This selinux-policy-devel package DOES include the public policy for the domain that you integrated and thus is usable, as opposed to using a .pp with semodule.

http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html

Basic access control models (DAC, MAC) (not so basic: MDAC)

explain discretionary
explain the DAC model attributes: user, group, permission bits
explain why DAC ACL is not sufficient. example: privilege escalation
explain the MAC model attributes: security context
explain mandatory
explain that MAC is an ACL layer on top of the DAC ACL layer
explain Type Enforcement
explain Role Based AC
explain Multi Level Security
explain Multi Category/Compartment Security

Compare a SELinux system to a submarine with compartments. If one compartment has a leak, the water will be contained to that compartment and will not be able to spread (escalate). The submarine will not sink.

Security context / SELinux attributes

explain the security context tuple and how to read it (explain the fields)
explain user (which SELinux user (group) created the object?)
explain type is the attribute for type enforcement (TE)
explain role is the attribute for role enforcement (RBAC)
explain security level is the attribute for security level enforcement (MLS)
explain categories/compartments is the attribute for security level enforcement or category/compartment enforcement (MLS or MCS)

Subjects and objects (processes and "files")

explain that everything in a system is an object
explain that even subjects in a system are represented as objects in the proc mountpoint
explain subjects and objects
explain subjects are processes (ps auxZ)
explain objects are "files" (ls -alZ)
- file objects (files, lnk files, dirs, fifo files, sock files etc.)
- port objects
- interface objects
- node objects
- objects made available by other programs via ACE (access control extension): XACE, sepostgresql, SEDBUS, mscd, etc.
- explain object is a class defined in the kernel: process, file, tcp_socket
example of a class: process. example of a class: file
explain domain type is the attribute of a process (user_t is the (user) domain type/attribute of "user")
explain object type is the attribute of an object or "file". Do not mistake files with file objects/file types: a "file" is any object
explain that an object type can never be a scontext (source context) in an AVC denial
explain that processes (subjects) generally operate on files (objects)
explain that processes (subjects) also operate on other processes (subjects). example: process (sigchld) if a user process spawns a program process.
explain that "files" (objects) do not operate.
They get operated on by subjects (processes).
explain that permissions, which define how subjects and objects (classes) can be operated on, are defined in the kernel and are attributes of classes
explain that classes and their attributes are statically defined in the kernel:
- example of a file object class and its attributes:
  + file read
  + dir write
  + lnk_file getattr
- example of a subject class and its attributes:
  + process sigchld
- example of an object made available by other programs (ACL):
  + dbus send_msg
explain that although classes and their attributes are defined in the kernel, one can assign "types" to subjects and objects, and one can define policy for how these types can interact using the object classes and their attributes supplied by the kernel.

Example:

scontext/domain type/subject | tcontext/file type/object | "object" class | "object" permissions/attributes
-----------------------------|---------------------------|----------------|--------------------------------
user_t                       | user_home_t               | dir            | getattr
httpd_t                      | httpd_sys_content_ra_t    | file           | read
user_t                       | mozilla_t                 | process        | sigchld
user_t                       | self                      | process        | transition
mozilla_t                    | httpd_port_t              | tcp_socket     | connect
unconfined_t                 | cupsd_t                   | dbus           | send_msg

How to find out if SELinux is supported/enabled:
supported?: http://domg444.blogspot.com/2007/11/how-to-determine-if-our-system-supports.html
enabled?: getenforce, /selinux/config, sestatus

explain the SELinux framework and SELinux policy. explain that the SELinux framework is responsible for enforcing policy.
explain the access vector cache.
peruse SELinux packages (rpm -ql) and discuss important locations: /etc/selinux, /selinux

How to disable SELinux: I refer to dwalsh's blog.
Some highlights: selinux=0, enforcing=0, setenforce 0, system-config-selinux, semanage.

system-config-selinux is a GUI for semanage. semanage is THE central managing point for SELinux administration:
label file objects (semanage fcontext -a)
label port objects (semanage port -a) etc.
explain each option of semanage and system-config-selinux: label interfaces, set booleans, add, modify, delete SELinux users (groups) and SELinux logins.
explain translation (requires mcstransd)
explain what mcstransd does
explain what restorecond does
explain the auditd connection to SELinux (explain ausearch/auditctl)

show some practical examples for managing users: add an unconfined user, add a confined user, add a staff user, assign MCS categories to a user (ranges)
create custom SELinux user groups
create custom SELinux logins

explain booleans
explain customizable types
mention manual pages for targeted daemons.

explain audit2allow
explain audit2why
explain sesearch and how you can use this to make decisions
explain semodule, sestatus, restorecon, semanage, setenforce, getenforce
explain limitations of chcon
explain advantages of chcon
explain chcat

explain selinux-policy-devel (/usr/share/selinux/devel/Makefile)
show an example of how to make a custom policy module
explain the limitations of a policy module package
explain the advantages of a policy module package

explain role based access control and derived types.

explain star and SELinux tar support (examples)

important: possible problems caused by running in permissive mode, such as having permissions to mislabel files.
important: copying vs. moving files.

explain AVC denials field by field.
explain the advantages and limitations of sealert/setroubleshoot and how this relates to audit.

explain file_t, unlabeled_t
explain initrc_t
explain unconfined_t
explain sepolgen and GUI

explain why /tmp will not be relabeled: http://domg444.blogspot.com/2007/11/why-files-with-incompatible-types-in.html

read the SELinux by Example book

explain MLS vs TARGETED
explain the MCS role in targeted versus the MCS role in mls


Subjects and objects.
A system is really just files. We call files objects. There are different kinds of files: there are devices, ports, interfaces, regular files etc. There are also files that can be executed and that spawn a process. A process is also represented as a file in the proc file system. Processes are called subjects. There are different kinds of processes, like there are different kinds of files. For example, a user process is spawned from a TTY or PTS; these are also represented on a file system as a file. A user program process is spawned from an application executable file, and an init daemon is started from an init script, which is also represented as a file on the file system. So you see, everything really is just a file on your system, and processes spawned from these files. Files are objects, processes are subjects.

SELinux lets us label every file and thus everything in a system. SELinux provides classes and permissions. A class for a subject is process, and a permission could be signal, to signal the process. A class for an object could be file or dir or tcp_socket etc. Each kind of file has a class, and each class has a set of permissions that one can use when enforcing flexible SELinux policy.

So there's everything (files); files are either files or processes (objects or subjects). Then there are different kinds of objects (file objects, port objects), and there are also different kinds of subjects (user domains, application domains etc.).

These different files have classes defined in the kernel, and each class has its own set of permissions.
One can assign types to each file and specify how each of these types may interact with the other types.

A real user logs into the system by executing a terminal. We labeled the terminal file with a type: tty_terminal_exec_type. This is an executable file. It spawns a user process. One must specify in which domain the user process should run. Let's call the user process (or, as we also call processes, domain) user_t.

First we should assign the type to the object. We can use chcon or semanage to assign types to file objects and interface objects and port objects. Then we should define the rules so that when the user runs the tty terminal file it transitions to a user domain.

This is fiction:

file_type tty_terminal_exec_type; # declare a type for your object
userdomain_transition(user_type,tty_terminal_exec_type) # this macro would suggest that when the object with type tty_terminal_exec_type gets executed, the user process (subject) should transition to the user_type domain.

Now we assigned a user domain type (user_type) to a user process. In the SELinux world all access between the types is denied by default. So unless policy is specified, this user domain will not be able to access any object other than the tty object it executed to get here. Let's give this user domain type access to a file type. File type is a name for a set of different kinds of files, including a general file and a directory file.

Let's give directory ~/test a file type of test_dir_type and a file ~/test/file.txt a file type of test_file_type. We use chcon or semanage to assign the file type to the dir and file, and specify how our user domain type may interact with these file types.

The class for our user domain type is process. This is static in the kernel. The classes for a file type are dir for the directory file and file for the regular file; also static in the kernel.
Permissions specific to the file type classes are, for example, getattr, search, read, write etc. Let's write policy.

(me executing the tty_terminal with executable file type tty_terminal_exec_t)

allow me to get attributes of class dir with file type test_dir_t
allow user_type test_dir_type:dir getattr;

allow me to manage class dir with file type test_dir_t
allow user_type test_dir_type:dir manage_dir_perms;

The manage_dir_perms is a macro that represents all permissions needed to manage a dir class.

allow me to read class file with file type test_file_type
allow user_type test_file_type:file read;

Now we can manage the dir object with file type test_dir_t and class dir, and we (subject with a user domain type) can read the file object with file type test_file_t and class file.

Can you imagine the flexibility? Can you imagine the amount of rules? How to keep this manageable? Answer: macros.

selinux_chk2lst.txt

explain permissive mode and how that relates to selinux=0. Permissive logs would-be denials; selinux=0, or the option to disable it in /etc/selinux/config, will fully disable SELinux.
concentrate on semanage. This is the most important tool for users. If a user knows all options in semanage and how/when to apply them, then the user knows a lot about SELinux. Maybe treat semanage as an entry point.
If a user knows semanage then the user will have no trouble with system-config-selinux, but focus on semanage and not system-config-selinux (but of course do mention it).

Post: Checklist for adding login accounts (Dominick "domg472" Grift, 2008-07-07)

Managing login accounts is quite complex nowadays.
I decided to make a checklist.

User, only remote access, expires, password aging, restrict openssh, poly-instantiation, no su (%wheel), no sudo, no exec user content, quota, login limits, nproc limits, MCS categories, no cron (cron.allow), no at (at.allow).

1. Add a login account
/usr/sbin/useradd -c "Full name" -e 2008-12-31 -G realusers,sshusers -K PASS_MAX_DAYS=180 -K PASS_MIN_DAYS=7 -K PASS_MIN_LEN=8 -K PASS_WARN_AGE=7 -p 'password as returned by crypt (3)' 'user_name'

2. Disable permission to execute user content (one time)
/usr/sbin/setsebool -P allow_user_exec_content off

3. Enable poly-instantiation
/usr/sbin/setsebool -P allow_polyinstantiation on
mkdir /home/'user_name'/'user_name'.inst
chmod -R 000 /home/'user_name'/'user_name'.inst

4. Deny local access
echo "- : 'user_name' : LOCAL" >> /etc/security/access.conf

5. Set limits (the pam_limits item names are maxlogins and nproc)
echo "'user_name' - maxlogins 3" >> /etc/security/limits.conf
echo "'user_name' hard nproc 15" >> /etc/security/limits.conf

6. Restrict ssh (Match is a server-side directive; a Match block belongs at the end of sshd_config, so appending is right)
cat >> /etc/ssh/sshd_config <<EOF
Match User 'user_name'
    X11Forwarding no
    AllowTcpForwarding no
EOF

7. Assign SELinux user group, domain and categories
/usr/sbin/semanage user -a -L s0 -r "s0-s0:c4" -R user_r -P user 'user_name'
/usr/sbin/semanage login -a -s 'user_name' -r "s0-s0:c4" 'user_name'
cp /etc/selinux/targeted/contexts/users/user_u /etc/selinux/targeted/contexts/users/'user_name'

8.
User quota
/usr/sbin/setquota -r -u 'user_name' 7500 10000 7500 10000 -a

Post: How to create, integrate and rebuild SELinux policy for Fedora 9 using Eclipse-Slide and rpmdevtools (Dominick "domg472" Grift, 2008-05-15)

In this example I am going to show you how you can write, integrate and rebuild SELinux policy modules for Fedora 9 using Eclipse-Slide and rpmdevtools.

I will create a SELinux policy module for the irssi user application and I will integrate this new policy module into the main Fedora selinux-policy with rpmdevtools.

What I need:

yum install rpmdevtools selinux-policy-devel eclipse-slide

Chapter 1. Preparing the source:

First we should determine which selinux-policy we have installed, so that we can go find and download the corresponding selinux-policy source rpm.

[screenshot: 1.png]
It is determined that the source rpm that I need is not available on the main mirrors, and therefore I will try to find it on koji.fedoraproject.org/koji.

[screenshot: 2.png]
I will download the source rpm to my default Download location and extract the package simply by alternate-clicking it and choosing "extract here" from the menu.

[screenshot: 3.png]
Once the source rpm is extracted, a new folder appears with its contents. I am going to copy the included serefpolicy-3.3.1.tgz plus policy-20071130.patch to my desktop.
After that I will extract the serefpolicy-3.3.1.tgz located on my desktop and apply the patch that's located on my desktop as well.

[screenshot: 4.png]
At this point the folder serefpolicy-3.3.1 on my desktop represents the prepared source for the binary policy that is installed on my system.

Chapter 2. Loading source policy into an Eclipse-Slide project:

Now I am ready to load the prepared source policy into the Eclipse-Slide IDE.
I do this by starting Eclipse, creating a new Slide project and loading the prepared serefpolicy-3.3.1 folder into my new Slide project.

[screenshots: 5.png, 6.png, 7.png]
Once the new project is loaded I will attempt to build the project. Note that Eclipse has a setting enabled that will cause your project to be auto-compiled by default. This can be an annoyance, and so I opt to disable this and build the project manually. Also note that building this project will likely fail. However, even so we will still have access to some of the templates and features.

[screenshot: 8.png]
Once the attempt to compile our new project has finished you will notice that the right-hand filter browser is now somewhat populated. This window will assist me with quick navigation in the vast area of interfaces and templates. The left-hand window has a project browser which gives me a good overview of my project. The window below has a few tabs, of which I find the declaration tab very helpful. The status tab will display any errors or warnings that occurred during compilation.
The main window in the middle of the screen I will use to write policy.

[screenshot: 9.png]
Chapter 3. Integrating a new policy module into our Eclipse-Slide project:

Now it's time to actually integrate a new policy module into the current project.
I choose the irssi application. This application is started by users and therefore belongs in the apps subsection of the modules location in our project.

[screenshots: 10.png, 11.png]
Once you finish the new Slide module wizard, a new workspace is presented with access to your newly created module in the main window in the middle of the screen. Notice that a module is built out of 3 separate files, which you can access by clicking the corresponding tab at the lower end of the main window in the middle of the screen.

[screenshot: 12.png]
Chapter 4. Installing and perusing the Irssi application:

Since we are going to integrate policy for Irssi, we should install this package by running: yum install irssi. Once this package is installed we can query information about this package. We want to find out to which files the irssi application needs to write, or which objects Irssi must execute.
In this case irssi also has a configuration file, /etc/irssi.conf, that is of particular interest to us.

[screenshot: 13.png]
Chapter 5. About policy modules:

Before I start to write policy I want to explain something. Since Irssi is a user application, it is expected that users (or, as we call them, user domains) have to interact with it. The SELinux world can have infinite user domains, and policy is based on which user domain interacts with the irssi application domain.

You can imagine how much maintenance work it would take for us to keep our irssi policy up-to-date for any (new) SELinux user domains that may come or go.

It would require very many rules just to differentiate between users. This is why templates, and in particular the per_role_template, were invented. This template can be invoked for each user domain.

User information is replaced by variables which are instantiated when the user domain calls the template. This means that I can use one piece of policy for any user domains that may call it. This saves much maintenance work but also saves us from a huge pile of policy. These templates are hosted by the domain in the interface file in the module. This file is used by domains to host policy.
Other domains have easy access to their interfaces and templates, to interact with the domain that hosts those interfaces or templates.

The first step for me to take is to declare any non user domain specific types. We know that irssi has an executable in /usr/bin/irssi and we have to declare a type for this executable: irssi_exec_t.

We also know that irssi owns a file in /etc/irssi.conf, and we should declare a type for this config file in etc as well: irssi_etc_t.

We do this in the irssi.te file. This file holds local policy regarding irssi. The .te file in a module has a few parts: first we declare the policy_module, then we declare any types, booleans and other things, and then we call interfaces in other domains and specify local policy.

Policy that is user domain specific does not belong in a .te file, as this policy is called by the user domain and thus should be hosted in the .if file by our domain. More about the .if file later.

So now we have to declare a type for irssi_exec_t and irssi_etc_t in the irssi.te file in our module.

[Screenshot 14.png]
So now we have those two types declared, and now I have to make sure that the objects we declared types for get labelled (/usr/bin/irssi and /etc/irssi.conf). This is done in the .fc file.

[Screenshot 15.png]
At this point all our non user domain specific types are declared and we have taken care of the file labelling of those objects via the file context file in our module.

Chapter 6. User domain specific policy in the module's interface file:

Now we are ready for the part of the module that is called by the user domains that want to execute irssi. This part is done in the interface file of the module. Policy in this file is accessible to domains that call it.

Here is how this works: user domains can call the irssi per_role_template so that they can run irssi in its application domain.
User domains are expected to call this template in their local policy (.te file): irssi_per_role_template(myuser, myuser_t, myuser_r)
[Screenshot 16.png]
Above you see an example of an empty per_role_template in the irssi.if file in the module. Interfaces and templates are headed by XML comments. These comments can be read by other domains. Other domains that want to interact with our application domain need this info to be able to call these templates in a correct manner. This particular template takes 3 arguments: user domain prefix, user domain, and role.

And so if a user domain called myuser wants to run our application domain (in its domain), then that user domain will have to call our per_role_template in its own local policy.

My next step is to declare the remaining user domain specific types,
such as the type for the application domain and the type of our application domain's objects in the user space.

[Screenshot 17.png]
After I declared those types I will also have to manage object labeling to the remaining declared type for irssi owned objects in the user space.
[Screenshot 18.png]
Now we're done with the .fc file.
If you remember, we have declared two non user domain specific types in our irssi.te file: irssi_exec_t and irssi_etc_t.
These types are locally declared; however, user domains that call the irssi_per_role_template also need access to these types, and since other domains cannot access our local policy (.te) we have to include or require those types in our irssi_per_role_template in our .if file so that other domains can also interact with these types.
[Screenshot 19.png]
Please note that there is a small syntax error in the picture above. See if you can find what it is. I will show the correction at the end of this article.

Next we have to make some more decisions. We can decide to let any (user) domain automatically transition to the irssi application domain once the user executes the irssi executable, or we can decide that the source domain executes irssi in its own domain instead.

I have chosen an option where we make the above decision tunable by way of a boolean. The result is that by default domains will not transition to the irssi app domain unless a boolean for that particular domain is set.

That boolean is called irssi_confine_$1, where $1 stands for the user domain prefix.
The administrator can set the boolean for a particular user domain if he wants that domain to run irssi in the irssi application domain.

First we declare our user domain specific boolean in the declaration section of our irssi_per_role_template, and in the local policy part of our template we write policy for this tunable.

[Screenshot 20.png]
Now that we have declared a local boolean we can decide to make some other possibilities optional. For example, maybe we want to enable optional support for NFS or SAMBA home directories.
Since these are global booleans, we do not have to declare them; we just have to write policy for them.

[Screenshot 21.png]
Note that I also added the fs_search_auto_mountpoints() interface so that we can always search those locations. The contents of this interface can easily be looked up in the filesystem module's interface file, or you can view them by simply selecting the entry and viewing its declarations in the declaration tab in the lower window (which incidentally is collapsed in the example above).

New Chapter. Networking:

Irssi connects to an IRC server, usually on port 6667. This port is already declared as port type ircd_port_t in refpolicy, so we can use that policy to let irssi connect to IRC servers. However, we should declare a network port range for Irssi's IRC DCC server facility. We declare a port type ircdcc_port_t for tcp 4990-5000. Irssi will use those as its ports for a DCC server, or in single instance mode also for connecting to DCC ports,
in case we are not hosting but downloading from another DCC server.
[Screenshot 22.png]
Now that we have declared irssi's DCC server port range we should also set up the rest of irssi's networking policy. We simply add an interface to allow connecting to, and sending and receiving IRC client packets on, the ircd_port_t port, plus some other corenetwork module interfaces that are used as defaults.

[Screenshot 23.png]
Please note again that you can inspect what those blue lines really mean in terms of policy if you select one and view its contents in the declaration window (which is collapsible at the lower end of the window).

Next it is decision making time again.
But let's first recap: by default users do not transition to the irssi domain. We chose to make this decision tunable by boolean. If this boolean is set, then the user runs irssi in the irssi application domain. As it stands now irssi may only connect to ports with type ircd_port_t, which is tcp 6667. irssi will not be able to connect to any other ports. Also, the ircdcc_port_t port we declared for the irssi DCC server is not yet allowed.

We can decide to make this bit tunable or default behaviour. In this example I chose to make IRC DCC tunable and disabled by default unless set (least privilege model), and so we have to create a tunable_policy block again to allow irssi to either connect or bind to its DCC port range (tcp 4990-5000).
[Screenshot 24.png]
But since this is a local (but not user domain specific) boolean and not a global boolean, we will have to declare this boolean in the irssi.te file of our module.
[Screenshot 25.png]
The final tunable option we are going to implement is to facilitate mass hosting of irssi. If you want to host multiple instances of irssi and allow those instances to bind and connect to any unreserved ports, then you can set the irssi_unreserved_network boolean. This boolean will require all other booleans to be set as well for optimal performance. This scenario is for instances where you may have a shell server that hosts irssi on a machine in the DMZ.

So again, there are four modes: 1. Disabled unless enabled. 2. Strict (can only connect to port 6667). 3. Single instance mode (can connect to 6667 and connect and bind to 4990-5000). 4. Mass hosting mode (can connect and bind to any unreserved port, plus all of the above).
[Screenshot 26.png]
And of course, since this is a local (but not a user domain specific) boolean, we will also have to declare this boolean in the irssi.te file in our module.
[Screenshot 27.png]

This next part goes into local* policy that defines how our domain may interact. This is usually the first piece of policy in the local policy block of your module, and in this case it is user domain specific and thus should be in the interface file irssi.if.

This piece of policy I split into 3 parts. Part 1 is policy that governs how our domain can interact with its own process (allow $1_irssi_t self). Part 2 is policy that governs how user domains may interact with the application domain, e.g. allow $2 $1_irssi_t.
Part 3 is policy that governs how our application domain may interact with the user domain, e.g. allow $1_irssi_t $2.

[Screenshot 28.png]
Now I will deal with our domain's objects and how our domain can interact with these objects. First, you may remember that we declared a type irssi_etc_t in our irssi.te file. This is a global configuration file that irssi should be able to read, and so we should give our domain access to search /etc, and we should allow our domain read and getattr access to files with type irssi_etc_t. This will allow irssi to read the global config file.

Next we must ensure that irssi can manage its user domain specific objects in the user space. We must also ensure that the user domain can manage irssi objects in the user home location.

Third, we should ensure that the user domain is able to relabel irssi domain objects in his or her home dir,
so that a user can move objects in and out of the irssi domain in his or her home location.

[Screenshot 29.png]
Most of our policy is done now. There are some interfaces that we have to call in other domains. One particular issue is that the user domain should be able to read the application domain's process. This is for using ps auxZ, top, etcetera.

Also note the optional_policy block for nis_use_ypbind. The optional_policy block means that the policy is only enabled when NIS is available. This option was added to add NIS support to our module.
[Screenshot 30.png]
Done!
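As an added example that reconstructs the module described above in text form (it is not the author's screenshots or the pastebin copy), here are irssi.te, irssi.fc and the irssi_per_role_template as I would write them in reference policy. Interface and pattern names are current refpolicy names and may differ from the 3.3.1 ones; the irssi_dcc boolean name, the $1_irssi_home_t type, the ROLE_/HOME_DIR file context entry and the placement of the port declaration in corenetwork.te.in are my assumptions.

```selinux
# irssi.te: module-local policy that is not user domain specific
policy_module(irssi, 1.0.0)

type irssi_exec_t;
application_executable_file(irssi_exec_t)

type irssi_etc_t;
files_config_file(irssi_etc_t)

# Local (not per user domain) booleans belong here, not in the template.
# irssi_dcc is an assumed name; the post does not name its DCC boolean.
gen_tunable(irssi_dcc, false)
gen_tunable(irssi_unreserved_network, false)
# The DCC range is a base-policy port; in corenetwork.te.in the line
#   network_port(ircdcc, tcp,4990-5000,s0)
# generates corenet_tcp_bind_ircdcc_port()/corenet_tcp_connect_ircdcc_port().

# irssi.fc: labels for the non user domain specific objects and home content
/etc/irssi\.conf	--	gen_context(system_u:object_r:irssi_etc_t,s0)
/usr/bin/irssi		--	gen_context(system_u:object_r:irssi_exec_t,s0)
HOME_DIR/\.irssi(/.*)?		gen_context(system_u:object_r:ROLE_irssi_home_t,s0)

# irssi.if: the template that user domains call from their own .te as
#   irssi_per_role_template(myuser, myuser_t, myuser_r)
## <summary>Per role template for irssi.</summary>
## <param name="userdomain_prefix"><summary>User domain prefix.</summary></param>
## <param name="user_domain"><summary>User domain type.</summary></param>
## <param name="user_role"><summary>User role.</summary></param>
template(`irssi_per_role_template',`
	gen_require(`
		type irssi_exec_t, irssi_etc_t;
	')
	# Declarations: per user domain types and the per user domain boolean
	type $1_irssi_t;
	application_domain($1_irssi_t, irssi_exec_t)
	role $3 types $1_irssi_t;
	type $1_irssi_home_t;
	userdom_user_home_content($1, $1_irssi_home_t)
	gen_tunable(irssi_confine_$1, false)

	# Mode 1: no transition unless the administrator sets irssi_confine_<prefix>
	tunable_policy(`irssi_confine_$1',`
		domtrans_pattern($2, irssi_exec_t, $1_irssi_t)
	',`
		can_exec($2, irssi_exec_t)
	')

	# Part 1: the application domain and its own process
	allow $1_irssi_t self:process signal_perms;
	allow $1_irssi_t self:fifo_file rw_fifo_file_perms;
	allow $1_irssi_t self:tcp_socket create_socket_perms;
	# Part 2: the user domain acting on the application domain (ps auxZ, top, kill)
	allow $2 $1_irssi_t:process signal_perms;
	ps_process_pattern($2, $1_irssi_t)
	# Part 3: the application domain acting on the user domain
	userdom_use_user_terminals($1, $1_irssi_t)

	# Global config: search /etc, then read and getattr irssi_etc_t files
	files_search_etc($1_irssi_t)
	read_files_pattern($1_irssi_t, irssi_etc_t, irssi_etc_t)

	# Home content: irssi manages and creates it; the user domain manages
	# and relabels it so files can be moved in and out of the irssi type
	userdom_search_user_home_dirs($1, $1_irssi_t)
	manage_dirs_pattern($1_irssi_t, $1_irssi_home_t, $1_irssi_home_t)
	manage_files_pattern($1_irssi_t, $1_irssi_home_t, $1_irssi_home_t)
	userdom_user_home_dir_filetrans($1, $1_irssi_t, $1_irssi_home_t, { dir file })
	manage_dirs_pattern($2, $1_irssi_home_t, $1_irssi_home_t)
	manage_files_pattern($2, $1_irssi_home_t, $1_irssi_home_t)
	relabel_dirs_pattern($2, $1_irssi_home_t, $1_irssi_home_t)
	relabel_files_pattern($2, $1_irssi_home_t, $1_irssi_home_t)

	# NFS/Samba homes: global booleans, so only policy here, no declaration
	fs_search_auto_mountpoints($1_irssi_t)
	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_irssi_t)
		fs_manage_nfs_files($1_irssi_t)
	')
	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_irssi_t)
		fs_manage_cifs_files($1_irssi_t)
	')

	# Mode 2, strict: only ircd_port_t (tcp 6667) plus the corenet defaults
	corenet_tcp_sendrecv_generic_if($1_irssi_t)
	corenet_tcp_sendrecv_generic_node($1_irssi_t)
	corenet_tcp_sendrecv_all_ports($1_irssi_t)
	corenet_tcp_bind_generic_node($1_irssi_t)
	corenet_tcp_connect_ircd_port($1_irssi_t)
	# Mode 3, single instance: DCC server on, or download from, tcp 4990-5000
	tunable_policy(`irssi_dcc',`
		corenet_tcp_bind_ircdcc_port($1_irssi_t)
		corenet_tcp_connect_ircdcc_port($1_irssi_t)
	')
	# Mode 4, mass hosting: any unreserved port (set the other booleans too)
	tunable_policy(`irssi_unreserved_network',`
		corenet_tcp_bind_all_unreserved_ports($1_irssi_t)
		corenet_tcp_connect_all_unreserved_ports($1_irssi_t)
	')

	# Only compiled in when the nis module is present
	optional_policy(`
		nis_use_ypbind($1_irssi_t)
	')
')
```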
Let's clean up the project.

[Screenshot 31.png]
Now I have to copy my project to my desktop and archive it with exactly the same name as the serefpolicy-3.3.1.tgz we extracted and prepared earlier.

[Screenshot 32.png]
Next we should create our personal rpmbuild root.

[Screenshot 33.png]
In this part we are going to copy the contents of the folder that we extracted from our source rpm in our Download location to the newly created SOURCES location in our ~/rpmbuild root.

We will remove the copied *.patch files and serefpolicy-3.3.1.tgz from our ~/rpmbuild/SOURCES location and copy the selinux-policy.spec that is also located there to ~/rpmbuild/SPECS/.

Next we will copy our modified serefpolicy-3.3.1.tgz from our desktop to the ~/rpmbuild/SOURCES/ location.

[Screenshot 34.png]
Now we should edit our spec file located in ~/rpmbuild/SPECS/selinux-policy.spec. We have to bump up the version number to avoid difficulties.
We also have to comment out any patch entries (this is because we already applied the included patches manually at the beginning of our exercise).
[Screenshot 35.png]
[Screenshot 36.png]
[Screenshot 37.png]
Finally we should add our new module to the modules-targeted.conf file in ~/rpmbuild/SOURCES/ if we want our module to be active in the selinux-policy-targeted package.

[Screenshot 38.png]
Now we can execute rpmbuild -ba ~/rpmbuild/SPECS/selinux-policy.spec and let her rip.

[Screenshot 39.png]
If all goes well, you'd get your freshly brewed set of rpms.

[Screenshot 40.png]
But all did not go well in this example, as I made a mistake. The image below shows my mistake corrected. If you have any questions or comments please ping me at #fedora-selinux on freenode.

You can find a copy of my irssi policy here: http://pastebin.ca/768256?srch=irssi_exec_t. It also includes policy for eggdrop and manual pages, but it may need some work.
[Screenshot mistake1.png]

Dominick "domg472" Grift (http://www.blogger.com/profile/11819170833190325982)