Hi list, I've knocked up a contribution on SELinux here: http://wiki.centos.org/HowTos/SELinux I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference. I'm relatively new to SELinux and have covered pretty much everything I know to the limits of my limited knowledge. If folks think other material needs to be covered then it may be more appropriate for them to make the additions rather than me. Consider it a "get the ball rolling" contribution that the community can add to as necessary :) Comments welcomed, Ned
Ned Slider wrote:> Hi list, > > I've knocked up a contribution on SELinux here: > > http://wiki.centos.org/HowTos/SELinux > > I've tried to pitch it as an introduction for those not already > familiar with SELinux but also hopefully a useful reference. > > I'm relatively new to SELinux and have covered pretty much everything > I know to the limits of my limited knowledge. If folks think other > material needs to be covered then it may be more appropriate for them > to make the additions rather than me. Consider it a "get the ball > rolling" contribution that the community can add to as necessary :) > > Comments welcomed,I would add the following just before "Sumamry" (in case one wants to edit the rules suggested by audit2allow): Building module policy manually - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix - while reviewing the generated postfix.te module local 1.0; require { type httpd_log_t; type postfix_postdrop_t; class dir getattr; class file { read getattr }; } #============= postfix_postdrop_t ============= allow postfix_postdrop_t httpd_log_t:file getattr; we decide that we do not want either to *relabel* the files or to *allow* the action, but it is safe to *ignore* the warnings. Therefore we edit the action rule, like below: dontaudit postfix_postdrop_t httpd_log_t:file getattr; We now need to compile and load the policy: $ checkmodule -M -m -o postfix.mod postfix.te $ semodule_package -o local.pp -m postfix.mod $ semodule -i postfix.pp -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20080811/b97861d7/attachment-0002.html>
On 11/08/2008, Ned Slider <ned at unixmail.co.uk> wrote:> > > I've knocked up a contribution on SELinux here: > > http://wiki.centos.org/HowTos/SELinux > > I've tried to pitch it as an introduction for those not already familiar > with SELinux but also hopefully a useful reference.Excellent work and, IMO, a very valuable reference guide. :-D Alan. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20080811/db0a693c/attachment-0002.html>
Ned Slider wrote:> Hi list, > > I've knocked up a contribution on SELinux here: > > http://wiki.centos.org/HowTos/SELinux > > I've tried to pitch it as an introduction for those not already familiar > with SELinux but also hopefully a useful reference.Great article. What maybe should be added to the article is the fact, that SELinux doesn't need programs to be changed, meaning that programs do not (need to) know about SELinux at all for it to work. So a SELinux denial just looks like a normal "access denied" to any program. Cheers, Ralph -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20080811/3eb465aa/attachment-0002.sig>
Ralph Angenendt wrote:> Ned Slider wrote: >> Hi list, >> >> I've knocked up a contribution on SELinux here: >> >> http://wiki.centos.org/HowTos/SELinux >> >> I've tried to pitch it as an introduction for those not already familiar >> with SELinux but also hopefully a useful reference. > > Great article. > > What maybe should be added to the article is the fact, that SELinux > doesn't need programs to be changed, meaning that programs do not (need > to) know about SELinux at all for it to work. So a SELinux denial just > looks like a normal "access denied" to any program. > > Cheers, > > Ralph >Thanks Ralph. Added the following sentence: Because SELinux is implemented within the kernel, individual applications do not need to be especially written or modified to work with SELinux. If SELinux blocks an action, this appears as just a normal "access denied" type error to the application.
Manuel Wolfshant wrote:> Ned Slider wrote: >> Hi list, >> >> I've knocked up a contribution on SELinux here: >> >> http://wiki.centos.org/HowTos/SELinux >> >> I've tried to pitch it as an introduction for those not already >> familiar with SELinux but also hopefully a useful reference. >> >> I'm relatively new to SELinux and have covered pretty much everything >> I know to the limits of my limited knowledge. If folks think other >> material needs to be covered then it may be more appropriate for them >> to make the additions rather than me. Consider it a "get the ball >> rolling" contribution that the community can add to as necessary :) >> >> Comments welcomed, > I would add the following just before "Sumamry" (in case one wants to > edit the rules suggested by audit2allow): > > Building module policy manually > > > - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix > - while reviewing the generated postfix.te > > module local 1.0; > > require { > type httpd_log_t; > type postfix_postdrop_t; > class dir getattr; > class file { read getattr }; > } > > #============= postfix_postdrop_t =============> allow postfix_postdrop_t httpd_log_t:file getattr; > > > we decide that we do not want either to *relabel* the files or to > *allow* the action, but it is safe to *ignore* the warnings. Therefore > we edit the action rule, like below: > > dontaudit postfix_postdrop_t httpd_log_t:file getattr; > > We now need to compile and load the policy: > > $ checkmodule -M -m -o postfix.mod postfix.te > $ semodule_package -o local.pp -m postfix.mod > $ semodule -i postfix.pp >Thanks Wolfy :) I think I need to read up some more and expand section(s) at the end of the document on policy modules. I'll incorporate the above into that process. Also, does anyone know if there are any guidelines/best practice on the naming of custom policy modules? I'm wondering if it's wise to create local policy modules with names like postfix or postgrey etc, as conceivably these may later get overwritten by policy modules supplied from elsewhere? Maybe something like postfix.local.pp might be more appropriate?
Manuel Wolfshant wrote:> Ned Slider wrote: >> Hi list, >> >> I've knocked up a contribution on SELinux here: >> >> http://wiki.centos.org/HowTos/SELinux >> >> I've tried to pitch it as an introduction for those not already >> familiar with SELinux but also hopefully a useful reference. >> >> I'm relatively new to SELinux and have covered pretty much everything >> I know to the limits of my limited knowledge. If folks think other >> material needs to be covered then it may be more appropriate for them >> to make the additions rather than me. Consider it a "get the ball >> rolling" contribution that the community can add to as necessary :) >> >> Comments welcomed, > I would add the following just before "Sumamry" (in case one wants to > edit the rules suggested by audit2allow): > > Building module policy manually > > > - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix > - while reviewing the generated postfix.te > > module local 1.0; > > require { > type httpd_log_t; > type postfix_postdrop_t; > class dir getattr; > class file { read getattr }; > } > > #============= postfix_postdrop_t =============> allow postfix_postdrop_t httpd_log_t:file getattr; > >Wolfy, Are you able to supply an example of the audit.log AVC message(s) that are used to create this .te policy? It might be useful to show the actual AVC error messages in explaining this process. Thanks, Ned
Ned Slider wrote:> Hi list, > > I've knocked up a contribution on SELinux here: > > http://wiki.centos.org/HowTos/SELinux >Any suggestions as to where this should be linked under http://wiki.centos.org/HowTos ? I don't see an obvious existing category to add it under. Any thoughts?