SELinux Part 2 — Creating Custom Policy

MKM, published in thesystemadmin, Dec 1, 2020 (2 min read)

Suppose you want to block access to a set of files in a folder even for a user who has the DAC rights (ownership and mode bits) to them. SELinux can do that: give the files a type of their own and allow only the domains you choose to touch it.

Install the SELinux tooling first so that every step below works (these are the RHEL/CentOS 7 package names). The Makefile used below to build the module belongs to selinux-policy-devel; add that package if /usr/share/selinux/devel/Makefile is missing after this install.

$ yum install policycoreutils-python policycoreutils-devel setools-console setroubleshoot setroubleshoot-server selinux-policy -y

First, log in as root, create a folder and change into it.

$ mkdir /policytest
$ cd /policytest

Create the policy source file (a .te file).

$ cat <<'EOF' > policytest.te
policy_module(policytest, 1.0)

require {
    type unconfined_t;
}

type policytest_t;
files_type(policytest_t)
fs_associate(policytest_t)

allow unconfined_t policytest_t:{ dir file } { relabelto relabelfrom getattr };
EOF

policy_module() names the module and gives it a version. The require block lists the types this module uses but does not define; they must already exist in the loaded policy. type declares the new type. files_type() gives it the file_type attribute so it can be used as a label for files and directories, and fs_associate() allows objects with this type to be stored on a filesystem. The allow rule lets root's domain (unconfined_t) relabel files and directories to policytest_t and back again, and stat them.

Build the module and load it with these two commands:

$ make -f /usr/share/selinux/devel/Makefile policytest.pp
$ semodule -i policytest.pp

Now create a shell script, make it executable and change its type. Record the label with semanage fcontext, so it survives a later relabel of the filesystem, and apply that stored rule to the file with restorecon. Afterwards ls -Z test.sh should show policytest_t as the type.

$ echo "pwd" > test.sh
$ chmod +x test.sh
$ semanage fcontext -a -t policytest_t /policytest/test.sh
$ restorecon -v /policytest/test.sh

Add a new user and give it ownership of the folder recursively. Map the Linux user to the SELinux user user_u, so that its login shell runs confined in the user_t domain. chown only changes the DAC owner; the SELinux label set above stays as it is.

$ useradd policytest
$ passwd policytest
$ semanage login -a -s user_u policytest
$ chown -R policytest:policytest /policytest

Now log in from a different session as that user, change into the folder, and try to list and execute the script.

$ ssh policytest@your_host
$ cd /policytest
$ ls -alZ test.sh
ls: cannot access /policytest/test.sh: Permission denied
$ /policytest/test.sh
-bash: /policytest/test.sh: Permission denied

The user owns the file, so DAC would allow both operations, but SELinux denies them: user_t has neither the getattr permission on policytest_t that ls needs nor the execute permission. Now switch to your root session and check the denials in the audit log.

$ ausearch -m AVC
type=AVC msg=audit(1606860547.620:2190): avc: denied { execute } for pid=121738 comm="bash" name="test.sh" dev="dm-0" ino=51506749 scontext=user_u:user_r:user_t:s0 tcontext=unconfined_u:object_r:policytest_t:s0 tclass=file permissive=0
...

You can also let audit2allow turn the denials into a module (-M writes both testdenials.te and testdenials.pp). Two caveats before you load it. First, audit2allow emits a rule for every denial it is fed, including denials from unrelated domains, so restrict the input (for example with -ts recent, or by grepping for scontext=user_u:user_r:user_t) and read the generated .te before running semodule. Second, a denied operation stops at its first missing permission, so one round usually shows only part of what the script needs (here execute, but not yet read and open); either iterate, or temporarily make the domain permissive with semanage permissive -a user_t, run the script, collect the AVCs, and remove the exception again with semanage permissive -d user_t.

$ ausearch -m AVC -ts recent | audit2allow -M testdenials
$ cat testdenials.te
$ semodule -i testdenials.pp
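To make concrete what audit2allow does with those records, here is a small shell/awk function added for this article. It is not audit2allow and not the author's code: it reads AVC lines, merges the denied permissions per source type, target type and object class, and prints allow rules, and an optional argument keeps only one source domain, which is the review step audit2allow leaves to you. The log lines are constructed for the demo: the first is the denial shown above, the rest (including the httpd_t record) are invented to show why the input must be filtered.

```shell
# Added for this article: a tiny read-only stand-in for audit2allow.
# It is NOT audit2allow and not the post author's code; it only shows
# how denial records become allow rules, and why you filter/review them.
#
# avc_to_rules [SOURCE_TYPE] < audit_lines
#   Reads "avc: denied { perms } ... scontext=... tcontext=... tclass=..."
#   records, merges permissions per (source type, target type, class) and
#   prints one "allow" rule per triple. With SOURCE_TYPE set, records from
#   every other source domain are dropped.
avc_to_rules() {
    awk -v want="${1:-}" '
    /avc: +denied +[{]/ {
        # denied permissions are the words between the first "{" and "}"
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # the third colon-separated field of a context is its type
            if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); src = a[3] }
            else if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if (index($i, "tclass=") == 1) cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed record
        if (want != "" && src != want) next             # not the domain we asked for
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    # input is sorted, so equal (src tgt class) triples are adjacent
    {
        key = $1 " " $2 " " $3
        if (key != prev) {
            if (prev != "") print "allow " ps " " pt ":" pc " { " perms " };"
            prev = key; ps = $1; pt = $2; pc = $3; perms = $4
        } else {
            perms = perms " " $4
        }
    }
    END { if (prev != "") print "allow " ps " " pt ":" pc " { " perms " };" }'
}

# Constructed sample log: the first record is the denial shown in the post;
# the others are invented for the demo (the httpd_t one is unrelated noise
# that audit2allow would turn into a rule if you fed it the whole log).
SAMPLE_AVC='type=AVC msg=audit(1606860547.620:2190): avc:  denied  { execute } for  pid=121738 comm="bash" name="test.sh" dev="dm-0" ino=51506749 scontext=user_u:user_r:user_t:s0 tcontext=unconfined_u:object_r:policytest_t:s0 tclass=file permissive=0
type=AVC msg=audit(1606860550.101:2191): avc:  denied  { read open } for  pid=121740 comm="bash" name="test.sh" dev="dm-0" ino=51506749 scontext=user_u:user_r:user_t:s0 tcontext=unconfined_u:object_r:policytest_t:s0 tclass=file permissive=0
type=AVC msg=audit(1606860552.404:2192): avc:  denied  { getattr } for  pid=121741 comm="ls" path="/policytest/test.sh" dev="dm-0" ino=51506749 scontext=user_u:user_r:user_t:s0 tcontext=unconfined_u:object_r:policytest_t:s0 tclass=file permissive=0
type=AVC msg=audit(1606860560.777:2193): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Unfiltered: two rules, one of them for httpd_t, which has nothing to do
# with this test and must not end up in policytest.te.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
# Filtered to the domain under test: only the user_t rule remains.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules user_t
```

The merged user_t rule is exactly the set of permissions the three denials asked for, which is why generated rules tend to be minimal but also why they need several rounds: nothing in the log can mention a permission that was never reached.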

Or write the rules yourself: extend the module so that user_t can access policytest_t.

policy_module(policytest, 1.1)

require {
    type unconfined_t;
    type user_t;
}

type policytest_t;
files_type(policytest_t)
fs_associate(policytest_t)

allow unconfined_t policytest_t:{ dir file } { relabelto relabelfrom getattr };
allow user_t policytest_t:file { execute execute_no_trans ioctl open read getattr };
allow user_t policytest_t:dir { search ioctl open read getattr };

Bump the version in policy_module, then build and load the module again; semodule -i replaces the already loaded module of the same name. The file rule includes execute_no_trans, so the script runs inside user_t itself instead of transitioning to another domain. The dir rule only matters once you label the directory policytest_t as well (for example with semanage fcontext -a -t policytest_t "/policytest(/.*)?" followed by restorecon -Rv /policytest); search, not execute, is what the kernel checks when a path is traversed, which is why the directory rule grants search.

$ make -f /usr/share/selinux/devel/Makefile policytest.pp
$ semodule -i policytest.pp

Switch back to the policytest session and try to list and execute the script again.

$ /policytest/test.sh
/home/policytest
$ cd /policytest
$ ls -alZ
-rwxr-xr-x. policytest policytest unconfined_u:object_r:user_home_t:s0 test.sh

The user can now list and execute the file. One check before you trust the result: the type field in this listing reads user_home_t, not policytest_t. On a file that still carries the label set earlier, ls -Z shows unconfined_u:object_r:policytest_t:s0, and then it is only the user_t rules in the module that permit reading and running it. If your listing shows a different type, the file has been replaced since it was labeled; run restorecon -v /policytest/test.sh again (the semanage fcontext entry is still in place) and repeat the test.
