New SELinux Policy

Support for security such as Firewalls and securing Linux
vamfoom
Posts: 39
Joined: 2014/05/24 01:28:37

New SELinux Policy

Post by vamfoom » 2016/05/12 17:38:03

I'm trying to learn more about SELinux on CentOS but I'm struggling to find any good resources. I've read a few books also but none of them really explains it so one can create a new policy from scratch for CentOS. Is there a good tutorial anyone can recommend?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: New SELinux Policy

Post by gerald_clark » 2016/05/12 18:22:50


jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: New SELinux Policy

Post by jyoung » 2016/05/12 19:04:53

How about this? It's not exactly a tutorial but it's the most approachable method that I've found. A combination of this and looking at the refpolicy is how I learned to write what I do.

Introducing sepolicy: http://danwalsh.livejournal.com/61107.html
Creating a confined administrator: http://danwalsh.livejournal.com/66587.html
Man page for sepolicy: http://man7.org/linux/man-pages/man8/se ... ate.8.html

SELinux refpolicy: https://github.com/TresysTechnology/refpolicy

In the reference policy, a good place to start is the file which defines object permission sets, https://github.com/TresysTechnology/ref ... m_sets.spt. There are other files that define permission sets like this too but the refpolicy lets you start with allowing a user to perform basic actions on a Linux system. Other files to check out are the interface files (end in .if) for other projects, found at /usr/share/selinux/devel/include/contrib and installed by selinux-policy-devel. In your policy, you can reference the interfaces from other projects and grant your app or user the ability to perform other tasks without having to specify each system call that's required.

The second link from Dan Walsh's blog that I shared might be a good way to practice. You write and compile policy and then map your confined administrator to your policy.
-- Jeremy --
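
An added example, not part of the post above or of the reference policy: a minimal type enforcement file showing the two mechanisms that post points to, permission-set macros from obj_perm_sets.spt used in raw allow rules, and interfaces from other modules' .if files called in place of hand-written rules. The module name and every `myapp_*` type are hypothetical; the macros and interfaces are ones shipped with the reference policy and selinux-policy-devel.

```selinux
# myapp.te -- hypothetical module; all myapp_* names are assumptions.
# Build and load (requires selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile myapp.pp
#   semodule -i myapp.pp
# A matching myapp.fc file (not shown) is still needed to label the
# daemon's binary, config and data paths with the types declared here.

policy_module(myapp, 1.0.0)

# Domain for the daemon and the type of its executable. The interface
# from init.if sets up the transition from init into myapp_t.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Private types for configuration and state, registered through
# interfaces from files.if so generic tooling treats them as file types.
type myapp_conf_t;
files_config_file(myapp_conf_t)

type myapp_var_lib_t;
files_type(myapp_var_lib_t)

# Raw allow rules using permission sets from obj_perm_sets.spt.
# read_file_perms and list_dir_perms expand to the individual
# permissions needed to read a file or list a directory.
allow myapp_t myapp_conf_t:file read_file_perms;
allow myapp_t myapp_conf_t:dir list_dir_perms;

# Pattern macros bundle the directory search plus file permissions
# needed to create, write and delete objects under a directory.
manage_dirs_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
manage_files_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)

# Anything myapp_t creates under /var/lib gets the private type.
files_var_lib_filetrans(myapp_t, myapp_var_lib_t, { dir file })

# Interfaces from other modules: each call grants access to types
# owned by that module without naming those types or permissions here.
logging_send_syslog_msg(myapp_t)      # logging.if: write to syslog
files_read_etc_files(myapp_t)         # files.if: read generic /etc files
miscfiles_read_localization(myapp_t)  # miscfiles.if: locale and timezone data
```

The definition behind each interface call can be read in the corresponding .if file under /usr/share/selinux/devel/include, which shows exactly which rules it expands to.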

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New SELinux Policy

Post by TrevorH » 2016/05/12 21:32:58

On the CentOS IRC channel we have a "bot" that has some helpful information about lots of things and when you ask it about selinux, it produces this list of links to read and digest!

Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fed ... ced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/se ... licy-guide
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
