Labeled NFS/Demo/CustomizingServerPolicy

From SELinux Wiki
Revision as of 14:54, 22 December 2008 by CraigGrube (Talk | contribs)

Jump to: navigation, search


The server policy contains three SELinux policy modules that are required for NFS to function properly. This section will not cover the specifics of the sefosnfsserver and sefosrpc policies, but will focus on the sefosexports policy. The sefosnfsserver and sefosrpc policies are required for the NFS server and related RPC services to function properly. The sefosexports policy is required to allow the NFS server to access and manage files being shared to the clients.

Sample Policy

module sefosexports 1.0.0;

require {
        ## specific to access files/dirs in exports
        type mnt_t;
        type home_root_t;
        type user_home_dir_t;
        type user_home_t;
        type kernel_t;
        type nfsd_t;

        class file { create open getattr setattr read write append rename link unlink ioctl lock };
        class dir { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir
lock ioctl };
        class udp_socket { name_bind listen };
        class lnk_file {create getattr unlink};

## specifc to type of exported dirs

The policy shown above provides the NFS server read-only access to three file types (using the nfs_ro_export_dir_type macro):

  • mnt_t - /mnt, /mnt/export
  • home_root_t - /mnt/export/home

The policy provides read-write access to one file type (using the nfs_rw_export_type macro):

  • user_home_t - /mnt/export/home/newuser

The two macros should make it fairly easy to allow the NFS server to access additional file types. To allow the NFS server to access additional types, simply add the type in the requires block and apply the appropriate macro. There currently is no macro to provide read-only access to a file type, but it should be fairly trivial to create one modeled after the read-write macro.

Modifying the policy

For the example of policy modification we will be adding read-write access to the type httpd_user_content_t.

Here are the steps required to modify the policy:

  1. Install the server policy source RPM
    rpm -i sefos-server-policy-0.2-1.fc9.src.rpm
  2. Change directory to /usr/src/redhat/SOURCES
  3. Extract the policy archive:
    tar -xzf sefos-server-policy-0.2.tar.gz
  4. Edit the sefeosexports.te file:
    1. Increment the module version number.
    2. In the requires section add the following to allow us to later reference the httpd_user_content_t type:
      type httpd_user_content_t;
    3. At the end of the file add a line to allow read-write access to the httpd_user_content_t type:
  5. In /usr/src/redhat/SOURCES recreate the tarball:
    tar -czvf sefos-server-policy-0.2.tar.gz sefos-server-policy-0.2

Building the policy

We recommend incrementing the release number to allow the package to be upgraded, instead of forcing the administrator to remove the old version and install the new version. To do so edit /usr/src/redhat/SPECS/sefos-server-policy.spec. Increment the number in the line that looks similar to the following:

Release:        1%{?dist}

To build the binary RPM run (use -ba to build binary and source packages or -bs for building just the source package):

rpmbuild -bb /usr/src/redhat/SPECS/sefos-server-policy.spec

Installing the policy

Use <code>rpm to upgrade the policy on the server:

rpm --upgrade /usr/src/redhat/RPMS/i386/sefos-server-policy-0.2-2.fc9.i386.rpm

You should now be able to access the new file type through NFS.