NB RefPolicy

From SELinux Wiki

(Difference between revisions)
Jump to: navigation, search
Revision as of 14:10, 21 May 2010 (edit)
RichardHaines (Talk | contribs)
(Reference Policy Build Options - policy/modules.conf)
← Previous diff
Revision as of 14:16, 21 May 2010 (edit) (undo)
RichardHaines (Talk | contribs)
(Building the targeted Policy Type)
Next diff →
Line 1,232: Line 1,232:
make load make load
</pre> </pre>
 +<pre>
# Finally copy over two files that are not automatically # Finally copy over two files that are not automatically
# managed by the build process. These are held in the # managed by the build process. These are held in the

Revision as of 14:16, 21 May 2010

Contents

The Reference Policy

Introduction

The Reference Policy is now the standard policy source used to build SELinux policies. This provides a single source tree with supporting documentation that can be used to build policies for different purposes such as: confining important daemons, supporting MLS / MCS type policies and locking down systems so that all processes are under SELinux control.

This section details how the Reference Policy is:

  1. Constructed and types of policy builds supported.
  2. Installation as a full Reference Policy source or as Header files.
  3. Modifying the configuration files to build new policies.
  4. Adding new modules to the build.

Notebook Reference Policy Information

This section makes use of the F-12 distribution that is built from the standard Reference Policy VERSION=20090730[1]. This is modified and distributed by Red Hat as the following RPM:

selinux-policy-3.6.32-103.fc12.src.rpm[2]

This core source code is then used to build various policy RPMs that are distributed by Red Hat as:

selinux-policy-3.6.32-103.fc12.noarch - Contains the SELinux /etc/selinux/config file, man pages and the "Policy Header" development environment that is located at /usr/share/selinux/devel
selinux-policy-doc-3.6.32-103.fc12.noarch - Contains the html policy documentation that is located at /usr/share/doc/selinux-policy-3.6.32/html
selinux-policy-minimum-3.6.32-103.fc12.noarch
selinux-policy-mls-3.6.32-103.fc12.noarch
selinux-policy-targeted-3.6.32-103.fc12.noarch

These three rpms contain policy configuration files and the packaged policy modules (*.pp). These will be used to build the particular policy type in /usr/share/selinux/<policy_name>, the install process will then install the policy in the appropriate /etc/selinux/<policy_name> directory.


Reference Policy Overview

The Reference Policy can be used to build two different formats of a policy:

  1. Loadable Module Policy - A policy that has a base module for core services and has the ability to load / unload modules to support applications as required[3]. This is now the standard used by GNU / Linux distributions.
  2. Monolithic Policy - A policy that has all the required policy information in a single base policy.

Each of the policy types are built using module files that define the specific modules required by the policy as detailed in the Reference Policy Module Files section. Note that the monolithic policy is built using the the same module files, however they are all assembled into a single "base" source file.

The Reference Policy is now used by all major distributions of SELinux, however each distribution makes its own specific changes to support their "version of the Reference Policy" (as this section should show as the Red Hat F-12 policy distribution has a slightly different build to the standard Reference PolicyVERSION=2.20090730).

There are tools such as SLIDE (SELinux integrated development environment) that can be used to make the task of policy development and testing easier when using the Reference Policy source or headers. SLIDE is an Eclipse plugin and details can be found at:

http://oss.tresys.com/projects/slide

Distributing Policies

It is possible to distribute the Reference Policy in two forms:

  1. As source code that is then used to build policies. This is not the general way policies are distributed as it contains the complete source that most administrators do not need. The Reference Policy Source section describes the source and the Installing and Building the Reference Policy Source section describes how to install the source and build a policy.
  2. As "Policy Headers". This is the most common way to distribute the Reference Policy. Basically, the modules that make up "the distribution" are pre-built and then linked to form a base and optional modules. The "headers" that make-up the policy are then distributed along with makefiles and documentation. A policy writer can then build policy using the core modules supported by the distribution, and using development tools they can add their own policy modules. The Reference Policy Headers section describes how these are installed and used to build modules.

The policy header files for F-12 are distributed in a number of rpms as follows:

selinux-policy-3.6.32-103.fc12.noarch - This package contains the SELinux /etc/selinux/config file, man pages and the "Policy Header" development environment that is located at /usr/share/selinux/devel
selinux-policy-doc-3.6.32-103.fc12.noarch - This package contains the html policy documentation that is located at /usr/share/doc/selinux-policy-3.6.32/html
selinux-policy-minimum-3.6.32-103.fc12.noarch
selinux-policy-mls-3.6.32-103.fc12.noarch
selinux-policy-targeted-3.6.32-103.fc12.noarch
These three packages contain policy configuration files and policy modules (*.pp files) for the particular policy type to be installed. These files are used to build the policy type in /usr/share/selinux/<policy_name> and then install the policy in the /etc/selinux/<policy_name> directory.
Normally only one policy would be installed and active, however for development purposes all three can be installed.

Policy Functionality

As can be seen from the policies distributed with F-12 above, they can be classified by the name of the functionality they support (taken from the NAME entry of the build.conf as shown in Table 2), for example the Red Hat policies support[4]:

mminimum - supports a minimal set of confined daemons within their own domains. The remainder run in the unconfined_t space.
mls - supports server based MLS systems.
targeted - supports a greater number of confined daemons and can also confine other areas and users (this targeted version also supports the older "strict" version).

For information, the Reference Policy supports the following types (taken from the TYPE entry of the build.conf as shown in Table 2):

standard - supports confined daemons and can also confine other areas and users (this is an amalgamated version of the older "targeted" and "strict" versions).

mcs - As standard but supports MCS labels.
mls - supports MLS labels and confines server processes.

Reference Policy Module Files

The reference policy modules are constructed using a mixture of policy language statements, support macros and access interface calls using three principle types of source file:

1. A private policy file that contains statements required to enforce policy on the specific GNU / Linux service being defined within the module. These files are named <module_name>.te.

For example the ada.te file shown below has two statements:

a) one to state that the ada_t process has permission to write to the stack and memory allocated to a file.
b) one that states that if the unconfined module is loaded, then allow the ada_t domain unconfined access. Note that if the flow of this statement is followed it will be seen that many more interfaces and macros are called to build the final raw SELinux language statements.
2. An external interface file that defines the services available to other modules. These files are named <module_name>.if.
For example the ada.if file shown below has two interfaces defined for other modules to call (see also the Example Documentation Screen Shot that shows a screen shot of the documentation that can be automatically generated):
a) ada_domtrans - that allows another module (running in domain $1) to run the ada application in the ada_t domain.
b) ada_run - that allows another module to run the ada application in the ada_t domain (via the ada_domtrans interface), then associate the ada_t domain to the caller defined role ($2) and terminal ($3).
Provided of course that the caller domain has permission.
It should be noted that there are two types of interface specification:
Access Interfaces - These are the most common and define interfaces that .te modules can call as described in the ada examples. They are generated by the interface macro as detailed in the the interface Macro section.
Template Interfaces - These are required whenever a module is required in different domains and allows the type(s) to be redefined by adding a prefix supplied by the calling module. The basic idea is to set up an application in a domain that is suitable for the defined SELinux user and role to access but not others. These are generated by the template macro as detailed in the template Macro section that also explains the openoffice.if template.
3. A file labeling file that defines the labels to be added to files for the specified module. These files are named <module_name>.fc. The build process will amalgamate all the .fc files and finally form the file_contexts file that will be used to label the filesystem.

For example the ada.fc file shown below requires that the specified files are all labeled system_u:object_r:ada_exec_t:s0.

The <module_name> must be unique within the reference policy source tree and should reflect the specific GNU / Linux service being enforced by the policy.

The module files are constructed using a mixture of:

  1. Policy language statements as defined in the SELinux Policy Language section.
  2. Reference Policy macros that are defined in the Reference Policy Macros section.
  3. External interface calls defined within other modules (.te and .if only).

An example of each file taken from the ada module is as follows:

ada.te file contents:

policy_module(ada, 1.4.0)

########################################
#
# Declarations
#

type ada_t;
type ada_exec_t;
application_domain(ada_t, ada_exec_t)
role system_r types ada_t;

########################################
#
# Local policy
#

allow ada_t self:process { execstack execmem };

userdom_use_user_terminals(ada_t)
optional_policy(`
unconfined_domain(ada_t)
')

ada.if file contents:

## <summary>GNAT Ada95 compiler</summary>
########################################
## <summary>
##Execute the ada program in the ada domain.
## </summary>
## <param name="domain">
##<summary>
##Domain allowed access.
##</summary>
## </param>
#
interface(`ada_domtrans',`
gen_require(`
type ada_t, ada_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, ada_exec_t, ada_t)
')

########################################
## <summary>
##Execute ada in the ada domain, and
##allow the specified role the ada domain.
## </summary>
## <param name="domain">
##<summary>
##Domain allowed access.
##</summary>
## </param>
## <param name="role">
##<summary>
##The role to be allowed the ada domain.
##</summary>
## </param>
## <param name="terminal">
##<summary>
##The type of the terminal allow the ada domain to use.
##</summary>
## </param>
#
interface(`ada_run',`
gen_require(`
type ada_t;
')

ada_domtrans($1)
role $2 types ada_t;
')

ada.fc file contents:

#
# /usr
#
/usr/bin/gnatbind--gen_context(system_u:object_r:ada_exec_t,s0)
/usr/bin/gnatls--gen_context(system_u:object_r:ada_exec_t,s0)
/usr/bin/gnatmake--gen_context(system_u:object_r:ada_exec_t,s0)
/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)

Reference Policy Documentation

One of the advantages of the reference policy is that it is possible to automatically generate documentation as a part of the build process. This documentation is defined in XML and generated as HTML files suitable for viewing via a browser.

The documentation for F-12 can be found in the following locations:

Distributed as Policy Headers - /usr/share/doc/selinux-policy-<version>/html. Where <version> is the version number of the Red Hat release, for the build used in this Notebook the location is:
/usr/share/doc/selinux-policy-3.6.32/html
Distributed as Policy Source - <location>/src/policy/doc/html. Where <location> is the location of the installed source after make install-src has been executed as described in the Installing The Reference Policy Source section. The documentation can then be generated using make html, where for the build used in this Notebook the location is:
/etc/selinux/targeted-103/src/policy/doc/html

The Example Documentation Screen Shot shows an example screen of the documentation produced for the ada module interfaces.

Reference Policy Source

This section will explain the source layout and configuration files, with the actual installation and building covered in the Building the Reference Policy Source section.

The source has a README file containing information on the configuration and installation processes that has been used within this section (and updated with the authors comments as necessary). There is also a VERSION file that contains the Reference Policy release date which can be used to obtain the original source from the repository located at:

http://oss.tresys.com/projects/refpolicy

Source Layout

The The Reference Policy Source Tree diagram shows the layout of the reference policy source tree, that once installed would be located at:

/etc/selinux/<policy_name>/src/policy

The following sections detail the source contents:

The Installing and Building the Reference Policy Source section then describes how the initial source is installed and configured to allow a version of the F-12 targeted policy to be built.

Reference Policy Files and Directories

Table 1 shows the major files and their directories with a description of each taken from the README file. All directories are relative to the root of the Reference Policy source directory ./policy.

Two of these configuration files (build.conf and modules.conf) are further detailed in the Source Configuration Files section as they define how the policy will be built.

During the build process, a file is generated in the ./policy directory called either policy.conf or base.conf depending whether a monolithic or modular policy is being built. This file is explained in the Modular Policy Build Structure section.

File / Directory Name Comments
Makefile General rules for building the policy.
Rules.modular Makefile rules specific to building loadable module policies.
Rules.monolithic Makefile rules specific to building monolithic policies.
build.conf Options which influence the building of the policy, such as the policy type and distribution.
config/appconfig-<type> Application configuration files for all configurations of the Reference Policy where <type> is taken from the build.conf TYPE entry that are currently: standard, MLS and MCS). These files are used by SELinux-aware programs.
config/local.users The file read by load policy for adding SELinux users to the policy on the fly.

Note that this file is not used in the F-12 modular policy build.

doc/html/* When make html has been executed, contains the in-policy XML documentation, presented in web page form
doc/policy.dtd The doc/policy.xml file is validated against this DTD.
doc/policy.xml This file is generated/updated by the conf and html make targets. It contains the complete XML documentation included in the policy.
doc/templates/* Templates used for documentation web pages.
support/* Tools used in the build process.
policy/flask/initial_sids This file has declarations for each initial SID.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/flask/security_classes This file has declarations for each security class.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/flask/access_vectors This file defines the access vectors. Common prefixes for access vectors may be defined at the beginning of the file. After the common prefixes are defined, an access vector may be defined for each security class.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/modules/* Each directory represents a layer in Reference Policy all of the modules are contained in one of these layers.

The files present are:

metadata.xml - describes the layer.

<module_name>.te, .if & .fc - contains policy source as described in the Reference Policy Module Files section.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/booleans.conf This file is generated/updated by the conf make target. It contains the booleans in the policy, and their default values. If tunables are implemented as booleans, tunables will also be included. This file will be installed as the /etc/selinux/NAME/booleans file (note that this is not true for F-12 or any system that implements the modular policy - see the Booleans, Global Booleans and Tunable Booleans section).

This file is also included in the F-12 source updates as described in the Installing and Building the Reference Policy Source section.

policy/constraints This file defines additional constraints on permissions in the form of boolean expressions that must be satisfied in order for specified permissions to be granted. These constraints are used to further refine the type enforcement rules and the role allow rules. Typically, these constraints are used to restrict changes in user identity or role to certain domains.

(Note that this file does not contain the MLS / MCS constraints as they are in the mls and mcs files described below).

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/global_booleans This file defines all booleans that have a global scope, their default value, and documentation. See the Booleans, Global Booleans and Tunable Booleans section.
policy/global_tunables This file defines all tunables that have a global scope, their default value, and documentation. See the Booleans, Global Booleans and Tunable Booleans section.
policy/mcs This contains information used to generate the sensitivity, category, level and mlsconstraint statements used to define the MCS configuration.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/mls This contains information used to generate the sensitivity, category, level and mlsconstraint statements used to define the MLS configuration.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/modules.conf This file contains a listing of available modules, and how they will be used when building Reference Policy.

This file is described in the Reference Policy Build Options section, it is also updated by the F-12 source updates as described in the Installing and Building the Reference Policy Source section.

policy/policy_capabilities This file defines the policy capabilities that can be enabled in the policy.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/rolemap This file contains prefix and user domain type that corresponds to each user role. The contents of this file will be used to expand the per-user domain templates for each module.

Note this is not used in the Reference Policy (commented out in makefiles).

policy/users This file defines the users included in the policy.

The file usage in policy generation is described in the Modular Policy Build Structure section.

policy/support/* Reference Policy support macros. These are described in the Reference Policy Macros section.
securetty_types These files are not part of the standard distribution but is added by the F-12 source updates as described in the Installing and Building the Reference Policy Source section.
setrans.conf

Table 1: The Reference Policy Files and Directories

Source Configuration Files

There are two major configuration files (build.conf and modules.conf) that define the policy to be built and are detailed in this section.


Reference Policy Build Options - build.conf

This file defines the policy type to be built that will influence its name and where the source will be located once it is finally installed. It also configures the MCS / MLS sensitivity and category maximum values. An example file content is shown in the Installing and Building the Reference Policy Source section where it is used to install and then build the policy.

Table 2 explains the fields that can be defined within this file, however there are a number of m4 macro parameters that are set up when this file is read by the build process makefiles. These definitions are shown in Table 3 and are also used within the module source files to control how the policy is built with examples shown in the ifdef / ifndef Parameters section.


Option Type Comments
OUTPUT_POLICY Integer Set the version of the policy created when building a monolithic policy. This option has no effect on modular policy.
TYPE String Available options are standard, mls, and mcs. For a type enforcement only system, set standard. This optionally enables multi-level security (MLS) or multi-category security (MCS) features. This option controls enable_mls, and enable_mcs policy blocks.
NAME String (optional) Sets the name of the policy; the NAME is used when installing files to e.g., /etc/selinux/NAME and /usr/share/selinux/NAME. If not set, the policy type field (TYPE) is used.

The policy built under this directory is also controlled by the modules.conf that is described in the Reference Policy Build Options section.

DISTRO String (optional) Enable distribution-specific policy. Available options are redhat, rhel4, gentoo, debian, and suse. This option controls distro_redhat, distro_rhel4, distro_suse policy blocks.
UNK_PERMS String Set the kernel behaviour for handling of permissions defined in the kernel but missing from the policy. The permissions can either be allowed, denied, or the policy loading can be rejected. See the SELinux Filesystem for more details.
DIRECT_INITRC Boolean (y|n) If 'y' sysadm will be allowed to directly run init scripts, instead of requiring the run_init tool. This is a build option instead of a tunable since role transitions do not work in conditional policy. This option controls direct_sysadm_daemon policy blocks.
MONOLITHIC Boolean (y|n) If 'y' a monolithic policy is built, otherwise a modular policy is built.
UBAC Boolean (y|n) If 'y' User Based Access Control policy is built. The default for Red Hat is 'n'. These are defined as constraints in the policy/constraints file. Note Version 1 of the Reference Policy did not have this entry and defaulted to Role Based Access Control.
MLS_SENS Integer Set the number of sensitivities in the MLS policy. Ignored on standard and MCS policies.
MLS_CATS Integer Set the number of categories in the MLS policy. Ignored on standard and MCS policies.
MCS_CATS Integer Set the number of categories in the MCS policy. Ignored on standard and MLS policies.
QUIET Boolean (y|n) If 'y' the build system will only display status messages and error messages. This option has no effect on policy.

Table 2: build.conf Entries


m4 Parameter Name in Makefile From build.conf entry Comments
enable_mls TYPE Set if MLS policy build enabled.
enable_mcs TYPE Set if MCS policy build enabled.
enable_ubac UBAC Set if UBAC set to 'y'.
mls_num_sens MLS_SENS The number of MLS sensitivities configured.
mls_num_cats MLS_CATS The number of MLS categories configured.
mcs_num_cats MCS_CATS The number of MCS categories configured.
distro_$(DISTRO) DISTRO The distro name or blank.
direct_sysadm_daemon DIRECT_INITRC If DIRECT_INITRC entry set to 'y'.
hide_broken_symtoms This is set up in the Makefile and can be used in modules to hide errors with dontaudit rules (or even allow rules).

Table 3: m4 parameters set at build time - These have been extracted from the Reference Policy Makefile file.

Reference Policy Build Options - policy/modules.conf

This file controls what modules are built within the policy with example entries as follows:

# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem, unlabeled processes and objects.
# 
kernel = base

# Module: amanda
#
# Automated backup program.
# 
amanda = module

# Layer: admin
# Module: ddcprobe
#
# ddcprobe retrieves monitor and graphics card information
# 
ddcprobe = off

As can be seen the only active line (those without comments[5]) is:

<module_name> = base | module | off

Where:

module_name The name of the module to be included within the build.
base The module will be in the base module for a modular policy build (build.conf entry MONOLITHIC = n).
module The module will be built as a loadable module for a modular policy build. If a monolithic policy is being built (build.conf entry MONOLITHIC = y), then this module will be built into the base module.
off The module will not be included in any build.

Generally it is up to the policy writer to decide which modules are in the base and those that are loadable, however there are some modules that MUST be in the base module. To highlight this there is a special entry at the start of the modules interface file (.if) that has the entry <required val='true'> as shown below (taken from the kernel.if file):

## <summary>
##Policy for kernel threads, proc filesystem, 
##and unlabeled processes and objects.
## </summary>
## <required val="true">
##This module has initial SIDs.
## </required>

The modules.conf file will also reflect that a module is required in the base by adding a comment "Required in base" when the make conf target is executed (as all the .if files are checked during this process and the modules.conf file updated).

# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
# 
kernel = base

There are 13 modules in the F-12 reference policy source marked as required and are shown in Table 4.

Layer Module Name Comments
system application Policy for user executable applications. All the interface calls start with 'application_'.
system setrans Policy for the SELinux MLS/MCS label translation service. All the interface calls start with 'setrans_'.
kernel corecommands Core policy for shells, and generic programs in: /bin, /sbin, /usr/bin, and /usr/sbin. The .fc file sets up the labels for these items. All the interface calls start with 'corecmd_'.
kernel corenetwork Policy controlling access to network objects and also contains the initial SIDs for these.

The .if file is large and automatically generated. All the interface calls start with 'corenet_'.

kernel devices This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are the mass storage and terminal devices that are covered by other modules (that is a char or block device file, usually in /dev). All types that are used to label device nodes should use the dev_node macro.

Additionally this module controls access to three things:

  1. the device directories containing device nodes.
  2. device nodes as a group
  3. individual access to specific device nodes covered by this module.

All the interface calls start with 'dev_'.

kernel domain Contains the core policy for forming and managing domains.

All the interface calls start with 'domain_'.

kernel files This module contains basic filesystem types and interfaces and includes:
  1. The concept of different file types including basic files, mount points, tmp files, etc.
  2. Access to groups of files and all files.
  3. Types and interfaces for the basic filesystem layout (/, /etc, /tmp, /usr, etc.).
  4. Contains the file initial SID.

All the interface calls start with 'files_'.

kernel filesystem Contains the policy for filesystems and the initial SID.

All the interface calls start with 'fs_'.

kernel kernel Contains the policy for kernel threads, proc filesystem, and unlabeled processes and objects. This module has initial SIDs.

All the interface calls start with 'kernel_'.

kernel mcs Policy for Multicategory security. The .te file only contains attributes used in MCS policy.

All the interface calls start with 'mcs_'.

kernel mls Policy for Multilevel security. The .te file only contains attributes used in MLS policy.

All the interface calls start with 'mls_'.

kernel selinux Contains the policy for the kernel SELinux security interface (selinuxfs).

All the interface calls start with 'selinux_'.

kernel terminal Contains the policy for terminals.

All the interface calls start with 'term_'.

Table 4: Mandatory modules.conf Entries


Building the modules.conf File

The file can be created by an editor, however it is generally built initially by make conf that will add any additional modules to the file. The file can then be edited to configure the required modules as base, module or off.

As will be seen in the Installing and Building the Reference Policy Source section, the reference policy source comes with a number of pre-configured files that are used to produce the required policy including multiple versions of the modules.conf file.

Source Installation and Build Make Options

This section explains the various make options available that have been taken from the README file. Table 5 describes the general make targets, Table 6 describes the modular policy make targets and Table 7 describes the monolithic policy make targets.


Make Target Comments
install-src Install the policy sources into /etc/selinux/NAME/src/policy, where NAME is defined in the build.conf file. If it is not defined, then TYPE is used instead. If a build.conf does not have the information, then the Makefile will default to the current entry in the /etc/selinux/config file or default to refpolicy. A pre-existing source policy will be moved to /etc/selinux/NAME/src/policy.bak.
conf Regenerate policy.xml, and update/create modules.conf and booleans.conf. This should be done after adding or removing modules, or after running the bare target. If the configuration files exist, their settings will be preserved. This must be run on policy sources that are checked out from the CVS repository before they can be used.
clean Delete all temporary files, compiled policies, and file_contexts. Configuration files are left intact.
bare Do the clean make target and also delete configuration files, web page documentation, and policy.xml.
html Regenerate policy.xml and create web page documentation in the doc/html directory.
install-appconfig Installs the appropriate SELinux-aware configuration files.

Table 5: General Build Make Targets


Make Target Comments
base Compile and package the base module. This is the default target for modular policies.
modules Compile and package all Reference Policy modules configured to be built as loadable modules.
MODULENAME.pp Compile and package the MODULENAME Reference Policy module.
all Compile and package the base module and all Reference Policy modules configured to be built as loadable modules.
install Compile, package, and install the base module and Reference Policy modules configured to be built as loadable modules.
load Compile, package, and install the base module and Reference Policy modules configured to be built as loadable modules, then insert them into the module store.
validate Validate if the configured modules can successfully link and expand.
install-headers Install the policy headers into /usr/share/selinux/NAME. The headers are sufficient for building a policy module locally, without requiring the complete Reference Policy sources. The build.conf settings for this policy configuration should be set before using this target.

Table 6: Modular Policy Build Make Targets


Make Target Comments
policy Compile a policy locally for development and testing. This is the default target for monolithic policies.
install Compile and install the policy and file contexts.
load Compile and install the policy and file contexts, then load the policy.
enableaudit Remove all dontaudit rules from policy.conf.
relabel Relabel the filesystem.
checklabels Check the labels on the filesystem, and report when a file would be relabeled, but do not change its label.
restorelabels Relabel the filesystem and report each file that is relabeled.

Table 7: Monolithic Policy Build Make Targets


Booleans, Global Booleans and Tunable Booleans

The three files booleans.conf, global_booleans and global_tunables are built and used as follows:

booleans.conf This file is generated / updated by make conf, and contains all the booleans in the policy with their default values. If tunable and global booleans are implemented then these are also included.

This file can also be delivered as a part of the reference policy source as shown in the outline Installing and Building the Reference Policy Source section. This is generally because other default values are used for booleans and not those defined within the modules themselves (i.e. distribution specific booleans). When the make install is executed, then this file will be used to set the default values.

Note that if booleans are updated locally then the policy store will contain a booleans.local file.

In SELinux enabled systems that support the policy store features (modular policies) this file is not installed as /etc/selinux/NAME/booleans.

global_booleans These are booleans that have been defined in the global_tunables file using the gen_bool macro. They are normally booleans for managing the overall policy and currently consist of the following (where the default values are false):
secure_mode
secure_mode_insmod
secure_mode_policyload
global_tunables These are booleans that have been defined in module files using the gen_tunable macro and added to the global_tunables file by make conf. The tunable_policy macros are defined in each module where policy statements or interface calls are required. They are booleans for managing specific areas of policy that are global in scope. An example is allow_execstack that will allow all processes running in unconfined_t to make their stacks executable.


Modular Policy Build Structure

This section explains the way a modular policy is constructed, this does not really need to be known but is used to show the files used that can then be investigated if required.

When make all or make load or make install are executed the build.conf and modules.conf files are used to define the policy name and what modules will be built in the base and those as individual loadable modules.

Basically the source modules (.te, .if and .fc) and core flask files are rebuilt in the tmp directory where the reference policy macros[6] in the source modules will be expanded to form actual policy language statements as described in the Policy Language section. Figure 3 shows these temporary files that are used to form the base.conf[7] file during policy generation.

The base.conf file will consist of language statements taken from the module defined as base in the modules.conf file along with the constraints, users etc. that are required to build a complete policy.

The individual loadable modules are built in much the same way as shown in Figure 4.

Base Policy Component Description Policy Source File Name (relative to ./policy/policy) ./policy/tmp

File Name

The object classes supported by the kernel. flask/security_classes pre_te_files.conf
The initial SIDs supported by the kernel. flask/initial_sids
The object class permissions supported by the kernel. flask/access_vectors
This is either the expanded mls or mcs file depending on the type of policy being built. mls or mcs
These are the policy capabilities that can be configured / enabled to support the policy. policy_capabilities
This area contains all the attribute, bool, type and typealias statements extracted from the *.te and *.if files that form the base module. modules/*/*.te

modules/*/*.if


all_attrs_types.conf
Contains the global and tunable bools extracted from the conf files. global_bools.conf

global_tunables.conf

global_bools.conf
Contains the rules extracted from each of the modules .te and .if files defined in the modules.conf file as "base". base modules only_te_rules.conf
Contains the expanded users from the users file. users all_post.conf
Contains the expanded constraints from the constraints file. constraints
Contains the default SID labeling extracted from the *.te files. modules/*/*.te
Contains the fs_use_xattr, fs_use_task, fs_use_trans and genfscon statements extracted from each of the modules .te and .if files defined in the modules.conf file as "base". modules/*/*.te

modules/*/*.if



Contains the netifcon, nodecon and portcon statements extracted from each of the modules .te and .if files defined in the modules.conf file as "base". modules/*/*.te

modules/*/*.if


Contains the expanded file context file entries extracted from the *.fc files defined in the modules.conf file as "base". modules/*/*.fc base.fc.tmp
Expanded seusers file. seusers seusers
These are the commands used to compile, link and load the base policy module:

checkmodule base.conf -o tmp/base.mod

semodule_package -o base.conf -m base_mod -f base_fc -u users_extra -s tmp/seusers

semodule -s $(NAME) -b base.pp) -i and each module .pp file

The "NAME" is that defined in the build.conf file.

Figure 3: Base Module Build - This shows the temporary build files used to build the base module "base.conf" as a part of the "make" process. Note that the modules marked as base in modules.conf are built here.


Base Policy Component Description Policy Source File Name (relative to ./policy/policy) ./policy/tmp

File Name

For each module defined as "module" in the modules.conf configuration file, a source module is produced that has been extracted from the *.te and *.if file for that module. modules/*/<module_name>.te

modules/*/<module_name>.if


<module_name>.tmp



For each module defined as "module" in the modules.conf configuration file, an object module is produced from executing the checkmodule command shown below. tmp/<module_name>.tmp <module_name>.mod
For each module defined as "module" in the modules.conf configuration file, an expanded file context file is built from the <module_name>.fc file. modules/*/<module_name>.fc base.fc.tmp
This command is used to compile each module:

checkmodule tmp/<module_name>.tmp -o tmp/<module_name>.mod


Each module is packaged and loaded with the base module using the following commands:

semodule_package -o base.conf -m base_mod -f base_fc -u users_extra -s tmp/seusers

semodule -s $(NAME) -b base.pp) -i and each module .pp file

The "NAME" is that defined in the build.conf file.

Figure 4: Module Build - This shows the module files and the temporary build files used to build each module as a part of the "make" process (i.e. those modules marked as module in modules.conf).


Creating Additional Layers

One objective of the reference policy is to separate the modules into different layers reflecting their "service" (e.g. kernel, system, app etc.). While it can sometimes be difficult to determine where a particular module should reside, it does help separation, however because the way the build process works, each module must have a unique name.

If a new layer is required, then the following will need to be completed:

  1. Create a new layer directory ./policy/modules/LAYERNAME that reflects the layer's purpose.
  2. In the ./policy/modules/LAYERNAME directory create a metadata.xml file. This is an XML file with a summary tag and optional desc (long description) tag that should describe the purpose of the layer and will be used as a part of the documentation. An example is as follows:
<summary>ABC modules for the XYZ components.</summary>

Installing and Building the Reference Policy Source

This section explains how to install the F-12 reference policy source that is distributed by Red Hat (however the same principle is followed for the source taken directly from the Tresys repository, except that it will not build a compatible policy to that discussed in this section).

Any F-12 policy source rpm will suffice and can be obtained from the http://koji.fedoraproject.org web site, however it is assumed that the source rpm is:

selinux-policy-3.6.32-103.fc12.src.rpm

The objective of this exercise is to show that the policy built from the above source rpm is an exact replica of the targeted policy distributed as header files in the F-12 targeted rpm:

selinux-policy-targeted-3.6.32-103.fc12.noarch.rpm

Note that there is a good overview of rebuilding the source policy at Dan Walsh's site:

http://danwalsh.livejournal.com/2009/02/16/

Installation and Configuration

Install the source by:

rpm -Uvh selinux-policy-3.6.32-103.fc12.src.rpm

The source will be installed in the users home directory under ./rpmbuild/SOURCES where the serefpolicy-3.6.32.tgz will need to be unpacked:

cd $HOME/rpmbuild/SOURCES
tar -xzf serefpolicy.tgz

The SOURCES directory contents will then look like this:

booleans-minimum.conf    booleans-mls.conf      booleans-olpc.conf
booleans-targeted.conf   config.tgz             customizable_types
Makefile.devel           modules-minimum.conf   modules-mls.conf
modules-olpc.conf        modules-targeted.conf  policy-20100106.patch
policy-F12.patch         policygentool          securetty_types-minimum
securetty_types-mls      securetty_types-olpc   securetty_types-targeted
serefpolicy-3.6.32       serefpolicy-3.6.32.tgz setrans-minimum.conf
setrans-mls.conf         setrans-olpc.conf      setrans-targeted.conf
users-minimum            users-mls              users-olpc
users-targeted

The files with minimum, targeted, mls and olpc within their names are the specific configuration files used within the Reference Policy for that particular Red Hat policy type.

The latest patches now need to be applied to the source tree as follows:

patch -p0 <policy-F12.patch

patch -p0 <policy-20100106.patch

The config.tgz is Red Hat's updated configuration files this will need to be unpacked and replace the original set of files:

# Unpack the archive:
tar -xzf config.tgz

# move to source directory:
cd serefpolicy-3.6.32

# save the old files:
mv config config.org

# and copy over the new Red Hat files
cp -r ../config config

As the "targeted" policy is being built, the files shown in Table 8 left hand column need to be copied to the location and named as shown in the right hand column.

Configuration File:
Installed as Reference Policy Configuration File:
booleans-targeted.conf ./serefpolicy-3.6.32/policy/booleans.conf
customizable_types ./serefpolicy-3.6.32/config/appconfig-mcs/ customizable_types
modules-targeted.conf ./serefpolicy-3.6.32/policy/modules.conf
securetty_types-targeted ./serefpolicy-3.6.32/config/appconfig-mcs/ securetty_types
setrans-targeted.conf ./serefpolicy-3.6.32/config/appconfig-mcs/ setrans.conf
users-targeted.conf ./serefpolicy-3.6.32/policy/users

Table 8: Red Hat specific policy configuration files - This example builds a "targeted" policy.


The serefpolicy-3.6.32 directory will now contain the source code with the latest patches for this release (3.6.32-103) of the Red Hat Reference Policy and the correct configuration files for a targeted policy.

The ./serefpolicy-3.6.32/build.conf must now be modified to allow the source to be installed in its final location and have the correct parameters set for the build. The entries that need to be updated in the build.conf file are highlighted below[8]:

#
# Policy build options
#

# Policy version
# By default, checkpolicy will create the highest version policy it supports. 
# Setting this will override the version. This only has an effect for
# monolithic policies.
#OUTPUT_POLICY = 18

# Policy Type
# standard, mls, mcs. Note Red Hat always build the MCS Policy Type as their “targeted” version.
TYPE = mcs

# Policy Name
# If set, this will be used as the policy name. Otherwise the policy type 
# will be used for the name. This entry is also used by the "make install-src" process to copy the source to the:
# /etc/selinux/targeted-103/src/policy directory.
NAME = targeted-103

# Distribution
# Some distributions have portions of policy for programs or configurations 
# specific to the distribution. Setting this will enable options for the
# distribution. redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
DISTRO = redhat

# Unknown Permissions Handling
# The behaviour for handling permissions defined in the kernel but missing from 
# the policy. The permissions can either be allowed, denied, or the policy 
# loading can be rejected.
# allow, deny, and reject are current options. Red Hat use allow for all
# policies except MLS that uses 'deny'.
UNK_PERMS = allow

# Direct admin init
# Setting this will allow sysadm to directly run init scripts, instead of 
# requiring run_init. This is a build option, as role transitions do not work in
# conditional policy.
DIRECT_INITRC = n

# Build monolithic policy. Putting n here will build a loadable module policy.
MONOLITHIC = n

# User-based access control (UBAC)
# Enable UBAC for role separations. Note Red Hat disable UBAC.
UBAC = n

# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1). Dominance will be in increasing
# numerical order with s0 being lowest.
MLS_SENS = 16

# Number of MLS Categories. Note Red Hat use 1024 categories for MLS and MCS.
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS = 1024

# Number of MCS Categories
# The categories will be c0 to c(MLS_CATS-1).
MCS_CATS = 1024

# Set this to y to only display status messages during build.
QUIET = n

The policy source is now in a position to be installed at its default location that will be derived from the NAME = targeted-103 entry and will therefore be located at:

/etc/selinux/targeted-103/src/policy

Building the targeted Policy Type

From the ./serefpolicy-3.6.32 directory run the following command:

make install-src

This will copy the source code to its final location making any directories required.

Once the copy process is complete the policy can be built and the modules loaded into the policy store[9] by running the following commands:

# Go to the source location:
cd /etc/selinux/targeted-103/src/policy
# To ensure a clean source build:
make clean
# Build the policy modules and load into the policy store:
make load
# Finally copy over two files that are not automatically 
# managed by the build process. These are held in the
# config/appconfig-mcs directory.
#
cp config/appconfig-mcs/setrans.conf /etc/selinux/targeted-103

# Need to over-write the old version of this file with this one:
cp config/appconfig-mcs/customizable_types /etc/selinux/targeted-103/contexts

The policy will now be built as a targeted policy that will be an exact copy of the policy distributed in the following rpm:

selinux-policy-targeted-3.6.32-103.fc12.noarch.rpm

Checking the Build

Now that the targeted policy has been built, the policy binary file can be compared to the one that is distributed and built by the following rpm:

selinux-policy-targeted-3.6.32-103.fc12.noarch

The binary files sizes of both policies should be 4,776,004 bytes.

ls -l /etc/selinux/targeted/policy
-rw-r--r-- root root 4776004 <date+time> policy.24

ls -l /etc/selinux/targeted-103/policy
-rw-r--r-- root root 4776004 <date+time> policy.24

Note that the binaries would not be an exact comparison due to time stamps etc., therefore the SETools sediffx utility should be run against the two binary policies[10] which should show that they are the same and give the results shown in The two "targeted" policies should be the same using sediffx screen shots.


Running with the new Policy

To run the system using the new targeted-103 build edit the /etc/selinux/config file entry to read SELINUXTYPE=targeted-103, and then run the following commands:

touch /.autorelabel
reboot

During reboot, the system will be relabeled and the policy loaded (hopefully with no errors).

Reference Policy Headers

This method of building policy and adding new modules is used for distributions that do not require access to the source code.

Note that the Reference Policy header and the Red Hat F-12 policy header installations are slightly different as described below.

Building and Installing the Header Files

To be able to fully build the policy headers from the reference policy source two steps are required:

  1. Ensure the source is installed and configured as described in the Installing and Building the Reference Policy Source section. This is because the make load (or make install) command will package all the modules as defined in the modules.conf file, producing a base.pp and the relevant .pp packages. The build process will then install these files in the /usr/share/selinux/<policy_name> directory.
  2. Execute the make install-headers command that will:
a) Produce a build.conf file that represents the contents of the master build.conf file and place it in the /usr/share/selinux/<policy_name>/include directory.
b) Produce the XML documentation set that reflects the source and place it in the /usr/share/selinux/<policy_name>/include directory.
c) Copy a development Makefile for building from policy headers to the /usr/share/selinux/<policy_name>/include directory.
d) Copy the support macros .spt files to the /usr/share/selinux/<policy_name>/include/support directory.
e) Copy the module interface files (.if) to the relevant module directories at:
/usr/share/selinux/<policy_name>/include/modules.

The directory structure for the targeted-103 build generated above (edited for readability) would be:

# The policy packages:
targeted-103/abrt.pp
....
targeted-103/base.pp

# Build / Configuration files:
targeted-103/include/build.conf
targeted-103/include/Makefile
targeted-103/include/rolemap # Note this file is not used by F-12

# XML Documentation:
targeted-103/include/global_tunables.xml
targeted-103/include/global_booleans.xml
targeted-103/include/apps.xml
targeted-103/include/roles.xml
targeted-103/include/system.xml
targeted-103/include/kernel.xml
targeted-103/include/services.xml
targeted-103/include/admin.xml

# Support Macros:
targeted-103/include/support/ipc_patterns.spt
...
...

# The module interface files in their relevant directories:
targeted-103/include/admin/acct.if
..
targeted-103/include/apps/ada.if
..
targeted-103/include/kernel/corecommands.if
..
targeted-103/include/roles/auditadm.if
..
targeted-103/include/services/abrt.if
...
targeted-103/include/system/application.if
...

Using the Header Files

Note that this section describes the standard Reference Policy headers, the F-12 installation is slightly different and described in the Using F-12 Supplied Headers section.

Once the headers are installed as defined above, new modules can be built in any local directory. An example set of module files are located in the reference policy source at /etc/selinux/targeted-103/src/policy/doc and are called example.te, example.if, and example.fc.

During the header build process a Makefile was included in the headers directory. This Makefile can be used to build the example modules by using makes -f option as follows (assuming that the example module files are in the local directory):

make -f <tt>/usr/share/selinux/<policy_name>/include/Makefile</tt>

However there is another Makefile that can be installed in the users home directory ($HOME) that will call the master Makefile. This is located at /etc/selinux/targeted-103/src/policy/doc in the reference policy source and is called Makefile.example. This is shown below (note that it extracts the <policy_name> from the SELinux config file):

AWK ?= gawk

NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
SHAREDIR ?= /usr/share/selinux
HEADERDIR := $(SHAREDIR)/$(NAME)/include

include $(HEADERDIR)/Makefile

Table 9 shows the make targets for modules built from headers.

Make Target Comments
MODULENAME.pp Compile and package the MODULENAME local module.
all Compile and package the modules in the current directory.
load Compile and package the modules in the current directory, then insert them into the module store.
refresh Attempts to reinsert all modules that are currently in the module store from the local and system module packages.
xml Build a policy.xml from the XML included with the base policy headers and any XML in the modules in the current directory.

Table 9: Header Policy Build Make Targets


Using F-12 Supplied Headers

The F-12 distribution installs the headers in a slightly different manner as Red Hat installs:

  • The packaged files under the /usr/share/selinux/<policy_name>, these files may be .pp files or .pp.bz2 depending on the version of rpm installed (later ones compressed the packages). They are installed by the selinux-policy-<policy_name>-3.6.32-103.fc12.noarch type rpms.
  • The development header files are installed in the /usr/share/selinux/devel directory by the selinux-policy-3.6.32-103.fc12.noarch rpm. Red Hat also include an additional application called policygentool that allows users to generate policy by answering various questions. This tool is described in the Fedora 12 SELinux User Guide. The example modules are also in this directory and the Makefile is also slightly different to that used by the Reference Policy source.
  • The documentation is supplied in the selinux-policy-doc-3.6.32-103.fc12.noarch type rpms and would be installed (for this version), in the /usr/share/doc/selinux-policy-3.6.32/html directory.

Reference Policy Support Macros

This section explains some of the support macros used to build reference policy source modules (see Table 10 for the list). These macros are located at:

  • ./policy/policy/support for the reference policy source.
  • /usr/share/selinux/<policy_name>/include/support for reference policy installed header files.
  • /usr/share/selinux/devel/support for Red Hat installed header files.

They consist of the following files:

loadable_module.spt - Loadable module support.
misc_macros.spt - Generate users, bools and security contexts.
mls_mcs_macros.spt - MLS / MCS support.
file_patterns.spt - Sets up allow rules via parameters for files and directories.
ipc_patterns.spt - Sets up allow rules via parameters for Unix domain sockets.
misc_patterns.spt - Domain and process transitions.
obj_perm_sets.spt - Object classes and permissions.


Macro Name Function Macro file name
policy_module For adding the module statement and mandatory require block entries. loadable_module.spt
gen_require For use in interfaces to optionally insert a require block
template Generate template interface block
interface Generate the access interface block
optional_policy Optional policy handling
gen_tunable Tunable declaration
tunable_policy Tunable policy handling
gen_user Generate an SELinux user misc_macros.spt



gen_context Generate a security context
gen_bool Generate a boolean
gen_cats Declares categories c0 to c(N-1) mls_mcs_macros.spt



gen_sens Declares sensitivities s0 to s(N-1) with dominance in increasing numeric order with s0 lowest, s(N-1) highest.
gen_levels Generate levels from s0 to (N-1) with categories c0 to (M-1)
mls_systemlow Basic level names for system low and high
mls_systemhigh
mcs_systemlow
mcs_systemhigh
mcs_allcats Allocates all categories

Table 10: Support Macros described in this section

Notes:

  1. The macro calls can be in any configuration file read by the build process and are contained in (for example) the users, mls, mcs and constraints files.
  2. There are four main m4 ifdef parameters used within modules:
    1. enable_mcs - this is used to test if the MCS policy is being built.
    2. enable_mls - this is used to test if the MLS policy is being built.
    3. enable_ubac - this enables the user based access control within the constraints file.
    4. hide_broken_symptoms - this is used to hide errors in modules with dontaudit rules.

These are also mentioned in Table 3 as they are set by the initial build process with examples shown in the ifdef / ifndef Parameters section.

  1. The macro examples in this section have been taken from the reference policy module files and shown in each relevant 'Example Macro' section. The macros are then expanded by the build process to form modules containing the policy language statements and rules in the tmp directory. These files have been extracted and modified for readability, then shown in each relevant 'Expanded Macro' section.
  2. An example policy that has had macros expanded is shown in the Module Expansion Process section.
  3. Be aware that spaces between macro names and their parameters are not allowed:

Allowed:

policy_module(ftp, 1.7.0)

Not allowed:

policy_module (ftp, 1.7.0)

Loadable Policy Macros

The loadable policy module support macros are located in the loadable_module.spt file.

policy_module Macro

This macro will add the module Statement to a loadable module, and automatically add a require Statement with pre-defined information for all loadable modules such as the system_r role, kernel classes and permissions, and optionally MCS / MLS information (sensitivity and category statements).

The macro definition is:

policy_module(module_name,version)

Where:

policy_module The policy_module macro keyword.
module_name The module identifier that must be unique in the module layers.
version_number The module version number in M.m.m format (where M = major version number and m = minor version numbers).

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
Yes
No
No

Example Macro:

# This example is from the modules/services/ftp.te module:
#
policy_module(ftp, 1.7.0)

Expanded Macro:

# This is the expanded macro from the tmp/ftp.tmp file:
#
module ftp 1.7.0;
    
require {
    role system_r;
    class security {compute_av compute_create .... };
    ....
    class capability2 (mac_override mac_admin };

# If MLS or MCS configured then the:
    sensitivity s0;
    ....
    category c0;
    ....
}
<pre>

==== gen_require Macro ====
For use within module files to insert a <tt>require</tt> block.

'''The macro definition is:'''
<pre>
gen_require(`require_statements`)

Where:

gen_require The gen_require macro keyword.
require_statements These statements consist of those allowed in the policy language require Statement.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
Yes
Yes
No

Example Macro:

# This example is from the modules/services/ftp.te module:
#
gen_require(`type ftp_script_exec_t;')

Expanded Macro:

# This is the expanded macro from the tmp/ftp.tmp file:
#
require {
    type ftp_script_exec_t; 
}

optional_policy Macro

For use within module files to insert an optional block that will be expanded by the build process only if the modules containing the access or template interface calls that follow are present. If one module is present and the other is not, then the optional statements are not included (need to check).

The macro definition is:

optional_policy(`optional_statements`)

Where:

optional_policy The optional_policy macro keyword.
optional_statements outline interface], [#8.6.1.7.template Macro|outline template] or support macro calls.

The macro is valid in:


Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
Yes
Yes
No

Example Macro:

# This example is from the modules/services/ftp.te module and 
# shows the optional_policy macro with two levels.
#
optional_policy(`
    corecmd_exec_shell(ftpd_t)
    files_read_usr_files(ftpd_t)
    cron_system_entry(ftpd_t, ftpd_exec_t)

    optional_policy(`
        logrotate_exec(ftpd_t)
    ')
')

Expanded Macro:

  1. This is the expanded macro from the tmp/ftp.tmp file showing
  2. the policy language statements with both optional levels
  3. expanded.
          1. Start optional_policy - Level 1 ###########

optional {

          1. begin corecmd_exec_shell(ftpd_t)
   require {
   type bin_t, shell_exec_t;
   } # end require
   allow ftpd_t bin_t:dir { getattr search };
   allow ftpd_t bin_t:dir { getattr search read lock ioctl };
   allow ftpd_t bin_t:dir { getattr search };
   allow ftpd_t bin_t:lnk_file { getattr read };
   allow ftpd_t shell_exec_t:file { { getattr read execute ioctl } ioctl lock execute_no_trans };
          1. end corecmd_exec_shell(ftpd_t)
          1. begin files_read_usr_files(ftpd_t)
   require {
       type usr_t;
   } # end require
   allow ftpd_t usr_t:dir { getattr search read lock ioctl };
   allow ftpd_t usr_t:dir { getattr search };
   allow ftpd_t usr_t:file { getattr read lock ioctl };
   allow ftpd_t usr_t:dir { getattr search };
   allow ftpd_t usr_t:lnk_file { getattr read };
          1. end files_read_usr_files(ftpd_t)
          1. begin cron_system_entry(ftpd_t,ftpd_exec_t)
   require {
       type crond_t, system_crond_t;
   } # end require
   allow system_crond_t ftpd_exec_t:file { getattr read execute };
   allow system_crond_t ftpd_t:process transition;
   dontaudit system_crond_t ftpd_t:process { noatsecure siginh rlimitinh };
   type_transition system_crond_t ftpd_exec_t:process ftpd_t;
  1. cjp: perhaps these four rules from the old
  2. domain_auto_trans are not needed?
   allow ftpd_t system_crond_t:fd use;
   allow ftpd_t system_crond_t:fifo_file { getattr read write append ioctl lock };
   allow ftpd_t system_crond_t:process sigchld;
   allow ftpd_t crond_t:fifo_file { getattr read write append ioctl lock };
   allow ftpd_t crond_t:fd use;
   allow ftpd_t crond_t:process sigchld;
   role system_r types ftpd_t;
          1. end cron_system_entry(ftpd_t,ftpd_exec_t)
          1. Start optional_policy - Level 2 ##########
   optional {
          1. begin logrotate_exec(ftpd_t)
   require {
       type logrotate_exec_t;
   } # end require
   allow ftpd_t logrotate_exec_t:file { { getattr read execute ioctl } ioctl lock execute_no_trans };
          1. end logrotate_exec(ftpd_t)
   } # end optional 2nd level

} # end optional 1st level </pre>

gen_tunable Macro

This macro defines booleans that are global in scope. The corresponding tunable_policy macro contains the supporting statements allowed or not depending on the value of the boolean. These entries are extracted as a part of the build process (by the make conf target) and added to the global_tunables file where they can then be used to alter the default values for the make load or make install targets.

Note that the comments shown in the example MUST be present as they are used to describe the function and are extracted for the documentation.

The macro definition is:

gen_tunable(boolean_name,boolean_value)
</pre
'''Where:'''

{| border="1"
| gen_tunable
| The gen_tunable macro keyword.

|-
| boolean_name
| The <tt>boolean</tt> identifier.

|-
| boolean_value
| The <tt>boolean</tt> value that can be either <tt>true</tt> or <tt>false</tt>.

|}

'''The macro is valid in:'''

{| border="1"
| <center>Private Policy File (.te)</center>
| <center>External Interface File (.if)</center>
| <center>File Labeling Policy File (.fc)</center>

|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>

|}

'''Example Macro:'''
<pre>
# This example is from the modules/services/ftp.te module:
#

## <desc>
## <p>
## Allow ftp servers to use nfs
## for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)

Expanded Macro:

# This is the expanded macro from the tmp/ftp.tmp file:
#
bool allow_ftpd_use_nfs false;

tunable_policy Macro

This macro contains the statements allowed or not depending on the value of the boolean defined by the gen_tunable macro.

The macro definition is:

tunable_policy(`gen_tunable_id`,`tunable_policy_rules`)

Where:

tunable_policy The tunable_policy macro keyword.
gen_tunable_id This is the boolean identifier defined by the gen_tunable macro. It is possible to have multiple entries separated by && or as shown in the example.
tunable_policy_rules These are the policy rules and statements as defined in the if Statement policy language section.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
Yes
Yes
No

Example Macro:

# This example is from the modules/services/ftp.te module
# showing the use of the boolean with the && operator.
#
tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
fs_manage_nfs_files(ftpd_t)
')
<pre>
'''Expanded Macro:'''
<pre>
# This is the expanded macro from the tmp/ftp.tmp file.
#
if (allow_ftpd_use_nfs && allow_ftpd_anon_write) {

##### begin fs_manage_nfs_files(ftpd_t)
require {
    type nfs_t;
    } # end require
allow ftpd_t nfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow ftpd_t nfs_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
##### end fs_manage_nfs_files(ftpd_t)
} # end if

interface Macro

Access interface macros are defined in the interface module file (.if) and form the interface through which other modules can call on the modules services (as shown in The Resulting Code diagram and described in the Module Expansion section.

Note that the comments shown in the example MUST be present as they are used to describe the function and are extracted for the documentation.

The macro definition is:

interface(`name`,`interface_rules`)

Where:

interface The interface macro keyword.
name The interface identifier that should be named to reflect the module identifier and its purpose.
interface_rules This can consist of the support macros, policy language statements or other interface calls as required to provide the service.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
No
Yes
No

Example Interface Definition:

# This example is from the modules/services/ftp.if module
# showing the "ftp_read_config" interface.
#

########################################
## <summary>
## Read ftpd etc files
## </summary>
## <param name="domain">
##<summary>
## Domain allowed access.
##</summary>
## </param>
#
interface(`ftp_read_config',`
gen_require(`
    type ftpd_etc_t;
    ')

files_search_etc($1)
allow $1 ftpd_etc_t:file { getattr read };
')

Expanded Macro: (taken from the base.conf file):

# Access Interfaces are only expanded at policy compile time 
# if they are called by a module that requires their services.
#
# In this example the ftp_read_config interface is called from
# the init.te module via the optional_policy macro as shown
# below with the expanded code shown afterwards.
#
######## From ./policy/policy/modules/system/init.te ########
#
# optional_policy(`
# ftp_read_config(initrc_t)
# ')
#
#
############# Expanded policy statements taken ##############
############# from the base.conf file that ##################
############# forms the base policy. ########################
#
optional { # Start optional_policy segment for ftp interface
#
# This is the resulting output contained the base.conf file
# where init calls the ftp_read_config ($1) interface from
# init.te with the parameter initrc_t:
#
    require {
        type ftpd_etc_t;
    } 

#
# Call the files_search_etc ($1) interface contained in the 
# ftp.if file with the parameter initrc_t:
#
    require {
        type etc_t;
    } 
    allow initrc_t etc_t:dir { getattr search };
#
# end files_search_etc(initrc_t)
#
# This is the '''allow $1 ftpd_etc_t:file { getattr read };
# statement with the '''initrc_t''' parameter resolved: 
#
    allow initrc_t ftpd_etc_t:file { getattr read };
#
# end ftp_read_config(initrc_t)

} # End optional_policy segment for this ftp interface

template Macro

A template interface is used to help create a domain and set up the appropriate rules and statements to run an application / process. The basic idea is to set up an application in a domain that is suitable for the defined SELinux user and role to access but not others. Should a different user / role need to access the same application, another domain would be allocated (these are known as "derived domains" as the domain name is derived from caller information).

The application template shown in the example below is for openoffice.org where the domain being set up to run the application is based on the SELinux user xguest (parameter $1) therefore a domain type is initialised called xguest_openoffice_t, this is then added to the user domain attribute xguest_usertype (parameter $2). Finally the role xguest_r (parameter $3) is allowed access to the domain type xguest_openoffice_t. If a different user / role required access to openoffice.org, then by passing different parameters (i.e. user_u), a different domain would be set up.

The main differences between an application interface and a template interface are:

  • An access interface is called by other modules to perform a service.
  • A template interface allows an application to be run in a domain based on user / role information to isolate different instances.

Note that the comments shown in the example MUST be present as they are used to describe the function and are extracted for the [[NB_RefPolicy#Reference_Policy_Documentation | documentation].

The macro definition is:

template(`name`,`template_rules`)

Where:

template The template macro keyword.
name The template identifier that should be named to reflect the module identifier and its purpose. By convention the last component is _template (e.g. ftp_per_role_template).
template_rules This can consist of the support macros, policy language statements or interface calls as required to provide the service.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
No
Yes
No

Example Macro:

# This example is from the modules/apps/openoffice.if module
# showing the "openoffice_per_role_template" template interface.
#
#######################################
## <summary>
##The per role template for the openoffice module.
## </summary>
## <desc>
##<p>
##This template creates a derived domains which are used
##for openoffice applications.
##</p>
## </desc>
## <param name="userdomain_prefix">
##<summary>
##The prefix of the user domain (e.g., user
##is the prefix for user_t).
##</summary>
## </param>
## <param name="user_domain">
##<summary>
##The type of the user domain.
##</summary>
## </param>
## <param name="user_role">
##<summary>
##The role associated with the user domain.
##</summary>
## </param>
#
template(`openoffice_per_role_template',`
    gen_require(`
        type openoffice_exec_t;
    ')

    type $1_openoffice_t;
    domain_type($1_openoffice_t)
    domain_entry_file($1_openoffice_t, openoffice_exec_t)
    role $3 types $1_openoffice_t;

    domain_interactive_fd($1_openoffice_t)

    userdom_unpriv_usertype($1, $1_openoffice_t)
    userdom_exec_user_home_content_files($1, $1_openoffice_t)

    allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };

    allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
    allow $1_openoffice_t $2:tcp_socket { read write };

    domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)

    dev_read_urand($1_openoffice_t)
    dev_read_rand($1_openoffice_t)

    fs_dontaudit_rw_tmpfs_files($1_openoffice_t)

    allow $2 $1_openoffice_t:process { signal sigkill };
    allow $1_openoffice_t $2:unix_stream_socket connectto;
')

Expanded Macro:

# Template Interfaces are only expanded at policy compile time 
# if they are called by a module that requires their services.
# This has been expanded as a part of the roles/xguest.te
# module and extracted from tmp/xguest.tmp.
#
################# START Expanded code segment ###########
#
optional {

##### begin openoffice_per_role_template(xguest,xguest_usertype,xguest_r)
    require {
        type openoffice_exec_t;
    } # end require
    type xguest_openoffice_t; # Paremeter $1

    ......
# This is a long set of rules, therefore has been cut down.'''
    ......
    ....
    typeattribute xguest_openoffice_t xguest_usertype; # Paremeter $2
    ..
    type_transition xguest_usertype openoffice_exec_t:process xguest_openoffice_t; 
    ..
    role xguest_r types xguest_openoffice_t; # Paremeter $3
    ....
    allow xguest_usertype xguest_openoffice_t:process { signal sigkill };
    allow xguest_openoffice_t xguest_usertype:unix_stream_socket connectto;
##### end openoffice_per_role_template(xguest,xguest_usertype,xguest_r)

} # end optional

Miscellaneous Macros

These macros are in the misc_macros.spt file.

gen_context Macro

This macro is used to generate a valid security context and can be used in any of the module files. Its most general use is in the .fc file where it is used to set the files security context.

The macro definition is:

gen_context(context[,mls | mcs]) 

Where:

gen_context The gen_context macro keyword.
context The security context to be generated. This can include macros that are relevant to a context as shown in the example below.
mcs MLS or MCS labels if enabled in the policy.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
Yes
Yes
Yes

Example Macro:

# This example shows gen_context being used to generate a
# security context for the security initial sid in the 
# selinux.te module:

sid security gen_context(system_u:object_r:security_t:mls_systemhigh)

Expanded Macro:

# This is the expanded entry built into the base.conf source
# file for an MLS policy:

sid security system_u:object_r:security_t:s15:c0.c255 

Example File Context .fc file:

# This is from the modules/apps/gnome.fc file. Note that the
# HOME_DIR and USER parameters will be entered during
# the file_contexts.homedirs file build.
#

HOME_DIR/.gnome2(/.*)?gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.config/gtk-.*gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)?gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.local.*gen_context(system_u:object_r:gconf_home_t,s0)

/tmp/gconfd-USER/.*--gen_context(system_u:object_r:gconf_tmp_t,s0)

HOME_DIR/.pulse(/.*)?gen_context(system_u:object_r:gnome_home_t,s0)

Expanded File Context .fc file:

# The resulting expanded tmp/gnome.mod.fc file. This will be
# concatenated with the main file_contexts file during the
# policy build process.
#

HOME_DIR/.gnome2(/.*)?system_u:object_r:gnome_home_t:s0
HOME_DIR/\.config/gtk-.*system_u:object_r:gnome_home_t:s0
HOME_DIR/\.gconf(d)?(/.*)?system_u:object_r:gconf_home_t:s0
HOME_DIR/\.local.*system_u:object_r:gconf_home_t:s0

/tmp/gconfd-USER/.*--system_u:object_r:gconf_tmp_t:s0
HOME_DIR/.pulse(/.*)?system_u:object_r:gnome_home_t:s0

gen_user Macro

This macro is used to generate a valid user statement and add an entry in the users_extra configuration file if it exists.

The macro definition is:

gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories]) 

Where:

gen_user The gen_user macro keyword.
username The SELinux user id.
prefix SELinux users without the prefix will not be in the users_extra file. This is added to user directories by the genhomedircon as discussed in the modules/active/file_contexts.template File section.
role_set The user roles.
mls_defaultlevel The default level if MLS / MCS policy.
mls_range The range if MLS / MCS policy.
mcs_categories The categories if MLS / MCS policy.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
Yes
No
No

Example Macro:

 # This example has been taken from the policy/policy/users file:
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) 

Expanded Macro:

# The expanded gen_user macro from the base.conf for an MLS
# build. Note that the prefix is not present. This is added to
# the users_extra file as shown below.
#
user root roles { unconfined_r sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - s15:c0.c1023; 
# users_extra file entry:
#
user root prefix user; 

gen_bool Macro

This macro defines a boolean and requires the following steps:

  1. Declare the boolean in the global_booleans file.
  2. Use the boolean in the module files with an if Statement as shown in the example.

Note that the comments shown in the example MUST be present as they are used to describe the function and are extracted for the [#8.2.4.Reference Policy Documentation|outline documentation].

The macro definition is:

gen_bool(name,default_value) 

Where:

gen_bool The gen_bool macro keyword.
name The boolean identifier.
default_value The value true or false.

The macro is only valid in in the global_booleans file but the boolean declared can be used in the following module types:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
Yes
Yes
No

Example Macro (in global_booleans):

# This example is from the global_booleans file where the bool
# is declared. The comments must be present as it is used to
# generate the documentation.
#

## <desc>## <p>## Disable transitions to insmod.## </p>## </desc>gen_bool(secure_mode_insmod,false)

# Example usage from the system/modutils.te module:
#
if( ! secure_mode_insmod ) {
    kernel_domtrans_to(insmod_t,insmod_exec_t)
}

Expanded Macro: <pre.

  1. This has been taken from the base.conf source file after
  2. expansion by the build process of the modutils.te module.

if( ! secure_mode_insmod ) {

          1. begin kernel_domtrans_to(insmod_t,insmod_exec_t)
   allow kernel_t insmod_exec_t:file { getattr read execute };
   allow kernel_t insmod_t:process transition;
   dontaudit kernel_t insmod_t:process { noatsecure siginh rlimitinh };
   type_transition kernel_t insmod_exec_t:process insmod_t;
   allow insmod_t kernel_t:fd use;
   allow insmod_t kernel_t:fifo_file { getattr read write append ioctl lock };
   allow insmod_t kernel_t:process sigchld;
          1. end kernel_domtrans_to(insmod_t,insmod_exec_t)

} </pre>

MLS and MCS Macros

These macros are in the mls_mcs_macros.spt file.

gen_cats Macro

This macro will generate a category Statement for each category defined. These are then used in the base.conf / policy.conf source file and also inserted into each module by the policy_module Macro. The policy/policy/mcs and mls configuration files are the only files that contain this macro in the current reference policy.

The macro definition is:

gen_cats(mcs_num_cats | mls_num_cats)

Where:

gen_cats The gen_cats macro keyword.
mcs_num_cats

mls_num_cats

These are the maximum number of categories that have been extracted from the build.conf file MCS_CATS or MLS_CATS entries and set as m4 parameters.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
na
na
na

Example Macro:

# This example is from the policy/policy/mls configuration file.
#

gen_cats(mls_num_cats)

Expanded Macro:

# This example has been extracted from the base.conf source
# file.

category c0;
category c1;
...
category c1023;

gen_sens Macro

This macro will generate a sensitivity Statement for each sensitivity defined. These are then used in the base.conf / policy.conf source file and also inserted into each module by the policy_module Macro. The policy/policy/mcs and mls configuration files are the only files that contain this macro in the current reference policy (note that the mcs file has gen_sens(1) as only one sensitivity is required).

The macro definition is:

gen_sens(mls_num_sens)

Where:

gen_sens The gen_sens macro keyword.
mls_num_sens These are the maximum number of sensitivities that have been extracted from the build.conf file MLS_SENS entries and set as an m4 parameter.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
na
na
na

Example Macro:

# This example is from the policy/policy/mls configuration file.
#

gen_cats(mls_num_sens)

Expanded Macro: <prr>

  1. This example has been extracted from the base.conf source
  2. file.

sensitivity s0; sensitivity s1; ... sensitivity s15; </pre>

gen_levels Macro

This macro will generate a level Statement for each level defined. These are then used in the base.conf / policy.conf source file. The policy/policy/mcs and mls configuration files are the only files that contain this macro in the current reference policy.

The macro definition is:

gen_levels(mls_num_sens,mls_num_cats)

Where:

gen_levels The gen_levels macro keyword.
mls_num_sens This is the parameter that defines the number of sensitivities to generate. The MCS policy is set to "1".
mls_num_cats

mcs_num_cats

This is the parameter that defines the number of categories to generate.

The macro is valid in:

Private Policy File (.te)
External Interface File (.if)
File Labeling Policy File (.fc)
na
na
na

Example Macro:

# This example is from the policy/policy/mls configuration file.
#
gen_levels(mls_num_sens,mls_num_cats)

Expanded Macro:

# This example has been extracted from the base.conf source
# file. Note that the all categories are allocated to each
# sensitivity.

level s0:c0.c1023; 
level s1:c0.c1023; 
...
level s15:c0.c1023; 

System High/Low Parameters

These macros define system high etc. as shown.

mls_systemlow
# gives:
s0

mls_systemhigh
# gives:
s15:c0.c1023 

mcs_systemlow
# gives:
s0

mcs_systemhigh
# gives:
s0:c0.c1023

mcs_allcats
# gives:
c0.c1023

ifdef / ifndef Parameters

This section contains examples of the common ifdef / ifndef parameters that can be used in module source files.

hide_broken_symptoms

This is used within modules as shown in the example. The parameter is set up by the Makefile at the start of the build process.

Example Macro:

# This example is from the modules/kernel/domain.te module.
#
ifdef(`hide_broken_symptoms',`
    cron_dontaudit_rw_tcp_sockets(domain)
    allow domain domain:key { link search };
 ')

enable_mls and enable_mcs

These are used within modules as shown in the example. The parameters are set up by the Makefile with information taken from the build.conf file at the start of the build process.

Example Macros:

# This example is from the modules/kernel/kernel.te module.
#
ifdef(`enable_mls',`
    role secadm_r;
    role auditadm_r;
')
# This example is from the modules/kernel/kernel.if module.
#
ifdef(`enable_mcs',`
    range_transition kernel_t $2:process $3;
')

ifdef(`enable_mls',`
    range_transition kernel_t $2:process $3;
    mls_rangetrans_target($1)
')

enable_ubac

This is used within the ./policy/constraints configuration file to set up various attributes to support user based access control (UBAC). These attributes are then used within the various modules that want to support UBAC. This support was added in version 2 of the Referefence Policy.

The orginal method (role based access control, or RBAC) is the default for F-12 (ubac = n). The parameter is set up by the Makefile with information taken from the build.conf file at the start of the build process (ubac = y | ubac = n).

Example Macro:

# This example is from the ./policy/constraints file.
# Note that the ubac_constrained_type attribute is defined in
# modules/kernel/ubac.te module.

define(`basic_ubac_conditions',`
    ifdef(`enable_ubac',`
        u1 == u2
        or u1 == system_u
        or u2 == system_u
        or t1 != ubac_constrained_type
        or t2 != ubac_constrained_type
    ')
')

direct_sysadm_daemon

This is used within modules as shown in the example. The parameter is set up by the Makefile with information taken from the build.conf file at the start of the build process (if DIRECT_INITRC = y).

Example Macros:

# This example is from the modules/system/selinuxutil.te module.
#
ifndef(`direct_sysadm_daemon',`
    ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
        init_script_file_entry_type(run_init_t)
    ')
')
# This example is from the modules/system/userdomain.te module.
#
ifdef(`direct_sysadm_daemon',`
    domain_system_change_exemption($1_t)
')


Module Expansion Process

The objective of this section is to show how the modules are expanded by the reference policy build process to form files that can then be compiled and then loaded into the policy store by using the make MODULENAME.pp target.

The files shown are those produced by the build process using the ada policy modules from the Reference Policy source tree (ada.te, ada.if and ada.fc) that are shown in the Reference Policy Module Files section.

The initial build process will build the source text files in the policy/tmp directory as ada.tmp and ada.mod.fc (that are basically build equivalent ada.conf and ada.fc formatted files). The basic steps are shown in The make ada sequence of events diagram, and the resulting expanded code shown in The Resulting Code diagram. The actual module expansion is left to the reader to investigate.



  1. The full source code and details are at the following site: http://oss.tresys.com/projects/refpolicy.
  2. This RPM can be obtained from the http://koji.fedoraproject.org web site.
  3. These can be installed by system administrators as required. The dynamic loading / unloading of policies as applications are loaded is not yet supported.
  4. Note that Red Hat pre-configure MCS support within all their policies.
  5. The comments are also important as they form part of the documentation when it is generated by the make html target.
  6. These are explained in the Reference Policy Macros section.
  7. The base.conf gets built for modular policies and a policy.conf file gets built for a monolithic policy.
  8. The README file in this directory contains helpful information on installation of the source, headers, documentation etc. The only point the README will not cover are the Red Hat specific configuration files that need to be copied over as shown in Table 8.
  9. Note that the term "load" is not loading the policy as the active policy, but just building the base policy + the modules and installing them ready to be activated if required
  10. Be aware that comparing these two policies on a low specification machine will take hours. It is best to select a few items for comparison first.
Personal tools