PolicyValidate - Revision history

JoshuaBrindle at 20:24, 25 November 2009

2009-11-25T20:24:19Z

JoshuaBrindle at 18:13, 20 November 2009

2009-11-20T18:13:14Z

←Older revision		Revision as of 18:13, 20 November 2009
Line 37:		Line 37:

	module badmod 1.0;		module badmod 1.0;
-		+
	require {		require {
	type user_t, shadow_t;		type user_t, shadow_t;
	class file { read };		class file { read };
	}		}
-		+
	allow user_t shadow_t : file read;		allow user_t shadow_t : file read;

JoshuaBrindle at 17:00, 20 November 2009

2009-11-20T17:00:25Z

←Older revision		Revision as of 17:00, 20 November 2009
Line 2:		Line 2:

	First we'll write the validator. In this case we'll use sesearch to search for a rule between user_t and shadow_t. The purpose of this validator is to never allow a policy update that allows user_t to access shadow_t.		First we'll write the validator. In this case we'll use sesearch to search for a rule between user_t and shadow_t. The purpose of this validator is to never allow a policy update that allows user_t to access shadow_t.
		+
		+	To use the script below you need to have setools-console installed.

	Make a file in /usr/local/bin/validate that contains the following (remember to chmod +x it or semodule will fail):		Make a file in /usr/local/bin/validate that contains the following (remember to chmod +x it or semodule will fail):

JoshuaBrindle: New page: Libsemanage is the library responsible for building a kernel policy from policy modules. It has many features but one that is rarely mentioned is the policy validation hook. This page will...

2009-11-20T16:58:22Z

New page: Libsemanage is the library responsible for building a kernel policy from policy modules. It has many features but one that is rarely mentioned is the policy validation hook. This page will...

New page

Libsemanage is the library responsible for building a kernel policy from policy modules. It has many features but one that is rarely mentioned is the policy validation hook. This page will show you how to make a basic validator and tell libsemanage to run it before allowing any policy updates.

First we'll write the validator. In this case we'll use sesearch to search for a rule between user_t and shadow_t. The purpose of this validator is to never allow a policy update that allows user_t to access shadow_t.

Make a file in /usr/local/bin/validate that contains the following (remember to chmod +x it or semodule will fail):

#!/bin/bash

# Usage: validate <policy file>

# The following searches for a file rule with user_t as the source and shadow_t as the target.
# If the output of sesearch has "Found", meaning matching rules were found, then grep will return 0
# otherwise it will return 1. This is actually the reverse of the logic we want, so we'll reverse it.
sesearch --allow -s user_t -t shadow_t -c file $1 | grep "Found" > /dev/null

if [ $? == 1 ]; then
exit 0
fi

exit 1

Then add the validation script to /etc/selinux/semanage.conf

[verify kernel]
path = /usr/local/bin/validate
args = $@
[end]

Next try rebuilding your policy with no changes:

semodule -B

It should succeed. Make a module that would violate this rule:

module badmod 1.0;

require {
type user_t, shadow_t;
class file { read };
}

allow user_t shadow_t : file read;

Do the standard compilation steps:

[root@F12 ~]# checkmodule -o badmod.mod badmod.te -m -M
checkmodule: loading policy configuration from badmod.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 10) to badmod.mod
[root@F12 ~]# semodule_package -m badmod.mod -o badmod.pp

And then attempt to insert it:

[root@F12 ~]# semodule -i badmod.pp
semodule: Failed!

You can run sesearch yourself to ensure that there is no matching rule:

[root@F12 ~]# sesearch --allow -s user_t -t shadow_t -c file

There is also a [verify module] and [verify linked].

←Older revision		Revision as of 20:24, 25 November 2009
Line 32:		Line 32:
	Next try rebuilding your policy with no changes:		Next try rebuilding your policy with no changes:

-	semodule -B	+	# semodule -B

	It should succeed. Make a module that would violate this rule:		It should succeed. Make a module that would violate this rule:
Line 48:		Line 48:
	Do the standard compilation steps:		Do the standard compilation steps:

-	~~[root@F12 ~]~~# checkmodule -o badmod.mod badmod.te -m -M	+	# checkmodule -o badmod.mod badmod.te -m -M
	checkmodule: loading policy configuration from badmod.te		checkmodule: loading policy configuration from badmod.te
	checkmodule: policy configuration loaded		checkmodule: policy configuration loaded
	checkmodule: writing binary representation (version 10) to badmod.mod		checkmodule: writing binary representation (version 10) to badmod.mod
-	~~[root@F12 ~]~~# semodule_package -m badmod.mod -o badmod.pp	+	# semodule_package -m badmod.mod -o badmod.pp

	And then attempt to insert it:		And then attempt to insert it:

-	~~[root@F12 ~]~~# semodule -i badmod.pp	+	# semodule -i badmod.pp
	semodule: Failed!		semodule: Failed!

	You can run sesearch yourself to ensure that there is no matching rule:		You can run sesearch yourself to ensure that there is no matching rule:

-	~~[root@F12 ~]~~# sesearch --allow -s user_t -t shadow_t -c file	+	# sesearch --allow -s user_t -t shadow_t -c file


	There is also a [verify module] and [verify linked].		There is also a [verify module] and [verify linked].