PolicyValidate

From SELinux Wiki

Revision as of 16:58, 20 November 2009 by JoshuaBrindle
Current revision (20:24, 25 November 2009) by JoshuaBrindle

Libsemanage is the library responsible for building a kernel policy from policy modules. It has many features but one that is rarely mentioned is the policy validation hook. This page will show you how to make a basic validator and tell libsemanage to run it before allowing any policy updates.

First we'll write the validator. In this case we'll use sesearch to search for a rule between user_t and shadow_t. The purpose of this validator is to never allow a policy update that allows user_t to access shadow_t.

To use the script below you need to have setools-console installed.

Make a file in /usr/local/bin/validate that contains the following (remember to chmod +x it or semodule will fail):

#!/bin/bash

# Usage: validate <policy file>

# Search the candidate kernel policy for a file rule with user_t as the source and
# shadow_t as the target. When sesearch prints "Found", matching rules exist and grep
# returns 0; otherwise grep returns 1. That is the reverse of the exit status
# libsemanage expects (0 = accept the policy), so the result is inverted below.
sesearch --allow -s user_t -t shadow_t -c file "$1" | grep -q "Found"

if [ $? -eq 1 ]; then
        exit 0
fi

exit 1

Then register the validation script in /etc/selinux/semanage.conf:

[verify kernel]
path = /usr/local/bin/validate
args = $@
[end]

Next try rebuilding your policy with no changes:

# semodule -B

It should succeed. Make a module that would violate this rule:

module badmod 1.0;

require {
      type user_t, shadow_t;
      class file { read };
}

allow user_t shadow_t : file read;


Do the standard compilation steps:

# checkmodule -o badmod.mod badmod.te -m -M
checkmodule:  loading policy configuration from badmod.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 10) to badmod.mod
# semodule_package -m badmod.mod -o badmod.pp

And then attempt to insert it:

# semodule -i badmod.pp
semodule:  Failed!

You can run sesearch yourself to ensure that there is no matching rule:

# sesearch --allow -s user_t -t shadow_t -c file 

There are also [verify module] and [verify linked] sections.
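The validator above returns 0 whenever grep sees no "Found" line, so it also accepts a policy when sesearch is not installed, is not on PATH, or cannot read the policy file. The script below is an added example written for this page; it is not the wiki's script and not code from the libsemanage or setools projects. It keeps the same sesearch invocation and assumes, as the page does, that semodule passes the policy path as the first argument through args = $@. The names check_output and validate_policy are this example's own; the decision logic lives in check_output so it can be exercised without a real policy file, and every error path rejects the policy.

```shell
#!/bin/bash
# Fail-closed validator (added example, not from the SELinux wiki page).
# Usage: validate-strict <policy file>
# Exit 0 only when sesearch ran successfully AND reported no matching rule.

# Decide from sesearch's exit status and captured output whether the policy
# is acceptable. Returns 0 (accept) or 1 (reject).
check_output() {
    status="$1"
    output="$2"
    # sesearch itself failed (tool missing, unreadable or corrupt policy): reject.
    if [ "$status" -ne 0 ]; then
        echo "validate: sesearch failed (exit $status), rejecting policy" >&2
        return 1
    fi
    # A "Found N semantic av rules:" line means a forbidden rule exists.
    if printf '%s\n' "$output" | grep -q '^Found'; then
        echo "validate: user_t may read shadow_t files, rejecting policy" >&2
        return 1
    fi
    return 0
}

# Run the search against the policy file semodule handed us and apply check_output.
validate_policy() {
    policy="$1"
    if [ ! -r "$policy" ]; then
        echo "validate: cannot read policy file '$policy'" >&2
        return 1
    fi
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "validate: sesearch not found (install setools-console)" >&2
        return 1
    fi
    output=$(sesearch --allow -s user_t -t shadow_t -c file "$policy" 2>&1)
    status=$?
    check_output "$status" "$output"
}

# semodule always supplies the policy path; with no arguments the script only
# defines the functions above, so they can be sourced and tested in isolation.
if [ $# -gt 0 ]; then
    validate_policy "$1"
    exit $?
fi
```

Installed at /usr/local/bin/validate and referenced from the [verify kernel] section exactly as shown earlier on the page, this version causes semodule to report Failed! not only when the forbidden rule is present but also when the check could not be carried out at all, which is the behaviour you want from a gate that guards shadow_t.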