PolicyValidate

From SELinux Wiki
Latest revision as of 20:24, 25 November 2009

Libsemanage is the library responsible for building a kernel policy from policy modules. It has many features but one that is rarely mentioned is the policy validation hook. This page will show you how to make a basic validator and tell libsemanage to run it before allowing any policy updates.

First we'll write the validator. In this case we'll use sesearch to search for a rule between user_t and shadow_t. The purpose of this validator is to never allow a policy update that allows user_t to access shadow_t.

To use the script below you need to have setools-console installed.

Make a file in /usr/local/bin/validate that contains the following (remember to chmod +x it or semodule will fail):

#!/bin/bash

# Usage: validate <policy file>
# libsemanage runs this with the freshly built kernel policy as $1 (see the
# args = $@ setting in semanage.conf) and rejects the update when we exit non-zero.

# The following searches for a file rule with user_t as the source and shadow_t as the target.
# If the output of sesearch has "Found", meaning matching rules were found, then grep will return 0,
# otherwise it will return 1. This is actually the reverse of the logic we want, so we'll reverse it.
sesearch --allow -s user_t -t shadow_t -c file "$1" | grep -q "Found"

if [ $? -eq 1 ]; then
        exit 0
fi

exit 1
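The script above accepts the policy whenever grep finds nothing, which also happens when sesearch itself fails (missing setools, unreadable policy file). Below is an added example of the same validator written to fail closed and to check a list of forbidden (source, target, class) triples; it is not the wiki's script. It assumes setools-console's sesearch and, like the original, that sesearch prints a "Found ..." line when rules match; the SESEARCH override and the FORBIDDEN list are constructed for this example.

```bash
#!/bin/bash
# Added example, not the wiki's own validator. Install as /usr/local/bin/validate.
# Assumes sesearch from setools-console, printing "Found ..." when rules match.

# Command used to query the policy; overridable so the logic can be exercised
# without a real policy file (an assumption made for this example only).
: "${SESEARCH:=sesearch}"

# Constructed deny-list of "source target class" triples that must never be allowed.
FORBIDDEN="user_t shadow_t file
user_t shadow_t dir"

# check_rule SRC TGT CLASS POLICY
# 0: no allow rule, 1: a matching allow rule exists, 2: sesearch itself failed.
check_rule() {
    local out
    if ! out=$("$SESEARCH" --allow -s "$1" -t "$2" -c "$3" "$4" 2>/dev/null); then
        return 2
    fi
    printf '%s\n' "$out" | grep -q Found && return 1
    return 0
}

# validate_policy POLICY: 0 if every triple is absent, 1 otherwise.
# A failing sesearch also rejects the policy (fail closed); the original
# "grep returned 1" test would silently have accepted it.
validate_policy() {
    local policy="$1" src tgt cls status rc=0
    while read -r src tgt cls; do
        [ -n "$src" ] || continue
        check_rule "$src" "$tgt" "$cls" "$policy" && status=0 || status=$?
        case $status in
            0) ;;
            1) echo "validate: allow $src $tgt:$cls present, rejecting" >&2; rc=1 ;;
            *) echo "validate: sesearch failed on $policy, rejecting" >&2; rc=1 ;;
        esac
    done <<EOF
$FORBIDDEN
EOF
    return "$rc"
}

# Act as a command only when invoked under the name semanage.conf points at.
case "$0" in
    */validate|validate) validate_policy "$1"; exit $? ;;
esac
```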

Then add the validation script to /etc/selinux/semanage.conf

[verify kernel]
path = /usr/local/bin/validate
args = $@
[end]


Next try rebuilding your policy with no changes:

# semodule -B

It should succeed. Make a module that would violate this rule:

module badmod 1.0;

require {
      type user_t, shadow_t;
      class file { read };
}

allow user_t shadow_t : file read;


Do the standard compilation steps:

# checkmodule -o badmod.mod badmod.te -m -M
checkmodule:  loading policy configuration from badmod.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 10) to badmod.mod
# semodule_package -m badmod.mod -o badmod.pp

And then attempt to insert it:

# semodule -i badmod.pp
semodule:  Failed!

You can run sesearch yourself to ensure that there is no matching rule:

# sesearch --allow -s user_t -t shadow_t -c file 

There are also [verify module] and [verify linked] sections.