Getting help with supporting tools – SELinux

July 07, 2021

There are tools out there that help in developing SELinux policies, and if needed we can build our own support tools as well. Let’s see what support environments we can use.

Verifying code with selint

While SELinux policies can be functionally working, validating whether the code itself is proper and follows best practices is important to ensure that the code is maintainable in the long run.

One of the tools that support validating SELinux policy code is selint, as offered from https://github.com/TresysTechnology/selint. Once built and installed, selint offers insights into four main areas:

  • Convention checks validate whether the SELinux policy follows the reference policy convention on how code should be structured and documented.
  • Style checks give hints for code style that might be wrong, and where the developer might have intended a different behavior.
  • Warnings are triggered when the code has bad calls that might trigger runtime issues or security issues.
  • Errors catch construction faults that will result in compile issues or runtime issues.

This allows the use of selint in automated build processes, as well as facilitating the development of policies.

Calling selint is simple:

$ selint minecraft.te
minecraft.te: 31: (C): Permissions in av rule not ordered (signull before execmem) (C-005)
minecraft.te: 118: (C): Require block used in te file (use an interface call instead) (S-001)

In this case, two convention malpractices were detected. One concerns the ordering of permissions in an allow rule; the other is an explicit require block for a domain that is not part of this policy module, where an interface call should be used instead.

Querying the interfaces and macros locally

To help in finding the right interface or macro, we also want to be able to quickly show interface and macro information. With some shell scripting, we can create a few functions that help us along.

The functions are provided as code together with this book. You might want to change the path that the POLICY_LOCATION variable points to at the beginning of the script. By default, it points to the system-installed interface and macros, but you can point it to repository checkouts as well:

POLICY_LOCATION="/usr/share/selinux/devel"

Source the file to have access to the helper functions:

$ source ./localfuncs

The helper functions you can use are the following:

  • With sefindif you can search for an SELinux interface that has a specific SELinux rule inside. You can use regular expressions to find the appropriate one.

    For instance, to find the interface that grants a domain the privileges to manage certificate files (for readability, only the interface code is shown; in reality each line is prefixed with the file in which it was found):

$ sefindif "manage.* cert_t"
interface(`miscfiles_manage_all_certs',`
 manage_files_pattern($1, cert_type, cert_type)
 manage_lnk_files_pattern($1, cert_type, cert_type)
interface(`miscfiles_manage_generic_cert_dirs',`
 manage_dirs_pattern($1, cert_t, cert_t)
interface(`miscfiles_manage_generic_cert_files',`
 manage_files_pattern($1, cert_t, cert_t)
 manage_lnk_files_pattern($1, cert_t, cert_t)

  • With seshowif, the interface is displayed in its entirety (excluding its documentation comment).

    For instance, to show the miscfiles_manage_all_certs() interface, use the following code:

$ seshowif miscfiles_manage_all_certs
interface(`miscfiles_manage_all_certs',`
 gen_require(`
 attribute cert_type;
 ')
 allow $1 cert_type:dir list_dir_perms;
 manage_files_pattern($1, cert_type, cert_type)
 manage_lnk_files_pattern($1, cert_type, cert_type)
')

  • With sefinddef and seshowdef, the same is possible but for the supporting macros.

    For instance, to see the content of the admin_pattern() helper macro, use the following code:

$ seshowdef admin_pattern
define(`admin_pattern',`
 manage_dirs_pattern($1,$2,$2)
 manage_files_pattern($1,$2,$2)
 manage_lnk_files_pattern($1,$2,$2)
 manage_fifo_files_pattern($1,$2,$2)
 manage_sock_files_pattern($1,$2,$2)
 relabel_dirs_pattern($1,$2,$2)
 relabel_files_pattern($1,$2,$2)
 relabel_lnk_files_pattern($1,$2,$2)
 relabel_fifo_files_pattern($1,$2,$2)
 relabel_sock_files_pattern($1,$2,$2)
')

While such functions do not offer the same versatility as a full-fledged policy editor suite would, they can help in quickly finding the right interface or macro.
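As an added example (not the book's localfuncs script), here is a minimal POSIX sh/awk implementation of the four helpers. The _seblock helper name is mine, and the small policy tree it builds under mktemp is constructed for the demo; with the default POLICY_LOCATION the functions search the system headers under /usr/share/selinux/devel instead.

```shell
#!/bin/sh
# Added example (not the book's localfuncs): search and display SELinux
# interfaces (.if) and support macros (.spt) found below POLICY_LOCATION.
POLICY_LOCATION="${POLICY_LOCATION:-/usr/share/selinux/devel}"

# _seblock GLOB MODE ARG: MODE=find prints each interface/template/define
# header whose block has a line matching the regex ARG, plus those lines;
# MODE=show prints the complete block named ARG (header through closing ').
_seblock() {
  find "$POLICY_LOCATION" -name "$1" -exec awk -v mode="$2" -v arg="$3" -v q="'" '
    BEGIN { startre = "^(interface|template|define)\\(`"; endre = "^" q "\\)" }
    $0 ~ startre { hdr = $0; shown = 0; inblk = (mode == "show" && $0 ~ (startre arg q ",")) }
    mode == "find" && hdr != "" && $0 ~ arg {
      if (!shown) { print FILENAME ": " hdr; shown = 1 }
      print "  " $0
    }
    mode == "show" && inblk { print }
    $0 ~ endre { hdr = ""; inblk = 0 }
  ' {} +
}
sefindif()  { _seblock '*.if'  find "$1"; }
seshowif()  { _seblock '*.if'  show "$1"; }
sefinddef() { _seblock '*.spt' find "$1"; }
seshowdef() { _seblock '*.spt' show "$1"; }

# Constructed sample tree so the helpers run offline; the system tree keeps
# its interfaces in include/*/*.if and its macros in include/support/*.spt.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/include/system" "$SAMPLE_DIR/include/support"
cat > "$SAMPLE_DIR/include/system/miscfiles.if" <<'EOF'
interface(`miscfiles_manage_all_certs',`
    gen_require(`
        attribute cert_type;
    ')
    allow $1 cert_type:dir list_dir_perms;
    manage_files_pattern($1, cert_type, cert_type)
    manage_lnk_files_pattern($1, cert_type, cert_type)
')
interface(`miscfiles_read_generic_certs',`
    read_files_pattern($1, cert_t, cert_t)
')
EOF
cat > "$SAMPLE_DIR/include/support/file_patterns.spt" <<'EOF'
define(`admin_pattern',`
    manage_dirs_pattern($1,$2,$2)
    manage_files_pattern($1,$2,$2)
')
EOF
POLICY_LOCATION="$SAMPLE_DIR"
sefindif 'manage.* cert_type'
```

Running seshowif on an unfamiliar interface before calling it from a module is a cheap check of what the caller is actually granted, since the gen_require and allow lines show the exact types, attributes and permissions involved.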
