Using and understanding the policy macros – SELinux

Across the various SELinux policy definitions, we have come across macros that are not tied to a specific SELinux policy module. These are support macros, available inside the policy/support/*.spt files.

The most common macros are those declared inside the obj_perm_sets.spt file (which group common permissions for the same class in a single definition) and the *_patterns.spt files (which group permissions across different classes in a single definition).

Making use of single-class permission groups

Single-class permission groups free developers from having to track future extensions to the set of permissions SELinux supports. For instance, if you want to allow a domain to execute a certain resource, it is most often not enough to allow the execute permission. You also need the open and read permissions (as otherwise, the domain cannot read the executable) and the map permission (to allow mapping the file into memory).

If you were to put all these permissions in your own SELinux policy module, then the rule could look like so:

allow dhcpd_t dhcpd_exec_t:file { getattr open map read execute ioctl execute_no_trans };

If, later on, the SELinux policy is extended with an additional permission associated with executing resources, then you will need to find and update these permission lists across all the different SELinux policy modules.

So the reference policy moves all these permissions into a macro called exec_file_perms, defined as follows:

define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')

With this macro defined, our policy line can be simplified as follows:

allow dhcpd_t dhcpd_exec_t:file { exec_file_perms };

If at any point the permissions need to be extended, all that has to happen is to extend the macro definition itself, and the SELinux policy modules can be left untouched.

Calling permission groups

While single-class permission groups are useful for simplifying policy development, permission groups that cover multiple classes are even more common.

For instance, if a domain needs full management privileges (read and write, as well as creating and removing resources) on the resources inside /var/lib/dhcpd, then these privileges are not only needed on the files inside that directory (which are labeled with the dhcpd_state_t SELinux type): you also need read/write permissions on the directory itself.

Such a privilege definition would result in something like so:

allow $1 dhcpd_state_t:dir { rw_dir_perms };
allow $1 dhcpd_state_t:file { manage_file_perms };

Rather than declaring these as separate calls, they can be put into a single one that groups the two:

manage_files_pattern($1, dhcpd_state_t, dhcpd_state_t)
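The following is an added illustration (not taken from the reference policy sources) of how the two kinds of macros fit together in a module: the single-class sets, a pattern built on top of them, and a hypothetical dhcpd_manage_state_files interface that a hypothetical backup_t domain calls. It assumes the reference policy build environment (which provides interface and gen_require), and the permission lists are abridged for readability rather than copied from obj_perm_sets.spt.

```m4
# Single-class permission sets, in the style of obj_perm_sets.spt.
# Member lists are abridged for illustration; the authoritative definitions
# live in policy/support/obj_perm_sets.spt of your reference policy.
define(`exec_file_perms', `{ getattr open map read execute ioctl execute_no_trans }')
define(`rw_dir_perms', `{ open getattr ioctl lock read search write add_name remove_name }')
define(`manage_file_perms', `{ create open getattr setattr read write append rename link unlink ioctl lock }')

# Multi-class pattern, in the style of file_patterns.spt.
# $1 = source domain, $2 = directory type, $3 = file type.
define(`manage_files_pattern', `
	allow $1 $2:dir rw_dir_perms;
	allow $1 $3:file manage_file_perms;
')

# Interface in a hypothetical dhcpd.if: other modules call this instead of
# spelling out the allow rules on dhcpd_state_t themselves.
interface(`dhcpd_manage_state_files', `
	gen_require(`
		type dhcpd_state_t;
	')

	manage_files_pattern($1, dhcpd_state_t, dhcpd_state_t)
')

# Caller in another module's .te file (backup_t is a hypothetical domain
# that archives lease files).
dhcpd_manage_state_files(backup_t)

# After m4 expansion the caller's single line yields these two rules:
#   allow backup_t dhcpd_state_t:dir { open getattr ioctl lock read search write add_name remove_name };
#   allow backup_t dhcpd_state_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
# If a future kernel adds a permission needed for managing files, only
# manage_file_perms changes; neither dhcpd.if nor the calling module does.
```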

SELinux policy developers are well advised to get acquainted with the various macros available, as they allow for rapid and efficient SELinux policy development.
