Friday, March 3, 2006

SELinux Loadable Policy Modules

A new SELinux feature which makes local SELinux policy adjustments much easier was not easy to notice
among all the complaints that SELinux is hard to use.

The `audit2allow` tool should be well-known by now:
given a snippet of the audit log, it outputs policy rules to allow all operations that are are currently prohibited.
The user is expected to add the rules to the (large) policy, recompile the policy and load it.
Finding the "right" place in the policy is not always obvious, though, and a future update of the `selinux-policy`
package might overwrite the modifications.

Now there is an alternative, very convenient especially when trying to extend the policy to handle a new daemon:
Run

> `audit2allow -M` modulename `-i` audit_log_file

This will create a binary loadable module modulename`.pp` that can be quickly loaded by

> `semodule -i` modulename`.pp`

or unloaded using

> `semodule -r` modulename

The `audit2allow` command also creates modulename`.te`, a plain-text representation of the module,
which can be edited and compiled to create a changed binary loadable module, or used as a basis for
patches to the default SELinux policy.

No comments:

Post a Comment