Selinux
audit2allow
If we switch SELinux into Permissive mode and run our mail server for a set period of time, we can log SELinux issues whilst still permitting access (as mentioned in Gathering Audit Logs in Permissive Mode). Checking our logs, we see the following SELinux AVC messages:
type=AVC msg=audit(1218128130.653:334): avc: denied { connectto } for pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket"
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc: denied { write } for pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
Then we can use 'audit2allow' to generate a set of policy rules that would allow the required actions. We can generate a local postgrey Type Enforcement policy file (postgreylocal.te):
# grep smtpd_t /var/log/audit/audit.log | audit2allow -m postgreylocal > postgreylocal.te
# cat postgreylocal.te
module postgreylocal 1.0;
require {
type postfix_smtpd_t;
type postfix_spool_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
Above we see that we can grep the audit.log file for issues relating to our smtp server and pipe those issues to audit2allow, which generates a set of rules that it thinks would permit the actions currently denied by the SELinux policy. Reviewing these rules, we see that our smtp server wants to connect and write to a Unix socket, which we can see from our logs is the Unix socket that the postgrey service is listening on. As this seems perfectly reasonable, we can go ahead and use audit2allow to make a custom policy module to allow these actions:
# grep smtpd_t /var/log/audit/audit.log | audit2allow -M postgreylocal
We then load our postgrey policy module using the 'semodule' command into the current SELinux policy:
# semodule -i postgreylocal.pp
which will add our postgrey policy module to /etc/selinux/targeted/modules/active/modules/postgreylocal.pp. We can check the policy module loaded correctly by listing loaded modules with 'semodule -l'.
We can then continue to monitor our SELinux log files to check that our custom policy module works and once we are satisfied we can re-enable SELinux Enforcing mode and again benefit from SELinux protection of our now fully functional smtp server.
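To make the audit2allow -m step above less of a black box, here is an added example (not part of the original notes, and not the audit2allow source) that parses the two AVC records shown earlier, merges the denied permissions per (source type, target type, class) and prints the equivalent .te module; the log text is constructed inline from those records.

```python
import re
from collections import defaultdict

# Two AVC records constructed from the denials shown above; in the real
# /var/log/audit/audit.log each record is a single line.
AUDIT_LOG = """\
type=AVC msg=audit(1218128130.653:334): avc: denied { connectto } for pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc: denied { write } for pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:mls]; the type is the third field.
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def fmt_perms(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def generate_te(log_text, module_name, version="1.0"):
    """Build a .te module: one allow rule per (src, tgt, class), perms merged."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        rules[(stype, ttype, tclass)] |= perms
    types = sorted({t for (s, tg, _) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(generate_te(AUDIT_LOG, "postgreylocal"))
```

Review the generated rules just as you would audit2allow's: a denial is only worth allowing once you have confirmed the access is one the service legitimately needs.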
Modules
- Compile modules
# checkmodule -M -m -o myapp.mod myapp.te
# semodule_package -o myapp.pp -m myapp.mod
- Load module
# semodule -i myapp.pp
semanage-port
- List all port definitions
# semanage port -l
- Allow Apache to listen on tcp port 81
# semanage port -a -t http_port_t -p tcp 81
- Allow sshd to listen on tcp port 8991
# semanage port -a -t ssh_port_t -p tcp 8991
- Allow rsyslog to listen on tcp port 5000 (-m modifies the existing definition: tcp/5000 is already assigned to another port type in the base policy, so -a would report it as already defined)
# semanage port -m -t syslogd_port_t -p tcp 5000
- Instruct SELinux to label the /var/spool/rsyslog directory and everything under it for rsyslog (the fcontext pattern is a regular expression matched against the whole path, so the original "/var/spool/rsyslog/*" would only have matched the directory itself; "(/.*)?" covers the directory and its contents)
# semanage fcontext -a -t syslogd_var_lib_t "/var/spool/rsyslog(/.*)?"
# restorecon -R -v /var/spool/rsyslog
- Instruct SELinux to label the files in /etc/rsyslog.d/ as rsyslog configuration while the directory itself keeps the etc_t label (the pattern "/etc/rsyslog.d/.*" is needed for the files; the original "/etc/rsyslog.d/" matched only that exact path)
# semanage fcontext -a -t syslog_conf_t "/etc/rsyslog.d/.*"
# restorecon -R -v /etc/rsyslog.d/
# semanage fcontext -a -t etc_t "/etc/rsyslog.d"
# restorecon -v /etc/rsyslog.d