How to apply new policy exactly?

Benjamin Tsai benjamin.tsai at intervideo.com
Wed Sep 20 03:06:03 UTC 2006


Thank you for the reply, I am now a bit closer to the right track. :)

To work around the build path, I started with "audit2allow."
With my box installed with selinux-policy-strict-2.3.7-2.fc5 and the
SELinux mode turned to "permissive," I ran audit2allow as follows:

#audit2allow -m dmesg -d > dmesg.te
#checkmodule -M -m -o dmesg.mod dmesg.te
#semodule_package -o dmesg.pp -m dmesg.mod
#semodule -I dmesg.pp

Then I had the following errors:

/etc/selinux/strict/contexts/files/file_contexts: Multiple different
specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and
system_u:object_r:apt_exec_t:s0).
/etc/selinux/strict/contexts/files/file_contexts: Multiple different
specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0
and system_u:object_r:apt_exec_t:s0).

I googled your reply on the same errors in 2004, and it says:
"You shouldn't enable both rpm.te and dpkg.te in the same policy; they
conflict."

Without policy source, how can I disable either rpm.te or dpkg.te?
Besides, I tried to mark rules related to rpm in my .te file, but it
didn't fix the problem.
Here is a copy of my dmesg.te file:

####################################################################
module dmesg 1.0;

require {
	class blk_file { ioctl read }; 
	class dbus send_msg;
	class dir { add_name create relabelfrom relabelto remove_name
rename reparent rmdir search setattr write }; 
	class fd use;
	class fifo_file { getattr ioctl write }; 
	class file { append create execute getattr ioctl lock read
relabelfrom relabelto rename setattr unlink write }; 
	class lnk_file { create read relabelfrom relabelto rename
setattr }; 
	class process { execmem setexec }; 
	class security load_policy;
	class shm { associate getattr read unix_read unix_write write };

	class sock_file { unlink write }; 
	class unix_stream_socket connectto;
	type apmd_log_t; 
	type auditctl_exec_t; 
	type auditd_exec_t; 
	type auditd_log_t; 
	type etc_t; 
	type faillog_t; 
	type file_context_t; 
	type file_t; 
	type fonts_t; 
	type hald_t; 
	type ice_tmp_t; 
	type initrc_exec_t; 
	type krb5_conf_t; 
	type lastlog_t; 
	type lib_t; 
	type man_t; 
	type nscd_var_run_t; 
	type pam_t; 
	type policy_config_t; 
	type removable_device_t; 
	type rpm_log_t; 
	type rpm_var_lib_t; 
	type sbin_t; 
#	type security_t; 
	type selinux_config_t; 
	type semanage_read_lock_t; 
	type semanage_store_t; 
	type semanage_trans_lock_t; 
	type staff_t; 
	type staff_tmpfs_t; 
	type system_dbusd_t; 
	type system_dbusd_var_run_t; 
	type tmp_t; 
	type user_home_dir_t; 
	type user_home_t; 
	type usr_t; 
	type var_log_t; 
	type var_run_t; 
	type var_t; 
	type xdm_t; 
	type xdm_xserver_t; 
	role staff_r; 
	role system_r; 
};

allow hald_t staff_t:dbus send_msg;
allow pam_t lib_t:file { execute getattr read };
allow pam_t nscd_var_run_t:dir search;
allow pam_t xdm_t:fd use;
allow pam_t xdm_t:fifo_file { getattr ioctl write };
allow staff_t apmd_log_t:file read;
allow staff_t auditctl_exec_t:file { relabelto setattr };
allow staff_t auditd_exec_t:file { relabelto setattr };
allow staff_t auditd_log_t:dir { relabelto setattr };
allow staff_t etc_t:dir { add_name remove_name write };
allow staff_t etc_t:file { create relabelfrom relabelto rename setattr
write };
allow staff_t etc_t:lnk_file create;
allow staff_t faillog_t:file read;
allow staff_t file_context_t:dir { add_name remove_name write };
allow staff_t file_context_t:file { create rename setattr unlink write
};
allow staff_t file_t:file read;
allow staff_t fonts_t:file read;
allow staff_t hald_t:dbus send_msg;
allow staff_t ice_tmp_t:sock_file write;
allow staff_t initrc_exec_t:file { relabelto setattr };
allow staff_t krb5_conf_t:file { read write };
allow staff_t lastlog_t:file read;
allow staff_t lib_t:dir { add_name remove_name write };
allow staff_t lib_t:file { create relabelfrom relabelto rename setattr
unlink write };
allow staff_t lib_t:lnk_file { create relabelfrom relabelto rename
setattr };
allow staff_t man_t:dir { add_name remove_name write };
allow staff_t man_t:file { create relabelfrom relabelto rename setattr
write };
allow staff_t policy_config_t:dir { add_name remove_name write };
allow staff_t policy_config_t:file { create read rename unlink write };
allow staff_t removable_device_t:blk_file { ioctl read };
allow staff_t rpm_log_t:file append;
allow staff_t rpm_var_lib_t:dir { add_name write };
allow staff_t rpm_var_lib_t:file { create lock read write };
allow staff_t sbin_t:dir { add_name remove_name write };
allow staff_t sbin_t:file { create relabelfrom relabelto rename setattr
write };
#allow staff_t security_t:security load_policy;
allow staff_t selinux_config_t:dir { add_name create remove_name rename
rmdir write };
allow staff_t selinux_config_t:file { create rename unlink write };
allow staff_t semanage_read_lock_t:file { lock read write };
allow staff_t semanage_store_t:dir { remove_name rename rmdir write };
allow staff_t semanage_store_t:file { read unlink };
allow staff_t semanage_trans_lock_t:file { lock read write };
allow staff_t self:process { execmem setexec };
allow staff_t system_dbusd_t:unix_stream_socket connectto;
allow staff_t system_dbusd_var_run_t:sock_file write;
allow staff_t tmp_t:file { execute read write };
allow staff_t tmp_t:sock_file { unlink write };
allow staff_t user_home_dir_t:dir { add_name create rename rmdir write
};
allow staff_t user_home_dir_t:file { create ioctl read relabelfrom
rename setattr write };
allow staff_t user_home_dir_t:lnk_file { create read };
allow staff_t user_home_t:dir { add_name create remove_name rename
reparent rmdir write };
allow staff_t user_home_t:file { create ioctl lock relabelto rename
setattr unlink };
allow staff_t user_home_t:lnk_file create;
allow staff_t usr_t:dir { add_name create relabelfrom relabelto
remove_name setattr write };
allow staff_t usr_t:file { create relabelfrom relabelto rename setattr
write };
allow staff_t var_log_t:dir { add_name create relabelfrom write };
allow staff_t var_log_t:file read;
allow staff_t var_run_t:dir { add_name remove_name write };
allow staff_t var_run_t:file { create unlink write };
allow staff_t var_t:dir { add_name remove_name write };
allow staff_t var_t:file { create setattr unlink write };
allow staff_t xdm_xserver_t:unix_stream_socket connectto;
allow xdm_xserver_t staff_t:fd use;
allow xdm_xserver_t staff_t:shm { associate getattr read unix_read
unix_write write };
allow xdm_xserver_t staff_tmpfs_t:file { read write };

###################################################################
-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Tuesday, September 19, 2006 8:58 PM
To: Benjamin Tsai
Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua
Brindle; fedora-selinux-list at redhat.com
Subject: RE: How to apply new policy exactly?

On Tue, 2006-09-19 at 10:20 +0800, Benjamin Tsai wrote:
> I want to write policy for my own daemon, instead of a strict policy.
> So, I stepped on the wrong road from the beginning?
> Though, according to the document "Configuring the SELinux Policy", it
> indicates a path to policy source.

That's because it was written before modular policy support existed.
Useful links:
Fedora Core 5 SELinux FAQ http://fedora.redhat.com/docs/selinux-faq-fc5/
Fedora SELinux Wiki http://fedoraproject.org/wiki/SELinux/

Dan and Joshua, it looks like the links to various Tresys site pages are
no longer valid.

> Well then, what's a correct build path? Are the following steps correct?
> write foo.te file, and execute
> #checkmodule -M -m foo.te -o foo.mod
> Then
> #semodule -i foo.mod

semodule acts on a policy module package rather than just a module,
which you can create via:
	semodule_package -o foo.pp -m foo.mod
If you have file contexts as well, you can bundle them within the
package, as in:
	semodule_package -o foo.pp -m foo.mod -f foo.fc

But this can all be handled more easily via the sequence described in:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961577


> Besides, is it then impossible to customize my own base policy package?
> Or shall I start over and write my own base module word by word?

It isn't impossible, but in many cases, it is no longer necessary - you
can define your own policy modules and add them, or you can use semanage
to customize other local settings, while still being able to just use
the Fedora-provided base policy and any updates to it.

You can certainly replace the entire policy and just use the refpolicy
from oss.tresys.com, but if you don't need to do so, then it is just
making more work for yourself.

-- 
Stephen Smalley
National Security Agency
