next up previous contents
Next: 9 Creating domain Up: SELinux Policy Editor(seedit) Administration Previous: 7 Simplified Policy basics   Contents


8 Adding policy with the policy generation tool

8.1 Test in permissive mode

If a confined application fails to run because of an SELinux denial, you have to add policy.
Before adding policy, test the application in permissive mode. If the application runs in permissive mode, it is very likely that SELinux is denying some access, and you have to add policy. A GUI and a command line utility are provided for this.

8.2 How the policy generator works

Policy is generated from the SELinux access log. Testing in permissive mode produces that log: in permissive mode, an access that the policy would deny is only logged, not blocked. To make the application work in enforcing mode, you have to allow the denied access.

The following is an example of an access denial log in audit.log. Using this example, we show how the policy generator generates policy.

----
time->Wed Apr 26 18:34:32 2006
1: type=PATH msg=audit(1146090872.442:29): item=0 
name="/etc/vsftpd/vsftpd.conf" flags=101  inode=584775 dev=03:03 
mode=0100600 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1146090872.442:29):  
cwd="/etc/selinux/seedit/src/policy/simplified_policy"
2: type=SYSCALL msg=audit(1146090872.442:29): arch=40000003 
syscall=5 success=yes exit=3 a0=bfb04c52 a1=8800 a2=0 a3=8800 
items=1 pid=13151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 comm="vsftpd" exe="/usr/sbin/vsftpd"
3: type=AVC msg=audit(1146090872.442:29): avc:  denied  { read } 
for  pid=13151 comm="vsftpd" name="vsftpd.conf" dev=hda3 
ino=584775 scontext=user_u:system_r:ftpd_t 
tcontext=system_u:object_r:default_t tclass=file
----
Line 3 says that read access by the ftpd_t domain to a file named vsftpd.conf was denied. From line 3 alone, we can say that the following should be added:
allow vsftpd.conf r;

However, line 3 does not give the full path of vsftpd.conf. To obtain the full path we use the record in line 1, which says the full path is /etc/vsftpd/vsftpd.conf. Combining line 1 and line 3, we conclude that the following should be added:

allow /etc/vsftpd/vsftpd.conf r;
If the auditd service is not running, the record in line 1 is not written; in other words, the log contains no full path information. That is why we recommend running auditd when using SELinux Policy Editor.
When auditd is not running, the policy generator tries to obtain the full path with the locate command, but this often fails.
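The correlation described above, as an added example written for this page (it is not seedit's own audit2spdl code): audit records are grouped by msg id, the full path is taken from the PATH record of the same event (a relative name is resolved against the CWD record), and an SPDL rule is emitted for the domain named in scontext. The sample log, the PERM_MAP letter mapping and the failure message handling are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the PATH, CWD and AVC records of one audit event (same msg
# id), modelled on the vsftpd example above (real lines carry no "1:" prefix).
SAMPLE_LOG = """\
time->Wed Apr 26 18:34:32 2006
type=PATH msg=audit(1146090872.442:29): item=0 name="/etc/vsftpd/vsftpd.conf" flags=101 inode=584775 dev=03:03 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1146090872.442:29): cwd="/etc/selinux/seedit/src/policy/simplified_policy"
type=AVC msg=audit(1146090872.442:29): avc:  denied  { read } for  pid=13151 comm="vsftpd" name="vsftpd.conf" dev=hda3 ino=584775 scontext=user_u:system_r:ftpd_t tcontext=system_u:object_r:default_t tclass=file
"""

# Assumed mapping of kernel file permissions to coarse SPDL letters (the page
# says audit2spdl emits w for writes unless -s asks for o,a,c,e,t).
PERM_MAP = {"read": "r", "getattr": "r", "write": "w", "append": "w"}
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"denied\s+\{ ([^}]+) \}")

def parse_records(text):
    # Group records by msg id so the PATH, CWD and AVC of one event sit together.
    events = defaultdict(dict)
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, msg_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC":
            perms = AVC_RE.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
        events[msg_id][rtype] = fields
    return events

def suggest_policy(text):
    # Return {"<domain>.sp": [SPDL rules]}, one rule per denied file access.
    rules = defaultdict(list)
    for ev in parse_records(text).values():
        avc = ev.get("AVC")
        if not avc or avc.get("tclass") != "file":
            continue
        domain = avc["scontext"].split(":")[2]     # user_u:system_r:ftpd_t -> ftpd_t
        path = ev.get("PATH", {}).get("name")
        if not path:                               # no PATH record: auditd was not running
            rules[domain + ".sp"].append("#Failed to generate, because failed to obtain fullpath.")
            continue
        if not path.startswith("/"):               # relative name: resolve against CWD
            path = os.path.normpath(os.path.join(ev.get("CWD", {}).get("cwd", "/"), path))
        letters = sorted({PERM_MAP[p] for p in avc["perms"] if p in PERM_MAP})
        if letters:
            rules[domain + ".sp"].append(f"allow {path} {','.join(letters)};")
    return dict(rules)
```

Feeding only the AVC line (as when auditd is off) yields the failure message instead of a rule, which is the case the text warns about.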


8.3 GUI (policy generator)

8.3.1 Launching the tool

Select Generate Policy from the control panel; a window like figure 10 will open.

Figure 10: Policy Generate tool (screenshot)
Usually you do not have to configure anything. Press the Generate policy button.

What can be configured is listed below for reference.

8.3.2 Examining the result and adding policy

After you press the Generate policy button, policy is generated. This takes some time. When it finishes, the result is output in the Result tab. Figure 11 is an example of the output.

Figure 11: Policy Generate result (screenshot)

The first row asks: do you want to add allownet -protocol tcp -port 1024- server; to the vsftpd_t domain? The Log column shows the SELinux access denial from which that policy was generated. If you want to add the policy, tick its check box.
The Glob button is very useful: it lets you allow access to all files in a directory. For example, select the row allow /etc/vsftpd/vsftpd.conf r,s; and click the Glob button. Each click changes the filename as shown below.

/etc/vsftpd/vsftpd.conf ->
/etc/vsftpd/* ->
/etc/vsftpd/** ->
/etc/* ->
/etc/** ->
/* ->
/**
Undo Glob returns the filename to the previous pattern.
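The Glob progression above, as an added example (not seedit's own code): glob_steps computes the same sequence for any absolute file path, widening from the file's own directory up to the root, and undo_glob steps back one click.

```python
def glob_steps(path):
    # Successive patterns the Glob button cycles through for an absolute file
    # path: the file's own directory first, then each parent up to the root.
    dirs = path.strip("/").split("/")[:-1]            # directory components only
    steps = []
    for depth in range(len(dirs), -1, -1):
        prefix = "/".join([""] + dirs[:depth]) + "/"  # "/etc/vsftpd/", "/etc/", "/"
        steps.append(prefix + "*")                    # entries directly in that directory
        steps.append(prefix + "**")                   # the whole subtree below it
    return steps

def undo_glob(path, current):
    # Undo Glob: return the pattern shown before the last Glob click,
    # or the original filename when the first Glob step is undone.
    steps = glob_steps(path)
    i = steps.index(current)
    return path if i == 0 else steps[i - 1]
```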
The policy that will be added is displayed under Following will be saved, as in figure 12. If it looks good, press the Save and Apply button. The policy is added to the domain and loaded into the kernel.

Figure 12: Before save (screenshot)

8.4 Command line (audit2spdl)

You can also add policy with the audit2spdl command. Its usage is simple. When auditd is running:
# audit2spdl -al
When auditd is not running:
# audit2spdl -dl

You can also read a log from a file by specifying its filename:

# audit2spdl -l -i /var/log/messages
This command translates SELinux denial logs into simplified policy. Using the auditd service is recommended if it is available for your distribution. On Fedora Core 5 you can install auditd with the following commands.
#yum install audit
#chkconfig auditd on
#/etc/init.d/auditd start

The following is sample output.

#audit2spdl -dl
.... It takes some time...
-------------------------
#SELinux deny log:
audit(1146162965.963:16): avc:  denied  { read } for  pid=6653 
comm="vsftpd" name="vsftpd.conf" dev=hda3 ino=584775 
scontext=user_u:system_r:ftpd_t 
tcontext=system_u:object_r:default_t tclass=file
#Suggested configuration
File ftpd_t.sp:
allow /etc/vsftpd/vsftpd.conf  r;
-------------------------
...

The above says that you have to add

allow /etc/vsftpd/vsftpd.conf  r;
to ftpd_t.sp to resolve the SELinux access denial.

To add the generated policy in the above example, open /etc/seedit/policy/vsftpd.sp and add allow /etc/vsftpd/vsftpd.conf r; between { and }, as below:

{
domain vsftpd_t
program /usr/sbin/program;
allow ....
<add here!!>

}
After editing the file, you have to notify the SELinux kernel of the change. Type seedit-load.
#seedit-load
seedit-load: Success
You can see the progress of seedit-load with the -v option, like below:
# seedit-load -v
mkdir -p ./sepolicy;
m4 -s ./simplified_policy/*.sp >./simplified_policy/all.sp;
/usr/bin/seedit-converter -i ./simplified_policy/all.sp -o 
./sepolicy -b ./base_policy -I ./simplified_policy/include ;
.................

cp /etc/selinux/seedit/contexts/files/file_contexts.all 
/etc/selinux/seedit/contexts/files/file_contexts.all.old
seedit-load: Success
In the above case, you can instead add
allow /etc/vsftpd/* r;
This is slightly different from what audit2spdl suggested. Because the system administrator knows that /etc/vsftpd is vsftpd's configuration directory, it is more effective to allow access to the whole /etc/vsftpd directory.

8.4.1 Advanced topic: notes about audit2spdl

  1. Not the most secure suggestion
    audit2spdl does not always suggest the best solution, so review the suggested configuration carefully. For example, audit2spdl does not generate the detailed file permissions (o,a,c,e,t) but generates w instead.
    To generate the permissions o,a,c,e,t, use the s option, as in audit2spdl -dls.

  2. Failure to suggest
    In special cases, suggesting a configuration fails and the following message appears.
    #Failed to generate, because failed to obtain fullpath.
    
    The SELinux log does not contain the full path. audit2spdl does some work to obtain it, but this sometimes fails. To obtain the full path in all cases, you have to use auditd. auditd is not installed on Fedora Core 5; you can set it up as below.
    #yum install audit
    #chkconfig auditd on
    #/etc/init.d/auditd start
    
    Then use audit2spdl -al and try again. It is also faster than audit2spdl -dl.


2006-07-05