Next: 8 Add policy by Up: SELinux Policy Editor(SEEdit) Administration Previous: 6 Unconfine applications   Contents

7 Simplified Policy basics

7.1 Where is simplified policy?

Our simplified policy is located in the /etc/seedit/policy directory. In that directory, the policy for each domain is stored in a file named domain name.sp.

7.2 Policy syntax overview

Simplified policy is written in a syntax called the Simplified Policy Description Language (SPDL). For details, see the separate document (SPDL specification). You do not have to understand the full specification, because a helper tool assists you when you write policy, but it is better if you are able to read and understand policy.
Let's look at an overview of SPDL through an example. Figure 6 shows the policy for the Apache web server.

Figure 6: Typical example of policy: Policy for Apache Web server
1 {
2 domain httpd_t;
3 program /usr/sbin/htt...
...tcp -port 80,443 server;
11 allowpriv netlink;
12 }

7.2.1 Give domain to application

Lines 2 and 3 are the configuration that gives a domain to the application. Line 2 names the domain httpd_t. Access rights are then configured for this domain. By default a domain has no access rights at all; a domain can access a resource only when the policy has been configured to allow that access.

Line 3 means that we give the httpd_t domain to /usr/sbin/httpd. Together, these two lines mean that when /usr/sbin/httpd is executed, it is confined by the httpd_t domain.

7.2.2 Import typical configuration

Lines 4, 5 and 6 import configurations that are common to many applications. To see what is imported, look at the files in the include directory. For example, with include nameservice.sp; the configuration described in include/nameservice.sp is imported; it allows read access to files such as /etc/hosts.

7.2.3 Allow access to file

Lines 7-10 allow access to files. Each rule gives a file name and permissions. For the file name, you can use globs as below.
directory/* : means files directly under directory, not including subdirectories.
directory/** : means files under directory, including files under subdirectories.
A file name that starts with ~ represents a home directory (not including /root). For example,
~/public_html/**
means the public_html directory under each user's home directory (except /root).

You can specify the following permissions.

Now you can understand lines 7-9.

7.2.4 Allow access to network

Access to the network can also be described in simplified policy. Line 10 allows httpd_t to behave as a server on TCP ports 80 and 443.
If you want to allow httpd_t to connect to MySQL (TCP 3306), you have to specify the following.
allownet -protocol tcp -port 3306 client;
You can use -1023, 1024-, and * as the port number. -1023 means all well-known ports (except ports used by other domains), 1024- means all ports over 1024 (except ports used by other domains), and * means all port numbers.

7.2.5 Allow other privilege

Other important operations that are not related to files or the network are also restricted by SELinux. To allow one, use allowpriv name_of_privilege;. For example, line 11 allows the use of netlink sockets (which are used to communicate with the kernel).
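To make the rules of 7.2.3 and 7.2.4 concrete, here is a small policy checker, added as an example and not part of SEEdit: it parses a constructed policy written in the SPDL syntax above and answers "can this domain access this path / this port?" using the glob semantics (directory/* versus directory/**, the ~ prefix) and the port notation (N, -N, N-, *). It assumes that a non-root user's home directory is /home/<user>, and it does not model the "except ports used by other domains" reservation, which would need every domain's policy.

```python
import re
# Constructed sample in the SPDL syntax described above (an assumption modelled on Figure 6, not SEEdit's own httpd_t.sp).
SAMPLE_POLICY = """{
domain httpd_t;
program /usr/sbin/httpd;
allow /var/www/** r,s;
allow /etc/httpd/* r;
allow ~/public_html/** r,s;
allownet -protocol tcp -port 80,443 server;
allownet -protocol tcp -port 3306 client;
allowpriv netlink;
}"""
STMT = re.compile(r"\b(domain|program|include|allownet|allowpriv|allow)\s+([^;]+);")

def parse_policy(text):
    """Group SPDL statements by keyword; allow/allownet values are split into fields."""
    pol = {k: [] for k in ("domain", "program", "include", "allow", "allownet", "allowpriv")}
    for key, val in STMT.findall(text):
        f = val.split()
        if key == "allow":          # allow <path> <perm>,<perm>
            pol["allow"].append((f[0], set(f[1].split(","))))
        elif key == "allownet":     # allownet -protocol P -port S client|server
            pol["allownet"].append((f[f.index("-protocol") + 1], f[f.index("-port") + 1], f[-1]))
        else:
            pol[key].append(f[0])
    return pol

def glob_to_regex(glob):
    """dir/* = files directly in dir; dir/** = any depth below dir; a leading ~ is a
    user's home, assumed here to be /home/<user> (so /root never matches)."""
    prefix = ""
    if glob.startswith("~"):
        prefix, glob = r"/home/[^/]+", glob[1:]
    for suffix, rx in (("/**", r"/.+"), ("/*", r"/[^/]+")):
        if glob.endswith(suffix):
            return re.compile("^" + prefix + re.escape(glob[:-len(suffix)]) + rx + "$")
    return re.compile("^" + prefix + re.escape(glob) + "$")

def can_access(pol, path, perm):  # some allow rule covers both the path and the permission letter
    return any(perm in perms and glob_to_regex(g).match(path) for g, perms in pol["allow"])

def port_matches(spec, port):
    """Items: N, -N (ports up to N), N- (ports from N up), * (all). The 'except
    ports used by other domains' reservation needs every policy and is not modelled."""
    return any(item in ("*", str(port)) or (item.startswith("-") and port <= int(item[1:]))
               or (item.endswith("-") and port >= int(item[:-1])) for item in spec.split(","))

def can_net(pol, proto, port, role):  # an allownet rule grants this protocol, port and role
    return any(p == proto and r == role and port_matches(s, port) for p, s, r in pol["allownet"])
```

Note that /etc/httpd/* lets the checker read /etc/httpd/httpd.conf but not /etc/httpd/conf.d/ssl.conf, which is exactly the difference between * and ** described above.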


7.3 GUI Editor

By selecting Edit Policy from the control panel, you can launch the policy editor. With the Open icon, you can select a domain. For example, when you open the httpd_t domain, you see a window like Figure 7. You can edit the policy as in a text editor.
With the Save button, you save the file and apply the edited policy; loading the policy is done automatically.
The Reload button reads the domain's configuration file again, which is useful when you have edited the policy with another tool (such as the generator).
With the Add button, you can insert policy at the end of the file from a GUI selection window, as shown in Figures 8 and 9. From the File tab, you can insert configuration related to files; in the example of Figure 8, after pressing Add,
allow /var/www/** r,s;
is inserted. From the Network tab, you can insert configuration related to the network; in the example of Figure 9, after pressing Add,
allownet -protocol tcp -port 80 server;
is inserted.

Figure 7: GUI Editor [image: edit]

Figure 8: [image: edit-file]

Figure 9: [image: edit-network]


Yuichi Nakamura 2007-02-13