Next: 8 Add policy by Up: SELinux Policy Editor(seedit) Administration Previous: 6 Unconfine applications Contents

Subsections

7 Simplified Policy basics

7.1 Where is simplified policy?

Our simplified policy is located at /etc/seedit/policy directory. In the directory, files named domain name.sp are located.

7.2 Policy syntax overview

Simplified policy is described in syntax called Simplified Policy Description Language(SPDL). For detail, see other document(SPDL specification). You do not have to understand its full specification, because there is a helper tool when you describe policy. But it is better for you to be able to understand policy.
Let's see overview of SPDL by looking at example. Figure 6 shows policy for Apache web server.

**Figure 6:** Typical example of policy: Policy for Apache Web server
$\begin{figure}\begin{verbatim}1 { 2 domain httpd_t; 3 program /usr/sbin/htt... ...tcp -port 80,443 server; 11 allowpriv netlink; 12 }\end{verbatim} \end{figure}$

7.2.1 Give domain to application

Line 2 and 3 is configuration that gives domain to application . Line 2 names domain as httpd_t. Access rights for the domain is configured. By default domain has no access rights, by configuring to allow access to resources, domains can access resources.

line 3 means we will give httpd_t domain to /usr/sbin/httpd. By them, when /usr/sbin/httpd is executed, it is confined by httpd_t domain.

Note to experts
To give domain we are using SELinux's domain transition mechanism. By line 2 and 3, domain transition from unconfined domain(such as initrc_t) to httpd_t, and entry point is /usr/sbin/httpd(which is labeled automatically by SPDL compiler). So you have to notice that domain transition does not happen from confined domain.

7.2.2 Import typical configuration

By line 4,5,6 configurations common to applications are imported. To see what is imported, see files in include directory. For example, include include nameservice.sp;, configuration that is described in include/nameservice.sp is imported. Read access to files such as /etc/hosts are allowed.

7.2.3 Allow access to file

Line 7-10 allows access to files. File name and permissions are described. For filename, you can use grab like below.

directory/* : means files under directory, not include subdirectory.
directory/**: means files under directory, including files under
		subdirectory.

File name that starts with ~ represents home directory(Not including /root).

~/public_html/**

means public_html directories under each user's home directories(except /root).

You can specify following permissions.

Basic permissions
- s
  Search.Permission to search file tree.i.e. Read file name list in directory. For file, it means nothing.
- r
  Read files.
- x
  Execute files.
- w
  Write. This includes write,append,create,delete files.
Detailed permissions
w permission is allowing too much, if you want more security, w permission can be splitted into 5.
- a
  Append.
- o
  Overwrite. This means, write open file.
- c
  Create. Create files.
- e
  Erase. Delete files.
- t
  Setattr.Modify file attribute(not including file security attribute).

Now you can understand line 7-9.

Line7: http_t can see file lists and read all files under /var/www, including sub-directories.
Line 8: http_t can see file lists, read/append all files under /var/log/httpd, including sub-directories.
Line 9: httpd_t can see file list in /etc. Can not do anything files in /etc directory. Because /etc/* is not described.

7.2.4 Allow access to network

Access to network can be described by simplified policy. By line 10, httpd_t is allowed to behave as a server using tcp 80,443 port.
If you want to allow httpd_t to connect MySQL(TCP 3306), you have to specify following.
allownet -protocol tcp -port 3306 client;
You can use -1023, 1024-, and * for port number. -1023 means all wellknown ports(excepts ports used by other domains). 1024- means all ports(except ports used by other domains) over 1024, and * means all port number.

7.2.5 Allow other privilege

Other important operations not related to files and networks are restricted by SELinux. You can use allowpriv name_of_privilege;. For example, usage of netlink socket(it is used to communicate with kernel) is allowed in line 11.

7.3 GUI Editor

By selecting Edit Policy from control panel, you can launch policy Editor. From Open icon, you can select domain. For example, when you open httpd_t domain, you can see like figure 7. You can edit policy like text editor.
By Save button, you can save it and apply edited policy, policy load is automatically done.
Reload button read configuration file for domain again, it is useful when you edit policy from another tool(such as generator).
By Add button, you can insert policy at the end of file from GUI selection window. You can see window like Figure 8 and 9. From file tab, you can insert configuration related to file, in the example of e Figure 8, after pressing Add,

allow /var/www/** r,s;

will be inserted. From network tab, you can insert configuration related to file, in the example of e Figure 9, after pressing Add,

allownet -protocol tcp -port 80 server;

will be inserted.

**Figure 7:** GUI Editor

**Figure 8:**

**Figure 9:**

Next: 8 Add policy by Up: SELinux Policy Editor(seedit) Administration Previous: 6 Unconfine applications Contents

2006-07-05