Next: 10 Other notices Up: SELinux Policy Editor(SEEdit) Administration Previous: 8 Add policy by   Contents
9 Creating a domain

Let's go through an example: creating a domain for vsftpd and confining vsftpd's behavior with it. After following this example you will be able to prepare domains for other programs. In general, creating a domain goes like this:
  1. Create a template
  2. Check the domain
  3. Test run and add policy

9.1 Creating a domain from the GUI

We will create the vsftpd_t domain and configure it so that vsftpd works as an anonymous FTP server.

9.1.1 Create template

With the Domain manager GUI you can create a template configuration. From the control panel, select Manage Domain. We will assign vsftpd to the vsftpd_t domain.

You can do it as in figure 13. First, specify the name of the executable file: enter /usr/sbin/vsftpd.
Next, specify the domain name: enter vsftpd_t.
There are some questions you have to answer.
Then press the Create Template button. The created configuration is shown under Created template.

Figure 13: Create new domain
Image template

If you know the application, you already know what kind of access rights are necessary, and you can add them now. If you do not know, do not worry: you can generate policy later.
We are preparing an anonymous FTP server, so read access under /var/ftp is necessary, and the daemon needs to bind TCP port 21 to act as an FTP server.
You can add this configuration from the GUI. Press the Add policy button. In figure 14 you are configuring read access under /var/ftp; in figure 15 you are configuring use of TCP port 21 as a server. Pressing the Add button adds the configuration

allow  /var/ftp/** r,s;
allownet -protocol tcp -port 21 server;

After adding the configuration, press the Save and Apply button.

Figure 14: Insert file access control policy
Image add-file

Figure 15: Insert network access control policy
Image add-network

If you installed the target application from an rpm package, the Generate more policy button saves time: it generates some policy from the information in the rpm package. In this example the following is generated.

allow /etc/pam.d/vsftpd r,s;
allow /etc/vsftpd/** r,s;
allow /usr/sbin/vsftpd r,s;
allow /var/ftp/** r,s;

9.1.2 Check domain

Switch to permissive mode (with setenforce 0 or from the status GUI). Start vsftpd and make sure its domain is vsftpd_t (you can check this from the status GUI).

9.1.3 Test run and add policy

Test-run vsftpd in permissive mode.

Let's test ftp as follows.

$ ftp localhost
Name (localhost:ynakam): Anonymous
Password: <anything is OK>
...
and do something.
Then look at the log:
# ausearch -m AVC
Various accesses are denied, so you have to add policy that allows the denied accesses. You can do this easily with the policy generation tool. Select Generate Policy from the control panel; a window like figure 16 opens. Usually you do not have to change the configuration. If you want a more secure configuration, check Generate more secure policy: it generates policy that uses detailed write permissions, but you will need more time to complete the configuration. To generate policy, press the generate button; the result is shown as in figure 17. To add generated policy, tick its check boxes; to allow a whole directory instead of a single file, use the Glob button. In this case it is more efficient to allow access to the /etc/vsftpd directory, so click the Glob button twice.
The filename changes /etc/vsftpd/vsftpd.conf → /etc/vsftpd/* → /etc/vsftpd/**.
In this case a configuration like figure 18 will be saved. Click the Save and Apply button.
Test vsftpd again and use the Policy Generation tool again. If it shows nothing, test in enforcing mode. If vsftpd works, you are done; if not, keep adding configuration with the Policy Generation tool until it works.

Figure 16: Policy Generate tool
Image vsftpd-generate

Figure 17: Policy Generate result
Image vsftpd-generate-result

Figure 18: Before save
Image vsftpd-generate-save

9.2 Creating a domain from the command line

9.2.1 Create template

You can create a template configuration with the seedit-template command. Usage:
seedit-template -d <domain> -e <path to application> -o <output>
For our case the output is as follows (the domain is named ftpd_t throughout this command-line walkthrough).
# seedit-template -d ftpd_t -e /usr/sbin/vsftpd
{
domain ftpd_t;
program /usr/sbin/vsftpd;
include common-relaxed.sp;
include daemon.sp;
include nameservice.sp;
}
A template configuration is generated. In it the domain is named and assigned to /usr/sbin/vsftpd, and the include lines import access rights commonly used by daemons. Save this configuration as /etc/seedit/policy/ftpd_t.sp. Note that the file name must be <domain-name>.sp, otherwise seedit-load fails.

9.2.2 Check domain

Load the simplified policy:
# seedit-load
Then switch to permissive mode, because vsftpd would fail to work in enforcing mode due to SELinux access denials.
# setenforce 0
# getenforce
Permissive
Start vsftpd and check its domain with seedit-unconfined.
# /etc/init.d/vsftpd restart
# seedit-unconfined -e
10530   vsftpd  Confined by ftpd_t
vsftpd is running as ftpd_t, as shown above.

9.2.3 Test run and add policy

Let's run the application in permissive mode, find out which accesses are denied, and allow them with audit2spdl. Here we aim to develop policy for vsftpd to work as an anonymous FTP server. Let's test ftp as follows.
$ ftp localhost
Name (localhost:ynakam): Anonymous
Password: <anything is OK>
...
and do something.
Then look at the log:
# dmesg
Various accesses are denied. Let's run audit2spdl.

#audit2spdl -dl
-------------------------
#SELinux deny log:
audit(1146179470.043:86): avc:  denied  { search } for  
pid=10904 comm="vsftpd" name="vsftpd" dev=hda3 ino=584772 
scontext=user_u:system_r:ftpd_t 
tcontext=system_u:object_r:etc_t tclass=dir
#Suggested configuration
File ftpd_t.sp:
allow /etc/vsftpd  s;
-------------------------

-------------------------
#SELinux deny log:
audit(1146179477.891:108): avc:  denied  { search } for  
pid=10911 comm="vsftpd" name="ftp" dev=hda3 ino=163477
 scontext=user_u:system_r:ftpd_t 
tcontext=system_u:object_r:var_t tclass=dir
#Suggested configuration
File ftpd_t.sp:
allow /var/ftp  s;
-------------------------
.....
audit2spdl tells us that various configuration should be added. You might also find the following.
-------------------------
#SELinux deny log:
type=AVC msg=audit(1148486754.718:36): avc:  denied  { lock } for  
pid=11763 comm="vsftpd" name="test.txt" dev=hda3 ino=163311 
scontext=user_u:system_r:ftpd_t tcontext=system_u:object_r:default_t
 tclass=file
#Suggested configuration
File ftpd_t.sp:
#Failed to generate, because failed to obtain fullpath.
#allow test.txt  r,s;
-------------------------
This means audit2spdl could not suggest configuration because it failed to determine the full path of test.txt. But you know the full path of test.txt is /var/ftp/pub/test.txt, so you add allow /var/ftp/pub/test.txt r,s; yourself.

In my case, the following were suggested on the first test.

allow /etc/vsftpd  s;
allow /var/ftp  s;
allow /root  s;
allownet -protocol tcp -port 21 server;
allowpriv cap_sys_chroot;
allow /var/log/xferlog  r,w;
allow /etc/vsftpd/vsftpd.conf  r;
allow /etc/vsftpd/vsftpd.conf  s;
You can add them as they are, but you will notice it is more efficient to allow r,s to everything under /var/ftp and /etc/vsftpd. So your ftpd_t.sp becomes the following.
{
domain ftpd_t;
program /usr/sbin/vsftpd;
include common-relaxed.sp;
include daemon.sp;
include nameservice.sp;
# added by audit2spdl suggestion
allow /etc/vsftpd/**  r,s;
allow /var/ftp/**  r,s;
allow /var/log/xferlog  r,w;
allow /root  s;
allownet -protocol tcp -port 21 server;
allowpriv cap_sys_chroot;
}
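The audit2spdl suggestions above, the merge of the per-file rules into /etc/vsftpd/** and /var/ftp/**, and the Glob button of section 9.1.3 all follow one recipe: parse the AVC record, map the denied permission to SPDL access letters, resolve the object to a full path, and widen the path when several rules fall under one directory. The following Python script is an added example that implements that recipe on a constructed log; it is not part of SEEdit or audit2spdl. The permission-to-letter table, the server keyword for name_bind denials, and the inode-to-path table (which stands in for the filesystem lookup a real tool performs) are assumptions of this example.

```python
"""Suggest SPDL rules from SELinux AVC denials, audit2spdl-style (added example,
not SEEdit's code). Assumed: the permission-letter table, the "server" keyword
for name_bind, and an inode table standing in for the filesystem path lookup."""
import re
from collections import defaultdict

# SELinux permission -> SPDL letters. search->s, read->r, write->w and lock->r,s
# follow the audit2spdl output quoted in the text; the other entries are assumed.
PERM_TO_SPDL = {"search": "s", "getattr": "s", "read": "r", "open": "r", "lock": "rs",
                "write": "w", "append": "w", "create": "w", "unlink": "w", "add_name": "w"}
FILE_CLASSES = ("file", "dir", "lnk_file", "fifo_file", "sock_file")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record (with or without the type=AVC msg=... prefix) into its
    key=value fields plus 'perms' and the source domain 'sdom'; None if not an AVC."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    rec["perms"] = m.group(1).split()
    parts = rec.get("scontext", "").split(":")          # user:role:type[:mls]
    rec["sdom"] = parts[2] if len(parts) > 2 else ""
    return rec

def suggest(lines, domain, inode_table=None):
    """Collect rule material for `domain`: files {path: letters}, nets {(proto, port)},
    privs {cap_*}, and unresolved [(name, letters)] for objects whose full path is
    unknown, which audit2spdl reports as a commented-out suggestion, not a rule."""
    inode_table = inode_table or {}
    files, nets, privs, unresolved = defaultdict(set), set(), set(), []
    for rec in filter(None, map(parse_avc, lines)):
        if rec["sdom"] != domain:                        # other domains' denials are ignored
            continue
        tclass = rec.get("tclass")
        if tclass in ("tcp_socket", "udp_socket") and "name_bind" in rec["perms"]:
            nets.add((tclass.split("_")[0], int(rec["src"])))
        elif tclass == "capability":
            privs.update("cap_" + p for p in rec["perms"])
        elif tclass in FILE_CLASSES:
            letters = {c for p in rec["perms"] for c in PERM_TO_SPDL.get(p, "")}
            path = rec.get("path") or inode_table.get((rec.get("dev"), rec.get("ino")))
            if path:
                files[path] |= letters
            else:
                unresolved.append((rec.get("name"), ",".join(sorted(letters))))
    return dict(files), nets, privs, unresolved

def glob_up(path):
    """One press of the GUI's Glob button: /d/f -> /d/* -> /d/**."""
    if path.endswith("/**"):
        return path
    return path + "*" if path.endswith("/*") else path.rsplit("/", 1)[0] + "/*"

def collapse(files, dirs):
    """Fold every rule at or under one of `dirs` into one dir/** rule holding the
    union of the letters, as the text does by hand for /etc/vsftpd and /var/ftp."""
    out = defaultdict(set)
    for path, letters in files.items():
        hit = next((d.rstrip("/") for d in dirs
                    if path == d.rstrip("/") or path.startswith(d.rstrip("/") + "/")), None)
        out[hit + "/**" if hit else path] |= letters
    return dict(out)

def render(domain, files, nets=(), privs=()):
    """Format the material like audit2spdl's 'Suggested configuration' block."""
    out = [f"File {domain}.sp:"]
    out += [f"allow {p} {','.join(sorted(files[p]))};" for p in sorted(files)]
    out += [f"allownet -protocol {pr} -port {po} server;" for pr, po in sorted(nets)]
    out += [f"allowpriv {cap};" for cap in sorted(privs)]
    return "\n".join(out)

# Constructed sample log modelled on the records quoted in the text, one record per
# line as auditd/dmesg emit them, plus one denial from another domain to be ignored.
SAMPLE_AVC = [
    'audit(1146179470.043:86): avc:  denied  { search } for  pid=10904 comm="vsftpd" name="vsftpd" dev=hda3 ino=584772 scontext=user_u:system_r:ftpd_t tcontext=system_u:object_r:etc_t tclass=dir',
    'audit(1146179477.891:108): avc:  denied  { search } for  pid=10911 comm="vsftpd" name="ftp" dev=hda3 ino=163477 scontext=user_u:system_r:ftpd_t tcontext=system_u:object_r:var_t tclass=dir',
    'type=AVC msg=audit(1148486754.718:35): avc:  denied  { read } for  pid=10911 comm="vsftpd" name="vsftpd.conf" dev=hda3 ino=584790 scontext=user_u:system_r:ftpd_t tcontext=system_u:object_r:etc_t tclass=file',
    'type=AVC msg=audit(1148486754.718:36): avc:  denied  { lock } for  pid=11763 comm="vsftpd" name="test.txt" dev=hda3 ino=163311 scontext=user_u:system_r:ftpd_t tcontext=system_u:object_r:default_t tclass=file',
    'type=AVC msg=audit(1148486760.100:40): avc:  denied  { name_bind } for  pid=10911 comm="vsftpd" src=21 scontext=user_u:system_r:ftpd_t tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket',
    'type=AVC msg=audit(1148486760.100:41): avc:  denied  { sys_chroot } for  pid=10911 comm="vsftpd" capability=18 scontext=user_u:system_r:ftpd_t tcontext=user_u:system_r:ftpd_t tclass=capability',
    'type=AVC msg=audit(1148486761.000:42): avc:  denied  { read } for  pid=2001 comm="sshd" name="shadow" dev=hda3 ino=9 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file',
]
# Constructed (dev, inode) -> path table standing in for the filesystem lookup; test.txt
# is left out on purpose to reproduce the "failed to obtain fullpath" case.
INODE_TABLE = {
    ("hda3", "584772"): "/etc/vsftpd",
    ("hda3", "163477"): "/var/ftp",
    ("hda3", "584790"): "/etc/vsftpd/vsftpd.conf",
}

if __name__ == "__main__":
    files, nets, privs, unresolved = suggest(SAMPLE_AVC, "ftpd_t", INODE_TABLE)
    print(render("ftpd_t", files, nets, privs))
    for name, letters in unresolved:
        print(f"#Failed to generate, because failed to obtain fullpath.\n#allow {name} {letters};")
    print("# after collapsing /etc/vsftpd and /var/ftp, as the text does:")
    print(render("ftpd_t", collapse(files, ["/etc/vsftpd", "/var/ftp"]), nets, privs))
```

Run as-is it prints the raw suggestions, including the commented-out one for test.txt, followed by the collapsed version. To try it on a real machine, replace SAMPLE_AVC with the lines from ausearch -m AVC --raw or dmesg and fill the inode table from the filesystem. The collapsing step is the one to treat with care: a dir/** rule grants the same access to every present and future file under that directory, which is exactly the convenience and the risk of the Glob button.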
After seedit-load, test vsftpd again. You will find access denials again, and audit2spdl will suggest something like the following.
allownet -protocol tcp -port 6353 server;
This says vsftpd is trying to act as a server on TCP port 6353. The port number varies from run to run, because vsftpd picks an ephemeral port for each data connection, so vsftpd needs to be allowed any port above 1024. You can add the following.
allownet -protocol tcp -port 1024- server;
If you prefer a narrower rule, pin the passive-mode data ports to a fixed range with the pasv_min_port and pasv_max_port options in vsftpd.conf and allow only that range.
Then test again and add policy until no access denial is output. Finally, switch to enforcing mode.
# setenforce 1
Test vsftpd again.

SPDL has advanced features for configuring more secure policy. For example, login users are not confined by default; to enhance login-user security, you can use the RBAC feature. About RBAC, see the RBAC guide.


Yuichi Nakamura 2007-02-13