Next: 8 Add policy by
Up: SELinux Policy Editor(SEEdit) Administration
Previous: 6 Unconfine applications
Contents
7 Simplified Policy basics
The simplified policy lives in the /etc/seedit/policy directory. That directory
holds one file per domain, named domain name.sp.
Simplified policy is written in a syntax called the Simplified Policy Description
Language (SPDL). For details, see the separate SPDL specification document.
You do not need to know the full specification, because a helper tool assists you
when writing policy, but it is still better to be able to read a policy yourself.
Let's get an overview of SPDL by looking at an example.
Figure 6 shows the policy for the Apache web server.
Figure 6: Typical example of policy: Policy for Apache Web server [image]
Lines 2 and 3 are the configuration that assigns a domain to an application.
Line 2 names the domain httpd_t; the access rights configured in the rest of the
file belong to this domain. By default a domain has no access rights at all: it
can reach a resource only when a rule allows access to that resource.
Line 3 assigns the httpd_t domain to /usr/sbin/httpd. Together they mean that
when /usr/sbin/httpd is executed, it runs confined in the httpd_t domain.
- Note to experts
To assign a domain we use SELinux's domain transition mechanism. Lines 2 and 3
cause a domain transition from an unconfined domain (such as initrc_t) to
httpd_t, with /usr/sbin/httpd as the entry point (it is labeled automatically
by the SPDL compiler). Note that this domain transition does not happen from a
confined domain.
Lines 4, 5 and 6 import configuration common to many applications.
To see what is imported, look at the files in the include directory.
For example, include nameservice.sp; imports the configuration described in
include/nameservice.sp, which allows read access to files such as /etc/hosts.
Lines 7-10 allow access to files. Each rule gives a file name and permissions.
For the file name you can use globs as below.
- directory/* means the files directly under directory, not including subdirectories.
- directory/** means the files under directory, including files in subdirectories.
- A file name that starts with ~ represents the users' home directories (not
including /root). ~/public_html/** means the public_html directory under each
user's home directory (except /root).
You can specify the following permissions.
- Basic permissions
  - s: Search. Permission to search the file tree, i.e. read the list of file
    names in a directory. For a file it means nothing.
  - r: Read files.
  - x: Execute files.
  - w: Write. This includes write, append, create and delete.
- Detailed permissions
  The w permission allows too much; if you want more security, w can be split
  into the following five.
  - a: Append.
  - o: Overwrite. This means opening a file for writing.
  - c: Create. Create files.
  - e: Erase. Delete files.
  - t: Setattr. Modify file attributes (not including file security attributes).
Now you can understand lines 7-9.
- Line 7: httpd_t can see file lists and read all files under /var/www,
including subdirectories.
- Line 8: httpd_t can see file lists and read/append all files under
/var/log/httpd, including subdirectories.
- Line 9: httpd_t can see the file list in /etc, but cannot do anything with
the files in /etc, because /etc/* is not described.
Access to the network can also be described in simplified policy.
Line 10 allows httpd_t to behave as a server on TCP ports 80 and 443.
If you want to allow httpd_t to connect to MySQL (TCP 3306), specify the
following.
allownet -protocol tcp -port 3306 client;
You can use -1023, 1024-, and * as the port number. -1023 means all
well-known ports (except ports used by other domains), 1024- means all
ports over 1024 (except ports used by other domains), and * means all port numbers.
Other important operations not related to files or the network are also
restricted by SELinux. You can allow them with allowpriv name_of_privilege;.
For example, use of netlink sockets (used to communicate with the kernel) is
allowed in line 11.
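To make the glob, permission and port rules above concrete, here is a small checker written for this chapter; it is not part of SEEdit or its SPDL compiler. It parses allow lines in the syntax described, expands w into the detailed rights, applies the /*, /** and ~ rules, and evaluates allownet -port specifications; the sample rules and the home directory names are constructed, and the treatment of the base directory in dir/** and dir/* is an assumption.

```python
import os

W_DETAIL = {"a", "o", "c", "e", "t"}  # coarse 'w' = these five detailed rights

# Constructed sample in the chapter's SPDL syntax; Figure 6 on the original page
# is an image, so these httpd_t rules are assumed, not copied from it.
SAMPLE_POLICY = """\
allow /var/www/** r,s;
allow /var/log/httpd/** r,a,s;
allow /etc s;
allow ~/public_html/** r,s;
allow /tmp/* w;
"""

def expand_perms(perms):
    """'r,a,s' -> {'r','a','s'}; a coarse 'w' also grants a,o,c,e,t."""
    out = set()
    for p in perms.split(","):
        out |= (W_DETAIL | {"w"}) if p == "w" else {p}
    return out

def path_matches(pattern, path, homes):
    """dir/** = dir and its whole subtree; dir/* = direct children only;
    a leading ~ stands for each user's home directory except /root."""
    if pattern.startswith("~"):
        return any(path_matches(h + pattern[1:], path, homes) for h in homes if h != "/root")
    if pattern.endswith("/**"):
        return path == pattern[:-3] or path.startswith(pattern[:-3] + "/")
    if pattern.endswith("/*"):
        return path != pattern[:-2] and os.path.dirname(path) == pattern[:-2]
    return path == pattern

def parse_policy(text):
    """Collect allow rules; domain, program, include and other lines are ignored."""
    rules = []
    for line in text.splitlines():
        words = line.strip().rstrip(";").split()
        if words and words[0] == "allow":
            rules.append((words[1], expand_perms(words[2])))
    return rules

def file_allowed(rules, path, perm, homes=("/home/alice", "/root")):
    """'allow /etc s' lets the domain list /etc but not read /etc/hosts,
    because no rule names /etc/* or /etc/** (the chapter's line 9 caveat)."""
    return any(perm in perms and path_matches(pat, path, homes) for pat, perms in rules)

def port_allowed(spec, port):
    """allownet -port spec: N or N,M; '-1023' = well-known, '1024-' = above 1023, '*' = all."""
    return any(item in ("*", str(port)) or (item == "-1023" and port <= 1023)
               or (item == "1024-" and port >= 1024) for item in spec.split(","))
```

The "except ports used by other domains" exclusion that the compiler applies to -1023 and 1024- is not modelled here.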
7.3 GUI Editor
By selecting Edit Policy from the control panel, you can launch the policy editor.
From the Open icon, you can select a domain.
For example, when you open the httpd_t domain, you see something like Figure 7.
You can edit the policy as in a text editor.
With the Save button, you save and apply the edited policy; the policy is
loaded automatically.
The Reload button reads the domain's configuration file again, which is
useful when you have edited the policy with another tool (such as the generator).
With the Add button, you can insert policy at the end of the file from a GUI
selection window, shown in Figures 8 and 9.
From the file tab, you can insert configuration related to files; in the
example of Figure 8, after pressing Add,
allow /var/www/** r,s;
will be inserted.
From the network tab, you can insert configuration related to the network; in the
example of Figure 9, after pressing Add,
allownet -protocol tcp -port 80 server;
will be inserted.
Figure 7: GUI Editor [image]
Figure 8: [image]
Figure 9: [image]
Yuichi Nakamura
2007-02-13