Creating Custom SELinux Policy Modules with audit2allow

Sometimes none of the methods above deals with a given situation and we need to extend the SELinux policy by creating a custom policy module that allows a specific set of actions. For example, consider the smb service add-on for a file server. Our file server needs to communicate with samba over a Unix socket, and that is something the default SELinux policy for our samba server does not allow. Consequently the service is blocked by SELinux. This is not an issue that can be fixed by changing or restoring file type security contexts, and there is no boolean we can toggle to allow it. We could disable SELinux protection of the samba server entirely through a boolean, which would be better than disabling SELinux completely, but that is still far from ideal.

If we switch SELinux into Permissive mode and run our file server for a set period of time, we can log SELinux issues whilst still permitting access. Checking our logs, we see the following SELinux AVC messages:

type=SYSCALL msg=audit(1264381313.497:1327): arch=40000003 syscall=196
type=AVC msg=audit(1264381314.363:1328): avc:  denied  { search } for
type=SYSCALL msg=audit(1264381314.363:1328): arch=40000003 syscall=195
type=AVC msg=audit(1264381315.686:1329): avc:  denied  { getattr } for

*) The above output is trimmed to fit in the box.

Then we can use ‘audit2allow’ to generate a set of policy rules that would allow the required actions. We can generate a local samba Type Enforcement policy file (sambalocal.te):

# mkdir selinux_samba
# cd selinux_samba
# grep smbd_t /var/log/audit/audit.log | audit2allow -m sambalocal > sambalocal.te
# cat sambalocal.te
module sambalocal 1.0;
require {
 type home_root_t;
 type default_t;
 type smbd_t;
 class file getattr;
 class dir { read getattr search };
}
#============= smbd_t ==============
allow smbd_t default_t:dir { read search };
allow smbd_t default_t:file getattr;
allow smbd_t home_root_t:dir { getattr search };

Above we see that we can grep the audit.log file for denials involving our samba server's domain (smbd_t) and pipe them to audit2allow, which generates the set of rules it thinks would permit the actions currently denied by the SELinux policy. Reviewing these rules, we see our samba server wants to connect and write to a Unix socket, which we see from our logs is the Unix socket the smb service is listening on. As this seems perfectly reasonable, we can go ahead and use audit2allow to build a custom policy module that allows these actions:

# grep smbd_t /var/log/audit/audit.log | audit2allow -M sambalocal 

We then load our samba policy module using the ‘semodule’ command into the current SELinux policy:

# semodule -i sambalocal.pp

which adds our samba policy module to /etc/selinux/targeted/modules/active/modules/sambalocal.pp. We can check that the policy module loaded correctly by listing the loaded modules with ‘semodule -l’.

We can then continue to monitor our SELinux log files to check that our custom policy module works and once we are satisfied we can re-enable SELinux Enforcing mode and again benefit from SELinux protection of our now fully functional samba server.
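To make the audit2allow step less of a black box, here is an added example (not code from the original post, and not the audit2allow tool itself) that re-implements the core of what `audit2allow -m` does: it parses AVC denial lines, filters them to one source domain the way the `grep smbd_t` in the pipeline does, merges the denied permissions per (source type, target type, object class), and renders a .te module with the `module`, `require` and `allow` sections. The log lines embedded in it are constructed to resemble the trimmed denials shown above; the `flag_for_review` helper is an assumption of mine that lists any rule granting more than read-only access, which is the part of "reviewing these rules" that is worth automating before loading anything with `semodule -i`.

```python
"""Minimal re-implementation of the 'audit2allow -m' step: AVC denials -> .te module.
Added example, not the real audit2allow and not code from the original post."""
import re
from collections import defaultdict

# Constructed sample audit.log lines (fields shortened; not a real capture).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1264381314.363:1328): avc:  denied  { search } for  pid=2841 comm="smbd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1264381314.363:1328): arch=40000003 syscall=195 success=yes exit=0
type=AVC msg=audit(1264381315.686:1329): avc:  denied  { getattr } for  pid=2841 comm="smbd" path="/srv/share/readme" dev=sda1 ino=1234 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1264381316.001:1330): avc:  denied  { read } for  pid=2841 comm="smbd" name="share" dev=sda1 ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1264381317.210:1331): avc:  denied  { getattr search } for  pid=2841 comm="smbd" name="home" dev=sda1 ino=12 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1264381318.500:1332): avc:  denied  { write } for  pid=3100 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

# One AVC record: the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s.*?tcontext=(?P<tcontext>\S+)\s.*?tclass=(?P<tclass>\w+)"
)

# Permissions that go beyond reading; a reviewer should look at these before loading.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr", "connectto", "execute"}


def context_type(ctx):
    """user:role:type[:level] -> type (works with or without the MLS level)."""
    return ctx.split(":")[2]


def parse_denials(log_text, source_type=None):
    """Return {(stype, ttype, tclass): set(perms)} for the AVC denials in log_text.
    source_type restricts the result to one domain, like 'grep smbd_t' in the post."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m.group("scontext"))
        if source_type and stype != source_type:
            continue
        key = (stype, context_type(m.group("tcontext")), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def fmt_set(perms):
    """Render a permission set in TE syntax: single perm bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(module_name, denials, version="1.0"):
    """Render a .te module: header, require block (types and classes), allow rules."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for stype in sorted({k[0] for k in denials}):
        lines.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(denials.items()):
            if s == stype:
                lines.append(f"allow {s} {ttype}:{tclass} {fmt_set(perms)};")
    return "\n".join(lines) + "\n"


def flag_for_review(denials):
    """(stype, ttype, tclass, perm) tuples that grant more than read-only access."""
    return sorted((s, t, c, p) for (s, t, c), perms in denials.items()
                  for p in perms if p in WRITE_LIKE)


if __name__ == "__main__":
    smbd = parse_denials(SAMPLE_AUDIT_LOG, source_type="smbd_t")
    print(generate_te("sambalocal", smbd))
    print("needs review:", flag_for_review(smbd) or "nothing beyond read-only access")
```

Run it as-is and the printed module matches the shape of the sambalocal.te shown above; drop the `source_type` filter and the httpd_t write denial is pulled into the same module and flagged, which is exactly why the post greps for the one domain first rather than feeding the whole audit.log to audit2allow.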
