Quickly create SELinux modules using sepolicy
The policycoreutils-devel package includes a python sepolicy utility that makes writing a module much easier. In this article we will look at the process of creating a module for nmap using this utility.
Tl; DR
In previous articles, we discussed in detail the creation of a policy module and related issues. Now I will tell you how to make your life much easier with man 8 sepolicy
')
Tasks that we will solve in the article:
Sepolicy has a baseline generation mode called by the sepolicy generate (or sepolgen) command. Let's create a template for our module:
Let us examine the command line arguments:
Since the path / usr / bin / nmap is already described as traceroute_exec_t, the assembly of the as is module will cause a conflict. Therefore, we delete the nmap.fc file before building the module, and after the assembly, we do chcon.
Now the module is working in permissive mode, i.e., policies are checked, but no real blocking occurs. This can be understood from the permissive nmap_t line in the nmap.te file.
Now run nmap with various options to generate enough logs. Preliminary I recommend to execute the semodule -DB command to disable dontaudit rules (rules that prevent you from writing certain restrictions to the log).
See the results:
At the same time, we see that out.log was created with the context of user_home_dir_t - we need to create a new type (nmap_result_log_t) and give the necessary access rights.
So, we need to do the following:
Edit the module and get the following code:
Rebuild module:
And check in enforcing mode:
ShowMacro Interface Lists
Track possible type transitions
Track “common” types for data exchange
And also generate documentation, show the status of booleans and other useful things. Very good utility, actually.
SELinux is not as scary as it is painted. Use utility tools, and writing a policy will be easy and enjoyable for you.
If you want to know more, come to PHDays 18, where I will conduct a four-hour seminar on setting up a SELinux environment .
PS Download the source of this module (and others) here .
Tl; DR
In previous articles, we discussed in detail the creation of a policy module and related issues. Now I will tell you how to make your life much easier with man 8 sepolicy
')
Other articles of the cycle
Formulation of the problem
Tasks that we will solve in the article:
- Write a module for nmap.
- Allow users to conduct scans.
- Restrict any destructive actions.
Creating a blank
Sepolicy has a baseline generation mode called by the sepolicy generate (or sepolgen) command. Let's create a template for our module:
# sepolgen -n nmap --application /usr/bin/nmap -u user_u -u staff_u Loaded plugins: fastestmirror Created the following files: /root/nmap_module/nmap.te # Type Enforcement file /root/nmap_module/nmap.if # Interface file /root/nmap_module/nmap.fc # File Contexts file /root/nmap_module/nmap_selinux.spec # Spec file /root/nmap_module/nmap.sh # Setup Script Let us examine the command line arguments:
- -n - the name of the module.
- --application - type / application.
- / usr / bin / nmap - path to the executable file.
- -u staff_u -u user_u - a list of users who can use this application.
Since the path / usr / bin / nmap is already described as traceroute_exec_t, the assembly of the as is module will cause a conflict. Therefore, we delete the nmap.fc file before building the module, and after the assembly, we do chcon.
# rm nmap.fc rm: remove regular file 'nmap.fc'? y # ./nmap.sh Building and Loading Policy + make -f /usr/share/selinux/devel/Makefile nmap.pp Compiling minimum nmap module /usr/bin/checkmodule: loading policy configuration from tmp/nmap.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/nmap.mod Creating minimum nmap.pp policy package rm tmp/nmap.mod tmp/nmap.mod.fc + /usr/sbin/semodule -i nmap.pp ... # chcon -t nmap_exec_t /usr/bin/nmap Debugging
Now the module is working in permissive mode, i.e., policies are checked, but no real blocking occurs. This can be understood from the permissive nmap_t line in the nmap.te file.
Now run nmap with various options to generate enough logs. Preliminary I recommend to execute the semodule -DB command to disable dontaudit rules (rules that prevent you from writing certain restrictions to the log).
# chmod u+s /usr/bin/nmap # semodule -DB $ id user_u:user_r:user_t:s0 $ nmap -sS -A -PI jnode.in .... $ nmap -A -sU -PI jnode.in .... $ nmap jnode.in -o out.log .... See the results:
# audit2allow -bl -R -t nmap_t allow nmap_t self:capability {net_raw dac_read_search dac_override}; allow nmap_t self:unix_dgram_socket { create ioctl }; allow nmap_t self:packet_socket { bind create getopt ioctl read setopt write }; allow nmap_t self:rawip_socket { create setopt write }; corenet_tcp_connect_http_port(nmap_t) corenet_tcp_connect_smtp_port(nmap_t) corenet_tcp_connect_ssh_port(nmap_t) kernel_read_network_state(nmap_t) kernel_read_system_state(nmap_t) userdom_use_inherited_user_ptys(nmap_t) At the same time, we see that out.log was created with the context of user_home_dir_t - we need to create a new type (nmap_result_log_t) and give the necessary access rights.
Finalize
So, we need to do the following:
- Allow necessary network access.
- Allow to write logs.
- Make a new type for logs.
- Make a type conversion rule for logs.
- Give rights to users and the application to edit these logs.
Edit the module and get the following code:
policy_module(nmap, 1.0.0) ######################################## # # Declarations # attribute_role nmap_roles; roleattribute system_r nmap_roles; type nmap_t; type nmap_exec_t; application_domain(nmap_t, nmap_exec_t) role nmap_roles types nmap_t; # log files type type nmap_result_log_t; files_type(nmap_result_log_t) # home transition userdom_user_home_dir_filetrans(nmap_t, nmap_result_log_t, { dir file }) # permissive nmap_t; ######################################## # # nmap local policy # allow nmap_t self:process { setrlimit }; allow nmap_t self:fifo_file manage_fifo_file_perms; allow nmap_t self:unix_stream_socket create_stream_socket_perms; domain_use_interactive_fds(nmap_t) files_read_etc_files(nmap_t) auth_use_nsswitch(nmap_t) miscfiles_read_localization(nmap_t) sysnet_dns_name_resolve(nmap_t) optional_policy(` gen_require(` type user_t; role user_r; ') nmap_run(user_t, user_r) # nmap log files access manage_files_pattern(user_t, nmap_result_log_t, nmap_result_log_t) ') optional_policy(` gen_require(` type staff_t; role staff_r; ') nmap_run(staff_t, staff_r) # autogenerated macro from nmap.if # nmap log files access manage_files_pattern(staff_t, nmap_result_log_t, nmap_result_log_t) ') # from audit2allow allow nmap_t self:capability { dac_override net_raw dac_read_search }; allow nmap_t self:packet_socket { bind create getopt ioctl read setopt write }; allow nmap_t self:rawip_socket { create setopt write }; kernel_read_network_state(nmap_t) kernel_read_system_state(nmap_t) userdom_use_inherited_user_ptys(nmap_t) corenet_tcp_connect_all_ports(nmap_t) #nmap log files access manage_files_pattern(nmap_t, nmap_result_log_t, nmap_result_log_t) Rebuild module:
# ./nmap.sh .... And check in enforcing mode:
$ nmap -A -PI -sX -p 53 jnode.in -o out.log Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-13 13:29 CEST WARNING: Running Nmap setuid, as you are doing, is a major security risk. Nmap scan report for jnode.in (79.137.74.224) Host is up (0.012s latency). PORT STATE SERVICE VERSION 53/tcp open domain ISC BIND hostmaster ... $ ls -laZ out.log -rw-rw-r--. root user user_u:object_r:nmap_result_log_t:s0 out.log $ rm out.log $ What else can sepolicy?
Show
# sepolicy interface -v -l|grep filetrans|grep user_home_dir userdom_user_home_dir_filetrans(domain, private_type, object_class, name) Create objects in a user home directory with an automatic type transition to a specified private type. # sepolicy interface -v -l|grep corenet_tcp_connect|grep all corenet_tcp_connect_all_ports(domain) Connect TCP sockets to all ports. # sepolicy interface -v -l|grep files_pattern|grep manage manage_files_pattern Track possible type transitions
# sepolicy transition -s user_t -t nmap_t user_t @ nmap_exec_t --> nmap_t Track “common” types for data exchange
# sepolicy communicate -s user_t -t nmap_t xserver_tmpfs_t user_tmp_t user_fonts_t nmap_result_log_t And also generate documentation, show the status of booleans and other useful things. Very good utility, actually.
Instead of conclusion
SELinux is not as scary as it is painted. Use utility tools, and writing a policy will be easy and enjoyable for you.
If you want to know more, come to PHDays 18, where I will conduct a four-hour seminar on setting up a SELinux environment .
PS Download the source of this module (and others) here .
Source: https://habr.com/ru/post/354598/
All Articles