Lead Image © Amy Walters, 123RF.com

Writing SELinux modules

Creative Security

Article from ADMIN 36/2016
Much has happened in the field of SELinux in the last few years, including the development of new usability features. The current release makes it easier to write SELinux policy modules yourself.

SELinux struggles to cast off its image as difficult to maintain and a cause of application problems. Yet in recent years, much has changed for the better, especially with regard to usability. For example, loadable policy modules have replaced the old monolithic ruleset: you no longer rebuild the whole policy to add rules for one application. If you want to develop a new SELinux module, three files are typically necessary.

Three Files for an SELinux Module

A type enforcement (.te) file stores the actual ruleset. To a large extent, it consists of m4 macros, known as interfaces, that the reference policy provides. For example, if your application needs to access a particular service's resources, such as its logfiles, that service's policy module provides a corresponding interface for the purpose. Instead of writing raw allow rules against the service's types, you call the interface and let it supply the rules. You therefore do not need to know the security label of the logfiles, because the interface abstracts the access, and your module keeps working if the service later renames or splits its types.

In addition to the actual ruleset, a second file is necessary. This file, known as the file context (.fc) file, defines the security labels of the files belonging to the application for which you are developing the policy: its executable, configuration, data and logfiles. Optionally, a third file can make interfaces of your own available. This is helpful whenever other applications or services need to access your application's resources. These m4-based interfaces are saved in a file with the .if suffix.

To create a policy module from these files, you first have to compile the .te file into a file in .mod format. The checkmodule tool is used for this purpose; because checkmodule does not expand m4 itself, the interfaces are resolved beforehand, which is what the Makefile shipped in /usr/share/selinux/devel does when you build with it. The result is a .mod file containing the complete ruleset from the .te file, with the m4 macros already resolved, but the information from the .fc file is still missing for the final policy module. You add it with the semodule_package tool, resulting in the finished policy module (.pp), then load it in the Linux kernel's

...
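The three files and the build steps described above, as an added example that is not part of the article: a hypothetical daemon called myapp gets its own domain, an executable label and a log label in the .te file, labels for its files in the .fc file, and an .if file exposing a myapp_read_log interface for other modules. The script writes the three files to a temporary directory and runs the build only if the policy development toolchain (the devel Makefile and checkmodule) is installed; otherwise it prints the commands. Every name (myapp, myapp_t, /usr/sbin/myapp, /var/log/myapp) is an assumption for illustration, and the reference-policy interfaces used (init_daemon_domain, logging_log_file, logging_search_logs, logging_log_filetrans, logging_send_syslog_msg, read_files_pattern) are the standard ones, not anything specific to the article.

```shell
#!/bin/sh
# Added example, not code from the ADMIN article. Names such as myapp,
# myapp_t, /usr/sbin/myapp and /var/log/myapp are assumptions.
set -eu

MODULE=myapp

# Type enforcement (.te): the ruleset. Access to other services' resources
# goes through their interfaces, so no foreign label appears here.
write_te() {
    cat > "$1/$MODULE.te" <<'EOF'
policy_module(myapp, 1.0.0)

# Domain of the daemon and label of its executable
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Label of the daemon's own logfiles
type myapp_log_t;
logging_log_file(myapp_log_t)

# The daemon may create and append to its own logs under /var/log;
# files it creates there are labelled myapp_log_t automatically
allow myapp_t myapp_log_t:file { create open append getattr };
logging_search_logs(myapp_t)
logging_log_filetrans(myapp_t, myapp_log_t, file)

# Talk to syslog through its interface: the syslog socket label stays hidden
logging_send_syslog_msg(myapp_t)
EOF
}

# File contexts (.fc): labels for the application's own files
write_fc() {
    cat > "$1/$MODULE.fc" <<'EOF'
/usr/sbin/myapp        --    gen_context(system_u:object_r:myapp_exec_t,s0)
/var/log/myapp(/.*)?         gen_context(system_u:object_r:myapp_log_t,s0)
EOF
}

# Interface (.if): what other modules may ask of myapp without knowing its labels
write_if() {
    cat > "$1/$MODULE.if" <<'EOF'
## <summary>Hypothetical myapp daemon.</summary>

########################################
## <summary>
##  Read myapp log files.
## </summary>
## <param name="domain">
##  <summary>Domain allowed access.</summary>
## </param>
#
interface(`myapp_read_log',`
    gen_require(`
        type myapp_log_t;
    ')
    logging_search_logs($1)
    read_files_pattern($1, myapp_log_t, myapp_log_t)
')
EOF
}

write_module_sources() {
    write_te "$1"; write_fc "$1"; write_if "$1"
}

# Build: the devel Makefile expands the m4 interfaces, runs checkmodule
# (.te -> .mod) and semodule_package (.mod + .fc -> .pp). Runs only if the
# toolchain is installed; otherwise the command is printed.
build_module() {
    if [ -f /usr/share/selinux/devel/Makefile ] && command -v checkmodule >/dev/null 2>&1; then
        (cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    else
        echo "toolchain missing; would run: make -f /usr/share/selinux/devel/Makefile $MODULE.pp"
    fi
}

# Load the module and relabel the paths named in the .fc (needs root)
install_module() {
    if [ "$(id -u)" -eq 0 ] && [ -f "$1/$MODULE.pp" ]; then
        semodule -i "$1/$MODULE.pp"
        restorecon -Rv /usr/sbin/myapp /var/log/myapp 2>/dev/null || true
    else
        echo "as root: semodule -i $1/$MODULE.pp; restorecon -Rv /usr/sbin/myapp /var/log/myapp"
    fi
}

WORKDIR=$(mktemp -d)
write_module_sources "$WORKDIR"
build_module "$WORKDIR"
install_module "$WORKDIR"
```

After loading, `semodule -l | grep myapp` confirms the module is active, and `sesearch -A -s myapp_t -t myapp_log_t` shows the expanded allow rules so you can check that the interfaces produced what you expected before putting the domain into enforcing mode.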