2017-05-13 19:51:44 +08:00
|
|
|
=======
|
|
|
|
SELinux
|
|
|
|
=======
|
|
|
|
|
selinux: add support for installing a dummy policy (v2)
In August 2006 I posted a patch generating a minimal SELinux policy. This
week, David P. Quigley posted an updated version of that as a patch against
the kernel. It also had nice logic for auto-installing the policy.
Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):
se interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.
The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.
Some statistics on the policy that it generates:
The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.
In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.
This policy generates a policy.23 binary that is 7920 bytes.
(then a few versions later...):
The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.
Changelog:
Aug 26: Added Documentation/SELinux.txt
Aug 26: Incorporated a set of comments by Stephen Smalley:
1. auto-setup SELINUXTYPE=dummy
2. don't auto-install if selinux is enabled with
non-dummy policy
3. don't re-compute policy version
4. /sbin/setfiles not /usr/sbin/setfiles
Aug 22: As per JMorris comments, made sure make distclean
cleans up the mdp directory.
Removed a check for file_contexts which is now
created in the same file as the check, making it
superfluous.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2008-08-27 03:47:57 +08:00
|
|
|
If you want to use SELinux, chances are you will want
|
|
|
|
to use the distro-provided policies, or install the
|
|
|
|
latest reference policy release from
|
2017-05-13 19:51:44 +08:00
|
|
|
|
selinux: add support for installing a dummy policy (v2)
In August 2006 I posted a patch generating a minimal SELinux policy. This
week, David P. Quigley posted an updated version of that as a patch against
the kernel. It also had nice logic for auto-installing the policy.
Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):
se interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.
The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.
Some statistics on the policy that it generates:
The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.
In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.
This policy generates a policy.23 binary that is 7920 bytes.
(then a few versions later...):
The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.
Changelog:
Aug 26: Added Documentation/SELinux.txt
Aug 26: Incorporated a set of comments by Stephen Smalley:
1. auto-setup SELINUXTYPE=dummy
2. don't auto-install if selinux is enabled with
non-dummy policy
3. don't re-compute policy version
4. /sbin/setfiles not /usr/sbin/setfiles
Aug 22: As per JMorris comments, made sure make distclean
cleans up the mdp directory.
Removed a check for file_contexts which is now
created in the same file as the check, making it
superfluous.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2008-08-27 03:47:57 +08:00
|
|
|
http://oss.tresys.com/projects/refpolicy
|
|
|
|
|
|
|
|
However, if you want to install a dummy policy for
|
2017-05-13 19:51:44 +08:00
|
|
|
testing, you can do using ``mdp`` provided under
|
selinux: add support for installing a dummy policy (v2)
In August 2006 I posted a patch generating a minimal SELinux policy. This
week, David P. Quigley posted an updated version of that as a patch against
the kernel. It also had nice logic for auto-installing the policy.
Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):
se interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.
The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.
Some statistics on the policy that it generates:
The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.
In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.
This policy generates a policy.23 binary that is 7920 bytes.
(then a few versions later...):
The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.
Changelog:
Aug 26: Added Documentation/SELinux.txt
Aug 26: Incorporated a set of comments by Stephen Smalley:
1. auto-setup SELINUXTYPE=dummy
2. don't auto-install if selinux is enabled with
non-dummy policy
3. don't re-compute policy version
4. /sbin/setfiles not /usr/sbin/setfiles
Aug 22: As per JMorris comments, made sure make distclean
cleans up the mdp directory.
Removed a check for file_contexts which is now
created in the same file as the check, making it
superfluous.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2008-08-27 03:47:57 +08:00
|
|
|
scripts/selinux. Note that this requires the selinux
|
|
|
|
userspace to be installed - in particular you will
|
|
|
|
need checkpolicy to compile a kernel, and setfiles and
|
|
|
|
fixfiles to label the filesystem.
|
|
|
|
|
|
|
|
1. Compile the kernel with selinux enabled.
|
2017-05-13 19:51:44 +08:00
|
|
|
2. Type ``make`` to compile ``mdp``.
|
selinux: add support for installing a dummy policy (v2)
In August 2006 I posted a patch generating a minimal SELinux policy. This
week, David P. Quigley posted an updated version of that as a patch against
the kernel. It also had nice logic for auto-installing the policy.
Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):
se interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.
The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.
Some statistics on the policy that it generates:
The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.
In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.
This policy generates a policy.23 binary that is 7920 bytes.
(then a few versions later...):
The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.
Changelog:
Aug 26: Added Documentation/SELinux.txt
Aug 26: Incorporated a set of comments by Stephen Smalley:
1. auto-setup SELINUXTYPE=dummy
2. don't auto-install if selinux is enabled with
non-dummy policy
3. don't re-compute policy version
4. /sbin/setfiles not /usr/sbin/setfiles
Aug 22: As per JMorris comments, made sure make distclean
cleans up the mdp directory.
Removed a check for file_contexts which is now
created in the same file as the check, making it
superfluous.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2008-08-27 03:47:57 +08:00
|
|
|
3. Make sure that you are not running with
|
|
|
|
SELinux enabled and a real policy. If
|
|
|
|
you are, reboot with selinux disabled
|
|
|
|
before continuing.
|
2017-05-13 19:51:44 +08:00
|
|
|
4. Run install_policy.sh::
|
|
|
|
|
selinux: add support for installing a dummy policy (v2)
In August 2006 I posted a patch generating a minimal SELinux policy. This
week, David P. Quigley posted an updated version of that as a patch against
the kernel. It also had nice logic for auto-installing the policy.
Following is David's original patch intro (preserved especially
bc it has stats on the generated policies):
se interested in the changes there were only two significant
changes. The first is that the iteration through the list of classes
used NULL as a sentinel value. The problem with this is that the
class_to_string array actually has NULL entries in its table as place
holders for the user space object classes.
The second change was that it would seem at some point the initial sids
table was NULL terminated. This is no longer the case so that iteration
has to be done on array length instead of looking for NULL.
Some statistics on the policy that it generates:
The policy consists of 523 lines which contain no blank lines. Of those
523 lines 453 of them are class, permission, and initial sid
definitions. These lines are usually little to no concern to the policy
developer since they will not be adding object classes or permissions.
Of the remaining 70 lines there is one type, one role, and one user
statement. The remaining lines are broken into three portions. The first
group are TE allow rules which make up 29 of the remaining lines, the
second is assignment of labels to the initial sids which consist of 27
lines, and file system labeling statements which are the remaining 11.
In addition to the policy.conf generated there is a single file_contexts
file containing two lines which labels the entire system with base_t.
This policy generates a policy.23 binary that is 7920 bytes.
(then a few versions later...):
The new policy is 587 lines (stripped of blank lines) with 476 of those
lines being the boilerplate that I mentioned last time. The remaining
111 lines have the 3 lines for type, user, and role, 70 lines for the
allow rules (one for each object class including user space object
classes), 27 lines to assign types to the initial sids, and 11 lines for
file system labeling. The policy binary is 9194 bytes.
Changelog:
Aug 26: Added Documentation/SELinux.txt
Aug 26: Incorporated a set of comments by Stephen Smalley:
1. auto-setup SELINUXTYPE=dummy
2. don't auto-install if selinux is enabled with
non-dummy policy
3. don't re-compute policy version
4. /sbin/setfiles not /usr/sbin/setfiles
Aug 22: As per JMorris comments, made sure make distclean
cleans up the mdp directory.
Removed a check for file_contexts which is now
created in the same file as the check, making it
superfluous.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2008-08-27 03:47:57 +08:00
|
|
|
cd scripts/selinux
|
|
|
|
sh install_policy.sh
|
|
|
|
|
|
|
|
Step 4 will create a new dummy policy valid for your
|
|
|
|
kernel, with a single selinux user, role, and type.
|
2017-05-13 19:51:44 +08:00
|
|
|
It will compile the policy, will set your ``SELINUXTYPE`` to
|
|
|
|
``dummy`` in ``/etc/selinux/config``, install the compiled policy
|
|
|
|
as ``dummy``, and relabel your filesystem.
|