Learn how to write a custom SELinux policy using the CIL (Common Intermediate Language) format. In this tutorial, we’ll create a policy to confine the xcowsay program step-by-step.
Step 1. Set SELinux to permissive mode so that denials are logged but not enforced while we develop the policy
sudo setenforce 0
Step 2. Create the file called xcowsay.cil
nano xcowsay.cil
Step 3. Create the file context rule that labels the xcowsay executable
(filecon "/usr/bin/xcowsay" file (staff_u object_r xcowsay_exec_t ((s0) (s0))))
Step 4. Declare our process type and executable type
(type xcowsay_t)
(type xcowsay_exec_t)
Step 5. Associate our process type and executable type with the object_r role
(roletype object_r xcowsay_t)
(roletype object_r xcowsay_exec_t)
Step 6. Associate the role we are logged in with on this system, which in this case is staff_r, with the process type
(roletype staff_r xcowsay_t)
Step 7. Add the attribute assignments that are equivalent to the application_domain interface in Refpolicy
(typeattributeset application_domain_type (xcowsay_t))
(typeattributeset application_exec_type (xcowsay_exec_t))
(typeattributeset domain (xcowsay_t))
(typeattributeset entry_type (xcowsay_exec_t))
Step 8. Add the allow rules needed for the domain transition from staff_t to xcowsay_t when the executable is run, together with the typetransition rule itself
(allow xcowsay_t xcowsay_exec_t (file (entrypoint ioctl read getattr lock map execute open)))
(allow staff_t xcowsay_exec_t (file (ioctl read getattr map execute open execute_no_trans)))
(allow staff_t xcowsay_t (process (transition)))
(typetransition staff_t xcowsay_exec_t process xcowsay_t)
Step 9. Change the context of the xcowsay program to match the filecon rule in our .cil file and verify that it is labeled correctly (chcon only relabels the file on disk; once the module is installed, the filecon rule from Step 3 is what makes a later restorecon keep this label)
sudo chcon -t xcowsay_exec_t /usr/bin/xcowsay
ls -lZ /usr/bin/xcowsay
Step 10. Build and install the module:
sudo semodule -i xcowsay.cil
Step 11. Run the xcowsay program, then check the audit log for the AVC denials it produced and decide for each one whether it should be allowed by the policy. To list the denials, run the following command (the -ts value is the time at which you started the program, so adjust it to your own run):
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts 16:18
Step 12. These are the allow rules I got from checking the AVC denials from the previous step; I decided they were OK to add to the policy.
(allow xcowsay_t staff_t (fd (use)))
(allow xcowsay_t staff_t (fifo_file (ioctl read write getattr lock append)))
(allow xcowsay_t staff_t (process (sigchld)))
(allow xcowsay_t staff_t (unix_stream_socket (connectto)))
(allow xcowsay_t fs_t (filesystem (getattr)))
After adding the allow rules, install the module again:
sudo semodule -i xcowsay.cil
Step 13. Run the xcowsay program again; this time there should be no AVC denials. Then put SELinux back into enforcing mode and run the program once more to make sure it is not blocked. In our case it is not blocked once enforcing, so there is nothing left to add and our policy is done!
sudo setenforce 1
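Steps 11 and 12 turn AVC denial records into CIL allow rules by hand. The following added example (not part of the original tutorial) does that translation automatically: it parses the audit records that ausearch prints, merges the permissions per source type, target type and class, and emits one CIL allow rule per triple. The sample records are constructed to resemble the denials xcowsay produced; you would feed in the real ausearch output and still review each rule before adding it to xcowsay.cil.

```python
import re
from collections import defaultdict

# Fields we need from an audit AVC record, as printed by ausearch in Step 11.
# "permissive=1" means the access was logged but not blocked (Step 1).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def avc_to_cil(log_text):
    """Collapse AVC denial records into CIL allow rules, one per
    (source type, target type, class), with the permissions merged."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH and other record types carry no avc: field
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return rules


# Constructed sample records, shaped like the ausearch output from Step 11.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { use } for  pid=4321 comm="xcowsay" path="/dev/pts/0" dev="devpts" ino=3 scontext=staff_u:staff_r:xcowsay_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=fd permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read write } for  pid=4321 comm="xcowsay" path="pipe:[12345]" dev="pipefs" ino=12345 scontext=staff_u:staff_r:xcowsay_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { getattr } for  pid=4321 comm="xcowsay" path="pipe:[12345]" dev="pipefs" ino=12345 scontext=staff_u:staff_r:xcowsay_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { sigchld } for  pid=4321 comm="xcowsay" scontext=staff_u:staff_r:xcowsay_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process permissive=1
type=AVC msg=audit(1700000000.105:205): avc:  denied  { getattr } for  pid=4321 comm="xcowsay" name="/" dev="tmpfs" ino=1 scontext=staff_u:staff_r:xcowsay_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=137 success=yes exit=0
"""

if __name__ == "__main__":
    for rule in avc_to_cil(SAMPLE_LOG):
        print(rule)
```

The generated rules contain only the permissions actually denied, so they are narrower than the hand-written Step 12 rules (which also grant ioctl, lock and append on fifo_file); that is the point of reviewing them rather than pasting them in.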