Chapter 8 explained the syntax and operation of the statements that make up the SELinux policy language. This chapter explains how to customize SELinux policies. It begins by reviewing the structure of the SELinux policy source tree and the Makefile that’s used to compile, build, and load an SELinux policy. The chapter then explains several typical policy customizations of the sort you’re most likely to perform. Most often, you’ll use customizations recommended by the Audit2allow program. However, you’ll need to carefully review such recommendations rather than blindly implement them. Otherwise, you may extend an unnecessarily broad set of permissions, thereby compromising system security. The chapter concludes with descriptions of some policy management tools, along with hints and procedures for using them.
Chapter 5 explained
the
structure of the SELinux policy source tree. The source tree
typically resides in the directory
/etc/security/selinux/src/policy; however, your
SELinux distribution may place it elsewhere. Table 9-1 recaps the structure of the policy source
tree. You’ll likely find it convenient to refer to
this table as you read this chapter; it will help you locate the file
that contains a particular type of declaration, the file to which you
should add a particular type of declaration, or the directory in
which you should create the file to hold a particular type of
declaration. In other words, it’s your roadmap to
the policy source tree.
Table 9-1. The SELinux policy source tree
|
Directory/file |
Description |
|---|---|
|
Defines contexts for special applications, such as
| |
|
Defines TE assertions. | |
|
Defines type attributes. | |
|
Defines Boolean constraints on permissions. | |
|
Defines administrative domains. | |
|
Defines miscellaneous domains, such as the
| |
|
Defines domains for specific programs. | |
|
Defines user domains. | |
|
Defines security contexts of miscellaneous domains. | |
|
Defines security contexts for files related to specific programs. | |
|
Defines security contexts applied when the security policy is installed. | |
|
Contains files—such as | |
|
Defines the labeling behavior for specific filesystem types. | |
|
Defines security contexts for filesystem types not supporting persistent labels or that use a fixed labeling scheme. | |
|
Defines the security context for each initial SID. Generally, only SELinux developers modify the contents of this file. | |
|
Defines macros used in specifying administrative domains. | |
|
Defines rules and types related to an ordinary user domain. | |
|
Defines core TE macros. | |
|
Defines macros used throughout the policy. | |
|
Defines macros used in specifying very simple user domains. | |
|
Defines macros used to specify derived domains that support policy separation among multiple instances of a single program. | |
|
Defines macros used in specifying user domains. | |
|
Supports common administrative operations, as explained in the section of this chapter titled “Using the SELinux Makefile.” | |
|
Defines the MLS configuration. | |
|
Defines the security contexts of network objects. | |
|
The policy binary file; for example, | |
|
The policy source file, assembled under control of the Makefile, from the component sources. | |
|
Defines the RBAC (Role-Based Access Control) configuration. | |
|
Defines users related to specific services (Fedora Core). | |
|
A working directory used during policy compilation. The
Makefile assembles the component files of the TE
configuration into the file | |
|
Provides tweakable macro definitions for tuning the policy (Fedora Core). | |
|
Contains files defining general types—types not associated with a particular domain—and related rules. | |
|
Defines the users. |