SELinux – Create your custom policy to solve a prevented access / write / read / … problem.


If you are a system administrator, you have almost certainly faced at least one issue with SELinux. In short: SELinux is a mandatory access control mechanism that allows or denies processes access to files (and other resources) based on the security labels of the process and of the object. If you use the default processes with their default paths, SELinux allows the access exactly as the policy defines it. But if you change, for example, the default logging path, SELinux has no way to know that this access is expected rather than the behaviour of a trojan-modified process, unless you declare it.

Detect whether SELinux is blocking your task:

The simplest way to find out whether SELinux is the cause: temporarily switch SELinux to permissive mode. Note that setenforce 0 does not unload the policy; denials are still logged in the audit log, they are just no longer enforced.

[root@lab-test01.test] /home/pmikaczo # getenforce
[root@lab-test01.test] /home/pmikaczo # setenforce 0
[root@lab-test01.test] /home/pmikaczo # getenforce

If your task now works, re-enable enforcing mode (setenforce 1) and check the audit log file.

Denied actions are logged in /var/log/audit/audit.log. A line containing the string “denied” means that SELinux prevented something for some process; the denied permission is given inside the braces after “denied”. For example:

  • denied  { write } for  pid=39736 comm="logrotate" name="http_access.log" dev=dm-0 ino=527..........
  • avc:  denied  { open } for  pid=24683 comm="cat" name="IAMcheck01" dev=dm-0 ino=920..........

If you do not find any related message in audit.log, you may be facing a silent denial: the policy contains dontaudit rules that suppress some AVC messages. Temporarily disable the dontaudit rules with the following command:


  • semodule -DB
    After you have found the denied message, rebuild the policy with semodule -B to re-enable the dontaudit rules. They filter out a lot of messages you do not need.

    Hint: the time-stamp in audit.log is a Unix epoch. To read it, use an online epoch converter, run date -d @<timestamp>, or let ausearch -i interpret the record (it also prints the time in a readable form).

Create your custom policy to solve it:

Grep for the command that was denied (the comm="" field) in audit.log and pipe the result into audit2allow:

grep cat /var/log/audit/audit.log | audit2allow -M SNMP_IAM_Check_fix
  • If you have many denied messages, copy the relevant lines from audit.log into a separate file and grep that file (not audit.log). Note that a bare grep cat also matches unrelated lines, for example file names containing “cat”; grep for comm="cat" if you want an exact match.
  • audit2allow -M already writes both SNMP_IAM_Check_fix.te and SNMP_IAM_Check_fix.pp. Review the generated *.te file before installing it: audit2allow allows exactly what was denied, nothing more, and its own #!!!! comments tell you when a boolean (setsebool) would be the proper fix instead of a new allow rule. If you edit the *.te file, rebuild the package as follows.

Create the module and the policy package from the .te file:

checkmodule -M -m -o SNMP_IAM_Check_fix.mod SNMP_IAM_Check_fix.te
semodule_package -o SNMP_IAM_Check_fix.pp  -m SNMP_IAM_Check_fix.mod

Install the created custom local policy module:

semodule -i SNMP_IAM_Check_fix.pp


Test & correct it if needed:

In some cases the created local policy does not solve your problem on the first attempt. This does not mean your policy is wrong: check audit.log again, because the installed policy may have solved one access problem only for a new one to appear. This is common, since the denied process in many cases needs several permissions for the same task (open, read, write) and SELinux logs only the first one it hits. A shortcut is to run the task once in permissive mode (setenforce 0), so that every denial of that task is logged in one go, and then build a single module from all of them. Otherwise, when you find the next problem, just create the next module and install it. Once no more denied messages appear, you can merge everything into ONE local policy module that contains all the definitions (edit the *.te file and follow the process described above). One caveat: if the denial comes from a file in a non-default path, such as the changed logging directory from the introduction, the cleaner fix is usually to label that path correctly (semanage fcontext followed by restorecon) rather than to allow the process to access the wrong file type.
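Here is the whole procedure above as one shell script, added as an example for this post (it is neither the article's own code nor part of the SELinux tools). The AVC lines are constructed sample data, the helper names (sample_denials, avc_for_comm, avc_permissions, avc_after_serial, build_and_install_module) are my own, and the module name SNMP_IAM_Check_fix is the one used on the page. The parsing helpers run anywhere; build_and_install_module needs the real audit2allow / checkmodule / semodule_package / semodule tools and refuses to run without them.

```shell
#!/bin/sh
# Added example for this post (not the article's own code): the grep ->
# audit2allow -> build -> install -> re-check loop as shell functions.
# The AVC lines below are constructed sample data; function names are mine.

# Constructed sample of /var/log/audit/audit.log: two denials for "cat" (the
# page's IAMcheck01 case), one unrelated logrotate denial whose file name also
# contains "cat", and a SYSCALL record that is not an AVC line at all.
sample_denials() {
  cat <<'EOF'
type=AVC msg=audit(1620000000.123:4567): avc:  denied  { open } for  pid=24683 comm="cat" name="IAMcheck01" dev="dm-0" ino=920 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620000000.456:4570): avc:  denied  { read } for  pid=24683 comm="cat" name="IAMcheck01" dev="dm-0" ino=920 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620000000.789:4580): avc:  denied  { write } for  pid=39736 comm="logrotate" name="catalog.log" dev="dm-0" ino=527 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1620000000.123:4567): arch=c000003e syscall=257 success=no exit=-13 comm="cat" exe="/usr/bin/cat"
EOF
}

# Count lines on stdin without the leading blanks some wc builds print.
count_lines() { awk 'END { print NR }'; }

# Keep only AVC denials whose comm="..." field is exactly $1.  A bare
# `grep cat` would also match "catalog.log" and the SYSCALL record.
avc_for_comm() {
  grep 'avc:  denied' | grep -F "comm=\"$1\""
}

# List the distinct permissions denied in the lines on stdin, e.g. "open read".
avc_permissions() {
  sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | tr ' ' '\n' | sed '/^$/d' \
    | sort -u | paste -s -d ' ' -
}

# Print only denials whose audit serial (msg=audit(EPOCH:SERIAL)) is greater
# than $1, i.e. the ones logged since your previous module was installed.
avc_after_serial() {
  awk -v last="$1" '
    match($0, /audit\([0-9.]*:[0-9]*\)/) {
      serial = substr($0, RSTART, RLENGTH)
      sub(/^audit\([0-9.]*:/, "", serial); sub(/\)$/, "", serial)
      if (serial + 0 > last + 0) print
    }'
}

# Build and install a local module named $1 from the denials on stdin, the
# way the page does.  audit2allow -M already writes $1.te and $1.pp; the
# checkmodule / semodule_package pair is what you rerun after editing $1.te.
build_and_install_module() {
  name="$1"
  for tool in audit2allow checkmodule semodule_package semodule; do
    command -v "$tool" >/dev/null 2>&1 || {
      echo "missing $tool: install the policycoreutils / checkpolicy tools" >&2
      return 2
    }
  done
  audit2allow -M "$name" || return 1
  # audit2allow marks denials a boolean would fix; stop and read the .te first.
  if grep -q 'can be allowed using the boolean' "$name.te"; then
    echo "audit2allow suggests a boolean; review $name.te before installing" >&2
    return 3
  fi
  checkmodule -M -m -o "$name.mod" "$name.te" \
    && semodule_package -o "$name.pp" -m "$name.mod" \
    && semodule -i "$name.pp"
}

# Typical use on a real host (not run here):
#   grep 'avc:  denied' /var/log/audit/audit.log > denials.txt
#   avc_for_comm cat < denials.txt | build_and_install_module SNMP_IAM_Check_fix
#   ...re-run the task, then look only at what was logged after the last serial:
#   avc_for_comm cat < denials.txt | avc_after_serial 4570 | avc_permissions
```

The serial filter is the practical answer to “SELinux logs only the first problem”: after each install, re-run the task and feed only the denials newer than the last serial you handled into the next audit2allow round, so the final merged module contains each rule once.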
