The information on this page is largely derived, with necessary modifications, from Creating and enforcing an SELinux policy for a custom application.
Prerequisites

```shell
dnf -y install selinux-policy-devel setroubleshoot-server
dnf -y group install 'Development Tools'   # needed for at least g++ and rpmbuild. Not sure if anything else is needed from this group.
```
Become root
All of the steps in this document are to be run as root.
Creating the service
Create mydaemon.cpp

```shell
cat > mydaemon.cpp << EOF
#include <iostream>
#include <fstream>
#include <chrono>
#include <ctime>
#include <thread>

using namespace std;

int main(void)
{
    while (1) {
        // current wall-clock time as a time_t (seconds since the epoch)
        time_t t = chrono::system_clock::to_time_t(chrono::system_clock::now());
        ofstream MyFile("/var/log/mydaemon.log", ios_base::app); // app = append, not overwrite
        MyFile << ctime(&t);
        MyFile.close();
        this_thread::sleep_for(chrono::milliseconds(5000));
    }
}
EOF
```
Build it
```shell
g++ -o /usr/local/bin/mydaemon mydaemon.cpp
```
Create the systemd unit
```shell
cat > /etc/systemd/system/mydaemon.service << EOF
[Unit]
Description=Simple testing daemon

[Service]
Type=simple
ExecStart=/usr/local/bin/mydaemon

[Install]
WantedBy=multi-user.target
EOF
```
...
```shell
ls -lZ /usr/local/bin/mydaemon
-rwxr-xr-x. 1 root root system_u:object_r:mydaemon_exec_t:s0 24504 Dec 1 15:24 /usr/local/bin/mydaemon
```
Temporarily set this SELinux domain to permissive (or set the whole system to permissive via setenforce 0).
...
and clear the audit log
```shell
setenforce 0
semodule --reload
```
Restart the daemon, and check that it now runs confined by SELinux:
```shell
systemctl restart mydaemon
ps -efZ | grep mydaemon
```
For information only: this shows what SELinux would have blocked.

```shell
sealert -l "*"
```
Build whatever new policy you need
```shell
mkdir ~/mydaemon-sepolicy2
cd ~/mydaemon-sepolicy2
# Make up a meaningful name for the module, such as "httpdwritehomes"
export newmod=mydaemonwritefiles
audit2allow -m $newmod -l -i /var/log/audit/audit.log > $newmod.te
# Edit the $newmod.te file and verify that it looks like what you want.
# Finally, to build & install the new module:
checkmodule -M -m -o $newmod.mod $newmod.te
semodule_package -o $newmod.pp -m $newmod.mod
```
...
```shell
semodule -i $newmod.pp
```
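To make the "verify that it looks like what you want" step concrete, here is an added example (not from the original page or the Red Hat documentation it derives from): a small shell stand-in for audit2allow that turns AVC denial records into the allow rules and require block of a .te file, so you can see exactly which (source type, target type, class, permissions) tuples the module would grant. The audit records are constructed to match what the daemon above would produce while permissive; the function name avc_to_te is this example's own.

```shell
#!/bin/sh
# Constructed sample records in the shape auditd writes to /var/log/audit/audit.log
# (illustrative, not captured from a real host). The SYSCALL line is there to show
# that non-AVC records are ignored.
SAMPLE_AVCS='type=AVC msg=audit(1701442000.123:456): avc:  denied  { write } for  pid=54205 comm="mydaemon" name="mydaemon.log" dev="dm-0" ino=1234 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1701442000.123:457): avc:  denied  { open } for  pid=54205 comm="mydaemon" path="/var/log/mydaemon.log" dev="dm-0" ino=1234 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1701442005.200:458): avc:  denied  { create } for  pid=54205 comm="mydaemon" name="mydaemon.log" dev="dm-0" ino=1234 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1701442005.200:458): arch=c000003e syscall=257 success=yes exit=3 comm="mydaemon"'

# avc_to_te MODNAME: read AVC records on stdin, print a .te module body.
# Each allow rule is one (source type, target type, class) with all denied
# permissions merged; review every rule before building the module, since
# this grants exactly what was denied, which may be broader than the daemon needs.
avc_to_te() {
  awk '
    /avc:  denied/ {
      s = t = c = perms = ""
      # the denied permissions are the words between the braces
      if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }  # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print s, t, c, p[j]
    }' | sort -u | awk -v mod="$1" '
    {
      types[$1] = 1; types[$2] = 1
      if (!(($3, $4) in seen)) { seen[$3, $4] = 1; cls[$3] = cls[$3] " " $4 }
      key = $1 " " $2 ":" $3; rules[key] = rules[key] " " $4
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (ty in types) print "\ttype " ty ";"
      for (c in cls)    print "\tclass " c " {" cls[c] " };"
      print "}\n"
      for (key in rules) print "allow " key " {" rules[key] " };"
    }'
}

printf '%s\n' "$SAMPLE_AVCS" | avc_to_te mydaemonwritefiles
```

On a real host, feed it the audit log instead of the sample (`avc_to_te "$newmod" < /var/log/audit/audit.log`) and compare with what audit2allow produced.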
Re-enable SELinux, restart the daemon, and confirm that it's working properly

```shell
setenforce 1
systemctl stop mydaemon
ps -eZ | grep mydaemon
# Confirm it's not running
rm -f /var/log/mydaemon.log
systemctl start mydaemon
ps -eZ | grep mydaemon
# Confirm it's running, and confined by SELinux under mydaemon_t
system_u:system_r:mydaemon_t:s0 54205 ? 00:00:00 mydaemon
# Confirm it's successfully writing
cat /var/log/mydaemon.log
```