The information on this page is largely derived, with necessary modifications, from Creating and enforcing an SELinux policy for a custom application.

Prerequisites

dnf -y install selinux-policy-devel
dnf -y group install 'Development Tools'
    # needed for gcc and make (to build the daemon and the policy module) and rpmbuild (the generated setup script also builds an RPM).
    # The sepolicy, semanage and audit2allow tools used below are part of policycoreutils-python-utils.

Become root

Every step on this page is run as root.

Creating the service

Create mydaemon.c

cat > mydaemon.c << 'EOF'
#include <unistd.h>
#include <stdio.h>
#include <time.h>
#include <stdint.h>

/* Every 5 seconds, overwrite /var/log/mydaemon.log with the current time.
 * Writing under /var/log is the one action the SELinux policy has to allow. */
int main(void) {
    while (1) {
        time_t t = time(NULL);  /* seconds since the epoch */

        FILE *f = fopen("/var/log/mydaemon.log", "w");
        if (f == NULL) {
            /* An SELinux denial shows up here as EACCES; systemd sends stderr to the journal */
            perror("fopen /var/log/mydaemon.log");
        } else {
            fprintf(f, "%jd seconds since epoch\n", (intmax_t)t);
            fclose(f);
        }

        sleep(5);
    }
}
EOF

Build it

gcc -o /usr/local/bin/mydaemon mydaemon.c

Create the systemd unit

cat > /etc/systemd/system/mydaemon.service << EOF
[Unit]
Description=Simple testing daemon

[Service]
Type=simple
ExecStart=/usr/local/bin/mydaemon

[Install]
WantedBy=multi-user.target
EOF

Make sure the unit file carries the label systemd expects (systemd_unit_file_t). A file written in place under /etc/systemd/system normally inherits it from the directory, but one copied in from elsewhere (for example root's home directory) may not; restorecon resets it either way. Then reload systemd:

restorecon -v /etc/systemd/system/mydaemon.service
systemctl daemon-reload

Start the service and check that it is running:

systemctl start mydaemon
systemctl status mydaemon

Notice that it is not confined: the binary is labelled bin_t and has no policy of its own, so systemd runs it in unconfined_service_t.

ps -efZ | grep mydaemon

Generate a custom policy for the daemon:

mkdir ~/mydaemon-sepolicy
cd ~/mydaemon-sepolicy
sepolicy generate --init /usr/local/bin/mydaemon

Created the following files:
/root/mydaemon-sepolicy/mydaemon.te # Type Enforcement file
/root/mydaemon-sepolicy/mydaemon.if # Interface file
/root/mydaemon-sepolicy/mydaemon.fc # File Contexts file
/root/mydaemon-sepolicy/mydaemon_selinux.spec # Spec file
/root/mydaemon-sepolicy/mydaemon.sh # Setup Script

Build it

./mydaemon.sh

The setup script compiles the module (mydaemon.pp), installs it with semodule -i, relabels the binary and builds an RPM from the generated spec file. Note that the binary now carries the new entrypoint type mydaemon_exec_t; executing a file of this type from init is what transitions the process into the new domain mydaemon_t.

ls -lZ /usr/local/bin/mydaemon

-rwxr-xr-x. 1 root root system_u:object_r:mydaemon_exec_t:s0 24504 Dec  1 15:24 /usr/local/bin/mydaemon

Temporarily set this domain to permissive, so that anything the daemon does that the new policy does not yet allow is logged as an AVC denial (ausearch -m AVC -ts recent) but not blocked. The mydaemon.te written by sepolicy generate normally already contains a "permissive mydaemon_t;" line; check with

grep permissive mydaemon.te

If the line is missing, mark the domain permissive from the command line instead (or set the whole system to permissive via setenforce 0):

semanage permissive -a mydaemon_t

Restart the daemon, and check that it now runs confined by SELinux in the mydaemon_t domain:

systemctl restart mydaemon
ps -efZ | grep mydaemon

system_u:system_r:mydaemon_t:s0 root  ...  /usr/local/bin/mydaemon
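The script below is an added example, not code from the original page and not what sepolicy generate writes verbatim. It hand-writes mydaemon.te and mydaemon.fc so that the daemon's one privileged action, creating and overwriting /var/log/mydaemon.log, is allowed through a private file type (mydaemon_log_t) rather than by giving the domain write access to every var_log_t file. It keeps the domain permissive until you call drop_permissive, and it runs the same build, install and relabel steps as the generated mydaemon.sh only when invoked with --install. The type name mydaemon_log_t, the function names and the --install flag are this example's own choices; the policy interfaces (init_daemon_domain, logging_log_file, logging_log_filetrans, manage_files_pattern, logging_search_logs) are standard reference-policy interfaces shipped with selinux-policy-devel.

```bash
#!/bin/bash
# Added example: hand-written SELinux module for mydaemon. Assumes the daemon
# and unit from this page and selinux-policy-devel for the build step.
set -eu

# Write mydaemon.te and mydaemon.fc into "$1" (the directory you ran
# `sepolicy generate` in; the generated .te and .fc are overwritten).
write_policy_sources() {
    local dir=$1
    cat > "$dir/mydaemon.te" << 'EOF'
policy_module(mydaemon, 1.0.0)

########################################
#
# Declarations
#

type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Private type for /var/log/mydaemon.log, so the daemon never needs
# write access to other files labelled var_log_t.
type mydaemon_log_t;
logging_log_file(mydaemon_log_t)

# Collect denials first; drop this line (drop_permissive) to enforce.
permissive mydaemon_t;

########################################
#
# mydaemon local policy
#

# fopen("/var/log/mydaemon.log", "w") needs search on /var/log, write on
# that directory to create the file, and create/open/write/truncate on the
# log itself. Files the daemon creates in /var/log get mydaemon_log_t
# through the type_transition that logging_log_filetrans adds.
logging_search_logs(mydaemon_t)
manage_files_pattern(mydaemon_t, mydaemon_log_t, mydaemon_log_t)
logging_log_filetrans(mydaemon_t, mydaemon_log_t, file)

# Baseline access most init daemons need (sepolicy generate adds these too).
files_read_etc_files(mydaemon_t)
miscfiles_read_localization(mydaemon_t)
EOF

    cat > "$dir/mydaemon.fc" << 'EOF'
/usr/local/bin/mydaemon    --    gen_context(system_u:object_r:mydaemon_exec_t,s0)
/var/log/mydaemon\.log     --    gen_context(system_u:object_r:mydaemon_log_t,s0)
EOF
}

# Return 0 while the .te still declares the domain permissive.
policy_is_permissive() {
    grep -Eq '^[[:space:]]*permissive[[:space:]]+mydaemon_t[[:space:]]*;' "$1"
}

# Remove the permissive declaration so the next build enforces the rules.
drop_permissive() {
    sed -i -E '/^[[:space:]]*permissive[[:space:]]+mydaemon_t[[:space:]]*;/d' "$1"
}

# Build, install and relabel: the steps the generated mydaemon.sh performs.
# Needs root and selinux-policy-devel; only run when asked for with --install.
build_and_install() {
    local dir=$1
    make -C "$dir" -f /usr/share/selinux/devel/Makefile mydaemon.pp
    semodule -i "$dir/mydaemon.pp"
    restorecon -v /usr/local/bin/mydaemon
    # A log left over from the unconfined run is still var_log_t; relabel it,
    # otherwise the confined daemon is denied opening it.
    if [ -e /var/log/mydaemon.log ]; then
        restorecon -v /var/log/mydaemon.log
    fi
    systemctl restart mydaemon
}

main() {
    local dir=${1:-$(mktemp -d)}
    write_policy_sources "$dir"
    echo "policy sources written to $dir"
    if [ "${2:-}" = "--install" ]; then
        build_and_install "$dir"
    fi
}

main "$@"
```

Run it as ./mydaemon-policy.sh ~/mydaemon-sepolicy to rewrite the sources, then ./mydaemon-policy.sh ~/mydaemon-sepolicy --install to load the module while it is still permissive. After the daemon has run for a while, ausearch -m AVC -ts recent should show no denials for mydaemon_t; at that point call drop_permissive on the .te and rerun with --install to enforce.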

