From: Stephen Smalley <sds@tycho.nsa.gov>
To: Sam Gandhi <samgandhi9@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: Generating policy for embedded platforms.
Date: Thu, 14 Apr 2011 13:04:17 -0400
Message-ID: <1302800657.31033.67.camel@moss-pluto>
In-Reply-To: <BANLkTi=owF5uDftV12_ujGU=wWiKkG8M2w@mail.gmail.com>
On Thu, 2011-04-14 at 09:07 -0700, Sam Gandhi wrote:
> Hello,
>
> Hopefully this is the appropriate mailing list for this type of email; if
> not, please do let me know the appropriate forum for the questions below.
>
> I am trying to enable SELinux on an embedded platform running Linux 2.6.35.
>
> One of the ideas we have is to run SELinux in permissive mode and
> gather the AVC messages as our programs start, then convert those
> messages to 'allow' policy and deny everything else, much like what is
> done in IP packet forwarding: allow only the traffic you know you want to
> process and deny everything else.
>
> Now the question is: how does one generate a deny-all policy for SELinux?
>
> I have come across the mdp program in the kernel source code and the
> install_policy.sh script. Is that the right way to get started on
> building the most minimal policy set for an embedded system, where a large
> desktop policy may not be appropriate?
>
> Below is the script I am trying to use to set up the dummy policy (as
> described in Documentation/SELinux.txt), and I am booting the kernel with
> the enforcing=0 selinux=1 kernel parameters.
>
> The problem is that I don't see any of the AVC messages as my applications
> start and open files/sockets etc. What am I doing wrong?
First, are you loading the policy into the kernel at boot? That is the
responsibility of early userspace, typically handled from /sbin/init or
the initramfs script. Look for messages from SELinux in dmesg output
beyond the initial ones, along the lines of:
SELinux: 2048 avtab hash slots, 215487 rules.
SELinux: 2048 avtab hash slots, 215487 rules.
SELinux: 9 users, 14 roles, 3521 types, 184 bools, 1 sens, 1024 cats
SELinux: 81 classes, 215487 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
...
Second, if you use the policy generated by mdp, you'll have a policy
with exactly one type that is allowed to do everything. So you'll see
no denials at all until you start adding further types to the policy.
New types are not automatically generated by audit2allow - you have to
create them. A type is a security equivalence class, so you don't need
one for every individual program or file, only where you need to
distinguish permissions.
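The two checks above (was a policy loaded at all, and does it have more than one type) can be automated from dmesg text. This is an added example, not part of the thread; the sample dmesg lines are constructed, and the mdp type/rule counts in them are illustrative rather than taken from a real boot.

```shell
#!/bin/sh
# Added example: diagnose why permissive mode produces no AVC denials.
# Either early userspace never loaded a policy, or the loaded policy
# (e.g. one generated by mdp) has a single type, so nothing can be denied.

# Constructed sample: an mdp-style policy was loaded (counts illustrative).
SAMPLE_DMESG_MDP='SELinux:  Initializing.
SELinux: 2048 avtab hash slots, 81 rules.
SELinux: 1 users, 1 roles, 1 types, 0 bools, 1 sens, 1024 cats
SELinux: 81 classes, 81 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.'

# Constructed sample: the kernel came up but no policy was ever loaded.
SAMPLE_DMESG_NOPOLICY='SELinux:  Initializing.
SELinux:  Starting in permissive mode'

# Constructed sample: a full policy with many types (counts from the reply).
SAMPLE_DMESG_FULL='SELinux: 9 users, 14 roles, 3521 types, 184 bools, 1 sens, 1024 cats
SELinux: 81 classes, 215487 rules
SELinux: Completing initialization.'

# Print the number of types from the policy summary line, or 0 if absent.
policy_type_count() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/^SELinux: *[0-9]* users, [0-9]* roles, \([0-9]*\) types.*/\1/p' |
        head -n 1)
    echo "${n:-0}"
}

# Succeed only if the kernel reported finishing policy initialization.
policy_loaded() {
    printf '%s\n' "$1" | grep -q 'SELinux: *Completing initialization'
}

# Print one word: not-loaded, single-type, or ok.
diagnose_selinux() {
    if ! policy_loaded "$1"; then
        echo not-loaded
    elif [ "$(policy_type_count "$1")" -le 1 ]; then
        echo single-type
    else
        echo ok
    fi
}

# Run against the live kernel log only when asked to (needs dmesg access).
if [ "${1-}" = "--live" ]; then
    diagnose_selinux "$(dmesg 2>/dev/null)"
fi
```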
--
Stephen Smalley
National Security Agency