* TE Policy Modules for SELinux policies
@ 2005-01-11  4:35 Serge Hallyn
  2005-01-11 20:01 ` Serge Hallyn
  0 siblings, 1 reply; 2+ messages in thread
From: Serge Hallyn @ 2005-01-11  4:35 UTC (permalink / raw)
  To: SELinux

Hi,

Three or four years ago I started using "policy modules" to write DTE
policies.  A year or two ago I considered porting/extending the policy
modules to support selinux.  I've played on and off, and finally decided
this weekend to get it to a state where I could send it out.

The attached tarball contains sel_pc.py (and supporting code), which
converts policy modules to an selinux policy.  A sample module is in
selinux_policy_modules/modules/basic, which compiled to bootable
policies - under enforcing mode.  I have not added sufficient permissions
(i.e. to class lnkfile, process, etc) to bother trying to use enforcing.

One way in which this differs from writing selinux policy by hand, is that
access rules are actually grants and requests (and denials) by specific
domains and types.  As such, priorities can be used to resolve conflicts
in intuitive ways.  For instance, if we have

type etc_t
        access boot_d f:r
        access user_d none
end

domain user_d
        type etc_t f:r
end

Then domain user_d will not receive the f:r to etc_t, because the "incoming"
permission grant (into etc_t) trumps the "outgoing" permission request (from
user_d).  Of course this example isn't very useful, but it becomes useful with
grouping, i.e. domain user_d can simply ask for 'f:r' to 'bin.*' or 'all', even if
etc_t is defined as "bin.etc_t".

The DTE module compiler code had support for automatic policy analysis.
I have not yet tested this under sel_pc, but do plan to do so.  One
class which I had written, for instance, checked for maintenance of
Bell-LaPadula dominates relations among pre-existing types when a new module
was applied to a policy.  (an idea I took from TIS' live policy extension
paper)

Usage:

tar jxf selinux_policy_modules.03.tar.bz2
cd selinux_policy_modules/modules
../src/sel_pc.py -f list -o policy -c file_contexts
checkpolicy policy -o policy.bin
install policy.bin and set file_contexts
(I installed under /etc/selinux/serge/, for instance)

TODO:
        general debugging
        write better policies
        test under enforcing
        test policy consistency classes (blp, mod_blp, etc)
        incorporate booleans into module language

thanks,
-serge

PS - For more information, usenix members can read
http://www.usenix.org/events/usenix04/tech/freenix/hallyn.html.  Sorry
it's not publicly available...

[-- Attachment #2: selinux_policy_modules.03.tar.bz2 --]
[-- Type: application/octet-stream, Size: 17848 bytes --]
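To make the grant/request/denial resolution described above concrete, here is an added example (not code from the tarball or from sel_pc.py) that parses a small module in the syntax shown in the post and computes the effective permissions. The precedence it applies is an assumption drawn from the post: an explicit 'access <domain> none' on a type denies that domain regardless of what the domain requests, other 'access' lines on a type are grants, and a domain's 'type <pattern> perms' line is a request honoured for every matching type unless denied. The module text and the names in it are constructed.

```python
import fnmatch

# Constructed sample in the module syntax shown in the post (names are illustrative).
SAMPLE_MODULE = """
type bin.etc_t
        access boot_d f:r
        access user_d none
end

domain boot_d
        type bin.etc_t f:w
end

domain user_d
        type bin.* f:r
end
"""

def parse_module(text):
    """Return ({type: [(domain, perms)]}, {domain: [(pattern, perms)]})."""
    types, domains, block = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if block is None:                      # 'type NAME' or 'domain NAME' opens a block
            kind, name = line.split()
            block = (kind, name)
            (types if kind == "type" else domains).setdefault(name, [])
        elif line == "end":
            block = None
        else:                                  # 'access DOM PERMS' or 'type PATTERN PERMS'
            _, target, perms = line.split()
            (types if block[0] == "type" else domains)[block[1]].append((target, perms))
    return types, domains

def resolve(types, domains):
    """Effective permissions per (domain, type).  Assumed precedence: an explicit
    'access <domain> none' on the type denies that domain outright; other 'access'
    lines on the type are grants; a domain's 'type <pattern> perms' line is a
    request, honoured for each matching type unless the type denies the domain."""
    allowed = {}
    for t, incoming in types.items():
        denied = {d for d, p in incoming if p == "none"}
        for d, p in incoming:                  # incoming grants into the type
            if p != "none":
                allowed.setdefault((d, t), set()).add(p)
        for d, requests in domains.items():    # outgoing requests from each domain
            if d in denied:
                continue
            for pat, p in requests:
                if pat == "all" or fnmatch.fnmatchcase(t, pat):
                    allowed.setdefault((d, t), set()).add(p)
    return allowed

def effective(text=SAMPLE_MODULE):
    return resolve(*parse_module(text))
```

With the sample, boot_d ends up with both f:r (granted by the type) and f:w (requested by the domain), while user_d's 'bin.*' request gets nothing on bin.etc_t because the type denies it.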

* Re: TE Policy Modules for SELinux policies
  2005-01-11  4:35 TE Policy Modules for SELinux policies Serge Hallyn
@ 2005-01-11 20:01 ` Serge Hallyn
  0 siblings, 0 replies; 2+ messages in thread
From: Serge Hallyn @ 2005-01-11 20:01 UTC (permalink / raw)
  To: SELinux

As (and if) I make changes, the latest version will be linked at the top of
http://www.cs.wm.edu/~hallyn/dte  (specifically,
http://www.cs.wm.edu/~hallyn/dte/selinux_policy_modules.latest.tar.bz2).

The latest version has a bit more documentation and policy than the one sent out
last night.

-serge
