weblog d’un abbe

20070505

Hacking first SELinux policy module

Filed under: Fun, Hacking — abbe @ 2146

Yesterday night I found (using sudo tail /var/log/audit/audit.log) that there were some SELinux AVC denials caused by eGroupware‘s phpsysinfo module. So this means I need to revise the SELinux policy for httpd that I had previously created for eGroupware. So I downloaded the current selinux-policy SRPM using yumdownloader (yumdownloader -e updates-source -e core-source --source selinux-policy) and installed it in my local rpmbuild tree. After installing it I produced the following patch for the changes I made to ~/rpmbuild/BUILD/serefpolicy-*/policy/modules/services/apache.te (and to policy/global_tunables, where the new boolean is declared):

diff -urN serefpolicy-2.4.6/policy/global_tunables serefpolicy-2.4.6.new/policy/global_tunables
--- serefpolicy-2.4.6/policy/global_tunables	2007-05-05 15:06:48.000000000 +0530
+++ serefpolicy-2.4.6.new/policy/global_tunables	2007-05-04 21:00:49.000000000 +0530
@@ -104,6 +104,13 @@
 gen_tunable(allow_httpd_anon_write,false)
 
 ## <desc>
+## <p>Allow apache to retrieve/send mails
+## using external mail servers, by connecting
+## to 'smtp' and 'pop3'/'imap' ports.</p>
+## </desc>
+gen_tunable(allow_httpd_egroupware,false)
+
+## <desc>
 ## <p>
 ## Allow Apache to use mod_auth_pam
 ## </p>
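Review bot: the `<desc>` added above `gen_tunable(allow_httpd_egroupware,false)` describes only the smtp/pop3/imap connections, but the apache.te half of this patch ties the same boolean to executing mount and reading usbfs, fs sysctls, utmp, NFS state and network state for phpsysinfo; since this description is what an administrator sees when deciding whether to switch the boolean on, it should list everything the boolean enables, e.g. `## <p>Allow apache to connect to smtp/pop/imap ports and to read hardware, sysctl, utmp and NFS/network state for eGroupware (phpsysinfo).</p>`. The neighbouring entries also put `<p>` on its own line; keep the new block in the same shape.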
diff -urN serefpolicy-2.4.6/policy/modules/services/apache.te serefpolicy-2.4.6.new/policy/modules/services/apache.te
--- serefpolicy-2.4.6/policy/modules/services/apache.te	2007-05-05 15:06:48.000000000 +0530
+++ serefpolicy-2.4.6.new/policy/modules/services/apache.te	2007-05-05 15:05:34.000000000 +0530
@@ -337,6 +337,29 @@
 	allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
 ')
 
+# hack for egroupware application
+tunable_policy(`allow_httpd_egroupware', `
+	corenet_tcp_connect_pop_port(httpd_t)
+	corenet_tcp_sendrecv_pop_port(httpd_t)
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_tcp_sendrecv_smtp_port(httpd_t)
+	miscfiles_read_hwdata(httpd_t)
+	mount_exec(httpd_t)
+	kernel_read_fs_sysctls(httpd_t)
+	dev_read_usbfs(httpd_t)
+	rpc_read_nfs_state_data(httpd_t)
+	files_read_etc_runtime_files(httpd_t)
+	init_read_utmp(httpd_t)
+	kernel_read_network_state(httpd_t)
+#allow httpd_t etc_runtime_t:dir search;
+#allow httpd_t initrc_var_run_t:file read;
+#allow httpd_t proc_net_t:dir search;
+#allow httpd_t mount_exec_t:file execute;
+#allow httpd_t sysctl_fs_t:dir search;
+#allow httpd_t usbfs_t:dir search;
+#allow httpd_t var_lib_nfs_t:dir search;
+	')
+
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
 	allow httpd_t httpd_sys_script_t:fd use;
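Review bot: the seven commented-out `#allow httpd_t ...` lines inside the new tunable_policy block are raw audit2allow output that the interface calls above them already cover (`#allow httpd_t mount_exec_t:file execute;` is what `mount_exec(httpd_t)` grants, `#allow httpd_t proc_net_t:dir search;` is inside `kernel_read_network_state(httpd_t)`, and so on); drop them rather than ship dead rules that will drift from the interfaces. Two smaller points on the same hunk: the closing `')` is tab-indented while every other tunable_policy block in this file closes at column 0, and the boolean bundles two unrelated grants, mail-port connects and phpsysinfo's system reads including execution of mount, so a site that only needs eGroupware's mail features has to accept the rest; splitting it into two booleans would keep each closer to least privilege.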
@@ -716,6 +739,7 @@
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
 
+
 ########################################
 #
 # httpd_rotatelogs local policy
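Review bot: this hunk only inserts a blank line before the `httpd_rotatelogs local policy` banner; it is a whitespace-only change unrelated to the eGroupware rules and will produce needless conflicts the next time the patch is rebased onto a new selinux-policy, so leave it out.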

After this I modified selinux-policy.spec to include my patch during package building. Then I built and installed the new SELinux policy RPM, and now there are no more AVC denials due to eGroupware :)

But what will happen when the selinux-policy* package(s) get updated? It seems I will need to repatch the new selinux-policy. Oops, this means that for any newly SELinux-confined application, the policy changes have to be made in the selinux-policy package. :-( So I realized I was just making a workaround (a hotfix, a जुगाड़), which is better than disabling SELinux but not a good solution; what I need is an SELinux policy module. So I looked on FedoraProject.org and found "Packaging SELinux modules". With the help of that article I hacked together an SELinux policy module for eGroupware. The results of this hacking, selinux-policy-egroupware.src.rpm (md5sum: bb6f8456e84c929b6ae63b67dd194399) and selinux-policy-egroupware.noarch.rpm (md5sum: 90e1bf62212741b6d7892f195afcf4c1), are available for download. Anyway, happy SELinuxing… ;-)
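As an added example (not code from the post, from eGroupware or from the Fedora article), here is the module route the post ends up taking, written as a shell script: it writes the same tunable_policy rules into a standalone egroupware.te so the base selinux-policy package stays unpatched, builds and loads it with the policy devel Makefile, and carries a small awk summary of AVC denials from the audit log so the grants in the module can be checked against what was actually denied before loading it and confirmed gone afterwards. The interface names are the ones in the post's patch; the Makefile path, the module name and version, the empty .fc/.if files and the sample audit lines are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not code from the post: the eGroupware rules packaged as a
# standalone SELinux policy module, plus an AVC-denial summary for checking
# the audit log before and after loading it.
# Assumptions: the reference-policy interfaces below exist on the target
# (they are the ones the post's patch calls) and selinux-policy-devel
# provides /usr/share/selinux/devel/Makefile.
set -e

# Write egroupware.te (with empty .fc and .if) into directory $1 and print
# the .te path. The boolean is declared in the module itself.
write_module() {
    mkdir -p "$1"
    cat > "$1/egroupware.te" <<'EOF'
policy_module(egroupware, 0.1)

gen_require(`
    type httpd_t;
')

## <desc>
## <p>Allow httpd to connect to smtp/pop/imap ports and to read the
## hardware, sysctl, utmp and NFS/network state that eGroupware's
## phpsysinfo module needs.</p>
## </desc>
gen_tunable(allow_httpd_egroupware, false)

tunable_policy(`allow_httpd_egroupware', `
    corenet_tcp_connect_pop_port(httpd_t)
    corenet_tcp_sendrecv_pop_port(httpd_t)
    corenet_tcp_connect_smtp_port(httpd_t)
    corenet_tcp_sendrecv_smtp_port(httpd_t)
    miscfiles_read_hwdata(httpd_t)
    mount_exec(httpd_t)
    kernel_read_fs_sysctls(httpd_t)
    dev_read_usbfs(httpd_t)
    rpc_read_nfs_state_data(httpd_t)
    files_read_etc_runtime_files(httpd_t)
    init_read_utmp(httpd_t)
    kernel_read_network_state(httpd_t)
')
EOF
    : > "$1/egroupware.fc"   # no new file contexts for this module
    : > "$1/egroupware.if"   # no interfaces exported either
    echo "$1/egroupware.te"
}

# Compile, install and switch the boolean on. Needs the devel Makefile and
# root; it is a no-op on a host without the policy development files.
build_module() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "no /usr/share/selinux/devel/Makefile, skipping build" >&2
        return 0
    fi
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile egroupware.pp)
    semodule -i "$1/egroupware.pp"
    setsebool -P allow_httpd_egroupware 1
}

# Summarise AVC denials in audit log $1 as
#   <count> <source type> <target type> <class> <permissions>
# so you can see exactly which grants a module must contain and, after
# loading it, confirm that the list is empty.
summarize_avc() {
    grep 'avc:  denied' "$1" | awk '
    {
        perm = ""; sctx = ""; tctx = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # permission set sits between "{" and "}"
            if ($i == "{") { j = i + 1; while (j <= NF && $j != "}") { perm = perm $j " "; j++ } }
            # contexts are user:role:type:level; field 3 is the type
            if (index($i, "scontext=") == 1) { split($i, a, ":"); sctx = a[3] }
            if (index($i, "tcontext=") == 1) { split($i, a, ":"); tctx = a[3] }
            if (index($i, "tclass=") == 1) { cls = substr($i, 8) }
        }
        sub(/ $/, "", perm)
        count[sctx " " tctx " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Constructed audit.log sample (not real captures) in the format the post's
# tail command shows: two smtp-port connects and one /proc/net lookup.
sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1178318400.101:1001): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1178318400.101:1001): arch=40000003 syscall=102 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1178318402.102:1002): avc:  denied  { name_connect } for  pid=2202 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1178318405.103:1003): avc:  denied  { search } for  pid=2201 comm="httpd" name="net" dev=proc ino=4026531983 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
EOF
    echo "$1"
}

# Usage (as root on the target): summarise the denials, then build and load.
#   summarize_avc /var/log/audit/audit.log
#   te=$(write_module /root/egroupware-selinux); build_module "$(dirname "$te")"
```

The summary is deliberately coarser than audit2allow: it groups by source type, target type, class and permission so you can decide which existing interface covers each line (as the post's patch does) instead of pasting raw allow rules, and running it again after semodule -i is the quickest check that the module grants exactly what was missing and nothing is still being denied.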


2 Comments »

  1. Thanks for this work, I didn’t know how to solve the problem of using egroupware without stopping selinux :(.
    Now it’s good :)

    Comment by Pierre — 20070804 @ 2308

  2. I’m glad someone is using it.

    Comment by आशीष शुक्ल — 20070805 @ 0004
