Google Summer of Code/2012/Ideas/SELinux policy originator

From Gentoo Wiki
Jump to: navigation, search

SELinux policy originator

Gentoo Hardened is maturing its SELinux support rapidly. In SELinux, policies are written in a higher abstract format (dictated by the reference policy) and converted to the SELinux-specific rules (like allow, dontaudit, type transitions, etc.). For troubleshooting rights however, it is a very daunting task to find out why a particular rule is set (in other words, to find which higher level rule is causing the SELinux rule to exist).

The rules are converted in M4 language from constructs like "corenet_tcp_bind_http_port" to rules like:

  • allow $1 http_port_t:tcp_socket name_bind
  • allow $1 self:capability net_bind_service

It is the latter that end users can easily see (with tools such as sesearch) but it is not easy to find that "allow openvpn_t http_port_t:tcp_socket name_bind" comes from "corenet_tcp_bind_http_port(openvpn_t)" defined in the openvpn.te definition.

In this idea, we would like to find a way to register where these lines come from to improve debugging and troubleshooting


Contacts Required Skills
  • M4
  • SELinux