SELinux/Tutorials/Using gentoo selocal for small policy enhancements
Using Gentoo selocal for small policy enhancements
In a previous tutorial, we explained how to create your own policy module. However, when you want to make small changes here and there, this might seem like too much overhead. To allow for small changes to be made to the policy, Gentoo introduced the selocal command which manages a local policy module (called "selocal") where you can add and remove SELinux policy rules to.
The selocal application is Gentoo-specific!
As the name implies, selocal aims to provide an interface for handling local policy updates that do not need to be packaged or distributed otherwise. It is a command-line application that you feed single policy rules at one at a time. Each rule can be accompanied with a single-line comment, making it obvious for the user to know why he added the rule in the first place.
Usage: selocal [<command>] [<options>] <rule|line> Command can be one of: -l, --list List the content of a SELinux module -a, --add Add an entry to a SELinux module -d, --delete Remove an entry from a SELinux module -M, --list-modules List the modules currently known by selocal -u, --update-dep Update the dependencies for the rules -b, --build Build the SELinux module (.pp) file (requires privs) -L, --load Load the SELinux module (.pp) file (requires privs) Options can be one of: -m, --module <module> Module name to use (default: selocal) -c, --comment <comment> Comment (with --add) The option -a requires that a rule is given, like so: selocal -a "dbadm_role_change(staff_r)" The option -d requires that a line number, as shown by the --list, is given, like so: selocal -d 12
Let’s say that you need to launch a small script you written as a daemon, but you want this to run while you are still in the staff_t domain (it is a user-sided daemon you use personally). As regular staff_t isn’t allowed to have processes bind on generic ports/nodes, you need to enhance the SELinux policy a bit. With selocal, you can do so as follows:
selocal --add "corenet_tcp_bind_generic_node(staff_t)" --comment "Launch local webserv.py daemon"
selocal --add "corenet_tcp_bind_generic_port(staff_t)" --comment "Launch local webserv.my daemon"
selocal --build --load
When finished, the local policy is enhanced with the two mentioned rules. You can query which rules are currently stored in the policy:
12: corenet_tcp_bind_generic_node(staff_t) # Launch local webserv.py daemon 13: corenet_tcp_bind_generic_port(staff_t) # Launch local webserv.py daemon
If you need to delete a rule, just pass the line number:
selocal --delete 13
Having this tool around also makes it easier to test out changes suggested through bugreports as well.
Underlyingly, selocal creates and maintains the necessary policy file in ~/.selocal and by default uses the selocal policy module name.
What you need to remember
What you should remember from this tutorial is that
- Gentoo provides a selocal script to easily manage small enhancements
- The selocal script by default manages the selocal policy module