Loadable Policy Module
June 22nd, 2007 By shazkhan

I have been through the architecture of the loadable policy module. It's really nice. Now I am learning how to handle it and write policies accordingly. I am going through the 2005 NSA technical document containing the configuration of SELinux policies. I hope it helps.

Currently I need to know where the text form of the policy lies, if any. And if it isn't there, how do I make one? Per package or per module is easy and I know it, but what about base? Then how do I make a policy for corenetwork? And I am not getting any messages in permissive mode! There is a solution but this should be by default!

Mr. MMA, what do you suggest?

6 Responses to " Loadable Policy Module "
 
clickforamin
June 23rd, 2007

1. Loadable Policy Modules

Along with creating Reference Policy, they (the community) have also moved to a new mechanism for shipping and management of the SELinux policy called Loadable Policy Modules. It is also described at the Tresys web site:

“As a result of the increased integration of SELinux into distributions, the need for a robust policy management infrastructure has become clear. This policy management infrastructure should help administrators and policy authors dynamically deploy, update, and modify SELinux policies in a secure and convenient manner. Loadable policy modules attempt to address this need.”

http://www.tresys.com/selinux/loadable_modules.shtml

audit2allow has the capability to create a policy module from AVC messages. In FC4 you had the ability to create a local.te file and then recompile the policy. In FC5 you can use audit2allow to create a policy and then use semodule to load it into the kernel as a loadable module. More explanation of loadable modules is available at the following:
http://fedoraproject.org/wiki/SELinux/LoadableModules

2. Development Environment for building policy packages

selinux-policy now contains the reference policy interface files that were used to build the system. These files are shipped in the selinux-policy package. They are installed under /usr/share/selinux/devel/. They have shipped a Makefile, as well as a simple script tool, policygentool, which will allow you to get experimenting with SELinux policy writing quicker. policyhelp will take you to the reference policy HTML pages, which describe the interfaces available.

audit2allow has been enhanced to understand the new reference policy format, and will attempt to match an AVC message to the appropriate interface(s).

 
clickforamin
June 23rd, 2007

SOME EXCELLENT WORK

Hey Shaz Khan, here is a superb link for your problem, as far as I think. But you might be some way ahead of it... as you have been working long on this topic.
Here goes the link:

http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/

Do go for it... it's really cool.

amin.

 
recluze
June 23rd, 2007

Mr. Amin, leave other people's work aside. We need an expert in TC. Get to work!

 
clickforamin
June 23rd, 2007

hmmmmm….

Not bad, too efficient a reply... For TC I think you have got Mr. Tamleek... I am not intervening in someone's work... I have a habit of searching for links and posting them on the blog... If you say so, you can delete it from the blog as well... similar to my previous mail that someone considered an extra weight... :)

 
alam78
June 23rd, 2007

…do not agree that Mr. Tamleek is working on Trusted Computing. He is, I think (maybe I am wrong), working on Trust Establishment and Negotiation on “real” life scenarios.

 
alam78
June 23rd, 2007

Shahbaz, if I get you right, you are asking where the original policy of SELinux in text version is, right?

Actually, with LPM support, there is no one big monolithic policy as previously done in SELinux. Now there are only policy modules. You have the code of the LPM that you have written for your specific task, so this is the policy.

After compilation, this policy is then made part of the big compiled policy. Search around /etc/selinux/targeted… for other loadable policy modules too, since I have heard that NSA is converting all the policies into LPMs.

Other question: have you checked the SELinux log in /var/log/… somewhere? I don't remember the exact name of the file, but you should be getting some of the messages. For a full-featured SELinux in action, you should change your mode from permissive to targeted, right?

The built-in policy modules from NSA might help you locate some LPMs specifically for your purpose, i.e. network traffic control through SELinux labeling (my impression).
