Today, I’ll show you how to modify SELinux module from distro policy without rebuilding whole selinux-policy rpm package. This can be useful during testing new features in your application or debugging SELinux policy. All current Fedora stable releases (Fedora 23, Fedora 24) support this feature.
For example, we have openwsman SELinux module containing following macro:
optional_policy(` unconfined_domain(openwsman_t) ')
That means, openwsman_t domain is part of unconfined_domain_type attribute:
$ seinfo -xtopenwsman_t | grep unconfined_domain_type unconfined_domain_type
This macro makes SELinux domain unconfined. Let’s say, we want openwsman_t domain confined, so we need to remove rule above.
First step is download openwsman policy source files from our repo.
$ ls openwsman.fc openwsman.if openwsman.te
We can edit openwsman.te file:
$ diff -u openwsman.te.old openwsman.te --- openwsman.te.old 2016-08-17 19:38:30.617111430 +0200 +++ openwsman.te 2016-08-17 19:38:41.105155383 +0200 @@ -68,7 +68,3 @@ sblim_getattr_exec_sfcbd(openwsman_t) ') -optional_policy(` - unconfined_domain(openwsman_t) -') -
Modified policy needs to be compiled:
$ make -f /usr/share/selinux/devel/Makefile openwsman.pp
Now, we have compiled policy in .pp format:
$ ls openwsman.fc openwsman.if openwsman.pp openwsman.te openwsman.te.old tmp/
Last step, we load modified policy to kernel:
# semodule -i openwsman.pp libsemanage.semanage_direct_install_info: Overriding openwsman module at lower priority 100 with module at priority 400.
We can check if modified policy is loaded into kernel and openwsman_t domain is part of unconfined_domain_type:
# semodule -lfull | grep openwsman 400 openwsman pp 100 openwsman pp $ seinfo -xtopenwsman_t | grep unconfined_domain_type $
Two SELinux modules called openwsman are loaded. Firt one, with priority 400 is our local modified module. Second, with priority 100, coming from distro policy. Only SELinux module with the highest priority is active on system.
This is pretty easy and quick solution for modifying distro policy modules, isn’t it? 😉