How to modify an SELinux module from the distro policy?

Hi!

Today, I’ll show you how to modify an SELinux module from the distro policy without rebuilding the whole selinux-policy RPM package. This can be useful when testing new features in your application or debugging SELinux policy. All current Fedora stable releases (Fedora 23, Fedora 24) support this feature.

For example, we have the openwsman SELinux module, which contains the following macro:

optional_policy(`
     unconfined_domain(openwsman_t)
')

That means the openwsman_t domain is part of the unconfined_domain_type attribute:

$ seinfo -xtopenwsman_t | grep unconfined_domain_type
unconfined_domain_type

This macro makes the SELinux domain unconfined. Let’s say we want the openwsman_t domain to be confined, so we need to remove the rule above.
The first step is to download the openwsman policy source files from our repo.

$ ls
openwsman.fc  openwsman.if  openwsman.te

We can edit the openwsman.te file:

$ diff -u openwsman.te.old openwsman.te
--- openwsman.te.old	2016-08-17 19:38:30.617111430 +0200
+++ openwsman.te	2016-08-17 19:38:41.105155383 +0200
@@ -68,7 +68,3 @@
     sblim_getattr_exec_sfcbd(openwsman_t)
 ')
 
-optional_policy(`
-    unconfined_domain(openwsman_t)
-')
-
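Review bot: the block removed at the end of openwsman.te takes unconfined_domain(openwsman_t) away without adding any allow rules in its place, so openwsman_t keeps only what the rest of the module grants. Before relying on the confined domain, exercise the service and check the audit log for AVC denials against openwsman_t, then add the specific rules it needs instead of restoring the macro.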

The modified policy needs to be compiled:

$ make -f /usr/share/selinux/devel/Makefile openwsman.pp

Now we have the compiled policy in .pp format:

$ ls
openwsman.fc  openwsman.if  openwsman.pp  openwsman.te  openwsman.te.old  tmp/

As the last step, we load the modified policy into the kernel:

# semodule -i openwsman.pp 
libsemanage.semanage_direct_install_info: Overriding openwsman module at lower priority 100 with module at priority 400.

We can check that the modified policy is loaded into the kernel and whether the openwsman_t domain is still part of the unconfined_domain_type attribute:

# semodule -lfull | grep openwsman
400 openwsman                pp         
100 openwsman                pp 

$ seinfo -xtopenwsman_t | grep unconfined_domain_type
$

Two SELinux modules called openwsman are loaded. The first one, with priority 400, is our locally modified module. The second, with priority 100, comes from the distro policy. Only the SELinux module with the highest priority is active on the system.
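The priority rule described above can be used to audit which distro modules have a local override. The following is an added example, not part of the original post: the function names and the sample listing are constructed for illustration (only the two openwsman lines come from the output shown earlier).

```shell
#!/bin/sh
# Added example: find modules that exist at more than one priority in
# `semodule -lfull` output, i.e. distro modules shadowed by a local copy.

# Constructed sample listing in the "priority name format" layout.
# The openwsman lines match the post; apache and abrt are made up.
sample_listing() {
cat <<'EOF'
400 openwsman                pp
100 openwsman                pp
100 apache                   pp
100 abrt                     pp
EOF
}

# Read a listing on stdin and print one line per overridden module:
#   <name> active=<highest priority> shadowed=<lower priorities>
# Input order does not matter.
overridden_modules() {
    awk '
        function shadow(n, p) { low[n] = (low[n] == "" ? p : low[n] "," p) }
        NF >= 2 && $1 ~ /^[0-9]+$/ {
            prio = $1 + 0; name = $2
            if (!(name in top))        { top[name] = prio }
            else if (prio > top[name]) { shadow(name, top[name]); top[name] = prio }
            else                       { shadow(name, prio) }
            count[name]++
        }
        END {
            for (n in count)
                if (count[n] > 1)
                    printf "%s active=%d shadowed=%s\n", n, top[n], low[n]
        }' | sort
}

# Read a listing on stdin and print the priority that is in effect
# for module $1 (nothing if the module is not listed).
active_priority() {
    awk -v m="$1" '$2 == m && $1 + 0 > max { max = $1 + 0 }
                   END { if (max) print max }'
}

# Stand-alone run on the constructed sample.
sample_listing | overridden_modules
```

On a real system, run `semodule -lfull | overridden_modules` as root. To drop a local override and fall back to the distro module, remove it at its own priority with `semodule -X 400 -r openwsman`.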

This is a pretty easy and quick solution for modifying distro policy modules, isn’t it? 😉