New trick: macro-expander!

Hi All,

Sysadmins and SELinux policy developers often ask me one simple question: “Lukas, how do I know which allow rules a specific macro will add to my policy?” And… my answer was not so simple. I am trying to fix that now.

Take this macro: mysql_read_config().

What does it mean? Which allow rules will be added if I use it in my policy? Until now there was just one option: find the macro definition in the interface files, which is not user friendly.

We tried to make this simpler, so we created the macro-expander tool!

All you need to do is install the selinux-policy-devel package on Fedora 29 or Rawhide:

# dnf install selinux-policy-devel -y

Then you can use macro-expander to analyze SELinux policy macros!

$ macro-expander "mysql_read_config(httpd_t)"
allow httpd_t mysqld_etc_t:dir { getattr search open read lock ioctl };
allow httpd_t mysqld_etc_t:file { open { getattr read ioctl lock } };
allow httpd_t mysqld_etc_t:lnk_file { getattr read };

mysql_read_config() allows reading mysqld_etc_t directories, files and symbolic links (lnk_file). It’s also possible to switch to CIL output with the “-c” parameter:

$ macro-expander -c "mysql_read_config(httpd_t)"
(allow httpd_t mysqld_etc_t (dir (ioctl read getattr lock search open)))
(allow httpd_t mysqld_etc_t (file (ioctl read getattr lock open)))
(allow httpd_t mysqld_etc_t (lnk_file (read getattr)))
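The two listings above show the same three rules in TE and in CIL syntax. The TE form keeps the nested braces from the permission-set macros the interface was built from, for example { open { getattr read ioctl lock } }, while the effective permission set is simply the union of everything inside the braces. As an added example, not part of the post or of macro-expander itself, the script below parses the TE output, flattens nested permission sets, re-emits each rule in CIL, and then does the check a policy reviewer actually wants before adding a macro to a local module: confirm that a "read" macro expands to no modification permissions. The three input lines are copied from the post's example output; the WRITE_LIKE permission list and all function names are assumptions made for this example, and the CIL printer sorts permissions alphabetically rather than in the policy's own order, so compare rules as sets rather than as strings. Output for a given macro depends on the selinux-policy version installed, so expand it on the system you will deploy to.

```python
import re
from dataclasses import dataclass

# Hypothetical helper written for this post; not part of macro-expander.
# It parses the TE-style allow rules macro-expander prints and re-emits
# them as CIL, then audits the permissions they grant.


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


# allow <src> <tgt>:<class> <perm | { perms ... }> ;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*([^\s{]+)\s+(.*?)\s*;\s*$"
)

# Permissions that grant some form of modification; a "read" macro should
# not expand to any of these. The list is an assumption for this example.
WRITE_LIKE = frozenset({
    "write", "append", "create", "unlink", "link", "rename", "setattr",
    "rmdir", "add_name", "remove_name", "reparent", "relabelto", "relabelfrom",
})


def flatten_perms(text):
    """Flatten a possibly nested permission set into one frozenset.

    macro-expander prints sets built from nested macros with nested braces,
    e.g. "{ open { getattr read ioctl lock } }"; the effective set is the
    union of every token inside the braces.
    """
    if text.count("{") != text.count("}"):
        raise ValueError(f"unbalanced braces in permission set: {text!r}")
    tokens = text.replace("{", " ").replace("}", " ").split()
    if not tokens:
        raise ValueError(f"empty permission set: {text!r}")
    return frozenset(tokens)


def parse_rules(text):
    """Parse every non-blank line of macro-expander TE output."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an allow rule: {line!r}")
        src, tgt, cls, perms = m.groups()
        rules.append(AllowRule(src, tgt, cls, flatten_perms(perms)))
    return rules


def to_cil(rule):
    """Render a rule in CIL syntax, like `macro-expander -c` does.

    Permissions are sorted alphabetically here; the real tool keeps the
    policy's own ordering.
    """
    perms = " ".join(sorted(rule.perms))
    return f"(allow {rule.source} {rule.target} ({rule.tclass} ({perms})))"


def find_write_perms(rules):
    """Report modification permissions, keyed by "target:class"."""
    found = {}
    for r in rules:
        hits = sorted(r.perms & WRITE_LIKE)
        if hits:
            found[f"{r.target}:{r.tclass}"] = hits
    return found


# Constructed input: the three rules the post shows for
# `macro-expander "mysql_read_config(httpd_t)"`.
SAMPLE_TE = """\
allow httpd_t mysqld_etc_t:dir { getattr search open read lock ioctl };
allow httpd_t mysqld_etc_t:file { open { getattr read ioctl lock } };
allow httpd_t mysqld_etc_t:lnk_file { getattr read };
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_TE)
    for r in rules:
        print(to_cil(r))
    print("modification perms:", find_write_perms(rules) or "none")
```

Piping real output into the parser (for example `macro-expander "mysql_read_config(httpd_t)" | python3 expand_audit.py`, with the script adapted to read stdin) gives a quick answer to "does this macro only grant reads?" before the module from the next section is built and installed.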

And the last but not least use case is to generate a local SELinux module using the macro:

$ macro-expander -M "mysql_read_config(httpd_t)" > expander.te
$ make -f /usr/share/selinux/devel/Makefile expander.pp
# semodule -i expander.pp
# semodule -lfull | grep expander
400 expander                pp

So now the answer to the question “How do I know which allow rules a specific macro will add?” is simple: use macro-expander!

For more information about macro-expander, check the sources available here.
