How to prove that operation is allowed in SELinux policy?

Last week a colleague of mine asked how to prove that some operation is allowed in the installed SELinux policy. This is useful when troubleshooting an SELinux-related problem, to confirm whether the needed allow rules are present in the policy. I'll demonstrate it in two ways.

For both ways, let’s use following SELinux denial:

type=AVC msg=audit(1569577632.284:333): avc:  denied  { map } for  pid=2258 comm="LoadRoots" path="/usr/share/pki/ca-trust-source/README" dev="dm-0" ino=419927 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

The denial above describes allow rules that were missing from the SELinux distribution policy: the Firefox web browser couldn't validate a website's certificates because the firefox process was running in the user_t domain, started by the confined user user_u. Let's assume the missing allow rule has since been added to the policy on the system and we want to prove it.

The first way is to use the audit2allow tool, which is part of the policycoreutils-python-utils rpm package in Fedora. The tool reads SELinux denials from an input file (-i parameter) or from standard input. In our case, the denial above is stored in the file /tmp/avc. So, let's install the rpm package policycoreutils-python-utils.

# dnf install -y policycoreutils-python-utils
...
...
Installed:
  policycoreutils-python-utils-2.9-5.fc31.noarch                                                         

Complete!

The tool tells you if the rule is already allowed in the installed policy:

$ audit2allow -i /tmp/avc
#============= user_t ==============
#!!!! This avc is allowed in the current policy
allow user_t cert_t:file map;

The second way is to use another tool called sesearch. It queries the SELinux policy currently loaded on the system, or a compiled policy file on the filesystem, for rules such as allow rules. Usage of sesearch is really simple; you need to understand these parameters:

  • -A – Find allow rules
  • -s TYPE – Find rules whose source type (or attribute) is TYPE
  • -t TYPE – Find rules whose target type (or attribute) is TYPE
  • -c CLASS – Find rules for the specified object class
  • -p PERMISSION – Find rules that grant the specified permission(s)

The tool is part of the setools-console rpm package. Let's install it:

# dnf install -y setools-console
...
...
Installed:
  setools-console-4.2.2-1.fc31.x86_64                                                                    

Complete!

Once the tool is installed, we can query for our SELinux denial:

$ sesearch -A -s user_t -t cert_t -c file -p map 
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow user_t cert_t:file { getattr ioctl lock map open read };

In the output we see two SELinux allow rules. The first one is conditional on the boolean domain_can_mmap_files: user_t belongs to the domain attribute and cert_t to the file_type attribute, and the trailing [ domain_can_mmap_files ]:True means the rule sits in the true branch of that conditional, so it applies only when the boolean is turned on (you can check its current state with getsebool domain_can_mmap_files). The second one is the important rule in this case: it is unconditional and matches every criterion passed as a parameter, so the operation from the SELinux denial is allowed by the installed policy. 🙂
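Putting both halves of the procedure together, here is an added example that is not from the original post: a small POSIX sh script that parses the raw AVC line into the source type, target type, object class and permissions that sesearch needs, prints the matching query for each denied permission, and classifies what sesearch prints back (unconditional rule, boolean-conditional rule only, or nothing). It assumes awk, sed and grep are available and needs setools-console only for the live check at the bottom; the sample denial and the sample sesearch output are copied from this post, and the helper names (avc_field, avc_query, rule_status and so on) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: turn a raw AVC denial into the
# equivalent sesearch query and classify what sesearch prints back.
# Assumes POSIX sh with awk, sed and grep; setools-console (sesearch) is
# only needed for avc_check, which runs only when the tool is installed.

# Constructed sample input: the denial from the post, as one line.
AVC='type=AVC msg=audit(1569577632.284:333): avc:  denied  { map } for  pid=2258 comm="LoadRoots" path="/usr/share/pki/ca-trust-source/README" dev="dm-0" ino=419927 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0'

# Constructed sample sesearch output, copied from the post.
SESEARCH_OUT='allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow user_t cert_t:file { getattr ioctl lock map open read };'

# avc_field LINE KEY: value of KEY=value in LINE, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
            }
    }'
}

# avc_type CONTEXT: the type is the third field of user:role:type:level.
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms LINE: permissions listed between "{" and "}", space separated.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'; }

# avc_query LINE PERM: the sesearch command for one denied permission.
# One query per permission keeps the answer unambiguous; a comma-separated
# -p list would match rules granting any of the permissions, not all of them.
avc_query() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$2"
}

# rule_status SESEARCH_OUTPUT: interpret what sesearch printed.
#   allowed     - an unconditional allow rule matched
#   conditional - only rules inside a boolean conditional matched;
#                 "[ bool ]:True" applies when the boolean is on, ":False"
#                 when it is off, so confirm with getsebool before trusting it
#   denied      - no allow rule matched
rule_status() {
    allows=$(printf '%s\n' "$1" | grep '^allow ' || true)
    uncond=$(printf '%s\n' "$allows" | grep -v ' \[ ' || true)
    if [ -n "$uncond" ]; then
        echo allowed
    elif [ -n "$allows" ]; then
        echo conditional
    else
        echo denied
    fi
}

# avc_check LINE: run sesearch for every denied permission and print one
# status line per permission. Returns 0 only if each permission is allowed
# by an unconditional rule.
avc_check() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    rc=0
    for perm in $(avc_perms "$1"); do
        out=$(sesearch -A -s "$src" -t "$tgt" -c "$cls" -p "$perm" 2>/dev/null || true)
        status=$(rule_status "$out")
        printf '%s: %s %s:%s %s\n' "$status" "$src" "$tgt" "$cls" "$perm"
        [ "$status" = allowed ] || rc=1
    done
    return $rc
}

# Show the query the denial translates to, then check the live policy if the
# tool is present; otherwise classify the sample output copied from the post.
for perm in $(avc_perms "$AVC"); do avc_query "$AVC" "$perm"; done
if command -v sesearch >/dev/null 2>&1; then
    avc_check "$AVC"
else
    echo "sesearch not installed; classifying the sample output instead:"
    rule_status "$SESEARCH_OUT"
fi
```

On a box with setools-console installed, avc_check prints "allowed: user_t cert_t:file map" for the denial in this post; a result of "conditional" tells you to look at the boolean named in the rule with getsebool before concluding anything.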