It is difficult to verify Type Enforcement with your own process, because the process only touches the resources it needs, whereas the verification has to touch the resources under test.
However, there is a good way around this. Type Enforcement control is decided by the SELinux domain and type. Therefore, if a verification program is executed in the same domain as your own process, the verification can be regarded as done for your own process.
- You must have privileges equivalent to an SELinux manager in order to install policies.
- Is SELinux on your environment set to Enforcing mode? In Permissive mode the verification is not possible.
- The tool spends about 30 seconds installing the policy before the verification runs, and about 10 seconds uninstalling it afterwards.
- While the policy is installed, audit2allow and other tools do not work.
- If you need to keep the policy installed, pass the --disabled-uninstall-policy option as the first argument. You must uninstall the policy when you finish your work.
The main tool that realizes this concept. It works as follows:
- The tool receives two parameters: a target domain and a verification program.
- A policy is built so that the program can be executed as the domain.
- The verification program is executed as the domain, and the verification is done.
- The policy is removed.
- python 2.x
- rpm-build
- policycoreutils-devel
python selinux_te_tester.py <domain> <program>
- <domain>: the domain you want to verify (e.g. httpd_t)
- <program>: a verification program (e.g. script/access.py)
A verification program. It performs the following checks:
- open, read and close the specified files
- bind to the specified ports
A config file specifies the files and ports. An example of the file is shown below:
dir, /var/www
file, /var/www/html/index.html
file, /etc/shadow
file, /etc/passwd
port, 1-10
port, 8080
A "dir" entry is handled as follows:
- files are searched for in the directory tree
- only files that can be found under the current permissions are handled
- files that are not regular files, or whose attributes cannot be read, are ignored
CAUTION: This script can hang if a special file such as trace_pipe is read.
python selinux_te_tester.py <domain> script/access.py <config-file>
NG,open(r),file,/etc/shadow,[Errno 13] Permission denied: '/etc/shadow'
OK,open(r),file,/etc/passwd,-
OK,read,file,/etc/passwd,-
OK,close,file,/etc/passwd,-
NG,bind,port,1,[Errno 13] Permission denied
NG,bind,port,2,[Errno 13] Permission denied
NG,bind,port,3,[Errno 13] Permission denied
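The behaviour described for script/access.py, as an added example that is not the project's own script: it parses the page's config format ("dir"/"file"/"port" entries, port ranges such as 1-10), walks directories keeping only regular files whose attributes can be read, then tries open(r)/read/close on each file and bind on each port, reporting in the status,op,kind,target,error layout shown above. It assumes Python 3 on Linux; the bind is done on the loopback address, which is this example's choice. It is meant to be run as the target domain by selinux_te_tester.py, which is what makes the results meaningful.

```python
"""Added example re-implementing the access.py concept (not the project's code).
Report tuples follow the page's layout: status, op, kind, target, error."""
import os
import socket
import stat
import sys


def parse_config(text):
    """Parse '<kind>, <value>' lines into (kind, value) pairs.
    'port' values may be a single port or a range 'a-b', which is expanded."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip(), value.strip()
        if kind == "port":
            lo, _, hi = value.partition("-")
            lo = int(lo)
            hi = int(hi) if hi else lo
            items.extend(("port", p) for p in range(lo, hi + 1))
        elif kind in ("file", "dir"):
            items.append((kind, value))
        else:
            raise ValueError("unknown config kind %r" % kind)
    return items


def expand_dir(top):
    """Walk a directory tree; keep only regular files whose attributes can be
    read, and silently skip anything else (the 'dir' rules on the page)."""
    found = []
    for root, _dirs, names in os.walk(top):
        for name in names:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # cannot get the attribute: ignore
            if stat.S_ISREG(st.st_mode):
                found.append(path)
    return found


def check_file(path):
    """open(r), read and close on one file.  If open fails there is nothing
    more to try, so only the open(r) result is reported for that file."""
    results = []
    try:
        f = open(path, "rb")
    except OSError as e:
        return [("NG", "open(r)", "file", path, str(e))]
    results.append(("OK", "open(r)", "file", path, "-"))
    try:
        # A bounded read; note that a blocking special file (e.g. trace_pipe)
        # can still hang here, as the page warns.
        f.read(4096)
        results.append(("OK", "read", "file", path, "-"))
    except OSError as e:
        results.append(("NG", "read", "file", path, str(e)))
    try:
        f.close()
        results.append(("OK", "close", "file", path, "-"))
    except OSError as e:
        results.append(("NG", "close", "file", path, str(e)))
    return results


def check_port(port):
    """bind() a TCP socket on the loopback address to the given port."""
    s = None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", port))
        return ("OK", "bind", "port", str(port), "-")
    except OSError as e:
        return ("NG", "bind", "port", str(port), str(e))
    finally:
        if s is not None:
            s.close()


def run(config_text):
    """Run every check named in the config; return the report lines."""
    lines = []
    for kind, value in parse_config(config_text):
        if kind == "port":
            lines.append(",".join(check_port(value)))
        elif kind == "file":
            lines.extend(",".join(r) for r in check_file(value))
        else:  # dir
            for path in expand_dir(value):
                lines.extend(",".join(r) for r in check_file(path))
    return lines


if __name__ == "__main__":
    with open(sys.argv[1]) as cfg:
        for line in run(cfg.read()):
            print(line)
```

Run inside the tool as `python selinux_te_tester.py <domain> this_script.py <config-file>`; run directly (outside the target domain) it only reports what the invoking user can do, which is exactly the limitation the tool exists to remove.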
This tool touches real resources. Therefore it is dangerous to verify writing to or deleting files, because the environment would be destroyed!
However, there is a good way around this. Type Enforcement control is decided by the SELinux domain and type. Therefore, by writing to a file that has the same type as the file you want to verify, the verification can be regarded as done for that file.
This tool works as follows:
- Check the SELinux types of the target files.
- Create dummy files that have the same types as the target files.
- Write to and delete the dummy files from a process running as the target domain.
python selinux_te_destroy_tester.py <domain> <config-file>
- <domain>: the domain you want to verify (e.g. httpd_t)
- <config-file>: a config file listing the target files (e.g. conf/destory.conf.txt)
/etc/shadow
/etc/passwd
NG,open(w),file,/etc/shadow,[Errno 13] Permission denied: '/root/workspace/te-tester/work/20180409120133882724_AjRkNZp8sO'
NG,delete,file,/etc/shadow,[Errno 13] Permission denied: '/root/workspace/te-tester/work/20180409120133882724_AjRkNZp8sO'
NG,open(w),file,/etc/passwd,[Errno 13] Permission denied: '/root/workspace/te-tester/work/20180409120133885883_dZP5omMCRC'
NG,delete,file,/etc/passwd,[Errno 13] Permission denied: '/root/workspace/te-tester/work/20180409120133885883_dZP5omMCRC'
We welcome bug reports, bug fixes and improvements.
To report a bug, please open a new issue.
To contribute a fix or improvement, please open a new pull request.
Copyright (C) 2018 Hitachi, Ltd.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.