8

Is there a way to view all custom policies applied to SELinux, preferably rolling them all up into one policy "package"?

I've just spent the last week or so working through a series of SELinux errors when a certain process (awstats update from logrotate scripts, FWIW) tried to run. With SELinux in permissive mode I'd wait for logrotate to run, view the SELinux blocks in the audit log, run audit2allow to create an allow policy, and then repeat the process the next day with a whole new list of related errors. Finally, this morning the audit log came up clean, so I think I have all the required rules in place to allow the scripts to run properly.

Of course I wasn't thinking as I ran through this process, so I don't have all the .pp/.te files created along the way. So what I would like to do is pull all the currently active custom policies back out of SELinux, so I can have a backup copy for use on other machines or restores. Is this possible?

Edit: This is on a machine running CentOS 6.7, if that makes a difference

ibrewster
    One thing to look at is "semanage export". – Aaron Dec 31 '15 at 17:49
  • @Aaron: I'm not finding an "export" option in the semanage man page. I did find an option to output booleans and contexts I have changed, which is helpful, and an option to enable/disable policies based on module name (which might explain why it took so long for me to get a clean run, if the name of the policy created by audit2allow makes a difference), and list module names, but no export option I can see. Maybe it's a combination of flags to the module command? – ibrewster Dec 31 '15 at 18:02
  • Do you by chance have the __policycoreutils-python__ package installed? – Aaron Dec 31 '15 at 18:07
  • @Aaron I do, yes – ibrewster Dec 31 '15 at 18:12
  • It is possible the c6 version does not contain the export option. I am testing on centos 7. Dan Walsh added that function in 2013. Perhaps you could use something from upstream as a one-off in this particular use case. I am curious now and will keep looking around. – Aaron Dec 31 '15 at 18:22
  • I have not tested this and it may not even work, but you might try temporarily using the latest policycoreutils-python package from [fedora](https://dl.fedoraproject.org/pub/fedora/linux/updates/23/x86_64/p/) assuming you have a backup of your data and understand the risk of pulling in packages from another distro. – Aaron Dec 31 '15 at 18:41

2 Answers

3

This answer is borrowed from this question. While it doesn't exactly answer the question of seeing all custom SELinux policies applied to the machine, it does provide the set of tools you would want to use to see any custom policies or narrow it down a fair bit.


Some of the commands to obtain this info are (examples use httpd_log_t):

  1. seinfo

    # seinfo -x --type=httpd_log_t /etc/selinux/default/policy/policy.26
       httpd_log_t
          file_type
          non_security_file_type
          logfile
    
  2. sesearch

    # sesearch --dontaudit -t httpd_log_t /etc/selinux/default/policy/policy.26 | head
    Found 35 semantic av rules:
        dontaudit run_init_t file_type : dir { getattr search open } ;
        dontaudit staff_t non_security_file_type : file getattr ;
        dontaudit staff_t non_security_file_type : dir { ioctl read getattr lock search open } ;
        dontaudit staff_t non_security_file_type : lnk_file getattr ;
        dontaudit staff_t non_security_file_type : sock_file getattr ;
        dontaudit staff_t non_security_file_type : fifo_file getattr ;
        dontaudit unconfined_t non_security_file_type : file getattr ;
        dontaudit unconfined_t non_security_file_type : dir { ioctl read getattr lock search open } ;
        dontaudit unconfined_t non_security_file_type : lnk_file getattr ;
    
  3. semanage

    # semanage fcontext -l | grep httpd_log_t
    /etc/httpd/logs                                    all files          system_u:object_r:httpd_log_t:s0
    /var/log/apache(2)?(/.*)?                          all files          system_u:object_r:httpd_log_t:s0
    /var/log/apache-ssl(2)?(/.*)?                      all files          system_u:object_r:httpd_log_t:s0
    /var/log/cacti(/.*)?                               all files          system_u:object_r:httpd_log_t:s0
    /var/log/cgiwrap\.log.*                            regular file       system_u:object_r:httpd_log_t:s0
    /var/log/horde2(/.*)?                              all files          system_u:object_r:httpd_log_t:s0
    /var/log/httpd(/.*)?                               all files          system_u:object_r:httpd_log_t:s0
    /var/log/lighttpd(/.*)?                            all files          system_u:object_r:httpd_log_t:s0
    /var/log/piranha(/.*)?                             all files          system_u:object_r:httpd_log_t:s0
    /var/www(/.*)?/logs(/.*)?                          all files          system_u:object_r:httpd_log_t:s0
    

References: RHEL6 SELinux manual

J.W.F.
3

As of RHEL 7:

 semanage export 

should export all local configuration changes.

Systemspoet
  • What package provides that command on RHEL 7? I am unable to find it with: yum whatprovides '*bin/selinux' – Liczyrzepa May 10 '18 at 15:22
  • Good catch, I brain-deadedly put the wrong command in. It's 'semanage export' provided by policycoreutils-python-2.5-17.1.el7.x86_64 – Systemspoet May 10 '18 at 19:39
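Neither answer quite recovers what the question asks for, the compiled modules that audit2allow installed, so here is an added example (not from the post or either answer) that ties the first answer's listing tools to the second answer's `semanage export`. It derives the set of locally installed modules by subtracting the distribution's own module list from `semodule -l`, then copies each custom `.pp` out of the module store. Assumptions, all labelled in the comments: `SELINUXTYPE=targeted`; the distribution ships its modules as `/usr/share/selinux/targeted/<name>.pp.bz2` and installed packages live under `/etc/selinux/targeted/modules/active/modules/<name>.pp` (the CentOS 6 layout the question is about); the fallback `semodule -E` needs policycoreutils 2.5 or newer; the function names and the sample `semodule -l` listing are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: find the SELinux policy modules
# loaded on a CentOS 6 box that selinux-policy-targeted did not ship, and back
# up their compiled .pp files so they can be re-installed elsewhere with
# `semodule -i <name>.pp`.
#
# Assumptions: SELINUXTYPE=targeted; distribution modules are packaged as
# /usr/share/selinux/targeted/<name>.pp.bz2; the CentOS 6 module store keeps
# installed packages at /etc/selinux/targeted/modules/active/modules/<name>.pp.
# All function names are this example's own.

# custom_modules LOADED DIST
#   LOADED: the output of `semodule -l` (one module per line, name first;
#           CentOS 6 prints "name<TAB>version", RHEL 7.3+ prints just the name)
#   DIST:   one distribution-shipped module name per line
# Prints, in LOADED order, every module name that does not appear in DIST.
custom_modules() {
    {
        printf '%s\n' "$2"
        echo '__END_OF_DIST_LIST__'
        printf '%s\n' "$1"
    } | awk '
        /^__END_OF_DIST_LIST__$/ { in_loaded = 1; next }
        !in_loaded              { if (NF) dist[$1] = 1; next }
        NF && !($1 in dist)     { print $1 }
    '
}

# Module names shipped by the distribution package, taken from its file list
# (.../<name>.pp.bz2 -> <name>).
dist_modules() {
    rpm -ql selinux-policy-targeted 2>/dev/null |
        sed -n 's#.*/\([^/]*\)\.pp\.bz2$#\1#p'
}

# backup_custom_modules DESTDIR
# Copies every custom module's .pp into DESTDIR. If the CentOS 6 store file is
# absent (policycoreutils 2.5+ on RHEL 7.3+ uses a different store layout),
# fall back to `semodule -E <name>`, which writes <name>.pp into the current
# directory.
backup_custom_modules() {
    dest=$1
    store=/etc/selinux/targeted/modules/active/modules
    mkdir -p "$dest" || return 1
    custom_modules "$(semodule -l)" "$(dist_modules)" | while read -r name; do
        if [ -f "$store/$name.pp" ]; then
            cp -p "$store/$name.pp" "$dest/$name.pp"
        else
            ( cd "$dest" && semodule -E "$name" )
        fi
    done
    ls -l "$dest"
}

# Offline demonstration on constructed data: a CentOS 6 style `semodule -l`
# listing (name, tab, version) and a three-module distribution list.
# On a real host run:  backup_custom_modules /root/selinux-custom-modules
SAMPLE_LOADED=$(printf 'abrt\t1.2.0\nawstats_logrotate\t1.0\nhttpd\t2.4.0\nlogrotate_awstats2\t1.0\n')
SAMPLE_DIST=$(printf 'abrt\nhttpd\npostfix\n')
custom_modules "$SAMPLE_LOADED" "$SAMPLE_DIST"
```

Two caveats a practitioner should keep in mind. First, `semanage export` (and its CentOS 6 counterpart, `semanage -o -`, which dumps the locally changed booleans, file contexts, ports and users that the question's author noticed) records customisations made through semanage; it does not carry the compiled modules themselves, which is why the copy step above is still needed. Second, the name audit2allow gives a module is whatever you pass to `-M`; installing a second module under the same name replaces the first rather than adding to it, so a back-up taken this way should be checked against `semodule -l` before assuming every rule from the week of iterations survived.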