Step-by-Step Guide To Creating SELinux Policy for Google Earth

Benjy Grogan benjy.grogan at gmail.com
Tue Jun 20 05:46:42 UTC 2006


On 6/19/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Benjy Grogan wrote:
> > On 6/17/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >> Benjy Grogan wrote:
> >> > Hello:
> >> >
> >> > On 6/15/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >> >> Benjy Grogan wrote:
> >> >> > Hello:
> >> >> >
> >> >> > Would it be possible for the SELinux team at Red Hat to create an
> >> >> > SELinux policy module for Google Earth and to show the step by step
> >> >> > process for confining the application?  I think these kinds of
> >> >> > examples would be useful to developers attempting to create SELinux
> >> >> > policies for other rpm packages out there.  I'm not interested so
> >> >> > much in the actual policy module, but in creating it myself from
> >> >> > step-by-step instructions.  IMHO, that would be the best way to
> >> >> > educate developers on how to use SELinux.
> >> >> >
> >> >> Google-earth is not the best example of this but
> >> >>
> >> >> The way I would go about it would be to first use policygentool to
> >> >> create my initial fc/if/te files
> >> >>
> >> >> #cd /tmp
> >> >> #mkdir googleearth
> >> >> #cd googleearth
> >> >> STEP 1
> >> >> #policygentool googleearth /usr/local/google-earth/googleearth-bin
> >> >> answer some questions to the best of my ability
> >> >
> >> > I answered the questions, but I had little idea as to what pidfiles
> >> > were.  As for logs, Google Earth doesn't use /var/log but I know it
> >> > must log something in ~/.googleearth.  That would be a directory that
> >> > depends on which user is at the moment using Google Earth.  There's
> >> > probably a better way of specifying this after running policygentool.
> >> >
> >> > I didn't know if there were any /var/lib files, so I left that alone.
> >> > The module didn't have an init script, which is used by
> >> > daemons/services, right?  The module will be a heavy user of the
> >> > network, so that was answered yes, but further restricting Google
> >> > Earth's network access would be useful, such as no access 192.168.x.x.
> >> >
> >> >> STEP 2
> >> >> add the following lines to the te file to cause the transition from
> >> >> uncofined_t to googleearth
> >> >> cat >> googleearth.te << __EOF
> >> >> gen_require(`
> >> >>              type unconfined_t;
> >> >> ')
> >> >
> >> > First time I've seen ` and ' used.
> >> >
> >> >> domain_auto_trans(uncofined_t, googleearth_exec_t, googleearth_t)
> >> This should be unconfined_t.
> >
> > I had made this change.  I was avoiding the policy completely by using
> > /usr/local/google-earth/googleearth instead of
> > /usr/local/google-earth/googleearth-bin.
> >
> > When I do run googleearth-bin I get:
> >
> > $ /usr/local/google-earth/googleearth-bin
> > /usr/local/google-earth/googleearth-bin: error while loading shared
> > libraries: ./libcomponent.so: cannot open shared object file: No such
> > file or directory
> >
> You should be running in permissive mode and translating avc messages to
> allow rules via
>
> audit2allow -R -i /var/log/messages

Okay, I created a policy from audit2allow and used as many macros as I
could where it made sense.  Below I have the TE file that I wrote.
This policy works fine with setenforce 0 and doesn't generate many
AVCs at all anymore, except when I navigate outside of the user's home
directory when saving or opening a jpeg, and I've auditdenied some of
that stuff.  But when I turn enforcing on, setenforce 1, I get this
error:

$ googleearth
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

There are no AVCs to be found in /var/log/messages.  I figured these
lines should've handled any X server issues:

# XServer set-up

xserver_use_xdm_fds(googleearth_t)
xserver_stream_connect_xdm(googleearth_t)

... but they don't.

So my Google Earth policy works in permissive mode but fails in
enforcing mode without any AVCs to explain why not.  Do you know how
to fix this?  Here's the TE I wrote:

policy_module(googleearth,1.0.7)

########################################
#
# Declarations
#

type googleearth_t;
type googleearth_exec_t;
domain_type(googleearth_t)
init_daemon_domain(googleearth_t, googleearth_exec_t)

########################################
#
# googleearth local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of
# allow rules.

# Some common macros (you might be able to remove some)
files_read_etc_files(googleearth_t)
libs_use_ld_so(googleearth_t)
libs_use_shared_libs(googleearth_t)
miscfiles_read_localization(googleearth_t)
## internal communication is often done using fifo and unix sockets.
allow googleearth_t self:fifo_file { getattr read write };
allow googleearth_t self:unix_stream_socket create_stream_socket_perms;

allow googleearth_t self:tcp_socket { connect create getopt read write };
allow googleearth_t self:udp_socket { connect create getattr read write };


# Init script handling
init_use_fds(googleearth_t)
init_use_script_ptys(googleearth_t)
domain_use_interactive_fds(googleearth_t)

gen_require(`
	type unconfined_t;
')
domain_auto_trans(unconfined_t, googleearth_exec_t, googleearth_t)

# XServer set-up

xserver_use_xdm_fds(googleearth_t)
xserver_stream_connect_xdm(googleearth_t)

# var_t stuff

gen_require(`
	type var_t;
')

allow googleearth_t var_t:file { getattr read };

# Connect to the unconfined domain using a unix domain stream socket.
unconfined_stream_connect(googleearth_t)

# Send and receive messages from an unlabeled IPSEC association.
kernel_sendrecv_unlabeled_association(googleearth_t)

# terminal and DRI (3D rendering) device access
gen_require(`
	type devpts_t;
')
allow googleearth_t devpts_t:chr_file { read write };
dev_rw_dri(googleearth_t)

# DISK ACCESS
# allow reading of libcomponent.so et al in /usr/local/
gen_require(`
	type usr_t;
')
allow googleearth_t usr_t:file { read execute getattr };
allow googleearth_t usr_t:lnk_file read;

# allow access to .googleearth in home directory

gen_require(`
	type user_home_dir_t;
	type user_home_t;
	type home_root_t;
')
allow googleearth_t user_home_dir_t:dir { getattr search read write };
allow googleearth_t user_home_dir_t:file getattr;
allow googleearth_t user_home_t:dir { add_name getattr remove_name search read write };
allow googleearth_t user_home_t:file { append getattr lock read write };
allow googleearth_t user_home_t:lnk_file { create read unlink };

# don't create AVCs outside of the user's home directory
# (dontaudit is the rule that suppresses denial messages; the legacy
# auditdeny keyword does not, since denials are audited by default)

dontaudit googleearth_t home_root_t:dir { getattr search };

# get extended attributes on files

fs_getattr_xattr_fs(googleearth_t)

# allow memory access

allow googleearth_t self:process { execmem execstack };

# kernel

gen_require(`
	type sysctl_kernel_t;
	type sysctl_t;
')
allow googleearth_t sysctl_kernel_t:dir search;
allow googleearth_t sysctl_kernel_t:file { getattr read };

allow googleearth_t sysctl_t:dir search;

# device proc

gen_require(`
	type proc_t;
')
allow googleearth_t proc_t:dir search;
allow googleearth_t proc_t:file { getattr read };

# temp dir

gen_require(`
	type tmp_t;
')
allow googleearth_t tmp_t:file getattr;
allow googleearth_t tmp_t:dir search;
allow googleearth_t tmp_t:sock_file write;

# read fonts

miscfiles_read_fonts(googleearth_t)

# network stuff

corenet_tcp_sendrecv_all_if(googleearth_t)
corenet_tcp_sendrecv_all_nodes(googleearth_t)

corenet_udp_sendrecv_all_if(googleearth_t)
corenet_udp_sendrecv_all_nodes(googleearth_t)

corenet_tcp_connect_http_port(googleearth_t)
corenet_tcp_sendrecv_http_port(googleearth_t)

corenet_udp_sendrecv_dns_port(googleearth_t)

sysnet_read_config(googleearth_t)


# unknown stuff

gen_require(`
	type ice_tmp_t;
')
allow googleearth_t ice_tmp_t:dir search;
allow googleearth_t ice_tmp_t:sock_file write;

gen_require(`
	type urandom_device_t;
')
allow googleearth_t urandom_device_t:chr_file { getattr read };



Benjy
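The symptom described above (the module works under setenforce 0 but fails under setenforce 1 with nothing in /var/log/messages) is exactly what a denial covered by a dontaudit rule looks like: in permissive mode the kernel grants the access anyway, and in both modes the audit record is suppressed, so audit2allow never sees it. What follows is an added example, not code from this thread or from the SELinux project: a small Python model of that decision logic. It parses a constructed TE fragment modelled on the posted googleearth.te (single-line allow/dontaudit rules only; interface calls and gen_require blocks are skipped), evaluates constructed access requests in permissive and enforcing mode, and collapses the denials that would actually be logged into allow rules in the style of audit2allow output (without the -R macro substitution). The type names are taken from the posted policy; the requests and the fragment itself are constructed.

```python
"""Toy model of SELinux access decisions: allow vs dontaudit, permissive vs enforcing.

Added example for this thread; not code from the original post or from SELinux.
The policy fragment and the access requests below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed fragment modelled on the googleearth.te posted above (single-line
# allow/dontaudit rules only; interface calls and gen_require blocks are skipped).
SAMPLE_TE = """
# DISK ACCESS
allow googleearth_t usr_t:file { read execute getattr };
allow googleearth_t user_home_t:dir { add_name getattr remove_name search read write };
allow googleearth_t tmp_t:dir search;
allow googleearth_t tmp_t:sock_file write;
dontaudit googleearth_t home_root_t:dir { getattr search };
"""

RULE_RE = re.compile(
    r"^(allow|dontaudit)\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;\s*$"
)


def parse_te(text):
    """Map (kind, source, target, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue  # not a plain av rule; ignored by this toy parser
        kind, src, tgt, cls, perms = m.groups()
        rules[(kind, src, tgt, cls)] |= set(perms.strip("{}").split())
    return rules


def check(rules, src, tgt, cls, perm, enforcing):
    """Return (granted, audited) for one access, as the kernel AVC would decide."""
    if perm in rules.get(("allow", src, tgt, cls), set()):
        return True, False
    # Denied by policy.  Permissive mode still grants the access; the denial is
    # logged in both modes unless a dontaudit rule covers this permission.
    suppressed = perm in rules.get(("dontaudit", src, tgt, cls), set())
    return (not enforcing), (not suppressed)


def run(rules, requests, enforcing):
    """Evaluate requests; return per-request grants and the denials that get logged."""
    granted, logged = [], []
    for req in requests:
        ok, audited = check(rules, *req, enforcing)
        granted.append(ok)
        if audited:
            logged.append(req)
    return granted, logged


def audit2allow(denials):
    """Collapse logged denials into allow rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in denials:
        grouped[(src, tgt, cls)].add(perm)
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


# Constructed requests: one allowed, one denied-but-dontaudited, one denied-and-logged.
REQUESTS = [
    ("googleearth_t", "usr_t", "file", "read"),
    ("googleearth_t", "home_root_t", "dir", "search"),
    ("googleearth_t", "tmp_t", "dir", "write"),
]

if __name__ == "__main__":
    rules = parse_te(SAMPLE_TE)
    for enforcing in (False, True):
        granted, logged = run(rules, REQUESTS, enforcing)
        print(f"enforcing={int(enforcing)}: granted={granted}, logged={len(logged)} denial(s)")
    # Only the logged denial reaches audit2allow; the dontaudited one never does.
    for rule in audit2allow(run(rules, REQUESTS, True)[1]):
        print(rule)
```

The second request is the interesting one: it is granted in permissive mode and refused in enforcing mode, yet appears in neither log, so a policy built purely from audit2allow output can never cover it. On current systems, `semodule -DB` rebuilds the loaded policy with all dontaudit rules disabled so such denials show up in the audit log again, and `semodule -B` restores them; that option postdates this 2006 thread.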



