SELinux CIL
SELinux CIL (Common Intermediate Language) 是编写 SELinux 模块新的中间层语言。
要求 libsepol 的版本大于 2.4:
$ rpm -qi libsepol
Name : libsepol
Version : 2.5
Release : 10.el7
Architecture: x86_64
Install Date: Sat 29 Jun 2019 05:27:14 PM CST
Group : System Environment/Libraries
Size : 686640
License : LGPLv2+
Signature : RSA/SHA256, Mon 12 Nov 2018 10:37:35 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : libsepol-2.5-10.el7.src.rpm
Build Date : Wed 31 Oct 2018 05:36:15 AM CST
Build Host : x86-01.bsys.centos.org
...
$ ldd /usr/libexec/selinux/hll/pp
linux-vdso.so.1 => (0x00007ffdd8fae000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00007ff110721000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff110353000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff110bc2000)
可以将 SELinux pp 模块转成 cil 模块,假设 pp 模块的源文件 te 内容如下:
$ cat libceph.te
policy_module(libceph, 1.0.0)
# refpolicy/policy/support/obj_perm_sets.spt
# https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20190609/policy/support/obj_perm_sets.spt
### /var/run/ceph
optional {
require {
type virtd_t;
type var_run_t;
}
allow virtd_t var_run_t:dir rw_dir_perms;
allow virtd_t var_run_t:sock_file manage_sock_file_perms;
}
optional {
require {
type virtd_t;
type ceph_var_run_t;
}
allow virtd_t ceph_var_run_t:dir rw_dir_perms;
allow virtd_t ceph_var_run_t:sock_file manage_sock_file_perms;
}
optional {
require {
type svirt_t;
type var_run_t;
}
allow svirt_t var_run_t:dir rw_dir_perms;
allow svirt_t var_run_t:sock_file manage_sock_file_perms;
}
optional {
require {
type svirt_t;
type ceph_var_run_t;
}
allow svirt_t ceph_var_run_t:dir rw_dir_perms;
allow svirt_t ceph_var_run_t:sock_file manage_sock_file_perms;
}
### /var/log/ceph
optional {
require {
type virtd_t;
type var_log_t;
}
allow virtd_t var_log_t:dir rw_dir_perms;
allow virtd_t var_log_t:file manage_file_perms;
}
optional {
require {
type virtd_t;
type ceph_var_log_t;
}
allow virtd_t ceph_var_log_t:dir rw_dir_perms;
allow virtd_t ceph_var_log_t:file manage_file_perms;
}
optional {
require {
type svirt_t;
type var_log_t;
}
allow svirt_t var_log_t:dir rw_dir_perms;
allow svirt_t var_log_t:file manage_file_perms;
}
optional {
require {
type svirt_t;
type ceph_var_log_t;
}
allow svirt_t ceph_var_log_t:dir rw_dir_perms;
allow svirt_t ceph_var_log_t:file manage_file_perms;
}
使用 pp 命令可以将 pp 模块转成 cil 模块:
$ ls
libceph.pp
$ /usr/libexec/selinux/hll/pp libceph.pp libceph.cil
$ ls
libceph.cil libceph.pp
得到 cil 模块如下:
$ cat libceph.cil
(roleattributeset cil_gen_require system_r)
(optional libceph_optional_2
(typeattributeset cil_gen_require virtd_t)
(typeattributeset cil_gen_require var_run_t)
(allow virtd_t var_run_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow virtd_t var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
(optional libceph_optional_3
(typeattributeset cil_gen_require virtd_t)
(typeattributeset cil_gen_require ceph_var_run_t)
(allow virtd_t ceph_var_run_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow virtd_t ceph_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
(optional libceph_optional_4
(typeattributeset cil_gen_require var_run_t)
(typeattributeset cil_gen_require svirt_t)
(allow svirt_t var_run_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow svirt_t var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
(optional libceph_optional_5
(typeattributeset cil_gen_require ceph_var_run_t)
(typeattributeset cil_gen_require svirt_t)
(allow svirt_t ceph_var_run_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow svirt_t ceph_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
(optional libceph_optional_6
(typeattributeset cil_gen_require virtd_t)
(typeattributeset cil_gen_require var_log_t)
(allow virtd_t var_log_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow virtd_t var_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
(optional libceph_optional_7
(typeattributeset cil_gen_require virtd_t)
(typeattributeset cil_gen_require ceph_var_log_t)
(allow virtd_t ceph_var_log_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow virtd_t ceph_var_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
(optional libceph_optional_8
(typeattributeset cil_gen_require svirt_t)
(typeattributeset cil_gen_require var_log_t)
(allow svirt_t var_log_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow svirt_t var_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
(optional libceph_optional_9
(typeattributeset cil_gen_require svirt_t)
(typeattributeset cil_gen_require ceph_var_log_t)
(allow svirt_t ceph_var_log_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow svirt_t ceph_var_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
)
cil 模块可以直接安装:
$ sudo semodule -X 400 -i libceph.cil
$ sudo semodule -lfull | grep libceph
400 libceph cil
参考资料
SELinux insides – Part1: Policy module store, policy modules and kernel policy.
CIL – Part1: Faster SELinux policy (re)build
https://mgrepl.wordpress.com/2015/07/30/cil-part1-faster-selinux-policy-rebuild/
Fundamental SELinux Concepts
https://hub.packtpub.com/fundamental-selinux-concepts/
Writing SELinux modules
http://www.admin-magazine.com/Archive/2016/36/Writing-SELinux-modules
CIL (Common Intermediate Language)
https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/README.md
最后修改于 2020-01-02