Local policy management script

I’ve written a small script that I call selocal which manages locally needed SELinux rules. It allows me to add or remove SELinux rules from the command line and have them loaded up without needing to edit a .te file and building the .pp file manually. If you are interested, you can download it from my github location.

Its usage is as follows:

  • You can add a rule to the policy with selocal -a “rule”
  • You can list the current rules with selocal -l
  • You can remove entries by referring to their number (in the listing output), like semodule -d 19.
  • You can ask it to build (-b) and load (-L) the policy when you think it is appropriate

It even supports multiple modules in case you don’t want to have all local rules in a single module set.

So when I wanted to give a presentation on Tor, I had to allow the torbrowser to connect to an unreserved port. The torbrowser runs in the mozilla domain, so all I did was:

~# selocal -a "corenet_tcp_connect_all_unreserved_ports(mozilla_t)" -b -L

At the end of the presentation, I removed the line from the policy:

~# selocal -l | grep mozilla_t
19. corenet_tcp_connect_all_unreserved_ports(mozilla_t)
~# selocal -d 19 -b -L

I can also add in comments in case I would forget why I added it in the first place:

~# selocal -a "allow mplayer_t self:udp_socket create_socket_perms;" \
  -c "MPlayer plays HTTP resources" -b -L

This then also comes up when listing the current local policy rules:

~# selocal -l
...
40: allow mplayer_t self:udp_socket create_socket_perms; # MPlayer plays HTTP resources

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>