SELinux policy for palo

    I had a first go at creating an SELinux policy for palo. In general this should be a better approach than chroot.

    I'll update the .rpm to include and build the policy and to set the security contexts appropriately on install. If you're primarily interested in the improved security, then rather follow the .rpm install instructions on:
    Packaging Palo Server for Fedora

    I only use a limited subset of palo, so it's tricky to know if this policy accommodates all use cases. If SELinux starts to block you getting your stuff done with palo, then please run:

        su
        semodule -DB
        cat /var/log/audit/audit.log | audit2allow

    and send me the output and I'll incorporate it back into the policy.

    The SELinux policy file (palo.te) is as follows:

        policy_module(palo, 1.0.3)

        # Types and classes referenced by the rules below
        require {
            type net_conf_t;
            type unreserved_port_t;
            type palo_t;
            type node_t;
            type sysfs_t;
            type setfiles_t;
            type var_lib_t;
            type proc_t;
            type palo_db_t;
            type palo_exec_t;
            type palo_lock_t;
            class tcp_socket { name_bind setopt bind create accept getattr shutdown node_bind listen read write };
            class dir { write relabelto read remove_name add_name };
            class file { rename read lock create write getattr relabelto unlink open append };
        }

        # Palo domain
        type palo_t;
        domain_type(palo_t)
        type palo_exec_t;
        init_daemon_domain(palo_t, palo_exec_t)

        # Palo file context types
        type palo_db_t;
        files_type(palo_db_t)
        type palo_etc_t;
        files_config_file(palo_etc_t)
        type palo_lock_t;
        files_lock_file(palo_lock_t)
        type palo_log_t;
        logging_log_file(palo_log_t)
        # Each file type is registered under its own name
        type palo_archived_t;
        files_type(palo_archived_t)
        type palo_unit_file_t;
        files_type(palo_unit_file_t)

        # Give palo_t access to its objects
        allow palo_t palo_db_t:dir { create open read getattr search lock ioctl write link unlink remove_name add_name };
        allow palo_t palo_db_t:file { create open read getattr lock ioctl write rename unlink append };
        allow palo_t palo_etc_t:file { open read getattr lock ioctl };
        allow palo_t palo_lock_t:file { read getattr lock ioctl unlink open };
        allow palo_t palo_log_t:file { getattr lock ioctl append };
        allow palo_t palo_archived_t:file { write append };
        allow palo_t var_lib_t:dir { write remove_name read add_name };
        allow palo_t var_lib_t:file { rename read lock create write getattr unlink open append };
        allow palo_t net_conf_t:file { read getattr open };

        # Network access: bind and listen on unreserved TCP ports
        allow palo_t node_t:tcp_socket node_bind;
        allow palo_t self:tcp_socket { getattr setopt shutdown bind create accept listen read write };
        allow palo_t unreserved_port_t:tcp_socket name_bind;
        allow palo_t palo_db_t:dir { remove_name add_name };
        allow palo_t proc_t:file { read open };
        allow palo_t sysfs_t:file { read open };

        # Let setfiles apply the palo labels
        allow setfiles_t palo_db_t:dir relabelto;
        allow setfiles_t palo_exec_t:file relabelto;


    If you want to build and install the policy yourself, then something like:

        # selinux-policy-devel provides /usr/share/selinux/devel/Makefile
        sudo dnf install libselinux-devel selinux-policy-devel
        mkdir ~/palo
        cd ~/palo
        # use the content above to create a palo.te file in ~/palo
        make -f /usr/share/selinux/devel/Makefile palo.pp
        sudo semodule -i ./palo.pp


    You can temporarily modify an SELinux security context with chcon, so for example:

        chcon -t palo_exec_t /usr/bin/palo

    Should pull the palo executable file and hence the palo process into the palo security context. You can see the impact of your handiwork with:

        ls -lZ /usr/bin/palo
        ps -efZ | grep palo


    To remove the policy use:

        sudo semodule -r palo

    As always comments / suggestions / criticism etc. welcome.

    Kind regards
    Michael
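
As an added example (not part of the post above or of the palo packaging): the audit2allow step reads every denial in audit.log, so this Python filter keeps only the AVC denials whose source domain is palo_t and groups them into candidate allow rules for review. The sample log lines, port, path and function names are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Pulls the permissions, source type, target type and class out of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Constructed sample records in audit.log format (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_bind } for  pid=2101 comm="palo" src=7777 scontext=system_u:system_r:palo_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=49 success=no exit=-13 comm="palo"
type=AVC msg=audit(1700000001.202:502): avc:  denied  { open } for  pid=2101 comm="palo" path="/var/log/palo.log" dev="dm-0" ino=9001 scontext=system_u:system_r:palo_t:s0 tcontext=system_u:object_r:palo_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.303:503): avc:  denied  { read } for  pid=2101 comm="palo" name="palo.log" dev="dm-0" ino=9001 scontext=system_u:system_r:palo_t:s0 tcontext=system_u:object_r:palo_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.404:504): avc:  denied  { write } for  pid=3300 comm="httpd" name="tmp" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
"""

def denials_for_domain(lines, domain="palo_t"):
    """Return {(target_type, class): {perms}} for denials whose source type is `domain`."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m and m.group("stype") == domain:
            rules[(m.group("ttype"), m.group("tclass"))].update(m.group("perms").split())
    return rules

def to_allow_rules(rules, domain="palo_t"):
    """Render the grouped denials as allow statements in .te syntax, sorted for diffing."""
    out = []
    for (ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == domain else ttype
        out.append(f"allow {domain} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    # With a path argument read that audit log, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print("\n".join(to_allow_rules(denials_for_domain(lines))))
```

Each emitted rule is a request to widen the policy, so read it against what palo actually needs before adding it to palo.te.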