Monday, August 29, 2011

How to create a custom SELinux module on a Linux box?

■ Requirement : Create a custom SELinux module
■ OS Environment : Linux ( RHEL, Centos)
■ Symptom Encountered : 

sftp was set up on a Linux box, but sshd was not allowing sftp users to access their directories. The following messages were found in audit.log:

type=CRED_ACQ msg=audit(1314648699.931:26195): user pid=25524 uid=0 auid=503 ses=671 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="user" exe="/usr/sbin/sshd" hostname=kmaiti.pnq.redhat.com addr=10.65.192.160 terminal=ssh res=success'
type=AVC msg=audit(1314648699.931:26196): avc: denied { getattr } for pid=25524 comm="sshd" path="/chroots" dev=dm-0 ino=34612 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

■ Implementation Steps : 

1. To allow the source context (sshd_t) access to the target context (default_t), I created a custom module from the logged denials and loaded it into SELinux:

$ grep sshd_t /var/log/audit/audit.log | audit2allow -m sftplocal > sftplocal.te
$ checkmodule -M -m -o sftplocal.mod sftplocal.te
$ semodule_package -o sftplocal.pp -m sftplocal.mod
$ semodule -i sftplocal.pp
$ semodule -l |grep sftplocal

2. To unload the module, disable it by name (semodule takes the module name, not the .pp file; use -r instead of -d to remove it entirely):

$ semodule -d sftplocal
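
As an added example (not part of the original post), the following Python reproduces what the audit2allow -m sftplocal step above does with the AVC line quoted earlier: it parses the denial into source type, target type, object class and permissions, and renders the .te source that checkmodule then compiles. The module name and the two sample log lines come from the post; the function names and the output layout are assumptions.

```python
"""Parse SELinux AVC denials and emit minimal policy module source (.te), the
way `audit2allow -m sftplocal` does for the denial quoted in the post."""
import re
from collections import defaultdict

# Constructed sample: the two audit.log lines quoted above. The CRED_ACQ record
# is not a denial and is skipped, just as audit2allow ignores it.
SAMPLE_AUDIT_LOG = """\
type=CRED_ACQ msg=audit(1314648699.931:26195): user pid=25524 uid=0 auid=503 ses=671 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="user" exe="/usr/sbin/sshd" hostname=kmaiti.pnq.redhat.com addr=10.65.192.160 terminal=ssh res=success'
type=AVC msg=audit(1314648699.931:26196): avc: denied { getattr } for pid=25524 comm="sshd" path="/chroots" dev=dm-0 ino=34612 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    """user:role:type[:range] -> type (e.g. ...:sshd_t:s0-s0:c0.c1023 -> sshd_t)."""
    return context.split(":")[2]

def parse_denials(text):
    """Return {(source_type, target_type, tclass): {perm, ...}} for every AVC denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def to_te(module_name, rules, version="1.0"):
    """Render the rules as a .te module with the require block audit2allow emits."""
    types = sorted({t for s, d, _ in rules for t in (s, d)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, d, cls), perms in sorted(rules.items()):
        # Note: this grants s the permission on every d-labelled cls, not just
        # the one path in the denial; review the rule before loading it with semodule -i.
        out.append(f"allow {s} {d}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te("sftplocal", parse_denials(SAMPLE_AUDIT_LOG)))
```

For the sample above the generated rule is allow sshd_t default_t:dir { getattr }; which covers every default_t directory, so relabelling /chroots with a more specific type is often the narrower fix.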
