# selinux: writing local policies

## nsoveiko

i'm a selinux noob and this is my first install with hardened/selinux profile. after reading selinux handbook i decided to go with the 'strict' policy. after booting into permissive mode and examining /var/log/avc.log i found a whole bunch of denials.

1) apparently there's no dhclient policy. audit2allow suggests rules that are way too permissive:

```
# grep dhclient /var/log/avc.log | audit2allow -m local_dhclient

module local_dhclient 1.0;

require {
        type dhcpc_t;
        type unreserved_port_t;
        type var_lib_t;
        class dir { write add_name };
        class udp_socket name_bind;
        class file { write create open getattr };
}

#============= dhcpc_t ==============
allow dhcpc_t unreserved_port_t:udp_socket name_bind;
allow dhcpc_t var_lib_t:dir { write add_name };
allow dhcpc_t var_lib_t:file { write create open getattr };
```

from what i understand, this allows wholesale writing to /var/lib and binding to any udp port. how do i make it more restrictive?

2) i'm usually running sshd on a port different to 22. again, audit2allow suggests allowing sshd to bind to any port:

```
# grep sshd /var/log/avc.log | audit2allow -m local_sshd

module local_sshd 1.0;

require {
        type reserved_port_t;
        type sshd_t;
        class tcp_socket name_bind;
}

#============= sshd_t ==============
allow sshd_t reserved_port_t:tcp_socket name_bind;
```

how do i properly redefine sshd port?

----------

## Sven Vermeulen

Regarding dhclient (dhcpc_t), try to find out what it wants to do in /var/lib. It might have a subdirectory there that shouldn't be labeled var_lib_t but dhcpc_state_t instead:

```
# semanage fcontext -l | grep dhclient
/etc/dhclient-script                               regular file       system_u:object_r:dhcp_etc_t
/etc/dhclient.*conf                                regular file       system_u:object_r:dhcp_etc_t
/etc/dhcp/dhclient\.d(/.*)?                        all files          system_u:object_r:bin_t
/etc/dhcp3?/dhclient.*                             all files          system_u:object_r:dhcp_etc_t
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* regular file       system_u:object_r:bin_t
/sbin/dhclient.*                                   regular file       system_u:object_r:dhcpc_exec_t
/var/lib/dhclient(/.*)?                            all files          system_u:object_r:dhcpc_state_t
/var/lib/dhcp3?/dhclient.*                         all files          system_u:object_r:dhcpc_state_t
/var/run/dhclient.*                                regular file       system_u:object_r:dhcpc_var_run_t
/var/run/nm-dhclient.*                             all files          system_u:object_r:NetworkManager_var_run_t
```

If the /var/lib/dhclient directory doesn't exist by default, and dhclient creates it, it doesn't get this proper context automatically.

Since you run in permissive mode, you might just need to run restorecon -Rv /var/lib to correct the labels.

The unreserved port might be correct to add though, can't tell without looking at the AVC denial itself and perhaps dhclient code.

On the SSH port stuff, it's better to assign the non-default port the ssh_port_t type instead. Below tells SELinux that port 8022 should also be labeled ssh_port_t:

```
# semanage port -a -t ssh_port_t -p tcp 8022
```

----------

## nsoveiko

*Sven Vermeulen wrote:*

> Regarding dhclient (dhcpc_t), try to find out what it wants to do in /var/lib. It might have a subdirectory there that shouldn't be labeled var_lib_t but dhcpc_state_t instead:

it writes to /var/lib/dhcp/dhclient.leases creating that directory at runtime if necessary. and since it's not included in the policy module, it gets default context for /var/lib. bug?

*Quote:*

> The unreserved port might be correct to add though, can't tell without looking at the AVC denial itself and perhaps dhclient code.

```
May 19 06:31:02 spook kernel: [248066.681969] type=1400 audit(1368937862.040:197): avc:  denied  { name_bind } for  pid=18961 comm="dhclient" src=29949 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
```

*Quote:*

> On the SSH port stuff, it's better to assign the non-default port the ssh_port_t type instead. Below tells SELinux that port 8022 should also be labeled ssh_port_t:
>
> ```
> # semanage port -a -t ssh_port_t -p tcp 8022
> ```
> ...

neat! will it survive a reboot?

----------
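Sven's advice above (look for a mislabeled target and restore file contexts, or give the port a specific type, before accepting an audit2allow rule) and the AVC line nsoveiko posted can be turned into a small triage pass over avc.log. This is an added example, not code from the thread: the parser handles the denial format shown above, the second sample line is constructed to match the var_lib_t:dir rule audit2allow produced, and the lists of "generic" types are an assumption for illustration.

```python
import re

# Constructed sample log: line 1 is the dhclient denial quoted above; line 2 is an
# assumed denial of the same shape, matching the var_lib_t:dir rule audit2allow
# generated for dhcpc_t (it is not taken from the original post).
SAMPLE_AVC = """\
May 19 06:31:02 spook kernel: [248066.681969] type=1400 audit(1368937862.040:197): avc:  denied  { name_bind } for  pid=18961 comm="dhclient" src=29949 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
May 19 06:31:03 spook kernel: [248067.000000] type=1400 audit(1368937863.000:198): avc:  denied  { write add_name } for  pid=18961 comm="dhclient" name="dhcp" dev="sda3" ino=4242 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed lists of generic types that usually point at a labeling gap, not a missing rule.
GENERIC_FILE_TYPES = {"var_lib_t", "var_t", "var_run_t", "etc_t", "tmp_t"}
GENERIC_PORT_TYPES = {"port_t", "reserved_port_t", "unreserved_port_t"}


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # system_u:system_r:dhcpc_t -> dhcpc_t (the type is the third field of a context)
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Classify a denial by the kind of fix to look at before writing an allow rule."""
    if "name_bind" in rec["perms"] and rec["ttype"] in GENERIC_PORT_TYPES:
        # Generic port label: check whether a specific port type fits (for sshd,
        # semanage port -a -t ssh_port_t ...) before allowing name_bind on every such port.
        return "port-label"
    if rec["tclass"] in ("dir", "file", "lnk_file") and rec["ttype"] in GENERIC_FILE_TYPES:
        # Generic file label: compare with semanage fcontext -l and run restorecon first.
        return "file-label"
    return "review"  # may need a real allow rule or be a policy bug; needs a human look


def triage_log(text):
    """Parse every denial in text and return (comm, stype, ttype, tclass, category) rows."""
    rows = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rows.append((rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], triage(rec)))
    return rows
```

Run `triage_log` over `/var/log/avc.log` and group the rows by category: the file-label rows are the ones to fix with restorecon or a fcontext entry, the port-label rows with semanage port, and only what is left is a candidate for a local policy module.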

## nsoveiko

*nsoveiko wrote:*

> neat! will it survive a reboot?

well, it did. thank you!

----------

