Writing SELinux rules for RPM


When I needed to write a SELinux policy for a web application running on httpd for CentOS 7, I was surprised by the lack of documentation. Despite SELinux having been available for many years, I haven’t found well-documented best practices for packaging and distributing a policy.

After some research I found there are two main ways to do it: by writing a SELinux module or by writing imperative commands in RPM scriptlets.

SELinux module

The best way is to write a SELinux module, as it declares a state that must be enforced. I haven’t found any good resources on the syntax or on how to start from scratch. It seems the recommendation is to use audit2allow, a program that generates SELinux policy rules from logs of denied operations. The idea is that you run the application in permissive mode (denials are logged but not enforced) and then you pass the logged denials to the tool.
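As an added illustration of that workflow, and not the post's own material nor the audit2allow tool itself, the script below shows the shape of what audit2allow produces from the AVC denials logged during a permissive run, so the rules can be read and reviewed before they are compiled into a module. The AVC lines are constructed sample data; the httpd_t source type, the target types and the commands listed in the header comment are assumptions about a typical httpd deployment.

```shell
#!/bin/sh
# Added example, not from the original post and not the audit2allow tool
# itself: a cut-down illustration of what audit2allow does with the AVC
# denials collected from a permissive run, so the generated rules can be
# reviewed before they go into a module. The sample AVC lines below are
# constructed; the httpd_t source type and the target types are assumptions.
#
# The real workflow on the host (not run here) is roughly:
#   setenforce 0                                   # permissive, log only
#   ... exercise the application ...
#   ausearch -m AVC -ts recent | audit2allow -M mywebapp
#   (review mywebapp.te, then) semodule -i mywebapp.pp
#   setenforce 1

SAMPLE_AVC='type=AVC msg=audit(1700000000.123:101): avc:  denied  { read open } for  pid=2001 comm="httpd" name="config.yml" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.456:102): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.789:103): avc:  denied  { write } for  pid=2001 comm="httpd" name="cache" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1'

# Read AVC lines on stdin and emit one TE allow rule per
# (source type, target type, object class), merging the permissions.
# Rules whose target is default_t or unlabeled_t get a review comment:
# such a denial usually means no file-context rule matches the files, and
# the fix is a semanage fcontext rule plus restorecon, not an allow rule.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)       # keep text after "denied {"
        sub(/ *[}].*/, "", perms)               # ... up to the closing "}"
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")    # user:role:type:level
        key = sa[3] SUBSEP ta[3] SUBSEP c
        if (!(key in order)) order[key] = ++nkeys
        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++) {
            if ((key, pa[i]) in seen) continue
            seen[key, pa[i]] = 1
            rule[key] = rule[key] (rule[key] == "" ? "" : " ") pa[i]
        }
    }
    END {
        for (key in rule) {
            split(key, p, SUBSEP)
            line = "allow " p[1] " " p[2] ":" p[3] " { " rule[key] " };"
            if (p[2] == "default_t" || p[2] == "unlabeled_t")
                line = "# REVIEW: target " p[2] " means no file-context rule matches these files; prefer semanage fcontext + restorecon\n" line
            out[order[key]] = line
        }
        for (i = 1; i <= nkeys; i++) print out[i]
    }'
}

# Runs the converter on the constructed sample.
sample_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}
```

Running `sample_rules` prints three allow rules; the two that target default_t are flagged for review, which is the point of reading the generated policy instead of installing it blindly: an allow rule on default_t would permit httpd to touch every unlabelled file on the system, whereas labelling the application's files correctly keeps the grant scoped to them.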

RPM scriptlets

The easy way is to write the necessary commands in RPM scriptlets. There’s good documentation on how to configure rules with the semanage and setsebool CLI. You can write these in the %post/%preun scriptlets of the RPM that contains the application. See the end of this page for example scriptlets. The problem with these is that, because you don’t declare a state, you have to specify the commands both for installing and for uninstalling the rules. Plus, you need to take into account how upgrades are affected by the policy (for example, if new unlabeled files are added). A further problem is that if a package fails to install, you can end up with an inconsistent or unclean state.
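The following is an added example of the scriptlet approach, written for this edit and not taken from the post: the logic of a %post and a %preun scriptlet that apply rules with semanage and setsebool, wrapped in shell functions so that it can be checked outside a build root. It relies on the instance count RPM passes in $1 to distinguish a fresh install or final removal from an upgrade, which is how the upgrade problem mentioned above is handled. The package name mywebapp, the path /opt/mywebapp, the chosen file-context types and the boolean are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the logic of %post/%preun
# scriptlets that apply SELinux rules imperatively with semanage/setsebool.
# Package name "mywebapp", the path /opt/mywebapp and the chosen types and
# boolean are assumptions for illustration.
#
# RPM passes an instance count in $1:
#   %post   1 = fresh install,   2 or more = upgrade (new version installed)
#   %preun  0 = final uninstall, 1 or more = upgrade (old version removed)
# Acting only on 1 (post) and 0 (preun) keeps an upgrade from deleting the
# rules the new version still needs.

APP_DIR="/opt/mywebapp"

# DRY_RUN=1 prints each command instead of executing it, so the scriptlet
# logic can be checked on a machine without SELinux or root.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Skip quietly on hosts where SELinux is disabled or the policy tools are
# missing; a failing scriptlet would otherwise abort the package install.
selinux_active() {
    command -v semanage >/dev/null 2>&1 && selinuxenabled 2>/dev/null
}

# %post body
post_scriptlet() {
    [ "$1" = "1" ] || return 0                  # upgrade: rules already exist
    [ "$DRY_RUN" = "1" ] || selinux_active || return 0
    # Persistent file-context rules, then relabel files already on disk.
    run semanage fcontext -a -t httpd_sys_content_t "${APP_DIR}(/.*)?"
    run semanage fcontext -a -t httpd_sys_rw_content_t "${APP_DIR}/data(/.*)?"
    run restorecon -R "$APP_DIR"
    # -P makes the boolean survive reboots.
    run setsebool -P httpd_can_network_connect_db on
}

# %preun body
preun_scriptlet() {
    [ "$1" = "0" ] || return 0                  # upgrade: keep rules
    [ "$DRY_RUN" = "1" ] || selinux_active || return 0
    run setsebool -P httpd_can_network_connect_db off
    run semanage fcontext -d -t httpd_sys_rw_content_t "${APP_DIR}/data(/.*)?"
    run semanage fcontext -d -t httpd_sys_content_t "${APP_DIR}(/.*)?"
}

# In the .spec file the function bodies go under the scriptlet headers,
# using $1 directly:
#   %post
#   <body of post_scriptlet>
#   %preun
#   <body of preun_scriptlet>
```

Running `DRY_RUN=1 sh -c '. ./scriptlets.sh; post_scriptlet 1'` (assuming the block is saved as scriptlets.sh) lists the four commands a fresh install would run, while `post_scriptlet 2` and `preun_scriptlet 1` print nothing because an upgrade must leave the rules untouched. Relabelling with a file-context rule rather than granting httpd access to whatever type the files happened to get is the least-privilege choice, and restorecon after semanage is what makes the rule take effect on files the package has just unpacked.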

Conclusion

Fortunately SELinux provides sensible defaults for Apache httpd, so your scriptlets should be short. However, if you want to do something more complex, you will have to do more research on how to write a module. Some documents that might be worth reading:
