A short note on how I went through and set up a policy for smbd (samba) to be able to share files in an SE Linux environment. I have just installed Fedora Core 5, and SELinux was installed in targeted / enforcing mode. This version seems more polished than previous versions, so I thought I should get to know the setup and how it all works. The following notes show the process I went through to get it all to work.
With the maturing of the SE Linux environment, it is time that I started to use the targeted policy to reduce the chance of compromise on my servers. In the past 14 years of running Linux servers in production environments I have only had a small number of them compromised, but having SE Linux policies wrapped around the publicly facing daemons seems to be an additional tool in my belt. Anyway, enough of the ranting. The following steps are what I had to do to get a working smbd policy for my server. I had a quick look around and was not able to find an easy way of making the policy, so I had to resort to the basics and do it by trial and error. I used tools from the following packages. The one(s) marked with a * I had to install.

    policycoreutils
    checkpolicy *
    audit *
I installed all of the above packages and started to tail /var/log/audit/audit.log to see what was happening to my smbd calls. I started by trying to access the shares, then once that was working tried the basic adding and removing of files and directories until I came up with a running policy. The basic steps I took were as follows:

- make a call via smbd (just browsing to a share to start with)
- watch the audit log (tail -f /var/log/audit/audit.log)
- run audit2allow against the audit log
- install the resulting policy
I continued the above process until I was happy with the resulting policy. As I was only interested in the smbd daemon calls, I filtered the audit log with a grep as follows:

    grep type=AVC /var/log/audit/audit.log | grep smbd | audit2allow -M local_smbd
This took a bit of doing, as each time I wanted to change the policy I had to unload the current one first (I am sure there is a way to make updates to a policy, however I haven't found it as yet). So I wrote a script to handle the rebuilding of the policy.

build_smb_sepol:

    #!/bin/sh
    # Build the smbd SELinux policy module from the AVC denials in the audit log.
    # If a previous version of the module is loaded, unload it first, since the
    # rebuilt module cannot simply be inserted over it.
    if semodule -l | grep -q local_smbd; then
        echo "Module loaded!"
        echo -n "Unloading ... "
        if ! semodule -r local_smbd; then
            echo "failed"
            exit 1
        fi
        echo "OK"
    fi
    # Regenerate local_smbd.te and local_smbd.pp from the smbd denials only, then load the module.
    # Stop if audit2allow fails, so a stale .pp is not installed by mistake.
    grep type=AVC /var/log/audit/audit.log | grep smbd | audit2allow -M local_smbd || exit 1
    semodule -i local_smbd.pp
The resulting policy (local_smbd.te):

    module local_smbd 1.0;

    require {
        role object_r;
        role system_r;
        class dir { add_name create getattr read remove_name rename rmdir search write };
        class file { create getattr lock read setattr unlink write };
        type binfmt_misc_fs_t;
        type file_t;
        type rpc_pipefs_t;
        type smbd_t;
        type sysctl_fs_t;
        type var_lib_nfs_t;
    };

    allow smbd_t binfmt_misc_fs_t:dir getattr;
    allow smbd_t file_t:dir { add_name create getattr read remove_name rename rmdir search write };
    allow smbd_t file_t:file { create getattr lock read setattr unlink write };
    allow smbd_t rpc_pipefs_t:dir getattr;
    allow smbd_t sysctl_fs_t:dir search;
    allow smbd_t var_lib_nfs_t:dir search;
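As an added example (not from the original page and not the audit tools' own code), the following Python shows what the grep | audit2allow step above does with the AVC lines: it parses constructed sample audit records, keeps only the smbd denials, merges them into allow rules in the same form as local_smbd.te, and flags any rule whose target is file_t, the type carried by files with no SELinux label, since such a rule points at a share directory that still needs a proper label rather than at a gap in the policy. The log lines and the SAMPLE_LOG, parse_avc, collect_rules, render_allow and review names are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the page): smbd denials, one httpd denial, one non-AVC line.
SAMPLE_LOG = """\
type=AVC msg=audit(1143213337.123:45): avc:  denied  { search } for  pid=2201 comm="smbd" name="/" dev=proc ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1143213339.456:46): avc:  denied  { read } for  pid=2201 comm="smbd" name="share" dev=hda2 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1143213340.789:47): avc:  denied  { write } for  pid=2201 comm="smbd" name="share" dev=hda2 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1143213341.000:48): avc:  denied  { getattr } for  pid=1999 comm="httpd" name="/" dev=hda2 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1143213341.000:48): arch=40000003 syscall=195 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return (source type, target type, class, permissions, comm) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('sctx').split(':')[2]   # user:role:type[:level] -> type
    ttype = m.group('tctx').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split()), m.group('comm')

def collect_rules(lines, comm='smbd'):
    """Merge one daemon's denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed and parsed[4] == comm:
            stype, ttype, tclass, perms, _ = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_allow(rules):
    """Render the merged denials as allow rules in the .te syntax of local_smbd.te."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        words = ' '.join(sorted(perms))
        out.append('allow %s %s:%s %s;' % (stype, ttype, tclass, words if len(perms) == 1 else '{ %s }' % words))
    return out

def review(rules):
    """Flag rules targeting file_t/unlabeled_t: label the share directory instead of allowing them."""
    return sorted(key for key in rules if key[1] in ('file_t', 'unlabeled_t'))

if __name__ == '__main__':
    rules = collect_rules(SAMPLE_LOG.splitlines())
    print('\n'.join(render_allow(rules)), 'relabel instead:', review(rules))
```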
This is a short description of what I have done to get a working policy. Please feel free to drop me a line at < darrink at dknss dot com > if you would like to add some information to this page or correct some of the processes.