Contribution of SELinux security policy #29

Open
GoogleCodeExporter opened this issue May 15, 2015 · 4 comments
GoogleCodeExporter commented May 15, 2015

What new or enhanced feature are you proposing?

Defining a MUNGE SELinux security policy.

What goal would this enhancement help you achieve?

An SELinux security policy is missing from the munge rpm in Red Hat EPEL.

With an initial SELinux policy for defining a security domain, one can put that domain into permissive mode to see what is required to use the software.

This makes it possible to use MUNGE on an SELinux enabled system, as one can put a single domain into permissive mode to observe what permissions are required for the full functionality.

Please provide any additional information below.

With SELinux, each process runs in a domain which determines its access rights with respect to other domains. The policy defines a domain munge_t in which the munge daemon as well as the user commands run (automatic domain transition on execution of the binaries), and provides minimal permissions the daemon needs to start. The working directories in /var/run belong to the domain munge_var_run_t. This assumes that SELinux runs the Red Hat targeted policy.

munge.te.gz
munge.if.gz
munge.fc.gz

Contributed by Cezary Sliwa <[email protected]>.

References:
https://wiki.centos.org/HowTos/SELinux

Original issue reported on code.google.com by chris.m.dunlap on 3 Apr 2014 at 5:52

@William-Brown

I was unable to compile this policy without adding to munge.te, in the gen_require section, 'role user_r;'. Otherwise it failed to compile, reporting 'unknown role user_r'.
munge.zip

dun commented Jan 11, 2017

Thanks! Could you post the list of steps you used to get this installed?

@William-Brown

In fact, having started to use the policy, I had to make some more changes to munge.te, as otherwise munged couldn't write to /var/log/munge. I am not 100% sure if my fixes were the cleanest solution, but they did work. So I attach a further revised munge.te.

munge.zip

I was installing to CentOS 7 (CentOS Linux release 7.3.1611).

To compile the module, you need to install the selinux-policy-devel package as that provides the Makefile required.

Copy the three provided Reference Policy Module files into an empty directory. These are munge.te (Type Enforcement file), munge.fc (File Contexts file), and munge.if (Interfaces file).

Copy the example makefile from /usr/share/selinux/devel/Makefile into the same directory.

Run make to create the .pp file.

Install the new policy (this will survive reboots):

/usr/sbin/semodule -i munge.pp

Once the munge.pp file is created it can be copied to other systems and installed using semodule as above. Once it is built it is worth saving the .pp file off-host: if you rebuild the server you don't need to install selinux-policy-devel and recompile, you just run semodule to install the compiled policy. Note however that if an update is made to the source files it would need to be recompiled.
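The build-and-install steps above, together with the "put a single domain into permissive mode and watch what it needs" approach from the opening post, as one shell script. This is an added example, not code from the issue or from the MUNGE project. It assumes the three Reference Policy files sit in the directory passed as the first argument, the CentOS 7 path /usr/share/selinux/devel/Makefile given in the comment, and the domain name munge_t from the opening post; semanage, ausearch and audit2allow are the standard SELinux administration tools, not something the thread lists. The check for 'role user_r;' reflects the compile failure reported earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the issue or the MUNGE project): build, install and
# observe the MUNGE SELinux module following the steps in the thread.
# Assumptions: munge.te/.fc/.if are in the directory given as $1, and
# selinux-policy-devel has been installed so that DEVEL_MAKEFILE exists.

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile
DOMAIN=munge_t   # domain name from the opening post

# Return 0 when a directory holds the three Reference Policy source files.
check_module_sources() {
    dir=$1
    for f in munge.te munge.fc munge.if; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    return 0
}

# Return 0 when munge.te declares 'role user_r;' in its require block,
# the addition the thread needed to get the module to compile.
has_user_r_require() {
    grep -q 'role user_r;' "$1"
}

# Copy the devel Makefile next to the sources and build munge.pp.
build_module() {
    dir=$1
    check_module_sources "$dir" || return 1
    has_user_r_require "$dir/munge.te" || \
        echo "warning: munge.te has no 'role user_r;' require; the build may fail" >&2
    [ -f "$DEVEL_MAKEFILE" ] || { echo "install selinux-policy-devel first" >&2; return 1; }
    cp "$DEVEL_MAKEFILE" "$dir/Makefile"
    (cd "$dir" && make munge.pp)
}

# Install the compiled module; it persists across reboots.
install_module() {
    /usr/sbin/semodule -i "$1/munge.pp"
}

# Put only the MUNGE domain into permissive mode so the rest of the system
# stays enforcing, then point at the denial log for the next step.
observe_permissive() {
    semanage permissive -a "$DOMAIN" || return 1
    echo "Domain $DOMAIN is permissive. Exercise munged, munge and unmunge, then review:"
    echo "  ausearch -m AVC -ts recent | audit2allow"
    echo "Remove the exception again with: semanage permissive -d $DOMAIN"
}

# Only act on the live system when explicitly asked, so the functions above
# can be sourced and exercised without touching the SELinux policy store.
if [ "${MUNGE_POLICY_APPLY:-0}" = 1 ]; then
    build_module "${1:-.}" && install_module "${1:-.}" && observe_permissive
fi
```

Run it as `MUNGE_POLICY_APPLY=1 sh build-munge-policy.sh /path/to/module-sources` on the build host; on other hosts only `install_module` is needed, which matches the advice above to keep the compiled .pp file off-host.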

dun commented Jan 12, 2017

I haven't had time to do anything with SELinux yet, so this helps a lot. I'll get this installed on a test system next week and try to make sense of it all. Thanks again!

@dun dun modified the milestones: 0.5.13, 0.5.14 Sep 26, 2017
@dun dun removed this from the 0.5.14 milestone Aug 28, 2019