Wednesday, March 13, 2019

Fedora 29 : Use Selinux with Firefox.

Today I tested Selinux with the Firefox browser. The main purpose was to create a policy for this browser. You can use this example to create your own policies. Using Fedora 29 this problem can be resolved easily. Let's start with installing an important packet using the dnf tool.
[root@desk selinux_001]# dnf install policycoreutils-devel
Let's see the other commands used to create policies named firefox.te:
[mythcat@desk ~]$ mkdir selinux_001
[mythcat@desk ~]$ cd selinux_001/
[mythcat@desk selinux_001]$ whereis firefox
firefox: /usr/bin/firefox /usr/lib64/firefox /etc/firefox /usr/share/man/man1/firefox.1.gz
[mythcat@desk selinux_001]$ sepolicy generate --init -n firefox /usr/bin/firefox 
nm: /usr/bin/firefox: file format not recognized
Failed to retrieve rpm info for selinux-policy
Created the following files:
/home/mythcat/selinux_001/firefox.te # Type Enforcement file
/home/mythcat/selinux_001/firefox.if # Interface file
/home/mythcat/selinux_001/firefox.fc # File Contexts file
/home/mythcat/selinux_001/firefox_selinux.spec # Spec file
/home/mythcat/selinux_001/firefox.sh # Setup Script
[mythcat@desk selinux_001]$ cat firefox.te


policy_module(firefox, 1.0.0)

########################################
#
# Declarations
#

type firefox_t;
type firefox_exec_t;
init_daemon_domain(firefox_t, firefox_exec_t)

permissive firefox_t;

########################################
#
# firefox local policy
#
allow firefox_t self:fifo_file rw_fifo_file_perms;
allow firefox_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(firefox_t)

files_read_etc_files(firefox_t)

miscfiles_read_localization(firefox_t)
[mythcat@desk selinux_001]$ cat firefox.fc 
/usr/bin/firefox        --    gen_context(system_u:object_r:firefox_exec_t,s0)
I have modified this policy generated by sepolicy by adding my own rules:
[mythcat@desk selinux_001]$ cat firefox.te
policy_module(firefox, 1.0.0)

########################################
#
# Declarations
#

type firefox_t;
type firefox_exec_t;
init_daemon_domain(firefox_t, firefox_exec_t)

permissive firefox_t;
# my rules
require {
    type unreserved_port_t;
    type http_port_t;
    class tcp_socket { accept listen name_bind name_connect };
}

########################################
#
# firefox local policy
#
allow firefox_t self:fifo_file rw_fifo_file_perms;
allow firefox_t self:unix_stream_socket create_stream_socket_perms;

# my rules
allow firefox_t http_port_t:tcp_socket { name_bind name_connect };
allow firefox_t unreserved_port_t:tcp_socket { name_bind name_connect };
allow firefox_t self:tcp_socket { listen accept };

domain_use_interactive_fds(firefox_t)

files_read_etc_files(firefox_t)

miscfiles_read_localization(firefox_t)
I used the following commands to get my own policy:
[mythcat@desk selinux_001]$ make -f /usr/share/selinux/devel/Makefile
Compiling targeted firefox module
/usr/bin/checkmodule:  loading policy configuration from tmp/firefox.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 19) to tmp/firefox.mod
Creating targeted firefox.pp policy package
rm tmp/firefox.mod tmp/firefox.mod.fc
[mythcat@desk selinux_001]$ sudo semodule -i firefox.pp
[sudo] password for mythcat: 
The semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. Let's see the result:
[root@desk selinux_001]# semodule -l | grep firefox
firefox

1 comment:

Leslie Satenstein said...

It is an interesting idea. Before I implement, what happens with
a) upgrades?
b) with the addition/removal of addons to existing Firefox.

What protection does it give me if b) is not reported by Selinux?

Post a Comment