    login: root
    ....
    # newrole -r sysadm_r
    # id -Z
    root:sysadm_r:sysadm_t
    # cd /etc/selinux/seedit/src/policy/simplified_policy
    # setenforce 0

For details of the syntax, see 8.
    # simplified_policy/vsftpd_t.a
    {
    domain vsftpd_t;
    domain_trans initrc_t /usr/sbin/vsftpd;
    }

The domain statement defines the domain vsftpd_t. The domain_trans statement configures the domain transition: the parent domain is initrc_t and the entry point is /usr/sbin/vsftpd.
    # make diffrelabel

Usually make diffrelabel is enough.
    # /etc/init.d/vsftpd restart
    # ps -eZ
    ...
    root:system_r:vsftpd_t 13621 pts/1 00:00:00 vsftpd
    ...

You can see that the domain of vsftpd is vsftpd_t, so the domain transition succeeded.
Protect files related to vsftpd
If you want to protect the files related to a domain, the best way is to deny them in global. In this case, let's protect /etc/vsftpd and /var/ftp. Add the following to simplified_policy/global. Note that you have to add it between { and }.
    # In simplified_policy/global
    deny /etc/vsftpd;
    deny /var/ftp;

And
    # make diffrelabel

As a result, if some domain wants to access /etc/vsftpd or /var/ftp, the access must be allowed explicitly. For example, if httpd_t wants to read /etc/vsftpd, "allow /etc/vsftpd r;" must be written in httpd_t; if only "allow /etc r;" is written, access to /etc/vsftpd is not allowed. deny is useful for marking important files.
    # simplified_policy/vsftpd_t.a
    {
    domain vsftpd_t;
    domain_trans initrc_t /usr/sbin/vsftpd;
    # access to files related to vsftpd
    allow /etc/vsftpd r,s;
    allow /var/ftp r,s;
    allowonly /var/log r,w,s;
    # allow to communicate with syslog
    allow dev_log_t r,w,s;
    allowcom -unix syslogd_t;
    # allow to use tcp 20 and 21
    allownet;
    allownet -connect;
    allownet -tcp -port 20;
    allownet -tcp -port 21;
    #
    allowadm chroot;
    }

After writing this,
    # make diffrelabel

Let's review the file.
    allowonly /var/log r,w,s;

Here we want to allow writing to /var/log/xferlog. If we could configure

    allow /var/log/xferlog r,w,s;

that would be best. However, /var/log/xferlog may be deleted by the administrator, and when it is re-created the SELinux label information is lost, so we cannot control access to /var/log/xferlog itself. That is why we used allowonly /var/log r,w,s;. With this, vsftpd_t can write all files directly in /var/log/, but cannot write files in its child directories. This is better than allow /var/log r,w,s; (which allows write access to all files under /var/log, including child directories). Similarly, for /tmp and /var/run you cannot control access per file: in those directories files are deleted and re-created, and the SELinux label information may be lost.
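To make the two rules of thumb above concrete (a global deny must be matched by an allow at or below the denied path, and allowonly reaches only the directory's direct entries), here is a small Python model of those semantics as this page describes them. It is an added illustration, not seedit's own policy compiler; the policy strings are constructed from the listings above and the LOOSE_T domain is a hypothetical one using the broader allow form the page warns against.

```python
import posixpath
import re

# Constructed sample policies, modelled on the page's global and vsftpd_t.a listings.
GLOBAL = "{\ndeny /etc/vsftpd;\ndeny /var/ftp;\n}"
VSFTPD_T = "{\ndomain vsftpd_t;\nallow /etc/vsftpd r,s;\nallow /var/ftp r,s;\nallowonly /var/log r,w,s;\n}"
HTTPD_T = "{\ndomain httpd_t;\nallow /etc r;\n}"
LOOSE_T = "{\ndomain loose_t;\nallow /var/log r,w,s;\n}"   # hypothetical: the broader form

RULE = re.compile(r"^\s*(allow|allowonly|deny)\s+(/\S*)\s*([\w,]*)\s*;")

def parse(text):
    """Return (kind, path, perms) for file rules; domain/allownet/etc. lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            kind, path, perms = m.groups()
            rules.append((kind, path.rstrip("/") or "/", {p for p in perms.split(",") if p}))
    return rules

def under(path, prefix):
    """True if path is prefix itself or lies anywhere below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def permitted(domain_text, global_text, path, perm):
    """Does the domain get `perm` on `path`?  Model of the semantics described on the
    page (an assumption for illustration, not seedit's real policy compiler)."""
    # global deny entries that cover the requested path
    covering = [p for k, p, _ in parse(global_text) if k == "deny" and under(path, p)]
    for kind, rpath, perms in parse(domain_text):
        if perm not in perms:
            continue
        if kind == "allow":
            hit = under(path, rpath)                   # allow covers the whole subtree
        elif kind == "allowonly":
            # allowonly covers the directory and its direct entries, not child directories
            hit = path == rpath or posixpath.dirname(path) == rpath
        else:
            hit = False
        # A rule above a denied prefix does not reach into it: the allow must name the
        # denied path itself or something below it ("allow /etc r;" does not open /etc/vsftpd).
        if hit and all(under(rpath, d) for d in covering):
            return True
    return False
```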
    # add to simplified_policy/initrc_t.a
    allow /etc/vsftpd r,s;

Then,

    # make diffrelabel