14.2. Preparation and Planning

Before writing our policy module, we need to gather some information about the application, create a test configuration, and specify our security goals. We also must choose our target platform and policies. For our example, we target an FC4 system and create policy modules for the example strict policy (see Chapter 11) and a strict reference policy (see Chapter 12).

14.2.1. Gathering Application Information

Like all policy modules, our IRC module is primarily about creating a domain for the IRC daemon. Writing the policy module requires as much information as possible about how this daemon is designed and how it functions. In general, the better we understand the target application, the better the security and functionality of the resulting policy. Of particular importance are the application architecture (for example, the number and purpose of its processes and resources), administration (for example, documentation of configuration files), and existing security information. Existing information about the security of the application, including hardening guidelines, can prove helpful. Be warned, however, that security guidelines often do not give the full picture of the application's security, and they do not necessarily meet your specific security needs. Here is a sample of the information we collected about the Hybrid IRC daemon, which is the standard IRC daemon on FC4:
14.2.2. Creating a Test Environment

Writing policy modules requires testing and (in many cases) experimentation. Therefore, we need a test installation of the service on a system configured for policy development. Like all testing, it is important that the test environment match the deployment environment as closely as possible. For our purposes, we create a basic example IRC daemon installation on FC4. We also need a test system with an IRC client on the same network.

We start with a basic workstation installation of FC4, to which we add the example and reference policy source files and the IRC daemon. Appendix A, "Obtaining SELinux Sample Policies," provides instructions on how to obtain and install the required strict example policy and reference policy. The IRC daemon is installed with the following yum command, run as root in the security context root:sysadm_r:sysadm_t (for example, log in and su to root on a standard FC4 system):

# yum install ircd-hybrid

This installs the IRC daemon, its startup scripts, and example configuration files. We are now ready to edit the configuration file /etc/ircd/ircd.conf. We start with the file simple.conf provided in the documentation (/usr/share/doc/ircd-hybrid-7.2.0/simple.conf) and modify it slightly (the serverinfo sid, the operator password, and the identd option), as shown in Listing 14-1 (changed options are bolded).

Listing 14-1. Modified IRC Daemon Configuration File (ircd.conf)
Tip: For policy development, it is important to understand all the files and directories that are part of an application. The command rpm -ql ircd-hybrid lists the files and directories installed as part of the IRC daemon package.

The three changes that we make to this file are to change the unique identifier of the server (line 15), change the administrative password (line 68), and disable the use of identd (line 107). After saving this file as /etc/ircd/ircd.conf, we start the server (for now, on an FC4 system with SELinux in permissive mode) with the following commands:

# setenforce 0
# /etc/init.d/ircd start
Starting ircd: ircd: version hybrid-7.2.0
ircd: pid 9052
ircd: running in background mode from /usr/lib/ircd
[ OK ]

These commands show the ircd service starting successfully. Once started, the log file /var/log/ircd/ircd.log should contain the following entry (at or near the end):

[2006/2/3 04.25] Server Ready

Note that some access vector cache (AVC) messages may be generated, because we have not yet installed a specific policy for the server. We can ignore them for now.

14.2.3. Specifying Security Goals

The last preparation step is to specify the security goals for our IRC policy module. Without understanding what security means for this application, we have no basis for making security-critical decisions during the development of our policy module. This is our chance to think about the overall security concerns before we become immersed in the many details of the policy language. (Or, in the words of the proverbial saying, let's examine the "forest" before we are overwhelmed by the "trees.") We will revisit these security goals after creating our policy module to determine whether we met our objectives (that is, whether our forest is what we expected after we spent all our time planting trees). How to correctly determine and specify security goals is a large topic in itself, beyond the scope of this book. It comes mostly with experience and the correct mindset. Following are some security goals for a basic policy module for our IRC daemon:
These security goals are just a starting point. Many other security goals are possible for an IRC daemon or similar applications.
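Returning to the AVC messages mentioned in the test-environment step of Section 14.2.2: before setting them aside, it is worth condensing what they say, because together with the rpm -ql listing from the Tip they are a first map of the files, directories, and ports the daemon touches, which feeds directly into the labeling decisions and security goals above. The following shell script is an added example, not code from the book or from the ircd-hybrid project. It reduces AVC denial lines (from /var/log/messages or dmesg on an FC4 system, or from /var/log/audit/audit.log where auditd is running) to one allow-rule sketch per source type, target type, and object class, merging the permissions seen. The sample log lines are constructed for illustration; the contexts they show (sysadm_t, etc_t, var_log_t, port_t), the pid, and the inode numbers are assumptions, not captured output. The caveat is the one the book itself makes: until our module exists, ircd runs in whatever domain started it, so the source type in these sketches describes that domain, not the ircd domain we are about to write. The sketches are input to our thinking, not rules to paste into the module.

```shell
#!/bin/sh
# Added example (not from the book): condense SELinux AVC denials into
# allow-rule sketches.  Reads syslog, dmesg, or audit.log lines on stdin.
# Output, one line per (source type, target type, object class):
#   allow <stype> <ttype>:<class> { <perms> };   # <n> denial(s), comm=<cmd>

summarize_avc() {
    grep 'avc: *denied' | awk '
    # user:role:type[:range] -> type
    function ctx_type(ctx,    parts, np) {
        np = split(ctx, parts, ":")
        return (np >= 3) ? parts[3] : ctx
    }
    {
        # The denied permissions sit between "{" and "}" on every AVC line.
        perms = $0
        sub(/^.*\{ */, "", perms)
        sub(/ *\}.*$/, "", perms)

        stype = ttype = tclass = comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      stype  = ctx_type(substr($i, 10))
            else if ($i ~ /^tcontext=/) ttype  = ctx_type(substr($i, 10))
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }

        # Merge the permission set per (stype, ttype, class), keeping order.
        key = stype " " ttype ":" tclass
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : seen[key] " " p[j]
        count[key]++
        who[key] = comm
    }
    END {
        for (k in count)
            printf "allow %s { %s };\t# %d denial(s), comm=%s\n",
                   k, seen[k], count[k], who[k]
    }' | sort
}

# Constructed sample: what /var/log/messages might hold after starting ircd
# in permissive mode with no ircd policy.  Contexts, pid, and inodes are
# assumptions for illustration, not captured output.  The fifth line is in
# the audit.log format, which the parser handles the same way.
sample_avc_log() {
    cat <<'EOF'
Feb  3 04:25:01 fc4 kernel: audit(1138940701.123:45): avc:  denied  { read } for  pid=9052 comm="ircd" name="ircd.conf" dev=dm-0 ino=131078 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
Feb  3 04:25:01 fc4 kernel: audit(1138940701.124:46): avc:  denied  { read write } for  pid=9052 comm="ircd" name="ircd.log" dev=dm-0 ino=262150 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:var_log_t tclass=file
Feb  3 04:25:01 fc4 kernel: audit(1138940701.125:47): avc:  denied  { read } for  pid=9052 comm="ircd" name="ircd.conf" dev=dm-0 ino=131078 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
Feb  3 04:25:02 fc4 kernel: audit(1138940702.001:48): avc:  denied  { name_bind } for  pid=9052 comm="ircd" src=6667 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1138940702.002:49): avc:  denied  { search } for  pid=9052 comm="ircd" name="ircd" dev=dm-0 ino=393221 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:var_log_t tclass=dir
Feb  3 04:25:02 fc4 ircd[9052]: Server Ready
EOF
}

# Demonstration on the constructed sample.  On the test host, use e.g.
#   summarize_avc < /var/log/messages      or      dmesg | summarize_avc
sample_avc_log | summarize_avc
```

On the constructed input this prints four sketches, for example allow sysadm_t etc_t:file { read }; with a comment noting two denials, and allow sysadm_t var_log_t:file { read write }; with the two permissions merged from one line. Read the target types as the labeling questions for our module (does /etc/ircd/ircd.conf deserve its own type? does the daemon need its own log and port types?) rather than as rules to grant to sysadm_t.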