SELinux modules and priority

introduction

The new SELinux modules storage in /var/lib/selinux/ allows to use priority on SELinux modules.

# ls /var/lib/selinux/targeted/active/modules
100  400  disabled  

The default priority and priority used in selinux-policy-* packages is 100.

# ls /var/lib/selinux/targeted/active/modules/100 | wc -l
396  

It means that a user can overwrite an existing module with a module she modified. The highest priority wins.

# semodule --list-modules=full | grep sandbox
400 sandbox           pp  
100 sandbox           pp  

example

Lets say that we change the default SELinux context for /var/www/html from httpd_sys_content_t to httpd_sys_rw_content_t (it's only example, not a good idea)

apache.pp

we prepare a new apache.pp module with modified file context for /var/www

$ dnf download --source selinux-policy
$ rpm -i selinux-policy-3.13.1-127.fc23.3.src.rpm
$ rpmbuild -bp ~/rpmbuild/SPECS/selinux-policy.spec
$ cd ~/rpmbuild/BUILD/serefpolicy-contrib-3.13.1
$ vim apache.fc
---
-/var/www(/.*)?              gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?              gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
---
$ make -f /usr/share/selinux/devel/Makefile apache.pp

install the module

$ sudo matchpathcon /var/www 
/var/www        system_u:object_r:httpd_sys_content_t:s0

$ sudo semodule -X 400 -i apache.pp
$ sudo semodule --list=full | grep apache
400 apache            pp  
100 apache            pp         

$ sudo matchpathcon /var/www                         
/var/www        system_u:object_r:httpd_sys_rw_content_t:s0

and return back to default

$ sudo semodule -X 400 -r apache   
libsemanage.semanage_direct_remove_key: apache module at priority 100 is now active.

$ sudo matchpathcon /var/www       
/var/www        system_u:object_r:httpd_sys_content_t:s0

note

You need to have the latest release 20150202 of SELinux userspace tools and selinux-policy packages with migrated storage. You can find everything in plautrba/selinux repository.