How to create an SELinux custom RPM package
Technical Articles ID: KB94454
Last Modified: 8/31/2021
Environment
McAfee Agent (MA) 5.7.x
Security-Enhanced Linux (SELinux)
Summary
This article provides steps to build an SELinux custom RPM package with McAfee Agent. The package contains an SELinux policy, so that the McAfee Agent process can read, write, and execute in a custom folder path.
IMPORTANT:
- This package can't be deployed through ePO. You need to follow the manual installation steps below.
- This package isn’t a managed agent. You must have a managed agent on version 5.7.x already installed and managed by ePO.
- Download McAfeeAgent-selinux-5.7.x-ReleasePackages.tar.gz from the Product Downloads site.
- Copy the package to a location on your Linux system and extract the package using the command below:
[root@root selinux]# tar -xvf McAfeeAgent-selinux-5.7.0-ReleasePackages.tar.gz
Extracted Packages:
McAfeeAgent-selinux-5.7.0-ReleasePackages/
McAfeeAgent-selinux-5.7.0-ReleasePackages/MFEma-selinux-5.7.0-1.src.rpm
McAfeeAgent-selinux-5.7.0-ReleasePackages/MFEma-selinux-5.7.0-1.el7.noarch.rpm
McAfeeAgent-selinux-5.7.0-ReleasePackages/MFEma-selinux-5.7.0-1.el8.noarch.rpm
- Change to the folder where the files above were extracted, using the commands below:
[root@root selinux]# cd McAfeeAgent-selinux-5.7.0-ReleasePackages/
[root@root McAfeeAgent-selinux-5.7.0-ReleasePackages]# ls -lsa
Screen Output Example
total 160
0 drwxrwxr-x. 2 500 500 131 Feb 11 12:51 .
0 drwxr-xr-x. 3 root root 111 May 26 10:39 ..
64 -. 1 500 500 62564 Feb 11 12:51 MFEma-selinux-5.7.0-1.el7.noarch.rpm
56 -. 1 500 500 55692 Feb 11 12:51 MFEma-selinux-5.7.0-1.el8.noarch.rpm
40 -. 1 500 500 40675 Feb 11 12:51 MFEma-selinux-5.7.0-1.src.rpm
- Run the command below to install the package:
rpm -ivh MFEma-selinux-5.7.xx.src.rpm
Example:
[root@root McAfeeAgent-selinux-5.7.0]# rpm -ivh MFEma-selinux-5.7.0-1.src.rpm
Screen Output Example:
1:MFEma-selinux-5.7.0-1 ## [100%]
NOTE: If the SA replication path is given as /test3/test3/test3, that folder carries the root_t context, so the masvc and macmnsvc processes must be allowed to manage folders and files under this context.
Example (ls -alZ shows the SELinux context of each entry):
[root@root SOURCES]# ls -alZ
Screen Output Example
total 168
drwxr-xr-x. 3 root root unconfined_u:object_r:admin_home_t:s0 240 May 26 11:05 .
drwxr-xr-x. 8 root root unconfined_u:object_r:admin_home_t:s0 89 Jan 20 11:01
-. 1 bserver bserver unconfined_u:object_r:admin_home_t:s0 53454 Feb 11 12:50 license.txt
- Execute the command below to move to the SOURCES folder.
pushd ${HOME}/rpmbuild/SOURCES
NOTE: rpmbuild must be installed on the Linux system.
- Confirm that the files extracted by the rpm command exist:
[root@root SOURCES]# ls -lsa
Screen Output Example
total 168
0 drwxr-xr-x. 3 root root 240 May 26 11:05
0 drwxr-xr-x. 8 root root 89 Jan 20 11:01
56 -. 1 bserver bserver 53454 Feb 11 12:50 license.txt
4 -. 1 bserver bserver 1711 Feb 11 12:50 Makefile
8 -. 1 bserver bserver 5890 Feb 11 12:50 mfe_ma.fc
20 -. 1 bserver bserver 19039 Feb 11 12:50 mfe_ma.if
4 -. 1 bserver bserver 935 Feb 11 12:50 mfe_ma_perm.if
4 -. 1 bserver bserver 1041 Feb 11 12:50 mfe_ma_rt.fc
8 -. 1 bserver bserver 4735 Feb 11 12:50 mfe_ma_rt.if
4 -. 1 bserver bserver 2186 Feb 11 12:50 mfe_ma_rt.te
0 drwxr-xr-x. 2 root root 6 May 14 12:17 MFEma-selinux
4 -. 1 bserver bserver 1034 Feb 11 12:50 MFEma-selinux.tar.gz
52 -. 1 bserver bserver 50456 Feb 11 12:50 mfe_ma.te
4 -. 1 bserver bserver 3566 Feb 11 12:50 README.md
- Add the root_t context type to the type list in the gen_require section of the mfe_ma.te file using the VI editor.
NOTE: mfe_ma.te is located in ${HOME}/rpmbuild/SOURCES.
Example:
Before defining:
gen_require(`
# Required
class passwd all_passwd_perms;
type unconfined_service_t, crond_t, crontab_exec_t, crontab_t, user_cron_spool_t, crond_var_run_t, systemd_unit_file_t, useradd_t, groupadd_t, shell_exec_t, usr_t, var_t, etc_t, ldconfig_cache_t, rhsmcertd_t, system_dbusd_t, system_dbusd_var_run_t, rpm_script_t, net_conf_t, sysfs_t, pstore_t, configfs_t, sysctl_fs_t, binfmt_misc_fs_t, system_map_t;
')
After defining:
gen_require(`
# Required
class passwd all_passwd_perms;
type root_t, unconfined_service_t, crond_t, crontab_exec_t, crontab_t, user_cron_spool_t, crond_var_run_t, systemd_unit_file_t, useradd_t, groupadd_t, shell_exec_t, usr_t, var_t, etc_t, ldconfig_cache_t, rhsmcertd_t, system_dbusd_t, system_dbusd_var_run_t, rpm_script_t, net_conf_t, sysfs_t, pstore_t, configfs_t, sysctl_fs_t, binfmt_misc_fs_t, system_map_t;
')
- Add the lines below to the end of the file using the VI editor (press Shift+G to jump to the end of the file):
allow mfe_ma_masvc_t root_t:dir { manage_dir_perms };
allow mfe_ma_masvc_t root_t:file { manage_file_perms };
allow mfe_ma_macmnsvc_t root_t:dir { manage_dir_perms };
allow mfe_ma_macmnsvc_t root_t:file { manage_file_perms };
- Save the file and exit the VI editor (press Esc, then type :wq and press Enter).
- Type the command below if you aren't already in the ${HOME}/rpmbuild/SOURCES folder:
cd ${HOME}/rpmbuild/SOURCES
- Run the make command below. It places the targeted policy files in the selinux-* folder within ${HOME}/rpmbuild/SOURCES.
[root@root SOURCES]# make
Screen Output Example
SOURCES is mfe_ma.te mfe_ma_rt.te mfe_ma.fc mfe_ma_rt.fc
TARGETS is mfe_ma.pp mfe_ma_rt.pp
- Execute the commands below sequentially:
mkdir -p ${HOME}/rpmbuild/SOURCES/MFEma-selinux
cp -f license.txt ${HOME}/rpmbuild/SOURCES/MFEma-selinux
pushd selinux-*
cp -f mfe_ma*targeted ${HOME}/rpmbuild/SOURCES/MFEma-selinux
pushd ${HOME}/rpmbuild/SPECS
rpmbuild --define 'pkg_version <version-num>' --define '_src 1' -ba MFEma-selinux.spec
NOTE: Where <version-num> is a number higher than that of the currently installed rpm package; the example below uses 2, which produces MFEma-selinux-5.7.0-2.
Example:
[root@root SOURCES]# rpmbuild --define 'pkg_version 2' --define '_src 1' -ba MFEma-selinux.spec
NOTE: The above rpmbuild command creates a custom RPM package with MA version 5.7.0 inside ${HOME}/rpmbuild/RPMS/noarch/.
Example:
[root@root SOURCES]# cd ${HOME}/rpmbuild/RPMS/noarch/
[root@root noarch]# ls
MFEma-selinux-5.7.0-2.noarch.rpm
Version #.#.# must be greater than the already installed version.
- Upgrade the MA SELinux package using the command below (rpm's upgrade option is an uppercase -U):
rpm -Uvh MFEma-selinux-5.7.0-2.noarch.rpm
For more details, see ${HOME}/rpmbuild/SOURCES/README.md.
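The mfe_ma.te edit from the steps above (adding the context type to gen_require and appending the four allow rules), scripted so it can be replayed after the src.rpm is re-extracted and checked before running make. This is an added example, not code from KB94454 or the MFEma-selinux sources; it assumes the file layout shown above (a one-line type list inside gen_require) and that the context of the replication path is read with ls -dZ.

```shell
#!/bin/sh
# Added example, not part of KB94454 or the MFEma-selinux sources: scripts the
# manual VI edit of mfe_ma.te described in the article. Assumes a gen_require
# block whose "type ...;" list is on a single line, as in the extracted SOURCES.

# Extract the SELinux type (third field of the context) from one "ls -dZ" line,
# e.g. "unconfined_u:object_r:root_t:s0 /test3/test3/test3" -> "root_t".
context_type_of() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Add TYPE to the first "type ...;" line after gen_require( (if not already
# listed) and append the allow rules for masvc/macmnsvc. Safe to run twice.
patch_te() {
    te="$1"; ty="$2"
    if ! grep -Eq "(^|[ ,])${ty}[,;]" "$te"; then
        awk -v ty="$ty" '
            /^[[:space:]]*gen_require\(/ { inreq = 1 }
            inreq && !done && /^[[:space:]]*type / {
                sub(/type /, "type " ty ", "); done = 1
            }
            { print }' "$te" > "$te.tmp" && mv "$te.tmp" "$te"
    fi
    if ! grep -q "^allow mfe_ma_masvc_t ${ty}:dir" "$te"; then
        cat >> "$te" <<EOF
allow mfe_ma_masvc_t ${ty}:dir { manage_dir_perms };
allow mfe_ma_masvc_t ${ty}:file { manage_file_perms };
allow mfe_ma_macmnsvc_t ${ty}:dir { manage_dir_perms };
allow mfe_ma_macmnsvc_t ${ty}:file { manage_file_perms };
EOF
    fi
}

# Count the allow rules present for TYPE (expect 4), a quick check before make.
allow_count() {
    grep -c "^allow mfe_ma_ma[a-z]*_t $2:" "$1"
}

# Usage: sh patch_te.sh ${HOME}/rpmbuild/SOURCES/mfe_ma.te /test3/test3/test3
if [ "$#" -eq 2 ]; then
    ty=$(context_type_of "$(ls -dZ "$2")")
    patch_te "$1" "$ty"
    echo "$ty: $(allow_count "$1" "$ty") allow rules in $1"
fi
```

After the script has run, continue with the make and rpmbuild steps above.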