ContextQMD
Back to Shadowsocks Rust

Shadowsocks SELinux Policy

selinux/README.md

1.24.02.6 KB
Original Source

Shadowsocks SELinux Policy

Prerequisites

Install required SELinux development tools:

bash
dnf upgrade && dnf install setools-console policycoreutils-python-utils selinux-policy-devel make

Creating SELinux Policy

1. Compile the policy

bash
make -f /usr/share/selinux/devel/Makefile shadowsocks.pp

2. Install the policy module

bash
semodule -i shadowsocks.pp

Apply File Contexts

1. Add file context mappings

bash
semanage fcontext -a -t shadowsocks_exec_t "/usr/bin/ssservice"
semanage fcontext -a -t shadowsocks_conf_t "/etc/shadowsocks(/.*)?"
semanage fcontext -a -t shadowsocks_unit_file_t "/usr/lib/systemd/system/ss-server@.*\.service"

2. Apply contexts to files

bash
restorecon -v /etc/systemd/system/[email protected]
restorecon -R /usr/bin/ssservice /etc/shadowsocks

3. Start the service

bash
systemctl start ss-server@main

4. Verify the policy is working

bash
# Check that shadowsocks is running in the correct domain
ps -eZ | grep ssservice
# Should show: system_u:system_r:shadowsocks_t:s0 (not unconfined_service_t)

Troubleshooting

Check for SELinux denials

bash
# View recent AVC denials
ausearch -m avc -ts recent | grep denied

# Generate additional policy rules if needed
ausearch -m avc -ts recent | grep shadowsocks | audit2allow

Update policy if needed

If you need to add more permissions:

bash
# Edit shadowsocks.te file
# Recompile and update
make -f /usr/share/selinux/devel/Makefile shadowsocks.pp
semodule -u shadowsocks.pp

Remove policy (if needed)

bash
# Remove file contexts first
semanage fcontext -d "/usr/bin/ssservice"
semanage fcontext -d "/etc/shadowsocks(/.*)?"
semanage fcontext -d "/usr/lib/systemd/system/ss-server@.*\.service"

# Reset file labels
restorecon -F /usr/bin/ssservice
restorecon -RF /etc/shadowsocks

# Remove the policy module
semodule -r shadowsocks

Security Benefits

This policy provides several security improvements over running shadowsocks as unconfined_service_t:

  • Principle of least privilege: Only grants necessary permissions
  • Network isolation: Controls which ports and connections are allowed
  • File system protection: Restricts file access to configuration and required system files
  • Process isolation: Runs in a dedicated SELinux domain
  • Audit trail: All access attempts are logged for security monitoring

Notes

  • The policy includes optional monitoring features (cgroup access, DNS watching)
  • File contexts use equivalency rules between /etc/systemd/system and /usr/lib/systemd/system