Artem D. 5d491bc2c1 feat: add selinux module (#1995)
This policy provides several security improvements over running shadowsocks as `unconfined_service_t`:

- **Principle of least privilege**: Only grants necessary permissions
- **Network isolation**: Controls which ports and connections are allowed
- **File system protection**: Restricts file access to configuration and required system files
- **Process isolation**: Runs in a dedicated SELinux domain
- **Audit trail**: All access attempts are logged for security monitoring
2025-08-06 10:26:51 +08:00

Shadowsocks SELinux Policy

Prerequisites

Install required SELinux development tools:

dnf upgrade && dnf install setools-console policycoreutils-python-utils selinux-policy-devel make

Creating the SELinux Policy

1. Compile the policy

make -f /usr/share/selinux/devel/Makefile shadowsocks.pp

2. Install the policy module

semodule -i shadowsocks.pp

Apply File Contexts

1. Add file context mappings

semanage fcontext -a -t shadowsocks_exec_t "/usr/bin/ssservice"
semanage fcontext -a -t shadowsocks_conf_t "/etc/shadowsocks(/.*)?"
semanage fcontext -a -t shadowsocks_unit_file_t "/usr/lib/systemd/system/ss-server@.*\.service"

2. Apply contexts to files

restorecon -v /etc/systemd/system/ss-server@.service
restorecon -R /usr/bin/ssservice /etc/shadowsocks

3. Start the service

systemctl start ss-server@main

4. Verify the policy is working

# Check that shadowsocks is running in the correct domain
ps -eZ | grep ssservice
# Should show: system_u:system_r:shadowsocks_t:s0 (not unconfined_service_t)

Troubleshooting

Check for SELinux denials

# View recent AVC denials
ausearch -m avc -ts recent | grep denied

# Generate additional policy rules if needed
ausearch -m avc -ts recent | grep shadowsocks | audit2allow
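The verification step above and the denial check here can be scripted. This is an added example, not part of the shadowsocks project: one helper confirms every ssservice process is in shadowsocks_t from `ps -eZ` output, the other summarises `ausearch -m avc` denials for ssservice by source type, target type, object class and permission so each one can be judged before anything is piped into audit2allow. The sample `ps` and `ausearch` lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the shadowsocks project. The sample inputs below
# are constructed to look like `ps -eZ` and `ausearch -m avc` output.

# Return 0 if every ssservice process runs in the expected domain type
# (default shadowsocks_t), 1 if any runs elsewhere or none is running.
check_ssservice_domain() {
    printf '%s\n' "$1" | awk -v want="${2:-shadowsocks_t}" '
        $NF == "ssservice" {
            split($1, ctx, ":")                 # user:role:type:level
            seen++
            if (ctx[3] != want) { bad++; print "WRONG DOMAIN: " $0 }
        }
        END { if (!seen) { print "no ssservice process found"; exit 1 }
              exit (bad > 0) }'
}

# Summarise AVC denials for ssservice as: count source_type target_type class perms.
# Reading this table is what decides whether a denial is a missing rule or a
# misbehaving process; audit2allow alone would simply allow all of them.
summarize_denials() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ && /comm="ssservice"/ {
            perm = ""; st = ""; tt = ""; cls = ""
            if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); st = c[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tt = c[3] }
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            print st, tt, cls, perm
        }' | sort | uniq -c | sort -rn
}

SAMPLE_PS='LABEL                                PID TTY          TIME CMD
system_u:system_r:init_t:s0            1 ?        00:00:01 systemd
system_u:system_r:shadowsocks_t:s0   812 ?        00:00:00 ssservice'
SAMPLE_PS_BAD='system_u:system_r:unconfined_service_t:s0 812 ? 00:00:00 ssservice'
SAMPLE_AVC='type=AVC msg=audit(1754447211.101:301): avc:  denied  { name_connect } for  pid=812 comm="ssservice" dest=8388 scontext=system_u:system_r:shadowsocks_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1754447212.102:302): avc:  denied  { name_connect } for  pid=812 comm="ssservice" dest=8388 scontext=system_u:system_r:shadowsocks_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1754447213.103:303): avc:  denied  { read } for  pid=812 comm="ssservice" name="resolv.conf" scontext=system_u:system_r:shadowsocks_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0'

# On a live host replace the samples with: check_ssservice_domain "$(ps -eZ)"
# and summarize_denials "$(ausearch -m avc -ts recent)".
check_ssservice_domain "$SAMPLE_PS" && echo "ssservice confined: OK"
summarize_denials "$SAMPLE_AVC"
```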

Update policy if needed

If you need to add more permissions:

# Edit shadowsocks.te file
# Recompile and update
make -f /usr/share/selinux/devel/Makefile shadowsocks.pp
semodule -u shadowsocks.pp

Remove policy (if needed)

# Remove file contexts first
semanage fcontext -d "/usr/bin/ssservice"
semanage fcontext -d "/etc/shadowsocks(/.*)?"
semanage fcontext -d "/usr/lib/systemd/system/ss-server@.*\.service"

# Reset file labels
restorecon -F /usr/bin/ssservice
restorecon -RF /etc/shadowsocks

# Remove the policy module
semodule -r shadowsocks

Security Benefits

This policy provides several security improvements over running shadowsocks as unconfined_service_t:

  • Principle of least privilege: grants only the permissions the service needs
  • Network isolation: controls which ports the service may bind and connect to
  • File system protection: restricts file access to its configuration and the system files it requires
  • Process isolation: runs in a dedicated SELinux domain (shadowsocks_t)
  • Audit trail: denied access attempts are logged as AVC records for security monitoring

Notes

  • The policy includes optional monitoring features (cgroup access, DNS watching)
  • File contexts use equivalency rules between /etc/systemd/system and /usr/lib/systemd/system