Step-by-Step Guide To Creating SELinux Policy for Google Earth

Daniel J Walsh dwalsh at redhat.com
Thu Jun 15 13:45:59 UTC 2006


Benjy Grogan wrote:
> Hello:
>
> Would it be possible for the SELinux team at Red Hat to create an
> SELinux policy module for Google Earth and to show the step by step
> process for confining the application?  I think these kind of examples
> would be useful to developers attempting to create SELinux policies
> for other rpm packages out there.  I'm not interested so much in the
> actual policy module, but in creating it myself from step-by-step
> instructions.  IMHO, that would be the best way to educate developers
> on how to use SELinux.
>
Google-earth is not the best example of this but

The way I would go about it would be to first use policygentool to 
create my initial fc/if/te files

# cd /tmp
# mkdir googleearth
# cd googleearth
STEP 1
# policygentool googleearth /usr/local/google-earth/googleearth-bin
answer some questions to the best of my ability
STEP 2
add the following lines to the te file to cause the transition from 
unconfined_t to googleearth
(the quoted '__EOF' keeps the shell from interpreting the backtick)
# cat >> googleearth.te << '__EOF'
gen_require(`
             type unconfined_t;
')
domain_auto_trans(unconfined_t, googleearth_exec_t, googleearth_t)
__EOF
STEP 3
# make -f /usr/share/selinux/devel/Makefile
# semodule -i googleearth.pp

# setenforce 0
In a different window as a normal user
 > googleearth
Test out lots of stuff

Go back to the original root window

# grep googleearth /var/log/messages (or /var/log/audit/audit.log) | audit2allow -R
Analyze these rules and macros to the best of my ability and add them to 
the te file

GOTO STEP 3

> Thanks,
> Benjy
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
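
The "grep ... | audit2allow -R" step above, as an added example that is not part of the original message and is not audit2allow's own code: a simplified Python sketch that filters AVC denials for one domain and merges them into plain allow rules (without the interface-macro matching that -R performs), so the rules can be reviewed before they go into the te file. The log lines are constructed, and the domain name googleearth_t is assumed from the module name used in the message.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from a real system). The domain
# googleearth_t is an assumption based on the module name in the message.
SAMPLE_LOG = """\
type=AVC msg=audit(1150379159.101:41): avc:  denied  { read } for  pid=2301 comm="googleearth-bin" name="fonts.conf" dev=dm-0 ino=1201 scontext=user_u:system_r:googleearth_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1150379159.102:42): avc:  denied  { getattr } for  pid=2301 comm="googleearth-bin" name="fonts.conf" dev=dm-0 ino=1201 scontext=user_u:system_r:googleearth_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1150379160.210:43): avc:  denied  { name_connect } for  pid=2301 comm="googleearth-bin" dest=80 scontext=user_u:system_r:googleearth_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1150379160.500:44): avc:  denied  { execmem } for  pid=2301 comm="googleearth-bin" scontext=user_u:system_r:googleearth_t:s0 tcontext=user_u:system_r:googleearth_t:s0 tclass=process
type=AVC msg=audit(1150379161.300:45): avc:  denied  { read } for  pid=990 comm="httpd" name="x" dev=dm-0 ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

def selinux_type(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def collect_denials(log_text, domain):
    """Merge denied permissions per (source, target, class) for one domain."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["s"]) != domain:
            continue  # not a denial, or a denial for some other domain
        target = selinux_type(m["t"])
        target = "self" if target == domain else target
        rules[(domain, target, m["c"])].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render the merged denials as allow statements for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(collect_denials(SAMPLE_LOG, "googleearth_t"))))
```

Each emitted rule is only a candidate: anything that looks broader than the application needs is better handled by relabeling the file or narrowing the rule than by adding it as-is.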