example of a domain with transition policy

Dominick Grift domg472 at gmail.com
Thu Jan 29 19:20:24 UTC 2009


Let's assume we have an init script, /etc/rc.d/init.d/ai, and an
executable, /usr/sbin/ai.

First we create our file context file:

mkdir ~/ai; cd ~/ai;
echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc

This will take care of our file contexts. Now let's declare our module
and some types to enforce:

echo "policy_module(ai, 0.0.1)" > ai.te
echo "type ai_initrc_exec_t;" >> ai.te
echo "init_script_file(ai_initrc_exec_t)" >> ai.te
echo "type ai_t;" >> ai.te
echo "type ai_exec_t;" >> ai.te
echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te

Now let's compile our module:

make -f /usr/share/selinux/devel/Makefile

Now let's install our module:

sudo semodule -i ai.pp

Now lets restore the file context of our executable file and the init
script.

sudo restorecon -v /etc/rc.d/init.d/ai
sudo restorecon -v /usr/sbin/ai

Now we have to create actual policy. We do this by testing. Since EL5
does not support permissive domains, we will have to put the system into
permissive mode: setenforce 0

Now let's start the daemon:

sudo service ai start

After some testing of the daemon's functionality we stop the daemon:

sudo service ai stop

Now we enforce SELinux again: setenforce 1

...and we check for AVC denials and pipe those into audit2allow to
translate raw AVC denials to policy language:

ausearch -m avc -ts today | audit2allow -R

then we simply append the output to our ai.te file, recompile and
reinstall.

That's about it in a nutshell.

Of course this example is oversimplified. There are only two files owned
by ai. In real life there are more files that need types (we would use
rpm -ql to find those, and we would inspect the output of audit2allow -R
to identify any files owned by ai that were created, like pid files,
files in /tmp, etc.).

Also, audit2allow -R's output is not optimal, so we would try to find
optimal interfaces for the policy it may not have translated in an
optimal way.

If you have questions you can also join us on #fedora-selinux on
irc.freenode.org.

happy policy writing!

Dominick
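As an added example that is not part of the original post: one round of the permissive/test/enforce/audit2allow loop described above, written as a script that collects only the denials logged since the round began and skips rules the .te file already contains. The function names are ours; the Makefile path, module name and en_US date format are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: one round of the
# "permissive -> exercise -> enforce -> audit2allow -R -> append ->
# rebuild" loop, with two refinements: only denials logged since this
# round began are collected, and rules that ai.te already contains are
# not appended a second time. Function names are ours; the Makefile path
# and the module name follow the post.

# Filter audit2allow output on stdin: drop "#====" banners, "#!!!!"
# boolean hints and blank lines, then drop any line already present
# verbatim in the .te file given as $1 (or repeated within the output).
new_rules() {   # usage: new_rules ai.te < audit2allow-output
    awk -v te="$1" '
        BEGIN { while ((getline line < te) > 0) seen[line] }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !($0 in seen) { seen[$0]; print }'
}

# One test round for module $1 (run as root from the module directory).
iterate() {   # usage: iterate ai
    local mod="$1" day now
    day=$(date '+%m/%d/%Y')      # ausearch -ts takes date and time as
    now=$(date '+%H:%M:%S')      # two arguments (assumes en_US format)
    setenforce 0
    service "$mod" start
    sleep 30                      # exercise the daemon here instead
    service "$mod" stop
    setenforce 1
    # Translate only this round's denials and append what is new.
    ausearch -m avc -ts "$day" "$now" | audit2allow -R \
        | new_rules "$mod.te" >> "$mod.te"
    make -f /usr/share/selinux/devel/Makefile && semodule -i "$mod.pp"
}

if [ $# -eq 1 ]; then
    iterate "$1"
fi
```

Run as `./iterate.sh ai` after each change; inspect the appended rules before trusting them, since audit2allow -R still picks interfaces mechanically.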

On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> Hi,
> 
> Could somebody give me a working example of a policy module with transition, please. I am trying to create a policy for a vendor product I have to use (Asset Insight).
> The basic idea is to create domains ai_exec_t, ai_t, proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t.
> Then I want ai_t to be unconfined (for the moment) so probably make ai_t an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to the .te file to make it work. There is not much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some.
> Thank you.
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list