example of a domain with transition policy

Vadym Chepkov chepkov at yahoo.com
Thu Jan 29 19:35:03 UTC 2009


Thank you so much.

Why do we need ai_initrc_exec_t though? All scripts in /etc/rc.d/init.d/ have context initrc_exec_t and it seems a proper approach to me.

Sincerely yours,
  Vadym Chepkov

P.S. To my shame never used IRC in my life :(

--- On Thu, 1/29/09, Dominick Grift <domg472 at gmail.com> wrote:

> From: Dominick Grift <domg472 at gmail.com>
> Subject: Re: example of a domain with transition policy
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: fedora-selinux-list at redhat.com
> Date: Thursday, January 29, 2009, 2:20 PM
> Lets assume we have an init script: /etc/rc.d/init.d/ai, a
> executable: /usr/sbin/ai
> 
> first we create our file context file:
> 
> mkdir ~/ai; cd ~/ai;
> echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
> echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc
> 
> this will take care of our file contexts. Now let's declare our module
> and some types to enforce:
> 
> echo "policy_module(ai, 0.0.1)" > ai.te
> echo "type ai_initrc_exec_t;" >> ai.te
> echo "init_script_file(ai_initrc_exec_t)" >> ai.te
> echo "type ai_t;" >> ai.te
> echo "type ai_exec_t;" >> ai.te
> echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te
> 
> Now let's compile our module:
> 
> make -f /usr/share/selinux/devel/Makefile
> 
> Now let's install our module:
> 
> sudo semodule -i ai.pp
> 
> Now let's restore the file context of our executable file and the init
> script.
> 
> restorecon -v /etc/rc.d/init.d/ai
> restorecon -v /usr/sbin/ai
> 
> Now we have to create actual policy. We do this by testing.
> Since EL5
> does not support permissive domains, we will have to put
> the system into
> permissive mode: setenforce 0
> 
> now let's start the daemon:
> 
> sudo service ai start
> 
> after some testing of the daemon's functionality we stop the daemon:
> 
> sudo service ai stop
> 
> now we enforce selinux again: setenforce 1
> 
> ..and we check for avc denials and pipe those into
> audit2allow to
> translate raw avc denials to policy language:
> 
> ausearch -m avc -ts today | audit2allow -R
> 
> then we simply append the output to our ai.te file,
> recompile and
> reinstall.
> 
> That's about it in a nutshell.
> 
> Of course this example is oversimplified. There are only two files owned
> by ai. In real life there are more files that need types (we would use
> rpm -ql to find those, and we would inspect the output of audit2allow -R
> to identify any files owned by ai that were created, like pid files,
> files in /tmp, etc.).
> 
> Also, audit2allow -R's output is not optimal, so we would try to find
> optimal interfaces for the policy it may not have translated in an
> optimal way.
> 
> If you have questions you can also join us on
> #fedora-selinux on
> irc.freenode.org.
> 
> happy policy writing!
> 
> Dominick
> 
> On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> > Hi,
> > 
> > Could somebody give me a working example of a policy
> module with transition, please. I am trying to create a
> policy for a vendor product I have to use (Asset Insight). 
> > The basic idea is to create domains ai_exec_t, ai_t,
> proper transition rules for initrc_exec_t -> initrc_t
> -> ai_exec_t -> ai_t. 
> > Then I want ai_t to be unconfined (for the moment), so
> probably make ai_t an alias of unconfined_t, since there
> is no "permissive domain" in Redhat5 yet, but I
> want to be able to see what needs to be added to the .te file to
> make it work. There is not much documentation about writing
> policy in Redhat/Fedora, unfortunately, or maybe I am
> missing some.
> > Thank you.
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> > 
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> >
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
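The procedure quoted above (write the .fc and .te sources, build with the devel Makefile, install, relabel, then iterate with audit2allow) collected into one script, as an added example that is not part of either message in this thread. It keeps the post's names (module ai, /usr/sbin/ai, /etc/rc.d/init.d/ai, ai_t, ai_exec_t, ai_initrc_exec_t). The pid file /var/run/ai.pid, its type ai_var_run_t, and the extra reference-policy interfaces in the .te (files_pid_file, manage_files_pattern, files_pid_filetrans, files_read_etc_files, miscfiles_read_localization, logging_send_syslog_msg) are assumptions about what a typical daemon needs beyond the two-file case in the post, not facts about the Asset Insight product. The build, test and relabel steps only run when the script is invoked with the argument `run`, so the two source-generating functions can be inspected on a machine without the SELinux toolchain.

```shell
#!/bin/bash
# Added example, not code from the mailing-list thread.
# Generates, builds, installs and tests a minimal SELinux policy module "ai"
# for a daemon at /usr/sbin/ai started by /etc/rc.d/init.d/ai.
# Assumptions for illustration: the daemon writes /var/run/ai.pid, reads
# /etc, uses locale data and logs to syslog.
set -u

MOD=ai
DAEMON=/usr/sbin/ai
INITSCRIPT=/etc/rc.d/init.d/ai
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# File contexts (.fc): init script, daemon binary and the assumed pid file.
# Dots in paths are regex metacharacters and must be escaped.
gen_fc() {
    cat <<'EOF'
/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)
/usr/sbin/ai          -- gen_context(system_u:object_r:ai_exec_t, s0)
/var/run/ai\.pid      -- gen_context(system_u:object_r:ai_var_run_t, s0)
EOF
}

# Type enforcement (.te). The transition chain the original question asked for,
#   init_t --(ai_initrc_exec_t)--> initrc_t --(ai_exec_t)--> ai_t
# is produced by init_script_file() and init_daemon_domain(); no raw
# type_transition rules are needed.
gen_te() {
    cat <<'EOF'
policy_module(ai, 0.0.1)

########################################
# Declarations

type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)

type ai_initrc_exec_t;
init_script_file(ai_initrc_exec_t)

# assumption: the daemon keeps a pid file under /var/run
type ai_var_run_t;
files_pid_file(ai_var_run_t)

########################################
# Local policy

# create/read/write/unlink the pid file, and label it ai_var_run_t on creation
manage_files_pattern(ai_t, ai_var_run_t, ai_var_run_t)
files_pid_filetrans(ai_t, ai_var_run_t, file)

# assumed baseline most daemons need; anything else comes from audit2allow
files_read_etc_files(ai_t)
miscfiles_read_localization(ai_t)
logging_send_syslog_msg(ai_t)
EOF
}

# Write the sources, build ai.pp with the devel Makefile, load it and relabel
# the two files the .fc covers.
build_and_install() {
    mkdir -p "$HOME/$MOD" && cd "$HOME/$MOD" || return 1
    gen_fc > "$MOD.fc"
    gen_te > "$MOD.te"
    : > "$MOD.if"                      # optional empty interface file
    make -f "$DEVEL_MAKEFILE" || return 1
    sudo semodule -i "$MOD.pp" || return 1
    sudo restorecon -v "$INITSCRIPT" "$DAEMON"
}

# EL5 has no permissive domains, so exercise the daemon with the whole system
# permissive, then translate the denials. Review the output before appending
# it to ai.te: audit2allow -R picks interfaces, but not always the best ones.
collect_denials() {
    sudo setenforce 0
    sudo service "$MOD" start
    sleep 5                            # exercise the daemon's functionality here
    sudo service "$MOD" stop
    sudo setenforce 1
    sudo ausearch -m avc -ts today | audit2allow -R
}

# Confirm labels on disk and that the running process is actually in ai_t.
verify_labels() {
    ls -Z "$DAEMON" "$INITSCRIPT"
    ps -eZ | grep ':ai_t'
}

if [ "${1:-}" = "run" ]; then
    build_and_install && collect_denials && verify_labels
fi
```

Run it as `bash ai-policy.sh run` on the target host; after appending the audit2allow output to ~/ai/ai.te, repeat `make -f /usr/share/selinux/devel/Makefile && sudo semodule -i ai.pp` until `ps -eZ` shows the daemon in ai_t with no new denials in enforcing mode.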