example of a domain with transition policy

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 29 21:54:47 UTC 2009


On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> Unfortunately, I have to allow for it to "work" now, but I don't want to turn off selinux.
> 
> My first draft is this, by the way, and it's "working", so managers are off my back.
> 
> ai.te:
> 
> policy_module(ai,0.0.1)
> 
> type ai_initrc_exec_t;
> init_script_type(ai_initrc_exec_t);
> 
> type ai_exec_t;
> userdom_executable_file(ai_exec_t);
> 
> unconfined_alias_domain(ai_t);

I don't think you want an alias (i.e. two names for the same domain) but
rather another domain that is unconfined as well.  Use
unconfined_domain().

> init_daemon_domain(ai_t,ai_exec_t)
> 
> type ai_log_t;
> logging_log_file(ai_log_t)
> 
> manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
> manage_files_pattern(ai_t,ai_log_t,ai_log_t)
> 
> ai.fc:
> 
> /etc/rc\.d/init\.d/ai   --      gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiadmin      --      gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiclient     --      gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/bin/aiagent      --      gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/logs(/.*)?               gen_context(system_u:object_r:ai_log_t,s0)
> 
> I just need to figure out what kind of auditallow statement to put in so it will log only what wasn't specifically allowed.
> 
> The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include, I can't find any document that would have them all.

There used to be a /usr/share/doc/selinux-policy* directory that had the
HTML documentation for the policy - not sure where that is now in F10.

Latest interface docs are also online,
http://oss.tresys.com/docs/refpolicy/api/

Interesting question about auditallow; you might need a script to
generate the right set, maybe derived from audit2allow/sepolgen innards.
Watch out though - auditallow'ing everything will flood your system with
too many audit messages.

-- 
Stephen Smalley
National Security Agency
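
As an added example of the kind of generator Stephen mentions, not code from the thread or from audit2allow/sepolgen: given the allow rules a module grants a domain (already expanded from the refpolicy macros) and the kernel's class/permission table, emit auditallow rules for every permission the module did not grant. Because auditallow only fires when the access is actually granted, on a domain made unconfined with unconfined_domain() the output logs exactly the accesses that succeed thanks to the unconfined attribute rather than the module. The permission table and the allow rules below are constructed, abbreviated samples; the type names follow the draft module above.

```python
"""Derive auditallow rules for the accesses an unconfined domain gets beyond
what its own module explicitly allows.  Added example, not an SELinux tool."""
import re
from collections import defaultdict

# Constructed, abbreviated subset of the kernel's class/permission table.
# On a live system read it from selinuxfs (/sys/fs/selinux/class/<class>/perms,
# or /selinux/class/... on Fedora 10) so the lists match the loaded policy.
CLASS_PERMS = {
    "dir": ["ioctl", "read", "write", "create", "getattr", "setattr", "lock",
            "relabelfrom", "relabelto", "unlink", "link", "rename",
            "add_name", "remove_name", "reparent", "search", "rmdir"],
    "file": ["ioctl", "read", "write", "create", "getattr", "setattr", "lock",
             "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
             "execute", "execute_no_trans", "entrypoint"],
    "process": ["fork", "transition", "sigchld", "sigkill", "sigstop",
                "signull", "signal", "ptrace", "getsched", "setsched",
                "setexec", "setfscreate", "execmem", "execstack", "execheap"],
}

# Constructed allow rules for ai_t, of the kind the refpolicy pattern macros
# expand to once the module is compiled (not the real expansion).
SAMPLE_POLICY = """
allow ai_t self:process { fork sigchld signal getsched setsched };
allow ai_t ai_exec_t:file { read getattr execute execute_no_trans entrypoint };
allow ai_t ai_log_t:dir { ioctl read getattr lock search write add_name remove_name rmdir create rename setattr };
allow ai_t ai_log_t:file { ioctl read getattr lock write append create rename setattr unlink link };
"""

# allow <source> <target|{ set }> : <class> <perm|{ set }> ;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*(\w+)\s+(\{[^}]*\}|[^\s;]+)\s*;",
    re.MULTILINE,
)


def _names(text):
    """Turn 'foo' or '{ foo bar }' into a list of names."""
    return text.strip("{}").split()


def parse_allows(policy_text, domain):
    """Map (target, class) -> permissions the module explicitly allows domain.

    'self' and the domain's own type name are folded into the single key
    'self', since for this domain they denote the same target.
    """
    allowed = defaultdict(set)
    for src, targets, cls, perms in ALLOW_RE.findall(policy_text):
        if src != domain:
            continue
        for target in _names(targets):
            key = "self" if target == domain else target
            allowed[(key, cls)].update(_names(perms))
    return allowed


def _rule(domain, target, cls, perms):
    return "auditallow %s %s:%s { %s };" % (domain, target, cls, " ".join(perms))


def gen_auditallow(policy_text, domain, class_perms=CLASS_PERMS):
    """Return auditallow rules for every permission not explicitly allowed."""
    allowed = parse_allows(policy_text, domain)
    named = sorted({t for (t, _cls) in allowed} - {"self"})
    rules = []
    for cls, perms in sorted(class_perms.items()):
        # Targets the module names: audit only the permissions it did not grant.
        for target in ["self"] + named:
            granted = allowed.get((target, cls), set())
            missing = [p for p in perms if p not in granted]
            if missing:
                rules.append(_rule(domain, target, cls, missing))
        # Every other type: audit the whole class.
        others = "~{ %s }" % " ".join([domain] + named)
        rules.append(_rule(domain, others, cls, perms))
    return rules


if __name__ == "__main__":
    for rule in gen_auditallow(SAMPLE_POLICY, "ai_t"):
        print(rule)
```

Feed it the real expanded rules and the real class table and the output is deliberately broad, which is the flood Stephen warns about; the practical use is to keep the auditallow rules for the handful of classes you care about (file, dir, process, the socket classes) and drop the rest.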

More information about the fedora-selinux-list mailing list