On Wed, 24 Jun 2020 at 20:45, Nathanael D. Noblet <nathanael@xxxxxxx> wrote:
>
> On Wed, 2020-06-24 at 12:12 +0200, Iñaki Ucar wrote:
> > Thanks, I got [1] and [2] more or less covered thanks to the output of
> > the SELinux troubleshooter. The missing parts were how to get policies
> > into a subpackage (and [3] explains this, thanks), and how to write a
> > rule just for my script, not for the whole python3 stack, and I'm
> > still missing that bit.
>
> So I can't exactly point you to some documents, but the link below may
> help. The basic idea is you need to label your script and give it a
> type and then allow that type to access the type/action it's trying to
> do. Like the httpd daemon has a type and there are then file types, and
> a process running in the httpd_t domain can read files but not talk to
> the network, for example... Hope that helps.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-Security-Enhanced_Linux-SELinux_Contexts

Thanks. I found another tutorial (from Red Hat) which basically says:

1. Implement your service, give it a new SELinux type and run it.
2. Collect all the complaints from SELinux.
3. Use audit2allow to convert them to rules.
4. Repeat until you don't get any more complaints.

And I cannot believe my eyes. Is this *really* the way to implement
SELinux policies? It seems like a joke to me. Isn't there any notion of
inheritance or something like that? Like, I want my type to have the
permissions of this other type plus these two more rules. Also,
audit2allow tells me that a bunch of rules can be substituted by just
flipping a boolean, but I cannot include booleans in the .te file?
Everything is very confusing to me.
--
Iñaki Úcar
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
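The four-step loop quoted in the message above (new type, run, collect denials, audit2allow, repeat) is the workflow the tutorial describes; what the message asks about, reusing another type's permissions and putting a boolean in the .te file, is done in the reference policy with interfaces and gen_tunable/tunable_policy. The script below is an added example written for this page by the editor, not code from the thread, from the tutorial or from any Fedora package. It scaffolds a policy module for one script run as a systemd service: a private domain (myscript_t) entered by executing the script itself, reference-policy interfaces instead of raw allow rules, a module-local boolean, the build/load commands, and the audit2allow -R / audit2why step for the next iteration. The module name myscript, the path /usr/libexec/myscript/myscript.py, the boolean name myscript_connect_http and the chosen set of interfaces are all assumptions for illustration; the exact interface set available depends on the installed selinux-policy-devel version.

```shell
#!/bin/sh
# Editor's added example, not code from the thread or from any Fedora package.
# It scaffolds a policy module for ONE script: a private domain (myscript_t),
# reference-policy interfaces instead of raw allow rules, and a module-local
# boolean. All names (myscript, /usr/libexec/myscript/myscript.py,
# myscript_connect_http) are assumptions for illustration.
set -eu

MODULE=myscript
SCRIPT_FILE=/usr/libexec/myscript/myscript.py
# Same path as a file-context regex (the dot must be escaped in a .fc entry).
SCRIPT_PATTERN='/usr/libexec/myscript/myscript\.py'

# write_policy DIR: write DIR/myscript.te and DIR/myscript.fc; prints the .te path.
write_policy() {
    dir=$1
    # Quoted heredoc: the m4 quotes `...' used by tunable_policy stay literal.
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(myscript, 1.0.0)

########################################
# Declarations
#
# A private domain for the script and a type for its executable.
# init_daemon_domain() sets up the transition: when systemd executes a
# file labeled myscript_exec_t, the process runs as myscript_t.
# The script itself (with a #! line) is the entrypoint, so python3's
# label is untouched and no rule is written for the whole python3 stack.
type myscript_t;
type myscript_exec_t;
init_daemon_domain(myscript_t, myscript_exec_t)

# Module-local boolean, off by default; flipped with setsebool.
gen_tunable(myscript_connect_http, false)

########################################
# Policy
#
# Reference-policy interfaces bundle the rules a class of access needs;
# this is the closest thing to "the permissions of that type plus a few".
corecmd_exec_bin(myscript_t)
files_read_etc_files(myscript_t)
miscfiles_read_localization(myscript_t)
logging_send_syslog_msg(myscript_t)

# Outbound HTTP only when the boolean is on.
tunable_policy(`myscript_connect_http', `
    allow myscript_t self:tcp_socket create_stream_socket_perms;
    corenet_tcp_connect_http_port(myscript_t)
    sysnet_dns_name_resolve(myscript_t)
')
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$SCRIPT_PATTERN    --    gen_context(system_u:object_r:myscript_exec_t,s0)
EOF
    printf '%s\n' "$dir/$MODULE.te"
}

# build_and_install DIR: compile the module with the selinux-policy-devel
# Makefile, load it, and relabel the script. Needs root on an SELinux host.
build_and_install() {
    dir=$1
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    semodule -i "$dir/$MODULE.pp"
    restorecon -v "$SCRIPT_FILE"
}

# collect_denials: the "repeat" step. -R asks audit2allow to express denials
# as reference-policy interfaces where it can (what belongs in the .te file
# instead of raw allow rules); audit2why reports when an existing boolean
# would already cover a denial.
collect_denials() {
    ausearch -m AVC,USER_AVC -ts recent | audit2allow -R
    ausearch -m AVC,USER_AVC -ts recent | audit2why
}

case "${1:-}" in
    build)
        d=$(mktemp -d)
        write_policy "$d"
        build_and_install "$d"
        ;;
    denials)
        collect_denials
        ;;
esac
```

Run it as `sh myscript-policy.sh build` on the target host, start the service, then `sh myscript-policy.sh denials` to see what the next iteration needs; after loading, `setsebool -P myscript_connect_http on` enables the network branch without touching the module. The file-context entry only takes effect once restorecon has relabeled the script, and the domain transition only happens when the script is executed directly (it has a shebang), not when it is passed as an argument to python3.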