Benjy Grogan wrote:
Hello:
Would it be possible for the SELinux team at Red Hat to create an
SELinux policy module for Google Earth and to show the step by step
process for confining the application? I think these kinds of examples
would be useful to developers attempting to create SELinux policies
for other rpm packages out there. I'm not interested so much in the
actual policy module, but in creating it myself from step-by-step
instructions. IMHO, that would be the best way to educate developers
on how to use SELinux.
Google-earth is not the best example of this but
The way I would go about it would be to first use policygentool to
create my initial fc/if/te files
#cd /tmp
#mkdir googleearth
#cd googleearth
STEP 1
#policygentool googleearth /usr/local/google-earth/googleearth-bin
answer some questions to the best of my ability
STEP 2
add the following lines to the te file to cause the transition from
unconfined_t to googleearth
cat >> googleearth.te << '__EOF'
gen_require(`
type unconfined_t;
')
domain_auto_trans(unconfined_t, googleearth_exec_t, googleearth_t)
__EOF
STEP 3
# make -f /usr/share/selinux/devel/Makefile
# semodule -i googleearth.pp
# setenforce 0
In a different window as a normal user
> googleearth
Test out lots of stuff
Go back to the original root window
grep googleearth /var/log/messages (or /var/log/audit/audit.log) |
audit2allow -R
Analyze these rules and macros to the best of my ability and add them to
the te file
GOTO STEP 3
Thanks,
Benjy
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list