Let's assume we have an init script, /etc/rc.d/init.d/ai, and an executable, /usr/sbin/ai.

First we create our file context file:

  mkdir ~/ai; cd ~/ai
  echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
  echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc

This will take care of our file contexts. Now let's declare our module and some types to enforce:

  echo "policy_module(ai, 0.0.1)" > ai.te
  echo "type ai_initrc_exec_t;" >> ai.te
  echo "init_script_file(ai_initrc_exec_t)" >> ai.te
  echo "type ai_t;" >> ai.te
  echo "type ai_exec_t;" >> ai.te
  echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te

Now let's compile our module:

  make -f /usr/share/selinux/devel/Makefile

Now let's install our module:

  sudo semodule -i ai.pp

Now let's restore the file context of our executable file and the init script:

  restorecon -v /etc/rc.d/init.d/ai
  restorecon -v /usr/sbin/ai

Now we have to create the actual policy. We do this by testing. Since EL5 does not support permissive domains, we will have to put the system into permissive mode:

  setenforce 0

Now let's start the daemon:

  sudo service ai start

After some testing of the daemon's functionality we stop the daemon:

  sudo service ai stop

Now we enforce SELinux again:

  setenforce 1

...and we check for AVC denials and pipe those into audit2allow to translate raw AVC denials to policy language:

  ausearch -m avc -ts today | audit2allow -R

Then we simply append the output to our ai.te file, recompile and reinstall. That's about it in a nutshell.

Of course this example is oversimplified: there are only two files owned by ai. In real life there are more files that need types (we would use rpm -ql to find those, and we would inspect the output of audit2allow -R to identify any files owned by ai that were created, like pid files, files in /tmp etc.). Also audit2allow -R's output is not optimal, so we would try to find optimal interfaces for the policy it may not have translated in an optimal way.
If you have questions you can also join us on #fedora-selinux on irc.freenode.org. Happy policy writing!

Dominick

On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> Hi,
>
> Could somebody give me a working example of a policy module with transition, please. I am trying to create a policy for a vendor product I have to use (Asset Insight).
> The basic idea is to create domains ai_exec_t, ai_t, proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t.
> Then I want ai_t to be unconfined (for the moment), so probably make ai_t an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to the .te file to make it work. There is not much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some.
> Thank you.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
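The procedure in Dominick's reply, written out as an added example (not code from the post or from the SELinux reference policy): it scaffolds the ai.fc and ai.te files with the same entries the post builds with echo, and then shows what the "ausearch | audit2allow" step is doing by turning raw AVC denial records into allow rules with a small awk translator, so the result can be reviewed before it is appended to ai.te. The function names, the WORKDIR variable and the three AVC records are assumptions constructed for this example; the translator produces plain allow rules only, it does not do the interface mapping that audit2allow -R does. The build, install and relabel commands from the post are kept in a function that is not run here, since they need the selinux-policy-devel Makefile and root.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): scaffold the "ai" module
# files from the thread and translate constructed AVC denial records into
# allow rules for review, approximating what audit2allow does (without -R).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# File contexts: the same two entries as in the post (heredoc instead of echo).
write_fc() {
    cat > "$WORKDIR/ai.fc" <<'EOF'
/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)
/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)
EOF
}

# Type enforcement: declare the init script, domain and entry-point types;
# init_daemon_domain() lets initrc_t transition into ai_t via ai_exec_t.
write_te() {
    cat > "$WORKDIR/ai.te" <<'EOF'
policy_module(ai, 0.0.1)
type ai_initrc_exec_t;
init_script_file(ai_initrc_exec_t)
type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)
EOF
}

# Translate AVC denial records (stdin) into allow rules (stdout), merging
# permissions per source type, target type and object class. The type is
# the third colon-separated field of the scontext/tcontext labels.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        }
        if (stype == "" || ttype == "" || tclass == "") next
        key = stype " " ttype ":" tclass
        if (!(key in count)) { order[++n] = key; count[key] = 0 }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; count[key]++; rule[key] = rule[key] " " p[j] }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (count[k] == 1) printf "allow %s%s;\n", k, rule[k]
            else printf "allow %s {%s };\n", k, rule[k]
        }
    }'
}

# A rule granting "create" on a generic file type (var_run_t, tmp_t, ...)
# means the daemon is creating its own files there; per the post, such files
# should get a dedicated type instead of a wider allow on the generic one.
flag_created_objects() {
    grep -E '^allow [a-z_]+ [a-z_]+:(file|dir|sock_file|fifo_file) (.*[ {])?create[ ;}]' || true
}

# Constructed denial records in the shape "ausearch -m avc" prints: a pid
# file written under /var/run and a config file read from /etc.
AVC_SAMPLE='type=AVC msg=audit(1233259200.123:42): avc:  denied  { read write } for  pid=2345 comm="ai" name="ai.pid" dev=dm-0 ino=1234 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1233259200.456:43): avc:  denied  { create } for  pid=2345 comm="ai" name="ai.pid" scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1233259201.789:44): avc:  denied  { read } for  pid=2345 comm="ai" name="ai.conf" dev=dm-0 ino=5678 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

rules_from_sample() {
    printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
}

# The build, install and relabel steps from the post; they need the
# selinux-policy-devel Makefile and root, so they are not run here.
build_and_install() {
    (cd "$WORKDIR" && make -f /usr/share/selinux/devel/Makefile)
    sudo semodule -i "$WORKDIR/ai.pp"
    sudo restorecon -v /etc/rc.d/init.d/ai /usr/sbin/ai
}

write_fc
write_te
echo "module files written to $WORKDIR"
rules_from_sample
echo "--- rules that create objects under a generic type (give those files their own type):"
rules_from_sample | flag_created_objects
```

On a real EL5 box the flow is: write_fc, write_te, build_and_install, setenforce 0, exercise the daemon, setenforce 1, then `sudo ausearch -m avc -ts today | avc_to_allow` (or audit2allow -R, as in the post) and review the rules before appending them to ai.te. The create-on-var_run_t rule in the sample output is exactly the case the post warns about: the pid file needs its own type rather than a blanket allow on var_run_t.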