Thank you so much. Why do we need ai_initrc_exec_t though? All scripts in /etc/rc.d/init.d/ have context initrc_exec_t and it seems a proper approach to me.

Sincerely yours,
Vadym Chepkov

P.S. To my shame I have never used IRC in my life :(

--- On Thu, 1/29/09, Dominick Grift <domg472@xxxxxxxxx> wrote:

> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: Re: example of a domain with transition policy
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: fedora-selinux-list@xxxxxxxxxx
> Date: Thursday, January 29, 2009, 2:20 PM
>
> Let's assume we have an init script, /etc/rc.d/init.d/ai, and an executable, /usr/sbin/ai.
>
> First we create our file context file:
>
> mkdir ~/ai; cd ~/ai;
> echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
> echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc
>
> This will take care of our file contexts. Now let's declare our module and some types to enforce:
>
> echo "policy_module(ai, 0.0.1)" > ai.te
> echo "type ai_initrc_exec_t;" >> ai.te
> echo "init_script_file(ai_initrc_exec_t)" >> ai.te
> echo "type ai_t;" >> ai.te
> echo "type ai_exec_t;" >> ai.te
> echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te
>
> Now let's compile our module:
>
> make -f /usr/share/selinux/devel/Makefile
>
> Now let's install our module:
>
> sudo semodule -i ai.pp
>
> Now let's restore the file context of our executable file and the init script:
>
> restorecon -v /etc/rc.d/init.d/ai
> restorecon -v /usr/sbin/ai
>
> Now we have to create the actual policy. We do this by testing. Since EL5 does not support permissive domains, we will have to put the system into permissive mode: setenforce 0
>
> Now let's start the daemon:
>
> sudo service ai start
>
> After some testing of the daemon's functionality we stop the daemon:
>
> sudo service ai stop
>
> Now we enforce SELinux again: setenforce 1
>
> ...and we check for AVC denials and pipe those into audit2allow to translate raw AVC denials to policy language:
>
> ausearch -m avc -ts today | audit2allow -R
>
> Then we simply append the output to our ai.te file, recompile and reinstall.
>
> That's about it in a nutshell.
>
> Of course this example is oversimplified. There are only two files owned by ai. In real life there are more files that need types (we would use rpm -ql to find those, and we would inspect the output of audit2allow -R to identify any files owned by ai that were created, like pid files, files in /tmp, etc.).
>
> Also audit2allow -R's output is not optimal, so we would try to find optimal interfaces for the policy it may not have translated in an optimal way.
>
> If you have questions you can also join us on #fedora-selinux on irc.freenode.org.
>
> Happy policy writing!
>
> Dominick
>
> On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> > Hi,
> >
> > Could somebody give me a working example of a policy module with transition, please. I am trying to create a policy for a vendor product I have to use (Asset Insight).
> > The basic idea is to create domains ai_exec_t, ai_t, and proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t.
> > Then I want ai_t to be unconfined (for the moment), so probably make ai_t an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to the .te file to make it work. There is not much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some.
> > Thank you.
> >
> > Sincerely yours,
> > Vadym Chepkov
> >

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
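The procedure Dominick walks through above (write ai.fc and ai.te, build and load the module, relabel, then iterate in permissive mode with ausearch and audit2allow) is collected below into a small shell script. This is an added example and not code from the thread or from any Fedora package; it keeps the thread's module name, types and paths (/etc/rc.d/init.d/ai, /usr/sbin/ai) and the function names are my own. Only the two generator functions run anywhere; build_install, verify_transition and collect_denials need root plus the selinux-policy-devel, setools and audit packages on the target box.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Packages the steps from
# the thread into functions for the hypothetical daemon "ai" with init
# script /etc/rc.d/init.d/ai and binary /usr/sbin/ai. Function names are
# assumptions of this example.

# Print the file-context file. Dots are escaped because each path is a
# regular expression; "--" restricts the entry to regular files.
ai_fc() {
    cat <<'EOF'
/etc/rc\.d/init\.d/ai    --    gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/sbin/ai             --    gen_context(system_u:object_r:ai_exec_t,s0)
EOF
}

# Print the type-enforcement file. init_script_file() makes the script an
# init script that init runs in initrc_t; init_daemon_domain() makes
# ai_exec_t the entry point of ai_t and adds the initrc_t -> ai_t
# transition on exec.
ai_te() {
    cat <<'EOF'
policy_module(ai, 0.0.1)

type ai_initrc_exec_t;
init_script_file(ai_initrc_exec_t)

type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)
EOF
}

# Write both sources into a work directory and print that directory.
write_module() {
    dir="$1"
    mkdir -p "$dir" || return 1
    ai_fc > "$dir/ai.fc" || return 1
    ai_te > "$dir/ai.te" || return 1
    printf '%s\n' "$dir"
}

# Compile with the refpolicy devel Makefile, load the module and relabel
# the two files so they pick up the new types. Needs root.
build_install() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile ai.pp ) || return 1
    semodule -i "$dir/ai.pp" || return 1
    restorecon -v /etc/rc.d/init.d/ai /usr/sbin/ai
}

# Confirm the loaded policy really carries the exec transition the module
# is meant to add; a non-zero exit means it is missing.
verify_transition() {
    sesearch -T -s initrc_t -t ai_exec_t -c process | grep -q 'ai_t;'
}

# One test cycle on a system without permissive domains (EL5): go
# permissive, exercise the daemon, go enforcing again, then turn the AVC
# records into policy language for review before appending to ai.te.
collect_denials() {
    since="${1:-today}"
    setenforce 0 || return 1
    service ai start
    service ai stop
    setenforce 1
    ausearch -m avc -ts "$since" | audit2allow -R
}
```

Typical use is `d=$(write_module ~/ai)`, then `build_install "$d"` and `verify_transition`, then repeat `collect_denials >> "$d/ai.te"` followed by `build_install "$d"` until a run in permissive mode produces no new denials; review the audit2allow -R output before appending it, since, as the thread notes, it does not always pick the best interface.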