Re: example of a domain with transition policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you so much.

Why do we need ai_initrc_exec_t though? All scripts in /etc/rc.d/init.d/ have context initrc_exec_t and it seems a proper approach to me.

Sincerely yours,
  Vadym Chepkov

P.S. To my shame never used IRC in my life :(

--- On Thu, 1/29/09, Dominick Grift <domg472@xxxxxxxxx> wrote:

> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: Re: example of a domain with transition policy
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: fedora-selinux-list@xxxxxxxxxx
> Date: Thursday, January 29, 2009, 2:20 PM
> Lets assume we have an init script: /etc/rc.d/init.d/ai, a
> executable: /usr/sbin/ai
> 
> first we create our file context file:
> 
> mkdir ~/ai; cd ~/ai;
> echo "/etc/rc\.d/init\.d/ai --
> gen_context(system_u:object_r:ai_initrc_exec_t, s0)"
> > ai.fc
> echo "/usr/sbin/ai --
> gen_context(system_u:object_r:ai_exec_t, s0)" >>
> ai.fc
> 
> this will take care of our file contexts. Now lets declare
> our module
> and some types to enforce:
> 
> echo "policy_module(ai, 0.0.1)" > ai.te
> echo "type ai_initrc_exec_t;" >> ai.te
> echo "init_script_file(ai_initrc_exec_t)"
> >> ai.te
> echo "type ai_t;" >> ai.te
> echo "type ai_exec_t;" >> ai.te
> echo "init_daemon_domain(ai_t, ai_exec_t)"
> >> ai.te
> 
> Now lets compile our module:
> 
> make -f /usr/share/selinux/devel/Makefile
> 
> Now lets install our module:
> 
> sudo semodule -i ai.pp
> 
> Now lets restore the file context of our executable file
> and the init
> script.
> 
> restorecon -v /etc/rc.d/init.d/ai
> restorecon -v /usr/sbin/ai
> 
> Now we have to create actual policy. We do this by testing.
> Since EL5
> does not support permissive domains, we will have to put
> the system into
> permissive mode: setenforce 0
> 
> now lets start the daemon:
> 
> sudo service ai start
> 
> after some testing of the daemons functionility we stop the
> daemon:
> 
> sudo service ai stop
> 
> now we enforce selinux again: setenforce 1
> 
> ..and we check for avc denials and pipe those into
> audit2allow to
> translate raw avc denials to policy language:
> 
> ausearch -m avc -ts today | audit2allow -R
> 
> then we simply append the output to our ai.te file,
> recompile and
> reinstall.
> 
> Thats about it in a nutshell.
> 
> Ofcourse this example is over simplified. there are only
> two files owned
> by ai. in real life there are more files that need types
> (we would use
> rpm -ql to find those, and we would inspect the output of
> audit2allow -R
> to identify any file owned by ai that were created (like
> pid files ,
> files in /tmp etc etc)
> 
> Also audit2allow -R's output is not optimal so we would
> try to find
> optimal interfaces for the policy it may not have
> translated in a
> optimal way.
> 
> If you have questions you can also join us on
> #fedora-selinux on
> irc.freenode.org.
> 
> happy policy writing!
> 
> Dominick
> 
> On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> > Hi,
> > 
> > Could somebody give me a working example of a policy
> module with transition, please. I am trying to create a
> policy for a vendor product I have to use (Asset Insight). 
> > The basic idea is to create domains ai_exec_t, ai_t,
> proper transition rules for initrc_exec_t -> initrc_t
> -> ai_exec_t -> ai_t. 
> > Then I want to ai_t be unconfined (for the moment) so
> probably make ai_t as an alias of unconfined_t, since there
> is no "permissive domain" in Redhat5 yet, but I
> want to be able to see what needs to be added to .te file to
> make it work. There is no much documentation about writing
> policy in Redhat/Fedora, unfortunately, or maybe I am
> missing some.
> > Thank you.
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> > 
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> >
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux