Lukas Vrabec <lvrabec@xxxxxxxxxx>:

> On 6/18/19 10:07 AM, Marko Rauhamaa wrote:
>> I'm an application developer. Nobody's going to integrate my
>> application with the distro except me and my teammates. It would help
>> us tremendously if there were a cookbook for the likes of us.
>
> You can look at this; it's not finished, but a guide on how to start with
> policy writing is here:
>
> http://redhatgov.io/workshops/selinux_policy/exercise1.1/

Thanks, Lukas. It looks like what I've been looking for. I'll have to research it.

It starts to seem like almost every file in a product should have its own file context label type. Additionally, every process should have a process context. Then, transition rules should assign process contexts to executable files (often starting with init_t). Finally, each process context should be granted I/O access.

Somewhat surprisingly, though, even without doing any of this, our services mostly have access to everything they need on Fedora and RHEL systems. Maybe the default distro policies are very lax so as not to anger application developers.

Marko

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
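The four steps Marko lists (a label type per file class, a domain for the process, an init_t transition onto the executable, explicit I/O access) as one worked policy module. This is an added example, not code from the thread or from the linked workshop; it uses the refpolicy macros shipped in Fedora's selinux-policy-devel, and the service name myapp, its paths and its type names are assumed.

```selinux
# ---- myapp.te ----
policy_module(myapp, 1.0.0)

########################################
# Declarations: one type per kind of object
type myapp_t;                         # process context (domain)
type myapp_exec_t;                    # the daemon's executable
init_daemon_domain(myapp_t, myapp_exec_t)   # init_t -> myapp_t when exec'd

type myapp_conf_t;                    # /etc/myapp
files_config_file(myapp_conf_t)

type myapp_var_lib_t;                 # /var/lib/myapp
files_type(myapp_var_lib_t)

type myapp_log_t;                     # /var/log/myapp
logging_log_file(myapp_log_t)

########################################
# Policy: grant only the I/O the daemon needs
# configuration is read-only for the daemon
allow myapp_t myapp_conf_t:dir list_dir_perms;
allow myapp_t myapp_conf_t:file read_file_perms;

# state may be created, modified and deleted; new objects the daemon
# creates under /var/lib get myapp_var_lib_t, not the parent's var_lib_t
manage_dirs_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
manage_files_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
files_var_lib_filetrans(myapp_t, myapp_var_lib_t, dir)

# log files, plus syslog and locale data
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
logging_log_filetrans(myapp_t, myapp_log_t, { dir file })
logging_send_syslog_msg(myapp_t)
miscfiles_read_localization(myapp_t)

# ---- myapp.fc ---- (file context labels for restorecon)
# /usr/sbin/myapp         --   gen_context(system_u:object_r:myapp_exec_t,s0)
# /etc/myapp(/.*)?             gen_context(system_u:object_r:myapp_conf_t,s0)
# /var/lib/myapp(/.*)?         gen_context(system_u:object_r:myapp_var_lib_t,s0)
# /var/log/myapp(/.*)?         gen_context(system_u:object_r:myapp_log_t,s0)

# ---- build, install, relabel, verify ----
# make -f /usr/share/selinux/devel/Makefile myapp.pp
# semodule -i myapp.pp
# restorecon -Rv /usr/sbin/myapp /etc/myapp /var/lib/myapp /var/log/myapp
# systemctl restart myapp && ps -eZ | grep myapp   # expect myapp_t
```

Before the module is loaded, a systemd-started service whose binary carries the generic bin_t label runs in unconfined_service_t on Fedora and RHEL, which is what makes it appear to have access to everything; after the relabel, `ps -eZ` should show myapp_t and any access the module does not grant shows up as a denial in the audit log.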