On Fri, Mar 13, 2020 at 9:41 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> Example
> -------
> Note, this example requires the separate selinux userspace patch to
> be applied, built, and installed to support the extensions to secilc
> and the new sebox command below.
>
> $ sudo semodule -cE base
> $ sudo vi base.cil
> <add "sandbox" to (class security (....))>
> $ sudo semodule -i base.cil
>
> $ cat ./definesandboxclass.cil
> (class sandbox (load_policy unload_policy))
> (classorder (unordered sandbox))
> $ sudo semodule -i definesandboxclass.cil
>
> $ cat ./unconfinedcansandbox.cil
> ; allow unconfined_t to sandbox itself
> (allow unconfined_t unconfined_t (security (sandbox)))
> (allow unconfined_t unconfined_t (sandbox (load_policy unload_policy))))
> $ sudo semodule -i unconfinedcansandbox.cil
>
> $ cat ./no-tmp.cil
> ; some boilerplate required by current limitations in secilc
> ; is omitted here to keep this text simple and readable,
> ; see the follow-up message for the full no-tmp.cil file.
> (class dir (read getattr open search))
> (class file (getattr))
> (classorder (dir file))
> (type unconfined_t)
> (type tmp_t)
> (deny unconfined_t tmp_t (dir (read getattr open search)))
> (deny unconfined_t tmp_t (file (getattr)))

Attached is the complete no-tmp.cil file. The boilerplate is just a reflection of the current prototype status of the implementation and it should be possible to omit it in the future.
Attachment:
no-tmp.cil
Description: application/vnd.ms-artgalry
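An added example, not part of this thread or of the SELinux userspace patch it discusses: a small Python reader for the CIL s-expressions shown above. It lists which (source, target, class, permission) tuples a module such as no-tmp.cil denies and flags any permission a deny rule names without a matching (class ...) declaration in the same module. The sample input is constructed from the quoted no-tmp.cil; the secilc boilerplate the message omits is not reproduced.

```python
import re

# Constructed sample: the declarations and deny rules quoted from no-tmp.cil
# above; the secilc boilerplate the message omits is not reproduced here.
NO_TMP_CIL = """
; deny unconfined_t all access to tmp_t directories and files
(class dir (read getattr open search))
(class file (getattr))
(classorder (dir file))
(type unconfined_t)
(type tmp_t)
(deny unconfined_t tmp_t (dir (read getattr open search)))
(deny unconfined_t tmp_t (file (getattr)))
"""
_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse_cil(text):
    """Parse CIL text into nested lists; ';' starts a line comment."""
    stripped = "\n".join(l.split(";", 1)[0] for l in text.splitlines())
    stack = [[]]
    for tok in _TOKEN.findall(stripped):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def denied_perms(text):
    """Return the set of (src, tgt, class, perm) tuples the deny rules cover."""
    denied = set()
    for s in parse_cil(text):
        if s and s[0] == "deny":
            _, src, tgt, (cls, perms) = s
            denied.update((src, tgt, cls, p) for p in perms)
    return denied

def undeclared_perms(text):
    """List (class, perm) pairs used by deny rules but missing from a (class ...)
    declaration in the same module, so the reference would be undeclared."""
    declared = {s[1]: set(s[2]) for s in parse_cil(text) if s and s[0] == "class"}
    return sorted({(cls, p) for _, _, cls, p in denied_perms(text)
                   if p not in declared.get(cls, set())})
```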