I'm trying to create a module for the Net ID electronic identification
system used in Sweden. With the standard policy, this does not work
with SELinux enabled, but works fine in permissive mode.
Net ID works as a plugin to Firefox. The plugin starts a separate
program "iid". This program needs access to some files in the user's
home directory, and also to open a graphical window for reading a
passphrase and the like.
My idea was to create a specific domain for this program, and try to
allow this domain as little as necessary. I'm working with this in
permissive mode, trying to check what it tries to do, and trying to find
the correct M4 macros to enable it.
One thing confuses me. If I try to run the same thing in enforcing
mode, the application doesn't come up at all. That's not surprising,
the new policy isn't finished yet.
But what IS surprising is I don't get any AVC telling me why. Even if
I rebuild with "semodule -DB" I only get a couple of comments about the
plugin-container not being allowed to read/write a unix_stream_socket
with the type xdm_t. As I understand it, that is unrelated and
normally dontaudited.
But then, why don't I get any AVCs? What is blocking without
telling?
For reference, I attach the policy so far as I've come. But note that
it is not under development. (But comments on mistakes I've made and
other suggestions are welcome in any case! :-)
# netid.te
# Module to make the NetID program run in its own domain, and be allowed to
# create the necessary files in the home directory.
policy_module(netid, 1.10)

gen_require(`
	type mozilla_plugin_t;
')

# Create a domain for NetID, entered from the Firefox plugin container
type netid_t;
type netid_exec_t;
application_domain(netid_t, netid_exec_t)
domtrans_pattern(mozilla_plugin_t, netid_exec_t, netid_t)

# NetID files in the home directory
type netid_home_t;
userdom_user_home_content(netid_home_t)
# Note: rw_files_pattern grants read/write on existing files only; creating
# them needs the manage_* patterns and a filetrans rule, not yet present here
rw_files_pattern(netid_t, netid_home_t, netid_home_t)

# NetID communicates with pcscd
pcscd_stream_connect(netid_t)

# Things needed to create the GUI
type netid_tmpfs_t;
userdom_user_tmpfs_file(netid_tmpfs_t)
manage_dirs_pattern(netid_t, netid_tmpfs_t, netid_tmpfs_t)
manage_files_pattern(netid_t, netid_tmpfs_t, netid_tmpfs_t)
fs_tmpfs_filetrans(netid_t, netid_tmpfs_t, { dir file })
xserver_user_x_domain_template(netid, netid_t, netid_tmpfs_t)
userdom_home_reader(netid_t) # Is this really necessary?

# NetID logs to a file in /tmp
userdom_manage_tmp_files(netid_t)

# netid.fc  (file contexts go in a separate .fc file, not in the .te)
HOME_DIR/\.iid(/.*)?	gen_context(system_u:object_r:netid_home_t,s0)
/usr/bin/iid[.0-9]*	--	gen_context(system_u:object_r:netid_exec_t,s0)
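The triage loop the post describes (run in permissive mode, look at what the program tries to do, separate the denials that matter from the ones that are known noise) can be scripted. The following is an added example, not part of the post or of the NetID software: it parses kernel AVC records, drops the mozilla_plugin_t -> xdm_t unix_stream_socket denials the post calls unrelated, keeps only records that touch the netid types, and aggregates the remaining permissions per (source type, target type, class) the way audit2allow does, so they can be reviewed before any rule is written. The audit lines in SAMPLE_AUDIT are constructed for the example and are not output from a real system; the netid_t and netid_exec_t denials in them are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (NOT taken from the original post). The first
# two mimic the mozilla_plugin_t -> xdm_t unix_stream_socket noise the post
# mentions; the last two are hypothetical denials involving the netid types.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1400000000.101:201): avc:  denied  { read write } for  pid=1234 comm="plugin-container" path="socket:[55555]" dev="sockfs" ino=55555 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1400000000.102:202): avc:  denied  { read write } for  pid=1234 comm="plugin-container" path="socket:[55555]" dev="sockfs" ino=55555 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1400000000.250:203): avc:  denied  { execute } for  pid=1240 comm="plugin-container" name="iid" dev="sda1" ino=9001 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:netid_exec_t:s0 tclass=file
type=AVC msg=audit(1400000000.300:204): avc:  denied  { create } for  pid=1241 comm="iid" name="config" scontext=unconfined_u:unconfined_r:netid_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Kernel AVC record layout: "avc: denied { perms } for <key=value ...>
# scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Denials the post describes as unrelated and normally dontaudited, modelled
# as (source type, target type, object class) triples.
KNOWN_NOISE = {("mozilla_plugin_t", "xdm_t", "unix_stream_socket")}


def type_of(context):
    """Return the type component (user:role:TYPE:range) of a security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def triage(audit_text, domains=("netid_t", "netid_exec_t")):
    """Split denials into those touching the netid types and known noise.

    Returns (relevant, noise_count); records for other domains are ignored.
    """
    relevant, noise = [], 0
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if (rec["stype"], rec["ttype"], rec["tclass"]) in KNOWN_NOISE:
            noise += 1
            continue
        if rec["stype"] in domains or rec["ttype"] in domains:
            relevant.append(rec)
    return relevant, noise


def summarize(records):
    """Aggregate permissions per (stype, ttype, tclass) and render them as
    allow rules for human review (audit2allow style), not for blind loading."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    kept, noise = triage(SAMPLE_AUDIT)
    print(f"{noise} known-noise record(s) dropped, {len(kept)} relevant:")
    for rule in summarize(kept):
        print("  " + rule)
```

On a real system the input would come from `ausearch -m AVC -ts recent` (or the kernel log), and each suggested rule should be checked against an existing refpolicy interface before being added, since the aggregate is only a description of what was attempted, not a statement of what should be allowed.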