Lukas Vrabec <lvrabec(a)redhat.com>:
On 6/18/19 10:07 AM, Marko Rauhamaa wrote:
> I'm an application developer. Nobody's going to integrate my
> application with the distro except me and my teammates. It would help
> us tremendously if there were a cookbook for the likes of us.
You can look at this; it's not finished, but a guide on how to start with
policy writing is here:
http://redhatgov.io/workshops/selinux_policy/exercise1.1/
Thanks, Lukas. It looks like what I've been looking for. I'll have to
research it.
It starts to seem like almost every file in a product should have its
own file context label type. Additionally, every process should have a
process context. Then, transition rules should assign process contexts
to executable files (often starting with init_t). Finally, each process
context should be granted I/O access.
Somewhat surprisingly, though, even without doing any of this, our
services mostly have access to everything they need on Fedora and RHEL
systems. Maybe the default distro policies are very lax so as not to
anger application developers.
Marko
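The steps sketched in the message above (a file context type per file class, a process domain, a transition from init to that domain, and explicit I/O access for the domain) map directly onto a Reference Policy module. The module below is an added worked example written for this thread, not code from the workshop linked above or from either poster; the daemon name `myapp`, its paths and every `myapp_*` type are assumptions. The observation that an unlabelled service "mostly has access to everything" on Fedora and RHEL is the expected behaviour: an executable left at `bin_t` is started by systemd in the `unconfined_service_t` domain, which is almost unconfined, so nothing is denied and nothing is confined either. Giving the daemon its own domain is what turns the policy from lax into an explicit allow list.

```selinux
# ---- myapp.te (hypothetical module; all myapp_* names are assumptions) ----
policy_module(myapp, 1.0.0)

# Process context for the running daemon, and the label for its executable.
type myapp_t;
type myapp_exec_t;
# Transition: when init (systemd) executes a myapp_exec_t file, the child
# process runs in myapp_t instead of staying in init_t / unconfined_service_t.
init_daemon_domain(myapp_t, myapp_exec_t)

# One file context type per class of file the daemon touches, so that each
# kind of access below is a separate, auditable decision.
type myapp_conf_t;
files_config_file(myapp_conf_t)

type myapp_log_t;
logging_log_file(myapp_log_t)

type myapp_var_run_t;
files_pid_file(myapp_var_run_t)

# I/O access for the domain: read-only configuration.
allow myapp_t myapp_conf_t:dir list_dir_perms;
allow myapp_t myapp_conf_t:file read_file_perms;

# Append-only logging; new files created under /var/log get myapp_log_t.
allow myapp_t myapp_log_t:dir rw_dir_perms;
allow myapp_t myapp_log_t:file { create_file_perms append_file_perms };
logging_log_filetrans(myapp_t, myapp_log_t, file)

# PID file under /run, owned by the daemon's own type.
allow myapp_t myapp_var_run_t:dir rw_dir_perms;
allow myapp_t myapp_var_run_t:file manage_file_perms;
files_pid_filetrans(myapp_t, myapp_var_run_t, file)

# Listen on TCP; the port is bound on a generic node, the port type is
# assigned separately with semanage port.
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myapp_t)

# Baseline access almost every daemon needs (libc, locale, syslog).
files_read_etc_files(myapp_t)
miscfiles_read_localization(myapp_t)
logging_send_syslog_msg(myapp_t)

# ---- myapp.fc (file contexts; paths are assumptions) ----
/usr/sbin/myapp         --  gen_context(system_u:object_r:myapp_exec_t,s0)
/etc/myapp(/.*)?            gen_context(system_u:object_r:myapp_conf_t,s0)
/var/log/myapp(/.*)?        gen_context(system_u:object_r:myapp_log_t,s0)
/run/myapp(/.*)?            gen_context(system_u:object_r:myapp_var_run_t,s0)
```

Build and load it with the policy development Makefile (`make -f /usr/share/selinux/devel/Makefile myapp.pp`, then `semodule -i myapp.pp`), and apply the new file contexts with `restorecon -Rv /usr/sbin/myapp /etc/myapp /var/log/myapp /run/myapp`. After restarting the service, `ps -eZ | grep myapp` should show the process in `myapp_t`; any access the module does not grant shows up as an AVC denial in `ausearch -m AVC -ts recent`, which is the point: the daemon now runs on an explicit allow list rather than inheriting the near-unconfined default. `sepolicy generate --init /usr/sbin/myapp` produces a skeleton of roughly this shape to start from.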