Thank you so much.
Why do we need ai_initrc_exec_t, though? All scripts in /etc/rc.d/init.d/ have the context
initrc_exec_t, and that seems like a proper approach to me.
Sincerely yours,
Vadym Chepkov
P.S. To my shame, I've never used IRC in my life :(
--- On Thu, 1/29/09, Dominick Grift <domg472(a)gmail.com> wrote:
From: Dominick Grift <domg472(a)gmail.com>
Subject: Re: example of a domain with transition policy
To: "Vadym Chepkov" <chepkov(a)yahoo.com>
Cc: fedora-selinux-list(a)redhat.com
Date: Thursday, January 29, 2009, 2:20 PM
Let's assume we have an init script, /etc/rc.d/init.d/ai, and an executable, /usr/sbin/ai.
First we create our file context file:
mkdir ~/ai; cd ~/ai;
echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc
This will take care of our file contexts. Now let's declare our module and some types to enforce:
echo "policy_module(ai, 0.0.1)" > ai.te
echo "type ai_initrc_exec_t;" >> ai.te
echo "init_script_file(ai_initrc_exec_t)" >> ai.te
echo "type ai_t;" >> ai.te
echo "type ai_exec_t;" >> ai.te
echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te
Now let's compile our module:
make -f /usr/share/selinux/devel/Makefile
Now let's install our module:
sudo semodule -i ai.pp
Now let's restore the file context of our executable file and the init script:
restorecon -v /etc/rc.d/init.d/ai
restorecon -v /usr/sbin/ai
Now we have to create the actual policy. We do this by testing. Since EL5 does not support permissive domains, we will have to put the system into permissive mode: setenforce 0
Now let's start the daemon:
sudo service ai start
After some testing of the daemon's functionality we stop the daemon:
sudo service ai stop
Now we enforce SELinux again: setenforce 1
...and we check for AVC denials and pipe those into audit2allow to translate raw AVC denials to policy language:
ausearch -m avc -ts today | audit2allow -R
Then we simply append the output to our ai.te file, recompile and reinstall.
That's about it in a nutshell.
Of course this example is oversimplified. There are only two files owned by ai. In real life there are more files that need types (we would use rpm -ql to find those, and we would inspect the output of audit2allow -R to identify any files owned by ai that were created, like pid files, files in /tmp, etc.).
Also, audit2allow -R's output is not optimal, so we would try to find optimal interfaces for the policy it may not have translated in an optimal way.
If you have questions you can also join us on #fedora-selinux on irc.freenode.org.
Happy policy writing!
Dominick
On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> Hi,
>
> Could somebody give me a working example of a policy module with a transition, please? I am trying to create a policy for a vendor product I have to use (Asset Insight).
> The basic idea is to create domains ai_exec_t, ai_t, and proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t.
> Then I want ai_t to be unconfined (for the moment), so probably make ai_t an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to the .te file to make it work. There is not much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some.
> Thank you.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
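The module-building procedure Dominick walks through above (file contexts, type declarations, build, load, relabel, then a permissive test run fed through audit2allow -R), collected into one script as an added example. This is not code from the thread or from any Fedora/EL package: the module and path names (ai, /etc/rc.d/init.d/ai, /usr/sbin/ai) come from the thread, the tools (the refpolicy devel Makefile, semodule, restorecon, ausearch, audit2allow, service, setenforce) are the stock ones the thread names, and the function names and the write/build/iterate sub-commands are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Tool paths are the stock
# EL5/Fedora ones the thread names; module and file names come from the
# thread; the function names and sub-commands are assumptions of this script.
set -eu

MODULE=ai
INIT_SCRIPT=/etc/rc.d/init.d/ai
DAEMON=/usr/sbin/ai
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Write $MODULE.fc and $MODULE.te into DIR; print the path of the .te file.
write_ai_module() {
    dir=$1
    mkdir -p "$dir"
    # File contexts. The init script gets its own ai_initrc_exec_t so that
    # init_script_file() can treat it as an init script; the daemon binary gets
    # ai_exec_t so that init_daemon_domain() can transition initrc_t -> ai_t.
    cat > "$dir/$MODULE.fc" <<'EOF'
/etc/rc\.d/init\.d/ai  --  gen_context(system_u:object_r:ai_initrc_exec_t, s0)
/usr/sbin/ai           --  gen_context(system_u:object_r:ai_exec_t, s0)
EOF
    # Type enforcement skeleton: declare the types, then let the two refpolicy
    # interfaces supply the labeling and domain-transition rules.
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(ai, 0.0.1)

type ai_initrc_exec_t;
init_script_file(ai_initrc_exec_t)

type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)
EOF
    printf '%s\n' "$dir/$MODULE.te"
}

# List the types the module declares, one per line, in file order.
module_types() {
    sed -n 's/^type \([A-Za-z0-9_]*\);$/\1/p' "$1/$MODULE.te"
}

# Compile, load and relabel. Needs root and the selinux-policy-devel package.
build_and_install() {
    dir=$1
    [ -f "$DEVEL_MAKEFILE" ] || { echo "missing $DEVEL_MAKEFILE" >&2; return 1; }
    ( cd "$dir" && make -f "$DEVEL_MAKEFILE" )
    semodule -i "$dir/$MODULE.pp"
    restorecon -v "$INIT_SCRIPT" "$DAEMON"
    # Check that the labels really changed before trusting any test run.
    ls -Z "$INIT_SCRIPT" "$DAEMON"
}

# One test cycle: go permissive, exercise the daemon, go back to enforcing,
# and append today's denials (translated by audit2allow -R) to the .te file.
append_denials() {
    dir=$1
    setenforce 0
    service "$MODULE" start
    # ... exercise the daemon here, then:
    service "$MODULE" stop
    setenforce 1
    rules=$(ausearch -m avc -ts today 2>/dev/null | audit2allow -R) || true
    [ -n "$rules" ] || { echo "no AVC denials recorded" >&2; return 0; }
    printf '\n# from audit2allow -R, review before keeping\n%s\n' "$rules" >> "$dir/$MODULE.te"
}

case "${1:-}" in
    write)   write_ai_module "${2:-.}" ;;
    build)   build_and_install "${2:-.}" ;;
    iterate) append_denials "${2:-.}" ;;
    "")      ;;    # no arguments: only define the functions
    *)       echo "usage: $0 write|build|iterate [DIR]" >&2; exit 2 ;;
esac
```

Run it as `./ai-module.sh write ~/ai`, then `build ~/ai`, then repeat `iterate ~/ai` followed by `build ~/ai` until a test run in enforcing mode produces no denials. Two caveats the thread only implies: `setenforce 0` makes the whole machine permissive for the duration of the test, so do it on a test box (on releases that support permissive domains, `semanage permissive -a ai_t` limits the window to the one domain), and the rules audit2allow appends are whatever the daemon did during the run, so read them before rebuilding rather than loading them blindly.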