[selinux-policy: 373/3172] add more example

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:37:05 UTC 2010


commit 347f406f29b65fc4b69f1898d02a4fefe0e80de7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jun 15 19:10:24 2005 +0000

    add more example

 www/html/getting-started.html |   79 +++++++++++++++++++++++++++++++++++++++--
 1 files changed, 76 insertions(+), 3 deletions(-)
---
diff --git a/www/html/getting-started.html b/www/html/getting-started.html
index 8327fe9..dd3e014 100644
--- a/www/html/getting-started.html
+++ b/www/html/getting-started.html
@@ -34,8 +34,81 @@ This creates all fo the types needed for this module, including a type for the p
 Let's expand this example further by allowing some access for these types. My application needs access between it's own types and access to read random numbers. The access between private types is written exactly the same way current policy rules are written, i.e.:
 <div id="codeblock">
 <pre>
-allow myapp_t myapp_log_t : file ra_file_perms;
-allow myapp_t myapp_tmp_t : file rw_file_perms;
+allow myapp_t myapp_log_t:file ra_file_perms;
+allow myapp_t myapp_tmp_t:file create_file_perms;
 </pre>
 </div>
-</p>
\ No newline at end of file
+This allows myapp_t to write to it's private types, but it needs to be able to
+create its temporary files in /tmp.  This requires a call to the files module.
+<div id="codeblock">
+<pre>
+files_create_tmp_files(myapp_t,myapp_tmp_t,file)
+</pre>
+</div>
+This call to the files module allows myapp_t to create myapp_tmp_t files in
+the /tmp directory.
+</p>
+<h3>Module IF Policy</h3>
+<p>
+First, let's create myapp.if and add the following:
+<div id="codeblock">
+<pre>
+## &lt;module name="myapp" layer="apps"&gt;
+## &lt;summary&gt;Myapp example policy&lt;/summary&gt;
+## &lt;description&gt;More descriptive text about myapp&lt;/description&gt;
+
+## &lt;interface name="myapp_domtrans"&gt;
+## &lt;summary&gt;
+##	Execute a domain transition to run myapp.
+## &lt;/summary&gt;
+## &lt;parameter name="domain"&gt;
+##	Domain allowed to transition.
+## &lt;/parameter&gt;
+## &lt;/interface&gt;
+define(`myapp_domtrans',`
+	gen_requires(`
+		type myapp_t, myapp_exec_t;
+		class fd use;
+		class process sigchld;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,myapp_exec_t,myapp_t)
+
+	allow $1 myapp_t:fd use;
+	allow myapp_t $1:fd use;
+	allow $1 myapp_t:fifo_file rw_file_perms;
+	allow $1 myapp_t:process sigchld;
+')
+
+## &lt;interface name="myapp_read_log"&gt;
+## &lt;summary&gt;
+##	Read myapp log files.
+## &lt;/summary&gt;
+## &lt;parameter name="domain"&gt;
+##	Domain allowed to read the log files.
+## &lt;/parameter&gt;
+## &lt;/interface&gt;
+define(`myapp_read_log',`
+	gen_requires(`
+		type myapp_log_t;
+		class file r_file_perms;
+	')
+
+	logging_search_logs($1)
+	allow $1 myapp_log_t:file r_file_perms;
+')
+
+## &lt;/module&gt;
+</pre>
+</div>
+The first interface allows other domains to do a domain
+transition to myapp_t, by executing a program labeled myapp_exec_t.
+</p>
+<p>
+The second interface allows other domains to read myapp's log files.  Myapp's
+log files are in the /var/log directory, so the access to search the /var/log
+directory is also given by the interface.  The gen_requires() macro is used to
+support loadable policy modules, and must explicitly list the type, attributes,
+object classes, and permissions used by this interface.
+</p>
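Review bot: In the `myapp_domtrans` interface the last two allow rules run in the wrong direction. After `domain_auto_trans($1,myapp_exec_t,myapp_t)` it is the new domain that writes to the caller's inherited pipes and sends SIGCHLD to the caller when it exits, so the rules should read `allow myapp_t $1:fifo_file rw_file_perms;` and `allow myapp_t $1:process sigchld;` rather than `allow $1 myapp_t:fifo_file rw_file_perms;` and `allow $1 myapp_t:process sigchld;`. As written, myapp_t cannot signal its parent (the caller gets the permission instead), and since the `gen_requires` block already declares `class process sigchld;` and `class fifo_file rw_file_perms;`, only the subject and target of those two lines need to be swapped. The surrounding prose in the same hunk also has "all fo the types" and "it's own types" / "it's private types" (should be "its"), which are worth fixing in the same commit since this is a getting-started page.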

