Creating and packaging a new policy module

Dominick Grift dominick.grift at gmail.com
Mon Aug 19 13:27:45 UTC 2013


On Sun, 2013-08-18 at 20:10 +0200, Juan Orti Alcaine wrote:
> Hello, I'm the package maintainer of gogoc, and I'm creating my first policy 
> module for it following the instructions of this draft in the wiki [1].
> 
> It says you must build your module for three policies: mls, strict and 
> targeted, but I don't see any strict policy, is this information still 
> correct? Must I build it also for minimum?

Yes, strict no longer exists, so remove any reference to it.

> 
> Also I have doubts if the module will always live in the gogoc package or it 
> will be migrated sometime to the main selinux-policy-targeted package.
> 
> If you can take a look at the policy to find any possible error it would be 
> great. It's already in the git repository of gogoc [2]
> 

Your policy should have no require{} in the .te file; everything should
have an interface that you can use instead.

Only type transition on what you need to type transition on, instead of
everything (you type transition on everything).

corecmd_bin_entry_type(gogoc_t) <- this doesn't make sense, as you do not
domain type transition on bin_t anywhere

radvd_admin(gogoc_t, system_r) <- this one isn't appropriate here

systemd_exec_systemctl(gogoc_t)  <- why is this needed?

allow gogoc_t radvd_exec_t:file { read execute open execute_no_trans };
<-- depending on why gogoc runs radvd, you may want to run radvd with a
domain transition instead. If it turns out that you should have run
radvd with a domain transition, then it is encouraged you start over
with your policy, because one should always take care of type
transitions first before adding any other rules: type transitions can
greatly impact the access your process needs.

There are duplicate rules in your policy.

For example:
sysnet_dns_name_resolve(gogoc_t)
and
files_read_etc_files(gogoc_t)

are already enclosed with:
auth_use_nsswitch(gogoc_t)

There's probably a bit more room for improvement other than the above, but this
is a start.


> Kind regards.
> 
> [1] https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
> [2] http://pkgs.fedoraproject.org/cgit/gogoc.git/tree/
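The points above (no require{} block, one deliberate domain transition instead of a blanket one, no rules already covered by auth_use_nsswitch()) can be illustrated with a minimal .te file. This is an added example written for this list post, not the gogoc package's actual policy, and it assumes a refpolicy-style interface radvd_domtrans() in the installed radvd.if; the other interface names (init_daemon_domain, auth_use_nsswitch, logging_send_syslog_msg) are standard refpolicy/Fedora interfaces.

```selinux
policy_module(gogoc, 1.0.0)

########################################
#
# Declarations
#

# Private types for the daemon and its binary; no require{} block is
# needed because every foreign type is reached through an interface.
type gogoc_t;
type gogoc_exec_t;

# Marks gogoc_exec_t as an entrypoint and sets up the init -> gogoc_t
# domain transition. This replaces corecmd_bin_entry_type(), which only
# makes sense when bin_t itself is the entrypoint.
init_daemon_domain(gogoc_t, gogoc_exec_t)

########################################
#
# Local policy
#

# The single domain transition this daemon needs: radvd runs in its own
# radvd_t domain rather than inheriting gogoc_t's permissions. This
# replaces "allow gogoc_t radvd_exec_t:file { read execute ... }" and
# the inappropriate radvd_admin(gogoc_t, system_r).
# (assumption: radvd_domtrans() is provided by the installed radvd.if)
radvd_domtrans(gogoc_t)

# auth_use_nsswitch() already grants DNS resolution and reading /etc, so
# sysnet_dns_name_resolve() and files_read_etc_files() are not repeated.
auth_use_nsswitch(gogoc_t)

# Let the daemon log to syslog/journald.
logging_send_syslog_msg(gogoc_t)
```

Built with the stock developer Makefile (`make -f /usr/share/selinux/devel/Makefile gogoc.pp`) the same source compiles against both the targeted and mls base policies, which is what the packaging draft expects now that strict is gone. Because init_daemon_domain() and radvd_domtrans() each contain a domtrans_pattern(), this is the "type transitions first" order the post recommends: decide where processes change domain, then add only the access gogoc_t itself still needs.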
