Creating and packaging a new policy module

Tue Aug 20 10:51:15 UTC 2013

El 2013-08-19 13:27, Dominick Grift escribió:
> On Sun, 2013-08-18 at 20:10 +0200, Juan Orti Alcaine wrote:
>> Hello, I'm the package mantainer of gogoc, and I'm creating my first 
>> policy
>> module for it following the instructions of this draft in the wiki 
>> [1].
>> 
>> It says you must build your module for three policies: mls, scritct 
>> and
>> targeted, but I don't see any strict policy, is this information still
>> correct? Must I build it also for minimum?
> 
> Yes strict no longer exists, so remove any reference to it

And what about the minimum policy?
Also, I see some packages dropping their policies to 
/usr/share/selinux/packages/ and others to 
/usr/share/selinux/{targeted,mls}. What's better?

> 
>> 
>> Also I have doubts if the module will always live in the gogoc package 
>> or it
>> will be migrated sometime to the main selinux-policy-targeted package.
>> 
>> If you can take a look at the policy to find any possible error it 
>> would be
>> great. It's already in the git repository of gogoc [2]
>> 
> 
> You policy should have no require{} in the .te file, everything should
> have an api that you can use instead
> 
> Only type transition on what you need to type transition on, instead of
> everything (you type transition on everything)
> 
> corecmd_bin_entry_type(gogoc_t) <- this doesnt make sense as you do not
> domain type transition on bin_t anywhere
> 
> radvd_admin(gogoc_t, system_r) <- this one isnt appropriate here
> 
> systemd_exec_systemctl(gogoc_t)  <- why is this needed?
> 
> allow gogoc_t radvd_exec_t:file { read execute open execute_no_trans };
> <-- depending on why gogoc runs dadvd you may want to run radvd with a
> domain transition instead. If it turns out that you should have ran
> radvd with a domain transition ,then it is encouraged you start over
> with your policy because, one should always take care of type
> transitions first before adding any other rules. because type
> transitions can greatly impact access your process needs
> 
> There are duplicate rules in your policy
> 
> For example:
> sysnet_dns_name_resolve(gogoc_t)
> and
> files_read_etc_files(gogoc_t)
> 
> are already enclosed with:
> auth_use_nsswitch(gogoc_t)
> 
> Theres probably a bit moreroom for improvement other than above but 
> this
> is a start

Thank you for your comments, I'm newbie at policy writing.

What gogoc does is to negotiate the tunnel and execute a shell script to 
configure the tun interface and launch the radvd with a custom config to 
advertise the prefix in the net.

I'm rewriting the policy and have doubts about how to transition to the 
radvd_t domain. I miss a interface like radvd_domtrans(gogoc_t), which I 
think it's the way to do the transition, another way I'm thinking it's 
adding a section require{ type radvd_exec_t;} and grant access to 
execute and domain transition. Which api function should I use?

Regards,
Juan.