
Re: example of a domain with transition policy



Well, SELinux is about least privilege. We tend to use as many unique
types as reasonably possible.

There is one small correction though for EL5 and my example:

EL5 uses init_script_type() instead of init_script_file()

so:

init_script_type(ai_initrc_exec_t)

On Thu, 2009-01-29 at 11:35 -0800, Vadym Chepkov wrote:
> Thank you so much.
> 
> Why do we need ai_initrc_exec_t though? All scripts in /etc/rc.d/init.d/ have context initrc_exec_t and it seems a proper approach to me.
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> P.S. To my shame never used IRC in my life :(
> 
> --- On Thu, 1/29/09, Dominick Grift <domg472 gmail com> wrote:
> 
> > From: Dominick Grift <domg472 gmail com>
> > Subject: Re: example of a domain with transition policy
> > To: "Vadym Chepkov" <chepkov yahoo com>
> > Cc: fedora-selinux-list redhat com
> > Date: Thursday, January 29, 2009, 2:20 PM
> > Let's assume we have an init script: /etc/rc.d/init.d/ai, and an
> > executable: /usr/sbin/ai
> > 
> > First we create our file context file:
> > 
> > mkdir ~/ai; cd ~/ai;
> > echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
> > echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc
> > 
> > This will take care of our file contexts. Now let's declare
> > our module
> > and some types to enforce:
> > 
> > echo "policy_module(ai, 0.0.1)" > ai.te
> > echo "type ai_initrc_exec_t;" >> ai.te
> > echo "init_script_file(ai_initrc_exec_t)" >> ai.te
> > echo "type ai_t;" >> ai.te
> > echo "type ai_exec_t;" >> ai.te
> > echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te
> > 
> > Now let's compile our module:
> > 
> > make -f /usr/share/selinux/devel/Makefile
> > 
> > Now let's install our module:
> > 
> > sudo semodule -i ai.pp
> > 
> > Now lets restore the file context of our executable file
> > and the init
> > script.
> > 
> > restorecon -v /etc/rc.d/init.d/ai
> > restorecon -v /usr/sbin/ai
> > 
> > Now we have to create actual policy. We do this by testing.
> > Since EL5
> > does not support permissive domains, we will have to put
> > the system into
> > permissive mode: setenforce 0
> > 
> > Now let's start the daemon:
> > 
> > sudo service ai start
> > 
> > After some testing of the daemon's functionality we stop the
> > daemon:
> > 
> > sudo service ai stop
> > 
> > Now we enforce SELinux again: setenforce 1
> > 
> > ..and we check for avc denials and pipe those into
> > audit2allow to
> > translate raw avc denials to policy language:
> > 
> > ausearch -m avc -ts today | audit2allow -R
> > 
> > then we simply append the output to our ai.te file,
> > recompile and
> > reinstall.
> > 
> > That's about it in a nutshell.
> > 
> > Of course this example is oversimplified. There are only
> > two files owned
> > by ai. In real life there are more files that need types
> > (we would use
> > rpm -ql to find those, and we would inspect the output of
> > audit2allow -R
> > to identify any files owned by ai that were created (like
> > pid files,
> > files in /tmp etc. etc.)
> > 
> > Also audit2allow -R's output is not optimal, so we would
> > try to find
> > optimal interfaces for the policy it may not have
> > translated in an
> > optimal way.
> > 
> > If you have questions you can also join us on
> > #fedora-selinux on
> > irc.freenode.org.
> > 
> > happy policy writing!
> > 
> > Dominick
> > 
> > On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> > > Hi,
> > > 
> > > Could somebody give me a working example of a policy
> > > module with transition, please. I am trying to create a
> > > policy for a vendor product I have to use (Asset Insight).
> > > The basic idea is to create domains ai_exec_t, ai_t,
> > > proper transition rules for initrc_exec_t -> initrc_t
> > > -> ai_exec_t -> ai_t.
> > > Then I want ai_t to be unconfined (for the moment), so
> > > probably make ai_t an alias of unconfined_t, since there
> > > is no "permissive domain" in Redhat5 yet, but I
> > > want to be able to see what needs to be added to the .te file to
> > > make it work. There is not much documentation about writing
> > > policy in Redhat/Fedora, unfortunately, or maybe I am
> > > missing some.
> > > Thank you.
> > > 
> > > Sincerely yours,
> > >   Vadym Chepkov
> > > 
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list redhat com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
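As an added example (written for this archive page, not code from any message in the thread), a POSIX shell script that generates the .fc and .te skeleton Dominick walks through for an arbitrary daemon, picking init_script_type() for EL5 and init_script_file() for newer Fedora per his correction, and guarding the compile/install/relabel steps on the presence of the refpolicy devel Makefile. The function names and the el5/fedora flavour argument are this example's own assumptions.

```shell
#!/bin/sh
# gen_policy_skeleton NAME INIT_SCRIPT EXECUTABLE OUTDIR FLAVOUR(el5|fedora)
# Hypothetical helper for this example; writes OUTDIR/NAME.fc and OUTDIR/NAME.te.
gen_policy_skeleton() {
    name=$1; initscript=$2; exe=$3; outdir=$4; flavour=$5
    mkdir -p "$outdir" || return 1
    # .fc paths are regular expressions: escape the dots so that
    # /etc/rc.d only matches /etc/rc.d and not /etc/rcXd.
    esc_init=$(printf '%s' "$initscript" | sed 's/\./\\./g')
    esc_exe=$(printf '%s' "$exe" | sed 's/\./\\./g')
    cat > "$outdir/$name.fc" <<EOF
$esc_init -- gen_context(system_u:object_r:${name}_initrc_exec_t, s0)
$esc_exe -- gen_context(system_u:object_r:${name}_exec_t, s0)
EOF
    # EL5's reference policy calls the init-script interface
    # init_script_type(); later Fedora policy calls it init_script_file().
    case $flavour in
        el5) iface=init_script_type ;;
        *)   iface=init_script_file ;;
    esac
    cat > "$outdir/$name.te" <<EOF
policy_module($name, 0.0.1)

type ${name}_initrc_exec_t;
$iface(${name}_initrc_exec_t)

type ${name}_t;
type ${name}_exec_t;
init_daemon_domain(${name}_t, ${name}_exec_t)
EOF
}

# build_and_install OUTDIR NAME PATH... : the compile, semodule -i and
# restorecon steps from the thread. Refuses to run without the refpolicy
# devel tree, so sourcing this file on a non-SELinux host is harmless.
build_and_install() {
    outdir=$1; name=$2; shift 2
    [ -f /usr/share/selinux/devel/Makefile ] || {
        echo "refpolicy devel Makefile not found" >&2; return 1; }
    (cd "$outdir" && make -f /usr/share/selinux/devel/Makefile) || return 1
    semodule -i "$outdir/$name.pp" || return 1
    for path in "$@"; do restorecon -v "$path"; done
}

# Constructed demo: the thread's "ai" daemon on an EL5 host.
if [ "${1:-}" = demo ]; then
    gen_policy_skeleton ai /etc/rc.d/init.d/ai /usr/sbin/ai ./ai el5
    cat ./ai/ai.fc ./ai/ai.te
fi
```

After generating, the permissive-mode test cycle from the thread (setenforce 0, exercise the daemon, ausearch -m avc -ts today | audit2allow -R, append, rebuild) is unchanged.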


