example of a domain with transition policy

Dominick Grift domg472 at gmail.com
Thu Jan 29 19:45:29 UTC 2009


Well, SELinux is about least privilege. We tend to use as many unique
types as reasonably possible.

There is one small correction though for EL5 and my example:

EL5 uses init_script_type() instead of init_script_file()

so:

init_script_type(ai_initrc_exec_t)

On Thu, 2009-01-29 at 11:35 -0800, Vadym Chepkov wrote:
> Thank you so much.
> 
> Why do we need ai_initrc_exec_t though? All scripts in /etc/rc.d/init.d/ have context initrc_exec_t and it seems a proper approach to me.
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> P.S. To my shame, I have never used IRC in my life :(
> 
> --- On Thu, 1/29/09, Dominick Grift <domg472 at gmail.com> wrote:
> 
> > From: Dominick Grift <domg472 at gmail.com>
> > Subject: Re: example of a domain with transition policy
> > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > Cc: fedora-selinux-list at redhat.com
> > Date: Thursday, January 29, 2009, 2:20 PM
> > Let's assume we have an init script, /etc/rc.d/init.d/ai, and an
> > executable, /usr/sbin/ai.
> > 
> > First we create our file context file:
> > 
> > mkdir ~/ai; cd ~/ai;
> > echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
> > echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc
> > 
> > This will take care of our file contexts. Now let's declare our module
> > and some types to enforce:
> > 
> > echo "policy_module(ai, 0.0.1)" > ai.te
> > echo "type ai_initrc_exec_t;" >> ai.te
> > echo "init_script_file(ai_initrc_exec_t)" >> ai.te
> > echo "type ai_t;" >> ai.te
> > echo "type ai_exec_t;" >> ai.te
> > echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te
> > 
> > Now let's compile our module:
> > 
> > make -f /usr/share/selinux/devel/Makefile
> > 
> > Now let's install our module:
> > 
> > sudo semodule -i ai.pp
> > 
> > Now let's restore the file context of our executable file and the init
> > script.
> > 
> > restorecon -v /etc/rc.d/init.d/ai
> > restorecon -v /usr/sbin/ai
> > 
> > Now we have to create actual policy. We do this by testing. Since EL5
> > does not support permissive domains, we will have to put the system into
> > permissive mode: setenforce 0
> > 
> > Now let's start the daemon:
> > 
> > sudo service ai start
> > 
> > After some testing of the daemon's functionality we stop the daemon:
> > 
> > sudo service ai stop
> > 
> > Now we enforce SELinux again: setenforce 1
> > 
> > ...and we check for AVC denials and pipe those into audit2allow to
> > translate raw AVC denials to policy language:
> > 
> > ausearch -m avc -ts today | audit2allow -R
> > 
> > Then we simply append the output to our ai.te file, recompile and
> > reinstall.
> > 
> > That's about it in a nutshell.
> > 
> > Of course this example is oversimplified. There are only two files owned
> > by ai. In real life there are more files that need types (we would use
> > rpm -ql to find those, and we would inspect the output of audit2allow -R
> > to identify any files owned by ai that were created, like pid files,
> > files in /tmp, etc.)
> > 
> > Also, audit2allow -R's output is not optimal, so we would try to find
> > optimal interfaces for the policy it may not have translated in an
> > optimal way.
> > 
> > If you have questions you can also join us on #fedora-selinux on
> > irc.freenode.org.
> > 
> > Happy policy writing!
> > 
> > Dominick
> > 
> > On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> > > Hi,
> > > 
> > > Could somebody give me a working example of a policy module with
> > > transition, please. I am trying to create a policy for a vendor
> > > product I have to use (Asset Insight).
> > > The basic idea is to create domains ai_exec_t, ai_t, and proper
> > > transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t.
> > > Then I want ai_t to be unconfined (for the moment), so probably make
> > > ai_t an alias of unconfined_t, since there is no "permissive domain"
> > > in Redhat5 yet, but I want to be able to see what needs to be added
> > > to the .te file to make it work. There is not much documentation
> > > about writing policy in Redhat/Fedora, unfortunately, or maybe I am
> > > missing some.
> > > Thank you.
> > > 
> > > Sincerely yours,
> > >   Vadym Chepkov
> > > 
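The module from the thread written out as complete files, with Dominick's EL5 correction (init_script_type() in place of init_script_file()) applied, as an added example that is not the list's own code. It assumes the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile, and the ai-module.sh file name is hypothetical.

```shell
# Added example, not code from the thread: the ai module written out as
# complete files, with the EL5 correction (init_script_type in place of
# init_script_file) applied. Assumes the refpolicy devel Makefile is at
# /usr/share/selinux/devel/Makefile, as on EL5 and Fedora.
set -eu

# File contexts: paths are regexes (dots escaped); "--" matches only
# regular files.
write_fc() {
    cat > "$1/ai.fc" <<'EOF'
/etc/rc\.d/init\.d/ai  --  gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/sbin/ai           --  gen_context(system_u:object_r:ai_exec_t,s0)
EOF
}

# Type enforcement: init_script_type() lets init run the script in
# initrc_t; init_daemon_domain() makes initrc_t transition to ai_t when
# it executes a file labelled ai_exec_t.
write_te() {
    cat > "$1/ai.te" <<'EOF'
policy_module(ai, 0.0.1)

type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t)

type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)
EOF
}

# Build ai.pp, load it, and relabel the two files so the new types apply.
build_and_install() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile )
    semodule -i "$1/ai.pp"
    restorecon -v /etc/rc.d/init.d/ai /usr/sbin/ai
}

# Today's AVC denials as policy language. Read the -R output before
# appending it to ai.te: the interfaces it picks can be broader than needed.
collect_denials() {
    ausearch -m avc -ts today | audit2allow -R
}

# Run as "sh ai-module.sh build" on the target host (needs root).
if [ "${1:-}" = "build" ]; then
    mkdir -p "$HOME/ai" && write_fc "$HOME/ai" && write_te "$HOME/ai"
    build_and_install "$HOME/ai"
fi
```

After the permissive-mode test run described above, `collect_denials` gives the rules to review and append to ai.te before rebuilding.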