<URL: https://fedoraproject.org/wiki/Security_context?rd=SELinux/SecurityContext> :
The 3rd component of the security context is the Type component, for example /usr/sbin/httpd is labeled with a type of "httpd_exec_t".
In my opinion this is the most important field in the SELinux security context. This is the heart of SELinux Type Enforcement. Most of the policy rules in SELinux revolve around what subject types have what access to which object types. By convention this component always ends in a "_t".
I am a developer creating a new type of service. Let's call it "abcd." Am I expected to have my RPM package create a new type "abcd_exec_t"? What document describes the proper steps to introduce the type to the system?
Marko
----- Original Message -----
From: "Marko Rauhamaa" marko@pacujo.net
To: selinux@lists.fedoraproject.org
Sent: Friday, June 5, 2015 6:56:11 AM
Subject: Adding new type
<URL: https://fedoraproject.org/wiki/Security_context?rd=SELinux/SecurityContext> :
The 3rd component of the security context is the Type component, for example /usr/sbin/httpd is labeled with a type of "httpd_exec_t".
In my opinion this is the most important field in the SELinux security context. This is the heart of SELinux Type Enforcement. Most of the policy rules in SELinux revolve around what subject types have what access to which object types. By convention this component always ends in a "_t".
I am a developer creating a new type of service. Let's call it "abcd." Am I expected to have my RPM package create a new type "abcd_exec_t"?
This would have to be defined in the type enforcing (.te) file for "abcd"
What document describes the proper steps to introduce the type to the system?
A sample format is listed here /usr/share/selinux/devel/example.{fc,if,te}
Marko
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Simon Sekidde ssekidde@redhat.com:
I am a developer creating a new type of service. Let's call it "abcd." Am I expected to have my RPM package create a new type "abcd_exec_t"?
This would have to be defined in the type enforcing (.te) file for "abcd"
I take it the answer to my question is, Yes. Thank you.
Now, I suppose the process is to create abcd.te in my source code. I then compile the .te file as follows:
checkmodule -M -m -o abcd.mod abcd.te
semodule_package -o abcd.pp -m abcd.mod
I include abcd.pp in my RPM package and have its postinstall section execute:
semodule -i abcd.pp
Right?
I will also need to specify an abcd.fc. What do I do with the file? Is it magically imported by checkmodule?
Marko
On 5.6.2015 at 15:20, Marko Rauhamaa wrote:
Simon Sekidde ssekidde@redhat.com:
I am a developer creating a new type of service. Let's call it "abcd." Am I expected to have my RPM package create a new type "abcd_exec_t"?
This would have to be defined in the type enforcing (.te) file for "abcd"
I take it the answer to my question is, Yes. Thank you.
Now, I suppose the process is to create abcd.te in my source code. I then compile the .te file as follows:
checkmodule -M -m -o abcd.mod abcd.te
semodule_package -o abcd.pp -m abcd.mod
You can use Makefile from selinux-policy-devel package:
$ make -f /usr/share/selinux/devel/Makefile abcd.pp
I'd suggest using 'sepolicy generate' to generate an initial template which you can adjust for your needs. It will generate SELinux files, a spec file and a script which helps with deploying:
$ sepolicy generate --application /usr/bin/abcde -n abcde
***************************************
Warning /usr/bin/abcde does not exist
***************************************

Created the following files:
/home/plautrba/policy/abcde.te # Type Enforcement file
/home/plautrba/policy/abcde.if # Interface file
/home/plautrba/policy/abcde.fc # File Contexts file
/home/plautrba/policy/abcde_selinux.spec # Spec file
/home/plautrba/policy/abcde.sh # Setup Script
I include abcd.pp in my RPM package and have its postinstall section execute:
semodule -i abcd.pp
Right?
That's right. Note that a module file should be located in /usr/share/selinux/packages
This is spec file code generated by 'sepolicy generate'
%post
semodule -n -i %{_datadir}/selinux/packages/abcde.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    %relabel_files
fi;
exit 0
Petr
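The steps spread over the last two messages (abcd.te plus abcd.fc, the checkmodule/semodule_package pipeline or the selinux-policy-devel Makefile, the .pp under /usr/share/selinux/packages, and the %post scriptlet) pulled together into one script. This is an added example written for this thread, not code from any of the posters or from sepolicy generate. It assumes a hypothetical daemon installed at /usr/sbin/abcd; the .te content, the file-context line and the restorecon call in place of the %relabel_files macro are my choices. The .fc file is never read by checkmodule: it is packed into the .pp by semodule_package -f, or picked up automatically by the devel Makefile.

```shell
#!/bin/sh
# Added example: scaffold, build and package an SELinux policy module for a
# hypothetical daemon "abcd" (/usr/sbin/abcd). Nothing here is installed into
# the running system; the build step is skipped when no SELinux tools exist.
set -eu

# Write $mod.te and $mod.fc into directory $dir for a daemon binary at $bin.
# Type names follow the convention from the wiki excerpt: they end in "_t".
write_policy_sources() {
    dir=$1; mod=$2; bin=$3
    cat > "$dir/$mod.te" <<EOF
policy_module($mod, 1.0.0)

# Domain the daemon runs in, and the entrypoint type of its executable.
type ${mod}_t;
type ${mod}_exec_t;

# Reference-policy interface: init transitions into ${mod}_t when it
# executes a file labelled ${mod}_exec_t (hypothetical minimal policy).
init_daemon_domain(${mod}_t, ${mod}_exec_t)
EOF
    # Path-to-label mapping; "--" restricts the match to regular files.
    cat > "$dir/$mod.fc" <<EOF
$bin    --    gen_context(system_u:object_r:${mod}_exec_t,s0)
EOF
    echo "$dir/$mod.te $dir/$mod.fc"
}

# Build $mod.pp. Prefer the selinux-policy-devel Makefile (it includes the
# .fc by itself); fall back to checkmodule + semodule_package, where the .fc
# has to be passed with -f. Returns 2 when no build tools are installed.
build_module() {
    dir=$1; mod=$2
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$mod.pp")
    elif command -v checkmodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$dir/$mod.mod" "$dir/$mod.te"
        semodule_package -o "$dir/$mod.pp" -m "$dir/$mod.mod" -f "$dir/$mod.fc"
    else
        echo "no SELinux policy build tools found; skipping build" >&2
        return 2
    fi
}

# Emit an RPM %post scriptlet for a .pp shipped in /usr/share/selinux/packages.
# "semodule -n" installs the module without reloading; load_policy reloads it
# only when SELinux is enabled, and restorecon applies the new file label.
rpm_post_scriptlet() {
    mod=$1; bin=$2
    cat <<EOF
%post
semodule -n -i %{_datadir}/selinux/packages/$mod.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    /sbin/restorecon -R $bin
fi;
exit 0
EOF
}

# Demo run in a scratch directory (constructed input).
work=$(mktemp -d)
write_policy_sources "$work" abcd /usr/sbin/abcd
build_module "$work" abcd || echo "build step exited with status $?"
rpm_post_scriptlet abcd /usr/sbin/abcd
```

On a Fedora or RHEL build host with selinux-policy-devel installed the script produces abcd.pp; elsewhere it still writes the sources and prints the scriptlet so the packaging layout can be reviewed.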
Petr Lautrbach plautrba@redhat.com:
I'd suggest using 'sepolicy generate' to generate an initial template which you can adjust for your needs.
Much appreciated.
Now that you gave me that lead, I managed to find <URL: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_generate.html>.
Marko
On 06/05/2015 05:43 PM, Marko Rauhamaa wrote:
Petr Lautrbach plautrba@redhat.com:
I'd suggest using 'sepolicy generate' to generate an initial template which you can adjust for your needs.
Much appreciated.
Now that you gave me that lead, I managed to find <URL: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/Security-Enhanced_Linux-The-sepolicy-Suite-sepolicy_generate.html>.
Yes. You can also read
https://mgrepl.wordpress.com/2015/05/20/how-to-create-a-new-initial-policy-u...
Marko
Miroslav Grepl mgrepl@redhat.com:
Yes. You can also read
https://mgrepl.wordpress.com/2015/05/20/how-to-create-a-new-initial-policy-u...
Thank you. The helpful advice here seems to be highly Red Hat-centric. Would analogous steps be available on Debian?
Marko