write selinux policy

write selinux policy

[hechao55429]

[-- Attachment #1: Type: text/plain, Size: 943 bytes --]

hello everyone:
   I'm now studying selinux policy on fedora 10  .  I wrote a policy module like this:
        myapp.if
## <summary>this si to constraint gedit</summary>
        myapp.te
policy_module(myapp,1.0.0) 
type myapp_t;
# Access to shared libraries
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
miscfiles_read_localization(myapp_t)
type myapp_exec_t;
type myapp_rw_t;
files_type(myapp_exec_t)
files_type(myapp_rw_t)
init_domain(myapp_t,myapp_exec_t)  
allow myapp_t myapp_rw_t :file ~{write};
  myapp.fc
/usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)  
/root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)
Then i compiled it and it created myapp.pp with no error.
And then i used the command that semodule -i myapp.pp and it succeeded.
 Then i relabeled the files by using the restorecon command and reboot .
But after it reboot ,the  /usr/bin/gedit  still  ran on the unconfined_t domain. 
why?

[-- Attachment #2: Type: text/html, Size: 1500 bytes --]

Re: write selinux policy

[Joshua Brindle]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=x-gbk; format=flowed, Size: 1361 bytes --]

hechao55429 wrote:
> hello everyone:
>    I'm now studying selinux policy on fedora 10  .  I wrote a policy 
> module like this:
>         myapp.if
> ## <summary>this si to constraint gedit</summary>
>         myapp.te
> policy_module(myapp,1.0.0)
> type myapp_t;
> # Access to shared libraries
> libs_use_ld_so(myapp_t)
> libs_use_shared_libs(myapp_t)
> miscfiles_read_localization(myapp_t)
> type myapp_exec_t;
> type myapp_rw_t;
> files_type(myapp_exec_t)
> files_type(myapp_rw_t)
> init_domain(myapp_t,myapp_exec_t)  
> allow myapp_t myapp_rw_t :file ~{write};
>   myapp.fc
> /usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)  
> /root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)
> Then i compiled it and it created myapp.pp with no error.
> And then i used the command that semodule -i myapp.pp and it succeeded
>  Then i relabeled the files by using the restorecon command and reboot .
> But after it reboot ,the  /usr/bin/gedit  still  ran on the unconfined_t 
> domain.
> why?

you didn't specify a type transition from unconfined, you can do this in your 
module using the unconfined_run_to() interface.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: write selinux policy

[Dominick Grift]

On Sat, 2009-05-16 at 22:54 +0800, hechao55429 wrote:
> hello everyone:
>    I'm now studying selinux policy on fedora 10  .  I wrote a policy
> module like this:
>         myapp.if
> ## <summary>this si to constraint gedit</summary>
>         myapp.te
> policy_module(myapp,1.0.0) 
> type myapp_t;
> # Access to shared libraries
> libs_use_ld_so(myapp_t)
> libs_use_shared_libs(myapp_t)
> miscfiles_read_localization(myapp_t)
> type myapp_exec_t;
> type myapp_rw_t;
> files_type(myapp_exec_t)
> files_type(myapp_rw_t)
> init_domain(myapp_t,myapp_exec_t)  
> allow myapp_t myapp_rw_t :file ~{write};
>   myapp.fc
> /usr/bin/gedit -- gen_context(system_u:object_r:myapp_exec_t,s0)  
> /root/share/a/as -- gen_context(system_u:object_r:myapp_rw_t,s0)
> Then i compiled it and it created myapp.pp with no error.
> And then i used the command that semodule -i myapp.pp and it succeeded
>  Then i relabeled the files by using the restorecon command and
> reboot .
> But after it reboot ,the  /usr/bin/gedit  still  ran on the
> unconfined_t domain. 
> why?
One reason is because you do not have a proper transition rule.

Below you see an example that confines Gedit for an unconfined user.
This example only gets you started and it in this example Gedit is an
permissive domain. The example only has a few declaration and minimum
policy to achieve the goal of confining it for unconfined users.

~/mygedit/mygedit.te file:

policy_module(mygedit, 0.0.1)
type gedit_t;
type gedit_exec_t;
application_executable_file(gedit_exec_t)
application_domain(gedit_t, gedit_exec_t)
role unconfined_r types gedit_t;
permissive gedit_t;
require { type unconfined_t; }
domain_auto_trans(unconfined_t, gedit_exec_t, gedit_t)

~/mygedit/mygedit.fc file:

/usr/bin/gedit -- gen_context(system_u:object_r:gedit_exec_t, s0)

compile & install:

cd ~/mygedit; make -f /usr/share/selinux/devel/Makefile;
sudo semodule -i mygedit.pp;
sudo restorecon -v /usr/bin/gedit

If all was well then, when you (an unconfined user) executes gedit, the
process should transition to gedit_t.
You can verify this with ps -auxZ | grep gedit
Now you can accumulate avc_denials and extend you policy to your liking.
Once you are done with testing and extending, you should comment the
line that says: permissive gedit_t; or remove it from policy. Then
rebuild the module and reinstall.

By the way, we also have a few friendly IRC channels on irc.freenode.org
(#selinux and #fedora-selinux) where you can get some more personal
assistence and where you can have friendly SELinux related chats!

Good luck

> 
> 
> 
> 
> ______________________________________________________________________
> 穿越地震带 纪念汶川地震一周年


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.