2005-06-15 18:31:28 +00:00
|
|
|
<h1>Getting Started</h1>
|
|
|
|
<p>
|
2006-04-13 17:32:42 +00:00
|
|
|
This guide will walk you through the basics of creating a new reference policy
|
|
|
|
module. This will also serve as an introduction to the basics concepts and
|
|
|
|
philosophy of refpolicy.
|
2005-06-15 18:31:28 +00:00
|
|
|
</p>
|
|
|
|
<h2>Creating A Module</h2>
|
|
|
|
<p>
|
2006-04-13 17:32:42 +00:00
|
|
|
Modules are the principal organizing component in refpolicy. A module contains
|
|
|
|
the policy for an application or related group of applications, private and shared
|
|
|
|
resources, labeling information, and interfaces that allow other modules access
|
|
|
|
to the modules resources. The majority of the global policy has been eliminated
|
|
|
|
in refpolicy. Certain policy components, like users and object classes, are
|
|
|
|
still global in refpolicy, but almost all TE policy is now contained within a
|
|
|
|
module.
|
2005-06-15 18:31:28 +00:00
|
|
|
</p>
|
|
|
|
<p>
|
2006-04-13 17:32:42 +00:00
|
|
|
Let's create a new module called myapp. This is done by creating three files:
|
|
|
|
myapp.te, mayapp.fc, and myapp.if. The file myapp.te file will contain all of
|
|
|
|
the policy private to this module, including any types or attributes. The file
|
|
|
|
myapp.fc file will contain the file context labeling statement for this module.
|
|
|
|
Finally, the file myapp.if will contain the interfaces for this module (interfaces
|
|
|
|
will be explained below).
|
2005-06-15 18:31:28 +00:00
|
|
|
</p>
|
|
|
|
<h3>Module TE Policy</h3>
|
|
|
|
<p>
|
2005-06-15 21:19:06 +00:00
|
|
|
First create myapp.te and add the following:
|
2005-06-15 18:31:28 +00:00
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
2006-04-13 17:32:42 +00:00
|
|
|
policy_module(myapp,1.0)
|
|
|
|
|
2005-06-15 18:31:28 +00:00
|
|
|
# Private type declarations
|
|
|
|
type myapp_t;
|
|
|
|
type myapp_exec_t;
|
|
|
|
type myapp_log_t;
|
|
|
|
type myapp_tmp_t;
|
|
|
|
|
|
|
|
domain_type(myapp_t)
|
|
|
|
domain_entry_file(myapp_t, myapp_exec_t)
|
|
|
|
logging_log_file(myapp_log_t)
|
|
|
|
files_tmp_file(myapp_tmp_t)
|
|
|
|
</pre>
|
|
|
|
</div>
|
|
|
|
</p>
|
|
|
|
<p>
|
2006-04-13 17:32:42 +00:00
|
|
|
This creates all of the types needed for this module, including a type for the
|
|
|
|
process, executables, log files, and temporary files. The first thing to notice
|
|
|
|
is that there are no attributes applied to any of these types. In refpolicy all
|
|
|
|
types and attributes can only be referred to in the module that declares them.
|
|
|
|
This means that it is not possible, for example, to directly refer to the domain
|
|
|
|
attribute. Instead, macros in other modules are used to declare that a type will
|
|
|
|
be used for a certain purpose. These macros will likely use attributes (but not
|
|
|
|
necessarily), but it allows the module that declared the attribute to strictly
|
|
|
|
control how it can be used. In this example interfaces are used to transform the
|
|
|
|
types into a domain, entry file, log file, and temporary file.
|
2005-06-15 18:31:28 +00:00
|
|
|
</p>
|
|
|
|
<p>
|
2006-04-13 17:32:42 +00:00
|
|
|
Let's expand this example further by allowing some access for these types. My
|
|
|
|
application needs access between it's own types and access to read random numbers.
|
|
|
|
The access between private types is written exactly the same way current policy
|
|
|
|
rules are written, i.e.:
|
2005-06-15 18:31:28 +00:00
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
2005-06-15 19:10:24 +00:00
|
|
|
allow myapp_t myapp_log_t:file ra_file_perms;
|
|
|
|
allow myapp_t myapp_tmp_t:file create_file_perms;
|
2005-06-15 18:31:28 +00:00
|
|
|
</pre>
|
|
|
|
</div>
|
2005-06-15 21:19:06 +00:00
|
|
|
<p>This allows myapp_t to write to it's private types, but it needs to be able to
|
|
|
|
create its temporary files in /tmp. This requires a call to the files module.</p>
|
2005-06-15 19:10:24 +00:00
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
2006-04-13 17:32:42 +00:00
|
|
|
files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
|
2005-06-15 19:10:24 +00:00
|
|
|
</pre>
|
|
|
|
</div>
|
2005-06-15 21:19:06 +00:00
|
|
|
<p>
|
2005-06-15 19:10:24 +00:00
|
|
|
This call to the files module allows myapp_t to create myapp_tmp_t files in
|
|
|
|
the /tmp directory.
|
|
|
|
</p>
|
2006-04-13 17:32:42 +00:00
|
|
|
<h3>Module FC Policy</h3>
|
|
|
|
<p>
|
|
|
|
The file contexts file lists files and the labels they should have. Create
|
|
|
|
myapp.fc and add the following:
|
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
|
|
|
/usr/bin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
|
|
|
|
</pre>
|
|
|
|
</div>
|
|
|
|
<p>
|
|
|
|
The gen_context() macro has three parameters, the base SELinux label,
|
|
|
|
the MLS sensitivity, and the MCS category set (optional). When compiling a
|
|
|
|
module, the macro will add the appropriate MLS/MCS part to the label when needed.
|
|
|
|
</p>
|
2005-06-15 19:10:24 +00:00
|
|
|
<h3>Module IF Policy</h3>
|
|
|
|
<p>
|
2005-07-01 16:39:21 +00:00
|
|
|
The interface file creates the macros that other modules will use to gain access
|
|
|
|
to my resources. This allows the module that created the type or attribute to
|
|
|
|
define appropriate uses. Additionally, it provides a single point for
|
|
|
|
documentation. Create myapp.if and add the following:
|
2005-06-15 19:10:24 +00:00
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
|
|
|
## <summary>Myapp example policy</summary>
|
2005-07-01 16:39:21 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## More descriptive text about myapp. The <desc>
|
|
|
|
## tag can also use <p>, <ul>, and <ol>
|
|
|
|
## html tags for formatting.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This policy supports the following myapp features:
|
|
|
|
## <ul>
|
|
|
|
## <li>Feature A</li>
|
|
|
|
## <li>Feature B</li>
|
|
|
|
## <li>Feature C</li>
|
|
|
|
## </ul>
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
2005-06-15 19:10:24 +00:00
|
|
|
|
2006-04-13 17:32:42 +00:00
|
|
|
########################################
|
2005-06-15 19:10:24 +00:00
|
|
|
## <summary>
|
|
|
|
## Execute a domain transition to run myapp.
|
|
|
|
## </summary>
|
2005-07-01 16:39:21 +00:00
|
|
|
## <param name="domain">
|
2005-06-15 19:10:24 +00:00
|
|
|
## Domain allowed to transition.
|
2005-07-01 16:39:21 +00:00
|
|
|
## </param>
|
|
|
|
interface(`myapp_domtrans',`
|
2005-06-15 19:10:24 +00:00
|
|
|
gen_requires(`
|
|
|
|
type myapp_t, myapp_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_auto_trans($1,myapp_exec_t,myapp_t)
|
|
|
|
|
|
|
|
allow $1 myapp_t:fd use;
|
|
|
|
allow $1 myapp_t:fifo_file rw_file_perms;
|
|
|
|
allow $1 myapp_t:process sigchld;
|
|
|
|
')
|
|
|
|
|
2006-04-13 17:32:42 +00:00
|
|
|
########################################
|
2005-06-15 19:10:24 +00:00
|
|
|
## <summary>
|
|
|
|
## Read myapp log files.
|
|
|
|
## </summary>
|
2005-07-01 16:39:21 +00:00
|
|
|
## <param name="domain">
|
2005-06-15 19:10:24 +00:00
|
|
|
## Domain allowed to read the log files.
|
2005-07-01 16:39:21 +00:00
|
|
|
## </param>
|
|
|
|
interface(`myapp_read_log',`
|
2005-06-15 19:10:24 +00:00
|
|
|
gen_requires(`
|
|
|
|
type myapp_log_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
logging_search_logs($1)
|
|
|
|
allow $1 myapp_log_t:file r_file_perms;
|
|
|
|
')
|
|
|
|
</pre>
|
|
|
|
</div>
|
2005-06-15 21:19:06 +00:00
|
|
|
<p>
|
2005-06-15 19:10:24 +00:00
|
|
|
The first interface allows other domains to do a domain
|
|
|
|
transition to myapp_t, by executing a program labeled myapp_exec_t.
|
|
|
|
</p>
|
|
|
|
<p>
|
|
|
|
The second interface allows other domains to read myapp's log files. Myapp's
|
|
|
|
log files are in the /var/log directory, so the access to search the /var/log
|
|
|
|
directory is also given by the interface. The gen_requires() macro is used to
|
2005-09-22 21:56:50 +00:00
|
|
|
support loadable policy modules, and must explicitly list the type and attributes
|
|
|
|
used by this interface. If object classes of a userland object manager are used,
|
|
|
|
the class and the permissions used by the interface must also be listed.
|
2005-06-15 19:10:24 +00:00
|
|
|
</p>
|
2006-04-13 17:32:42 +00:00
|
|
|
<p>
|
|
|
|
<h2>Compiling Modules</h2>
|
|
|
|
Two methods of building modules are supported,
|
|
|
|
<a href="#headers">headers</a> and complete source.
|
|
|
|
Current systems, such as Fedora Core 5, which support loadable policy modules
|
|
|
|
should compile modules using headers. Using the complete source for building
|
|
|
|
modules is only needed if loadable modules are not supported on the system or
|
|
|
|
if when doing other modifications to the base policy. Genereally this is only
|
|
|
|
suggested for experts.
|
|
|
|
</p>
|
|
|
|
<a name="headers">
|
|
|
|
<h2>Building Using Policy Headers</h2>
|
|
|
|
<p>
|
|
|
|
When building a loadable policy module, the three module source files need not
|
|
|
|
be in a specific directory. A development directory in the user's home directory
|
|
|
|
would be sufficient. In this example, lets place it in the policy directory
|
|
|
|
in the home directory. The example Makefile should be copied to this directory.
|
|
|
|
It is usually located in the /usr/share/doc/PKGNAME directory, where PKGNAME
|
|
|
|
is the name of the policy package that has the policy headers.
|
|
|
|
</p>
|
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
|
|
|
$ <b>cp /usr/share/doc/refpolicy-20060307/Makefile.example ~/policy/Makefile</b>
|
|
|
|
</pre>
|
|
|
|
</div>
|
|
|
|
<p>
|
|
|
|
Alternatively, this can be copied from the Reference Policy source, from the doc
|
|
|
|
directory. The Makefile is not required, but will simplify the process.
|
|
|
|
</p>
|
|
|
|
<p>
|
|
|
|
Now the policy directory should have the three module source files and Makefile.
|
|
|
|
all that needs to be done is to run make, and the policy will be compiled.
|
|
|
|
<p>
|
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
|
|
|
$ <b>make</b>
|
|
|
|
Compiling targeted myapp module
|
|
|
|
/usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
|
|
|
|
/usr/bin/checkmodule: policy configuration loaded
|
|
|
|
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/myapp.mod
|
|
|
|
Creating targeted myapp.pp policy package
|
|
|
|
</pre>
|
|
|
|
</div>
|
|
|
|
<p>
|
|
|
|
If you do not have the example Makefile, you must tell make where to find the
|
|
|
|
policy header's Makefile, by using the -f option. The Makefile for the base
|
|
|
|
policy provided by the Linux distribution should be found in the
|
|
|
|
/usr/share/selinux/NAME/include directory, where NAME is the name
|
|
|
|
of the policy, for example, strict or targeted.
|
|
|
|
</p>
|
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
|
|
|
$ <b>make -f /usr/share/selinux/targeted/include/Makefile</b>
|
|
|
|
Compiling targeted myapp module
|
|
|
|
/usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
|
|
|
|
/usr/bin/checkmodule: policy configuration loaded
|
|
|
|
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/myapp.mod
|
|
|
|
Creating targeted myapp.pp policy package
|
|
|
|
</pre>
|
|
|
|
</div>
|
|
|
|
<p>
|
|
|
|
When this succeeds, there will be a myapp.pp policy package that can be inserted
|
|
|
|
into the running policy To load the module, you must be running as root, in a
|
|
|
|
role allowed to run semodule. Then run semodule -i to insert the module into
|
|
|
|
the running policy.
|
|
|
|
</p>
|
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
|
|
|
# <b>semodule -i myapp.pp</b>
|
|
|
|
</pre>
|
|
|
|
</div>
|
|
|
|
<p>
|
|
|
|
The semodule command will only have messages if there is an error inserting the
|
|
|
|
module. If it succeeds, semodule -l should list the myapp module, and the version.
|
|
|
|
</p>
|
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
|
|
|
# <b>semodule -l</b>
|
|
|
|
myapp 1.0
|
|
|
|
</pre>
|
|
|
|
</div>
|