add more example
parent 3d76bef60a
commit 347f406f29
@ -35,7 +35,80 @@ Let's expand this example further by allowing some access for these types. My ap
|
|||||||
<div id="codeblock">
|
<div id="codeblock">
|
||||||
<pre>
|
<pre>
|
||||||
allow myapp_t myapp_log_t:file ra_file_perms;
|
allow myapp_t myapp_log_t:file ra_file_perms;
|
||||||
allow myapp_t myapp_tmp_t : file rw_file_perms;
|
allow myapp_t myapp_tmp_t:file create_file_perms;
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div>
|
||||||
|
This allows myapp_t to write to it's private types, but it needs to be able to
|
||||||
|
create its temporary files in /tmp. This requires a call to the files module.
|
||||||
|
<div id="codeblock">
|
||||||
|
<pre>
|
||||||
|
files_create_tmp_files(myapp_t,myapp_tmp_t,file)
|
||||||
|
</pre>
|
||||||
|
</div>
|
||||||
|
This call to the files module allows myapp_t to create myapp_tmp_t files in
|
||||||
|
the /tmp directory.
|
||||||
|
</p>
|
||||||
|
<h3>Module IF Policy</h3>
|
||||||
|
<p>
|
||||||
|
First, let's create myapp.if and add the following:
|
||||||
|
<div id="codeblock">
|
||||||
|
<pre>
|
||||||
|
## <module name="myapp" layer="apps">
|
||||||
|
## <summary>Myapp example policy</summary>
|
||||||
|
## <description>More descriptive text about myapp</description>
|
||||||
|
|
||||||
|
## <interface name="myapp_domtrans">
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run myapp.
|
||||||
|
## </summary>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
|
define(`myapp_domtrans',`
|
||||||
|
gen_requires(`
|
||||||
|
type myapp_t, myapp_exec_t;
|
||||||
|
class fd use;
|
||||||
|
class process sigchld;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
domain_auto_trans($1,myapp_exec_t,myapp_t)
|
||||||
|
|
||||||
|
allow $1 myapp_t:fd use;
|
||||||
|
allow myapp_t $1:fd use;
|
||||||
|
allow $1 myapp_t:fifo_file rw_file_perms;
|
||||||
|
allow $1 myapp_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
## <interface name="myapp_read_log">
|
||||||
|
## <summary>
|
||||||
|
## Read myapp log files.
|
||||||
|
## </summary>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Domain allowed to read the log files.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
|
define(`myapp_read_log',`
|
||||||
|
gen_requires(`
|
||||||
|
type myapp_log_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
logging_search_logs($1)
|
||||||
|
allow $1 myapp_log_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
## </module>
|
||||||
|
</pre>
|
||||||
|
</div>
|
||||||
|
The first interface allows other domains to do a domain
|
||||||
|
transition to myapp_t, by executing a program labeled myapp_exec_t.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
The second interface allows other domains to read myapp's log files. Myapp's
|
||||||
|
log files are in the /var/log directory, so the access to search the /var/log
|
||||||
|
directory is also given by the interface. The gen_requires() macro is used to
|
||||||
|
support loadable policy modules, and must explicitly list the type, attributes,
|
||||||
|
object classes, and permissions used by this interface.
|
||||||
</p>
|
</p>
|
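Review bot: The last two allow rules in myapp_domtrans have source and target reversed. SIGCHLD is sent by the exiting child, which is myapp_t after the transition, to the calling domain, and the inherited pipe belongs to the caller, so these should read `allow myapp_t $1:process sigchld;` and `allow myapp_t $1:fifo_file rw_file_perms;`. As written, `allow $1 myapp_t:fifo_file rw_file_perms;` and `allow $1 myapp_t:process sigchld;` grant the caller access it does not need for the transition and leave myapp_t without the access it does need, so anyone copying the example will see denials for the new domain. Separately, in the added paragraph after the first code block, "write to it's private types" should be "its".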