add more example
This commit is contained in:
Chris PeBenito
parent
3d76bef60a
commit
347f406f29
@ -35,7 +35,80 @@ Let's expand this example further by allowing some access for these types. My ap
|
||||
<div id="codeblock">
|
||||
<pre>
|
||||
allow myapp_t myapp_log_t:file ra_file_perms;
|
||||
allow myapp_t myapp_tmp_t : file rw_file_perms;
|
||||
allow myapp_t myapp_tmp_t:file create_file_perms;
|
||||
</pre>
|
||||
</div>
|
||||
This allows myapp_t to write to it's private types, but it needs to be able to
|
||||
create its temporary files in /tmp. This requires a call to the files module.
|
||||
<div id="codeblock">
|
||||
<pre>
|
||||
files_create_tmp_files(myapp_t,myapp_tmp_t,file)
|
||||
</pre>
|
||||
</div>
|
||||
This call to the files module allows myapp_t to create myapp_tmp_t files in
|
||||
the /tmp directory.
|
||||
</p>
|
||||
<h3>Module IF Policy</h3>
|
||||
<p>
|
||||
First, let's create myapp.if and add the following:
|
||||
<div id="codeblock">
|
||||
<pre>
|
||||
## <module name="myapp" layer="apps">
|
||||
## <summary>Myapp example policy</summary>
|
||||
## <description>More descriptive text about myapp</description>
|
||||
|
||||
## <interface name="myapp_domtrans">
|
||||
## <summary>
|
||||
## Execute a domain transition to run myapp.
|
||||
## </summary>
|
||||
## <parameter name="domain">
|
||||
## Domain allowed to transition.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
define(`myapp_domtrans',`
|
||||
gen_requires(`
|
||||
type myapp_t, myapp_exec_t;
|
||||
class fd use;
|
||||
class process sigchld;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,myapp_exec_t,myapp_t)
|
||||
|
||||
allow $1 myapp_t:fd use;
|
||||
allow myapp_t $1:fd use;
|
||||
allow $1 myapp_t:fifo_file rw_file_perms;
|
||||
allow $1 myapp_t:process sigchld;
|
||||
')
|
||||
|
||||
## <interface name="myapp_read_log">
|
||||
## <summary>
|
||||
## Read myapp log files.
|
||||
## </summary>
|
||||
## <parameter name="domain">
|
||||
## Domain allowed to read the log files.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
define(`myapp_read_log',`
|
||||
gen_requires(`
|
||||
type myapp_log_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 myapp_log_t:file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
</pre>
|
||||
</div>
|
||||
The first interface allows other domains to do a domain
|
||||
transition to myapp_t, by executing a program labeled myapp_exec_t.
|
||||
</p>
|
||||
<p>
|
||||
The second interface allows other domains to read myapp's log files. Myapp's
|
||||
log files are in the /var/log directory, so the access to search the /var/log
|
||||
directory is also given by the interface. The gen_requires() macro is used to
|
||||
support loadable policy modules, and must explicitly list the type, attributes,
|
||||
object classes, and permissions used by this interface.
|
||||
</p>
|
||||
Loading…
Reference in New Issue
Block a user