danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
Module questions from Fedora SElinux List
danwalsh
Johnson, Richard wrote:

Q:  Can any SELinux directive be put into a policy module, or are there restrictions?

For example: suppose I wanted to:

  allow snmpd_t apmd_t:process ptrace;

  allow snmpd_t auditd_t:process ptrace;

  allow snmpd_t automount_t:process ptrace;

 [ ...and so on ]

so that snmpd could access mib .1.3.6.1.2.1.6. (advisability notwithstanding) Could these directives be put into a policy module even though the base policy already has an snmpd i/f?


Allow rules can be added in modules.
Tpes, roles, attributes, booleans can be defined.

genfscon is not allowed, although I am pushing for this.
You can define port types but not the port,  You need to add this using semanage.
You can not define users, you need to use semanage.
 
You can add the rules you defined above but when defining your module watch out for name conflicts,  Don't name your module the same as an existing module or you will replace it.  This is why I always prefix my modules with 'my' (myMODNAME)

BTW the interface

domain_read_all_domains_state(snmpd_t)

Is probably what you want.

If you use a type, role, attribute within a module that is not defined in the module you need to add it to a gen_require block.

For your example above you would have needed

gen_require(`
          type snmpd_t,  apmd_t, auditd_t, automount_t;
')
 

Q.  Can a module define new booleans?  If so are they persistent if the module is unloaded and reloaded?

For example; an snmpd policy module with an snmpd_can_ptrace boolean. Are there namespace conventions?

Yes and the booleans will be removed if you unload the policy.

We prefer all booleans to be named with the name of the module.  Although there are a lot of booleans that do not follow that standard.  I would love to have aliasing for booleans so we could rename them.

Q. What happens if the base policy (or another policy modules) is updated with overlapping statements.
Am I correct in believing that the set of allows is the union of the base allows + all module allows?

Yes.  If we have allow rules in two different modules that are the same, the compiler will just remove the duplicates and add the rules.


You are viewing danwalsh