SELinux with omarine policy: An in-depth look at the security policy - secure program with its own domain: Part 4



Building and installing module myapp
We are ready to build module myapp and insert it into the policy. You run this command to build the module:

make -f /usr/share/selinux/omarine/include/Makefile myapp.pp

The result is the policy package myapp.pp. Now insert it into the policy with the semodule command, as the root user:

semodule -i myapp.pp

Designing module myapp_perm to grant permissions to use the domain myapp_t
The myapp_perm module simply consists of a myapp_perm.te file, as follows:

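policy_module(myapp_perm,1.0)

# Types and roles defined elsewhere in the policy that this module refers to
require {
    type staff_t;
    role staff_r;
}

# Let staff_t transition to myapp_t under the staff_r role when it executes myapp
myapp_run(staff_t,staff_r)
# Let staff_t read the log files of myapp
myapp_read_log(staff_t)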

Explanations:
The module calls the interface myapp_run of module myapp to allow domain staff_t to transition to domain myapp_t with the staff_r role when the myapp binary is executed. The call to myapp_read_log allows domain staff_t to read the log files of the myapp program.
Our goal is to allow the default user in Omarine, i.e. staff_u, to run the myapp program from its user domain, staff_t. The process then transitions to the domain myapp_t.
The myapp_perm module is built and installed in the same way as myapp.
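
Once both modules are installed, it is worth confirming that they are loaded and that the transition from staff_t to myapp_t is present in the policy. The script below is an added example, not part of the original post. It assumes that myapp_run produces a process type_transition rule (as a reference-policy domain transition does) and that sesearch from setools is installed; the sample outputs, including the type name myapp_exec_t, are constructed.

```shell
#!/bin/sh
# Added example: post-install checks for the myapp and myapp_perm modules.

# Print each module named in "$@" that is absent from `semodule -l` output
# read on stdin. Accepts both "name" and "name<TAB>version" listings.
# Returns 1 if any requested module is missing.
missing_modules() {
    awk -v want="$*" '
        { seen[$1] = 1 }
        END {
            n = split(want, w, " "); rc = 0
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print w[i]; rc = 1 }
            exit rc
        }'
}

# Succeed if `sesearch -T` output on stdin contains a process type_transition
# from source domain $1 to target domain $2, whatever the entrypoint type is.
has_transition() {
    awk -v src="$1" -v dst="$2" '
        $1 == "type_transition" && $2 == src && $3 ~ /:process$/ &&
            $4 == (dst ";") { found = 1 }
        END { exit !found }'
}

# Constructed sample outputs (not captured from a real Omarine system).
SAMPLE_MODULES='myapp
myapp_perm
staff'
SAMPLE_RULES='type_transition staff_t myapp_exec_t:process myapp_t;'

# Live check, to be run as root on a system with the modules installed.
verify_live() {
    semodule -l | missing_modules myapp myapp_perm || return 1
    sesearch -T -s staff_t -c process | has_transition staff_t myapp_t
}
```

Call verify_live as root after running semodule -i for both packages; a non-zero status means a module is missing or the transition rule was not found.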

