If you want to create your own rules to add to the security policy, this article shows how through an example. See SELinux with omarine policy: SELinux User Capabilities.
We create a module named systemctlstatus to allow systemd services to check the status of other systemd services.
Create the file systemctlstatus.te (the extension te stands for type enforcement) with the following content. Types and classes that are defined elsewhere in the policy must be declared in a require block before the rule can reference them:
module systemctlstatus 1.0;
require {
    type init_t, systemd_unit_t;
    class service status;
}
allow init_t systemd_unit_t:service status;
The above rule states that processes in the init_t domain are allowed to check the status of services labelled with the type systemd_unit_t. See https://selinuxproject.org for more information.
Building the module
The module is built with this command:
make -f /usr/share/selinux/omarine/include/Makefile systemctlstatus.pp
The result is the policy package systemctlstatus.pp.
Inserting the module into current policy
To insert the module into the current policy, run the following command, as the root user:
semodule -i systemctlstatus.pp
You can then run commands such as systemctl is-active <some_unit> from inside a service.
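As an added example (not part of this article or of the omarine policy), the following Python script does by hand what audit2allow automates: it reads AVC denial records of the kind SELinux logs when a service is refused the status permission on a unit, and renders a .te module with a complete require block, reproducing the systemctlstatus module above. The audit records are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the article); the SYSCALL line shows non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { status } for  pid=1234 comm="systemctl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=44 success=no exit=-13 comm="systemctl"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { status } for  pid=1235 comm="systemctl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:range] -> type; the MLS range may itself contain colons."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def perm_list(perms):
    """One permission stands alone; several are braced, as the policy language requires."""
    joined = " ".join(sorted(perms))
    return joined if len(perms) == 1 else "{ " + joined + " }"

def render_te(module_name, rules, version="1.0"):
    """Emit a .te whose require block declares every external type and class it references."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {perm_list(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {perm_list(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines) + "\n"
```

Calling render_te("systemctlstatus", parse_denials(SAMPLE_AUDIT_LOG)) yields the module text shown earlier, ready for the make and semodule steps above.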