SELinux with omarine policy: Creating your own rules to add to the security policy

If you want to create your own rules and add them to the security policy, this article shows how through an example. See also SELinux with omarine policy: SELinux User Capabilities.

We create a module named systemctlstatus that allows systemd services to check the status of other systemd services.
Create the file systemctlstatus.te (the te extension stands for type enforcement) with the following content:

module systemctlstatus 1.0;

# Everything the allow rule refers to must be declared here. These types and
# this class already exist in the base policy, so the module only requires them
# instead of defining them.
require {
    type init_t;
    type systemd_unit_t;
    class service status;
}

# source domain, target type, object class and the permission granted
allow init_t systemd_unit_t:service status;

The above rule states that processes in the init_t domain are allowed the status permission of the service class on units labelled systemd_unit_t, that is, they may check the status of those services. If a type or class used in the allow rule is missing from the require block, the build fails. See https://selinuxproject.org for more information.

Building the module
The module is built with this command:

make -f /usr/share/selinux/omarine/include/Makefile systemctlstatus.pp

The result is the policy package systemctlstatus.pp.

Inserting the module into current policy
To insert the module into the current policy, run the following command, as the root user:

semodule -i systemctlstatus.pp

You can verify that the module is loaded with semodule -l, which lists the installed modules by name. You can then run commands such as systemctl is-active <some_unit> from inside a service.
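The whole procedure (write the .te file, build it, insert it and verify) as one script, added here as an example; it is not code from the article or from the omarine project. The function names and the RUN_SELINUX_BUILD switch are my own, and the query at the end uses sesearch from setools, which is assumed to be installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the article or the omarine project): drive the three
# steps of the article from one script and verify the result. The function
# names and the RUN_SELINUX_BUILD switch are assumptions of this example;
# sesearch comes from setools and is optional.
set -e

# Makefile path used by the article to build omarine policy modules.
MAKEFILE=/usr/share/selinux/omarine/include/Makefile

# gen_te NAME VERSION SOURCE_TYPE TARGET_TYPE CLASS PERM...
# Print a module with a single allow rule. Every type and the class used by
# the rule must also appear in the require block (otherwise the build fails
# with "type X is not defined"), so both are generated from the same inputs.
gen_te() {
    name=$1; version=$2; src=$3; tgt=$4; class=$5
    shift 5
    if [ $# -eq 1 ]; then perm_set=$1; else perm_set="{ $* }"; fi
    printf 'module %s %s;\n' "$name" "$version"
    printf 'require {\n'
    printf '    type %s;\n' "$src"
    if [ "$src" != "$tgt" ]; then printf '    type %s;\n' "$tgt"; fi
    printf '    class %s %s;\n' "$class" "$perm_set"
    printf '}\n'
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$class" "$perm_set"
}

# build_module NAME: compile NAME.te into the policy package NAME.pp.
build_module() {
    if [ ! -r "$MAKEFILE" ]; then
        echo "missing $MAKEFILE; install the omarine policy development files" >&2
        return 1
    fi
    make -f "$MAKEFILE" "$1.pp"
}

# install_module NAME: insert NAME.pp into the running policy (root only) and
# confirm that the module is now listed by semodule -l.
install_module() {
    semodule -i "$1.pp"
    semodule -l | grep -Eq "^$1([[:space:]]|$)"
}

# verify_rule SRC TGT CLASS PERM: ask the loaded policy whether the rule is
# present. sesearch is part of setools; skip the query rather than fail
# when it is not installed.
verify_rule() {
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch not installed; skipping policy query" >&2
        return 0
    fi
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" | grep -q "^allow $1 $2:$3"
}

# Touch the system only when asked, so the script can be sourced or read
# without building or loading anything:
#   RUN_SELINUX_BUILD=1 sudo sh build-module.sh
if [ "${RUN_SELINUX_BUILD:-0}" = 1 ]; then
    gen_te systemctlstatus 1.0 init_t systemd_unit_t service status > systemctlstatus.te
    build_module systemctlstatus
    install_module systemctlstatus
    verify_rule init_t systemd_unit_t service status
fi
```

gen_te is more general than the article's module: passing several permissions (for example service status start) emits the { status start } set in both the require block and the allow rule, and a rule whose source and target types are the same declares the type only once.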
