SELinux with omarine policy: An in-depth look at the security policy – secure program with its own domain: Part 8

Adding constraints to the rules - practice: In this article we will practice modifying the constraint in the base module for the myapp_se program. First, put the type myapp_se_tmp_t into the mcs_constrained_type group by adding the following statements to the myapp_se.te file: require { attribute mcs_constrained_type; } typeattribute myapp_se_tmp_t mcs_constrained_type; Then rebuild and reinstall the module myapp_se. Next …

SELinux with omarine policy: An in-depth look at the security policy – secure program with its own domain: Part 7

Adding constraints to the rules: We already know that root can read the temp files of the myapp program (or myapp_se). That's because there are rules that allow the root user to read the files. If you want, you can add a constraint condition to disable the rules, so that root cannot read the files. When you …

SELinux with omarine policy: An in-depth look at the security policy – secure program with its own domain: Part 6

Transitioning domain directly by designing an SELinux-aware program: In the myapp module we applied automatic domain transition for a normal program, myapp. That is done by the type_transition statement inside the domtrans_pattern macro of the interface myapp_domtrans. Detail: type_transition staff_t myapp_exec_t: process myapp_t; To look deeper we perform manual domain transition in a …