Due to several requests for guides to writing SELinux policy i have decided to create another screen cast detailing how to create a policy for a user application, and some of the things that may help one get familiar with policy writing.
As per usual by now, it is just a amateur production for amateurs. These recordings are pretty boring and long. I do advise that you view the whole thing in the proper order. Because things may not be explained well all the time, but most of it should become more clear in the course of the series.
Sometimes i make mistakes that i later notice. By the end of the series everything is pretty much sorted out (except atleast one pretty minor issue that i consider as an exercise to the watcher to troubleshoot and solve).
Also note that i encountered a conflict with restorecond -u (run in a gnome-session) with regard to labelling a file in the user home directory. I worked around that issue, but it will work fine when one logs out and back in, when it occurs.
part 1. Setting up an optimal environment for policy writing and in the mean time i explain my view on policy writing and every aspect of it.
part 2. Do it yourself: create a simple script and write raw policy for it. Introduction to type transition, allow, dontaudit and other type statements. A start at translating raw policy that SELinux understands into policy that is maintainable and readable by humans and that is scalable in a modular environment.
part 3. Proceed with translation of raw policy to m4 macro language powered policy. Merge our loadable policy module into upstream tresys reference policy.
part 4. troubleshoot remaining issues and fix them.
If you have specific question with regard to the series above feel free to ask for clarification.
Be careful relabeling volumes with Container run times. Sometimes things can go very wrong? - I recently revieved an email from someone who made the mistake of volume mounting /root into his container with the :Z option. docker run -ti -v /root:/ro...
2 weken geleden