public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Sat, 15 Oct 2011 17:43:12 +0000 (UTC)	[thread overview]
Message-ID: <77a5cb36d533f0b6d1d34563bc59b5d523ad1c41.SwifT@gentoo> (raw)

commit:     77a5cb36d533f0b6d1d34563bc59b5d523ad1c41
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 17:42:58 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 17:42:58 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=77a5cb36

Finishing on policy chapter

---
 xml/selinux/hb-using-policies.xml |  159 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 157 insertions(+), 2 deletions(-)

diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
index 44d7b1f..5d5f008 100644
--- a/xml/selinux/hb-using-policies.xml
+++ b/xml/selinux/hb-using-policies.xml
@@ -177,11 +177,166 @@ Needless to say, we do not recommend to grant this to a regular user ;-)
 </section>
 
 <section>
-<title>Building a SELinux Policy Module</title>
+<title>Full SELinux Policy Modules</title>
 <subsection>
-<title>Creating an Isolated Module</title>
+<title>Checking Out an Isolated Module</title>
 <body>
 
+<p>
+With the above in mind, we can now go one step further and investigate a full
+policy module, with both the type enforcement rules (<path>.te</path> file),
+file contexts (<path>.fc</path>) and interfaces (<path>.if</path>).
+</p>
+
+<p>
+You should know that writing a module requires you to get intimate with the
+application. It isn't a matter of just hoping for the best: as a security
+administrator, you will be responsible for defining what accesses are allowed
+and which not. If you forget one, the application might break under the users'
+hands. But if you add too much, you might grant privileges that can be abused
+later on. And it will be a lot more difficult to track and remove privileges
+later as you will be hesitating if the privilege is needed or not.
+</p>
+
+<p>
+In this section, we will not divulge in how to write one. We have an excellent
+<uri link="/proj/en/hardened/selinux-development.xml">Gentoo Hardened SELinux
+Development</uri> resource that guides you in that. However, we will look into
+such a full module to explain the other aspects of policy development.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Type Enforcement File</title>
+<body>
+
+<p>
+The <path>.te</path> file we wrote earlier is a <e>type enforcement file</e>.
+Its purpose is to define the access rules related to the module that you are
+building, but also - and more importantly - define new types (or even roles).
+</p>
+
+<p>
+The example below is a snippet from a module for the skype application.
+</p>
+
+<pre caption="Snippet from skype.te">
+policy_module(skype, 1.0.0)
+
+type skype_t;
+type skype_exec_t;
+application_domain(skype_t, skype_exec_t)
+
+type skype_home_t;
+userdom_user_home_content(skype_home_t)
+
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
+manage_files_pattern(skype_t, skype_home_t, skype_home_t)
+</pre>
+
+<p>
+In the above example, three new types are declared: <c>skype_t</c> (which will
+be used for the application), <c>skype_exec_t</c> (which is the label given to
+the application binary) and <c>skype_home_t</c> (which will be used for the
+users' <path>~/.Skype</path> location). Also, the <c>skype_t</c> domain is given
+some privileges with respect to the <c>skype_home_t</c> label (manage
+directories and files).
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>File Context File</title>
+<body>
+
+<p>
+In the <path>.fc</path> file (which stands for <e>file context file</e>) the
+module's resources (files, directories, sockets, ...) are defined. Once the
+module is loaded, these rules are added so that file system relabeling will put
+the correct context on the files.
+</p>
+
+<p>
+The example below is a snippet from the skype modules' file context file.
+</p>
+
+<pre caption="Snippet from skype.fc">
+HOME_DIR/\.Skype(/.*)?    gen_context(system_u:object_r:skype_home_t,s0)
+/opt/skype/skype       -- gen_context(system_u:object_r:skype_exec_t,s0)
+/usr/bin/skype         -- gen_context(system_u:object_r:skype_exec_t,s0)
+</pre>
+
+<p>
+The format of the file context file has the following syntax:
+</p>
+
+<ol>
+  <li>
+    The regular expression that matches the file(s) and directorie(s) affected
+    by that line
+  </li>
+  <li>
+    An optional identifier to differentiate the type of files (file, directory,
+    socket, symbolic link, ...)
+  </li>
+  <li>
+    A <c>gen_context</c> line that contains the context to assign to the file(s)
+    and directorie(s)
+  </li>
+</ol>
+
+</body>
+</subsection>
+<subsection>
+<title>Interface File</title>
+<body>
+
+<p>
+In the <path>.if</path> file (for <e>interface file</e>) interfaces are declared
+which can be used by other modules. It is through interfaces that a nicely
+defined policy can be built on top of other, existing policy modules.
+</p>
+
+<p>
+One interface could be to allow users to call and execute an application. For
+instance, the following interface can be found in the skype module.
+</p>
+
+<pre caption="Snippet from skype.if">
+interface(`skype_role',`
+        gen_require(`
+                type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
+        ')
+
+        role $1 types skype_t;
+
+        domtrans_pattern($2, skype_exec_t, skype_t)
+
+        allow $2 skype_t:process { ptrace signal_perms };
+
+        manage_dirs_pattern($2, skype_home_t, skype_home_t)
+        manage_files_pattern($2, skype_home_t, skype_home_t)
+        manage_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+        relabel_dirs_pattern($2, skype_home_t, skype_home_t)
+        relabel_files_pattern($2, skype_home_t, skype_home_t)
+        relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+        ps_process_pattern($2, skype_t)
+')
+</pre>
+
+<p>
+Through this <c>skype_role</c>, we can then allow users to call skype, as can be
+found in the <path>unprivuser.te</path> file (which defines the user_t domain):
+</p>
+
+<pre caption="Snippet from unprivuser.te to call skype">
+optional_policy(`
+	skype_role(user_r, user_t)
+')
+</pre>
 
 </body>
 </subsection>
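Review bot: the line `allow $2 skype_t:process { ptrace signal_perms };` in the `skype_role` interface grants the caller's domain ptrace over skype_t, which is precisely the kind of broad privilege the new "Checking Out an Isolated Module" text warns about ("if you add too much, you might grant privileges that can be abused later on"), yet the surrounding prose only describes the interface as letting users "call and execute" the application; a sentence explaining why the role carries ptrace (so the owning user can debug or inspect the process) and that an administrator may choose to drop it would keep the example consistent with the chapter's own advice. Two consistency points in the same hunk: the `gen_require` block requires `skype_tmpfs_t`, a type the skype.te snippet never declares and the interface body never uses, so either add it to the type enforcement snippet or drop it from the require list; and the file context subsection says that once the module is loaded "file system relabeling will put the correct context on the files", which should state explicitly that loading the module only registers the specifications and that existing files keep their old label until a relabel is actually run. Wording in the added prose: "which not" should read "which are not", "divulge in how to write one" should be "delve into how to write one", "the skype modules' file context file" should be "the skype module's file context file", "directorie(s)" appears twice in the ordered list, and "with both the type enforcement rules ..., file contexts ... and interfaces" lists three items, so "both" should go.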
