Comments on: A step-by-step guide to building a new SELinux policy module

By: The Linux Guide - A must be ! - WHM/cPanel Support Platform

The Linux Guide - A must be ! - WHM/cPanel Support Platform — Tue, 11 Nov 2008 00:14:55 +0000

[...] [...]

By: Tux Training » Blog Archive » A step-by-step guide to building a new SELinux policy module

Mon, 12 May 2008 21:47:04 +0000

[...] Source [...]

By: bhrugu

bhrugu — Mon, 28 Apr 2008 16:52:17 +0000

i would like to work with new reference policy enhancement

By: Karanbir Singh

Karanbir Singh — Mon, 14 Jan 2008 04:32:31 +0000

Just want to point out that ( atleast on RHEL5 and clones ), the package you need to install in order to get system-config-selinux is policycoreutils-gui

By: Dan Walsh

Dan Walsh — Wed, 02 Jan 2008 17:39:35 +0000

setsebool -P httpd_can_network_connect_db=1

If you were running setroubleshoot, it would have told you this.

By: lgm

lgm — Tue, 01 Jan 2008 22:24:20 +0000

I am struggling to get away from Windows and all the nice click options. I have just spent days building up a working Fedora 8 server with MySQL php and Apache, all working, all the chmods sorted and so on. Now I want to set up Zen Shopping cart which I have running fine on a Windows box. (I want to get into Apache POI java for an Excel application and windows is not the place to do this).

BLAM, I am bu…red. SeLinux has decided to to stop ZenCart talking to MySQL. I can understand why but now I have to spend most of another day making a policy file.

Will you guys who write this stuff please learn that normal people will never get seriously into Linux while you leave all these little exercises in masochism in the software. Bill Gates must be laughing all the way to the bank yet again.

Fortunately I do not need SELinux at home so out it goes for now.

By: Torbjørn

Torbjørn — Tue, 02 Oct 2007 10:05:55 +0000

Hello, thank you for the answer. That was ofcourse the reason.

I have been reading alot of your journals and howto’s on the web and fine them extremely usefull, thank you very much.

I’ll address the mailing list for more questions, seems like a better fora for more basic issues like this.

By: Dan Walsh

Dan Walsh — Tue, 18 Sep 2007 11:21:35 +0000

You need to add a domain transition rule to the policy.
Since you want to transition from the unconfined_t domain to the myapp_t.

An interface should have been created in the if file called
myapp_domtrans.

So you could add to your te file,

gen_require (`
type unconfined_t;
‘)
myapp_domtrans(unconfined_t)

Of you could simply add these lines to your code.

domain_auto_trans(unconfined_t,myapp_exec_t,myapp_t)

allow unconfined_t myapp_t:fd use;
allow myapp_t unconfined_t:fifo_file rw_file_perms;
allow myapp_t unconfined_t:process sigchld;

By: Torbjorn Lindahl

Torbjorn Lindahl — Wed, 12 Sep 2007 14:21:19 +0000

I’m a bit puzzled..

I am writing a new application that I want to tie down as strict as reasonable using SELinux.

the gui worked nicely and set up the files needed to compile the selinx module. (i just had to add “type myapp_t;” since that did not already exist)

However… it also granted the app
corecmd_executable_file(myapp_exec_t)

And trial and error concluded that this one single rule allowed the app to do whatever it pleased… All other selinux settings, network ports etc.. as generated by the GUI had no real effect as long as that one single rule was in the source.

If i remove that one particular rule and run audi2dallow, it suggests:
allow unconfined_t myapp_exec_t:file { ioctl relabelfrom execute read getattr execute_no_trans };

.. which by my limited understanding seems way to broad, ie basically the let the app do anything. Wtih that one rule in the source the app was again allowed to do anything.

where do I go from here..

By: Gerwin

Gerwin — Wed, 22 Aug 2007 16:53:39 +0000

Oke thanks Dan, as I’m fairly new to SElinux I didn’t know it was that easy

Cheers