Writing SELinux Policy – A black art.

Dan Walsh writing a blog outside of DanWalsh.livejournal.com???

What is the world coming to?

I was asked by Red Hat to start writing occasional articles for developers, so here it is.

I often find it comical that people think that writing SELinux policy is difficult. They imagine that the people doing it are GURUs. The truth is, it is rather easy. Although, don’t tell my bosses that!

There are some things that are difficult like figuring out whether or not you need a new “type” or whether you should transition from one domain to another, or just run an application with the current process label.

Writing policy with sepolgen in RHEL6, or with sepolicy generate in Fedora, makes it pretty easy nowadays, and audit2allow can help you refine your policies. sepolicy generate will not only generate a policy framework for you to use, but also an rpm spec file to ship your policy in and a man page explaining the policy you just wrote.
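The generate, build and refine loop described above, as an added example that is not from the original post; it assumes a hypothetical daemon installed as /usr/sbin/mydaemon, a Fedora or RHEL box with policycoreutils-devel, selinux-policy-devel and audit installed, and root. The avc_summary helper at the end is plain text processing, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): the sepolicy generate ->
# build -> audit2allow refinement loop for a hypothetical daemon at
# /usr/sbin/mydaemon (assumed path).
set -eu

APP=/usr/sbin/mydaemon            # assumed: binary to confine
MOD=$(basename "$APP")            # sepolicy names the module after the binary
WORK=/tmp/${MOD}-policy           # scratch directory for the generated sources

# Step 1: generate the framework: mydaemon.te/.fc/.if plus the rpm spec
# file, setup script and man page that the post mentions.
generate_skeleton() {
    mkdir -p "$WORK" && cd "$WORK"
    sepolicy generate --init "$APP"
}

# Step 2: compile and load the module, then relabel the binary so it gets
# mydaemon_exec_t and init starts it in the new mydaemon_t domain.
build_and_load() {
    cd "$WORK"
    make -f /usr/share/selinux/devel/Makefile "$MOD.pp"
    semodule -i "$MOD.pp"
    restorecon -v "$APP"
}

# Step 3: the generated .te marks mydaemon_t permissive, so the daemon keeps
# running while every would-be denial is still audited. Exercise it, then let
# audit2allow turn the denials into reference-policy rules to review before
# pasting them into mydaemon.te and running build_and_load again.
refine_from_denials() {
    ausearch -m AVC -ts recent -c "$MOD" | audit2allow -R
}

# Helper: pull the fields audit2allow reasons about (source type, object
# class, denied permissions) out of one AVC record, e.g. to spot a rule that
# is too broad before granting it.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \1/p'
}

# Constructed sample denial of the kind step 3 feeds to audit2allow.
SAMPLE_AVC='type=AVC msg=audit(1378129223.102:99): avc:  denied  { read open } for  pid=4321 comm="mydaemon" name="mydaemon.conf" dev="dm-0" ino=77 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

case "${1:-}" in
    generate) generate_skeleton ;;
    build)    build_and_load ;;
    refine)   refine_from_denials ;;
    *)        avc_summary "$SAMPLE_AVC" ;;   # prints: mydaemon_t file read open
esac
```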

Over the past few months, I have given classes that teach people how to write SELinux policy. I like to find services in Fedora or RHEL which did not have policy written for them. Then I Tom Sawyer the students into whitewashing the fence – I mean, writing the policy.

I got together with some documentation writers, and together we wrote a new paper on Writing SELinux Policy.

Now you also can be considered an SELinux Policy GURU…
