kwfalo.blogg.se

Nxfilter selinux policy

To be able to build the policy files only standard SELinux utilities are required.

The objective of this section is to show how policy files are constructed, compiled and loaded using the SELinux command line tools and editors such as vi or gedit to produce a usable policy for instructional use only. A modular (with loadable modules) policy is built without the use of any support macros or make files from the Reference Policy source.

Important Note: While these are simple policies, they are built to support X-Windows, therefore an x_contexts file must be installed. This file is required by the X-Windows SELinux object manager.

It is recommended that the Notebook Source file is installed in your $HOME as this contains all the configuration files and source code required to produce the required modules. It also contains a README and a simple Makefile for each section.

The main objectives of the sections that follow are to:

  • Show how to construct and build a simple base policy.
  • Show how to construct and build a series of loadable modules for use with the base module.
  • This builds into a very simple message filter using a network client / server application and file moving (filter) application (TODO).
  • Demonstrate simple X-Windows select and paste applications using customised x_contexts files to show the difference between standard (as used by the Reference Policy) and polyinstantiation selections using the XSELinux object manager / XACE services.
  • Build a test application that allows the XSELinux SELinuxGet.

A SELinux policy module is built by the following steps:

  • generate a set of policy rules: audit2allow

Assuming that I have a postgreylocal.te file with the content below:

    module postgreylocal 1.0;

    #= postfix_smtpd_t =
    allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
    allow postfix_smtpd_t postfix_spool_t:sock_file write;

The postgreylocal.pp policy module will be created with:

    # checkmodule -M -m -o postgreylocal.mod postgreylocal.te
    # semodule_package -m postgreylocal.mod -o postgreylocal.pp

To unpack this policy module, you need a tool called semodule_unpackage to extract the .mod file, and then use dismod to disassemble the binary module to a textual representation. On my Gentoo, the following packages need to be installed:

    sys-apps/policycoreutils
    Available versions: 2.0.82 (~)2.0.82-r1 (~)2.0.85 (~)2.1.
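The postgreylocal.te fragment above carries only the module statement and two allow rules, but checkmodule also needs every type, class and permission those rules name to be declared in a require block. The Python sketch below is an added example, not code from the original page: it derives that block from the allow rules, in the layout audit2allow uses when it generates a module. The function names are hypothetical and only plain allow rules are handled.

```python
import re
from collections import defaultdict

# Fragment from the page, with its statement-terminating semicolons.
FRAGMENT = """\
module postgreylocal 1.0;

allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
"""

# One token: a single identifier or a braced set such as { read write }.
T = r"(\{[^}]*\}|[^\s:;{}]+)"
# allow <source> <target>:<class> <permissions>;
ALLOW_RE = re.compile(rf"^\s*allow\s+{T}\s+{T}\s*:\s*{T}\s+{T}\s*;", re.M)

def _names(token):
    """Split 'a' or '{ a b }' into a list of identifiers."""
    return token.strip("{} \t").split()

def required_symbols(te_source):
    """Return (types, {class: permissions}) referenced by the allow rules."""
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_source):
        # 'self' is a keyword standing for the source type, not a type name.
        types.update(n for n in _names(src) + _names(tgt) if n != "self")
        for c in _names(cls):
            classes[c].update(_names(perms))
    return types, classes

def with_require_block(te_source):
    """Insert a require block right after the module statement."""
    types, classes = required_symbols(te_source)
    lines = ["require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    for cls in sorted(classes):
        perms = sorted(classes[cls])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"\tclass {cls} {body};")
    lines.append("}")
    head, sep, rest = te_source.partition(";\n")  # end of the module line
    return head + sep + "\n" + "\n".join(lines) + "\n" + rest

if __name__ == "__main__":
    # Prints a complete postgreylocal.te suitable as input to checkmodule.
    print(with_require_block(FRAGMENT), end="")
```

Reviewing the generated require block before compiling shows exactly which types and permissions the module will touch, which is the point at which an overly broad allow rule is easiest to catch.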








