SELinux
Basics
Policy Module
A policy module will define your application rules and it is easy to install and uninstall.
It contains three files :
-
Type Enforcement (.te)
-
File Context (.fc)
-
Interfaces (.if)
Type Enforcement files
Type enforcement files contains the rules to confine your application
File Context files
File contexts files define which label to give to each file
Interface files
Interface files contain interfaces to says how they interact with the modules
Compile
To compile a SELinux module, we place our different files in a folder.
make -f /usr/share/selinux/devel/Makefile -C /usr/share/sec-lsm-manager/selinux-rules demo-app.pp
Install / Uninstall
To install the newly created SELinux module, use the following command :
semodule -i demo-app.pp
And to remove it :
semodule -r demo-app.pp
Sources
Vermeulen, S. (2015). Selinux Cookbook. Packt Publishing.
https://mgrepl.fedorapeople.org/PolicyCourse/writingSELinuxpolicy_MUNI.pdf
https://debian-handbook.info/browse/fr-FR/stable/sect.selinux.html