Examining a Sample Policy

Seeing the syntax of individual policy declarations is not the same as seeing how they work together to establish a useful policy. In this section, we’ll look at the policy that governs the ping_t domain, and the related domain ping_exec_t, as implemented in Fedora Core 2. Like most policies, this policy resides in two files:

file_contexts/program/ping.fc

Specifies security contexts for files related to the domains.

domains/program/ping.te

Specifies the RBAC declarations related to the domains.

The ping.fc file has these contents:

# ping
/bin/ping.*          --   system_u:object_r:ping_exec_t
/usr/sbin/hping2     --   system_u:object_r:ping_exec_t

When the filesystems are labeled, these specifications cause ordinary files matching the first regular expression /bin/ping.* to be labeled with the security context system_u:object_r:ping_exec_t. Ordinary files matching the second regular expression /usr/sbin/hping2 are also labeled with that security context. The ping.te file is considerably longer than the ping.fc file, so we’ll analyze it a few lines at a time. The first several lines are merely comments:
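To make the labeling rules concrete, here is a small Python matcher, added as an illustration and not taken from the book or from the SELinux tools: it parses file-context entries of the form shown above (a regular expression, an optional file-type code such as `--` for ordinary files, and a security context) and reports which context a given path would receive. It goes slightly beyond the page by accepting the other single-letter type codes documented in file_contexts(5) and the `<<none>>` context; the sample entries are the two lines from ping.fc, and the "last matching entry wins" precedence rule and the regex anchoring follow the file_contexts(5) description rather than anything stated on this page.

```python
import re
from typing import List, NamedTuple, Optional

# File-type codes from file_contexts(5). "--" restricts an entry to ordinary
# (regular) files, which is why a directory named /usr/sbin/hping2 would not
# be labeled ping_exec_t by the entries shown above.
FILE_TYPE_CODES = {
    "--": "file",
    "-d": "dir",
    "-l": "symlink",
    "-c": "char",
    "-b": "block",
    "-s": "socket",
    "-p": "fifo",
}


class FileContextSpec(NamedTuple):
    regex: "re.Pattern[str]"
    file_type: Optional[str]   # None means the entry applies to any file type
    context: Optional[str]     # None means "<<none>>": leave the file unlabeled


def parse_file_contexts(text: str) -> List[FileContextSpec]:
    """Parse file_contexts-style lines into FileContextSpec entries."""
    specs: List[FileContextSpec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments
        fields = line.split()
        if len(fields) == 3:
            pattern, code, context = fields
            file_type = FILE_TYPE_CODES[code]   # KeyError on an unknown code
        elif len(fields) == 2:
            pattern, context = fields
            file_type = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(FileContextSpec(
            re.compile(pattern),
            file_type,
            None if context == "<<none>>" else context,
        ))
    return specs


def match_context(specs: List[FileContextSpec], path: str,
                  file_type: str = "file") -> Optional[str]:
    """Return the context path would be labeled with, or None if nothing matches.

    The regular expression must match the whole path (file_contexts entries are
    anchored), the entry's file-type code must agree with the object's type, and
    when several entries match, the last one listed wins, as file_contexts(5)
    describes. Real setfiles/restorecon apply further rules not modeled here.
    """
    chosen: Optional[FileContextSpec] = None
    for spec in specs:
        if spec.file_type not in (None, file_type):
            continue
        if spec.regex.fullmatch(path):
            chosen = spec
    return chosen.context if chosen is not None else None


# The two entries from ping.fc as shown on this page.
PING_FC = """\
# ping
/bin/ping.*          --   system_u:object_r:ping_exec_t
/usr/sbin/hping2     --   system_u:object_r:ping_exec_t
"""

PING_SPECS = parse_file_contexts(PING_FC)


if __name__ == "__main__":
    # Constructed sample paths, not from the page.
    for path, ftype in [("/bin/ping", "file"), ("/bin/ping6", "file"),
                        ("/usr/bin/ping", "file"), ("/usr/sbin/hping2", "file"),
                        ("/usr/sbin/hping2", "dir"), ("/bin/ping", "symlink")]:
        print(f"{path:20s} {ftype:8s} -> {match_context(PING_SPECS, path, ftype)}")
```

Running the block shows that `/bin/ping` and `/bin/ping6` both receive `system_u:object_r:ping_exec_t` because `/bin/ping.*` is a regular expression, that `/usr/bin/ping` receives nothing because the expression is anchored to the whole path, and that a directory or symbolic link at a matching path is skipped because `--` limits the entry to ordinary files.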

#DESC Ping - Send ICMP messages to network hosts
#
# Author:  David A. Wheeler <dwheeler@ida.org>
# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
#

#################################
#
# Rules for the ping_t domain.
#
# ping_t is the domain for the ping program.
# ping_exec_t is the type of the corresponding program.
#

The comments point out that the domain ...
