Creating a New Domain

In general, it’s unwise to create overly large domains, especially domains that include unrelated programs. The traceroute_t domain considered in the preceding sections is perhaps such an overweight domain, since it relates to both the traceroute and Nmap programs. These programs perform a few somewhat similar operations, but they’re not closely related. Because they’re part of a single domain, a vulnerability in either program could enable an intruder to gain control of the entire domain. Let’s presume that we prefer to avoid that fate and see what’s required to create a domain specific to the Nmap program.

To do so, we’ll follow a procedure that also works in most similar cases:

  1. Determine what files are related to the domain.

  2. Determine the security contexts of these files.

  3. Decide what security contexts are appropriate for the new domain.

  4. Create a basic TE file.

  5. Create a basic FC file that specifies proper labels for files related to the domain.

  6. If necessary, delete conflicting specifications from other FC files.

  7. Load the revised policy and label the domains.

  8. Repeat the following steps as needed:

    1. Test the program.

    2. Tweak the TE or FC files as needed.

Determine What Files Are Related to the Domain

As the procedure directs, let’s start by finding out what files are related to Nmap:

# rpm -ql nmap /usr/bin/nmap /usr/share/doc/nmap-3.50 /usr/share/doc/nmap-3.50/COPYING /usr/share/doc/nmap-3.50/README /usr/share/doc/nmap-3.50/copying.html /usr/share/doc/nmap-3.50/nmap-fingerprinting-article.txt ...

Get SELinux now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.