Help for us …. “template.te”
From time to time I get questions about how to write, compile and load your own local policy module. We have written a lot of blog posts about using the ausearch and audit2allow tools to generate a policy from AVC messages. We have also mentioned the sepolgen tool, which generates a new policy for services, applications and roles.
Note: there is a new tool for this called “sepolicy”.
But sometimes you or I need to create a local test policy without these tools. Basically, we start with
# vim mypol.te
and add the needed declarations to the mypol.te policy file. Every type (and every class or permission) the rules reference must be listed in the require block, or the module will not compile. For example:
# cat mypol.te
policy_module(mypol,1.0)
require{
type ping_t;
type openshift_initrc_t;
}
dontaudit ping_t openshift_initrc_t:fifo_file write;
Then we just compile and load this policy module:
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
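The same write, compile and load steps, as an added example that is not part of the original post: a small POSIX shell script that generates the .te file from a module name, a version and a list of rules, fills the require block automatically, and then runs the devel Makefile and semodule exactly as above. The helper names (gen_te, rule_types, build_and_load, module_loaded) are my own; the rule for collecting types (every token ending in _t) is a heuristic, so attributes such as domain or a type with another suffix would still have to be added by hand; and the semodule -l output is assumed to start with the module name.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a minimal
# local SELinux policy module and builds/loads it with the same commands
# the post uses. Names and the "_t suffix" heuristic are assumptions.

# rule_types RULE...: print, sorted and de-duplicated, every token in the
# rules that looks like a type (ends in _t). Heuristic: attributes and
# types with other suffixes are not found and must be added manually.
rule_types() {
    printf '%s\n' "$@" | tr ' :;{}' '\n\n\n\n\n' | grep '_t$' | sort -u
}

# gen_te NAME VERSION RULE...: print a complete .te file on stdout:
# the policy_module() header, a require block listing every type the
# rules reference (missing one is the usual compile error), then the rules.
gen_te() {
    name=$1; version=$2
    shift 2
    printf 'policy_module(%s, %s)\n\n' "$name" "$version"
    printf 'require {\n'
    for t in $(rule_types "$@"); do
        printf '    type %s;\n' "$t"
    done
    printf '}\n\n'
    for rule in "$@"; do
        printf '%s\n' "$rule"
    done
}

# build_and_load DIR NAME: compile DIR/NAME.te into NAME.pp with the
# reference-policy devel Makefile and load it with semodule -i.
# Returns 2 and does nothing when selinux-policy-devel or semodule is
# missing, so the generator is still usable on a box without them.
build_and_load() {
    dir=$1; name=$2
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    command -v semodule >/dev/null 2>&1 || return 2
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" ) || return 1
    semodule -i "$dir/$name.pp"
}

# module_loaded NAME: true if semodule -l lists the module. Older semodule
# prints "name<TAB>version", newer prints just "name"; both are matched.
module_loaded() {
    semodule -l 2>/dev/null | grep -q "^$1\([[:space:]]\|$\)"
}

# Demo: the post's mypol module, written to a temporary directory.
demo() {
    workdir=$(mktemp -d) || return 1
    gen_te mypol 1.0 \
        'dontaudit ping_t openshift_initrc_t:fifo_file write;' \
        > "$workdir/mypol.te"
    cat "$workdir/mypol.te"
    if build_and_load "$workdir" mypol; then
        module_loaded mypol && echo "mypol is loaded"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "build skipped (no selinux-policy-devel/semodule); .te left in $workdir"
        else
            echo "build or load failed (rc=$rc)"
        fi
    fi
    return 0
}

demo
```

Because the require block is derived from the rules, adding a second rule (say an allow for another type) only means appending it to the gen_te call; the type list stays consistent with what the rules actually use.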
Based on this example, we came up with a new Vim template for *.te policy files, so that we no longer have to remember all these statements or type them over and over. You can download this template from
http://mgrepl.fedorapeople.org/template.te
and execute
# cp template.te /usr/share/vim/vimfiles/
After that, add the line marked with + to the autocmd group in your /etc/vimrc file, next to the existing autocmd lines:
autocmd BufNewFile *.spec 0r /usr/share/vim/vimfiles/template.spec
+ autocmd BufNewFile *.te 0r /usr/share/vim/vimfiles/template.te
augroup END
Now you can try to create a new local policy.
# vim mypolicy.te
What do you think? Would you like to add some additional examples or comments?