
Help for us …. “template.te”

October 28, 2012

From time to time I get questions about how to write, compile and load your own local policy module. We wrote a lot of blog posts about using the ausearch and audit2allow tools to generate a policy from AVC messages. We also mentioned the sepolgen tool, which generates a new policy for services, applications and roles.

Note: there is a new tool for this called “sepolicy”.

But sometimes either you or I need to create a local test policy without these tools. Basically we start with

# vim mypol.te

and add the needed declarations to the mypol.te policy file. For example:

# cat mypol.te
policy_module(mypol,1.0)
require{
type ping_t;
type openshift_initrc_t;
}
dontaudit ping_t openshift_initrc_t:fifo_file write;

Then we just compile/load this policy module.

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

Based on this example, we came up with a new Vim template for *.te policy files, so that we do not have to remember all these statements or write them over and over. You can download this template from

http://mgrepl.fedorapeople.org/template.te

and execute

# cp template.te /usr/share/vim/vimfiles/

After that, just add the line marked with + to your /etc/vimrc file.

autocmd BufNewFile *.spec 0r /usr/share/vim/vimfiles/template.spec
+ autocmd BufNewFile *.te 0r /usr/share/vim/vimfiles/template.te
augroup END

Now you can try to create a new local policy.

# vim mypolicy.te

What do you think? Would you like to add some additional examples or comments?
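
An added example (not part of the original post or of template.te): a small Python pre-check for a hand-written .te file such as mypol.te above. It reports types that are used in allow/dontaudit rules but missing from the require block, and lists the dontaudit rules that will silence denials. The helper name lint_te and the httpd_t rule in the sample are constructed for illustration; only plain type names and { } sets are parsed, and interface calls are not checked.

```python
import re

# Constructed sample: mypol.te from the post plus one extra rule whose
# source type (httpd_t) was never added to the require block.
SAMPLE_TE = """\
policy_module(mypol,1.0)
require{
type ping_t;
type openshift_initrc_t;
}
dontaudit ping_t openshift_initrc_t:fifo_file write;
allow httpd_t { openshift_initrc_t self }:fifo_file read;
"""

# 'type a_t;' / 'attribute b;' statements, inside or outside require { }.
DECL_RE = re.compile(r"\b(?:type|attribute)\s+([^;{}]+);")
# Rule keyword, source field, target field (plain name or { set }).
RULE_RE = re.compile(
    r"\b(allow|dontaudit|auditallow)\s+"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:")


def _names(field):
    """Split 'a_t' or '{ a_t b_t }' into a list of identifiers."""
    return field.strip("{} \t\n").split()


def lint_te(text):
    """Return (undeclared, dontaudit) for a .te module (hypothetical helper).

    undeclared: type names used in rules but never declared or required.
    dontaudit:  (source, target) fields of rules that silence denials.
    """
    text = re.sub(r"#.*", "", text)  # drop comments
    declared = set()
    for decl in DECL_RE.findall(text):
        declared.update(re.split(r"[,\s]+", decl.strip()))
    undeclared, dontaudit = [], []
    for kind, src, tgt in RULE_RE.findall(text):
        for name in _names(src) + _names(tgt):
            if name != "self" and name not in declared | set(undeclared):
                undeclared.append(name)
        if kind == "dontaudit":
            dontaudit.append((src, tgt))
    return undeclared, dontaudit


if __name__ == "__main__":
    print(lint_te(SAMPLE_TE))
```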
