Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?
by Sven Vermeulen, post on Fri 16 August 2013
As you are probably aware, Gentoo uses the reference policy as its base for SELinux policies. Yes, we do customize it, and not everything is already pushed upstream (for instance, our approach of using xdg_*_home_t customizable types to further restrict user application access has been sent up for comments …
A SELinux policy for incron: finishing up
by Sven Vermeulen, post on Fri 31 May 2013
After 9 posts, it's time to wrap things up. You can review the final results online (incron.te, incron.if and incron.fc) and adapt them to your own needs if you want. But we should also review what we have accomplished so far...
We built the start of an entire …
A SELinux policy for incron: using booleans
by Sven Vermeulen, post on Thu 30 May 2013
After using a default set of directories to watch, and allowing admins to mark other types as such as well, let's consider another approach for making the policy more flexible: booleans. The idea now is that a boolean called incron_notify_non_security_files enables incrond to be notified on changes on all possible …
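As an added illustration of the boolean approach this post describes (this is not the author's incron.te; the type declarations and the rules inside the tunable block are assumptions about what "non-security file" access would look like, written in reference-policy syntax):

```selinux
## <desc>
## <p>
## Allow incrond to be notified of changes to all non-security files,
## not only the default set of watched directories.
## </p>
## </desc>
gen_tunable(incron_notify_non_security_files, false)

# Assumed domain and entrypoint types for the daemon.
type incrond_t;
type incrond_exec_t;
init_daemon_domain(incrond_t, incrond_exec_t)

# The always-on rules for the default watched set would sit here.

tunable_policy(`incron_notify_non_security_files',`
	# Assumed rule: inotify watches need read/getattr on the watched
	# objects, so with the boolean enabled incrond may read every
	# file that is not marked as a security type.
	files_read_non_security_files(incrond_t)
')
```

The rules inside the tunable_policy block are only granted while the boolean is on; an administrator flips it persistently with setsebool -P incron_notify_non_security_files on and can confirm the current value with getsebool incron_notify_non_security_files.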
A SELinux policy for incron: default set
by Sven Vermeulen, post on Tue 28 May 2013
I finished the last post with a bit of a cliffhanger, as incrond is still not working properly and we got a few denials that needed to be resolved; here they are again for your convenience:
type=AVC msg=audit(1368734110.912:28353): avc: denied { getattr } for pid=9716 comm="incrond …
A SELinux policy for incron: new types and transitions
by Sven Vermeulen, post on Sun 26 May 2013
So I've shown the iterative approach used to develop policies. Again, please be aware that this is my way of developing policies; other policy developers might have a different approach. We were working on the incrontab command, so let's continue by trying to create a new user incrontab:
$ incrontab -e …
A SELinux policy for incron: basic set for incrontab
by Sven Vermeulen, post on Sat 25 May 2013
Now that our regular user is allowed to execute incrontab, let's fire it up and look at the denials to build up the policy.
$ incrontab --help
That doesn't show much, does it? Well, if you look into the audit.log (or avc.log) file, you'll notice a lot of denials …
A SELinux policy for incron: our first interface
by Sven Vermeulen, post on Fri 24 May 2013
The next step after having a basic skeleton is to get incrontab running. We know, however, that everything invoked from the main daemon will be running with the rights of the daemon context (unless we would patch the source code, but that is beyond the scope of this set of …
A SELinux policy for incron: the basic skeleton
by Sven Vermeulen, post on Thu 23 May 2013
So, in the previous post I talked about incron and why I think moving it into the existing cron policy would not be a good idea. It works, somewhat, but is probably not that future-proof. So we're going to create our own policy for it.
In SELinux, policies are generally …
A SELinux policy for incron: what does it do?
by Sven Vermeulen, post on Wed 22 May 2013
In this series of posts, we'll go through the creation of a SELinux policy for incron, a simple inotify-based cron-like application. I will talk about the various steps that I would take in the creation of this policy, and give feedback when certain decisions are taken and why. At …
Why oh why does a process run in unlabeled_t?
by Sven Vermeulen, post on Tue 21 May 2013
If you notice that a process is running in the unlabeled_t domain, the first question to ask is how it got there.
Well, one way is to have a process running in a known domain, like screen_t, after which the SELinux policy module that provides this domain is removed from …