
SELinux by Bill McCarty


Examining a Sample Policy

Seeing the syntax of individual policy declarations is not the same as seeing how they work together to establish a useful policy. In this section, we’ll look at the policy that governs the ping_t domain, and the related domain ping_exec_t, as implemented in Fedora Core 2. Like most policies, this policy resides in two files:

file_contexts/program/ping.fc

Specifies security contexts for files related to the domains.

domains/program/ping.te

Specifies the RBAC declarations related to the domains.

The ping.fc file has these contents:

# ping
/bin/ping.*          --  system_u:object_r:ping_exec_t
/usr/sbin/hping2     --  system_u:object_r:ping_exec_t
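To make the file_contexts format concrete, here is a small parser and matcher for lines like the two above. It is an added example, not code from the book or from the SELinux project: it reads REGEX, an optional type qualifier such as "--" (regular files only) and a security context, anchors each regex at both ends the way file_contexts regexes are interpreted, and reports which context a set of constructed paths would receive. The "last matching spec wins" rule is the file_contexts convention; libselinux's real matcher (used by setfiles and restorecon) also sorts and validates specs, which this toy leaves out. Function names, the SAMPLE_ENTRIES listing and the <<none>> handling are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two specification lines of ping.fc quoted above.
PING_FC = """\
# ping
/bin/ping.*     -- system_u:object_r:ping_exec_t
/usr/sbin/hping2   --   system_u:object_r:ping_exec_t
"""

# Optional file-type qualifiers of the file_contexts format.  "--" restricts a
# spec to regular files; a spec with no qualifier applies to any object type.
TYPE_QUALIFIERS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
    "-b": "blk", "-s": "sock", "-p": "fifo",
}


@dataclass
class FcSpec:
    regex: str
    pattern: "re.Pattern[str]"
    ftype: Optional[str]   # None means "any object type"
    context: str


def parse_file_contexts(text: str) -> List[FcSpec]:
    """Parse file_contexts lines of the form REGEX [TYPE] CONTEXT.
    Comments and blank lines are skipped; malformed lines raise ValueError."""
    specs: List[FcSpec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, qualifier, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, qualifier, context = fields
            if qualifier not in TYPE_QUALIFIERS:
                raise ValueError(f"line {lineno}: unknown type qualifier {qualifier!r}")
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        # A context is user:role:type, optionally followed by an MLS range;
        # <<none>> tells the relabeler to leave the object alone.
        if context != "<<none>>" and not 3 <= len(context.split(":")) <= 4:
            raise ValueError(f"line {lineno}: malformed security context {context!r}")
        # file_contexts regexes are implicitly anchored at both ends, so
        # /bin/ping.* matches /bin/ping6 but not /usr/bin/ping.
        pattern = re.compile("^" + regex + "$")
        ftype = TYPE_QUALIFIERS[qualifier] if qualifier else None
        specs.append(FcSpec(regex, pattern, ftype, context))
    return specs


def label_for(specs: List[FcSpec], path: str, ftype: str = "file") -> Optional[str]:
    """Return the context the specs assign to path (an object of type ftype),
    or None when no spec matches.  When several specs match, the last one in
    the file wins (simplified from libselinux, which also sorts specs)."""
    context = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.pattern.match(path):
            context = spec.context
    return context


def relabel_report(specs: List[FcSpec], entries: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Simulate a relabel pass over constructed (path, type) entries, as
    setfiles would, and report which context each entry would receive."""
    return {path: label_for(specs, path, ftype) for path, ftype in entries}


PING_SPECS = parse_file_contexts(PING_FC)

# Constructed directory listing; the "dir" entry shows the effect of "--".
SAMPLE_ENTRIES = [
    ("/bin/ping", "file"),
    ("/bin/ping6", "file"),
    ("/usr/sbin/hping2", "file"),
    ("/usr/bin/ping", "file"),
    ("/bin/ping.d", "dir"),
]

if __name__ == "__main__":
    for path, ctx in relabel_report(PING_SPECS, SAMPLE_ENTRIES).items():
        print(f"{path:20} -> {ctx or '(no spec matches; left unchanged)'}")
```

Running the block shows /bin/ping, /bin/ping6 and /usr/sbin/hping2 receiving system_u:object_r:ping_exec_t, while /usr/bin/ping is untouched (the regex is anchored at /bin/) and the directory /bin/ping.d is skipped because "--" limits the spec to regular files. That last case is the one worth remembering when auditing a policy: a spec that looks like it covers a path may not apply to the object type actually there.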

When the filesystems are labeled, these specifications cause ordinary files matching the first regular expression /bin/ping.* to be labeled with the security context system_u:object_r:ping_exec_t. Ordinary files matching the second regular expression /usr/sbin/hping2 are also labeled with that security context. The ping.te file is considerably longer than the ping.fc file, so we’ll analyze it a few lines at a time. The first several lines are merely comments:

#DESC Ping - Send ICMP messages to network hosts
#
# Author:  David A. Wheeler <dwheeler@ida.org>
# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
#

#################################
#
# Rules for the ping_t domain.
#
# ping_t is the domain for the ping program.
# ping_exec_t is the type of the corresponding program.
#

The comments point out that the domain ...
