Base SELinux template.

This commit is contained in:
Chance Callahan 2022-10-06 11:35:41 -04:00
parent 163498d48e
commit 1374c7bd45
5 changed files with 188 additions and 0 deletions

1
selinux/wings.fc Normal file
View File

@ -0,0 +1 @@
/usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0)

40
selinux/wings.if Normal file
View File

@ -0,0 +1,40 @@
## <summary>policy for wings</summary>
########################################
## <summary>
## Execute wings_exec_t in the wings domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`wings_domtrans',`
gen_require(`
type wings_t, wings_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, wings_exec_t, wings_t)
')
######################################
## <summary>
## Execute wings in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`wings_exec',`
gen_require(`
type wings_exec_t;
')
corecmd_search_bin($1)
can_exec($1, wings_exec_t)
')

52
selinux/wings.sh Normal file
View File

@ -0,0 +1,52 @@
#!/bin/sh -e
DIRNAME=`dirname $0`
cd $DIRNAME
USAGE="$0 [ --update ]"
if [ `id -u` != 0 ]; then
echo 'You must be root to run this script'
exit 1
fi
if [ $# -eq 1 ]; then
if [ "$1" = "--update" ] ; then
time=`ls -l --time-style="+%x %X" wings.te | awk '{ printf "%s %s", $6, $7 }'`
rules=`ausearch --start $time -m avc --raw -se wings`
if [ x"$rules" != "x" ] ; then
echo "Found avc's to update policy with"
echo -e "$rules" | audit2allow -R
echo "Do you want these changes added to policy [y/n]?"
read ANS
if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
echo "Updating policy"
echo -e "$rules" | audit2allow -R >> wings.te
# Fall though and rebuild policy
else
exit 0
fi
else
echo "No new avcs found"
exit 0
fi
else
echo -e $USAGE
exit 1
fi
elif [ $# -ge 2 ] ; then
echo -e $USAGE
exit 1
fi
echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile wings.pp || exit
/usr/sbin/semodule -i wings.pp
# Generate a man page off the installed module
sepolicy manpage -p . -d wings_t
# Fixing the file context on /usr/local/bin/wings
/sbin/restorecon -F -R -v /usr/local/bin/wings
# Generate a rpm package for the newly generated policy
pwd=$(pwd)
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba wings_selinux.spec

25
selinux/wings.te Normal file
View File

@ -0,0 +1,25 @@
policy_module(wings, 1.0.0)
########################################
#
# Declarations
#
type wings_t;
type wings_exec_t;
init_daemon_domain(wings_t, wings_exec_t)
permissive wings_t;
########################################
#
# wings local policy
#
allow wings_t self:fifo_file rw_fifo_file_perms;
allow wings_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(wings_t)
files_read_etc_files(wings_t)
miscfiles_read_localization(wings_t)

View File

@ -0,0 +1,70 @@
# vim: sw=4:ts=4:et
%define relabel_files() \
restorecon -R /usr/local/bin/wings; \
%define selinux_policyver 34.1.29-1
Name: wings_selinux
Version: 1.0
Release: 1%{?dist}
Summary: SELinux policy module for wings
Group: System Environment/Base
License: GPLv2+
# This is an example. You will need to change it.
URL: http://HOSTNAME
Source0: wings.pp
Source1: wings.if
Source2: wings_selinux.8
Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(postun): policycoreutils
BuildArch: noarch
%description
This package installs and sets up the SELinux policy security module for wings.
%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/wings_selinux.8
install -d %{buildroot}/etc/selinux/targeted/contexts/users/
%post
semodule -n -i %{_datadir}/selinux/packages/wings.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%relabel_files
fi;
exit 0
%postun
if [ $1 -eq 0 ]; then
semodule -n -r wings
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%relabel_files
fi;
fi;
exit 0
%files
%attr(0600,root,root) %{_datadir}/selinux/packages/wings.pp
%{_datadir}/selinux/devel/include/contrib/wings.if
%{_mandir}/man8/wings_selinux.8.*
%changelog
* Thu Oct 6 2022 YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
- Initial version