Base SELinux template.
This commit is contained in:
parent
163498d48e
commit
1374c7bd45
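--- a/selinux/wings.fc
+++ b/selinux/wings.fc
@@ -0,0 +1 @@
+/usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0)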
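--- a/selinux/wings.if
+++ b/selinux/wings.if
@@ -0,0 +1,40 @@
+
+## <summary>policy for wings</summary>
+
+########################################
+## <summary>
+## Execute wings_exec_t in the wings domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wings_domtrans',`
+gen_require(`
+type wings_t, wings_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, wings_exec_t, wings_t)
+')
+
+######################################
+## <summary>
+## Execute wings in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wings_exec',`
+gen_require(`
+type wings_exec_t;
+')
+
+corecmd_search_bin($1)
+can_exec($1, wings_exec_t)
+')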
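--- a/selinux/wings.sh
+++ b/selinux/wings.sh
@@ -0,0 +1,52 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+if [ "$1" = "--update" ] ; then
+time=`ls -l --time-style="+%x %X" wings.te | awk '{ printf "%s %s", $6, $7 }'`
+rules=`ausearch --start $time -m avc --raw -se wings`
+if [ x"$rules" != "x" ] ; then
+echo "Found avc's to update policy with"
+echo -e "$rules" | audit2allow -R
+echo "Do you want these changes added to policy [y/n]?"
+read ANS
+if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+echo "Updating policy"
+echo -e "$rules" | audit2allow -R >> wings.te
+# Fall though and rebuild policy
+else
+exit 0
+fi
+else
+echo "No new avcs found"
+exit 0
+fi
+else
+echo -e $USAGE
+exit 1
+fi
+elif [ $# -ge 2 ] ; then
+echo -e $USAGE
+exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile wings.pp || exit
+/usr/sbin/semodule -i wings.pp
+
+# Generate a man page off the installed module
+sepolicy manpage -p . -d wings_t
+# Fixing the file context on /usr/local/bin/wings
+/sbin/restorecon -F -R -v /usr/local/bin/wings
+# Generate a rpm package for the newly generated policy
+
+pwd=$(pwd)
+rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba wings_selinux.spec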
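Review bot: The `--update` branch appends whatever `audit2allow -R` produces straight to wings.te as soon as the user answers `y`, so every denial recorded since the file's mtime — including ones caused by misbehaviour rather than a legitimate need — becomes a permanent allow rule; the prompt shows the rules but the script should say so, e.g. `# Review each generated rule before answering y: audit2allow turns every logged denial into an allow rule`. `echo -e` is not POSIX and under `#!/bin/sh` on dash prints the `-e` literally, which affects the `echo -e "$rules"` and `echo -e $USAGE` calls; `printf '%s\n' "$rules"` avoids that. `DIRNAME=`dirname $0`` and `cd $DIRNAME` are unquoted, so a path containing spaces changes into the wrong directory before wings.te is modified; `cd "$(dirname "$0")"` is the safe form. The hunk is the whole file.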
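--- a/selinux/wings.te
+++ b/selinux/wings.te
@@ -0,0 +1,25 @@
+policy_module(wings, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wings_t;
+type wings_exec_t;
+init_daemon_domain(wings_t, wings_exec_t)
+
+permissive wings_t;
+
+########################################
+#
+# wings local policy
+#
+allow wings_t self:fifo_file rw_fifo_file_perms;
+allow wings_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(wings_t)
+
+files_read_etc_files(wings_t)
+
+miscfiles_read_localization(wings_t)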
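Review bot: `permissive wings_t;` makes the domain log-only, so none of the `allow` rules below it is enforced and the daemon runs effectively unconfined while this module is loaded, yet the line carries no comment saying it is a development setting. Add `# Development only: a permissive domain logs AVC denials but never enforces them; remove before shipping the module` above it. When the line is removed, bumping the version in `policy_module(wings, 1.0.0)` would let an enforcing build be told apart from this template at `semodule -l` time.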
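--- a/selinux/wings_selinux.spec
+++ b/selinux/wings_selinux.spec
@@ -0,0 +1,70 @@
+# vim: sw=4:ts=4:et
+
+
+%define relabel_files() \
+restorecon -R /usr/local/bin/wings; \
+
+%define selinux_policyver 34.1.29-1
+
+Name: wings_selinux
+Version: 1.0
+Release: 1%{?dist}
+Summary: SELinux policy module for wings
+
+Group: System Environment/Base
+License: GPLv2+
+# This is an example. You will need to change it.
+URL: http://HOSTNAME
+Source0: wings.pp
+Source1: wings.if
+Source2: wings_selinux.8
+
+
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+
+%description
+This package installs and sets up the SELinux policy security module for wings.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/wings_selinux.8
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/wings.pp
+if /usr/sbin/selinuxenabled ; then
+/usr/sbin/load_policy
+%relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+semodule -n -r wings
+if /usr/sbin/selinuxenabled ; then
+/usr/sbin/load_policy
+%relabel_files
+
+fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/wings.pp
+%{_datadir}/selinux/devel/include/contrib/wings.if
+%{_mandir}/man8/wings_selinux.8.*
+
+
+%changelog
+* Thu Oct 6 2022 YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
+- Initial version
+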
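Review bot: `install -d %{buildroot}/etc/selinux/targeted/contexts/users/` in `%install` creates a directory that nothing populates and that `%files` does not list, so it is dead template output and should be dropped. `URL: http://HOSTNAME` and the `%changelog` line `* Thu Oct 6 2022 YOUR NAME <YOUR@EMAILADDRESS> 1.0-1` are unreplaced generator placeholders that would ship in the package metadata. `%define selinux_policyver 34.1.29-1` pins `Requires(post)` to one exact base-policy version; it was presumably copied from the build host, so a comment naming the distribution release it was taken from would tell the next maintainer when it needs updating.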