
How do I write a policy in SELinux where unconfined_t is denied access to open or read files with the var_t type?

asked 2014-02-04 13:23:43 -0500


Also, if you could, give me examples of blocking access to directories with the var_t type as well.


1 Answer


answered 2014-02-04 16:42:54 -0500

domg

I have been playing with this, and got it to work for the most part. There were some minor issues that I still needed to fix, but it was just a proof-of-concept exercise to show roughly how to do it. (I do not expect many people to actually understand what I did, though, but still.)

Here is the whole recording of my experiment:

unconfined minus var_t file access video at youtube

I also hit this issue: see me



Alright thanks man I really appreciate it.

eliascaplan465 (2014-02-04 19:27:19 -0500)

I read your other answer to my question that I posted a long time ago, and I guess I was looking at SELinux in a backwards way of thinking, instead of what you said about it usually being a deny-by-default system. I also have that book you mentioned and I am currently reading it, but it was a lot more complicated than I intended it to be. I just need to spend more time playing with it, but once again, thanks for helping me.

eliascaplan465 (2014-02-04 19:31:28 -0500)

Yes, the book is too academic to use for starting off, but it is a must-read. The more you learn, the more the book makes sense. The book is great, it's one of the best, but it won't help much with getting you started.

I learned most by trial and error, but also by looking at the source policy: comparing various modules, looking for patterns. SELinux is not that hard though; the policy language is pretty simple. The harder parts, I guess, are understanding the various security models and some fundamental concepts like "automatic transitions" versus "manual changes", grouping identifiers using "attributes", etc.

domg (2014-02-05 02:42:56 -0500)
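The question asks for a policy that "denies" unconfined_t read and open on var_t, and domg's remark that SELinux is a deny-by-default system is the key to it: the policy language has no deny rule for this, access exists only where some allow rule (directly, or through an attribute the types belong to) grants the permission, so "denying" unconfined_t means making sure no such allow rule is loaded. The following Python script is an added example, not from the thread, the video, or the Fedora policy: it resolves allow rules and attribute memberships the way the kernel does and shows which rule grants unconfined_t access to var_t files and directories, and that removing that rule is what closes the access. The rule lines and attribute memberships are constructed sample data in the shape printed by `sesearch -A` and `seinfo`; on a real system you would dump them with `sesearch -A -s unconfined_t -t var_t -c file` and `seinfo` rather than type them in.

```python
"""
Resolve SELinux allow rules to an access decision: a permission is granted
only if some allow rule covers the source type, the target type and the
object class, directly or through attributes. Nothing here is taken from a
real policy; all rules and attribute memberships are constructed samples.
"""
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, Set[str]]  # (source, target, class, perms)

# Constructed sample attribute memberships (a real policy has thousands).
SAMPLE_ATTRIBUTES: Dict[str, Set[str]] = {
    "files_unconfined_type": {"unconfined_t", "kernel_t"},
    "file_type": {"var_t", "etc_t", "tmp_t"},
    "domain": {"unconfined_t", "httpd_t", "kernel_t"},
}

# Constructed sample rules in the format `sesearch -A` prints. The blanket
# rule on files_unconfined_type is what gives unconfined_t access to var_t.
SAMPLE_RULES_PERMISSIVE = """
allow domain etc_t:file { getattr open read };
allow files_unconfined_type file_type:file { append create getattr ioctl lock open read unlink write };
allow files_unconfined_type file_type:dir { getattr open read search write };
allow httpd_t var_t:dir { getattr open read search };
"""

# The same rule set with the blanket rules removed. In an allow-list policy
# this is what "denying" unconfined_t amounts to: no rule grants it anymore.
SAMPLE_RULES_TIGHTENED = """
allow domain etc_t:file { getattr open read };
allow httpd_t var_t:dir { getattr open read search };
"""

# allow <source> <target>:<class> { perm perm ... };  or a single perm
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")


def parse_allow_rules(text: str) -> List[Rule]:
    """Parse sesearch-style allow lines into (src, tgt, class, perms) tuples."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"not an allow rule: {line}")
        src, tgt, cls, perms = match.groups()
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def expand(name: str, attributes: Dict[str, Set[str]]) -> Set[str]:
    """An attribute stands for all its member types; a type stands for itself."""
    return set(attributes.get(name, {name}))


def granting_rules(rules: List[Rule], attributes: Dict[str, Set[str]],
                   source: str, target: str, tclass: str) -> List[Rule]:
    """Return every rule that contributes permissions for this source/target/class."""
    return [
        rule for rule in rules
        if rule[2] == tclass
        and source in expand(rule[0], attributes)
        and target in expand(rule[1], attributes)
    ]


def granted_perms(rules: List[Rule], attributes: Dict[str, Set[str]],
                  source: str, target: str, tclass: str) -> Set[str]:
    """Union of all permissions granted; empty set means access is denied."""
    perms: Set[str] = set()
    for rule in granting_rules(rules, attributes, source, target, tclass):
        perms |= rule[3]
    return perms


def is_allowed(rules: List[Rule], attributes: Dict[str, Set[str]],
               source: str, target: str, tclass: str, wanted: Set[str]) -> bool:
    """True only if every wanted permission is covered by some allow rule."""
    return set(wanted) <= granted_perms(rules, attributes, source, target, tclass)


if __name__ == "__main__":
    for label, text in (("permissive", SAMPLE_RULES_PERMISSIVE),
                        ("tightened", SAMPLE_RULES_TIGHTENED)):
        rules = parse_allow_rules(text)
        for tclass, wanted in (("file", {"read", "open"}), ("dir", {"read", "search"})):
            ok = is_allowed(rules, SAMPLE_ATTRIBUTES, "unconfined_t", "var_t", tclass, wanted)
            print(f"[{label}] unconfined_t -> var_t:{tclass} {sorted(wanted)}: "
                  f"{'allowed' if ok else 'denied'}")
            for src, tgt, cls, perms in granting_rules(rules, SAMPLE_ATTRIBUTES,
                                                       "unconfined_t", "var_t", tclass):
                print(f"    granted by: allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

Running the script shows the file and dir checks as allowed under the permissive set, each traced back to the blanket files_unconfined_type rule, and as denied under the tightened set, where no rule lists unconfined_t or any attribute it belongs to. That is the shape of the real exercise: find the rules that grant the access with `sesearch`, trace them to the module that ships them, and remove or replace that module rather than look for a deny statement.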


Last updated: Feb 04 '14