selcraft

selcraft is a specialized tool designed to generate custom SELinux policies for Automotive Stream Distribution (AutoSD). It abstracts the complexity of SELinux by using a templating approach (Jinja2) to create policies based on high-level configuration files.

The idea

In modern Software-Defined Vehicles (SDV), applications often reside in isolated environments (like the QM partition) but need to communicate across boundaries via Unix Domain Sockets (UDS), TCP, shared memory, and so on. Writing SELinux policies from scratch for these scenarios is complex and error-prone. selcraft lets users define their IPC requirements in a simple YAML file and generates the desired policy files (.te, .fc, and .if) from it. The output also includes supporting build files (Makefile, Containerfile, etc.). This allows for automated builds of custom SELinux policy RPMs, which can be further integrated into other build pipelines such as automotive-image-builder. The generation itself is powered by pre-defined Jinja2 templates.
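As an added illustration of the config-to-policy flow described above (not selcraft's own code), the code below renders a `.te` and a `.fc` fragment for one UDS link and rejects config values that could inject extra statements into the generated policy. The config keys, type names and socket path are assumptions made for this example, not selcraft's YAML schema, and Python `str.format` stands in for the Jinja2 templates.

```python
import re

# Constructed sample input. The keys and type names are assumptions for this
# example, not selcraft's real YAML schema.
CONFIG = {
    "module": "demo_ipc",
    "uds": [{"client": "qm_app_t", "server": "asil_svc_t",
             "socket_type": "asil_svc_sock_t",
             "path": "/run/asil_svc/ipc.sock"}],
}

# str.format templates stand in for the Jinja2 templates selcraft uses.
TE_HEADER = "policy_module({module}, 1.0.0)\n"
TE_UDS = (
    "gen_require(`\n\ttype {client}, {server};\n')\n"
    "type {socket_type};\n"
    "files_type({socket_type})\n"
    "# core rules for {client} connecting to {server}\n"
    "allow {client} {socket_type}:sock_file write;\n"
    "allow {client} {server}:unix_stream_socket connectto;\n"
)
FC_UDS = "{path_re}\t-s\tgen_context(system_u:object_r:{socket_type},s0)\n"

IDENT = re.compile(r"[a-z][a-z0-9_]*")
PATH = re.compile(r"(/[A-Za-z0-9_.-]+)+")


def check(link):
    """Reject values that could smuggle extra statements into the policy."""
    for key in ("client", "server", "socket_type"):
        if not (IDENT.fullmatch(link[key]) and link[key].endswith("_t")):
            raise ValueError(f"bad SELinux type in {key!r}: {link[key]!r}")
    if not PATH.fullmatch(link["path"]) or ".." in link["path"].split("/"):
        raise ValueError(f"bad socket path: {link['path']!r}")


def render(config):
    """Return (te_text, fc_text) for every UDS link in the config."""
    if not IDENT.fullmatch(config["module"]):
        raise ValueError(f"bad module name: {config['module']!r}")
    te, fc = [TE_HEADER.format(module=config["module"])], []
    for link in config["uds"]:
        check(link)
        te.append(TE_UDS.format(**link))
        fc.append(FC_UDS.format(path_re=link["path"].replace(".", r"\."),
                                socket_type=link["socket_type"]))
    return "\n".join(te), "".join(fc)
```

Because the config values are substituted verbatim into policy source, the strict identifier and path checks are what keep a malformed YAML entry from widening the generated policy.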

The following diagram shows how selcraft works:

[Diagram: overview]

Goal and limitation

The focus of selcraft is to simplify building SELinux policies. It does not generate additional artifacts that might be necessary for certain scenarios, such as the polkit configuration of D-Bus.

Currently supported IPC mechanisms

The following list shows which IPC mechanisms and other features are currently supported:

Type     Description
UDS      Unix Domain Sockets for local inter-process communication
SHM      Named shared memory regions (/dev/shm/)
Systemd  Service control (start, stop, reload, status) for binary applications via D-Bus