Policy configuration file
selcraft requires a policy configuration file as input. This file contains information about all (containerized) applications and their permissions on the specified IPC mechanisms. An example can be seen in spec/spec.yaml.
Note
Each specified binary application, file, etc. is assigned its own SELinux label. This might conflict with the label assignments made by other RPM packages. See the troubleshooting section for known issues.
The schema for the different versions of the policy configuration is shown below (newest version first):
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "SELinux policy generation schema v2.0.0",
"description": "Schema for SELinux policy configuration with root/QM namespace separation and embedded access control",
"type": "object",
"required": [
"schema_version",
"info",
"root"
],
"properties": {
"schema_version": {
"type": "string",
"pattern": "^2\\.0\\.0$",
"description": "Schema version; must be exactly 2.0.0"
},
"info": {
"type": "object",
"required": [
"name",
"version",
"description",
"license",
"distro"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-zA-Z][a-zA-Z0-9_-]*$",
"default": "my-policy",
"description": "Policy name (alphanumeric, hyphen, underscore; starts with letter)"
},
"version": {
"type": "string",
"pattern": "^v?\\d+\\.\\d+\\.\\d+$",
"default": "1.0.0",
"description": "Policy version (semver with optional 'v' prefix)"
},
"description": {
"type": "string",
"default": "",
"description": "Policy description"
},
"license": {
"type": "string",
"default": "MIT",
"description": "Policy license"
},
"distro": {
"type": "string",
"enum": [
"autosd9",
"autosd10"
],
"default": "autosd10",
"description": "Target distribution"
}
},
"additionalProperties": false
},
"root": {
"description": "Root domain resources and applications",
"$ref": "#/$defs/environment"
},
"qm": {
"description": "QM domain resources and applications",
"$ref": "#/$defs/environment"
},
"mounts": {
"type": "array",
"description": "Cross-domain resource mount mappings",
"items": {
"oneOf": [
{
"$ref": "#/$defs/mountShorthand"
},
{
"$ref": "#/$defs/mountVerbose"
}
]
}
},
"validation": {
"type": "object",
"description": "Validation configuration",
"properties": {
"disabled": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of validation rules to disable"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"$defs": {
"environment": {
"type": "object",
"description": "Common environment structure for root and QM domains",
"properties": {
"binaries": {
"type": "array",
"description": "Domain binaries",
"items": {
"$ref": "#/$defs/binary"
}
},
"containers": {
"type": "array",
"description": "Domain containers",
"items": {
"$ref": "#/$defs/container"
}
},
"sockets": {
"type": "object",
"description": "Socket definitions",
"properties": {
"uds": {
"type": "array",
"description": "Unix Domain Sockets",
"items": {
"$ref": "#/$defs/socketResource"
}
}
},
"additionalProperties": false
},
"shm": {
"type": "array",
"description": "Shared memory resources",
"items": {
"$ref": "#/$defs/shmResource"
}
},
"dbus": {
"type": "object",
"description": "D-Bus service definitions",
"properties": {
"system": {
"type": "array",
"description": "System D-Bus service control permissions",
"items": {
"$ref": "#/$defs/dbusControl"
}
}
}
},
"systemd": {
"type": "array",
"description": "Systemd service control permissions",
"items": {
"$ref": "#/$defs/systemdControl"
}
}
},
"additionalProperties": false
},
"binary": {
"type": "object",
"description": "Binary application definition",
"required": [
"name",
"path"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-zA-Z][a-zA-Z0-9_-]*$",
"description": "Binary name"
},
"path": {
"type": "string",
"pattern": "^/[a-zA-Z0-9/_.-]+$",
"description": "Absolute path to binary"
}
},
"additionalProperties": false
},
"container": {
"type": "object",
"description": "Containerized application definition",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-zA-Z][a-zA-Z0-9_-]*$",
"description": "Container name"
},
"label": {
"type": "string",
"pattern": "[a-z_]+_t$",
"description": "SecurityLabelType (SELinux process type) assigned to the container",
"default": "spc_t"
},
"file_label": {
"type": "string",
"pattern": "[a-z_]+_t$",
"description": "SecurityLabelFileType (SELinux file type) assigned to the container's files",
"default": "usr_t"
}
},
"additionalProperties": false
},
"socketResource": {
"type": "object",
"description": "Socket resource definition",
"required": [
"name",
"path"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-zA-Z][a-zA-Z0-9_-]*$",
"description": "Socket name"
},
"path": {
"type": "string",
"pattern": "^/[a-zA-Z0-9/_.-]+$",
"description": "Socket path"
},
"access": {
"$ref": "#/$defs/accessControl"
}
},
"additionalProperties": false
},
"shmResource": {
"type": "object",
"description": "Shared memory resource definition",
"required": [
"name",
"path"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-zA-Z][a-zA-Z0-9_-]*$",
"description": "Shared memory resource name"
},
"path": {
"type": "string",
"pattern": "^/[a-zA-Z0-9/_.-]+$",
"description": "Shared memory path"
},
"access": {
"$ref": "#/$defs/accessControl"
}
},
"additionalProperties": false
},
"accessControl": {
"type": "array",
"description": "Access control list mapping applications to permissions",
"items": {
"type": "object",
"minProperties": 1,
"maxProperties": 1,
"patternProperties": {
"^[a-zA-Z][a-zA-Z0-9_-]*$": {
"type": "array",
"items": {
"$ref": "#/$defs/ipcPermission"
},
"minItems": 1,
"uniqueItems": true,
"description": "Array of permissions for the application"
}
},
"additionalProperties": false
}
},
"systemdControl": {
"type": "object",
"description": "Systemd service control permissions",
"minProperties": 1,
"maxProperties": 1,
"patternProperties": {
"^[a-zA-Z][a-zA-Z0-9_-]*$": {
"type": "array",
"items": {
"$ref": "#/$defs/systemdPermission"
},
"minItems": 1,
"uniqueItems": true,
"description": "Array of systemd control permissions"
}
},
"additionalProperties": false
},
"dbusControl": {
"type": "object",
"description": "D-Bus service control permissions",
"minProperties": 1,
"maxProperties": 1,
"patternProperties": {
"^[a-zA-Z][a-zA-Z0-9_-]*$": {
"type": "array",
"items": {
"$ref": "#/$defs/dbusPermission"
},
"minItems": 1,
"uniqueItems": true,
"description": "Array of D-Bus control permissions"
}
},
"additionalProperties": false
},
"ipcPermission": {
"type": "string",
"enum": [
"READ",
"WRITE",
"CREATE"
],
"description": "IPC resource permission"
},
"systemdPermission": {
"type": "string",
"enum": [
"START",
"STOP",
"RELOAD",
"STATUS"
],
"description": "Systemd service control permission"
},
"dbusPermission": {
"type": "string",
"enum": [
"READ",
"WRITE",
"OWN"
],
"description": "D-Bus service control permission"
},
"resourceRef": {
"type": "string",
"pattern": "^(root|qm)\\.[a-zA-Z][a-zA-Z0-9_-]*$",
"description": "Resource reference in the format domain.resource-name, where domain is root or qm"
},
"mountShorthand": {
"type": "object",
"description": "Shorthand mount format: a single root.resource: qm.resource key/value pair, optionally with a requires entry",
"minProperties": 1,
"maxProperties": 2,
"patternProperties": {
"^(root|qm)\\.[a-zA-Z][a-zA-Z0-9_-]*$": {
"$ref": "#/$defs/resourceRef"
}
},
"properties": {
"requires": {
"$ref": "#/$defs/mountRequirements"
}
},
"additionalProperties": false
},
"mountVerbose": {
"type": "object",
"description": "Verbose mount format with explicit source and target",
"required": [
"source",
"target"
],
"properties": {
"source": {
"$ref": "#/$defs/resourceRef",
"description": "Source resource reference"
},
"target": {
"$ref": "#/$defs/resourceRef",
"description": "Target resource reference"
},
"requires": {
"$ref": "#/$defs/mountRequirements"
}
},
"additionalProperties": false
},
"mountRequirements": {
"type": "array",
"description": "Mount requirements for generating additional configuration",
"items": {
"type": "string",
"enum": [
"volume-mount",
"systemd-tmpfile"
]
},
"uniqueItems": true
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "SELinux policy generation schema",
"type": "object",
"required": [
"schema_version",
"info",
"apps",
"ipc",
"permissions"
],
"properties": {
"schema_version": {
"type": "string",
"pattern": "^\\d+\\.\\d+\\.\\d+$"
},
"info": {
"type": "object",
"required": [
"name",
"version",
"description",
"license",
"distro"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-zA-Z][a-zA-Z0-9_-]*$",
"default": "my-policy"
},
"version": {
"type": "string",
"pattern": "^v?\\d+\\.\\d+\\.\\d+$",
"default": "1.0.0"
},
"description": {
"type": "string",
"default": ""
},
"license": {
"type": "string",
"default": "MIT"
},
"distro": {
"type": "string",
"enum": [
"autosd9",
"autosd10"
],
"default": "autosd10"
}
},
"additionalProperties": false
},
"apps": {
"type": "object",
"required": [],
"properties": {
"binaries": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"path"
],
"properties": {
"name": {
"type": "string"
},
"path": {
"type": "string"
},
"is_qm": {
"type": "boolean",
"default": false
},
"systemd": {
"type": "object",
"required": [],
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"permissions": {
"type": "array",
"items": {
"type": "string",
"enum": [
"START",
"STOP",
"RELOAD",
"STATUS"
]
}
}
}
}
},
"additionalProperties": false
}
},
"containers": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"label"
],
"properties": {
"name": {
"type": "string"
},
"label": {
"type": "string"
},
"is_qm": {
"type": "boolean",
"default": false
}
},
"additionalProperties": false
}
}
},
"additionalProperties": false
},
"ipc": {
"type": "object",
"required": [],
"properties": {
"sockets": {
"type": "object",
"required": [],
"properties": {
"uds": {
"type": "array",
"items": {
"type": "object",
"minProperties": 1,
"required": [
"name",
"path"
],
"properties": {
"name": {
"type": "string"
},
"path": {
"type": "string"
}
},
"additionalProperties": false
}
}
},
"additionalProperties": false
},
"shm": {
"type": "array",
"items": {
"type": "object",
"minProperties": 1,
"required": [
"name",
"path"
],
"properties": {
"name": {
"type": "string"
},
"path": {
"type": "string"
}
},
"additionalProperties": false
}
},
"dbus": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"kind"
],
"properties": {
"name": {
"type": "string"
},
"kind": {
"type": "string",
"enum": [
"system",
"session"
]
}
},
"additionalProperties": false
}
}
},
"additionalProperties": false
},
"permissions": {
"type": "array",
"items": {
"type": "object",
"required": [
"app",
"ipc",
"allow"
],
"properties": {
"app": {
"type": "string"
},
"ipc": {
"type": "string"
},
"allow": {
"type": "array",
"items": {
"type": "string",
"enum": [
"READ",
"WRITE",
"CREATE"
]
}
}
},
"additionalProperties": false
}
},
"validation": {
"type": "object",
"required": [],
"properties": {
"disabled": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of validation rules to disable"
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}
Systemd service control
Binary applications can be granted permissions to control systemd services. This is configured via the systemd field on a binary entry (the apps.binaries layout of the second schema shown above):
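# Example: granting a binary application systemd service control.
# Indentation matters in YAML; this nesting follows the apps.binaries[].systemd
# layout of the schema above (the one whose top level has "apps", "ipc" and
# "permissions").
apps:
  binaries:
    - name: "my-app"
      path: "/usr/bin/my-app"
      systemd:
        # Must be true for the permissions below to take effect; the schema
        # default is false.
        enabled: true
        # Allowed values per the schema enum: START, STOP, RELOAD, STATUS.
        # Grant only the actions the application actually needs.
        permissions:
          - START
          - STOP
          - STATUS
          - RELOAD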
The available permissions are START, STOP, STATUS and RELOAD.
Note
Systemd service control is only supported for binary applications, not containers.
Internally, selcraft generates D-Bus IPC entries whose names carry the reserved systemd-control- prefix. IPC names starting with this prefix are reserved and cannot be used for custom entries.