Examples
The following snippets are complete selcraft policy configurations (schema 2.0.0) from which selcraft generates the corresponding SELinux policy files. Each one declares the binaries involved, the resources they use (Unix domain sockets, shared memory, systemd services), and the permissions each binary is granted on those resources:
# yaml-language-server: $schema=https://selcraft.readthedocs.io/en/latest/assets/schema.2-0-0.json
---
# Single-partition example: a client and a server, both in the root partition,
# sharing one Unix domain socket.
schema_version: '2.0.0'

info:
  name: 'uds-selinux'
  version: '1.0.0'
  description: 'SELinux policy for a client/server application using an Unix Domain Socket'
  license: 'MIT'
  distro: 'autosd10'

root:
  # The names declared here are the subjects referenced by the `access` lists below.
  binaries:
    - name: 'client'
      path: '/usr/bin/client'
    - name: 'server'
      path: '/usr/bin/server'
  sockets:
    uds:
      - name: 'shared-socket'
        path: '/run/uds-sample/shared.socket'
        # Least privilege: only the server is granted CREATE on the socket node;
        # the client is limited to READ/WRITE on a socket that already exists.
        access:
          - server: [READ, WRITE, CREATE]
          - client: [READ, WRITE]
# yaml-language-server: $schema=https://selcraft.readthedocs.io/en/latest/assets/schema.2-0-0.json
---
# Cross-partition example: the server runs in the root partition, the client
# in the QM partition, and the two meet on one Unix domain socket.
# NOTE(review): info.name is the same as in the root-only UDS example; if both
# policies are ever built or installed side by side, give this one a distinct name.
schema_version: '2.0.0'

info:
  name: 'uds-selinux'
  version: '1.0.0'
  description: 'SELinux policy for a QM client and root server application using an Unix Domain Socket'
  license: 'MIT'
  distro: 'autosd10'

root:
  binaries:
    - name: 'server'
      path: '/usr/bin/server'
  sockets:
    uds:
      - name: 'shared-socket'
        path: '/run/uds-sample/shared.socket'
        # Only the root-side server may CREATE the socket node.
        access:
          - server: [READ, WRITE, CREATE]

qm:
  binaries:
    - name: 'client'
      path: '/usr/bin/client'
  sockets:
    uds:
      - name: 'shared-socket'
        # Same filesystem path as the root-side declaration above.
        path: '/run/uds-sample/shared.socket'
        # The QM client gets no CREATE: it can only use the socket the server created.
        access:
          - client: [READ, WRITE]

# Pairs the root-side socket declaration with its QM-side counterpart
# (presumably so the socket created by the root server is the one the QM
# client opens - confirm against the selcraft docs).
# NOTE(review): nesting reconstructed from a flattened listing; `mounts` is
# placed at top level here - verify against the schema if it belongs under `qm`.
mounts:
  - root.shared-socket: qm.shared-socket
# yaml-language-server: $schema=https://selcraft.readthedocs.io/en/latest/assets/schema.2-0-0.json
---
# Root-partition client/server pair that combines a control socket with a
# shared-memory segment under /dev/shm.
schema_version: '2.0.0'

info:
  name: 'shm-selinux'
  version: '1.0.0'
  description: 'SELinux policy for a client/server application using an Shared Memory'
  license: 'MIT'
  distro: 'autosd10'

root:
  binaries:
    - name: 'shm-client'
      path: '/usr/bin/client'
    - name: 'shm-server'
      path: '/usr/bin/server'
  sockets:
    uds:
      - name: 'shm-socket'
        path: '/run/shm-sample/shared.socket'
        # CREATE is reserved for the server; the client only talks over an existing socket.
        access:
          - shm-client: [READ, WRITE]
          - shm-server: [READ, WRITE, CREATE]
  # NOTE(review): nesting reconstructed from a flattened listing; `shm` is
  # placed as a sibling of `sockets` - verify against the schema if it is
  # expected under `sockets` instead.
  shm:
    - name: 'shm-shared'
      path: '/dev/shm/sample'
      # Same split as for the socket: only the server may CREATE the segment,
      # both sides may READ and WRITE it.
      access:
        - shm-client: [READ, WRITE]
        - shm-server: [READ, WRITE, CREATE]
# yaml-language-server: $schema=https://selcraft.readthedocs.io/en/latest/assets/schema.2-0-0.json
---
# Combined example: a root-partition server, a QM-partition client, and two
# QM container domains, sharing a Unix domain socket and a /dev/shm segment.
schema_version: '2.0.0'

info:
  name: 'sample'
  version: '1.0.0'
  description: 'SELinux policy of multiple example applications'
  license: 'MIT'
  distro: 'autosd10'

root:
  binaries:
    - name: 'shm-server'
      path: '/usr/bin/server'
  sockets:
    uds:
      - name: 'shm-socket'
        path: '/run/named_shm_demo/shared.socket'
        # The root-side server is the only subject allowed to CREATE the socket.
        access:
          - shm-server: [READ, WRITE, CREATE]
  # NOTE(review): nesting reconstructed from a flattened listing; `shm` is
  # placed as a sibling of `sockets` - verify against the schema.
  shm:
    - name: 'shm-shared'
      path: '/dev/shm/shared'
      access:
        - shm-server: [READ, WRITE, CREATE]

qm:
  binaries:
    - name: 'shm-client'
      path: '/usr/bin/client'
  # Container domains are declared by name and SELinux type label. Note that
  # `containerized-client` appears in no `access` list in this example, so it
  # is granted nothing here.
  containers:
    - name: 'containerized-client'
      label: 'containerized_client_t'
    - name: 'containerized-server'
      label: 'containerized_server_t'
  sockets:
    uds:
      - name: 'shm-socket'
        path: '/run/named_shm_demo/shared.socket'
        # Neither QM subject may CREATE the socket; both only READ/WRITE it.
        access:
          - shm-client: [READ, WRITE]
          - containerized-server: [READ, WRITE]
  shm:
    - name: 'shm-shared'
      path: '/dev/shm/shared'
      # Only the QM client (not the containers) is granted access to the segment.
      access:
        - shm-client: [READ, WRITE]

# Pairs each root-side resource with its QM-side declaration (same paths on
# both sides). NOTE(review): `mounts` placed at top level on reconstruction -
# verify against the schema if it belongs under `qm`.
mounts:
  - root.shm-socket: qm.shm-socket
  - root.shm-shared: qm.shm-shared
# yaml-language-server: $schema=https://selcraft.readthedocs.io/en/latest/assets/schema.2-0-0.json
---
# systemd control example: two root-partition binaries with different sets of
# permitted service operations.
schema_version: '2.0.0'

info:
  name: 'systemd-policy'
  version: '1.0.0'
  description: 'Policy for controlling systemd services'
  license: 'MIT'
  distro: 'autosd10'

root:
  binaries:
    - name: 'manager'
      path: '/usr/bin/manager'
    - name: 'monitor'
      path: '/usr/bin/monitor'
  # Per-binary systemd verbs. The manager may START, STOP and RELOAD services
  # and query STATUS; the monitor is limited to STATUS, so it cannot change
  # service state.
  # NOTE(review): nesting reconstructed from a flattened listing; `systemd` is
  # placed under `root` - verify against the schema.
  systemd:
    - manager: [START, STOP, STATUS, RELOAD]
    - monitor: [STATUS]