Creating resource-access interfaces
With all the resources defined, we now need to ensure that other domains can use those resources as needed. As we've seen, resources can be functional in nature (specific to a service) or more infrastructural (such as logfiles).
Access to resources is granted through SELinux policy rules, and those rules are exposed to other modules through access interfaces. Third-party SELinux policy modules then use these interfaces to document and allow access to the resource types. Without the access interfaces, the resource types we define are not easily accessible by other policy developers.
How to do it…
To create resource-access interfaces, add the proper interface definition in the module's .if file. For instance, to create a set of resource interfaces to access ClamAV's configuration files, follow the next set of steps:
For each resource, create an overview of the privileges that will be needed. For file class resources, these are often search, read, write, and manage privileges...
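As an added illustration (not code from the original text), the search, read, and manage privileges listed above could map to three interfaces in the module's .if file, written with the reference policy macros. The type name clamav_etc_t and the three interface names are assumptions made for this example.

```m4
# Added example. clamav_etc_t and the interface names below are assumed,
# not taken from the original text.
########################################
## <summary>
##	Search ClamAV configuration directories.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`clamav_search_config',`
	gen_require(`
		type clamav_etc_t;
	')
	files_search_etc($1)
	allow $1 clamav_etc_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read ClamAV configuration files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`clamav_read_config',`
	gen_require(`
		type clamav_etc_t;
	')
	files_search_etc($1)
	read_files_pattern($1, clamav_etc_t, clamav_etc_t)
')

########################################
## <summary>
##	Create, read, write, and delete ClamAV configuration files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`clamav_manage_config',`
	gen_require(`
		type clamav_etc_t;
	')
	files_search_etc($1)
	manage_files_pattern($1, clamav_etc_t, clamav_etc_t)
')
```

A consuming policy module calls the narrowest interface that covers its need, passing its own domain type as the argument, so that read-only consumers never receive the manage privileges.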