Choosing resource types wisely
Services interact with resources, and the label that we assign to the resources is used by the fine-grained access controls assigned to these resources. End user files (for users that have a Linux account on the system) are labeled as user_home_t
, which suffices for most uses. However, when we deal with services, the choice of the resource label defines if and how other applications can access those resources and is much more fine-grained than what we currently use for end user files.
There are some best practices concerning resource type selection within SELinux policies, which we will now look into.
How to do it…
The service resource types need to be carefully chosen. Their naming implies the functional use of the resource, which already pushes the development of the policy in a certain structure. The types and their affiliated permissions can be developed by completing the following steps:
Look for the processes that will run within their own specific domain...