Creating a skeleton policy
With the logical setup now in place, we can draft a skeleton policy. This policy will be a translation from the logical setup we encountered to SELinux policy rules.
The entire policy is written in a myskype.te
file. The final result of this set of recipes is also available through the download pack of this book as a reference.
How to do it…
We start with a base skeleton that we can enhance later. This skeleton is developed as follows:
We start with the declaration of the various types. From the design, we can deduce four types:
skype_t
as the main process domainskype_exec_t
as the label for the Skype executable(s)skype_home_t
for the user configuration files and directories of theskype_t
domainskype_tmpfs_t
is needed for shared memory and the X11 interaction
The code to deduce these four types is as follows:
policy_module(myskype, 0.1) attribute_role skype_roles; type skype_t; type skype_exec_t; userdom_user_application_domain(skype_t, skype_exec_t) role skype_roles...