SELinux by Example: Using Security Enhanced Linux

14.7. Summary

• As in all modern enterprises, writing policy modules is a skill best learned through practice.

• The basic steps for writing a new policy module, whether it be for the example policy or the reference policy, are as follows:

  1. Prepare and plan:

     Gather information about the application.

     Create a test configuration.

     Specify security goals.

  2. Create an initial policy module:

     Create the basic module files.

     Declare our module's types.

     Allow initial restrictive access.

     Allow domain transitions and role access.

     Integrate into system policy.

     Create labeling policy.

     Apply the policy.

  3. Test and analyze the policy:

     Functional test the policy module.

     Analyze the policy modules against our security goals.

• In general, we iterate among the steps until we achieve the policy module we desire.