We can further fine-tune our policy with conditionals. Some of the access vectors identified earlier might not be necessary in all circumstances, so it makes sense to make them optional and configurable through SELinux Booleans.
Two of the identified access vectors that are candidates for configurable policies are as follows:
- Accessing the video and sound devices (making this optional reduces the risk that malware or a vulnerability in the application is used to access the webcam or sound device and spy on unsuspecting users)
- Accessing all user content (instead of only the skype_home_t content)
The following steps make the policy more flexible for administrators by introducing Booleans. These Booleans modify the behavior of the policy and are added to the policy itself.
Inside myskype.te, create the definitions for both Booleans. This is usually done before the type declarations:

    gen_tunable(skype_use_audio, false)
    gen_tunable(skype_use_video...
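As an added illustration (not code from the original text), the stand-alone module below shows how a Boolean declared with gen_tunable gates allow rules through the reference policy's tunable_policy macro, for two of the access vectors named above. Only skype_use_audio comes from the text; the module name, the domain skype_t, its entry point type skype_exec_t and the Boolean example_skype_user_content are assumed names.

```selinux
policy_module(myskype_example, 1.0)

# Booleans are declared first and default to false, so the optional
# access stays denied until an administrator switches it on.
gen_tunable(skype_use_audio, false)
# Hypothetical Boolean name, used here for illustration only.
gen_tunable(example_skype_user_content, false)

# Assumed type names. They are declared here so that the module builds
# on its own; a real myskype.te has its own type declarations.
type skype_t;
type skype_exec_t;
application_domain(skype_t, skype_exec_t)

# Sound device access is granted only while skype_use_audio is on.
# Keep quote characters out of comments inside the m4-quoted blocks.
tunable_policy(`skype_use_audio',`
	dev_read_sound(skype_t)
	dev_write_sound(skype_t)
')

# Access to all user home content is granted only while the
# hypothetical Boolean is on. With it off, the domain keeps only
# whatever access the unconditional part of the policy grants.
tunable_policy(`example_skype_user_content',`
	userdom_manage_user_home_content_dirs(skype_t)
	userdom_manage_user_home_content_files(skype_t)
')
```

Once such a module is loaded, getsebool skype_use_audio reports the current state, and setsebool -P skype_use_audio on enables the conditional rules persistently.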