To finish the SELinux module development for services, we need to create proper role-based interfaces. Whereas the _role interface is usually for nonprivileged user roles, an _admin interface is used to provide all the necessary privileges to fully administer a service.
To create an administrative interface that we can later assign to the user and role that will administer the environment, follow these steps:
Create a specific init script type for the init scripts of the daemon. For instance, for the virtd daemon inside virt.te, the following policy rules create the proper init script type:

    type virtd_initrc_exec_t;
    init_script_file(virtd_initrc_exec_t)

Make sure that this init script is labeled correctly through the .fc file:

    /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)

Start with a skeleton _admin interface:

    ##########################################
    ## <summary>
    ## All rules related to administer...
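
The labeling step only helps if the .fc expression matches the init script and nothing else. The following Python check is an added example, not code from the original text: it parses an entry such as the libvirtd one above and reports unescaped dots, a missing regular-file specifier, or a type that does not follow the _initrc_exec_t naming. The function names are hypothetical, and Python's re module is assumed to behave like the SELinux matcher for simple anchored patterns like this one.

```python
import re

# The entry from the .fc step above, embedded as a string for the check.
FC_LINE = (r"/etc/rc\.d/init\.d/libvirtd -- "
           "gen_context(system_u:object_r:virtd_initrc_exec_t,s0)")

FC_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-dbclsp])\s+)?"
    r"gen_context\((?P<user>[^:]+):(?P<role>[^:]+):"
    r"(?P<type>[^:,]+),(?P<level>[^)]+)\)$"
)

def parse_fc(line):
    """Split one .fc entry into path regex, file type and context fields."""
    m = FC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a file context entry: {line!r}")
    return m.groupdict()

def unescaped_dots(path_re):
    """Offsets of '.' that are neither escaped nor part of '.*', '.+', '.?'."""
    hits, i = [], 0
    while i < len(path_re):
        if path_re[i] == "\\":
            i += 2            # skip the escaped character
            continue
        if path_re[i] == "." and path_re[i + 1:i + 2] not in ("*", "+", "?"):
            hits.append(i)
        i += 1
    return hits

def lint_initrc_entry(line, script_path):
    """Return a list of problems for an init script labeling entry."""
    e, problems = parse_fc(line), []
    if e["ftype"] != "--":
        problems.append("entry is not limited to regular files (--)")
    if not e["type"].endswith("_initrc_exec_t"):
        problems.append(f"type {e['type']} is not an init script type")
    if unescaped_dots(e["path"]):
        problems.append("unescaped '.' matches any character")
    # File context expressions are anchored, hence fullmatch.
    if not re.fullmatch(e["path"], script_path):
        problems.append(f"expression does not match {script_path}")
    return problems

if __name__ == "__main__":
    print(lint_initrc_entry(FC_LINE, "/etc/rc.d/init.d/libvirtd") or "entry OK")
```
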