Section 14.1. Overview of Writing a Policy Module


In this chapter, we walk through the process of creating a policy module, bringing together all we have learned throughout the book. We discuss all the steps required to create a policy module for both the original example policy (Chapter 11, "Original Example Policy") and the newer reference policy (Chapter 12, "Reference Policy"). For most steps in the process, we present the general idea of the step and then show examples of that step from both kinds of policies. We think this "by example" procedure is the best way to understand both policies.

Our presentation is only an introduction to this topic; the only way to learn the techniques and strategies of an experienced policy writer is to attempt to write modules. The outline we present provides a starting point for your own policy development. The best guide in the future is the experience you gain through applying SELinux to solve your own security challenges.

The policy module that we create in this chapter is for the IRC daemon available as part of Fedora Core 4 (FC4). We chose this example because it is a straightforward yet representative example of a network-facing daemon.

In our experience, writing a policy module involves three basic steps: preparation and planning, initial policy module creation, and testing and analysis. In preparation and planning, we gather critical information, create a test environment, and specify the security goals for the policy module. In the initial policy module creation step, we combine the gathered information and security goals to create a first version of the policy module. In the testing and analysis step, we determine the correctness of the policy module in terms of functionality and security.

In the remainder of this chapter, we present these steps in an idealized, linear fashion. In reality, policy writing is often an iterative process of writing, testing, and research. In particular, the testing and analysis step usually results in changes to the policy module.




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
EAN: 2147483647
Year: 2007
Pages: 154
