Exercises

Explain the differences between the default, current, pending, and persistent values of a Boolean variable.

Suppose that our policy has three Booleans defined: bool1, bool2, and bool3. Now take a look at the following commands:

# cd /selinux/booleans # cat bool1 0 1 # cat bool2 1 1 # cat bool3 1 0

What are the current values of all three Booleans?

Take the set of comments from the previous question, and add the following command:

# echo 1 > /selinux/commit_pending_bools

Now what are the current values of the three Booleans?

One use of conditional policies is to control the level of auditing performed by SELinux by enabling and disabling packages of audit rules. Suppose we want to create a Boolean (enhanced_audit) to control auditing of access attempts (success and denial events). Further, suppose that there are two kinds of events, among others, we want to capture for enhanced auditing: transitions into any domain type and any use of the ping program to access the network. Write a partial policy to achieve these goals. Assume that there are two attributes in your policy: domain, which is associated with all domain types; and netif_type, which is associated with all the types used for network interface objects.