Project 3: Custom Application Policy Module Builder

Quick Reference

Attribute              Value
Primary Language       SELinux Policy Language (m4/CIL)
Alternative Languages  Python (for tooling), Bash
Difficulty             Level 3: Advanced
Time Estimate          2-3 weeks
Knowledge Area         SELinux Policy Development
Tooling                semodule, checkmodule, sepolgen
Prerequisites          Projects 1-2 completed, understanding of AVC messages

What You Will Build

A complete SELinux policy module for a custom daemon, including type definitions, domain transitions, file contexts and network access rules, built on reference policy interfaces.

Why It Matters

Confining a daemon in its own SELinux domain limits what a compromised process can read, write or connect to. Writing the type definitions, domain transition, file contexts and network rules for a real service on top of the reference policy interfaces is the core skill of SELinux policy work, and it appears repeatedly in real-world systems and tooling.

Core Challenges

  • Defining new types → understanding type hierarchies and attributes
  • Creating domain transitions → how processes become confined
  • Using reference policy interfaces → the modular policy approach
  • Handling network and IPC → object classes beyond files

Key Concepts

  • Map the project to its core concepts before you code: type enforcement (which types the daemon, its executable, its configuration and its logs get), domain transitions (how init launches the daemon into myapp_t), file contexts (the .fc labels), reference policy interfaces (the .if macros you call instead of writing raw allow rules), and object classes beyond files (tcp_socket, IPC).

Real-World Outcome

$ ls -la myapp_selinux/
-rw-r--r-- myapp.fc     # File contexts
-rw-r--r-- myapp.if     # Interfaces
-rw-r--r-- myapp.te     # Type enforcement

$ cat myapp.te
policy_module(myapp, 1.0.0)

# Daemon domain and the entrypoint executable that transitions into it
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Configuration: a regular config file type, read-only for the daemon
type myapp_conf_t;
files_config_file(myapp_conf_t)
allow myapp_t myapp_conf_t:file read_file_perms;

# Logs: declare the log file type, let the daemon manage its own logs,
# and label files it creates under /var/log as myapp_log_t
type myapp_log_t;
logging_log_file(myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
logging_log_filetrans(myapp_t, myapp_log_t, file)

# Network: the daemon may create a TCP socket and bind a generic port
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myapp_t)
corenet_tcp_bind_generic_port(myapp_t)

$ sudo semodule -i myapp.pp
$ ps -eZ | grep myapp
system_u:system_r:myapp_t:s0     12345 ?   00:00:01 myapp
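An added Python helper, not part of this project's files or of sepolgen, for the AVC-driven part of the workflow: it groups denials for the myapp_t domain and proposes raw allow rules only for the module's own myapp_* types, while denials against foreign types are held for review, where a reference policy interface (or an investigation of why the daemon touches that type) is the right response. The audit lines, the 8080 bind and the shadow_t read are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not captured from a real system): two config
# denials, a port bind on 8080, and a read of /etc/shadow for the myapp_t domain.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=12345 comm="myapp" name="myapp.conf" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=12345 comm="myapp" path="/etc/myapp/myapp.conf" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_bind } for  pid=12345 comm="myapp" src=8080 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=12345 comm="myapp" name="shadow" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = {k: re.compile(rf"\b{k}=(\S+)") for k in ("scontext", "tcontext", "tclass")}

def parse_avc(line):
    """Return (source_type, target_type, class, {perms}) or None for non-AVC lines."""
    m = PERMS_RE.search(line)
    fields = {k: r.search(line) for k, r in FIELD_RE.items()}
    if m is None or any(v is None for v in fields.values()):
        return None
    # A context is user:role:type[:mls]; the type is always the third field.
    stype = fields["scontext"].group(1).split(":")[2]
    ttype = fields["tcontext"].group(1).split(":")[2]
    return stype, ttype, fields["tclass"].group(1), set(m.group(1).split())

def summarize_denials(audit_text, domain):
    """Merge all denials of `domain` into {(target_type, class): perms}."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec[0] == domain:
            groups[(rec[1], rec[2])].update(rec[3])
    return dict(groups)

def propose_rules(groups, domain, own_prefix):
    """Raw allow rules only for the module's own types; anything else goes to a
    review list, where a reference policy interface (e.g. corenet_*) or an
    investigation of why the daemon touches that type is the right response."""
    own, review = [], []
    for (ttype, tclass), perms in sorted(groups.items()):
        rule = f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        (own if ttype.startswith(own_prefix) else review).append(rule)
    return own, review

if __name__ == "__main__":
    own, review = propose_rules(summarize_denials(SAMPLE_AUDIT, "myapp_t"), "myapp_t", "myapp_")
    print("\n".join(["# add to myapp.te:"] + own + ["# needs review, not a raw allow:"] + review))
```

Run it against `ausearch -m AVC` output once the module is installed; the review list is the part audit2allow would happily turn into allow rules and the part that most needs a human.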

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
  • “SELinux by Example” by Frank Mayer et al.